Sixes

NULL

开始照旧拿nmap扫一下,开了21,22,80。其中21是ftp,匿名登录进去之后只有一个flag,也没有其他的。22端口是ssh,现在也登录不进去。那就只能去80开的网页看看了
首先进去是个网页

在里面到处找一下,有一个admin.php的后台登陆,但登录不进去,后面找到一个sql注入,手工测试了一下,数字型的bool盲注,由于这台机子还带waf,访问速度受限。

拿sqlmap跑一下,跑出来sixes表,里面有第二个flag,和一个叫webmaster的用户和md5的c78180d394684c07d6d87b291d8fe533解不出来….
那就只能继续在网页里找其他突破点。在contact.php
之后在里面找到一个看起来像ssrf的,给了提示说是输入url。

在本地开个nc监听,刚开始看着也没什么,抓狂了很久,发现只能输入url,又找了很久的洞,发现他是设置了phpsession,而他发回来的包里也有phpsession,尝试替换了一下,发现是管理员的phpsession,成功进入了后台


有个文件上传,有校验,测试了一下,是只验证文件头尾,是对应的文件头,不验证文件结尾。在图片后添加php代码,即可上传。但它没有回显上传位置。根据之前网页里的图片推测,发现是在/img目录下。


蚁剑弹个shell

通过php的shell进去之后,是正常的www-data的权限,uname看了一下是linux4.15,内核提权无望。那就只能试试拿里面唯一一个用户webmaster的文件来提权。

用了目录权限检索工具查找,自己有权限运行的所有webmaster的文件,找了很久,看到一个notemaker。自己菜只会web,不会pwn……

拜托了队内的pwn师傅,师傅看了一眼说能通,打通了,给了exp。之后被师傅疯狂嘲讽,shell太垃圾……重新用python弹shell回来

pwn通之后,成为了webmaster的shell,用列举文件权限,sudo -l,给了sudo service的权限,也没啥其他的,那就只能开始死亡shell脚本审计。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#!/bin/sh

###########################################################################
# /usr/bin/service
#
# A convenient wrapper for the /etc/init.d init scripts.
#
# This script is a modified version of the /sbin/service utility found on
# Red Hat/Fedora systems (licensed GPLv2+).
#
# Copyright (C) 2006 Red Hat, Inc. All rights reserved.
# Copyright (C) 2008 Canonical Ltd.
# * August 2008 - Dustin Kirkland <kirkland@canonical.com>
# Copyright (C) 2013 Michael Stapelberg <stapelberg@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL-2'.
###########################################################################


is_ignored_file() {
case "$1" in
skeleton | README | *.dpkg-dist | *.dpkg-old | rc | rcS | single | reboot | bootclean.sh)
return 0
;;
esac
return 1
}

VERSION="`basename $0` ver. 1.57+kali1"
USAGE="Usage: `basename $0` < option > | --status-all | \
[ service_name [ command | --full-restart ] ]"
SERVICE=
ACTION=
SERVICEDIR="/etc/init.d"
OPTIONS=
is_systemd=


if [ $# -eq 0 ]; then
echo "${USAGE}" >&2
exit 1
fi

if [ -d /run/systemd/system ]; then
is_systemd=1
fi

cd /
while [ $# -gt 0 ]; do

if [ -z "${SERVICE}" -a $# -eq 1 -a "${1}" = "--status-all" ]; then
cd ${SERVICEDIR}
for SERVICE in * ; do
case "${SERVICE}" in
functions | halt | killall | single| linuxconf| kudzu)
;;
*)
if ! is_ignored_file "${SERVICE}" \
&& [ -x "${SERVICEDIR}/${SERVICE}" ]; then
out=$(env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status 2>&1)
retval=$?
if echo "$out" | egrep -iq "usage:"; then
#printf " %s %-60s %s\n" "[?]" "$SERVICE:" "unknown" 1>&2
echo " [ ? ] $SERVICE" 1>&2
continue
else
if [ "$retval" = "0" -a -n "$out" ]; then
#printf " %s %-60s %s\n" "[+]" "$SERVICE:" "running"
echo " [ + ] $SERVICE"
continue
else
#printf " %s %-60s %s\n" "[-]" "$SERVICE:" "NOT running"
echo " [ - ] $SERVICE"
continue
fi
fi
#env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status
fi
;;
esac
done
exit 0
elif [ $# -eq 2 -a "${2}" = "--full-restart" ]; then
SERVICE="${1}"
# On systems using systemd, we just perform a normal restart:
# A restart with systemd is already a full restart.
if [ -n "$is_systemd" ]; then
ACTION="restart"
else
if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" stop
env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" start
exit $?
fi
fi
elif [ -z "${SERVICE}" ]; then
SERVICE="${1}"
elif [ -z "${ACTION}" ]; then
ACTION="${1}"
else
OPTIONS="${OPTIONS} ${1}"
fi
shift
;;
esac
done

run_via_sysvinit() {
# Otherwise, use the traditional sysvinit
if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
exec env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" ${ACTION} ${OPTIONS}
else
echo "${SERVICE}: unrecognized service" >&2
exit 1
fi
}

update_openrc_started_symlinks() {
# maintain the symlinks of /run/openrc/started so that
# rc-status works with the service command as well
if [ -d /run/openrc/started ] ; then
case "${ACTION}" in
start)
if [ ! -h /run/openrc/started/$SERVICE ] ; then
ln -s $SERVICEDIR/$SERVICE /run/openrc/started/$SERVICE || true
fi
;;
stop)
rm /run/openrc/started/$SERVICE || true
;;
esac
fi
}

# When this machine is running systemd, standard service calls are turned into
# systemctl calls.
if [ -n "$is_systemd" ]
then
UNIT="${SERVICE%.sh}.service"
# avoid deadlocks during bootup and shutdown from units/hooks
# which call "invoke-rc.d service reload" and similar, since
# the synchronous wait plus systemd's normal behaviour of
# transactionally processing all dependencies first easily
# causes dependency loops
if ! systemctl --quiet is-active multi-user.target; then
sctl_args="--job-mode=ignore-dependencies"
fi

case "${ACTION}" in
restart|status|try-restart)
exec systemctl $sctl_args ${ACTION} ${UNIT}
;;
start|stop)
# Follow the principle of least surprise for SysV people:
# When running "service foo stop" and foo happens to be a service that
# has one or more .socket files, we also stop the .socket units.
# Users who need more control will use systemctl directly.
for unit in $(systemctl list-unit-files --full --type=socket 2>/dev/null | sed -ne 's/\.socket\s*[a-z]*\s*$/.socket/p'); do
if [ "$(systemctl -p Triggers show $unit)" = "Triggers=${UNIT}" ]; then
systemctl $sctl_args ${ACTION} $unit
fi
done
exec systemctl $sctl_args ${ACTION} ${UNIT}
;;
reload)
_canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
if [ "$_canreload" = "CanReload=no" ]; then
# The reload action falls back to the sysv init script just in case
# the systemd service file does not (yet) support reload for a
# specific service.
run_via_sysvinit
else
exec systemctl $sctl_args reload "${UNIT}"
fi
;;
force-stop)
exec systemctl --signal=KILL kill "${UNIT}"
;;
force-reload)
_canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
if [ "$_canreload" = "CanReload=no" ]; then
exec systemctl $sctl_args restart "${UNIT}"
else
exec systemctl $sctl_args reload "${UNIT}"
fi
;;
*)
# We try to run non-standard actions by running
# the init script directly.
run_via_sysvinit
;;
esac
fi

update_openrc_started_symlinks
run_via_sysvinit

上面是Ubuntu上的service的源码,跟这个靶机里是基本相同的。
这个原理是linux有这个设置,当运行如下指令的时候

1
cd /etc/inid.t/../../bin

实际上就是

1
cd /bin

那么,这个service的功能就是,调用系统的env指令,来执行/etc/init.d/里的服务启动脚本。至于,具体这个service功能,会有另外一篇文章具体讲解。

由于在这个靶机,webmaster用户给了sudo运行service的权限,于是可以构造一下exp

1
sudo service ../../bin/bash

来弹出root的shell,最终getroot