HTB-UnderPass
Summary: an nmap UDP scan of this box finds the SNMP service on port 161; snmpwalk returns a directory name, and dirsearch then turns up a yml file holding the database username and password, which are noted down. A login page is still needed: fuzzing under the /app directory finds one, the version number shown there leads to the default credentials, and the account found inside the application has an MD5 hex hash that resolves to a plaintext password. After SSH login, sudo -l reveals mosh; looking up how it works, setting the environment variable and connecting gives root on this active box.
https://track123.oss-cn-beijing.aliyuncs.com/20250329191438675.png
1. Information gathering
Target IP: 10.10.11.48
Attacker IP: 10.10.16.26
The nmap scan shows the web service is Apache/2.4.52 (Ubuntu)
https://track123.oss-cn-beijing.aliyuncs.com/20250329192303949.png
First set up hostname resolution
echo "10.10.11.48 underpass.htb" | sudo tee -a /etc/hosts
https://track123.oss-cn-beijing.aliyuncs.com/20250329192411577.png
Run a UDP scan
nmap -sU -sV -Pn 10.10.11.48
The result is as follows; the snmp service is open
PORT      STATE          SERVICE
161/udp   open           snmp
1812/udp  open|filtered  radius
1813/udp  open|filtered  radacct
Directory scan
No directories were exposed
https://track123.oss-cn-beijing.aliyuncs.com/20250329192721079.png
Subdomain scan
Neither ffuf scan turned up anything usable
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt:FUZZ -u "http://underpass.htb/FUZZ" -ic
ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:FFUZ -H "Host: FFUZ.underpass.htb" -u http://underpass.htb -fw 20
No usable information
https://track123.oss-cn-beijing.aliyuncs.com/20250329195206301.png
2. Initial foothold
Port 80 serves the default apache2 page of an Ubuntu system
https://track123.oss-cn-beijing.aliyuncs.com/20250329192615127.png
Neither the page source nor fingerprinting reveals anything, so the target has to be scanned again
Run a snmpwalk scan; the key piece of information is: daloradius
https://track123.oss-cn-beijing.aliyuncs.com/20250329223402876.png
Guessing that this is a directory name, append it to the URL and scan again
https://track123.oss-cn-beijing.aliyuncs.com/20250329223907099.png
The directories found are as follows
/daloradius/.gitignore
/daloradius/app
/daloradius/ChangeLog
/daloradius/doc->http://10.10.11.48/daloradius/doc/
/daloradius/Dockerfile
/daloradius/docker-compose.yml
/daloradius/library->http://10.10.11.48/daloradius/library/
/daloradius/LICENSE
/daloradius/README.md
/daloradius/setup->http://10.10.11.48/daloradius/setup/
Opening the first entry reveals a configuration file, but it cannot be accessed
https://track123.oss-cn-beijing.aliyuncs.com/20250329224048823.png
The docker-compose.yml file contains the database username and password
https://track123.oss-cn-beijing.aliyuncs.com/20250329224308663.png
They are listed below. At this point a login page is needed; none of the directories above has one, so rescan the /app directory
database: radius
user: radius
passwd: radiusdbpw
The scan turns up a login page
daloradius/app/users/login.php
https://track123.oss-cn-beijing.aliyuncs.com/20250329225134910.png
A login page; the credentials above do not work here
https://track123.oss-cn-beijing.aliyuncs.com/20250329225442578.png
Rescanning with a different wordlist yields a new directory
dirsearch -u http://10.10.11.48/daloradius/app/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e*
http://10.10.11.48/daloradius/app/operators/login.php
Another login page; the credentials above fail here too, but a version number is shown at the bottom
https://track123.oss-cn-beijing.aliyuncs.com/20250329225734086.png
Searching for that version gives the default username administrator and password radius
https://track123.oss-cn-beijing.aliyuncs.com/20250329230041357.png
Login succeeds
https://track123.oss-cn-beijing.aliyuncs.com/20250329230127732.png
The config section has a language setting; switch it to Chinese first
https://track123.oss-cn-beijing.aliyuncs.com/20250329230242717.png
A username and password hash are found
https://track123.oss-cn-beijing.aliyuncs.com/20250329230327953.png
As follows
Username: svcMosh
Password hash: 412DD4759978ACFCC81DEAB01B382403
Looking the hash up on that site gives the password: underwaterfriends
https://track123.oss-cn-beijing.aliyuncs.com/20250330110856304.png
Connect over SSH
https://track123.oss-cn-beijing.aliyuncs.com/20250330111144625.png
3. Privilege escalation
user.txt
user.txt is in this directory and can be read
https://track123.oss-cn-beijing.aliyuncs.com/20250330111306681.png
root.txt
sudo -l shows one executable path
/usr/bin/mosh-server
https://track123.oss-cn-beijing.aliyuncs.com/20250330111430037.png
Running it produces output that is not immediately understandable
https://track123.oss-cn-beijing.aliyuncs.com/20250330111614391.png
Check SUID binaries
https://track123.oss-cn-beijing.aliyuncs.com/20250330111655422.png
Look up the executable found above; reference article:
https://www.cnblogs.com/sunweiye/p/12003616.html
The method is as follows
https://track123.oss-cn-beijing.aliyuncs.com/20250330113201044.png
Run it again and look at the output
https://track123.oss-cn-beijing.aliyuncs.com/20250330113610108.png
The key printed above is: NnSZo0rz1vdi7bRzX4Hn4g
export MOSH_KEY=NnSZo0rz1vdi7bRzX4Hn4g
mosh-client 127.0.0.1 60001 # this should be the target's IP; since the command runs on the target itself, connecting to its local address works
Login succeeds and root.txt is obtained
https://track123.oss-cn-beijing.aliyuncs.com/20250330113548393.png
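From the defender's side, the sudo grant abused above leaves a trace in the standard sudo syslog line. The script below is an added example written for this page (not part of the original writeup): it parses such lines and flags non-root users running session-spawning binaries such as mosh-server as root. The log lines are constructed samples, and the watchlist of binaries is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in sudo's syslog format (not captured from the box).
SAMPLE_LOG = """\
Mar 30 11:31:59 underpass sudo:  svcMosh : TTY=pts/0 ; PWD=/home/svcMosh ; USER=root ; COMMAND=/usr/bin/mosh-server
Mar 30 11:32:01 underpass sudo:  svcMosh : TTY=pts/0 ; PWD=/home/svcMosh ; USER=root ; COMMAND=/usr/bin/mosh-server new -s -c 256
Mar 30 11:35:10 underpass sudo:  admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Mar 30 11:36:00 underpass sshd[1234]: Accepted publickey for svcMosh from 10.10.16.26 port 51234 ssh2
"""

# Fields of a sudo command log entry: invoking user, tty, cwd, target user, command.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# Assumed watchlist: binaries that hand the caller an interactive session
# as the target user, so a root grant on them equals a root shell.
SESSION_SPAWNERS = {"/usr/bin/mosh-server", "/usr/bin/tmux", "/usr/bin/screen"}


def parse_sudo(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo command entry, or None for other lines."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def find_session_escalations(log_text: str) -> List[Dict[str, str]]:
    """Return sudo events where a non-root user ran a session spawner as root."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if not ev or ev["target"] != "root" or ev["user"] == "root":
            continue
        binary = ev["command"].split()[0]  # first token is the executable path
        if binary in SESSION_SPAWNERS:
            ev["binary"] = binary
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_session_escalations(SAMPLE_LOG):
        print(f"ALERT: {hit['user']} ran {hit['binary']} as {hit['target']} "
              f"from {hit['tty']} (full command: {hit['command']})")
```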
Done
https://track123.oss-cn-beijing.aliyuncs.com/20250330113655469.png
4. Summary
snmpwalk scan:
dirsearch wordlist scan:
mosh login: