DX1: Liberty Island

端口扫描

root@ip-10-10-143-156:~# nmap -sTCV -p- --min-rate 1000 10.10.115.247

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-08 11:22 BST
Nmap scan report for ip-10-10-115-247.eu-west-1.compute.internal (10.10.115.247)
Host is up (0.0043s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/datacubes *
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: United Nations Anti-Terrorist Coalition
5901/tcp  open  vnc     VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VeNCrypt (19)
|     VNC Authentication (2)
|   VeNCrypt auth subtypes: 
|     Unknown security type (2)
|_    VNC auth, Anonymous TLS (258)
23023/tcp open  unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 200 OK
|     Access-Control-Allow-Origin: *
|     Content-Type: text/plain
|     Date: Sun, 08 Oct 2023 10:23:02 GMT
|     Content-Length: 90
|     UNATCO Liberty Island - Command/Control
|     RESTRICTED: ANGEL/OA
|     send a directive to process
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Access-Control-Allow-Origin: *
|     Content-Type: text/plain
|     Date: Sun, 08 Oct 2023 10:22:37 GMT
|     Content-Length: 90
|     UNATCO Liberty Island - Command/Control
|     RESTRICTED: ANGEL/OA
|_    send a directive to process

80

root@ip-10-10-143-156:~# gobuster dir -u http://10.10.115.247/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.115.247/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/08 11:43:02 Starting gobuster
===============================================================
/index.html (Status: 200)
/terrorism.html (Status: 200)
/robots.txt (Status: 200)
/threats.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/10/08 11:44:56 Finished
===============================================================

在 http://10.10.234.178/badactors.html 页面我们可以看到有一个黑名单里面都是用户名, 先攒着万一后门有爆破呢

访问 /robots.txt 可以发现一个禁止爬取的目录

访问这个新发现的目录, 发现

跳转到 0000 我们可能需要进行枚举
从给出的文章内容可以看出密码已经全部被修改了

接着我开始了枚举之路

root@ip-10-10-143-156:~/dx1libertyislandplde# ffuf -w ./dir.txt -u http://10.10.115.247/datacubes/FUZZ
.....
                  [Status: 301, Size: 323, Words: 20, Lines: 10]
                  [Status: 301, Size: 323, Words: 20, Lines: 10]
                  [Status: 301, Size: 323, Words: 20, Lines: 10]
                  [Status: 301, Size: 323, Words: 20, Lines: 10]
                  [Status: 301, Size: 323, Words: 20, Lines: 10]
                  [Status: 301, Size: 323, Words: 20, Lines: 10]

当访问 0451 时, 其输出和其他明显不同

告诉我们这里有一个 VNC 连接
对于登陆密码则是 : smashthestate 使用 username 作为 key 、 MD5 加密的HMAC前 8 位
- 对于 username 而言是我们之前的黑名单用户同时从 JL 来看应该是 "jallred","jlebedev", "jooleeah” 三个用户

利用这三个用户的进行一波 HMAC 操作, 最终发现其中一个为对应的密码

后渗透

ajacobson (VNC)

使用得到的密码进行连接我们的 VNC 服务端 (如果显示拒绝, 就重启靶机吧)

ajacobson —> root

tip

💡 整个靶机最离谱的来了

在用户的家目录存在一个 badactors-list

C:\home\ajacobson\Desktop> ls -al
total 6792
drwxr-xr-x  2 ajacobson ajacobson    4096 Oct 22  2022 .
drwxr-xr-x 20 ajacobson ajacobson    4096 Oct  8 13:40 ..
-rwxr-xr-x  1 ajacobson ajacobson 6941856 Oct 22  2022 badactors-list
-rw-r--r--  1 ajacobson ajacobson     643 Oct 22  2022 user.txt