KoTH Hackers

端口扫描

root@ip-10-10-143-156:~/kothhackers# nmap -sTCV -p 21,22,80,9999 --min-rate 1000 10.10.215.183

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-08 08:21 BST
Nmap scan report for ip-10-10-215-183.eu-west-1.compute.internal (10.10.215.183)
Host is up (0.00019s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           400 Apr 29  2020 note
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.143.156
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ff:ea:b0:58:35:79:df:b3:c1:57:01:43:09:be:2a:d5 (RSA)
|   256 3b:ff:4a:88:4f:dc:03:31:b6:9b:dd:ea:69:85:b0:af (ECDSA)
|_  256 fa:fd:4c:0a:03:b6:f7:1c:ee:f8:33:43:dc:b4:75:41 (EdDSA)
80/tcp   open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Ellingson Mineral Company
9999/tcp open  abyss?
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Sun, 08 Oct 2023 07:22:00 GMT
|     Content-Length: 1
|     Content-Type: text/plain; charset=utf-8
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request

21

从上面扫描结果中我们可以看到 FTP 是存在匿名登陆的, 所以我们可以借此来完成登陆, 在登陆之后这里存在第一个 flag 以及一个 note

ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Apr 30  2020 .
drwxr-xr-x    2 ftp      ftp          4096 Apr 30  2020 ..
-rw-r--r--    1 ftp      ftp            38 Apr 30  2020 .flag
-rw-r--r--    1 ftp      ftp           400 Apr 29  2020 note

查看 note 文件可以得出以下结论:

• 用户名的构成 : 姓氏首字母加名字 全部小写
• rcampbell : 弱密码
• gcrawford : 弱密码 加密密钥

root@ip-10-10-143-156:~/kothhackers# cat note 
Note:
Any users with passwords in this list:
love
sex
god
secret
will be subject to an immediate disciplinary hearing.
Any users with other weak passwords will be complained at, loudly.
These users are:
rcampbell:Robert M. Campbell:Weak password
gcrawford:Gerard B. Crawford:Exposing crypto keys, weak password
Exposing the company's cryptographic keys is a disciplinary offense.
Eugene Belford, CSO

80

root@ip-10-10-143-156:~/kothhackers# gobuster dir -u http://10.10.215.183/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.215.183/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,txt
[+] Timeout:        10s
===============================================================
2023/10/08 08:27:50 Starting gobuster
===============================================================
/news (Status: 301)
/index.html (Status: 301)
/contact (Status: 301)
/img (Status: 301)
/staff (Status: 301)
/robots.txt (Status: 200)
/backdoor (Status: 301)

访问这些内容在 backdoor 可以发现一个登录框, 所以尝试暴力破解 (因为之前不是收集到两个用户存在弱密码), [这里存在一点扩展], 但是很可惜尝试了许久后, 并没有获取到得到密码估计是个兔子洞了, 因此转向我们的 FTP 服务

21

进行暴力破解之后, 得到了两个用户的密码

因为我们之前收集到 gcrawford 泄露了密钥, 因此我们优先访问这个用户, 从输出中我们可以看到共享了家目录, 并且我们从此获取到了对应的 SSH 私钥

ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-x---    6 ftp      ftp          4096 Apr 30  2020 .
drwxr-x---    6 ftp      ftp          4096 Apr 30  2020 ..
lrwxrwxrwx    1 ftp      ftp             9 Apr 30  2020 .bash_history -> /dev/null
-rw-r--r--    1 ftp      ftp           220 Apr 29  2020 .bash_logout
-rw-r--r--    1 ftp      ftp          3771 Apr 29  2020 .bashrc
drwx------    2 ftp      ftp          4096 Apr 29  2020 .cache
drwx------    3 ftp      ftp          4096 Apr 29  2020 .gnupg
drwxrwxr-x    3 ftp      ftp          4096 Apr 29  2020 .local
-rw-r--r--    1 ftp      ftp           807 Apr 29  2020 .profile
drwx------    2 ftp      ftp          4096 Oct 08 07:16 .ssh
-r--------    1 ftp      ftp           252 Apr 30  2020 business.txt

后渗透

gcrawford

得到的私钥存在加密行为进行解密, 之后进行登陆

gcrawford —> root

之后我发现用户 gcrawford 存在一个 SUDO 特权, 我们可以利用此来完成攻击 nano#sudo

扩展

rabbit holes

访问我们的 backdoor , 查看网页源代码, 我们可以发现其中存在一个 login.js, 在其中存在一点问题, 我们可以进行分析:

• 泄露了一个新的路径 : /backdoor/shell
• cookie 是根据返回的状态码确定的

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    console.log(statusOrCookie)
    if (statusOrCookie=== "Incorrect credentials") {
        alert("Incorrect Credentials")
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/backdoor/shell"
    }
}

我们可以直接访问 /backdoor/shell, 从下面这张图我们可以确定以下:

• 一个新的 api , 其目标是 cmd 可以执行命令 但是前提是我们的 token 是对的
• 这个用于执行命令