Delivery
#0 信息收集
利用Nmap对靶机进行开发端口服务探测,靶机开放了22,80,8065端口。nmap 10.10.10.222 -p-
nmap 10.10.10.222 -p22,80,8065 -A
nmap 10.10.10.222 -p22,80,8065 -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 06:12 UTC
Nmap scan report for 10.10.10.222
Host is up (0.0030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Thu, 15 Apr 2021 14:59:20 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: nyugsjw3p3bjiejf7b7tgantsr
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Fri, 16 Apr 2021 06:12:52 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Fri, 16 Apr 2021 06:12:52 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8065-TCP:V=7.80%I=7%D=4/16%Time=60792AE3%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\
SF:x20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20public\
SF:r\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-ancesto
SF:rs\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Thu,\x2015\
SF:x20Apr\x202021\x2014:59:20\x20GMT\r\nX-Frame-Options:\x20SAMEORIGIN\r\n
SF:X-Request-Id:\x20nyugsjw3p3bjiejf7b7tgantsr\r\nX-Version-Id:\x205\.30\.
SF:0\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20Fri,\x
SF:2016\x20Apr\x202021\x2006:12:52\x20GMT\r\n\r\n<!doctype\x20html><html\x
SF:20lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20name=\"viewport
SF:\"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1,user
SF:-scalable=0\"><meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollo
SF:w\"><meta\x20name=\"referrer\"\x20content=\"no-referrer\"><title>Matter
SF:most</title><meta\x20name=\"mobile-web-app-capable\"\x20content=\"yes\"
SF:><meta\x20name=\"application-name\"\x20content=\"Mattermost\"><meta\x20
SF:name=\"format-detection\"\x20content=\"telephone=no\"><link\x20re")%r(H
SF:TTPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDate:\x2
SF:0Fri,\x2016\x20Apr\x202021\x2006:12:52\x20GMT\r\nContent-Length:\x200\r
SF:\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConten
SF:t-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n
SF:400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCon
SF:nection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.36 seconds
先从80端口入手,上面是一个osTicket服务,有注册和查询功能。查询并没有符合的公开漏洞。
访问8065端口是个mattermost服务。先注册一个账号,需要邮箱收验证码可以使用80端口的osTicket接收。
注册一个邮箱。
获取验证码并激活。
#1 敏感信息泄露
登录后能看到一些内部的聊天记录,直接泄漏了maildeliverer用户的账号密码。maildeliverer:Youve_G0t_Mail!
还泄露了后面的密码rockyou字典没有,可能与"PleaseSubscribe!"有关。
利用该账号密码成功登录到靶机,直接获取user Flag
#2 提权
接下来就是提权了。
sudo (没有权限)
SUID (没有可以利用的)
自启动 (在root目录下,没有权限)
在/opt/mattermost/congfig目录下有个配置文件congfig.json(大概)。里面有链接3306的账号密码。mmuser:Crack_The_MM_Admin_PW
确认一下。netstat -antp
直接登录到3306,是MariaDB。查库、查表、查数据。
在mattermost.User下有个root用户的账号和hash。查询User表所有数据能看到是‘’系统‘’用户。
用hashid查询加密类型:bcrypt。也可以查询hashcat的官网进行查询。
这里卡了一会,根据前面提示密码与PleaseSubscribe!有关,hashcat可以根据规则生成字典,相关参考链接放在末尾。
这些事hashcat自带的规则,直接选个比较大的d3ad0ne.rule
把PleaseSubscribe!放在pass里,导入规则生成新的字典password.txthashcat -r /usr/share/hashcat/rules/d3ad0ne.rule --stdout pass > password.txt
浏览一下新的字典。
在用john对root的hash进行匹配。获得root的密码。
└──╼ [★]$ john hash.txt --wordlist=password2.txt --format=bcrypt
Created directory: /home/htb-z4yn/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)
1g 0:00:00:00 DONE (2021-04-19 05:28) 4.000g/s 144.0p/s 144.0c/s 144.0C/s PleaseSubscribe!..PleaseSubscrio
Use the "--show" option to display all of the cracked passwords reliably
Session completed
用该密码登录到root获取root flag
参考
hashcat类型:https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat基于规则攻击:https://hashcat.net/wiki/doku.php?id=rule_based_attack