打靶记录(六十)之THMCyberCraft

端口扫描

sudo nmap --min-rate 10000 -p- 10.10.180.170   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-02 01:48 UTC
Nmap scan report for 10.10.180.170
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
25565/tcp open  minecraft

Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds

sudo nmap -sT -sV -sC -O -p22,80,25565 10.10.180.170
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-02 01:49 UTC
Nmap scan report for 10.10.180.170
Host is up (0.23s latency).

PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_  256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
80/tcp    open  http      Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Did not follow redirect to http://cybercrafted.thm/
|_http-server-header: Apache/2.4.29 (Ubuntu)
25565/tcp open  minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r  ck00r, Users: 0/1)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.63 seconds

cybercrafted.thm添加进hosts

Web

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://cybercrafted.thm/' -H 'HOST:FUZZ.cybercrafted.thm' -fw 1

扫下子域

得到：

store                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 228ms]
www                     [Status: 200, Size: 832, Words: 236, Lines: 35, Duration: 2182ms]
www.admin               [Status: 200, Size: 937, Words: 218, Lines: 31, Duration: 229ms]
admin                   [Status: 200, Size: 937, Words: 218, Lines: 31, Duration: 5216ms]
www.store               [Status: 403, Size: 291, Words: 20, Lines: 10, Duration: 910ms]

添加进hosts

对三个域名都进行目录扫描，在store的域名找到一个search.php，看上去像是一个查询搜索框，试了一下没有XSS,那也许有sql注入了，直接抓包放sqlmap跑

sqlmap -r sql.txt --dump

得到一个webflag和一对凭证，哈希直接用john爆破

xXUltimateCreeperXx:diamond123456789

在admin网页中直接登录，发现可以执行命令

直接用wget上传一个php反弹shell

开启监听，访问得到shell

横向移动

有xxultimatecreeperxx和cybercrafted两个用户

xxultimatecreeperxx的家目录我们有访问权限，在.ssh中加入我们的公钥进行ssh连接，但是发现我们没有读写的权限，那就试着爆破这个用户的私钥。用ssh2john转为hash

得到creepin2006

chmod 600 key

ssh -i key xxultimatecreeperxx@10.10.180.170

然后我们就有权限进入/opt/minecraft目录了

可以在目录中看到插件名称LoginSystem

因为看到crontab中有个计划任务，曾想着用tar来横向的，但是参数不太对

但是在plugins/LoginSystem中有个日志，直接暴露了密码JavaEdition>Bedrock

提权

ssh连接一下

sudo -l

发现可以执行一个screen -r

执行后直接Ctrl+a+c生成一root权限的新的会话

碎碎念

因为MCtag就直接来打了233有兴趣的可以看看之前写的MC开服教程。

靶机总体来说还是偏简单的233