$ nmap -sC -sV 10.10.10.222
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-11 13:35 CST
Nmap scan report for 10.10.10.222
Host is up (0.069s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.31 seconds
80
An ordinary website. The page content reveals a subdomain, and the contact page reveals port 8065:
So add the known information to hosts:
10.10.10.222 helpdesk.delivery.htb delivery.htb
8065
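Some kind of system that requires a login; registration is open:
Registering with an arbitrary address prompts for verification, but my own mailbox never received the mail, so we presumably need some way to obtain an email address that it assigns: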
helpdesk
Moving on to helpdesk, it is a conventional helpdesk system:
new ticket
Create a ticket to get an email address and a ticket id:
check ticket status
Check status simply opens the inbox of the mailbox assigned to us:
8065 create account
Then go to 8065 and create an account with this email address:
get verify email
After that, check the inbox for the new mail:
The verification information is visible:
verify email
Open a new tab, paste the verification link and visit it; verification succeeds, then log in:
internal
Enter internal and skip the tutorial:
This is actually a hint for later; the line above it is a username and password pair:
@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail! 10:30 PM
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
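
The message above asks for a program that stops passwords built as variants of "PleaseSubscribe!". A sketch of such a check for a password-change hook, as an added example that is not part of the original write-up: the function names, the leetspeak table and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Base password quoted in the message above; extend the list for your own policy.
BANNED_BASES = ["PleaseSubscribe!"]

# Common leetspeak substitutions to undo before comparing (constructed table).
LEET = str.maketrans("013457@$", "oleastas")


def fold(text: str) -> str:
    """Lower-case, undo leetspeak, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def canonical_forms(password: str) -> set:
    """Two folded views: as typed, and with digit/symbol affixes trimmed first."""
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return {fold(password), fold(trimmed)}


def is_banned_variant(password: str, threshold: float = 0.85) -> bool:
    """True if the password contains, or closely resembles, a banned base."""
    for base in BANNED_BASES:
        target = fold(base)
        for form in canonical_forms(password):
            if target in form:
                return True
            if SequenceMatcher(None, target, form).ratio() >= threshold:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample candidates, not taken from the page.
    for candidate in ["PleaseSubscribe!2021", "Pl3as3Subscrib3",
                      "correct-horse-battery-staple"]:
        verdict = "reject" if is_banned_variant(candidate) else "accept"
        print(f"{verdict}: {candidate}")
```

Run at password-set time, this rejects appended years, symbol padding and character substitutions on the banned base while leaving unrelated passphrases alone.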