
THM Target Practice Diary 68 - M4tr1x: Exit Denied

  • Scanning and enumeration

    • 80

      Scanned it and got a huge pile of directories; looked through them and didn't find anything.

      Scratched my head and peeked at a walkthrough: on the second page of the memberlist you can find the white rabbit mentioned in the challenge:

      That user has a bunch of posts, but they can't be viewed; registered an account to take a look:

      The posts say /bugbountyHQ might be vulnerable

      But submissions are disabled; found /reportPanel.php via F12

      Among the latest few reports, it should be the weak-password one

      your mybb login system is not using any 'captcha mechanism' or 'failed login timeout method' which makes it very vulnerable to password spray attacks.
      Considering several surveys have found that 3 in 5 online users use weak passwords such as:
      password123, Password123, crabfish, linux123, secret, piggybank, windowsxp, starwars, qwerty123, qwerty, supermario, Luisfactor05, james123, etc., I would say you should ASAP implement some protection to avoid future data breaches.

      So the plan is to scrape every account name for a password spray

      ```python
      import requests
      from bs4 import BeautifulSoup

      base_url = "http://10.10.93.104/memberlist.php"
      headers = {
      }

      def get_usernames(page):
          # Query parameters for one page of the member list
          params = {
              "sort": "regdate",
              "order": "ascending",
              "perpage": "20",
              "page": str(page)
          }
          response = requests.get(base_url, headers=headers, params=params)
          soup = BeautifulSoup(response.text, 'html.parser')

          usernames = []
          for link in soup.find_all('a', href=True):
              # Profile links look like member.php?action=profile&uid=N
              if 'member.php?action=profile&uid=' in link['href']:
                  name = link.text.strip()
                  if name and name not in usernames:
                      usernames.append(name)
          return usernames

      all_users = []
      for i in range(1, 4): # pages 1 to 3
          users = get_usernames(i)
          all_users.extend(users)

      unique_users = sorted(set(all_users))

      with open("usernames.txt", "w", encoding="utf-8") as f:
          for user in unique_users:
              f.write(user + "\n")

      print("用户名已保存到 usernames.txt")
      ```
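      Added example, not part of the original writeup: the bug report above says the MyBB login has no failed-login timeout, which is exactly what makes a spray feasible. This script flags the pattern a defender would watch for, one source failing logins against many distinct accounts inside a short window. The log format and the sample lines are constructed for the example.

      ```python
      # Added example: spot a password-spray pattern (one source, many distinct
      # accounts, few attempts each) in constructed MyBB-style login log lines.
      from collections import defaultdict
      from datetime import datetime, timedelta

      # Constructed sample log: "<iso timestamp> <source ip> <username> <FAIL|OK>"
      SAMPLE_LOG = """\
      2024-05-01T10:00:01 10.0.0.7 alice FAIL
      2024-05-01T10:00:02 10.0.0.7 bob FAIL
      2024-05-01T10:00:03 10.0.0.7 carol FAIL
      2024-05-01T10:00:04 10.0.0.7 dave FAIL
      2024-05-01T10:00:05 10.0.0.7 erin FAIL
      2024-05-01T10:00:06 10.0.0.7 frank FAIL
      2024-05-01T10:05:00 10.0.0.9 alice FAIL
      2024-05-01T10:05:02 10.0.0.9 alice FAIL
      2024-05-01T10:05:04 10.0.0.9 alice OK
      """

      def parse(log):
          """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
          events = []
          for line in log.splitlines():
              ts, ip, user, result = line.split()
              events.append((datetime.fromisoformat(ts), ip, user, result))
          return events

      def spray_sources(events, window=timedelta(minutes=10), min_users=5):
          """Return {ip: sorted usernames} for every source that failed logins
          against at least `min_users` distinct accounts within one `window`.
          A single user failing repeatedly (a typo, or a brute force of one
          account) does not trigger this rule; that is a different signature."""
          fails = defaultdict(list)
          for ts, ip, user, result in events:
              if result == "FAIL":
                  fails[ip].append((ts, user))
          flagged = {}
          for ip, attempts in fails.items():
              attempts.sort()
              # Slide a window over the failures and count distinct targets
              for i, (start, _) in enumerate(attempts):
                  users = {u for t, u in attempts[i:] if t - start <= window}
                  if len(users) >= min_users:
                      flagged[ip] = sorted(users)
                      break
          return flagged

      if __name__ == "__main__":
          for ip, users in spray_sources(parse(SAMPLE_LOG)).items():
              print(f"possible password spray from {ip}: {len(users)} accounts {users}")
      ```
      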

      Brute-forced it directly with Burp; in moderator ArnoldBagger's email found a directory /devBuilds

      In v2 you can see that p.txt has the database credentials:

      So now it's time to think about decrypting the gpg file

      The hint says to look in the source code; found in reportpanel.php:

      Threw it into CyberChef: a permutation of only the english letters will open the locks

      The one below is an address; viewing the source of that page with the string of 0101s, a few English letters are mixed into the Chinese text: ofqxvg

      So generate all permutations of those letters to brute-force the gpg file:

      ```python
      import itertools

      str1 = 'ofqxvg'
      p = itertools.permutations(str1)

      # Print every ordering of the letters, one candidate per line
      for pass_list in p:
          pwd = ''.join(pass_list)
          print(pwd)
      ```

      According to the info in the plugin, log into the database directly with mod:myS3CR3TPa55

      At this point you can get the other moderator blackcat's cookie: JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB

      Notice that the site's cookie format is UID+cookie:

      Edit the cookie directly under F12 > Storage, refresh, and you become blackcat:

      Then go to User CP - Manage Attachments and find a pile of attachments

      In the testing archive found testing.png, which says SSH-TOTP

      No idea how to do this part; reference code: https://github.com/GeardoRanger/M4tr1xBrute

      From the hint, learned the timezone has to be changed first: timedatectl set-timezone UTC

  • Plain privilege escalation

    We have arbitrary file read/write, so it's the classic edit-/etc/passwd step

    But there's no flag; find locates /etc/-- -root.py

    This damn program name can't be run directly even with quotes; passed out from rage

    Still need to find the ACP PIN; search for it:

    Still missing the web flag, so log in as bigpaul:ilovemywifeandgirlfriend022366 and have a look

    Then into the MyBB admin panel: