Basic information

Port scan

22,80,443:

$ nmap -sC -sV 10.10.11.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-08 09:54 CST
Nmap scan report for 10.10.11.143
Host is up (0.19s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.91 seconds

80/443

Default page:

The domain name is obtained from the response:

office.paper

Visit it after adding it to hosts:

office.paper

WordPress 5.2.3; one of the comments contains a hint:

Drafts cannot be viewed directly, but a related vulnerability can be found by searching:

This yields the Secret Registration URL:

http://chat.office.paper/register/8qozr226AhkCHZdyY

chat.office.paper

After adding it to hosts as well, it turns out to be Rocket.Chat:

Register and log in using the secret URL:

recyclops bot

There is a bot in the channel that can execute some commands:

The channel is read-only, but you can send the bot direct messages:

list file

`list` can be used to view directories and `file` to view files, and there is a directory traversal:

../hubot/.env

The password is found in the .env file:

export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23

username

The /etc/passwd file and the home directory confirm the username:

user flag

dwight's SSH password is the bot's password, which gives user.txt:

ssh dwight@office.paper
Queenofblad3s!23

Privilege escalation information

linpeas finds CVE-2021-3560:

Privilege escalation & root flag

The exploit works in one shot:

[root@paper ~]# cat /etc/shadow
root:$6$rfCS6Tb3sgIjkTux$UhBHq5wWPncgtVnltzm3Squ9KBcX3/9k0y6o8AG6lNSKOobHatUWFzPS1J8uuh/QML6kyhZ10ngXa5nCBLDkL.:18811:0:99999:7:::

References